Hi,

When you install the drivers of your 3Com, it has to launch an
installation program?

In my opinion, if the RTL8139 works and not the 3Com, it is that the problem
comes from you.

You tested your card under linux/unix?

It's possible that 3COM adds some **** stuff in its drivers.

Regards,
Michael

----- Original Message ----- 
From: "winpcap" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 19, 2003 11:05 AM
Subject: Re: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...


> Hi.
>
> This is a bit off topic, but might be related to the problem you
> are experiencing.
>
> It seems it is a driver problem, but it's not winpcap.
> In my case it was because my NIC was a 3Com.
>
> And on any 3Com 3c90x we tried, it didn't capture packets
> sent by itself, regardless of which 3Com driver we used.
>
> Replacing it with a RTL8139 card solved the issue for me.
> I found this to be weird, and tested this on some other computers.
>
> And we verified that you cannot capture packets on some 3com
> nics if they were also sent by that one.
> This was tested on w2k/wxp.
>
> J. Thomsen, Denmark.
>
>
> ----- Original Message ----- 
> From: "Richard Jagodzinski" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, September 18, 2003 11:36 PM
> Subject: RE: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
>
>
> > Thanks for the response!
> >
> > -----Original Message-----
> > From: Michael Vergoz [mailto:[EMAIL PROTECTED]
> > Sent: September 17, 2003 5:05 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
> >
> >
> > ----- Original Message ----- 
> > From: "Richard Jagodzinski" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, September 18, 2003 12:01 AM
> > Subject: RE: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
> >
> >
> > > We have a product that is dependent on winpcap. It creates point to point
> > > encrypted tunnels across tcp/ip networks. Basically the sender intercepts
> > > outbound packets, encrypts them, wraps & tunnels them over one port; the
> > > receiver, listening on that port, grabs the incoming packet, decrypts it,
> > > and reinjects it on the stack.
> > Oh my god!
> > That's a very apt response. It's been a very difficult development path.
> > > We use winpcap on the outbound traffic to determine which outbound
> > > packets to grab (there is an NDIS driver that removes the outbound
> > > packet from the tcp/ip stack).
> > >
> > > A client wants to use this software on a machine which has a Checkpoint
> > > Firewall-1 installed on it. It appears as though npf.sys can still bind to
> > > the lower interface but no outbound traffic is being captured. We know it
> > > isn't the rest of our product since this behaviour is dependent on whether
> > > or not winpcap is on the machine; regardless of whether or not our product
> > > is there. If I bring up ethereal on this machine (capturing all traffic) it
> > > captures all inbound traffic but no outbound traffic. A sniffer on the same
> > > hub as this machine shows both inbound and outbound traffic.
> > You are sure that it is a hub?
> > Yes.
> > >
> > > I speculate that the firewall interferes with the upper-edge binding to
> > > npf.sys. Rebuilding a debug npf.sys and logging its activity shows lots of
> > > reads but nothing else. Any ideas on this would be really helpful. Thanks
> > > for any tips!
> >
> > The "problem" of all firewalls, it's that they touch "inevitably" a lower
> > level than you, it's its role also...
> >  I think that to fix this problem it would be necessary that you launch
> > your program before launching the firewall, it is possible that you take a
> > better priority.
> >
> > We've tried this manually, the firewall doesn't like it. I'm going to test
> > adding a DependOnService value to the FW-1 service key.
> >
> > I don't know exactly how, in level kernel functions, two drivers acting out
> > of two similar things...
> > You tested of passed of the rules to the firewall?
> >
> > Haven't gotten that far...
> >
> > What you can do it is also hook the symbol of npf.sys and to replace them by
> > dex vectors of call
> > ex:
> > - open npf.sys and find all sub_ function in .text section and all of in
> > .idata section of the file and record it.
> > - close npf.sys
> > - copy npf.sys to npfc.sys
> > - open npfc.sys
> > - DUPLICATE the .text section with a separator.
> > - find all sub_ reference and patch the code after the proc near to create a
> > ds: call. These sub reference must be patched before the separator.
> > .text:000108EC sub_108EC       proc near               ; CODE XREF: sub_10996+54Cp
> > .text:000108EC                                         ; sub_11304+EBp
> > .text:000108EC                                         ; DATA XREF: ...
> > .text:000108EC
> > .text:000108EC arg_0           = dword ptr  8
> > .text:000108EC arg_4           = dword ptr  0Ch
> > .text:000108EC arg_8           = dword ptr  10h
> > .text:000108EC call    ds:OriginalKeQueryPerformanceCounter
> >
> > And OriginalKeQueryPerformanceCounter is equal to the copy before the
> > separator. (OriginalKeQueryPerformanceCounter is an example).
> >
> > I know this method is gruikkk coding. But with that you can intercept
> > _every_ npf driver hook and you can replace your own priority! In the same
> > type you can create a function by make 2 call at the ds segment. hmmmm if I
> > remember some anti-viral toolkit used this method... to be confirmed...
> >
> >
> > Sorry for my bad english;
> > No problem! Thanks for the ideas!
> >
> > >
> > > -----Original Message-----
> > > From: Michael Vergoz [mailto:[EMAIL PROTECTED]
> > > Sent: September 17, 2003 1:37 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Fw: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
> > >
> > >
> > >
> > > ----- Original Message ----- 
> > > From: "Michael Vergoz" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Wednesday, September 17, 2003 9:31 PM
> > > Subject: Re: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
> > >
> > >
> > > > Could you give me more information on the design of your network?
> > > > firewall, router, computer, switch...
> > > >
> > > > You seek to know entering and outgoing Internet traffic of your
> > > > router/firewall by ethereal?
> > > >
> > > > Michael Michael VERGOZ
> > > > PHP Development Team
> > > > [EMAIL PROTECTED]
> > > > php-gtk : http://gtk.php.net/
> > > > http://www.php.net
> > > >
> > > > ----- Original Message ----- 
> > > > From: "Richard Jagodzinski" <[EMAIL PROTECTED]>
> > > > To: "'winpcap-users'" <[EMAIL PROTECTED]>
> > > > Sent: Wednesday, September 17, 2003 7:07 PM
> > > > Subject: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
> > > >
> > > >
> > > > > Hi, All
> > > > >
> > > > > We've run into an "interesting" problem running winpcap & a
> > > > > checkpoint-1 Firewall. Bringing up Ethereal on the same machine shows
> > > > > inbound traffic but no outbound traffic. This is with the firewall
> > > > > configured to pass through all traffic in both directions.
> > > > >
> > > > > I have read the faq but am hoping someone might have more technical
> > > > > detail as to why this is happening.
> > > > >
> > > > > Cheers,
> > > > > Richard
> > > > > -----------------------------------------------------------------------
> > > > > Richard Jagodzinski
> > > > > Research & Development
> > > > > Non-Elephant Encryption Systems Inc.
> > > > > (403) 232 6001
> > > > >
> > > > >
> > > > > ==================================================================
> > > > >  This is the WinPcap users list. It is archived at
> > > > >  http://www.mail-archive.com/[EMAIL PROTECTED]/
> > > > >
> > > > >  To unsubscribe use
> > > > >  mailto: [EMAIL PROTECTED]
> > > > > ==================================================================



==================================================================
 This is the WinPcap users list. It is archived at
 http://www.mail-archive.com/[EMAIL PROTECTED]/

 To unsubscribe use 
 mailto: [EMAIL PROTECTED]
==================================================================
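Added example (not part of the original thread, and not WinPcap or Ethereal code): a check for the symptom discussed above, where a capture taken on the host shows inbound frames but none sent by its own NIC. It reads a classic pcap file and tallies Ethernet frames by direction relative to the local MAC; the MAC addresses, the sample capture and the min_inbound threshold are constructed assumptions.

```python
import struct

MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic pcap, usec

def direction_counts(pcap_bytes, local_mac):
    """Tally Ethernet frames by direction relative to the capturing NIC's MAC."""
    endian = MAGICS.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    mac = bytes.fromhex(local_mac.replace(":", "").replace("-", ""))
    counts = {"outbound": 0, "inbound": 0, "other": 0}
    offset = 24  # size of the pcap global header
    while offset + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_usec, captured length, original length.
        caplen = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        if len(frame) < 14:                      # no complete Ethernet header
            counts["other"] += 1
        elif frame[6:12] == mac:                 # source address is this NIC
            counts["outbound"] += 1
        elif frame[0:6] == mac or frame[0] & 1:  # unicast to us, or group address
            counts["inbound"] += 1
        else:                                    # third-party traffic seen on a hub
            counts["other"] += 1
    return counts

def missing_outbound(counts, min_inbound=20):
    """True when there are plenty of inbound frames but none sent by this NIC."""
    return counts["inbound"] >= min_inbound and counts["outbound"] == 0

def build_pcap(frames):
    """Constructed sample data: wrap raw Ethernet frames in a little-endian pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

LOCAL = "00:11:22:33:44:55"                      # constructed local MAC
ME = bytes.fromhex("001122334455")
PEER = bytes.fromhex("66778899aabb")             # constructed remote MAC
PAD = b"\x08\x00" + b"\x00" * 46                 # EtherType plus dummy payload
# Three frames addressed to us and one broadcast, nothing sent by us.
SAMPLE = build_pcap([ME + PEER + PAD] * 3 + [b"\xff" * 6 + PEER + PAD])
```

Running the same check on a capture taken by a separate sniffer on the same hub gives the comparison point: outbound frames present there but absent from the host's own capture.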