
Monitoring and reacting to incoming and outgoing traffic.

Björn Olsson
#1: Feb 22 '06
Hello All.

If I were to capture network traffic, dropping packets and modifying
packets, i.e. write firewall functionality, which API or SDK would be the
correct choice? I would prefer to do it in .NET.

Do I have to use the DDK package or is there any other way?

I'm quite lost here.
--
Best regards Björn Olsson
Head of Technology
Centre for Business Solutions
Gothenburg School of Economics and Commercial Law

Vadym Stetsyak
#2: Feb 23 '06

Hello, Björn!

BO> If I were to capture network traffic, dropping packets and modifying
BO> packets, i.e. write firewall functionality, which API or SDK would be
BO> the correct choice? I would prefer to do it in .NET.

The WinPcap library can be a good start; however, it is unmanaged.
( http://www.winpcap.org/ )

BO> Do I have to use the DDK package or is there any other way?

If you want to filter not only sockets traffic, then definitely the DDK. You will have to write a kernel-mode device driver.
If sockets traffic is okay for you, you can stay in user mode and write an LSP (Layered Service Provider).

--
Regards, Vadym Stetsyak
www: http://vadmyst.blogspot.com
Björn Olsson
#3: Feb 23 '06

Thanks for your reply :)

I was looking into the PCAP documentation at first but found this in its FAQ:

"Q-17: Can I use WinPcap to drop the incoming packets? Is it possible to use
WinPcap to build a firewall?

A: No. WinPcap is implemented as a protocol, therefore it is able to capture
the packets, but it can't be used to drop them before they reach the
applications. The filtering capabilities of WinPcap work only on the sniffed
packets. In order to intercept the packets before the TCP/IP stack, you must
create an intermediate driver."

Will I be able to drop and modify packets with a Layered Service Provider?
Can you point me in some direction where I can find more information on LSP?

--
Best regards Björn Olsson
Head of Technology
Centre for Business Solutions
Gothenburg School of Economics and Commercial Law

Vadym Stetsyak
#4: Feb 23 '06

Hello, Björn!

BO> Will I be able to drop and modify packets with a Layered Service
BO> Provider?

yes

BO> Can you point me in some direction where I can find more information on
BO> LSP?

( http://www.microsoft.com/msj/0599/La...edService.aspx )
( http://www.ndis.com/papers/winpktfilter.htm )
( http://www.ndis.com/papers/winpktfilter.htm#WinsockLSP )
( http://www.ndis.com/papers/winpktfil...ilterInterface )
--
Regards, Vadym Stetsyak
www: http://vadmyst.blogspot.com
Björn Olsson
#5: Feb 23 '06

Thanks again for all the info. :)
I've managed to read through it now and downloaded the latest Windows Server
2003 DDK. However, I can't find anything named Layered Services on the CD. :(
Have I gone blind?

--
Best regards Björn Olsson
Head of Technology
Centre for Business Solutions
Gothenburg School of Economics and Commercial Law

Vadym Stetsyak
#6: Feb 23 '06

Hello, Björn!

BO> Thanks again for all the info. :)
BO> I've managed to read through it now and downloaded the latest Windows
BO> Server 2003 DDK. However, I can't find anything named Layered Services on
BO> the CD. :( Have I gone blind?

Nope, LSP is not a part of the DDK; LSPs are user-mode applications.
Take a look at ( http://www.microsoft.com/msj/0599/La...edService.aspx ),
especially the code sample; it is a good starting point.

--
Regards, Vadym Stetsyak
www: http://vadmyst.blogspot.com
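
An added example, not code from the thread or from the linked MSJ article: LSPs are registered in the Winsock catalog rather than installed as drivers, so listing the catalog shows which layered providers and protocol chains are present on a machine. The C# below P/Invokes `WSCEnumProtocols` from ws2_32.dll; the class name `WinsockCatalog` and the managed struct declaration are this example's own.

```csharp
using System;
using System.Runtime.InteropServices;
static class WinsockCatalog
{
    const int SOCKET_ERROR = -1, WSAENOBUFS = 10055;
    // Managed mirror of WSAPROTOCOL_INFOW; the WSAPROTOCOLCHAIN member is inlined.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct WSAPROTOCOL_INFOW
    {
        public uint dwServiceFlags1, dwServiceFlags2, dwServiceFlags3, dwServiceFlags4, dwProviderFlags;
        public Guid ProviderId;
        public uint dwCatalogEntryId;
        public int ChainLen;   // 0 = layered provider (LSP), 1 = base provider, >1 = protocol chain
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 7)] public uint[] ChainEntries; // MAX_PROTOCOL_CHAIN
        public int iVersion, iAddressFamily, iMaxSockAddr, iMinSockAddr, iSocketType;
        public int iProtocol, iProtocolMaxOffset, iNetworkByteOrder, iSecurityScheme;
        public uint dwMessageSize, dwProviderReserved;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)] public string szProtocol; // WSAPROTOCOL_LEN + 1
    }

    [DllImport("ws2_32.dll")]
    static extern int WSCEnumProtocols(IntPtr protocols, IntPtr buffer,
                                       ref uint bufferLength, out int errno);

    static void Main()
    {
        uint len = 0; int err;
        // Probe call: an empty buffer fails with WSAENOBUFS and reports the size needed.
        if (WSCEnumProtocols(IntPtr.Zero, IntPtr.Zero, ref len, out err) != SOCKET_ERROR
            || err != WSAENOBUFS)
            throw new InvalidOperationException("WSCEnumProtocols probe failed: " + err);
        IntPtr buf = Marshal.AllocHGlobal((int)len);
        try
        {
            int count = WSCEnumProtocols(IntPtr.Zero, buf, ref len, out err);
            if (count == SOCKET_ERROR)
                throw new InvalidOperationException("WSCEnumProtocols failed: " + err);
            int size = Marshal.SizeOf(typeof(WSAPROTOCOL_INFOW));
            for (int i = 0; i < count; i++)
            {
                var p = (WSAPROTOCOL_INFOW)Marshal.PtrToStructure(
                    IntPtr.Add(buf, i * size), typeof(WSAPROTOCOL_INFOW));
                string kind = p.ChainLen == 0 ? "LSP" : p.ChainLen == 1 ? "base" : "chain";
                Console.WriteLine("{0,5}  {1,-5}  {2}  {3}",
                    p.dwCatalogEntryId, kind, p.ProviderId, p.szProtocol);
            }
        }
        finally { Marshal.FreeHGlobal(buf); }
    }
}
```

On 64-bit Windows a 64-bit process enumerates the 64-bit catalog; `WSCEnumProtocols32` lists the 32-bit one.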