Re: How to go about developing a TCP Packet Filter
- From: Victor43 <Victor43@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 19 Jul 2009 10:56:01 -0700
"Volodymyr M. Shcherbyna" wrote:
Hello there,
Victor43 wrote:
Hello Volodymyr. I have another question if it's ok. If I wish to not only
capture TCP traffic like my original question but to be able to modify or
drop the same packets, what suggestion would you make? Thanks so much for
your time and help.
You can modify and capture packets in LSPs, TDI filters and NDIS IM
filters. Any filter in the chain before you can discard the packet, and
thus you don't know that there was an attempt to send a packet. You can get
this info by making extra assumptions, for example, write two filters at
different levels: at TDI level you capture TDI_CONNECT and you set up a
CompletionRoutine. If the CompletionRoutine fails and at the NDIS IM filter you
don't see a TCP SYN for the specified IP address, it means someone "ate" the
packet.
The higher level you are, i.e. in LSPs, the less traffic you see. That's
true. LSPs can't see traffic of TDI clients, for example netbt.sys traffic.
But usually they are enough to analyze ftp, http and https traffic. If
you need to capture every single bit of information sent, you need NDIS IM.
However, if you want to filter https traffic, you need something in user
mode, as you have to inject your code after the traffic is decrypted.
Basically, this is not an easy task you are talking about. You will need at
least something in kernel mode and in user mode to be able to:
1. capture all data
2. analyze known protocols
3. analyze https traffic
4. be compatible with all third party firewalls and antiviruses
It takes time. Especially compatibility with different AV and FW's ...
--
Volodymyr M. Shcherbyna, blog: http://www.shcherbyna.com/
(This posting is provided "AS IS" with no warranties, and confers no rights)
Thanks Volodymyr. I am glad to see your reply because it sets the stage for
a very complex project, one which might be beyond my range and which would
take some time for myself. But worth looking into nonetheless.
Thanking you
Victor
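The two-level correlation Volodymyr describes above (a TDI filter's CompletionRoutine on TDI_CONNECT versus whether the NDIS IM filter saw the TCP SYN), written out as an added example that is not from this thread and is not anyone's driver code. It is plain user-mode C that parses a constructed Ethernet/IPv4/TCP frame the way the NDIS-level filter would and correlates it with a constructed record of the TDI-level connect result. The record layout, the frame builder, the scenario runner and the verdict names are assumptions for the example; real filters would feed these from their respective hooks. The IP and TCP checksums in the constructed frame are left zero because the parser does not verify them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record of one TDI_CONNECT as a TDI filter would log it:
 * remote IPv4 address and port in host byte order, plus whether the
 * CompletionRoutine reported success. Field names are assumptions. */
typedef struct {
    uint32_t remote_ip;
    uint16_t remote_port;
    int      completion_ok;   /* 1 = completion routine saw success, 0 = failure */
} tdi_connect_record;

/* Result of correlating the TDI view with the NDIS IM view. */
typedef enum {
    VERDICT_CONNECTED,  /* completion succeeded: nothing to explain */
    VERDICT_SYN_SENT,   /* completion failed but the SYN reached the NDIS level: not eaten locally */
    VERDICT_EATEN       /* completion failed and no SYN seen below: a filter in between discarded it */
} verdict;

/* Minimal parser for an Ethernet II + IPv4 + TCP frame, the form an NDIS IM
 * filter sees. Returns 1 and fills dst_ip/dst_port (host order) when the frame
 * is an initial TCP SYN (SYN set, ACK clear); returns 0 for anything else.
 * Checksums and IP options are not validated. */
int parse_tcp_syn(const uint8_t *frame, size_t len, uint32_t *dst_ip, uint16_t *dst_port)
{
    if (len < 14 + 20 + 20) return 0;
    if (frame[12] != 0x08 || frame[13] != 0x00) return 0;   /* EtherType 0x0800 = IPv4 */
    const uint8_t *ip = frame + 14;
    if ((ip[0] >> 4) != 4) return 0;                        /* version field */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                /* header length in bytes */
    if (ihl < 20 || 14 + ihl + 20 > len) return 0;
    if (ip[9] != 6) return 0;                               /* protocol 6 = TCP */
    const uint8_t *tcp = ip + ihl;
    uint8_t flags = tcp[13];
    if (!(flags & 0x02) || (flags & 0x10)) return 0;        /* SYN without ACK */
    *dst_ip = ((uint32_t)ip[16] << 24) | ((uint32_t)ip[17] << 16) |
              ((uint32_t)ip[18] << 8)  |  (uint32_t)ip[19];
    *dst_port = (uint16_t)(((uint16_t)tcp[2] << 8) | tcp[3]);
    return 1;
}

/* Correlate one TDI_CONNECT record with the frames captured at the NDIS IM
 * level. A failed completion with no matching SYN below means something
 * between the two filters ate the packet. */
verdict classify_connect(const tdi_connect_record *rec,
                         const uint8_t *const *frames, const size_t *lens, size_t nframes)
{
    if (rec->completion_ok) return VERDICT_CONNECTED;
    for (size_t i = 0; i < nframes; i++) {
        uint32_t ip; uint16_t port;
        if (parse_tcp_syn(frames[i], lens[i], &ip, &port) &&
            ip == rec->remote_ip && port == rec->remote_port)
            return VERDICT_SYN_SENT;
    }
    return VERDICT_EATEN;
}

/* Build a constructed 54-byte frame from 192.0.2.1 to dst_ip:dst_port.
 * syn != 0 gives a bare SYN; otherwise a plain ACK segment on the same
 * 4-tuple, so the parser's flag check is exercised. Checksums left zero. */
size_t build_frame(uint8_t *buf, uint32_t dst_ip, uint16_t dst_port, int syn)
{
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                     /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45;                                       /* IPv4, IHL = 5 words */
    ip[3] = 40;                                         /* total length 40 */
    ip[8] = 64; ip[9] = 6;                              /* TTL, protocol TCP */
    ip[12] = 192; ip[13] = 0; ip[14] = 2; ip[15] = 1;   /* src 192.0.2.1 (TEST-NET-1) */
    ip[16] = (uint8_t)(dst_ip >> 24); ip[17] = (uint8_t)(dst_ip >> 16);
    ip[18] = (uint8_t)(dst_ip >> 8);  ip[19] = (uint8_t)dst_ip;
    uint8_t *tcp = ip + 20;
    tcp[0] = 0xc0; tcp[1] = 0x00;                       /* src port 49152 */
    tcp[2] = (uint8_t)(dst_port >> 8); tcp[3] = (uint8_t)dst_port;
    tcp[12] = 0x50;                                     /* data offset 5 words */
    tcp[13] = syn ? 0x02 : 0x10;                        /* SYN or ACK */
    return 54;
}

/* One scenario: the TDI filter logged a connect to 192.0.2.10:tdi_port with
 * the given completion result, while the NDIS IM filter captured one frame
 * to 192.0.2.10:443 that is a SYN if syn_on_wire is set. */
verdict run_scenario(int completion_ok, int syn_on_wire, uint16_t tdi_port)
{
    uint8_t frame[54];
    size_t len = build_frame(frame, 0xC000020Au, 443, syn_on_wire);
    const uint8_t *frames[1] = { frame };
    tdi_connect_record rec = { 0xC000020Au, tdi_port, completion_ok };
    return classify_connect(&rec, frames, &len, 1);
}

int main(void)
{
    static const char *names[] = { "CONNECTED", "SYN_SENT", "EATEN" };
    printf("ok, syn on wire   -> %s\n", names[run_scenario(1, 1, 443)]);
    printf("fail, syn on wire -> %s\n", names[run_scenario(0, 1, 443)]);
    printf("fail, no syn      -> %s\n", names[run_scenario(0, 0, 443)]);
    printf("fail, other port  -> %s\n", names[run_scenario(0, 1, 80)]);
    return 0;
}
```

The last scenario is the caveat worth keeping in mind with this approach: a SYN on the wire to the right host but the wrong port still counts as "eaten", so the match has to be on the full remote address and port the TDI filter recorded, not on the address alone, or an unrelated connection to the same host masks the drop.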