[Winpcap-users] Generic packet questions

Patrick Malka malka.patrick at gmail.com
Thu Jan 17 18:15:21 PST 2013

*Hello, I have some generic IP related questions that I thought some of the
people on this list might be able to answer since this product is very
similar in functionality to what we are doing.*

In Windows, we are using the fwps* family of driver functions to filter IP
packets. The filter mechanism is not important, but rather what happens
during the callback functions for packets that match the filter.

In these callbacks, we wish to alter the data, and have the reverse
operation performed on the receiving end. Our goal is to perform encryption
and tamper detection.

Encryption is fairly easy to do as it does not alter the size of the (IP)
packet, but tamper detection is proving to be harder due to the need to
send extra data in addition to the payload in order to be able to detect

In this light, my questions are:

   - If I reinject (FwpsInjectNetwork*Async0) an IP packet that is larger
   than the Ethernet MTU, what will happen? Will it be rejected or fragmented?
   Does the answer depend on the specific environment?
   - If I fragment an IP packet explicitly before reinjecting it, will the
   fragments then be filtered again?
   - If I want to send a packet larger than the Ethernet MTU, must I
   fragment it myself or will Windows do it for me after reinjection?
   - If I fragment an IP packet during a send, will my receiving IP filter
   see the fragment packets or the assembled packet? Where does reassembly
   occur, before or after the various Windows driver filters?
   - Is there a way to safely process a maximum size IP packet (one that
   will just fit into an Ethernet frame) such that tamper detection can be
   performed on the receiving end without having to expand and fragment the
   - If I take an IP packet and add an IP option to the header, does that
   count as increasing the packet size? (I think the answer is yes, I just
   thought I would get confirmation).

Thanks for any help anyone can provide.
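
The size arithmetic behind the last question, as an added example that is not part of the original post and does not model WFP or Windows behaviour: inserting an IPv4 option raises the IHL and the Total Length and forces a header checksum recompute, so a packet already at the MTU has no room for it. The function names, the 1500-byte MTU and the sample header and option bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 one's-complement checksum over the IPv4 header. */
static uint16_t ipv4_checksum(const uint8_t *h, size_t hlen)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += (uint32_t)h[i] << 8 | h[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Hypothetical helper: insert opt after the existing header, zero-padded
 * (End of Option List) to a 32-bit boundary. Returns the new total length,
 * or 0 if the header would pass 60 bytes or the packet would pass mtu/cap. */
size_t ipv4_insert_option(uint8_t *pkt, size_t cap, size_t mtu,
                          const uint8_t *opt, size_t opt_len)
{
    if (cap < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t hlen  = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = (size_t)pkt[2] << 8 | pkt[3];
    size_t grow  = (opt_len + 3) & ~(size_t)3;
    if (hlen < 20 || total < hlen || total > cap) return 0;
    if (hlen + grow > 60) return 0;           /* IHL is 4 bits: 15 words max */
    if (total + grow > mtu || total + grow > cap) return 0;
    memmove(pkt + hlen + grow, pkt + hlen, total - hlen); /* shift payload */
    memset(pkt + hlen, 0, grow);
    memcpy(pkt + hlen, opt, opt_len);
    hlen += grow; total += grow;
    pkt[0] = (uint8_t)(0x40 | hlen / 4);
    pkt[2] = (uint8_t)(total >> 8); pkt[3] = (uint8_t)total;
    pkt[10] = pkt[11] = 0;                    /* zero before recomputing */
    uint16_t c = ipv4_checksum(pkt, hlen);
    pkt[10] = (uint8_t)(c >> 8);
    pkt[11] = (uint8_t)c;
    return total;
}

int main(void)
{
    uint8_t pkt[2048] = {0x45, 0, 1500 >> 8, 1500 & 0xff};    /* constructed */
    const uint8_t opt[6] = {0x9e, 6, 0xde, 0xad, 0xbe, 0xef}; /* constructed */
    printf("1500-byte packet -> %zu\n", ipv4_insert_option(pkt, sizeof pkt, 1500, opt, 6));
    pkt[2] = 1400 >> 8; pkt[3] = 1400 & 0xff;
    printf("1400-byte packet -> %zu\n", ipv4_insert_option(pkt, sizeof pkt, 1500, opt, 6));
}
```

A return value of 0 means the caller would have to fragment or shrink the payload before adding the option; the 6-byte option costs 8 bytes on the wire because of the 32-bit padding.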