flat assembler
Message board for the users of flat assembler.

Index > Windows > WinPCap question

Author
Thread Post new topic Reply to topic
garystampa



Joined: 25 May 2011
Posts: 52
Location: Central FLorida
garystampa 03 Jul 2011, 16:55
I'd like to write a program which utilizes a product like WinPcap to intercept ALL Windows network traffic. I want to use it to make a specialized LAN analyzer which allows a user complete and total control over all messaging and in various ways. I built this product 18 years ago using DOS and the famous PKTDRVR product. Works great and finds problems fast - but now we want to update it.

Does anyone know if WinPcap is the choice or is there another PKTDRVR like product out there for this purpose?

I've read a bunch of the documentation from WinPcap and it seems like it should do the trick, but before I commit I'd like to solicit some opinions and suggestions.

So specifically, I want to grab EVERYTHING in and block EVERYTHING out based on user control settings. Also, should the user allow certain messages through (such as ARP or DNS type stuff), I want to be able to pass those through transparently (aside from the delay I'd introduce).

Any thoughts? Thanks in advance!
Post 03 Jul 2011, 16:55
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 05 Jul 2011, 22:25
Ring0 is the answer if you want custom data capture ? The WDK7 comes with a tutorial of that type too. (It does not necessarily capture data etc, it just shows you how to setup, and and receive events.)

However, some APIs are limited only to Win Server 200X.

WinPcap would mean that you'd have to sit in front of your PC and do it manually, or setup batch scripts to get it done.

Either is a good option
Post 05 Jul 2011, 22:25
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 06 Jul 2011, 00:24
From what I know WinPcap will allow you to capture, however, you'll have some problems with sending raw packets (I never managed to send one over a PPPoE connection, but it's OK over plain Ethernet), and I think it comes with no means to block packets from reaching the applications (but it allows you to set up a filter so you capture only a subset of all incoming traffic).

Another option is write your own network driver, but since Microsoft now requires drivers to be signed, you'll probably better off with WinPcap if it really gives you all you need since it comes signed.

PS: BTW, the traffic blocking part perhaps could be implemented by programmatically configuring the Windows' built-in firewall as needed.
Post 06 Jul 2011, 00:24
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 06 Jul 2011, 19:02
LocoDelAssembly wrote:
Microsoft now requires drivers to be signed


I think that applies mainly to Industry standard drivers.

You don't have to sign it in-order to run it. You can just manually load it when it's needed. As simple as that.
Post 06 Jul 2011, 19:02
View user's profile Send private message Reply with quote
Dex4u



Joined: 08 Feb 2005
Posts: 1601
Location: web
Dex4u 07 Jul 2011, 16:29
Why not just code it for linux, as you can do raw packets in linux.
You can make a boot disk or code it as a linux server, that does the capture and sends the raw data to a windows PC, enclosed in http etc.
Post 07 Jul 2011, 16:29
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 07 Jul 2011, 23:14
Dex4u wrote:
Why not just code it for linux, as you can do raw packets in linux.


That's what I like about Linux.

Windows always wants you to be "2nd level consumer" not "first level"
Post 07 Jul 2011, 23:14
View user's profile Send private message Reply with quote
garystampa



Joined: 25 May 2011
Posts: 52
Location: Central FLorida
garystampa 08 Jul 2011, 18:42
Dex4u wrote:
Why not just code it for linux, as you can do raw packets in linux.

If I was the boss, I would...

Has anyone ever used "Windows Filtering Platform" ? I wonder if it could be abused to perform this functionality?
.
Post 08 Jul 2011, 18:42
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.