Packet filtering in Windows (XP, 7 etc) - windows

How can I filter (allow, deny etc.) outgoing packets in Windows? I want to search TCP or UDP packets, looking in the data segment for, for example, this "387602304fd236e048125453b1fa10c980e9dad4fa7f3f5dd2497c2e8b2b", and drop/block/deny the packet if it matches the search hex string.
I have already tried WIPFW and PKTFILTER, but they only do IP source, destination, port etc. filtering. They don't inspect the packet's data.
I think the Berkeley Packet Filter does that job, but it's for Unix...

Here are some options for filtering packets in Windows:
WinDivert: free, open source, works on Windows 7, 2008 or later. Network layer.
WinpkFilter 3.0: commercial, Windows XP and later. Data link layer.
pcausa: commercial. Data link layer.
Windows Filtering Platform Packet Modification Sample: a sample for creating a callout driver (which is what WinDivert uses); you need to know how to implement a kernel driver. Network layer.

You can use SmartSniff in Windows.
Starting from version 1.10, you can filter unwanted TCP/IP activity during the capture process (Capture Filter), or when displaying the captured TCP/IP data (Display Filter).

You want application-level filtering then (just changing the payload). If you want to be able to drop, I know you can hook into Winsock, which will allow you to capture packets as they go out and set up a filter there. Windows 7 also added to its firewall, so you could use that API to grab outbound packets; I'm not sure if it will allow you to specifically alter the payload data, though.

Related

How can one do packet filtering in Windows(2003,XP, etc) efficiently

The old question is here, but I still cannot find useful solutions in it, so I am rewriting the question here.
How can I filter (allow, deny etc.) outgoing packets in Windows? I want to filter IP packets on particular bits, e.g. the BPF rule IP[2:2] > 189, and then pass these filtered packets to other programs to process them. But I read the information on the Windows Filtering Platform; it allows developers to write middleware, which I think is hard for me to do.
So is there an alternative way to filter packets in Windows XP or 2003 and then pass the packets to other applications?
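The two questions above ask for the same two things: a BPF-style byte test on the IP header (IP[2:2] > 189, i.e. "total length greater than 189") and a search of the TCP/UDP payload for a hex signature. The block below is an added example, not code from either question or from any of the tools named in the answers. It implements only the decision logic on a raw Ethernet/IPv4 frame; whatever intercepts traffic on Windows (WinDivert, a WFP callout, a Winsock hook) is assumed to hand over the frame bytes. The test frames are constructed in the code itself.

```python
"""Payload- and offset-based filtering of raw Ethernet/IPv4 frames.

Added example, not code from either question above.  It shows only the
decision logic: (a) evaluate a BPF-style byte test such as "ip[2:2] > 189"
and (b) search the TCP/UDP payload for a hex signature and return a verdict.
Whatever intercepts the frame on Windows (WinDivert, a WFP callout, a Winsock
hook) is assumed to hand over the raw bytes; that part is not shown.
"""
import binascii
import re
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17

# The hex string quoted in the first question, as the bytes to look for.
SIGNATURE = binascii.unhexlify(
    "387602304fd236e048125453b1fa10c980e9dad4fa7f3f5dd2497c2e8b2b")

# layer[offset:size] op value, offsets relative to the named header as in tcpdump
_BPF_TEST = re.compile(
    r"^(?P<layer>ip|tcp|udp)\[(?P<off>\d+)(?::(?P<size>[124]))?\]\s*"
    r"(?P<op>==|!=|>=|<=|>|<)\s*(?P<val>0x[0-9a-fA-F]+|\d+)$")


def parse_frame(frame):
    """Split an Ethernet/IPv4 frame into the IP header+body, the L4 segment
    and the L4 payload.  Returns None for non-IPv4 or truncated frames so the
    caller can fall back to a pass decision instead of crashing on garbage."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        return None
    ip = ip[:total_len]          # strip Ethernet padding
    l4 = ip[ihl:]
    if proto == PROTO_TCP:
        if len(l4) < 20:
            return None
        payload = l4[(l4[12] >> 4) * 4:]   # skip TCP header incl. options
    elif proto == PROTO_UDP:
        if len(l4) < 8:
            return None
        payload = l4[8:]
    else:
        payload = b""
    return {"ip": ip, "l4": l4, "proto": proto, "payload": payload}


def bpf_byte_test(expr, frame):
    """Evaluate one BPF-style test ('ip[2:2] > 189', 'udp[2:2] == 53') on a frame."""
    m = _BPF_TEST.match(expr.strip())
    if not m:
        raise ValueError("unsupported filter expression: %r" % expr)
    layers = parse_frame(frame)
    if layers is None:
        return False
    layer = m["layer"]
    if layer == "tcp" and layers["proto"] != PROTO_TCP:
        return False
    if layer == "udp" and layers["proto"] != PROTO_UDP:
        return False
    hdr = layers["ip"] if layer == "ip" else layers["l4"]
    off, size = int(m["off"]), int(m["size"] or 1)
    if off + size > len(hdr):
        return False
    field = int.from_bytes(hdr[off:off + size], "big")
    val = int(m["val"], 0)
    return {"==": field == val, "!=": field != val, ">": field > val,
            "<": field < val, ">=": field >= val, "<=": field <= val}[m["op"]]


def payload_verdict(frame, signature=SIGNATURE):
    """'DROP' if the TCP/UDP payload contains the signature, otherwise 'PASS'."""
    layers = parse_frame(frame)
    if layers is None or not layers["payload"]:
        return "PASS"
    return "DROP" if signature in layers["payload"] else "PASS"


def build_udp_frame(payload, src_port=40000, dst_port=53):
    """Construct a test Ethernet/IPv4/UDP frame (checksums left zero)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                     64, PROTO_UDP, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + udp


if __name__ == "__main__":
    hit = build_udp_frame(b"hello " + SIGNATURE + b" world")   # 70-byte IP packet
    big = build_udp_frame(b"a" * 200)                            # 228-byte IP packet
    print(payload_verdict(hit), payload_verdict(big))            # DROP PASS
    print(bpf_byte_test("ip[2:2] > 189", hit), bpf_byte_test("ip[2:2] > 189", big))
```

Note that the signature match is done on the reassembled L4 payload of one packet only; a signature split across two TCP segments will not be seen, which is the same limitation a per-packet kernel filter has.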

BPF filter string not working on router

I am using a filter string to catch only the probe-request frames from my Wi-Fi router working in monitor/promiscuous mode.
The same string, i.e. "type mgt subtype probe-req", works when I am running my code on a laptop, but on my Linksys WRT54G it gives an error that the pcap_compile() function is not working.
To be more explanatory, I am using OpenWRT White Russian 0.9 firmware on my router and its equivalent SDK to build the package for it. The program uses the libpcap library to capture raw packets from the network.
So I want to know whether there is any change in the string format when working on embedded devices like a router. If yes, can you suggest where I can find the documentation for it?
If no, what am I doing wrong?
The filter strings that are allowed depend on:
the version of libpcap/WinPcap in use;
the link-layer header type being captured on the device.
That particular filter would be allowed if libpcap 1.0 or later is being used and if the adapter is supplying packets with 802.11 headers. Note that, on most OSes, an 802.11 adapter will supply packets with 802.11 headers only if the adapter is running in monitor mode; otherwise, it'll supply packets with Ethernet headers, and will only supply data frames, not management or control frames.
The program uses Libpcap library to capture raw packets from the network.
Whatever the program is, it should be doing a better job of reporting errors from pcap_compile(). It should include, in the error message, the text returned by pcap_geterr() when pcap_geterr() is handed the pcap_t * that you passed to pcap_compile(); that way, you will know more about why the error occurred, and therefore more about what you need to do to fix it.
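The answer's two points (the filter is only valid for the 802.11 link-layer type, and the program should print pcap_geterr()) can be checked without any capture device: pcap_open_dead() creates a handle for a given link-layer type, and pcap_compile() against it tells you whether the string is accepted. The block below is an added example, not code from the question or the answer; it loads the system's libpcap (or wpcap.dll) through ctypes and returns None if no libpcap is installed. Compiling the same filter for DLT_IEEE802_11 (what a monitor-mode adapter supplies) and DLT_EN10MB (what a managed-mode adapter supplies) reproduces the "works on one device, fails on the other" symptom, with libpcap's own reason attached.

```python
"""Check whether a pcap filter string compiles for a given link-layer type,
and surface libpcap's own reason when it does not.

Added example, not code from the question or answer above.  Uses
pcap_open_dead(), which builds a pcap handle for a link-layer type without
opening any device, so the same filter can be tested against the 802.11 header
type (monitor mode) and the Ethernet header type (managed mode).  Assumes a
shared libpcap (or wpcap.dll on Windows) is installed; returns None otherwise.
"""
import ctypes
import ctypes.util

DLT_EN10MB = 1             # Ethernet headers
DLT_IEEE802_11 = 105       # 802.11 headers, no radiotap
DLT_IEEE802_11_RADIO = 127 # radiotap + 802.11, common on Linux monitor mode


class BpfProgram(ctypes.Structure):
    # struct bpf_program { u_int bf_len; struct bpf_insn *bf_insns; }
    _fields_ = [("bf_len", ctypes.c_uint), ("bf_insns", ctypes.c_void_p)]


def _load_libpcap():
    """Return a ctypes handle to libpcap with prototypes set, or None."""
    for name in [ctypes.util.find_library("pcap"), "libpcap.so.1",
                 "libpcap.so.0.8", "libpcap.so", "wpcap.dll"]:
        if not name:
            continue
        try:
            lib = ctypes.CDLL(name)
        except OSError:
            continue
        lib.pcap_open_dead.restype = ctypes.c_void_p
        lib.pcap_open_dead.argtypes = [ctypes.c_int, ctypes.c_int]
        lib.pcap_compile.restype = ctypes.c_int
        lib.pcap_compile.argtypes = [ctypes.c_void_p, ctypes.POINTER(BpfProgram),
                                     ctypes.c_char_p, ctypes.c_int, ctypes.c_uint]
        lib.pcap_geterr.restype = ctypes.c_char_p
        lib.pcap_geterr.argtypes = [ctypes.c_void_p]
        lib.pcap_freecode.argtypes = [ctypes.POINTER(BpfProgram)]
        lib.pcap_close.argtypes = [ctypes.c_void_p]
        lib.pcap_lib_version.restype = ctypes.c_char_p
        return lib
    return None


def compile_filter(expr, linktype, snaplen=65535):
    """Compile `expr` for `linktype`.

    Returns {'ok': bool, 'error': str, 'insns': int, 'version': str}, or None
    when libpcap cannot be loaded.  On failure 'error' carries the text from
    pcap_geterr(), which is what a program should print instead of a bare
    "pcap_compile() failed".
    """
    lib = _load_libpcap()
    if lib is None:
        return None
    handle = lib.pcap_open_dead(linktype, snaplen)
    if not handle:
        raise RuntimeError("pcap_open_dead() failed")
    version = lib.pcap_lib_version().decode(errors="replace")
    prog = BpfProgram()
    try:
        # optimize=1, netmask=0: no 'ip broadcast' test in these filters
        rc = lib.pcap_compile(handle, ctypes.byref(prog), expr.encode(), 1, 0)
        if rc != 0:
            err = lib.pcap_geterr(handle) or b""
            return {"ok": False, "error": err.decode(errors="replace"),
                    "insns": 0, "version": version}
        try:
            return {"ok": True, "error": "", "insns": prog.bf_len, "version": version}
        finally:
            lib.pcap_freecode(ctypes.byref(prog))
    finally:
        lib.pcap_close(handle)


if __name__ == "__main__":
    expr = "type mgt subtype probe-req"
    for name, dlt in [("802.11 (monitor mode)", DLT_IEEE802_11),
                      ("Ethernet (managed mode)", DLT_EN10MB)]:
        r = compile_filter(expr, dlt)
        if r is None:
            print("libpcap not found")
            break
        print("%-24s ok=%-5s insns=%-3d %s" % (name, r["ok"], r["insns"], r["error"]))
```

On the router, run the same check with the link-layer type reported by pcap_datalink() on the actual capture handle; if the firmware's libpcap predates 1.0 the 802.11 filter fails even for DLT_IEEE802_11, and the version string returned here shows that directly.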

switch between video streaming

I am struggling with switching between multiple live streams. For example, I have five live streaming servers streaming (HTTP or RTSP), and I want to put some broker between those (five) streaming sources and the destination so that the output to the destination would be one video stream (later I may change the streaming source again using the switch). The broker plays the role of a switcher. My question is, is there such an open source "switcher"? Or how does this technology work?
Here is a link to a similar question, but I want some open source software or some brief guidance about how it could be implemented: http://forums.creativecow.net/thread/117/858680
Thank you in advance.
This answer can serve as an archive for researchers.
First Suggestion or Solution (Multicast Router)
You can use a router or L3 switch which supports the IGMP protocol. With such a router or L3 switch you can structure multicast IP addresses, and you can configure the L3 device to switch all streaming. Multicast IP addresses work within 224.0.0.0 to 239.255.255.255 and work based on the device's MAC address. You can create different multicast IP addresses for the different switching scenarios. After finishing the router or L3 switch configuration, you only change the IP address in your program to switch the stream. (I didn't mention broadcast. Broadcast sends data to all points. Multicast sends data to certain points.)
Second Suggestion or Solution (Programming)
I am using the Vlc.DotNet wrapper for the VLC and libvlc libraries. It's open source. RTSP streaming is based on IP address and port number. I don't know of any open source switch, but you can write one yourself using the Vlc.DotNet wrapper. You build 5 streaming servers and 1 control server. The streaming servers' destination should be the control server's IP, and you can control all data from the control server with your basic switch program.
5 Streaming Servers: send data to the control server
1 Control Server: controls and switches data
I prefer to use a router or L3 switch for this, because it's easier.

Is there a way to monitor what process sends UDP packets (source/dest IP and port) in Windows?

I discovered almost accidentally that my machine was sending and receiving UDP packets to a machine in Poland. Not that I have any problem with Poland, I just don't know why my laptop has the need to communicate with a server there. Reverse DNS shows just the ISP providing the address to some end user. Using Wireshark, I can monitor the messages, which were indecipherable as they were probably encrypted. All packets sent from my machine had the same source port, so clearly the application that sent them opened this UDP socket to use it. I am searching for ways to:
1) enumerate all current sockets open in the system, including the process that created them and, for both TCP and UDP, what ports and addresses they are currently bound to.
2) because applications can open these sockets, use them, and close them right away, I would love to find (or perhaps even write) a program that once started would somehow get notification each time a socket gets created, or really more importantly when bound to a source and/or destination address and port. For UDP, I would love to also be able to monitor/keep track of the destination IP addresses and ports that socket has sent messages to.
I don't want to monitor the traffic itself, I have Wireshark if I want to view the traffic. I want to be able to then cross reference to discover what application is generating the packets. I want to know if it is from a process I trust, or if it is something I need to investigate further.
Does anybody know of any applications (for the Windows platform) that can do this? If not, any ideas about a .NET or Windows API that provides this capability, should I want to write it myself?
Edit:
After further research - looks like the APIs to use are GetExtendedUdpTable and GetExtendedTcpTable, CodeProject.com has some samples wrapping these in .NET (see http://www.codeproject.com/Articles/14423/Getting-the-active-TCP-UDP-connections-using-the-G). So a combination of this API and some sniffer code would be needed to monitor and keep track of what hosts at what ports using what protocol any particular application on your machine is talking to. If I ever get some free time, I'll consider creating this, if you know of an app that does all this, please let me know.
Try SysInternals TCPView. Despite its name, it handles UDP as well.
netstat -b to enumerate all ports along with the process names.
You can try using SysInternals' Process Monitor (ProcMon.exe or ProcMon64.exe).
It allows filtering of processes by the "UDP Send" operation, and provides detailed UDP connection data, including source and destination addresses (IP) and ports etc.
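The asker's own plan (GetExtendedUdpTable/GetExtendedTcpTable plus correlation) and the netstat answer can be approximated without writing native code: netstat -ano prints the socket table with the owning PID (no elevation needed, unlike -b), and tasklist /FO CSV maps PIDs to image names. The block below is an added example, not code from the question or the answers. It parses both outputs, joins them, and reports endpoints that appeared between two snapshots, which is how a polling tool catches the short-lived sockets the asker is worried about. The netstat and tasklist outputs embedded in the block are constructed samples; live_snapshot() runs the real commands on a Windows host.

```python
"""Attribute UDP/TCP endpoints to processes and spot newly opened sockets.

Added example, not from the question or the answers above.  Parses `netstat
-ano` (socket table with owning PID) and `tasklist /FO CSV` (PID -> image
name), joins them, and reports endpoints that appeared between two snapshots.
The sample outputs below are constructed, not captured from a real machine.
"""
import csv
import io
import re
import subprocess

NETSTAT_SAMPLE_BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:50212     93.184.216.34:443      ESTABLISHED     4212
  UDP    0.0.0.0:5353           *:*                                    1520
  UDP    [::1]:1900             *:*                                    1520
"""

# Same table a few seconds later: one more UDP socket, bound by PID 7788.
NETSTAT_SAMPLE_AFTER = NETSTAT_SAMPLE_BEFORE + """\
  UDP    192.168.1.10:62001     *:*                                    7788
"""

TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","900","Services","0","9,000 K"
"firefox.exe","4212","Console","1","300,000 K"
"svchost.exe","1520","Services","0","12,000 K"
"updater.exe","7788","Console","1","4,500 K"
'''

# Proto, local, foreign, optional State (TCP only), PID.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def split_endpoint(text):
    """'192.168.1.10:62001' / '[::1]:1900' / '*:*' -> (host, port or None)."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` output into a set of (proto, local, foreign, state, pid)."""
    rows = set()
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.add((proto, split_endpoint(local), split_endpoint(foreign),
                      state or "", int(pid)))
    return rows


def parse_tasklist(text):
    """Parse `tasklist /FO CSV` output into {pid: image name}."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def new_endpoints(before, after, processes):
    """Endpoints present in `after` but not in `before`, with the owning image."""
    return [{"proto": proto, "local": local, "foreign": foreign, "state": state,
             "pid": pid, "image": processes.get(pid, "<exited or unknown>")}
            for proto, local, foreign, state, pid in sorted(after - before, key=str)]


def live_snapshot():
    """Take a real snapshot on Windows; `-o` shows PIDs without elevation."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tl = subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True, text=True).stdout
    return parse_netstat(ns), parse_tasklist(tl)


if __name__ == "__main__":
    before = parse_netstat(NETSTAT_SAMPLE_BEFORE)
    after = parse_netstat(NETSTAT_SAMPLE_AFTER)
    procs = parse_tasklist(TASKLIST_SAMPLE)
    for e in new_endpoints(before, after, procs):
        print("%s %s:%s -> %s pid=%d %s" % (e["proto"], e["local"][0], e["local"][1],
                                             e["foreign"][0], e["pid"], e["image"]))
```

Two caveats a practitioner will hit: a process that binds, sends and exits between polls shows up with PID only (hence the "exited or unknown" label), which is where Process Monitor's "UDP Send" events or an ETW trace do better; and netstat shows the local binding only, so the remote host and port of an unconnected UDP socket still have to come from the packet capture, matched on the local port.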

IPsec in Linux kernel - how to figure out what's going on

I'm writing an IPsec implementation for a microcontroller and I want to test it using a standard Linux box running Debian Lenny. Both devices should secure the communication between them using IPsec ESP in tunnel mode. The keys are set up manually using setkey. There's no (or at least should be no) user space program involved in processing an IPsec packet. Now I want to see how my created packets are processed by the Linux kernel. To see the raw packets I capture them using tcpdump and analyze them using Wireshark.
What's the best way to obtain debug information about IPsec processing?
How can I figure out whether the packet is accepted by the kernel?
How can I view the reason for a packet to be dropped?
You can instrument the XFRM (or perhaps ipv4/esp.c) kernel code to print out debug messages at the right spots.
For example, in net/ipv4/esp.c there exists a function esp_input() which has some error cases, but you'll see most the interesting stuff is in the xfrm/*.c code.
That said, I didn't have a problem interoperating a custom IPsec with Linux. Following the 43xx specs and verifying the packets came out correctly via Wireshark seemed to do well. If you're having issues and don't want to instrument the kernel, then you can set up iptables rules and count the number of (various types of) packets at each point.
Finally, be sure you've actually added a security policy (SP) as well as a security association (SA) and setup firewall rules properly.
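Besides instrumenting net/xfrm or counting with iptables, the kernel already keeps a per-reason counter for every IPsec input and output failure in /proc/net/xfrm_stat (present since 2.6.24, so on Lenny's 2.6.26 kernel too). Reading it before and after sending a single test packet answers the asker's two questions at once: if no counter moves the packet was accepted, and the counter that does move names the check that rejected it. The block below is an added example, not part of the answer above; the two snapshots it ships with are constructed sample content, and the explanations are this editor's summary of what the xfrm input path bumps each counter for.

```python
"""Read the kernel's IPsec (XFRM) error counters and report what changed.

Added example, not from the question or answer above.  Linux exposes
per-reason IPsec error counters in /proc/net/xfrm_stat ("%-24s\\t%lu" per
line).  Snapshot it, send one packet from the device under test, snapshot
again, and the counter that increased names the check that dropped it.
The two snapshots below are constructed sample content.
"""
import os

# Input-side counters most often hit during interop work, and what they mean.
EXPLANATIONS = {
    "XfrmInHdrError": "ESP/AH header could not be parsed",
    "XfrmInNoStates": "no SA matched (dst, SPI, proto); compare the SPI on the wire with setkey -D",
    "XfrmInStateProtoError": "SA found but ESP/AH processing failed (bad ICV, padding or decryption)",
    "XfrmInStateModeError": "tunnel/transport mode processing of the SA failed",
    "XfrmInStateSeqError": "sequence number outside the anti-replay window or repeated",
    "XfrmInStateExpired": "SA has expired",
    "XfrmInTmplMismatch": "decapsulated packet does not match the template of the matching policy",
    "XfrmInNoPols": "no inbound policy (SP) matched the inner packet; add one with setkey spdadd",
    "XfrmInPolBlock": "an inbound policy explicitly discards this traffic",
}

_COUNTERS = ["XfrmInError", "XfrmInBufferError", "XfrmInHdrError", "XfrmInNoStates",
             "XfrmInStateProtoError", "XfrmInStateModeError", "XfrmInStateSeqError",
             "XfrmInStateExpired", "XfrmInStateMismatch", "XfrmInStateInvalid",
             "XfrmInTmplMismatch", "XfrmInNoPols", "XfrmInPolBlock", "XfrmInPolError",
             "XfrmOutError", "XfrmOutNoStates", "XfrmOutPolBlock", "XfrmOutPolError"]


def _render(values):
    """Produce text in the same layout as /proc/net/xfrm_stat (sample data)."""
    return "".join("%-24s\t%d\n" % (k, values.get(k, 0)) for k in _COUNTERS)


SAMPLE_BEFORE = _render({"XfrmInNoStates": 3})
# After one test packet: SA lookup failed once more, and a second packet got
# through the SA but found no policy for the inner packet.
SAMPLE_AFTER = _render({"XfrmInNoStates": 4, "XfrmInNoPols": 1})


def parse_xfrm_stat(text):
    """Parse xfrm_stat content into {counter: value}; ignores malformed lines."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            counters[parts[0]] = int(parts[1])
    return counters


def read_xfrm_stat(path="/proc/net/xfrm_stat"):
    """Read and parse the live counters (needs a kernel with CONFIG_XFRM_STATISTICS)."""
    with open(path) as fh:
        return parse_xfrm_stat(fh.read())


def diff_counters(before, after):
    """Counters that increased between two snapshots, mapped to their delta."""
    return {k: v - before.get(k, 0) for k, v in after.items() if v > before.get(k, 0)}


def explain(delta):
    """One line per increased counter, with the likely cause when known."""
    return ["%s +%d: %s" % (k, d, EXPLANATIONS.get(
                k, "see where this counter is bumped in net/xfrm/"))
            for k, d in sorted(delta.items())]


if __name__ == "__main__":
    if os.path.exists("/proc/net/xfrm_stat"):
        before = read_xfrm_stat()
        input("Send one test packet from the device under test, then press Enter...")
        after = read_xfrm_stat()
    else:
        before, after = parse_xfrm_stat(SAMPLE_BEFORE), parse_xfrm_stat(SAMPLE_AFTER)
    delta = diff_counters(before, after)
    print("\n".join(explain(delta)) if delta else "no XFRM error counter changed: packet accepted")
```

If no counter changes and the inner packet still never appears, check the plain IP counters and the firewall next; an accepted ESP packet still has to pass the INPUT/FORWARD chains after decapsulation.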
