Re: Could this be implemented with an NDIS or TDI driver?
From: Thomas F. Divine [DDK MVP] (tdivine_at_NOpcausaSPAM.com)
Date: 04/09/04
- Next message: Don Burn: "Re: hook driver"
- Previous message: shawn: "Re: hook driver"
- In reply to: Bill Paxman: "Could this be implemented with an NDIS or TDI driver?"
- Next in thread: Wood: "Re: Could this be implemented with an NDIS or TDI driver?"
- Reply: Wood: "Re: Could this be implemented with an NDIS or TDI driver?"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 9 Apr 2004 17:04:52 -0400
"Bill Paxman" <william.paxman@siliconboston.com> wrote in message
news:bfdcbc0d.0404091014.152983ce@posting.google.com...
> Hello Windows experts,
>
> I have UNIX development experience but am a Windows newbie. I've been
> asked to find out the feasibility of creating a Windows client that
> does the following:
>
> * Sits above TCP/UDP, but below the applications
To sit above TCP but below applications the filter must be a TDI or AFD
filter driver. See the illustration at the URL:
http://www.ndis.com/papers/winpktfilter.htm
> * Is able to write to disk all TCP or UDP traffic on selected ports
> * Is able to read the payload of a TCP or UDP packet
> * Is able to read from the file system
> * Is able to delete selected TCP or UDP traffic so that the host
> applications do not see it.
A TDI or AFD filter can do this, but they are tedious.
> * Is able to pass selected TCP or UDP traffic to the host applications
Ditto.
> * Is able to generate new TCP or UDP packets (i.e. packets that did
> not enter this node from the network) that will be sent to
> applications on this host.
Ditto.
> * Is able to generate TCP or UDP traffic destined for another host
> * Maintains state between invocations
>
Ditto.
> In addition, if there is VPN software already on this host, is there a
> way of ensuring that the client we want to develop sits on top of the
> VPN software so that it sees only the decrypted traffic?
>
Ditto.
> What I have learned so far suggests this might be possible with:
>
> 1. A combination of an NDIS intermediate driver and application, or
> 2. A combination of a TDI driver and an application
>
A TDI or AFD filter fits the requirements except for some potentially
confusing terminology.
A filter above TCP/IP will NEVER see ANY network packet. These filter
kernel-mode operations that are loosely similar to send(), sendto(), etc.
You will see the _data_ above TCP, and (with difficulty) you can intercept and
modify data. You can also operate as a TDI client to accept and initiate new
connections of your own, send/receive datagrams, etc.
So, I guess you would say that a filter above the kernel-mode TCP/IP driver
would see all of the traffic (payloads) but none of the packets...
VPN software is below the kernel-mode TCP/IP driver.
In an NDIS IM driver you will see all of the packets. However, you will have
to re-invent TCP/IP to re-assemble the "traffic". Interaction with VPN would
require careful control of binding order. Fairly tedious...
Both approaches are difficult. Could be conflicts with other filtering
products (Anti-Virus, firewall, etc.) installed on the same host.
Good luck,
Thomas F. Divine
http://www.pcausa.com
> Will either one of these work? If not, is there some other way of
> doing this? If this is possible, we will certainly get experienced
> professional help in implementing this. Thanks in advance for any
> pointers.
>
> Bill