[Winpcap-users] Want to get original Packet!
guy at alum.mit.edu
Fri Jul 21 19:10:46 GMT 2006
On Jul 21, 2006, at 3:57 AM, ahsan askari wrote:
> I am developing a firewall application for my dissertation.
Unfortunately, libpcap/WinPcap is not useful for that; see below.
> The idea is that my firewall application runs on system with two
> network interfaces(via VMWARE). One is connected to the outside
> world and the other one is connected to the internal network. My
> application has to capture packets comming from outside for the
> internal network take some decisions and forward it to the internal
> network or drop the packet. I am using winpcap for capturing
> packets and I know that winpcap only gets a copy of the packet not
> the original packet.
In some sense, *everything* is a copy of the original packet, as the
original packet is a network transmission, not a sequence of octets
in memory. The internal networking stack also gets a "copy" in that
However, the real problem is that:
> But my idea was to disable routing on the machine running my
> application so that even if kernel has the original copy of the
> packet it can't deliver it to the internal network. But the problem
> is that after doing every thing i.e disable routing and deleting
> the route of the internal network from application running host,
> the kernel stills delievers it to the destination.
...the mechanisms libpcap/WinPcap use are taps; they aren't in the
data path of the networking stack.
So the problem isn't one of
> 1. My question is Could anyone please tell me an easy way to
> capture the original packet from the network ?
"capturing the original packet", the problem is one of inserting your
code into the main data path of the networking stack.
> 2. Do I have to write a NDIS driver to do the above task ? (I am
> afraid doing this because I haven't done any driver development
you'd probably have to do that, and I think it'd have to be an
"intermediate driver" rather than a "protocol driver" or "transport
driver" or whatever the WinPcap driver is. Unfortunately, that's
about all the details I know about NDIS, so I can't help you do that.
There might be toolkits out there for doing that sort of thing. Try
searching for "NDIS" and "intermediate driver".
More information about the Winpcap-users