Forum Replies Created
-
Posts
-
Im installing driver with snetcfg with ndisrd.inf and ndisrd_m.inf parameters but im using ndis hooking driver with delphi
NDIS hooking driver must be installed by adding registry entries, not by using snetcfg and INF files created for NDIS IM variant of the driver. Doing like you do would cause unpredictable behavior of the system. At least driver won’t work correctly if installed this way. So probably you use NDIS IM driver, not NDIS hooking one.
I used 3.0.2.1 version of ndisrd.sys
It is recommended to update to 3.0.4. NDIS IM driver included in 3..0.2 had some known problems with loopback packets processing and could be a reason of the BSOD mentioned.
I dont know another way of installing driver. I tried to write values into registery with my own installer, I got some errors on different machines with windows xp. How can I do clear install hooking driver automatically? Is there another script or etc? like snet cfg
I can send you a NSIS installer script for the latest build of winpkfilter for the reference if you want.
В описании WinpkFilter указано, что можно использовать RAW IOCTLs в своем драйвере. А есть ли пример драйвера?
Использовать можно, но никто еще, насколько я знаю, так не делал. Обычно клиенты либо не хотят лезть в ядро и делают все в user space, либо переделывают исходный драйвер (все варианты драйвера разделяют общий сегмент кода относящийся к обработке пакетов, все изменения достаточно вносить в него). В общем-то возможность использования IOCTL интерфейса из ядра упомянута скорее для полноты картины, отдельного примера использования нет.
Какая примерно будет разница по производительности если использовать RAW IOCTLs либо встраиваться прямо в драйвер WinpkFilter?
Оценок не делалось, но накладные расходы при использовании IOCTL интерфейса довольно значительны. В качестве альтернативы, можно было бы экспортировать набор функций из winpkfilter драйвера и предусмотреть регистрацию callback функций – это работало бы быстрее. Но опять же, поскольку никто подобной возможностью не интересовался (дополнительный функционал обычно добавляется по востребованности), она не была добавлена.
Hi,
Thank you for reporting this. I’ve got a few questions:
1) WinpkFilter NDIS hooking variant is installed directly through the registry. snetcfg is only applicable to NDIS IM variant of WinpkFilter. Which driver have actually used?
2) What version of WinpkFilter have you used? Prior 3.0.4 WinpkFilter NDIS IM driver may have meet problems with loopback packets processing which would cause the similar crash. This was fixed in 3.0.4.
3) What Windows version have you used? I’ve quickly tested Windows XP 32 bit with IPX installed and have not noticed problems with both NDIS IM and NDIS hooking drivers.
4) If you have any firewall(even integrated with AV)/VPN software installed then please let us know the name and the version, since this can be a software driver conflict.
SetHwPacketFilter выставляет аппаратный фильтр на сетевой карте, наиболее часто встречающийся пример это перевод сетевого интерфейса в promiscuous mode. То есть прямого отношения к фрагментированным пакетам эта ф-ция не имеет.
Что значит “имеющимся функциями фильтрации, работать с фрагментированными пакетами” мне непонятно. С фрагментированными IP пакетами можно работать точно так же как и с любыми другими.
WinpkFilter получает ethernet фреймы до TCP/IP стека (который осуществляет сборку фрагментов), поэтому если из сети приходят фрагментированные пакеты, то и winpkfilter покажет именно их, а не собранный IP пакет.
What Visual Basic do you actually use? The samples were created for Visual Basic 6, so if you are using them under Visual Basic .NET then then the behavior can be different. An example managed memory can’t be directly passed to driver.
For the legacy NT driver you could use HAL routines to reconfigure your device, for PnP driver you better stick with PnP manager. This paper should be of some help to understand the difference: http://www.hollistech.com/Resources/Misc%20art … usdata.doc
What do excatly mean under “order”? I would not recommend to edit network configuration through the registry, however VirtNet can be found in the registry like any other network interface.
how works the winpkfilter, for setting up the SEND / Received message?
If packet comes from the network it is marked as ON_RECEIVE and ON_SEND otherwise.
and what do you think, how many packets are an overflow from the local mac if i capture theses by it
Sorry, I don’t understand the question, could you clarify?
2.x firewall service loaded only filters and adapter modes, new features like port mappings were not supported. It was fixed in 3.x
Loading the following filter will force all UDP packets to pass without processing in user mode, all other packets will be redirected for processing to user mode.
// Common values
pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID;
pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_PASS;
pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_SEND | PACKET_FLAG_ON_RECEIVE;
// Network layer filter
pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP;Refer “filter” sample for the general filters usage.
Can UDP packets pass without entering winpk filter?
No, unless you have loaded a filter to pass UDP packets without user-mode processing.
Can I do it using winpkfilter ? If yes how can I do that ?
You can. Just set IP/TCP headers as I have set Ethernet header in the sample above. The actual values of IP/TCP headers depend from the packet you intend to form.
pavankvnaidu posted a sample where he tries to initialize IP and UDP headers, you have to do the similar job.
Actually that depends on how you do copy data. If, an example, you have VirtNet NIC with IP address 192.168.1.101 and send ping packets on it:
ping 192.168.1.101 -t
Then actually non of the ping echo packet ever really reach the NIC, all data sent/received to/from local interfaces are processed inside TCP/IP. So no real network usage….
