Forum Replies Created
-
Posts
-
Hmm, I don’t think you can alter Windows native bridge behavior, however you can try an alternative network bridging approach suggested here https://www.ntkernel.com/bridging-networks-with-windows-packet-filter/. It should work for your setup.
If your task is connecting RNDIS USB device to laptop network then you can also use NAT approach instead bridge. I have had such experience in the past with USB connected NetTalk DUO device.
And the last, you can try to play around OID_GEN_CURRENT_PACKET_FILTER by setting it directly for underlying USB RNDIS miniport. WinpkFilter driver allows you to bind above and below Windows native Ethernet Bridge, so you can bind to USB RNDIS miniport directly even with enabled bridging. And then try try set different filter for USB RNDIS by using CNdisApi:SetHwPacketFilter. Al least you can find out if setting different packet filter can help here.
It looks that problem is specific to the particular host, not to Windows 10 in general. There are two possibilities: first, something is screwed in this particular Windows installation and you may try system restore or you have some kind of security software installed which prevents third-party drivers from being installed…
I have tested VirtNet on Windows 10 x86 1511 and Windows 10 x64 1607. In both cases driver was installed using Device Manager and installation worked as intended.
I suspect you have tryed to install x86 driver build on x64 platform or vide versa. This would explain an error message you have got.
Hmm, probably driver package have to be updated to support Windows 10. We will check and update the package if necessary.
Question: What happens if, for whatever reason, all 1000 buffers are filled before a receiver calls ReadPacket(hDriver, &Request)?
First, I have to note that part of this buffers (10% or 100 packets) is reserved and never placed into the adapter queue. So if packets queue grows up to 900 buffers (an example, if user mode application stops reading packets from the driver) then the driver stops placing followed packets into the queue. Instead it checks packets against loaded static filters and current adapter mode, if the packet should be passed then it is passed, if it should be dropped OR PLACED INTO THE QUEUE then is is DROPPED. Such driver behaviour allows to avoid network lock if user mode application is hangs. An example, in case of remote debugging you can set the static filter to pass TCP port 3389 (RDP) and even if you stop the filtering application in debugger (causing driver queue grow up to maximum size) you still won’t loose the RDP connection. Although, please note that all other network activity (except allowed explicitely by static filters) will be blocked.
There are actually two different things by the link you posted, socket buffer size and winpcap buffer size. If your question is about WinpkFilter driver internal buffers then for Windows Vista and later driver preallocates 1000 buffers for 1514 bytes sized packets. This value is hardcoded (changing requires driver recompile) and can’t be changed from user mode application.
Yes, this is a part of required changes, but it is not enough to change this definition in common.h and rebuild ndisapi.dll. In order to enable jumbo frames you also have to enable jumbo frames in winpkfilter driver and rebuild it.
If you look at those packets closer then you will notice that TTL for each fllowed duplicated packet is decremented. Without going deep into details this behaviour is caused by single interface IP routing combined with loopback packet indications (required by Winpcap to collect packets). And thus there are several ways to fix it.
1) You can disable IP routing feature on the host by going to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key and changing IPEnableRouter from 1 to 0. IP routing feature is required only for the Internet Gateway sample and it is enabled only if you install this sample. If you don’t need it for smething else then it is safe to disable.
2) You can drop re-routed packets in WinpkFilter application.
3) WinpkFilter has some filter flags to prevent loopback packet indications which are normally used in promiscuous mode. I have to check if these flags are applicable to this situation with single interface routing but this is another possible approach – just filter these packets out on the driver level.
I think you can take a look at WAN Emulator sample code. The part responsible for packet delay is very similar to what you need to do to implement bandwidth limiter.
WAN Emulator (PacketDelayerLayer.cpp) has two packet queues, one for incoming packets and another for outgoing. All intercepted packets first are placed into these queues and sent out from these queues by two dedicated threads after delaying packets for the specified number of milliseconds.
To limit bandwidth for the specified IP address you should do very similar things by queueing packets, but instead of delaying each packet for the fixed amount of milliseconds you should first calculate the time passed since last send operation, then calculate the amount of data which would be passed for the particular IP address during this time using you bandwidth limit parameter and then send out as many packets as it fits into the calculated amount of bytes.
Hope it helps…
Yes, in Windows 10 it is a little bit trickier to identify NDISWANIP interface and yes, you are right I have to update ListAdapters sample.
However, it is not a complex task at all. in order to do this you have to enumerate subkeys of the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}. Each subkey represents a network interface and the name of the subkey is the same as returned by WinpkFilter driver internal network interface name. For each network connection subkey you have to open ‘Connection’ subkey and check ‘PnPInstanceId’ value. If it is ‘SWD\MSRRAS\MS_NDISWANIP’ then this connection corresponds NDISWANIP connection under earlier versions of Windows.
Hope it helps…
WinpkFilter works at the NDIS level, while socket is a high level abstraction, also for some packets (an example, routed packets) there can be no socket object at all.
Also, is there any way to get process metadata(process name, pid etc) using winpkfilter?
Yes, there is a way. You can use IP helper API to query active connections from the system and use protocol/IP/port information to match the packet against the connection and figure out the originating process.
