Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 496 through 510 (of 1,486 total)
in reply to: about gateway #11482
Vadim Smirnov
Keymaster

In the context of the Internet Gateway, the Provider is the interface connected to the Internet and the Client is the network interface connected to the internal network you would like to share the Internet with. The Internet Gateway sample does not implement the DHCP protocol, so all IP addresses (except the Provider's, which is typically assigned by the ISP) should be assigned manually.

in reply to: about gateway #11480
Vadim Smirnov
Keymaster

It is worth mentioning that there is more than one way to achieve this depending on the exact requirements; however, a basic NAT sample can be found here.

in reply to: OID_GEN_TRANSMIT_QUEUE_LENGTH #11477
Vadim Smirnov
Keymaster

Here you can find SYSTEM_PERFORMANCE_INFORMATION for Windows 8 and later.

in reply to: OID_GEN_TRANSMIT_QUEUE_LENGTH #11476
Vadim Smirnov
Keymaster

I think you could try to monitor non-paged pool usage via ZwQuerySystemInformation with the SystemPerformanceInformation class. Although SYSTEM_PERFORMANCE_INFORMATION is not officially documented, I don’t think that in Windows 10 it is very different (if different at all) from the one below (I think this definition dates from the times of NT 4.0/2000/XP):

    // Definition as quoted in the post (NT 4.0/2000/XP era). For pool monitoring
    // the fields of interest are PagedPoolPages / NonPagedPoolPages and the
    // cumulative allocation and free counters that follow them.
    typedef struct _SYSTEM_PERFORMANCE_INFORMATION {
        LARGE_INTEGER IdleProcessTime;
        LARGE_INTEGER IoReadTransferCount;
        LARGE_INTEGER IoWriteTransferCount;
        LARGE_INTEGER IoOtherTransferCount;
        ULONG IoReadOperationCount;
        ULONG IoWriteOperationCount;
        ULONG IoOtherOperationCount;
        ULONG AvailablePages;
        ULONG CommittedPages;
        ULONG CommitLimit;
        ULONG PeakCommitment;
        ULONG PageFaultCount;
        ULONG CopyOnWriteCount;
        ULONG TransitionCount;
        ULONG CacheTransitionCount;
        ULONG DemandZeroCount;
        ULONG PageReadCount;
        ULONG PageReadIoCount;
        ULONG CacheReadCount;
        ULONG CacheIoCount;
        ULONG DirtyPagesWriteCount;
        ULONG DirtyWriteIoCount;
        ULONG MappedPagesWriteCount;
        ULONG MappedWriteIoCount;
        ULONG PagedPoolPages;          // paged pool in use, in pages
        ULONG NonPagedPoolPages;       // non-paged pool in use, in pages
        ULONG PagedPoolAllocs;
        ULONG PagedPoolFrees;
        ULONG NonPagedPoolAllocs;      // cumulative; Allocs - Frees = outstanding
        ULONG NonPagedPoolFrees;
        ULONG FreeSystemPtes;
        ULONG ResidentSystemCodePage;
        ULONG TotalSystemDriverPages;
        ULONG TotalSystemCodePages;
        ULONG NonPagedPoolLookasideHits;
        ULONG PagedPoolLookasideHits;
        ULONG Spare3Count;
        ULONG ResidentSystemCachePage;
        ULONG ResidentPagedPoolPage;
        ULONG ResidentSystemDriverPage;
        ULONG CcFastReadNoWait;
        ULONG CcFastReadWait;
        ULONG CcFastReadResourceMiss;
        ULONG CcFastReadNotPossible;
        ULONG CcFastMdlReadNoWait;
        ULONG CcFastMdlReadWait;
        ULONG CcFastMdlReadResourceMiss;
        ULONG CcFastMdlReadNotPossible;
        ULONG CcMapDataNoWait;
        ULONG CcMapDataWait;
        ULONG CcMapDataNoWaitMiss;
        ULONG CcMapDataWaitMiss;
        ULONG CcPinMappedDataCount;
        ULONG CcPinReadNoWait;
        ULONG CcPinReadWait;
        ULONG CcPinReadNoWaitMiss;
        ULONG CcPinReadWaitMiss;
        ULONG CcCopyReadNoWait;
        ULONG CcCopyReadWait;
        ULONG CcCopyReadNoWaitMiss;
        ULONG CcCopyReadWaitMiss;
        ULONG CcMdlReadNoWait;
        ULONG CcMdlReadWait;
        ULONG CcMdlReadNoWaitMiss;
        ULONG CcMdlReadWaitMiss;
        ULONG CcReadAheadIos;
        ULONG CcLazyWriteIos;
        ULONG CcLazyWritePages;
        ULONG CcDataFlushes;
        ULONG CcDataPages;
        ULONG ContextSwitches;
        ULONG FirstLevelTbFills;
        ULONG SecondLevelTbFills;
        ULONG SystemCalls;
    } SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION;
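
The following is an added example and not code from the post above or from the winpkfilter project. It mirrors the prefix of the SYSTEM_PERFORMANCE_INFORMATION layout quoted in the post, checks that NonPagedPoolPages lands at the expected byte offset, extracts the non-paged pool counters and flags a series of samples in which both the pool page count and the number of never-freed allocations only ever grow, which is the pattern a leaking driver leaves. On Windows it calls NtQuerySystemInformation with information class 2 (SystemPerformanceInformation, assumed to be the user-mode counterpart of the ZwQuerySystemInformation call mentioned); elsewhere it runs on a constructed sample series. The 4096-byte page size and the kSamples series are assumptions.

```cpp
// Added example, not code from the forum post or the winpkfilter project.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <iterator>
#include <vector>

// Prefix of the structure quoted in the post, up to the pool counters
// (the remaining ULONG fields after NonPagedPoolFrees are omitted here).
struct PerfInfoPrefix {
    int64_t  IdleProcessTime;
    int64_t  IoReadTransferCount;
    int64_t  IoWriteTransferCount;
    int64_t  IoOtherTransferCount;
    uint32_t IoReadOperationCount, IoWriteOperationCount, IoOtherOperationCount;
    uint32_t AvailablePages, CommittedPages, CommitLimit, PeakCommitment;
    uint32_t PageFaultCount, CopyOnWriteCount, TransitionCount, CacheTransitionCount;
    uint32_t DemandZeroCount, PageReadCount, PageReadIoCount, CacheReadCount;
    uint32_t CacheIoCount, DirtyPagesWriteCount, DirtyWriteIoCount;
    uint32_t MappedPagesWriteCount, MappedWriteIoCount;
    uint32_t PagedPoolPages, NonPagedPoolPages;
    uint32_t PagedPoolAllocs, PagedPoolFrees, NonPagedPoolAllocs, NonPagedPoolFrees;
};
// Four LARGE_INTEGERs (32 bytes) followed by 21 ULONGs put NonPagedPoolPages at
// byte 116; the assert catches any accidental drift from the quoted layout.
static_assert(offsetof(PerfInfoPrefix, NonPagedPoolPages) == 116, "layout drift");

struct PoolSample {
    uint32_t nonpagedPages;      // NonPagedPoolPages
    uint32_t outstandingAllocs;  // NonPagedPoolAllocs - NonPagedPoolFrees (mod 2^32)
};

PoolSample extractSample(const PerfInfoPrefix& p) {
    return PoolSample{p.NonPagedPoolPages, p.NonPagedPoolAllocs - p.NonPagedPoolFrees};
}

uint64_t poolBytes(uint32_t pages, uint32_t pageSize) {
    return static_cast<uint64_t>(pages) * pageSize;
}

// Leak heuristic: with at least three samples, every step grows both the page
// count and the number of allocations that were never freed. Normal pool usage
// fluctuates, so a strictly monotonic climb across the whole series is suspicious.
bool looksLikeNonPagedLeak(const std::vector<PoolSample>& s) {
    if (s.size() < 3) return false;
    for (std::size_t i = 1; i < s.size(); ++i) {
        if (s[i].nonpagedPages <= s[i - 1].nonpagedPages) return false;
        if (s[i].outstandingAllocs <= s[i - 1].outstandingAllocs) return false;
    }
    return true;
}

#ifdef _WIN32
#include <windows.h>
// SystemPerformanceInformation is information class 2. The function is
// resolved from ntdll at run time since it is not declared in the SDK headers.
typedef LONG (WINAPI *NtQsiFn)(ULONG, PVOID, ULONG, PULONG);
bool querySample(PoolSample& out) {
    static NtQsiFn fn = reinterpret_cast<NtQsiFn>(
        GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation"));
    unsigned char buf[4096];  // the full structure is larger than the prefix
    ULONG returned = 0;
    if (!fn || fn(2, buf, sizeof buf, &returned) < 0 || returned < sizeof(PerfInfoPrefix))
        return false;
    PerfInfoPrefix p;
    std::memcpy(&p, buf, sizeof p);
    out = extractSample(p);
    return true;
}
#endif

int main() {
    std::vector<PoolSample> series;
#ifdef _WIN32
    for (int i = 0; i < 5; ++i) {  // one sample per second
        PoolSample s;
        if (querySample(s)) series.push_back(s);
        Sleep(1000);
    }
#else
    // Constructed series for non-Windows builds: both counters creep up each step.
    const PoolSample kSamples[] = {{20000, 5000}, {20040, 5010}, {20080, 5020}, {20120, 5030}};
    series.assign(std::begin(kSamples), std::end(kSamples));
#endif
    if (series.empty()) return 1;
    const uint32_t kPageSize = 4096;  // assumed; GetSystemInfo() reports the real value
    std::printf("non-paged pool: %llu bytes, leak suspected: %s\n",
                static_cast<unsigned long long>(poolBytes(series.back().nonpagedPages, kPageSize)),
                looksLikeNonPagedLeak(series) ? "yes" : "no");
    return 0;
}
```

Sampling once a second for a few seconds is enough to see a driver that leaks on every packet; a slow leak needs a longer window and a tolerance for the occasional dip, which the strict comparison above does not allow.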

in reply to: OID_GEN_TRANSMIT_QUEUE_LENGTH #11474
Vadim Smirnov
Keymaster

Hi,

Well, OID_GEN_TRANSMIT_QUEUE_LENGTH is optional, so you are not guaranteed to receive anything useful.

I have not tried to overflow the network card, but I think you could limit your packet sending rate according to the card's transmit speed. Anyway, faulting the system at high rates looks confusing; I would rather expect the card to drop packets if the rate exceeds its capabilities.

Regards,
Vadim

in reply to: _PACKET_OID_DATA #11463
Vadim Smirnov
Keymaster

Agree, but the way of doing this is completely undocumented and thus may vary between Windows versions. The lack of commercial software doing this probably means that this feature is hard to implement/support.

in reply to: Filtering by protocol using STATIC_FILTER structure #11459
Vadim Smirnov
Keymaster

In the context above, the layer is the driver-level abstraction associated with a FILE_OBJECT (CNdisApi object), with its own independent static filter table, packet queue, etc.

Using different layers for each application, both of them cannot intercept the same packet?

They can, if the packet was not previously dropped by upper (for outgoing packets) or lower (for incoming packets) layers.

The layers architecture allows a single driver to be shared between several different packet filter applications.

in reply to: Filtering by protocol using STATIC_FILTER structure #11457
Vadim Smirnov
Keymaster

The standard driver build supports only one packet filter table and is supposed to be used from one user mode process. You can use multiple CNdisApi instances, but setting a new filter table will override the previously loaded one. So you are supposed to collect all required filters into a single table.

However, there is also a multiple-layer driver build available to winpkfilter customers which supports multiple packet filter tables (one per filter layer) and can be used from several applications as long as they use different layers.

in reply to: Filtering by protocol using STATIC_FILTER structure #11455
Vadim Smirnov
Keymaster

What do you mean “is not working”?

If the table you load into the driver is equivalent to the following:

    // Common values
    pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
    pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID;
    pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_REDIRECT;
    pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_SEND;

    // Network layer filter
    pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
    pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
    pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_TCP;

    // Catch-all for the remaining outgoing packets
    pFilters->m_StaticFilters[1].m_Adapter.QuadPart = 0; // applied to all adapters
    pFilters->m_StaticFilters[1].m_ValidFields = 0;
    pFilters->m_StaticFilters[1].m_FilterAction = FILTER_PACKET_PASS;
    pFilters->m_StaticFilters[1].m_dwDirectionFlags = PACKET_FLAG_ON_SEND;

Then it should redirect outgoing TCP packets into user mode, pass any other outgoing packets (except TCP) over, and redirect ALL incoming packets into user mode.

in reply to: Filtering by protocol using STATIC_FILTER structure #11452
Vadim Smirnov
Keymaster

Yes, it is possible. As an example you can check the 3rd scenario in filter.cpp:

    //**************************************************************************************
    // 1. Block all ICMP packets
    // Common values
    pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
    pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID;
    pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_DROP;
    pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_SEND | PACKET_FLAG_ON_RECEIVE;

    // Network layer filter
    pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
    pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
    pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_ICMP;

Please note that in your code you use an incorrect value for m_dwDirectionFlags.
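
The following is an added example and not code from the two replies above or from the winpkfilter project. It models how a static filter table is walked, using simplified stand-in types in place of ndisapi.h's STATIC_FILTER / STATIC_FILTER_TABLE, and reproduces both tables discussed in this thread: the redirect-outgoing-TCP table and the "block all ICMP" scenario. The evaluation rules are assumptions taken from the replies: entries are tried in order, the first matching entry decides the action, and a packet no entry matches is redirected to user mode. Adapter matching (m_Adapter) is left out, so every entry applies to all adapters.

```cpp
// Added example, not code from the forum post or the winpkfilter project.
#include <cstdint>
#include <cstdio>
#include <vector>

enum Direction : uint32_t { ON_SEND = 1, ON_RECEIVE = 2 };  // like PACKET_FLAG_ON_*
enum Action { PASS, DROP, REDIRECT };                       // like FILTER_PACKET_*

// IP protocol numbers used below (same values as IPPROTO_ICMP/TCP/UDP).
constexpr uint8_t PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17;

// Stand-in for one STATIC_FILTER. With filterProtocol == false the entry
// matches any packet in its direction, like m_ValidFields = 0 in the post.
struct Filter {
    uint32_t directionFlags;  // ON_SEND, ON_RECEIVE or both
    bool     filterProtocol;  // stands for IP_V4_FILTER_PROTOCOL in m_ValidFields
    uint8_t  protocol;        // checked only when filterProtocol is true
    Action   action;
};

struct Packet {
    Direction direction;
    uint8_t   protocol;
};

// First-match walk over the table; unmatched packets go to user mode (assumed).
Action evaluate(const std::vector<Filter>& table, const Packet& pkt) {
    for (const Filter& f : table) {
        if (!(f.directionFlags & pkt.direction)) continue;
        if (f.filterProtocol && f.protocol != pkt.protocol) continue;
        return f.action;
    }
    return REDIRECT;
}

// Table from the reply on filtering by protocol: outgoing TCP is redirected,
// any other outgoing packet passes, and no entry touches incoming traffic.
std::vector<Filter> tcpRedirectTable() {
    return {{ON_SEND, true, PROTO_TCP, REDIRECT},
            {ON_SEND, false, 0, PASS}};
}

// The "block all ICMP packets" scenario, applied in both directions.
std::vector<Filter> blockIcmpTable() {
    return {{ON_SEND | ON_RECEIVE, true, PROTO_ICMP, DROP}};
}

const char* actionName(Action a) {
    return a == PASS ? "PASS" : a == DROP ? "DROP" : "REDIRECT";
}

int main() {
    // Constructed probe packets covering both directions and three protocols.
    const Packet probes[] = {{ON_SEND, PROTO_TCP}, {ON_SEND, PROTO_UDP},
                             {ON_RECEIVE, PROTO_TCP}, {ON_RECEIVE, PROTO_ICMP}};
    for (const Packet& p : probes) {
        std::printf("%-7s proto %2u: tcp-redirect table -> %-8s block-icmp table -> %s\n",
                    p.direction == ON_SEND ? "send" : "receive",
                    static_cast<unsigned>(p.protocol),
                    actionName(evaluate(tcpRedirectTable(), p)),
                    actionName(evaluate(blockIcmpTable(), p)));
    }
    return 0;
}
```

The model makes the point of the earlier reply visible: with only ON_SEND entries in the table, every incoming packet falls through to the default and ends up in user mode, so a filter meant to apply in both directions needs PACKET_FLAG_ON_SEND | PACKET_FLAG_ON_RECEIVE in m_dwDirectionFlags, as in the ICMP scenario.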

in reply to: _PACKET_OID_DATA #11450
Vadim Smirnov
Keymaster

I never needed to inject 802.11 frames and thus never researched the subject deeply. However, here are several links which could be useful:

https://www.codeproject.com/Articles/28713/802-11-Packet-Injection-for-Windows
https://github.com/Felis-Sapiens/packet11
https://github.com/nmap/npcap/issues/85

I’ve taken a quick look at the packet11 code and from what I can see it is a little bit limited in what it can do, e.g. it is able to inject only management frames.

in reply to: _PACKET_OID_DATA #11448
Vadim Smirnov
Keymaster

Yes, this is what I mean. It is not that big a deal to make this type of driver from the winpkfilter source code, though it is worth mentioning that the functionality of the monitoring driver is limited. If I remember right, you can read packets but not inject them.

in reply to: _PACKET_OID_DATA #11440
Vadim Smirnov
Keymaster

You can try to, but I don’t think that it will work. I think you will need a slightly different WiFi monitoring LWF driver for this. I created one in the past from the original winpkfilter, but I don’t remember all the details anymore…

in reply to: where is the ndisapi.pas file? #11438
Vadim Smirnov
Keymaster

in reply to: Filter string #11435
Vadim Smirnov
Keymaster

There is another error in the rule on the screenshot: you cannot specify “tcp, udp”; there can be only one protocol, either “tcp” or “udp”. Note that the rule dump (in the console) shows protocol = ip; with that value only raw IP packets are checked. If you need both tcp and udp, load two rules.

There is no point in trying a HEX string either; only plain strings are supported. And if it does not work, attach the rule, the console output and, preferably, a wireshark capture.
