----- Original Message -----
Sent: 07 August, 2003 01:56 PM
Subject: Re: [WinPcap-users] Hi!
No, PPP is not a reason for WinPcap being incapable of being a firewall... it's the way it's made. It won't allow you to block anything because it's not an NDIS or TDI filter, it's a protocol wrapper based on TDI (from what I gathered), so it only gets data that passes through, and it can send data too. To implement a firewall you'd need to do some research.
There are quite a few methods: there's the Intermediate NDIS way, TDI filter (hence you'll hook TCP/IP protocols on the system since they use TDI, and you'll also be able to block WinPcap from receiving data, yay), NDIS hooking, kernel hooking (hooking all possible functions that are responsible for sending/receiving data, but it's not recommended since you're better off hooking NDIS) and the last one, LSP (layered service provider).
There are possibly others out there; as I said, it requires some research. If I were to write a firewall it would be based on TDI and NDIS hooking. TDI will be used to block outgoing data, hence determine the application which sent the data; if TDI was skipped (say the program uses NDIS drivers directly), then I would have another set of rules for NDIS. For incoming data, I would filter data in NDIS, and if I have to ask the user whether to allow a packet through, I'll use TDI to figure out which process it goes to etc. You can use LSP instead of TDI, it's simpler (I actually made one a few days ago) and you can use a ready sample from MS or komodia.com.
Regarding NDIS hooking... if you haven't done any other hooking before, it's basically finding the EXE in memory, finding its function import table, injecting your file into memory, replacing the import table with your own, saving the old offset etc. Maybe this site will help: http://www.madshi.net But it's for Borland Delphi (maybe Borland C++ Builder too). Maybe a better way to hook NDIS would be to patch ndis.vxd and sys, but afaik NDIS involves loading your own driver into memory before the OS boots. It's a new area to me too.
Daniel
----- Original Message -----
Sent: Thursday, August 07, 2003 11:22 AM
Subject: Re: [WinPcap-users] Hi!
Hi Daniel!
Thank you for your quick response. :)
I am still reading about WinPcap and I am getting accustomed to the terms & concepts. Sorry about that!
My intention is to build a personal firewall but only for a LAN netcard (I have read about the lack of PPP standardisation but that is not a problem for me). Are there some other reasons why I can't build a firewall?
Lucian
----- Original Message -----
Sent: 07 August, 2003 01:01 PM
Subject: Re: [WinPcap-users] Hi!
You read the docs badly :)
WinPcap cannot filter data, so it can't do a firewall (if it did, you'd have to add the support for dialup, since WinPcap doesn't work with PPP).
WinPcap is quite popular, I have seen it in commercial apps... the ones that are most useful to me are Ethereal and Nmap (those are not really commercial, just widely used).
Daniel
----- Original Message -----
Sent: Thursday, August 07, 2003 10:55 AM
Subject: [WinPcap-users] Hi!
Hi!
I'm very new to the WinPcap world. I have read some docs about it and I already have a few newbie questions in mind.
First: is WinPcap capable of supporting the successful development of a Windows personal firewall?
And the 2nd: is there a way, and is it recommended, to develop commercial applications based on WinPcap? A fair answer will be greatly appreciated.
Thank you in advance
Lucian
Naie