[Winpcap-users] Want to get original Packet!

Guy Harris guy at alum.mit.edu
Fri Jul 21 19:10:46 GMT 2006

On Jul 21, 2006, at 3:57 AM, ahsan askari wrote:

> I am developing a firewall application for my dissertation.

Unfortunately, libpcap/WinPcap is not useful for that; see below.

> The idea is that my firewall application runs on a system with two  
> network interfaces (via VMWARE). One is connected to the outside  
> world and the other one is connected to the internal network. My  
> application has to capture packets coming from outside for the  
> internal network, take some decisions, and forward them to the internal  
> network or drop the packet. I am using winpcap for capturing  
> packets and I know that winpcap only gets a copy of the packet, not  
> the original packet.

In some sense, *everything* is a copy of the original packet, as the  
original packet is a network transmission, not a sequence of octets  
in memory.  The internal networking stack also gets a "copy" in that  

However, the real problem is that:

> But my idea was to disable routing on the machine running my  
> application so that even if the kernel has the original copy of the  
> packet it can't deliver it to the internal network. But the problem  
> is that after doing everything, i.e. disabling routing and deleting  
> the route of the internal network from the host running the application,  
> the kernel still delivers it to the destination.

...the mechanisms libpcap/WinPcap use are taps; they aren't in the  
data path of the networking stack.

So the problem isn't one of

> 1. My question is Could anyone please tell me an easy way to  
> capture the original packet from the network ?

"capturing the original packet", the problem is one of inserting your  
code into the main data path of the networking stack.


> 2. Do I have to write a NDIS driver to do the above task ? (I am  
> afraid doing this because I haven't done any driver development  
> before)

you'd probably have to do that, and I think it'd have to be an  
"intermediate driver" rather than a "protocol driver" or "transport  
driver" or whatever the WinPcap driver is.  Unfortunately, that's  
about all the details I know about NDIS, so I can't help you do that.

There might be toolkits out there for doing that sort of thing.  Try  
searching for "NDIS" and "intermediate driver".
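The distinction the reply draws (a pcap tap sees a copy; only an in-path driver can drop) can be made concrete on the capture side. The following is an added example, not code from the thread or from WinPcap: it parses an Ethernet/IPv4/TCP frame the way a capture callback would receive it and applies the questioner's inbound policy, but the verdict is deliberately named "alert" rather than "drop", because on a tap the only thing the program can do with it is log it. The addresses, ports, internal network and allowed-port list are constructed assumptions, and the frames are built inline so the example runs offline.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Assumed policy (constructed for this example): the "inside" network and the
# TCP ports that outside hosts may reach on it.
INTERNAL = IPv4Network("192.168.1.0/24")
ALLOWED_INBOUND_TCP_PORTS = {80, 443}

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: int
    sport: Optional[int]
    dport: Optional[int]


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Decode Ethernet II + IPv4 (+ TCP/UDP ports). Returns None for anything
    that is not a well-formed IPv4 frame, so truncated captures are ignored
    rather than mis-parsed."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes, options included
    if ihl < 20 or len(ip) < ihl:
        return None
    proto = ip[9]
    src, dst = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
    sport = dport = None
    l4 = ip[ihl:]
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return Packet(src, dst, proto, sport, dport)


def decide(pkt: Packet) -> str:
    """'allow' or 'alert'. With a pcap-style tap this is detection only:
    the kernel has already forwarded the packet by the time we see the copy."""
    if pkt.dst not in INTERNAL or pkt.src in INTERNAL:
        return "allow"                 # outbound or internal traffic is not policed here
    if pkt.proto == PROTO_TCP and pkt.dport in ALLOWED_INBOUND_TCP_PORTS:
        return "allow"
    return "alert"


def process(frame: bytes) -> str:
    """What a capture callback would do per frame: parse, classify, log."""
    pkt = parse_frame(frame)
    if pkt is None:
        return "ignore"
    verdict = decide(pkt)
    if verdict == "alert":
        print(f"ALERT {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} proto={pkt.proto}")
    return verdict


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed test input: Ethernet II + IPv4 + a bare TCP SYN header
    (checksums left at zero; a tap does not validate them for us)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + tcp


if __name__ == "__main__":
    print(process(build_frame("203.0.113.7", "192.168.1.10", 40000, 445)))   # alert
    print(process(build_frame("203.0.113.7", "192.168.1.10", 40000, 443)))   # allow
    print(process(build_frame("192.168.1.10", "203.0.113.7", 443, 40000)))   # allow
    print(process(b"\x00" * 10))                                             # ignore
```

The point of keeping the verdict as "alert" is the one the reply makes: the same `decide()` logic could enforce a drop, but only if it ran inside something on the data path (an NDIS intermediate driver on Windows), not in a WinPcap callback.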
