[Winpcap-users] Want to get original Packet!

Netcount netcount3 at clix.pt
Sun Jul 23 23:37:42 GMT 2006

My 2 cents:

You might use an already made NDIS IM driver, like a passthru derivation, to block all packets to the routing process.
I've once modified one of those to introduce latency or drop specific packets. You can modify it so as to drop "all".
It works for packets going up the stack to App L7, so it should also work for those being routed. The source code is here: http://www.wd-3.com/archive/ExtendingPassthru2.htm
The hard topic is to ensure that Winpcap still receives a copy of the packet before the "original" is dropped. That depends on the Winpcap driver's position with respect to the dropping driver.

As an alternative, you have what you said in 1: you forget about Winpcap for receiving packets, implement a copy-to-user-level mechanism in the NDIS IM driver, and then use Winpcap only to send packets to the destination interface.
Anyway, it might be a nice project :-)

Good luck
Pedro Lucas
Team Netcount
  ----- Original Message ----- 
  From: ahsan askari 
  To: winpcap-users at winpcap.org 
  Sent: Friday, July 21, 2006 11:57 AM
  Subject: [Winpcap-users] Want to get original Packet!


  I am developing a firewall application for my dissertation. The idea is that my firewall application runs on a system with two network interfaces (via VMware). One is connected to the outside world and the other one is connected to the internal network. My application has to capture packets coming from outside for the internal network, take some decisions, and forward them to the internal network or drop the packet. I am using winpcap for capturing packets and I know that winpcap only gets a copy of the packet, not the original packet. But my idea was to disable routing on the machine running my application so that even if the kernel has the original copy of the packet it can't deliver it to the internal network. But the problem is that after doing everything, i.e. disabling routing and deleting the route of the internal network from the host running the application, the kernel still delivers it to the destination.

  1. My question is: could anyone please tell me an easy way to capture the original packet from the network?
  2. Do I have to write an NDIS driver to do the above task? (I am afraid of doing this because I haven't done any driver development before.)

  Please let me know because I don't have much time.

  Thank you 

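An added example (not from either message in this thread, nor from WinPcap or the passthru sample): the user-level half of the design Pedro describes, written in C as the decision logic that would sit between a pcap_next_ex() read on the outside adapter and a pcap_sendpacket() on the inside one. It assumes the kernel-side driver already blocks the original packet, as discussed above, so it only parses the captured Ethernet/IPv4 frame, applies a default-deny rule table (the rules and the 192.0.2.x / 198.51.100.x addresses are constructed for the example), and returns a forward/drop verdict, dropping anything it cannot parse, including truncated or non-IPv4 frames.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Verdict the user-level filter returns for one captured frame.
 * In a real deployment FORWARD would be acted on with pcap_sendpacket()
 * on the internal adapter; DROP simply means "do not re-inject". */
enum verdict { VERDICT_DROP = 0, VERDICT_FORWARD = 1 };

/* One rule: IP protocol number + destination port, allow or deny. */
struct rule { uint8_t proto; uint16_t dst_port; int allow; };

/* Fields the filter needs from an IPv4 frame. */
struct pkt_info { uint32_t src_ip, dst_ip; uint8_t proto; uint16_t src_port, dst_port; };

/* Constructed policy for the example: allow HTTP/HTTPS and DNS, deny telnet,
 * and (because the table is default-deny) drop everything else. */
const struct rule policy[] = {
    { 6, 80, 1 }, { 6, 443, 1 }, { 17, 53, 1 }, { 6, 23, 0 },
};
const size_t policy_len = sizeof policy / sizeof policy[0];

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse Ethernet + IPv4 (+ L4 ports for TCP/UDP) with bounds checks on every
 * length field. Returns 0 on success, -1 for non-IPv4, truncated or bogus frames. */
int parse_frame(const uint8_t *frame, size_t len, struct pkt_info *out) {
    if (len < 14 || rd16(frame + 12) != 0x0800) return -1;   /* not IPv4 */
    const uint8_t *ip = frame + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || iplen < ihl) return -1;
    uint16_t total = rd16(ip + 2);
    if (total < ihl || total > iplen) return -1;             /* length lies */
    memset(out, 0, sizeof *out);
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);
    out->proto = ip[9];
    if (out->proto == 6 || out->proto == 17) {
        if (total - ihl < 4) return -1;                      /* no room for ports */
        out->src_port = rd16(ip + ihl);
        out->dst_port = rd16(ip + ihl + 2);
    }
    return 0;
}

/* Default-deny: forward only when an allow rule matches; unparseable frames drop. */
enum verdict decide(const uint8_t *frame, size_t len, const struct rule *rules, size_t n) {
    struct pkt_info info;
    if (parse_frame(frame, len, &info) != 0) return VERDICT_DROP;
    for (size_t i = 0; i < n; i++)
        if (rules[i].proto == info.proto && rules[i].dst_port == info.dst_port)
            return rules[i].allow ? VERDICT_FORWARD : VERDICT_DROP;
    return VERDICT_DROP;
}

/* Build a constructed frame: 14-byte Ethernet header, 20-byte IPv4 header and
 * only the first 4 bytes of the transport header (ports). No checksums; this is
 * just enough for the filter, not a packet you would put on a wire. */
static size_t build_frame(uint8_t *buf, uint16_t ethertype, uint8_t proto,
                          uint16_t sport, uint16_t dport) {
    memset(buf, 0, 64);
    buf[12] = (uint8_t)(ethertype >> 8); buf[13] = (uint8_t)(ethertype & 0xff);
    uint8_t *ip = buf + 14;
    ip[0] = 0x45;                         /* version 4, IHL 5 */
    ip[2] = 0; ip[3] = 24;                /* total length 20 + 4 */
    ip[8] = 64;                           /* TTL */
    ip[9] = proto;
    ip[12] = 192; ip[13] = 0;  ip[14] = 2;   ip[15] = 10;   /* src 192.0.2.10 */
    ip[16] = 198; ip[17] = 51; ip[18] = 100; ip[19] = 20;   /* dst 198.51.100.20 */
    ip[20] = (uint8_t)(sport >> 8); ip[21] = (uint8_t)(sport & 0xff);
    ip[22] = (uint8_t)(dport >> 8); ip[23] = (uint8_t)(dport & 0xff);
    return 14 + 24;
}

/* Scenario helpers: each builds one constructed frame and runs the policy. */
enum verdict check_flow(uint8_t proto, uint16_t dport) {
    uint8_t buf[64];
    size_t n = build_frame(buf, 0x0800, proto, 40000, dport);
    return decide(buf, n, policy, policy_len);
}
enum verdict check_truncated(void) {            /* capture cut off after the IP header */
    uint8_t buf[64];
    build_frame(buf, 0x0800, 6, 40000, 80);
    return decide(buf, 14 + 20, policy, policy_len);
}
enum verdict check_non_ipv4(void) {             /* an ARP frame never matches */
    uint8_t buf[64];
    size_t n = build_frame(buf, 0x0806, 6, 40000, 80);
    return decide(buf, n, policy, policy_len);
}

int main(void) {
    printf("tcp/80 %s\n", check_flow(6, 80) == VERDICT_FORWARD ? "forward" : "drop");
    printf("tcp/23 %s\n", check_flow(6, 23) == VERDICT_FORWARD ? "forward" : "drop");
    printf("truncated %s\n", check_truncated() == VERDICT_FORWARD ? "forward" : "drop");
    return 0;
}
```

The parse function refuses frames whose IP total length exceeds the bytes actually captured, which matters with a capture library that can hand you a snaplen-truncated copy: a filter that trusts the header length field would read past the buffer. Everything this code forwards still has to be blocked from the kernel's own routing path by the driver-level mechanism the thread discusses; the user-level verdict on its own only controls what gets re-injected.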