WinPkFilter/Wireshark(WinPcap)

Home Forums Discussions General WinPkFilter/Wireshark(WinPcap)

Tagged: 

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • September 16, 2016 at 12:36 pm #9316
    luzl
    Participant

      Hi Everyone, need help on this issue.

      With WinPkFilter Sample,
      Filter <ifindex> 1 (1 – Redirect only IPv4 DNS packets for processing in user mode.)
      When Wireshark is not running, we got two packets printed (one reqest and one response). But, once Wireshark is running, we got 256 packets printed.

      It is very important for us to have both WinPkFilter and WinPcap working at the same time. Any help will be greatly appreciated.

      September 16, 2016 at 1:04 pm #9317
      Vadim Smirnov
      Keymaster

        If you look at those packets closer then you will notice that TTL for each fllowed duplicated packet is decremented. Without going deep into details this behaviour is caused by single interface IP routing combined with loopback packet indications (required by Winpcap to collect packets). And thus there are several ways to fix it.

        1) You can disable IP routing feature on the host by going to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key and changing IPEnableRouter from 1 to 0. IP routing feature is required only for the Internet Gateway sample and it is enabled only if you install this sample. If you don’t need it for smething else then it is safe to disable.

        2) You can drop re-routed packets in WinpkFilter application.

        3) WinpkFilter has some filter flags to prevent loopback packet indications which are normally used in promiscuous mode. I have to check if these flags are applicable to this situation with single interface routing but this is another possible approach – just filter these packets out on the driver level.

        September 18, 2016 at 8:18 am #9318
        luzl
        Participant

          1) You can disable IP routing feature on the host by going to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key and changing IPEnableRouter from 1 to 0. IP routing feature is required only for the Internet Gateway sample and it is enabled only if you install this sample. If you don’t need it for smething else then it is safe to disable.

          Yes, it works this way. Thanks.

          November 20, 2019 at 5:15 pm #11228
          Zyxel
          Participant

            Vadim,

            Did you ever investigate your solution #3 further?

            Why is this problem with double indications happening anyway?
            Where in the driver hierarchy, is the WinPkFlt LWF driver positioned in relation to the current Wireshark’s NPCAP driver ?

            Is the WinPkFlt LWF driver always BELOW* the Wireshark’s NPCAP driver …or is their relationship affected by their order of installation ?

            Is there a diagram of WinPkFlt LWF and NPCAP driver and these pesky NDIS loopbacks anywhere to elucidate all of this ?

            * BELOW = closer to the NDIS miniport (adapter driver).

          • Author
            Posts
          Viewing 4 posts - 1 through 4 (of 4 total)
          • You must be logged in to reply to this topic.