Forum Replies Created
Thank you for the information. We will change the declaration of GetRasLinks for the next release.
When the driver receives the memory block, it checks that it has the correct size before filling it with data. If you shrank the RAS_LINKS structure and passed a smaller memory block to the driver, then it simply failed the operation. Is there a problem in C# with allocating a large block of unmanaged memory?
Do you mean to filter the OpenVPN virtual adapter?
Are you sure that you need this kind of loopback packets? In the WinpkFilter context, loopback packets are the packets indicated by the NDIS layer to bound protocols in response to an outgoing packet from one of the bound protocols. For example, TCP/IP sends a packet without NDIS_FLAGS_DONT_LOOPBACK. In this case the packet does not only go out on the network media, but normally it is also indicated back to the protocol layer as if it had been received from the network. You can find some additional information on loopback packets here: http://www.ndis.com/ndis-ndis5/loopback/loopback.htm
I don't know much about your firewall code, but I would start with logging data out of your firewall solution and running a network sniffer in parallel in order to catch the situation and analyze what happens.
If you mean localhost packets (for example, two applications communicating via Winsock and running on the same system), then these packets are processed internally by TCP/IP and never reach the NDIS layer. So you can't use WinpkFilter to control these packets. However, you can use Local Network Monitor, which is based on a TDI filter driver and allows you to intercept localhost data transfers.
Difficult to say, as this issue needs a deep analysis. Maybe this is just a software bug in the firewall.
Please address such questions to support(at)ntkernel.com
HTTP is more straightforward and should not behave like that.
Something similar is possible if you use IE to download from an FTP server:
The FTP protocol normally uses two connections: the first is the control channel for FTP commands and the second is the data channel used to send the actual data. In active mode the FTP client creates a local listening socket and sends a PORT command to the FTP server specifying the local IP address and port. Then the FTP server connects to this IP:port and the requested file is transferred over this TCP connection. Thus the request for the file is sent over one TCP connection but the file is sent over another one. In passive mode both control and data channels are initiated by the FTP client (this mode is easier for NAT traversal), but once again the request is sent by the client over the control channel while the data are sent from the server over the data channel. This is very similar to what you have reported. If I remember correctly, IE normally uses FTP in passive mode.
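Since the request and the file travel on different TCP connections, a packet filter has to read the data endpoint out of the control channel to tie the two together. The following is an added example, not part of the original reply and not WinpkFilter code: a C parser for the active-mode PORT command and the passive-mode 227 reply, with hypothetical type and function names.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Data-channel endpoint announced on the FTP control channel. */
typedef struct {
    uint8_t  ip[4];   /* IPv4 octets h1..h4 */
    uint16_t port;    /* p1 * 256 + p2, host byte order */
    int      passive; /* 0 = client PORT command, 1 = server 227 reply */
} ftp_endpoint;

/* Parse "h1,h2,h3,h4,p1,p2" at s; each field must be 0..255. */
static int parse_tuple(const char *s, ftp_endpoint *ep)
{
    unsigned v[6];
    int used = 0;
    /* A digit right after the tuple means the last field was too long. */
    if (sscanf(s, "%3u,%3u,%3u,%3u,%3u,%3u%n", &v[0], &v[1], &v[2],
               &v[3], &v[4], &v[5], &used) != 6
        || isdigit((unsigned char)s[used]))
        return 0;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255) return 0;
    for (int i = 0; i < 4; i++)
        ep->ip[i] = (uint8_t)v[i];
    ep->port = (uint16_t)(v[4] * 256 + v[5]);
    return 1;
}

/* Returns 1 and fills *ep if the control-channel line announces a data
 * endpoint (active-mode PORT or passive-mode 227 reply), otherwise 0. */
int ftp_data_endpoint(const char *line, ftp_endpoint *ep)
{
    static const char cmd[] = "PORT ";
    size_t i = 0;
    while (cmd[i] && toupper((unsigned char)line[i]) == cmd[i])
        i++;
    if (!cmd[i]) {                     /* whole "PORT " prefix matched */
        ep->passive = 0;
        return isdigit((unsigned char)line[i]) && parse_tuple(line + i, ep);
    }
    if (strncmp(line, "227 ", 4) != 0) return 0;
    ep->passive = 1;
    /* The 227 text is free-form: try every position where a number starts. */
    for (const char *p = line + 4; *p; p++)
        if (isdigit((unsigned char)*p) && !isdigit((unsigned char)p[-1])
            && parse_tuple(p, ep))
            return 1;
    return 0;
}
```

A filter would call this on each control-channel line and then expect a new TCP connection to the returned address and port: inbound to the client for PORT, outbound from the client for 227.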
1) Yes, of course this is possible to do with WinpkFilter.
2) We don't have defragment/fragment sample code we can send to you, although we can develop one as a small consulting project if you agree to pay for the development effort.
GetAdapterPacketQueueSize was added at a customer's request. Personally, I have never used it myself in WinpkFilter-based projects. But it may make sense to use it, for example, when you have a single thread reading packets from several network interfaces. In this case you can use this call to determine the interface with the largest amount of packets queued and read that amount of packets in the next API call.
NdisrdRequest is a wrapper around the NdisRequest NDIS call. It is only needed if you need to query some specific information from the network interface.
-1 means WAIT_FAILED, and the problem is in the hEvent[0] value, which is NULL.
You defined the hEvent array indexed from 0, as below:
hEvent: array[0..255] of THANDLE;
But you fill it with event handles starting from index 1 (see below), so for index 0 you have an invalid event handle.
for dwAdIndex := 1 to AdList.m_nAdapterCount do
begin
...
hEvent[dwAdIndex] := CreateEvent(nil, TRUE, FALSE, nil);
You have to install the correct driver into the system: a 32-bit driver for a 32-bit system and a 64-bit driver for a 64-bit one. The application can be the same; however, a 64-bit application may give some advantage on a 64-bit platform.
WinpkFilter has an internal packet pool for 500 packets; if the network gets locked, then maybe there are already 500 packets waiting for you to read them out from the driver. Try to call GetAdapterPacketQueueSize for every adapter you have set into tunnel/listen modes to see how many packets are queued and not yet processed by your application.