Forum Replies Created
If you look at those packets closer then you will notice that the TTL of each following duplicated packet is decremented. Without going deep into details, this behaviour is caused by single-interface IP routing combined with loopback packet indications (required by WinPcap to collect packets). And thus there are several ways to fix it.
1) You can disable the IP routing feature on the host by going to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key and changing IPEnableRouter from 1 to 0. The IP routing feature is required only for the Internet Gateway sample and it is enabled only if you install this sample. If you don’t need it for something else then it is safe to disable.
2) You can drop re-routed packets in the WinpkFilter application.
3) WinpkFilter has some filter flags to prevent loopback packet indications, which are normally used in promiscuous mode. I have to check if these flags are applicable to this situation with single-interface routing, but this is another possible approach – just filter these packets out at the driver level.
I think you can take a look at the WAN Emulator sample code. The part responsible for packet delay is very similar to what you need to do to implement a bandwidth limiter.
WAN Emulator (PacketDelayerLayer.cpp) has two packet queues, one for incoming packets and another for outgoing ones. All intercepted packets are first placed into these queues and are sent out from them by two dedicated threads after being delayed for the specified number of milliseconds.
To limit bandwidth for the specified IP address you should do very similar things by queueing packets, but instead of delaying each packet for a fixed number of milliseconds you should first calculate the time passed since the last send operation, then calculate the amount of data which would be passed for the particular IP address during this time using your bandwidth limit parameter, and then send out as many packets as fit into the calculated number of bytes.
Hope it helps…
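The queue-and-credit scheme described above, written out as an added example (this is not the WAN Emulator sample's code and not part of the original reply). It assumes the caller runs the reading and sending threads itself and passes a monotonic millisecond clock in; packet buffers are represented only by their size, and the 0x0A000001 addresses used below are constructed sample values.

```cpp
#include <cstddef>
#include <cstdint>
#include <deque>
#include <map>
#include <vector>

// A released packet: which flow it belonged to and how many bytes it carried.
// (A real implementation would carry the intercepted packet buffer itself.)
struct QueuedPacket {
    uint32_t ip;
    size_t bytes;
};

// Per-IP rate limiter. The caller owns the threads and the clock: enqueue() is
// called by the packet-reading thread, release() by the dedicated sending thread,
// and both receive the current time in milliseconds (a monotonic source such as
// GetTickCount64 or std::chrono::steady_clock in real code).
class BandwidthLimiter {
public:
    explicit BandwidthLimiter(double bytes_per_sec) : rate_(bytes_per_sec) {}

    // Queue a packet for the given IP instead of sending it right away.
    void enqueue(uint32_t ip, size_t bytes, uint64_t now_ms) {
        auto it = flows_.find(ip);
        if (it == flows_.end())
            it = flows_.emplace(ip, Flow{std::deque<size_t>(), 0.0, now_ms}).first;
        it->second.queue.push_back(bytes);
    }

    // Called periodically by the sending thread. Credits each flow with the bytes
    // its limit allows for the time elapsed since the last call, then releases as
    // many whole packets as fit into the accumulated credit.
    std::vector<QueuedPacket> release(uint64_t now_ms) {
        std::vector<QueuedPacket> out;
        for (auto& kv : flows_) {
            Flow& f = kv.second;
            double elapsed_s = (double)(now_ms - f.last_ms) / 1000.0;
            f.last_ms = now_ms;
            f.allowance += elapsed_s * rate_;

            // Cap unused credit at one second's worth so an idle flow cannot bank
            // an unbounded burst; a single oversized packet is still allowed once
            // enough time has passed to cover it.
            double cap = rate_;
            if (!f.queue.empty() && (double)f.queue.front() > cap)
                cap = (double)f.queue.front();
            if (f.allowance > cap) f.allowance = cap;

            while (!f.queue.empty() && (double)f.queue.front() <= f.allowance) {
                f.allowance -= (double)f.queue.front();
                out.push_back(QueuedPacket{kv.first, f.queue.front()});
                f.queue.pop_front();
            }
        }
        return out;
    }

    // Number of packets still waiting for the given IP.
    size_t pending(uint32_t ip) const {
        auto it = flows_.find(ip);
        return it == flows_.end() ? 0 : it->second.queue.size();
    }

private:
    struct Flow {
        std::deque<size_t> queue;  // packet sizes in arrival order
        double allowance;          // bytes that may be sent right now
        uint64_t last_ms;          // time of the last credit calculation
    };
    std::map<uint32_t, Flow> flows_;
    double rate_;
};
```

The packets returned by release() are the ones to hand to the WinpkFilter send call; everything else stays queued until the next tick. The cap on accumulated credit is the part the reply leaves implicit: without it a flow that was idle for a minute would be allowed a minute's worth of bytes in one burst.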
Yes, in Windows 10 it is a little bit trickier to identify the NDISWANIP interface, and yes, you are right, I have to update the ListAdapters sample.
However, it is not a complex task at all. In order to do this you have to enumerate the subkeys of the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}. Each subkey represents a network interface and the name of the subkey is the same as the internal network interface name returned by the WinpkFilter driver. For each network connection subkey you have to open the ‘Connection’ subkey and check the ‘PnPInstanceId’ value. If it is ‘SWD\MSRRAS\MS_NDISWANIP’ then this connection corresponds to the NDISWANIP connection under earlier versions of Windows.
Hope it helps…
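The registry walk from the reply above as an added C++ example (not the ListAdapters sample and not NT Kernel's code). The matching predicate is portable; the enumeration itself uses the Win32 registry API and is compiled only on Windows. The "SWD\MSRRAS\MS_OTHER" string in the comments is a constructed non-matching value, not a real PnP ID.

```cpp
#include <cwctype>
#include <string>
#include <vector>

// PnPInstanceId value that identifies the NDISWANIP connection on Windows 10.
static const wchar_t* const kNdisWanIpInstanceId = L"SWD\\MSRRAS\\MS_NDISWANIP";

// Registry strings are not case-sensitive, so compare case-insensitively.
bool is_ndiswanip(const std::wstring& pnp_instance_id) {
    std::wstring expected(kNdisWanIpInstanceId);
    if (pnp_instance_id.size() != expected.size()) return false;
    for (size_t i = 0; i < expected.size(); ++i)
        if (std::towupper(pnp_instance_id[i]) != std::towupper(expected[i])) return false;
    return true;
}

#ifdef _WIN32
#include <windows.h>

// Enumerates the connection GUID subkeys and returns the names of those whose
// Connection\PnPInstanceId identifies NDISWANIP. Each returned subkey name is the
// internal interface name WinpkFilter reports for that adapter.
std::vector<std::wstring> find_ndiswanip_interfaces() {
    std::vector<std::wstring> found;
    const wchar_t* base =
        L"SYSTEM\\CurrentControlSet\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}";
    HKEY net;
    if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, base, 0, KEY_READ, &net) != ERROR_SUCCESS)
        return found;
    for (DWORD i = 0;; ++i) {
        wchar_t name[256];
        DWORD name_len = 256;
        if (RegEnumKeyExW(net, i, name, &name_len, nullptr, nullptr, nullptr, nullptr) != ERROR_SUCCESS)
            break;  // ERROR_NO_MORE_ITEMS ends the enumeration
        HKEY conn;
        std::wstring conn_path = std::wstring(name) + L"\\Connection";
        if (RegOpenKeyExW(net, conn_path.c_str(), 0, KEY_READ, &conn) != ERROR_SUCCESS)
            continue;  // e.g. the "Descriptions" subkey has no Connection key
        wchar_t id[513];
        DWORD size = 512 * sizeof(wchar_t), type = 0;
        if (RegQueryValueExW(conn, L"PnPInstanceId", nullptr, &type,
                             reinterpret_cast<LPBYTE>(id), &size) == ERROR_SUCCESS &&
            type == REG_SZ) {
            id[size / sizeof(wchar_t)] = L'\0';  // REG_SZ data is not guaranteed to be terminated
            if (is_ndiswanip(id)) found.push_back(name);
        }
        RegCloseKey(conn);
    }
    RegCloseKey(net);
    return found;
}
#endif
```

The explicit termination after RegQueryValueExW matters: a value written without its trailing NUL would otherwise be read past its end. Keys that have no Connection subkey are skipped rather than treated as errors, since the Network key also holds non-interface entries.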
WinpkFilter works at the NDIS level, while a socket is a high-level abstraction; also, for some packets (for example, routed packets) there may be no socket object at all.
Also, is there any way to get process metadata (process name, PID, etc.) using WinpkFilter?
Yes, there is a way. You can use the IP Helper API to query active connections from the system and use the protocol/IP/port information to match the packet against a connection and figure out the originating process.
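The matching step from the reply above as an added example (not WinpkFilter's code). It assumes the caller has already copied the connection table into a plain vector; the ConnRow struct is a constructed mirror of the MIB_TCPROW_OWNER_PID fields that GetExtendedTcpTable fills in, and the addresses, ports and PIDs in sample_table() are constructed values.

```cpp
#include <cstdint>
#include <vector>

// Constructed mirror of the MIB_TCPROW_OWNER_PID fields needed for matching. Real
// code fills a vector of these from GetExtendedTcpTable(TCP_TABLE_OWNER_PID_ALL);
// note the real struct keeps addresses and ports in network byte order, with the
// port in the low 16 bits of a DWORD. Host byte order is used here for clarity.
struct ConnRow {
    uint32_t local_addr;
    uint16_t local_port;
    uint32_t remote_addr;
    uint16_t remote_port;
    uint32_t pid;
    bool listening;  // dwState == MIB_TCP_STATE_LISTEN
};

struct PacketTuple {
    uint32_t src_addr;
    uint16_t src_port;
    uint32_t dst_addr;
    uint16_t dst_port;
};

// Returns the PID owning the socket a TCP packet belongs to, or 0 if none matches.
// The direction decides which end of the packet is the local socket.
uint32_t match_pid(const std::vector<ConnRow>& table, const PacketTuple& p, bool outbound) {
    uint32_t laddr = outbound ? p.src_addr : p.dst_addr;
    uint16_t lport = outbound ? p.src_port : p.dst_port;
    uint32_t raddr = outbound ? p.dst_addr : p.src_addr;
    uint16_t rport = outbound ? p.dst_port : p.src_port;

    // 1. Exact four-tuple match: an established (or connecting) socket.
    for (const ConnRow& r : table)
        if (!r.listening && r.local_addr == laddr && r.local_port == lport &&
            r.remote_addr == raddr && r.remote_port == rport)
            return r.pid;

    // 2. Inbound packet to a listening socket: the remote end is not in the table
    //    yet, and a listener bound to INADDR_ANY (0.0.0.0) accepts on every address.
    if (!outbound)
        for (const ConnRow& r : table)
            if (r.listening && r.local_port == lport &&
                (r.local_addr == laddr || r.local_addr == 0))
                return r.pid;

    return 0;  // no owner known: forwarded traffic, or the table snapshot is stale
}

// Constructed sample table: one client connection (PID 4321) and a server
// listening on all addresses (PID 1000).
std::vector<ConnRow> sample_table() {
    return {
        {0xC0A8010A, 49152, 0xCB007105, 443, 4321, false},
        {0x00000000, 80, 0, 0, 1000, true},
    };
}
```

Two caveats follow from the reply's own point that this is a user-mode lookup, not driver data: the table is a snapshot, so the first SYN of a new outbound connection can be seen before its socket appears in it, and routed or forwarded packets legitimately have no owner, which is why 0 is a normal result rather than an error.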
Yes, besides changing the IP address you have to recalculate the packet checksums. You can find some C++ sample code in the Internet Gateway sample. When doing NAT it changes the source IP address and recalculates the checksums.
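An added C++ example of the recalculation the reply refers to (this is not the Internet Gateway sample's code). Rewriting the source address invalidates two checksums: the IPv4 header checksum directly, and the TCP/UDP checksum through its pseudo-header. The block shows both a full recompute and the RFC 1624 incremental update, on a constructed 40-byte TCP SYN; all addresses and ports in it are sample values.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Ones' complement sum of 16-bit big-endian words; an odd trailing byte is zero-padded.
static uint32_t ones_sum(const uint8_t* d, size_t len, uint32_t sum = 0) {
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)d[i] << 8 | d[i + 1];
    if (len & 1) sum += (uint32_t)d[len - 1] << 8;
    return sum;
}
// Fold the end-around carries and complement: the value that goes on the wire.
static uint16_t fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}
static uint16_t get16(const uint8_t* p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put16(uint8_t* p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t* p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static size_t ihl_bytes(const uint8_t* ip) { return (ip[0] & 0x0F) * 4u; }
static size_t l4_cks_offset(uint8_t proto) { return proto == 6 ? 16 : 6; }  // TCP : UDP

// Full recompute of the IPv4 header checksum (field zeroed before summing).
void ipv4_fix_checksum(uint8_t* ip) {
    put16(ip + 10, 0);
    put16(ip + 10, fold(ones_sum(ip, ihl_bytes(ip))));
}

// Full recompute of the TCP/UDP checksum, covering the pseudo-header
// (source/destination address, protocol, transport length) and the segment.
void l4_fix_checksum(uint8_t* ip, size_t total_len) {
    size_t ihl = ihl_bytes(ip), l4len = total_len - ihl;
    uint8_t proto = ip[9];
    uint8_t* l4 = ip + ihl;
    put16(l4 + l4_cks_offset(proto), 0);
    uint32_t sum = ones_sum(ip + 12, 8) + proto + (uint32_t)l4len;
    uint16_t c = fold(ones_sum(l4, l4len, sum));
    if (proto == 17 && c == 0) c = 0xFFFF;  // UDP: zero on the wire means "no checksum"
    put16(l4 + l4_cks_offset(proto), c);
}

// RFC 1624 incremental update, HC' = ~(~HC + ~m + m'), over the words that changed.
static uint16_t incremental(uint16_t old_cks, const uint8_t* oldw, const uint8_t* neww, size_t len) {
    uint32_t sum = (uint16_t)~old_cks;
    for (size_t i = 0; i < len; i += 2)
        sum += (uint16_t)~get16(oldw + i) + (uint32_t)get16(neww + i);
    return fold(sum);
}

// NAT-style source rewrite. Only the address words change, so the incremental
// path touches just them; the full path is the simpler, slower alternative.
void nat_rewrite_source(std::vector<uint8_t>& pkt, uint32_t new_src, bool use_incremental) {
    uint8_t* ip = pkt.data();
    uint8_t old_src[4];
    std::memcpy(old_src, ip + 12, 4);
    put32(ip + 12, new_src);
    if (!use_incremental) {
        ipv4_fix_checksum(ip);
        l4_fix_checksum(ip, pkt.size());
        return;
    }
    put16(ip + 10, incremental(get16(ip + 10), old_src, ip + 12, 4));
    uint8_t* cks = ip + ihl_bytes(ip) + l4_cks_offset(ip[9]);
    if (ip[9] == 17 && get16(cks) == 0) return;  // UDP without checksum stays untouched
    uint16_t c = incremental(get16(cks), old_src, ip + 12, 4);
    if (ip[9] == 17 && c == 0) c = 0xFFFF;
    put16(cks, c);
}

// True when both checksums verify (a correct field makes the sum fold to zero).
bool checksums_valid(const std::vector<uint8_t>& pkt) {
    const uint8_t* ip = pkt.data();
    size_t ihl = ihl_bytes(ip), l4len = pkt.size() - ihl;
    if (fold(ones_sum(ip, ihl)) != 0) return false;
    const uint8_t* l4 = ip + ihl;
    uint8_t proto = ip[9];
    if (proto == 17 && get16(l4 + 6) == 0) return true;
    uint32_t sum = ones_sum(ip + 12, 8) + proto + (uint32_t)l4len;
    return fold(ones_sum(l4, l4len, sum)) == 0;
}

uint32_t source_ip(const std::vector<uint8_t>& pkt) {
    return (uint32_t)get16(pkt.data() + 12) << 16 | get16(pkt.data() + 14);
}

// Constructed sample: IPv4/TCP SYN 192.168.1.10:40000 -> 203.0.113.5:80, no options.
std::vector<uint8_t> sample_tcp_packet() {
    std::vector<uint8_t> p(40, 0);
    p[0] = 0x45; put16(&p[2], 40); put16(&p[4], 0x1234); put16(&p[6], 0x4000);
    p[8] = 64; p[9] = 6;
    put32(&p[12], 0xC0A8010A); put32(&p[16], 0xCB007105);
    put16(&p[20], 40000); put16(&p[22], 80); put32(&p[24], 0x11223344);
    p[32] = 0x50; p[33] = 0x02; put16(&p[34], 0xFFFF);
    ipv4_fix_checksum(p.data());
    l4_fix_checksum(p.data(), p.size());
    return p;
}
```

The incremental form is what a NAT on a busy link wants, since it never walks the payload; the full recompute is the reference to test it against. Note the UDP special case in both paths: a transport checksum of zero means "absent" in UDP, so a computed zero must be sent as 0xFFFF and an absent one must not be "fixed" into existence.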
Windows Packet Filter Kit 3.2.7 released:
- Significantly improved driver performance for high speed networks.
If you are eligible for a free update, please send the following details to support@ntkernel.com to receive an update instruction:
- Your order ID.
- An approximate date of purchasing.
Windows Packet Filter Kit 3.2.6 released:
- Added a special reserved pool for packets handled in kernel mode (these are packets which are not supposed to be redirected to the user-mode application for further processing: passed/blocked according to loaded filters and collected from non-tunneled network interfaces). This feature seriously improves remote debugging capabilities for WinpkFilter-based applications. For example, if you debug over RDP and your application loads static filters to pass RDP connections prior to putting the network interface into tunnel mode, then you can safely put breakpoints in the packet processing thread, suspend it and analyze individual packets without the risk of being disconnected.
- Fixed Visual Studio 2015 compiler errors when building WinpkFilter NDIS 6.x Lightweight Filter drivers
If you are eligible for a free update, please send the following details to support@ntkernel.com to receive an update instruction:
- Your order ID.
- An approximate date of purchasing.
Windows Packet Filter 3.2.5 released:
- Fixed NDIS-hooking driver on Windows XP crash
- Fixed issue with NDIS Lightweight Filter driver (driver bypassed some packets without analyses in low memory resources state)
If you are eligible for a free update, please send the following details to support@ntkernel.com to receive an update instruction:
- Your order ID.
- An approximate date of purchasing.
This information is not available at the driver level; however, you can use the IP Helper API to retrieve information about network adapters (GetAdaptersInfo) and associate it with the adapters returned by WinpkFilter using AdapterName (GUID) or Address (MAC address). Such information can also be fetched from the registry directly.
Windows Packet Filter 3.2.4 released:
Installer:
- Windows XP Embedded installation fix (Embedded required the NDIS IM driver to be present in WINDIR)
- Silent installation support with /S switch
Internet Gateway sample:
- Fixed packet multiplication issue caused by combination of Wireshark, loopback packet indications and single interface routing
Driver:
- Built-in filters performance optimization
- Adapter list change event fix (removed time gap between event and actual change of the list)
- Possible memory leak issue fixed
- INF file for LWF changed to bind below and above Ethernet bridge
- Fixed incorrect field alignment in NDISHK_PACKET
- Fixed NDIS 5.1 IM Driver Verifier crash
- Fixed issue with network interface MTU configuration changes
If you are eligible for a free update, please send the following details to support@ntkernel.com to receive an update instruction:
- Your order ID.
- An approximate date of purchasing.
This action simply means that the packet should be sent to your user-mode application for processing. Please refer to filter.cpp for the filtering sample patterns.
WWWCENSOR is just a simple sample application which demonstrates how certain connections can be selected and blocked. Its primary audience is developers, not end users. If you are thinking of using WWWCENSOR as a base for your content filtering application, then you can trace its code with the sites where it does not work and check why these sites are passed.
Anyway, I have an idea why it may not work in some of the cases you noticed. WWWCENSOR uses single-byte ASCII encoding when searching for the pattern to block. If the web page content is Unicode encoded, for example, then it won’t be able to find it. As I have mentioned above, this is just a simple sample.
Hi Matt,
In ndisapi.cs ETH_M_REQUEST is defined with a constant array size of 256, but this is only to avoid writing complex marshaling code for a variable array size. You can change this constant to any value of your choice.
-Vadim
Hi Matt,
I have not had much time to continue testing with Windows 10 yet. The second reason is that Windows 10 IoT does not yet support all the features it is supposed to, so testing before release may be a waste of time. However, I do plan to continue the research.
-Vadim
I have played a little with Windows 10 on the Raspberry Pi 2 over the weekend. The good news is that yes, it allows device driver installation etc.
Regretfully, devcon is not suitable for installing network filter drivers, and since there is no GUI control panel applet, a port of snetcfg is also needed to install the NDIS Lightweight Filter driver. It was not a big deal to compile WinpkFilter for ARM, but a simple compilation of snetcfg for ARM did not work and it needs more time to resolve.