Patrick,

WinPcap uses a protocol driver for capturing packets. I’m not too familiar with 
the fwps framework (I guess it’s probably one of the intermediate driver 
technologies, like NDIS-intermediate or lightweight IP filtering). Have you tried 
asking on an NT driver-specific mailing list like ntdev?

Have a nice day
GV

From: [email protected] 
[mailto:[email protected]] On Behalf Of Patrick Malka
Sent: Thursday, January 17, 2013 6:15 PM
To: [email protected]
Subject: [Winpcap-users] Generic packet questions

Hello, I have some generic IP related questions that I thought some of the 
people on this list might be able to answer since this product is very similar 
in functionality to what we are doing.

In Windows, we are using the fwps* family of driver functions to filter IP 
packets. The filter mechanism is not important, but rather what happens during 
the callback functions for packets that match the filter.

In these callbacks, we wish to alter the data, and have the reverse operation 
performed on the receiving end. Our goal is to perform encryption and tamper 
detection.

Encryption is fairly easy to do as it does not alter the size of the (IP) 
packet, but tamper detection is proving to be harder due to the need to send 
extra data in addition to the payload in order to be able to detect tampering.

In this light, my questions are:
·  If I reinject (FwpsInjectNetwork*Async0) an IP packet that is larger than 
the ethernet MTU, what will happen? Will it be rejected or fragmented? Does the 
answer depend on the specific environment?
·  If I fragment an IP packet explicitly before reinjecting it, will the 
fragments then be filtered again?
·  If I want to send a packet larger than the ethernet MTU, must I fragment it 
myself or will Windows do it for me after reinjection?
·  If I fragment an IP packet during a send, will my receiving IP filter see 
the fragment packets or the assembled packet? Where does reassembly occur, 
before or after the various Windows driver filters?
·  Is there a way to safely process a maximum size IP packet (one that will 
just fit into an ethernet frame) such that tamper detection can be performed on 
the receiving end without having to expand and fragment the packet?
·  If I take an IP packet and add an IP option to the header, does that count 
as increasing the packet size? (I think the answer is yes, I just thought I 
would get confirmation).

Thanks for any help anyone can provide.
_______________________________________________
Winpcap-users mailing list
[email protected]
https://www.winpcap.org/mailman/listinfo/winpcap-users
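
The size problem raised in the message above, as an added example that is not part of the original thread: a truncated HMAC-SHA256 tag appended to the IPv4 payload lets the receiver detect tampering, but it grows every packet by the tag length, so a packet that already fills the 1500-byte Ethernet MTU no longer fits. The tag length, key, helper names and sample packets are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

ETH_MTU = 1500   # largest IP packet a standard Ethernet frame carries
TAG_LEN = 16     # assumption: HMAC-SHA256 truncated to 16 bytes

def ip_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def with_length(packet: bytes, new_len: int) -> bytes:
    """Return the IPv4 header with total length and checksum rewritten."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = packet[:2] + struct.pack("!H", new_len) + packet[4:10] + b"\0\0" + packet[12:ihl]
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def build_ipv4(payload: bytes) -> bytes:
    """Constructed sample packet: 20-byte header, documentation addresses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 1, 0, 64, 17, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return with_length(hdr, 20 + len(payload)) + payload

def seal(packet: bytes, key: bytes):
    """Sender side: append a tag; report whether the result still fits the MTU."""
    ihl = (packet[0] & 0x0F) * 4
    payload = packet[ihl:]
    # Only the payload is authenticated here; TTL and checksum change in transit.
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    sealed = with_length(packet, len(packet) + TAG_LEN) + payload + tag
    return sealed, len(sealed) <= ETH_MTU

def unseal(packet: bytes, key: bytes):
    """Receiver side: verify and strip the tag; None means tampering detected."""
    ihl = (packet[0] & 0x0F) * 4
    payload, tag = packet[ihl:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return with_length(packet, len(packet) - TAG_LEN) + payload

if __name__ == "__main__":
    key = b"constructed-demo-key"
    for size in (100, ETH_MTU - 20 - TAG_LEN, ETH_MTU - 20):
        sealed, fits = seal(build_ipv4(bytes(size)), key)
        print(f"payload={size:4d} sealed={len(sealed):4d} fits_mtu={fits}")
```

With a 20-byte header and a 16-byte tag, the largest payload that still fits a single frame in this sketch is 1464 bytes.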
