
Need help with Network Packet filtering (IDS)


Maverick, Jan 6, 2010, 12:31:23 AM
Hi,

I need a network packet filtering SDK for Windows with which I'd be
able to sniff packets on the network and block them after
inspection.
I need this for an Intrusion Detection System I'm planning to develop.
The SDK should provide me with APIs (user mode or kernel mode, it
doesn't matter) to read incoming packets; I'll do a content search
over the packet data and decide whether the packet should be dropped
or forwarded.
Due to a shortage of time, I cannot opt for writing an NDIS Intermediate
driver on my own.

I've found the following 3 SDKs until now:

1. WinPkFilter
http://www.ntkernel.com/w&p.php?id=7

2. MicroOLAP's PSSDK
http://www.microolap.com/products/network/pssdk/

3. IP Packet Redirector
http://pcausa.com/filters/ipredir.htm

I want to know if anyone can recommend an SDK better than the
above 3, or something that is more popular.

Thanks
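
The inspect-and-decide step the post describes (read a packet, search its content, drop or forward), as an added example that is not code from this thread or from any of the SDKs named in it. It is plain, platform-independent C: the header parsing and verdict logic you would call from whichever driver or SDK hands you the raw IP packet bytes; the NDIS/WFP plumbing that delivers those bytes is not shown. The rule set, the packet builder, the 10.0.0.x addresses and the function names are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef enum { VERDICT_FORWARD = 0, VERDICT_DROP = 1 } verdict_t;
typedef enum { PARSE_OK = 0, PARSE_NOT_TCP4 = 1, PARSE_MALFORMED = 2 } parse_t;

/* One content rule: a byte pattern to look for in the TCP payload,
 * optionally restricted to a destination port (0 = any port). */
typedef struct { const char *name; const char *pattern; uint16_t dst_port; } signature_t;

/* Constructed sample rule set for the demo; not from any real IDS. */
static const signature_t SIGNATURES[] = {
    { "http-etc-passwd", "/etc/passwd", 80 },
    { "shell-cmd-exe",   "cmd.exe",     0  },
};
#define NSIGS (sizeof(SIGNATURES) / sizeof(SIGNATURES[0]))

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Byte-wise substring search (memmem is not portable). */
static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n > 0 && i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Locate the TCP payload in a buffer that starts at the IPv4 header. Every
 * length field is checked against the bytes actually present, so a truncated
 * or lying header is reported as malformed instead of being read past. */
static parse_t parse_ipv4_tcp(const uint8_t *pkt, size_t len, const uint8_t **payload,
                              size_t *payload_len, uint16_t *dst_port)
{
    if (len < 20) return PARSE_MALFORMED;
    if ((pkt[0] >> 4) != 4) return PARSE_NOT_TCP4;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, total = rd16(pkt + 2);
    if (ihl < 20 || total < ihl || total > len) return PARSE_MALFORMED;
    if (pkt[9] != 6) return PARSE_NOT_TCP4;                 /* protocol != TCP */
    const uint8_t *tcp = pkt + ihl;
    size_t tcp_len = total - ihl;
    if (tcp_len < 20) return PARSE_MALFORMED;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > tcp_len) return PARSE_MALFORMED;
    *dst_port = rd16(tcp + 2);
    *payload = tcp + doff;
    *payload_len = tcp_len - doff;
    return PARSE_OK;
}

/* Decide the fate of one packet. *why names the rule that fired (or
 * "malformed-header"); NULL when the packet is forwarded. why may be NULL. */
verdict_t inspect_packet(const uint8_t *pkt, size_t len, const char **why)
{
    const uint8_t *payload = NULL; size_t payload_len = 0; uint16_t dst_port = 0;
    const char *dummy; if (!why) why = &dummy;
    *why = NULL;
    switch (parse_ipv4_tcp(pkt, len, &payload, &payload_len, &dst_port)) {
    case PARSE_NOT_TCP4:  return VERDICT_FORWARD;          /* rules below are TCP-only */
    case PARSE_MALFORMED: *why = "malformed-header"; return VERDICT_DROP;  /* fail closed */
    default: break;
    }
    for (size_t i = 0; i < NSIGS; i++) {
        if (SIGNATURES[i].dst_port && SIGNATURES[i].dst_port != dst_port) continue;
        if (contains(payload, payload_len, SIGNATURES[i].pattern)) {
            *why = SIGNATURES[i].name;
            return VERDICT_DROP;
        }
    }
    return VERDICT_FORWARD;
}

/* Build a minimal IPv4/TCP packet (checksums left zero) as constructed test
 * input, then optionally hand the inspector fewer bytes than the IP header
 * claims, which is what a truncated packet looks like. Returns the verdict. */
verdict_t demo_verdict(uint16_t dst_port, const char *payload, size_t truncate_by, const char **why)
{
    static uint8_t buf[1500];
    size_t plen = strlen(payload), total = 40 + plen;
    if (total > sizeof buf) return VERDICT_DROP;
    memset(buf, 0, total);
    buf[0] = 0x45; buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64; buf[9] = 6;                                /* TTL, protocol TCP */
    memcpy(buf + 12, "\x0a\x00\x00\x01\x0a\x00\x00\x02", 8);  /* 10.0.0.1 -> 10.0.0.2 */
    buf[20] = 0xc0; buf[21] = 0x00;                         /* source port 49152 */
    buf[22] = (uint8_t)(dst_port >> 8); buf[23] = (uint8_t)dst_port;
    buf[32] = 0x50; buf[33] = 0x18;                         /* data offset 5, PSH|ACK */
    memcpy(buf + 40, payload, plen);
    return inspect_packet(buf, truncate_by < total ? total - truncate_by : 0, why);
}

/* Same as demo_verdict but returns only the reason string ("" when forwarded). */
const char *demo_reason(uint16_t dst_port, const char *payload, size_t truncate_by)
{
    const char *why;
    demo_verdict(dst_port, payload, truncate_by, &why);
    return why ? why : "";
}

int main(void)
{
    const char *req = "GET /../../etc/passwd HTTP/1.0\r\n\r\n";
    printf("port 80   : %s\n", demo_verdict(80,   req, 0, NULL) == VERDICT_DROP ? "DROP" : "FORWARD");
    printf("port 8080 : %s\n", demo_verdict(8080, req, 0, NULL) == VERDICT_DROP ? "DROP" : "FORWARD");
    printf("truncated : %s (%s)\n", demo_verdict(80, "hello", 10, NULL) == VERDICT_DROP ? "DROP" : "FORWARD",
           demo_reason(80, "hello", 10));
    return 0;
}
```

In a WFP callout the verdict would become classifyOut->actionType = FWP_ACTION_BLOCK or FWP_ACTION_PERMIT. Two design choices worth keeping whatever SDK delivers the bytes: each length field is checked against the bytes actually present before they are read, and a header the inspector cannot parse is dropped rather than waved through uninspected, since truncated or mis-sized headers are a classic way to slip content past a filter (change the PARSE_MALFORMED branch if fail-open is preferred). A per-packet search also misses a pattern split across two TCP segments; a production filter matches over the reassembled stream, which on WFP means working at the stream layer rather than the packet layer.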

Maverick, Jan 6, 2010, 4:28:04 AM
I've come to know that MicroOLAP's PSSDK cannot drop packets.

So there remain only WinPkFilter and IP Packet Redirector, which are
capable of network packet filtering and dropping packets if required.

WinPkFilter is a perfect example of the SDK or packet filtering library
I'm looking for.
But there's a lot of work involved that happens in user mode, thereby
slowing down network activity.

Can anyone recommend a packet filtering library that works
mostly in kernel mode, with hardly any work done in user mode?

Nike Chen, Jan 6, 2010, 5:38:20 AM

Winpcap is what you want, http://www.winpcap.org/

Maverick, Jan 6, 2010, 8:42:55 AM

> Winpcap is what you want, http://www.winpcap.org/

Have you tried blocking the network traffic of other programs using
WinPcap?

Because WinPcap's documentation page states that WinPcap isn't able to
block, filter or manipulate traffic generated by other programs on the
same machine.
Refer to the section "What WinPcap can't do" in WinPcap's
documentation. Here's the link:
http://www.winpcap.org/docs/docs_40_2/html/main.html

If something is being misinterpreted here, can you shed some more
light on how we can block the network traffic of other programs using
WinPcap?
If not, then is there any other packet filtering library besides
WinPkFilter?

Thomas F. Divine, Jan 6, 2010, 9:57:06 AM
WinPCap cannot drop packets. It can "sniff" or monitor (log) packets, but
not block or modify them.

Thomas F. Divine



Thomas F. Divine, Jan 6, 2010, 10:15:57 AM
If you are pressed for time and want to develop a decent product, then on
Windows Vista and higher you would be foolish not to use the free
Microsoft-blessed Windows Filtering Platform (WFP). One would consider
alternatives to WFP _only_ to deal with highly unusual specific threats.

On XP it is a completely different situation. To be successful on XP you
will need to have an NDIS IM driver (below TCP/IP) and a Transport Data
Interface (TDI) driver (above TCP/IP) to have complete visibility into
network traffic. Developing this sort of driver suite is not for the faint
of heart.
In addition, once you have a product that works perfectly in your lab you
must then consider how it interacts with other similar products (FW/AV) that
might be installed on the same machine. This is a real nightmare.

I strongly recommend that you drop the idea of supporting pre-Vista
altogether and use WFP for Vista and later.

Good luck,

Thomas F. Divine
http://www.rawether.net


