Hi. This is a bit off topic, but might be related to the problem you are experiencing.
It seems it is a driver problem, but it's not WinPcap. In my case it was because my NIC was a 3Com. And on any 3Com 3c90x we tried, it didn't capture packets sent by itself, regardless of which 3Com driver we used. Replacing it with an RTL8139 card solved the issue for me. I found this to be weird, and tested this on some other computers. And we verified that you cannot capture packets on some 3Com NICs if they were also sent by that one. This was tested on W2K/WXP.

J. Thomsen, Denmark.

----- Original Message -----
From: "Richard Jagodzinski" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 18, 2003 11:36 PM
Subject: RE: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...

> Thanks for the response!
>
> -----Original Message-----
> From: Michael Vergoz [mailto:[EMAIL PROTECTED]
> Sent: September 17, 2003 5:05 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
>
> ----- Original Message -----
> From: "Richard Jagodzinski" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, September 18, 2003 12:01 AM
> Subject: RE: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
>
> > We have a product that is dependent on winpcap. It creates point to point
> > encrypted tunnels across tcp/ip networks. Basically the sender intercepts
> > outbound packets, encrypts them, wraps & tunnels them over one port; the
> > receiver, listening on that port, grabs the incoming packet, decrypts it,
> > and reinjects it on the stack.
> Oh my god!
> That's a very apt response. It's been a very difficult development path.
> We use winpcap on the outbound traffic to
> > determine which outbound packets to grab (there is an NDIS driver that
> > removes the outbound packet from the tcp/ip stack).
> >
> > A client wants to use this software on a machine which has a Checkpoint
> > Firewall-1 installed on it. It appears as though npf.sys can still bind to
> > the lower interface but no outbound traffic is being captured. We know it
> > isn't the rest of our product since this behaviour is dependent on whether
> > or not winpcap is on the machine; regardless of whether or not our product
> > is there. If I bring up Ethereal on this machine (capturing all traffic) it
> > captures all inbound traffic but no outbound traffic. A sniffer on the same
> > hub as this machine shows both inbound and outbound traffic.
> You are sure that it is a hub?
> Yes.
> >
> > I speculate that the firewall interferes with the upper-edge binding to
> > npf.sys. Rebuilding a debug npf.sys and logging its activity shows lots of
> > reads but nothing else. Any ideas on this would be really helpful. Thanks
> > for any tips!
>
> The "problem" of all firewalls is that they "inevitably" touch a lower level
> than you; it's their role also...
> I think that to fix this problem it would be necessary that you launch
> your program before launching the firewall; it is possible that you take a better
> priority.
>
> We've tried this manually, the firewall doesn't like it. I'm going to test
> adding a DependOnService value to the FW-1 service key.
>
> I don't know exactly how, in kernel level functions, two drivers acting out
> of two similar things...
> You tested passing the rules to the firewall?
>
> Haven't gotten that far...
>
> What you can do is also hook the symbols of npf.sys and replace them by
> dex vectors of call
> ex:
> - open npf.sys and find all sub_ functions in the .text section and all of in
>   the .idata section of the file and record it.
> - close npf.sys
> - copy npf.sys to npfc.sys
> - open npfc.sys
> - DUPLICATE the .text section with a separator.
> - find all sub_ references and patch the code after the proc; need to create a
>   ds: call. These sub references must be patched before the separator.
>
> .text:000108EC sub_108EC proc near ; CODE XREF: sub_10996+54Cp
> .text:000108EC ; sub_11304+EBp
> .text:000108EC ; DATA XREF: ...
> .text:000108EC
> .text:000108EC arg_0 = dword ptr 8
> .text:000108EC arg_4 = dword ptr 0Ch
> .text:000108EC arg_8 = dword ptr 10h
> .text:000108EC call ds:OriginalKeQueryPerformanceCounter
>
> And OriginalKeQueryPerformanceCounter is equal to the copy before the
> separator. (OriginalKeQueryPerformanceCounter is an example).
>
> I know this method is gruikkk coding. But with that you can intercept
> _every_ npf driver hook and you can replace your own priority! In the same
> type you can create a function by making 2 calls at the ds segment. Hmmmm, if I
> remember, some anti-viral toolkit used this method... to be confirmed...
>
> Sorry for my bad English;
> No problem! Thanks for the ideas!
>
> > -----Original Message-----
> > From: Michael Vergoz [mailto:[EMAIL PROTECTED]
> > Sent: September 17, 2003 1:37 PM
> > To: [EMAIL PROTECTED]
> > Subject: Fw: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
> >
> > ----- Original Message -----
> > From: "Michael Vergoz" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, September 17, 2003 9:31 PM
> > Subject: Re: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
> >
> > > Could you give me more information on the design of your network?
> > > firewall, router, computer, switch...
> > >
> > > You seek to know entering and outgoing Internet traffic of your
> > > router/firewall by Ethereal?
> > >
> > > Michael
> > >
> > > Michael VERGOZ
> > > PHP Development Team
> > > [EMAIL PROTECTED]
> > > php-gtk : http://gtk.php.net/
> > > http://www.php.net
> > >
> > > ----- Original Message -----
> > > From: "Richard Jagodzinski" <[EMAIL PROTECTED]>
> > > To: "'winpcap-users'" <[EMAIL PROTECTED]>
> > > Sent: Wednesday, September 17, 2003 7:07 PM
> > > Subject: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
> > >
> > > > Hi, All
> > > >
> > > > We've run into an "interesting" problem running winpcap & a
> > > > checkpoint-1 Firewall. Bringing up Ethereal on the same machine shows
> > > > inbound traffic but no outbound traffic. This is with the firewall
> > > > configured to pass through all traffic in both directions.
> > > >
> > > > I have read the faq but am hoping someone might have more technical detail
> > > > as to why this is happening.
> > > >
> > > > Cheers,
> > > > Richard
> > > > -----------------------------------------------------------------------
> > > > Richard Jagodzinski
> > > > Research & Development
> > > > Non-Elephant Encryption Systems Inc.
> > > > (403) 232 6001
> > > >
> > > > ==================================================================
> > > > This is the WinPcap users list. It is archived at
> > > > http://www.mail-archive.com/[EMAIL PROTECTED]/
> > > >
> > > > To unsubscribe use
> > > > mailto: [EMAIL PROTECTED]
> > > > ==================================================================
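The symptom that runs through this thread (Ethereal on the host shows inbound frames but no outbound ones, while a sniffer on the same hub sees both directions) can be checked mechanically from a saved capture instead of by eye. The following is an added example, not code from the thread, from WinPcap or from Ethereal: a small reader for the classic pcap file format in Python that classifies every Ethernet frame as sent by, received by, or unrelated to a given local MAC address, so a capture with zero outbound frames stands out. The MAC addresses and frames are constructed sample data, and the function names are mine.

```python
import struct

LINKTYPE_ETHERNET = 1
MAGIC_SAME_ORDER = 0xA1B2C3D4   # magic read back in the writer's own byte order
MAGIC_SWAPPED = 0xD4C3B2A1      # magic read back with the wrong byte order


def build_pcap(frames, byte_order="<", base_ts=1063843200):
    """Build a classic pcap byte string (Ethernet link type) from raw frames.
    byte_order is '<' (little-endian) or '>' (big-endian); both are valid pcap."""
    hdr = struct.pack(byte_order + "IHHiIII", MAGIC_SAME_ORDER, 2, 4, 0, 0, 65535,
                      LINKTYPE_ETHERNET)
    out = [hdr]
    for i, frame in enumerate(frames):
        # per-record header: ts_sec, ts_usec, captured length, original length
        out.append(struct.pack(byte_order + "IIII", base_ts + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def ethernet_frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Minimal Ethernet II frame: dst MAC, src MAC, EtherType, payload (no FCS)."""
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack(">H", ethertype) + payload)


def parse_pcap(data):
    """Yield (ts_sec, frame_bytes) for each record; detects either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == MAGIC_SAME_ORDER:
        bo = "<"
    elif magic == MAGIC_SWAPPED:
        bo = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack(bo + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type 1, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(bo + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield ts_sec, frame


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def direction_counts(data, local_mac):
    """Count frames sent by local_mac, addressed to it (unicast, broadcast or
    multicast), and frames that involve neither (e.g. other hosts on a hub)."""
    local = local_mac.lower()
    counts = {"outbound": 0, "inbound": 0, "other": 0}
    for _ts, frame in parse_pcap(data):
        if len(frame) < 14:           # runt frame, no usable Ethernet header
            counts["other"] += 1
            continue
        dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
        if src == local:
            counts["outbound"] += 1
        elif dst == local or (frame[0] & 1):   # low bit of first octet = group address
            counts["inbound"] += 1
        else:
            counts["other"] += 1
    return counts


def capture_looks_one_sided(counts):
    """True when the host received traffic but none of its own frames were captured,
    which is exactly the asymmetry reported on this list."""
    return counts["inbound"] > 0 and counts["outbound"] == 0


# Constructed sample data: local host LOCAL exchanging frames with peer PEER.
LOCAL = "00:11:22:33:44:55"
PEER = "66:77:88:99:aa:bb"
HEALTHY_CAPTURE = build_pcap([ethernet_frame(PEER, LOCAL),
                              ethernet_frame(LOCAL, PEER),
                              ethernet_frame(PEER, LOCAL)])
ONE_SIDED_CAPTURE = build_pcap([ethernet_frame(LOCAL, PEER),
                                ethernet_frame(LOCAL, PEER)], byte_order=">")

if __name__ == "__main__":
    for name, cap in (("healthy", HEALTHY_CAPTURE), ("one-sided", ONE_SIDED_CAPTURE)):
        c = direction_counts(cap, LOCAL)
        print(name, c, "ONE-SIDED" if capture_looks_one_sided(c) else "ok")
```

To run it against a real capture, save a short Ethereal/Wireshark session in classic pcap (not pcapng) format and call `direction_counts(open("capture.pcap", "rb").read(), "<your NIC's MAC>")` while the host is known to be transmitting; an `outbound` count of zero with a non-zero `inbound` count reproduces the symptom, and comparing the same numbers from a second capture taken on another machine on the hub separates a capture-side problem (NIC driver, firewall binding) from the host simply not sending.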
