Filtering TCP/IP packets

NOS...@rigney.org

Feb 14, 2002, 10:21:15 AM
Ceri Coburn <ce...@first4internet.co.uk> wrote:
> Hi,
>
> I'm in the middle of developing a packet filter driver for Windows
> which sits in between TCP/IP and the Network Driver.
>
> The idea is to filter packets and modify their content (if need be)
> and send it up to the TCP/IP.
>
> In some cases I need to filter things like images which means that I
> need to capture a lot of packets before I have the whole image. I
> can't send any of the packets up to TCP until the image has been
> scanned. Is there a way that I can keep TCP happy while these packets
> are coming in so that it won't time out?

You're violating one of the premises of protocol 'stacks.' TCP doesn't
know anything about 'images' or 'files.' All it knows about is byte streams.
If you need to filter data at that layer, you need something like an
HTTP proxy.

-parc

Ceri Coburn

Feb 14, 2002, 12:57:45 PM
NOS...@rigney.org wrote in message news:<bbkg4a....@fileserver.rigney.org>...

I'll still be sending it up to TCP as data streams but it will be
delayed as the driver will be collecting the data streams coming in
and not sending them up to TCP stack. After the whole email has come
in I will then split it back up into segments with the expected SEQ
and ACK numbers the TCP stack is expecting.

I was wondering if I could have the TCP socket to wait while the
collecting and scanning is in progress. Could I possibly send an
empty ACK up to the TCP stack when the first packet arrives (so that
TCP connection will be idle) and then when subsequent packets arrive
the driver will capture the packets and send ACKs back to the server
but the data will not be sent up to the TCP stack. Once the data is
then ready to be sent up to the TCP stack it will be split back into
packets (whether it's been changed or not) and when the TCP Protocol
ACKs those packets the driver will drop them as we would have already
sent the ACKs to the server.

Barry Margolin

Feb 14, 2002, 3:30:15 PM
In article <eb2e22b6.02021...@posting.google.com>,

Ceri Coburn <ce...@first4internet.co.uk> wrote:
>I'm in the middle of developing a packet filter driver for Windows
>which sits in between TCP/IP and the Network Driver.
>
>The idea is to filter packets and modify their content (if need be)
>and send it up to the TCP/IP.
>
>In some cases I need to filter things like images which means that I
>need to capture a lot of packets before I have the whole image. I
>can't send any of the packets up to TCP until the image has been
>scanned. Is there a way that I can keep TCP happy while these packets
>are coming in so that it won't time out?

Send acknowledgements, just like TCP itself would. This basically means
you'll need to duplicate much of TCP's internals -- you'll have to keep
track of gaps in the sequence numbers so you don't acknowledge a packet
until all the preceding packets in the connection have been received.

--
Barry Margolin, bar...@genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
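
The gap tracking described in the reply above, as an added example that is not code from any poster in this thread: a per-connection tracker that returns the highest ACK number a filter may send while it holds data back. The names `reasm`, `reasm_init`, `reasm_segment` and the `MAX_HELD` limit are hypothetical, and the sketch covers only sequence accounting (no payload buffering or window handling); it goes slightly beyond the post by handling 32-bit sequence wraparound.

```c
#include <stdint.h>

#define MAX_HELD 16  /* assumed cap on out-of-order ranges held per connection */

/* Sequence numbers wrap modulo 2^32, so compare by signed difference. */
#define SEQ_LT(a, b)  ((int32_t)((uint32_t)(a) - (uint32_t)(b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) <= 0)

struct range { uint32_t start, end; };      /* bytes [start, end) */

struct reasm {
    uint32_t rcv_nxt;                       /* next in-order byte expected */
    struct range held[MAX_HELD];            /* data received beyond a gap */
    int n;
};

void reasm_init(struct reasm *r, uint32_t peer_isn)
{
    r->rcv_nxt = peer_isn + 1;              /* the SYN consumes one number */
    r->n = 0;
}

/* Note one data segment; return the only ACK number that is safe to send. */
uint32_t reasm_segment(struct reasm *r, uint32_t seq, uint32_t len)
{
    uint32_t end = seq + len;
    int i = 0;

    if (len == 0 || SEQ_LEQ(end, r->rcv_nxt))
        return r->rcv_nxt;                  /* pure ACK or old duplicate */
    if (SEQ_LEQ(seq, r->rcv_nxt))
        r->rcv_nxt = end;                   /* fills the front of the stream */
    else if (r->n < MAX_HELD)
        r->held[r->n++] = (struct range){ seq, end };
    /* else: table full, drop it unacknowledged; the sender retransmits */

    while (i < r->n) {                      /* absorb ranges no longer blocked */
        if (SEQ_LEQ(r->held[i].start, r->rcv_nxt)) {
            if (SEQ_LT(r->rcv_nxt, r->held[i].end))
                r->rcv_nxt = r->held[i].end;
            r->held[i] = r->held[--r->n];
            i = 0;                          /* rcv_nxt moved: rescan */
        } else {
            i++;
        }
    }
    return r->rcv_nxt;
}
```

Acknowledging anything past the returned value would tell the server that bytes inside a gap had arrived, so it would never retransmit them.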

Ceri Coburn

Feb 15, 2002, 4:10:03 AM
Barry Margolin <bar...@genuity.net> wrote in message news:<r7Va8.13$Se6.21066@burlma1-snr2>...

> In article <eb2e22b6.02021...@posting.google.com>,
> Ceri Coburn <ce...@first4internet.co.uk> wrote:
> >I'm in the middle of developing a packet filter driver for Windows
> >which sits in between TCP/IP and the Network Driver.
> >
> >The idea is to filter packets and modify their content (if need be)
> >and send it up to the TCP/IP.
> >
> >In some cases I need to filter things like images which means that I
> >need to capture a lot of packets before I have the whole image. I
> >can't send any of the packets up to TCP until the image has been
> >scanned. Is there a way that I can keep TCP happy while these packets
> >are coming in so that it won't time out?
>
> Send acknowledgements, just like TCP itself would. This basically means
> you'll need to duplicate much of TCP's internals -- you'll have to keep
> track of gaps in the sequence numbers so you don't acknowledge a packet
> until all the preceding packets in the connection have been received.

I don't mind programming the internals because it will only be on a
certain connection - for example only connections made to port 110.
I've already done the SEQ number sorting etc. I was just wondering if
it would be possible or would the calling application time out, because
in some cases scanning could take up to a minute or two if there are
big images and lots of text. I won't have to worry about much of the
options list in the TCP or IP headers either because it will only
interrupt a connection if it's to port 110 and a RETR command has been
sent as the last outgoing packet.

Anonymouse

Feb 15, 2002, 7:31:06 PM
I do quite a bit of work for the graphics industry. It's quite common to send
and receive large files (the "small ones" are in the 40 meg range). How will
your solution handle it? Will you be able to allocate enough
buffer?

"Ceri Coburn" <ce...@first4internet.co.uk> wrote in message
news:eb2e22b6.02021...@posting.google.com...

Fernando Gont

Feb 15, 2002, 7:44:14 PM
On 14 Feb 2002 09:57:45 -0800, ce...@first4internet.co.uk (Ceri Coburn)
wrote:

>I was wondering if I could have the TCP socket to wait while the
>collecting and scanning is in progress. Could I possibly send an
>empty ACK up to the TCP stack when the first packet arrives (so that
>TCP connection will be idle) and then when subsequent packets arrive
>the driver will capture the packets and send ACKs back to the server
>but the data will not be sent up to the TCP stack. Once the data is
>then ready to be sent up to the TCP stack it will be split back into
>packets (whether it's been changed or not) and when the TCP Protocol
>ACKs those packets the driver will drop them as we would have already
>sent the ACKs to the server.

If you want to filter specific data at the application layer, why
don't you make a filter at the application layer?

If you want to filter the things your users can get by e-mail, then
why don't you modify the POP3 server or make a program that processes
each e-mail you get by SMTP?

I can't see the advantage of dealing with the transport layer....

--
Fernando Gont
e-mail: fern...@ANTISPAM.gont.com.ar

[To send a personal reply, please remove the ANTISPAM tag]

Ceri Coburn

Feb 18, 2002, 6:03:12 AM
The filter actually scans for pornographic images. It's very rare to
see pornographic images over the 5MB range. So if this is the case the
image won't be scanned anyway.

With regards to the application working on the POP3 or SMTP server.
This is another solution that we have already implemented. This
application needs to be installed on home computers where everyday
people don't get access to SMTP and POP3 servers. And because it's not
application specific (e.g. Microsoft Outlook) that's why I thought it
would be better to do it at this level. I did see something about an
LSP but it seemed rather complicated.


"Anonymouse" <an...@optonline.net> wrote in message news:<eLhb8.111310$th4.31...@news02.optonline.net>...

Fernando Gont

Feb 19, 2002, 7:46:10 PM
On 18 Feb 2002 03:03:12 -0800, ce...@first4internet.co.uk (Ceri Coburn)
wrote:

>With regards to the application working on the POP3 or SMTP server.
>This is another solution that we have already implemented. This
>application needs to be installed on home computers where everyday
>people don't get access to SMTP and POP3 servers.

Why don't you install your application at the server host?

I mean, if I've understood correctly, you don't want your users to get
pornographic images.

Then why don't you filter them at the server, instead of filtering
them at the client side?


> And because it's not application specific (e.g. Microsoft Outlook) that's
> why I thought it would be better to do it at this level.

If you filter the images at the server side, then it won't matter
whether your users use Outlook, Eudora, or whatever mail client they
use....
