Unfortunately, WinPcap can do very little to solve this kind of problem. Its packet driver delivers to the user the packets that NDIS provides to it. As a consequence, when something underneath changes the behavior of NDIS (possibly in a non-standard way), the packet driver has no means to see the actual traffic. A better place to ask your question is probably Checkpoint support.
Loris

> We have a product that is dependent on winpcap. It creates point to point
> encrypted tunnels across tcp/ip networks. Basically the sender intercepts
> outbound packets, encrypts them, wraps & tunnels them over one port; the
> receiver, listening on that port, grabs the incoming packet, decrypts it,
> and reinjects it on the stack. We use winpcap on the outbound traffic to
> determine which outbound packets to grab (there is an NDIS driver that
> removes the outbound packet from the tcp/ip stack).
>
> A client wants to use this software on a machine which has a Checkpoint
> Firewall-1 installed on it. It appears as though npf.sys can still bind to
> the lower interface but no outbound traffic is being captured. We know it
> isn't the rest of our product since this behaviour is dependent on whether
> or not winpcap is on the machine; regardless of whether or not our product
> is there. If I bring up ethereal on this machine (capturing all traffic) it
> captures all inbound traffic but no outbound traffic. A sniffer on the same
> hub as this machine shows both inbound and outbound traffic.
>
> I speculate that the firewall interferes with the upper-edge binding to
> npf.sys. Rebuilding a debug npf.sys and logging its activity shows lots of
> reads but nothing else. Any ideas on this would be really helpful. Thanks
> for any tips!
>
> -----Original Message-----
> From: Michael Vergoz [mailto:[EMAIL PROTECTED]
> Sent: September 17, 2003 1:37 PM
> To: [EMAIL PROTECTED]
> Subject: Fw: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
>
> ----- Original Message -----
> From: "Michael Vergoz" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, September 17, 2003 9:31 PM
> Subject: Re: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
>
> > Could you give me more information on the design of your network?
> > firewall, router, computer, switch...
> >
> > You seek to know entering and outgoing Internet traffic of your
> > router/firewall by Ethereal?
> >
> > Michael Michael VERGOZ
> > PHP Development Team
> > [EMAIL PROTECTED]
> > php-gtk : http://gtk.php.net/
> > http://www.php.net
> >
> > ----- Original Message -----
> > From: "Richard Jagodzinski" <[EMAIL PROTECTED]>
> > To: "'winpcap-users'" <[EMAIL PROTECTED]>
> > Sent: Wednesday, September 17, 2003 7:07 PM
> > Subject: [WinPcap-users] Winpcap & Checkpoint-1 Firewall...
> >
> > > Hi, All
> > >
> > > We've run into an "interesting" problem running winpcap & a
> > > checkpoint-1 Firewall. Bringing up Ethereal on the same machine shows
> > > inbound traffic but no outbound traffic. This is with the firewall
> > > configured to pass through all traffic in both directions.
> > >
> > > I have read the faq but am hoping someone might have more technical detail
> > > as to why this is happening.
> > >
> > > Cheers,
> > > Richard
> > > -----------------------------------------------------------------------
> > > Richard Jagodzinski
> > > Research & Development
> > > Non-Elephant Encryption Systems Inc.
> > > (403) 232 6001
> > >
> > > ==================================================================
> > > This is the WinPcap users list. It is archived at
> > > http://www.mail-archive.com/[EMAIL PROTECTED]/
> > >
> > > To unsubscribe use
> > > mailto: [EMAIL PROTECTED]
> > > ==================================================================
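
Added example, not part of the original thread or of WinPcap: a check over a saved capture for the symptom discussed above (inbound frames seen on the host, no outbound frames). It assumes a classic pcap savefile with Ethernet link type; the MAC addresses and frames are constructed sample input.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic savefile written by WinPcap/libpcap tools
LINKTYPE_ETHERNET = 1

def direction_counts(pcap_bytes, local_mac):
    """Count Ethernet frames sent by, and addressed to, local_mac."""
    if len(pcap_bytes) < 24:
        raise ValueError("truncated pcap global header")
    # The magic number also reveals the byte order the writer used.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", pcap_bytes[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic pcap savefile")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    counts = {"outbound": 0, "inbound": 0, "other": 0}
    pos = 24
    while pos + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "I", pcap_bytes[pos + 8:pos + 12])[0]
        frame = pcap_bytes[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < max(caplen, 14):
            counts["other"] += 1          # truncated record or runt frame
        elif frame[6:12] == local_mac:
            counts["outbound"] += 1       # source MAC is this host
        elif frame[0:6] == local_mac or frame[0] & 1:
            counts["inbound"] += 1        # unicast to us, or broadcast/multicast
        else:
            counts["other"] += 1          # third-party traffic (promiscuous mode)
    return counts

def outbound_missing(counts):
    """True for the symptom in the thread: inbound frames seen, none outbound."""
    return counts["inbound"] > 0 and counts["outbound"] == 0

def build_pcap(frames):
    """Wrap raw frames in a little-endian savefile (constructed sample input)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed MACs and frames: 14-byte Ethernet header plus zero padding.
LOCAL = bytes.fromhex("020000000001")
PEER = bytes.fromhex("020000000002")
TO_US = LOCAL + PEER + b"\x08\x00" + bytes(46)
FROM_US = PEER + LOCAL + b"\x08\x00" + bytes(46)

if __name__ == "__main__":
    print(direction_counts(build_pcap([TO_US, TO_US]), LOCAL))
```

Running the same check on a capture taken on the host and on one taken by a sniffer on the same hub separates traffic that never left the machine from traffic the local capture driver was never shown.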
