[Winpcap-users] packet redirection

Ben Greear greearb at candelatech.com
Wed Sep 14 02:37:02 GMT 2005


Guy Harris wrote:
> 
> On Sep 13, 2005, at 4:55 PM, Ben Greear wrote:
> 
>> With a slightly modified driver, you can become a transparent bridge,
> 
> 
> Do the modifications include inserting the driver into the networking
> stack in such a way that intercepted packets *have* to get passed on by
> the driver in order to be transmitted?

The modification is about 2 lines that just make transmitted packets
NOT received by the tap sniffing on that interface.  With this patch,
you can make a bridge; without it, you basically get into an endless
loop or have to do horrible things to try to figure out if a packet
you sniffed is tx or rx.

>> The standard winpcap does not support sending packets (correctly),
>> however.
> 
> 
> It doesn't?  "pcap_sendpacket()" (and, in 3.1, "pcap_inject()") don't
> correctly send a packet that an application has constructed?

It correctly sends, it's just that it also 'sniffs' the sent packet,
just as it would a packet from the external network.

>> For commercial ventures, it appears that these guys have a competing
>> tool that their sales guy *said* could transmit packets.  I have not
>> actually had time to try it out yet...
>>
>> http://microolap.com/products/network/pssdk/
> 
> 
> They also say it has a bunch of features, at least some of which I
> think or know WinPcap also has:
> 
>     BPF support
> 
>     JIT compiler for BPF programs.
> 
> I don't know how well WinPcap 3.1 supports SMP systems, or whether "You
> can create an application to capture Gigabit network traffic totally
> without packet loss."  Some of the other features sound like features
> above the libpcap/WinPcap API layer (if by "packet generating
> functions" in "Packet generating/sending functions" they mean functions
> such as the ones in libnet:

It's relatively trivial to capture GigE at line speed (with MTU sized packets,
at least), but to bridge requires 4Gbps across the PCI bus, not counting
overhead.  I can *almost* do this with Linux... can get about 920Mbps bi-directional,
but this is with a kernel module.

> I'm not sure what's special about "No pre-installed packet capture
> drivers are required" - unless "internal" means that the code to the
> driver is something such as a giant array of bytes of code, so that a
> PSSDK-based application doesn't have to come with a driver, I'm not
> sure how this is interestingly different from WinPcap.

If this actually works so that I don't have an external dependency, it's
a big win for me.  I will believe it when I see it work, however :)

The really sad thing is that so much would be easier if winders just
had a packet-socket api :P

Ben

-- 
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
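
The endless loop described in the message above, and one way a user-space bridge can guess whether a sniffed frame is its own transmit, as an added example that is not part of the original message and is not WinPcap code. `echo_filter`, `echo_note_tx`, `echo_is_own_tx` and `simulate_bridge` are hypothetical names, capture and inject are simulated rather than real pcap calls, and the frame is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ECHO_SLOTS 64  /* assumed bound on injected frames awaiting their echo */
struct echo_filter {   /* hypothetical helper: one per bridged interface */
    uint64_t hash[ECHO_SLOTS];
    size_t   len[ECHO_SLOTS];
    int      used[ECHO_SLOTS];
    unsigned next;
};
static uint64_t frame_hash(const uint8_t *p, size_t n) {  /* FNV-1a, 64-bit */
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}
/* Call just before injecting a frame on this interface. */
void echo_note_tx(struct echo_filter *f, const uint8_t *p, size_t n) {
    unsigned i = f->next++ % ECHO_SLOTS;
    f->hash[i] = frame_hash(p, n); f->len[i] = n; f->used[i] = 1;
}
/* Call on every captured frame: 1 means it is the echo of our own transmit.
   The slot is consumed, so a later identical frame from the wire is forwarded. */
int echo_is_own_tx(struct echo_filter *f, const uint8_t *p, size_t n) {
    uint64_t h = frame_hash(p, n);
    for (unsigned i = 0; i < ECHO_SLOTS; i++)
        if (f->used[i] && f->len[i] == n && f->hash[i] == h) { f->used[i] = 0; return 1; }
    return 0;
}
/* Constructed simulation: every inject is also seen by the sending interface's tap. */
int simulate_bridge(int use_filter, int max_fwd) {
    static const uint8_t frame[] = { 0xff,0xff,0xff,0xff,0xff,0xff,  /* dst MAC */
        0x02,0,0,0,0,0x01, 0x08,0x06, 0xde,0xad,0xbe,0xef };        /* src, type, data */
    struct echo_filter flt[2];
    int iface = 0, forwards = 0;        /* the frame first arrives on interface 0 */
    memset(flt, 0, sizeof flt);
    while (forwards < max_fwd) {
        if (use_filter && echo_is_own_tx(&flt[iface], frame, sizeof frame))
            break;                      /* our own transmit came back: drop it */
        iface = 1 - iface;              /* forward to the other interface */
        echo_note_tx(&flt[iface], frame, sizeof frame);
        forwards++;                     /* next capture is the echo on 'iface' */
    }
    return forwards;                    /* capped at max_fwd if the loop never ends */
}
int main(void) {
    printf("no filter: %d forwards, filter: %d forwards\n",
           simulate_bridge(0, 1000), simulate_bridge(1, 1000));
    return 0;
}
```

Matching on a hash of the frame is a heuristic: it costs a pass over every frame in both directions and relies on the echo arriving before `ECHO_SLOTS` further transmits overwrite its slot.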


