Hi again

Trust me, we are several who have verified this, but windows only, no *nix system tested.
Also, I am a computer programmer & engineer/technician, and usually I know what I'm doing, so I am sure it wasn't me :)

Regards,
J. Thomsen

----- Original Message -----
From: "Michael Vergoz" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 19, 2003 11:16 AM
Subject: Re: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...

> Hi,
>
> When you install the drivers of your 3com it has to launch a program of
> installation ?
>
> In my opinion, if the RTL8139 works and not the 3Com it is that the problem
> comes from you.
>
> You tested your card under linux/unix?
>
> It's possible that 3COM add some **** stuff in his drivers.
>
> Regards,
> Michael
>
> ----- Original Message -----
> From: "winpcap" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, September 19, 2003 11:05 AM
> Subject: Re: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
>
>
> > Hi.
> >
> > This is a bit off topic, but might be related to the problem you
> > are experiencing.
> >
> > It seems it is a driver problem, but it's not winpcap.
> > In my case it was because my NIC was a 3Com.
> >
> > And on any 3Com 3c90x we tried, it didn't capture packets
> > sent by itself, regardless of which 3Com driver we used.
> >
> > Replacing it with a RTL8139 card solved the issue for me.
> > I found this to be weird, and tested this on some other computers.
> >
> > And we verified that you cannot capture packets on some 3com
> > nics if they were also sent by that one.
> > This was tested on w2k/wxp.
> >
> > J. Thomsen, Denmark.
> >
> >
> > ----- Original Message -----
> > From: "Richard Jagodzinski" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, September 18, 2003 11:36 PM
> > Subject: RE: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
> >
> >
> > > Thanks for the response!
> > >
> > > -----Original Message-----
> > > From: Michael Vergoz [mailto:[EMAIL PROTECTED]
> > > Sent: September 17, 2003 5:05 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
> > >
> > >
> > > ----- Original Message -----
> > > From: "Richard Jagodzinski" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Thursday, September 18, 2003 12:01 AM
> > > Subject: RE: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
> > >
> > >
> > > > We have a product that is dependent on winpcap. It creates point to point
> > > > encrypted tunnels across tcp/ip networks. Basically the sender intercepts
> > > > outbound packets, encrypts them, wraps & tunnels them over one port; the
> > > > receiver, listening on that port, grabs the incoming packet, decrypts it,
> > > > and reinjects it on the stack.
> > > Oh my god!
> > > That's a very apt response. It's been a very difficult development path.
> > > > We use winpcap on the outbound traffic to
> > > > determine which outbound packets to grab (there is an NDIS driver that
> > > > removes the outbound packet from the tcp/ip stack).
> > > >
> > > > A client wants to use this software on a machine which has a Checkpoint
> > > > Firewall-1 installed on it. It appears as though npf.sys can still bind to
> > > > the lower interface but no outbound traffic is being captured. We know it
> > > > isn't the rest of our product since this behaviour is dependent on whether
> > > > or not winpcap is on the machine; regardless of whether or not our product
> > > > is there. If I bring up ethereal on this machine (capturing all traffic) it
> > > > captures all inbound traffic but no outbound traffic. A sniffer on the same
> > > > hub as this machine shows both inbound and outbound traffic.
> > > You are sure that it is a hub?
> > > Yes.
> > > >
> > > > I speculate that the firewall interferes with the upper-edge binding to
> > > > npf.sys. Rebuilding a debug npf.sys and logging its activity shows lots of
> > > > reads but nothing else. Any ideas on this would be really helpful. Thanks
> > > > for any tips!
> > >
> > > The "problem" of all firewalls it's that they touch "inevitably" low a level
> > > than you, it's its role also...
> > > I think that for fixed this problem it would be necessary that you launched
> > > your program before launched firewall, it is possible that you take a best
> > > priority.
> > >
> > > We've tried this manually, the firewall doesn't like it. I'm going to test
> > > adding a DependOnService value to the FW-1 service key.
> > >
> > > I don't know exactly how, in level kernel functions, two drivers acting out
> > > of two similar things...
> > > You tested of passed of the rules to the firewall?
> > >
> > > Haven't gotten that far...
> > >
> > > What you can do it is also hook the symbol of npf.sys and to replace them by
> > > dex vectors of call
> > > ex:
> > > - open npf.sys and find all sub_ function in .text section and all of in
> > > .idata section of the file and record it.
> > > - close npf.sys
> > > - copy npf.sys to npfc.sys
> > > - open npfc.sys
> > > - DUPLICATE the .text section with a separator.
> > > - find all sub_ reference and patch the code after the proc nead to create a
> > > ds: call. These sub reference must be patched before the separator.
> > > .text:000108EC sub_108EC proc near ; CODE XREF: sub_10996+54Cp
> > > .text:000108EC ; sub_11304+EBp
> > > .text:000108EC ; DATA XREF: ...
> > > .text:000108EC
> > > .text:000108EC arg_0 = dword ptr 8
> > > .text:000108EC arg_4 = dword ptr 0Ch
> > > .text:000108EC arg_8 = dword ptr 10h
> > > .text:000108EC call ds:OriginalKeQueryPerformanceCounter
> > >
> > > And OriginalKeQueryPerformanceCounter is equal to the copy before the
> > > separator. (OriginalKeQueryPerformanceCounter is an example).
> > >
> > > I know this method is gruikkk coding. But with that you can intercept
> > > _every_ npf driver hook and you can replace your own priority ! in the same
> > > type you can create a function by make 2 call at the ds segment. hmmmm if I
> > > remember some anti-viral toolkit used this method... to be confirmed...
> > >
> > >
> > > Sorry for my bad English;
> > > No problem! Thanks for the ideas!
> > >
> > > >
> > > > -----Original Message-----
> > > > From: Michael Vergoz [mailto:[EMAIL PROTECTED]
> > > > Sent: September 17, 2003 1:37 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Fw: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Michael Vergoz" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Wednesday, September 17, 2003 9:31 PM
> > > > Subject: Re: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
> > > >
> > > >
> > > > > Could you give me more information on the design of your network?
> > > > > firewall, router, computer, switch...
> > > > >
> > > > > You seek to know entering and outgoing Internet traffic of your
> > > > > router/firewall by ethereal?
> > > > >
> > > > > Michael Michael VERGOZ
> > > > > PHP Development Team
> > > > > [EMAIL PROTECTED]
> > > > > php-gtk : http://gtk.php.net/
> > > > > http://www.php.net
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Richard Jagodzinski" <[EMAIL PROTECTED]>
> > > > > To: "'winpcap-users'" <[EMAIL PROTECTED]>
> > > > > Sent: Wednesday, September 17, 2003 7:07 PM
> > > > > Subject: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
> > > > >
> > > > >
> > > > > > Hi, All
> > > > > >
> > > > > > We've run into an "interesting" problem running winpcap & a
> > > > > > checkpoint-1 Firewall. Bringing up Ethereal on the same machine shows
> > > > > > inbound traffic but no outbound traffic. This is with the firewall
> > > > > > configured to pass through all traffic in both directions.
> > > > > >
> > > > > > I have read the faq but am hoping someone might have more technical detail
> > > > > > as to why this is happening.
> > > > > >
> > > > > > Cheers,
> > > > > > Richard
> > > > > > -----------------------------------------------------------------------
> > > > > > Richard Jagodzinski
> > > > > > Research & Development
> > > > > > Non-Elephant Encryption Systems Inc.
> > > > > > (403) 232 6001
> > > > > >
> > > > > >
> > > > > > ==================================================================
> > > > > > This is the WinPcap users list. It is archived at
> > > > > > http://www.mail-archive.com/[EMAIL PROTECTED]/
> > > > > >
> > > > > > To unsubscribe use
> > > > > > mailto: [EMAIL PROTECTED]
> > > > > > ==================================================================
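
The symptom compared throughout this thread (a capture taken on the host shows only inbound frames, while a sniffer on the same hub sees both directions) can be confirmed offline from two saved capture files. The following is an added example, not code from any poster or from WinPcap; it assumes classic libpcap-format files with Ethernet link type, the MAC addresses and frames are constructed, and `build_pcap`, `direction_counts` and `outbound_missing` are hypothetical helper names.

```python
import struct

LINKTYPE_ETHERNET = 1

def build_pcap(frames):
    """Wrap raw Ethernet frames in a little-endian classic pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def direction_counts(pcap, local_mac):
    """Count frames whose source MAC is local_mac (outbound) and all others (inbound)."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    counts = {"outbound": 0, "inbound": 0}
    off = 24                                   # first record follows the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(end + "I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:                    # truncated record: no full Ethernet header
            continue
        counts["outbound" if frame[6:12] == local_mac else "inbound"] += 1
    return counts

def outbound_missing(host_pcap, wire_pcap, local_mac):
    """True when the wire capture has frames sent by local_mac but the host capture has none."""
    host = direction_counts(host_pcap, local_mac)
    wire = direction_counts(wire_pcap, local_mac)
    return wire["outbound"] > 0 and host["outbound"] == 0

# Constructed sample data: MAC addresses and frames are made up for this example.
LOCAL = bytes.fromhex("020000000001")
PEER = bytes.fromhex("020000000002")

def eth(dst, src):
    return dst + src + b"\x08\x00" + bytes(46)   # IPv4 ethertype, zero payload

HUB_CAPTURE = build_pcap([eth(PEER, LOCAL), eth(LOCAL, PEER), eth(PEER, LOCAL)])
HOST_CAPTURE = build_pcap([eth(LOCAL, PEER)])
```

With real files, read each capture with `open(path, "rb").read()` and pass the adapter's MAC as six raw bytes; a `True` result reproduces the asymmetry reported here without saying which driver causes it.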
