[Winpcap-users] Generic packet questions

Gianluca Varenni Gianluca.Varenni at riverbed.com
Fri Jan 18 11:15:22 PST 2013


WinPcap uses a protocol driver for capturing packets, I’m not too familiar with the fwps framework (I guess it’s probably one of the intermediate driver technology, like NDIS-intermediate of lightweight IP filtering). Have you tried asking to a NT driver specific mailing list like ntdev?

Have a nice day

From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Patrick Malka
Sent: Thursday, January 17, 2013 6:15 PM
To: winpcap-users at winpcap.org
Subject: [Winpcap-users] Generic packet questions

Hello, I have some generic IP related questions that I thought some of the people on this list might be able to answer since this product is very similar in functionality to what we are doing.

In Windows, we are using the fwps* family of driver functions to filter IP packets. The filter mechanism is not important, but rather what happens during the callback functions for packets that match the filter.

In these callbacks, we wish to alter the data, and have the reverse operation performed on the receiving end. Our goal is to perform encryption and tamper detection.

Encryption is fairly easy to do as it does not alter the size of the (IP) packet, but tamper detection is proving to be harder due to the need to send extra data in addition to the payload in order to be able to detect tampering.

In this light, my questions are:
·  If I reinject (FwpsInjectNetwork*Async0) an IP packet that is larger than the ethernet MTU, what will happen? Will it be rejected or fragmented? Does the answer depend on the specific environment?
·  If I fragment an IP packet explicitly before reinjecting it, will the fragments then be filtered again?
·  If I want to send a packet larger than the ethernet MTU, must I fragment it myself or will Windows do it for me after reinjection.
·  If I fragment an IP packet during a send, will my receiving IP filter see the fragment packets or the assembled packet? Where does reassembly occur, before or after the various Windows driver filters.
·  Is there a way to safely process a maximum size IP packet (one that will just fit into an ethernet frame) such that tamper detection can be performed on the receiving end without having to expand and fragment the packet?
·  If I take an IP packet and add an IP option to the header, does that count as increasing the packet size? (I think the answer is yes, I just thought I would get confirmation).

Thanks for any help anyone can provide.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winpcap.org/pipermail/winpcap-users/attachments/20130118/e164fb76/attachment-0001.html>

More information about the Winpcap-users mailing list