I'm trying to figure out the best way to approach a software problem, here's a little history:
I'd like to write a program which utilizes a product like WinPcap to intercept ALL Windows network traffic. I want to use it to make a specialized LAN analyzer which allows a user complete and total control over all messaging and in various ways. I built this product 18 years ago using DOS and the famous PKTDRVR product. Works great and finds problems fast - but now we want to update it.
Does anyone know if WinPcap is the choice or is there another PKTDRVR like product out there for this purpose?
I've read a bunch of the documentation from WinPcap and it seems like it should do the trick, but before I commit I'd like to solicit some opinions and suggestions.
So specifically, I want to grab EVERYTHING in and block EVERYTHING out based on user control settings. Also, should the user allow certain messages through (such as ARP or DNS type stuff), I want to be able to pass those through transparently (aside from the delay I'd introduce).
Any thoughts? Thanks in advance!
Analyzer / Winpcap question
Re: Analyzer / Winpcap question
winpcap will not allow you to block any outgoing data or intercept/modify packets before they reach the Windows TCP/IP stack. you will need to design a driver that sees the data before Windows processes it. this could be very tricky and i couldn't tell you exactly how to go about that - i've never needed to do anything like that.
but in short, no, winpcap will not do what you want. things like this were much easier in the DOS days... just hook the packet driver interrupt, and act as the middle man!
garystampa
Re: Analyzer / Winpcap question
Yes, unfortunately Windows never delivered on any of its grand promises. Big shock... Instead people are stuck with an "OS" that tries to be all things to all people but satisfies none. But I digress.
When you say "design a driver" do you mean there is a way to get between the network chip's code and Windows' code? I would think Windows would never allow such an intrusion. On the other hand, hackers seem to alter RUNDLL32 all the time...
If there's an allowed mechanism to get directly at the network interface's driver without making a huge mess, I'll take the 3 months to figure it out - but I'd hate to head down that path to find that it's futile.
(I did suggest we use Linux, but got shot down.) BTW, I totally appreciate the input!
Owen (Cambridge, United Kingdom)
Re: Analyzer / Winpcap question
Winsock is very extensible. I think what you're after will involve writing a kernel mode Winsock filter driver, however.
That will be especially fun if you want to support both XP and Windows 7. Microsoft changed a lot of the kernel mode networking APIs between them, and while Vista provides backwards compatibility with the XP APIs I believe Windows 7 does not.
Re: Analyzer / Winpcap question
Another way is to use Detours and hook the Winsock API from the user application.
http://research.microsoft.com/en-us/projects/detours/
However, anti-virus software may not like this.
garystampa
Re: Analyzer / Winpcap question
Windows 7 is fine, no need to support other flavors of Windows. There won't be anti-virus software on this system. We only have about 20 of my DOS/PKTDRVR systems in the field and this will be used to replace them.
Therefore I have a lot of freedom - but of course I don't want a cluster of band-aids and kludges (after all, that's what Windows brings to the party).
Detours is very interesting and would certainly do the job if I knew where the job needed to be done. I guess I can start hunting Microsoft's functions and try to find a good point - hopefully it'll be in a DLL. Thanks for the tip!
Last edited by garystampa on Sat Jul 09, 2011 11:24 am, edited 1 time in total.
Re: Analyzer / Winpcap question
off-topic, but why are you being so snobbish towards windows? what grand promise did MS break that has to do with network traffic filtering? don't get me wrong, i love linux, but i tend to not use it on a system that is intended for desktop/workstation use.
windows did used to be an unstable turd, but that hasn't been the case since before win2k came out. linux simply can't be beat for a server box, but it's never going to be as refined as windows as a daily workstation. both systems have their pros and cons.
give credit where it's due, MS has done a pretty good job of coming up with an OS that tries to cover all the bases. it's user friendly, it almost always "just works", and it's powerful. it's also stable. i haven't seen a windows kernel crash not related to faulty third party drivers or failing hardware since windows 98 came out. their older OSes like that gave the stability a bad reputation, but it's completely different now.
sorry to hijack the thread, but this irks me. i pick the right tool for the job instead of completely dismissing one of my options. if i need to set up some sort of server, definitely going with linux. if i am just going to use a machine for casual stuff, web browsing, etc -- windows it is. just my 2 cents.
> Yes, unfortunately Windows never delivered on any of its grand promises. Big shock... Instead people are stuck with an "OS" that tries to be all things to all people but satisfies none. But I digress.
it satisfies a LOT of people, including many tech-savvy ones because it actually does do almost everything well. *nix is more secure, but it's a trade-off for ease of use/less hassle.
> When you say "design a driver" do you mean there is a way to get between the network chip's code and Windows' code? I would think Windows would never allow such an intrusion. On the other hand, hackers seem to alter RUNDLL32 all the time...
come on, don't rip windows just because you don't know how to do this. you absolutely can get between the network hardware and the windows protocol stacks, and the way to do so is pretty well-designed, looking at the link in the post above this.
garystampa
Re: Analyzer / Winpcap question
Sorry about my ranting. But I remember Bill Gates' big promises when Windows was first announced. He sold a lot of engineers on the idea that MS would make their lives easier; there would be unprecedented interoperability, version-to-version support, zero obsolescence, dynamic driver loading - essentially anything and everything that anyone ever wanted - would be in Windows.
Still to this day:
1) every version is different
2) you still have to reboot after most installations of anything
3) nothing is well organized
4) nothing is well documented
5) nothing is well written
6) nothing is either small or fast
7) nothing works anywhere near what the promises were - and never will
8) microsoft competes with its own customers often in an unfair manner
9) plenty of items are changed or removed as versions are released
10) "buddy" companies get inside information small developers will never have access to
Trying to be all things to all people means you're good at none.
It's certainly the engineering community's fault for believing this marketing hype, but I put most of the blame on the hype-makers - people wanted a level playing field. What we got instead was countless billions of man-hours wasted trying to sift through this thing called Windows. No sooner had XP become stable than Vista came out, then 7 and now 8. What are the differences? The difference is in the weight of your wallet. There's nothing of note that 7 or Vista can do that XP can't. Now there's an 8? Forgive me, but the "fix the world with the next version" hype has burned me out. Who needs a new OS every 12 months?
I worked for 20+ years at a small company that was bleeding edge in telephony. A bigger company (the Microsoft of the industry) told everyone that they were coming out with the same products very soon - no need to buy from the smaller company, etc. A year went by, then 2, then 3. They kept promising to come out with the stuff, no need to buy from the little guy. It was killing us. After the third year, people started buying from us and we finally started to make money. Living in Silicon Valley during the 80s and 90s I saw Microsoft pull this crap all the time. So when you say "they finally got it right" - I say there were plenty of companies who already had it right but Microsoft's B.S. kept these companies from those sales. Does Apple come to mind? Should we give all companies 10+ years to get it right?
/End rant
Anyway, it looks like I need to get between the miniport driver and NDIS.
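The decision logic that sits at that layer, as an added example that is not code from the thread, from WinPcap or from any NDIS sample: whichever hook ends up seeing frames between the miniport and the protocol stack (an NDIS filter driver's send and receive callbacks are assumed here), it has to apply the policy from the first post per frame, and that part is plain C over raw Ethernet II bytes and runs anywhere. The policy struct, the function names and the sample frames are constructed for this example; the verdict is "block everything" unless the user has allowed a class, with ARP and DNS (UDP port 53) passed through. Every length check precedes the read it guards, because a filter at this layer sees whatever the wire delivers, truncated and malformed frames included.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum verdict { VERDICT_BLOCK = 0, VERDICT_PASS = 1 };

/* User-controlled settings (hypothetical shape, not from the thread). */
struct policy {
    int allow_arp;
    int allow_dns;
    int allow_all;   /* analyzer in fully transparent mode */
};

#define ETHERTYPE_IPV4  0x0800
#define ETHERTYPE_ARP   0x0806
#define IPPROTO_UDP_NUM 17
#define DNS_PORT        53

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify one raw Ethernet II frame against the policy. */
enum verdict classify_frame(const struct policy *pol, const uint8_t *frame, size_t len)
{
    if (pol->allow_all) return VERDICT_PASS;
    if (len < 14) return VERDICT_BLOCK;                 /* shorter than an Ethernet header */
    uint16_t ethertype = rd16(frame + 12);

    if (ethertype == ETHERTYPE_ARP)
        return pol->allow_arp ? VERDICT_PASS : VERDICT_BLOCK;

    if (ethertype == ETHERTYPE_IPV4 && pol->allow_dns) {
        const uint8_t *ip = frame + 14;
        size_t iplen = len - 14;
        if (iplen < 20 || (ip[0] >> 4) != 4) return VERDICT_BLOCK;
        size_t ihl = (size_t)(ip[0] & 0x0f) * 4;        /* header length incl. options */
        if (ihl < 20 || iplen < ihl + 8) return VERDICT_BLOCK;
        if (ip[9] != IPPROTO_UDP_NUM) return VERDICT_BLOCK;
        if ((rd16(ip + 6) & 0x1fff) != 0) return VERDICT_BLOCK; /* non-first fragment: no UDP header */
        const uint8_t *udp = ip + ihl;
        if (rd16(udp) == DNS_PORT || rd16(udp + 2) == DNS_PORT) return VERDICT_PASS;
    }
    return VERDICT_BLOCK;
}

/* Constructed sample frames (not captured traffic). */
static size_t build_eth(uint8_t *buf, uint16_t ethertype)
{
    memset(buf, 0xff, 6);                                   /* dst: broadcast */
    memcpy(buf + 6, "\x02\x00\x00\x00\x00\x01", 6);         /* src: locally administered MAC */
    buf[12] = (uint8_t)(ethertype >> 8); buf[13] = (uint8_t)ethertype;
    return 14;
}

size_t build_arp_frame(uint8_t *buf)
{
    size_t n = build_eth(buf, ETHERTYPE_ARP);
    memset(buf + n, 0, 28);          /* ARP body contents do not affect the verdict */
    buf[n + 7] = 1;                  /* opcode = request */
    return n + 28;
}

/* IPv4 frame with the given L4 protocol; the 8 bytes after the IP header hold a
 * minimal UDP header (or the first 8 bytes of a TCP header) with this dport. */
size_t build_ipv4_frame(uint8_t *buf, uint8_t proto, uint16_t dport)
{
    size_t n = build_eth(buf, ETHERTYPE_IPV4);
    uint8_t *ip = buf + n;
    memset(ip, 0, 20);
    ip[0] = 0x45;                                           /* version 4, IHL 5 */
    ip[3] = 28;                                             /* total length 20 + 8 */
    ip[8] = 64;                                             /* TTL */
    ip[9] = proto;
    memcpy(ip + 12, "\xc0\xa8\x00\x0a", 4);                 /* 192.168.0.10 */
    memcpy(ip + 16, "\xc0\xa8\x00\x01", 4);                 /* 192.168.0.1  */
    uint8_t *l4 = ip + 20;
    memset(l4, 0, 8);
    l4[0] = 0xc0;                                           /* sport 49152 */
    l4[2] = (uint8_t)(dport >> 8); l4[3] = (uint8_t)dport;
    l4[5] = 8;                                              /* UDP length */
    return n + 28;
}

int main(void)
{
    struct policy pol = { 1, 1, 0 };   /* ARP and DNS allowed, everything else blocked */
    uint8_t f[64];
    size_t n;
    n = build_arp_frame(f);          printf("ARP request : %s\n", classify_frame(&pol, f, n) ? "pass" : "block");
    n = build_ipv4_frame(f, 17, 53); printf("UDP/53 query: %s\n", classify_frame(&pol, f, n) ? "pass" : "block");
    n = build_ipv4_frame(f, 17, 443);printf("UDP/443     : %s\n", classify_frame(&pol, f, n) ? "pass" : "block");
    n = build_ipv4_frame(f, 6, 53);  printf("TCP/53      : %s\n", classify_frame(&pol, f, n) ? "pass" : "block");
    printf("truncated   : %s\n", classify_frame(&pol, f, 10) ? "pass" : "block");
    return 0;
}
```

The default verdict is block, so any parse failure fails closed; the same function can be called from a user-mode harness fed by WinPcap to preview what the policy would do, even though WinPcap itself cannot enforce it.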