<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1276600987;
mso-list-template-ids:1649329594;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Patrick,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">WinPcap uses a protocol driver for capturing packets. I’m not too familiar with the fwps framework (I guess it’s probably one of the intermediate driver technologies,
like NDIS-intermediate or lightweight IP filtering). Have you tried asking on an NT-driver-specific mailing list like ntdev?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Have a nice day<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">GV<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> winpcap-users-bounces@winpcap.org [mailto:winpcap-users-bounces@winpcap.org]
<b>On Behalf Of </b>Patrick Malka<br>
<b>Sent:</b> Thursday, January 17, 2013 6:15 PM<br>
<b>To:</b> winpcap-users@winpcap.org<br>
<b>Subject:</b> [Winpcap-users] Generic packet questions<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif";color:#222222;background:white">Hello, I have some generic IP related questions that I thought some of the people on this list might be able to answer since this product is
very similar in functionality to what we are doing.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif";color:#222222;background:white"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif";color:#222222;background:white">In Windows, we are using the fwps* family of driver functions to filter IP packets. The filter mechanism is not important, but rather what happens
during the callback functions for packets that match the filter.</span><span style="color:#222222;background:white"><br>
<br>
</span><span style="font-size:11.5pt;font-family:"Arial","sans-serif";color:#222222;background:white">In these callbacks, we wish to alter the data, and have the reverse operation performed on the receiving end. Our goal is to perform encryption and tamper
detection.</span><span style="color:#222222;background:white"><br>
<br>
</span><span style="font-size:11.5pt;font-family:"Arial","sans-serif";color:#222222;background:white">Encryption is fairly easy to do as it does not alter the size of the (IP) packet, but tamper detection is proving to be harder due to the need to send extra
data in addition to the payload in order to be able to detect tampering.</span><span style="color:#222222;background:white"><br>
<br>
</span><span style="font-size:11.5pt;font-family:"Arial","sans-serif";color:#222222;background:white">In this light, my questions are:</span><span style="color:#222222;background:white"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-.25in;mso-list:l0 level1 lfo1;vertical-align:baseline">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#222222"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.5pt;font-family:"Arial","sans-serif";color:#222222;background:white">If I reinject (FwpsInjectNetwork*Async0) an IP packet that is larger than the Ethernet MTU, what will happen? Will it be rejected or
fragmented? Does the answer depend on the specific environment?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-.25in;mso-list:l0 level1 lfo1;vertical-align:baseline">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#222222"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.5pt;font-family:"Arial","sans-serif";color:#222222;background:white">If I fragment an IP packet explicitly before reinjecting it, will the fragments then be filtered again?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-.25in;mso-list:l0 level1 lfo1;vertical-align:baseline">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#222222"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.5pt;font-family:"Arial","sans-serif";color:#222222;background:white">If I want to send a packet larger than the Ethernet MTU, must I fragment it myself or will Windows do it for me after reinjection?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-.25in;mso-list:l0 level1 lfo1;vertical-align:baseline">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#222222"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.5pt;font-family:"Arial","sans-serif";color:#222222;background:white">If I fragment an IP packet during a send, will my receiving IP filter see the fragment packets or the assembled packet? Where does
reassembly occur, before or after the various Windows driver filters?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-.25in;mso-list:l0 level1 lfo1;vertical-align:baseline">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#222222"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.5pt;font-family:"Arial","sans-serif";color:#222222;background:white">Is there a way to safely process a maximum size IP packet (one that will just fit into an Ethernet frame) such that tamper detection
can be performed on the receiving end without having to expand and fragment the packet?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-.25in;mso-list:l0 level1 lfo1;vertical-align:baseline">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#222222"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.5pt;font-family:"Arial","sans-serif";color:#222222;background:white">If I take an IP packet and add an IP option to the header, does that count as increasing the packet size? (I think the answer is yes,
I just thought I would get confirmation).<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="color:#222222;background:white"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif";color:#222222;background:white">Thanks for any help anyone can provide.</span><span style="color:#222222;background:white"><o:p></o:p></span></p>
</div>
</div>
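<p class="MsoNormal">Added example, not part of the original messages: a Python sketch of the size arithmetic behind the last two questions, showing that a tamper-detection tag carried either as trailing payload or as an IPv4 option grows the Total Length field and pushes a full-size 1500-byte packet past the Ethernet MTU. The option type, the 16-byte truncated HMAC-SHA256 tag, the key and the sample addresses are assumptions chosen for illustration.</p>
<pre>
```python
import hashlib
import hmac
import struct

MTU = 1500          # Ethernet payload size assumed for the example
OPT_TYPE = 0x9E     # placeholder option type, chosen only for this sketch
TAG_LEN = 16        # truncated HMAC-SHA256 tag length (assumption)

def checksum(header):  # RFC 1071 one's-complement sum over the IPv4 header
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total > 0xFFFF:
        total = total % 65536 + total // 65536
    return 0xFFFF - total

def rebuild(header, payload):  # fix IHL, Total Length and checksum after a resize
    hdr = bytearray(header)
    hdr[0] = 0x40 + len(hdr) // 4                  # version 4, IHL in 32-bit words
    struct.pack_into("!H", hdr, 2, len(hdr) + len(payload))
    struct.pack_into("!H", hdr, 10, 0)             # checksum field is zero while summing
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
    return bytes(hdr) + payload

def split(packet):
    ihl = (packet[0] % 16) * 4                     # header length in bytes
    return packet[:ihl], packet[ihl:]

def make_tag(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]

def tag_as_trailer(packet, key):
    header, payload = split(packet)
    return rebuild(header, payload + make_tag(key, payload))

def tag_as_option(packet, key):
    header, payload = split(packet)
    option = bytes([OPT_TYPE, 2 + TAG_LEN]) + make_tag(key, payload)
    option += b"\x00" * (-len(option) % 4)         # pad header to a 32-bit boundary
    if len(header) + len(option) > 60:             # IHL is 4 bits: 15 words at most
        raise ValueError("IPv4 header would exceed 60 bytes")
    return rebuild(header + option, payload)

def exceeds_mtu(packet, mtu=MTU):
    return len(packet) > mtu

def sample_packet(payload_len):  # constructed 20-byte IPv4 header plus zero payload
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 1, 0x4000, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return rebuild(header, bytes(payload_len))
```
</pre>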
</body>
</html>