Raw Ethernet Packet Manipulation - Part 1



Written by:miahrugger
Published by:Nightscript
Published on:2006-10-06 15:56:35
Topic:Windows
The purpose of this article is to explain how to send a raw Ethernet packet from C# on a Microsoft Windows platform. A raw Ethernet packet is the complete Layer 2 frame that goes onto the physical wire, Ethernet header included. Sending a frame at this level lets you choose the destination and source MAC addresses and the EtherType (Layer 3 protocol) field yourself, which the normal Winsock API does not allow: raw sockets on Windows start at Layer 3.

Background

You may be thinking, "Why would anyone want to do this?" I was trying to write a C# application that would make an ordinary Windows computer with two NICs behave as a Layer 2 network device: listen for frames on one interface and send the exact same frames out of the other, basically a packet repeater. To do this I needed to read a raw Ethernet frame (easy) and then write that same raw frame back out (difficult). The sent frame had to be byte-for-byte identical to the one read, Ethernet header and all. I did a great deal of research online and found very little, just a few hints here and there.

The first problem was that Windows does not include an API for sending a raw Ethernet frame. After some research I realized that I needed an NDIS protocol driver (an NDIS intermediate driver such as the PassThru sample would also work) to talk to the network adapters below the TCP/IP stack. Luckily, the Windows Driver Development Kit (DDK) includes a sample protocol driver, ndisprot, that does most of this. I thought the hard part was done at that point; it was not. The next problem was talking to the driver from managed C# code.

Enough background; on to the code.

Part 1 - NDIS Protocol Driver

As mentioned above, the DDK provides an NDIS protocol driver that can send raw frames. I compiled it, producing the .inf and .sys files for the driver (the compiled driver, altered to fit my needs, is included in the attached zip file). After running a few tests, I found that the unmodified driver would:

1. only receive frames addressed to my own adapter (plus broadcast and multicast, which is what the default packet filter asks for), and
2. only send frames whose source address was my adapter's own MAC address.

Neither restriction was acceptable for a repeater: I needed to receive every frame on my LAN segment and send those same frames regardless of their source address. After reading through the driver code, I found the two places that enforce these limits.

To receive every frame on the segment, the driver has to request promiscuous mode from the adapter. This is done by adding NDIS_PACKET_TYPE_PROMISCUOUS to the packet filter the driver sets on each binding (the adapter's miniport must accept that filter bit, which practically every Ethernet NIC does). The following definition in ndisprot.h is what was altered:

// ndisprot.h
// line 177
// Add NDIS_PACKET_TYPE_PROMISCUOUS to support promiscuous mode reading

#define NUIOO_PACKET_FILTER (NDIS_PACKET_TYPE_DIRECTED| \
                              NDIS_PACKET_TYPE_MULTICAST| \
                              NDIS_PACKET_TYPE_BROADCAST| \
                              NDIS_PACKET_TYPE_PROMISCUOUS) // **Added**


To send frames with an arbitrary source address, the following check in send.c had to be commented out. The sample's own comment explains why it is there: it stops a user-mode application from spoofing another station's MAC address (note that the check only applies when RequestorMode is UserMode, so kernel callers were never subject to it). Once it is removed, any application that can open the driver's device can put any source address on the wire, so treat the modified driver as a privileged tool and do not leave it installed on machines that do not need it.

// send.c
// line 136
// Comment out to support sending packets from any MAC source address

     // To prevent applications from sending packets with spoofed
     // mac address, we will do the following check to make sure the source
     // address in the packet is same as the current MAC address of the NIC.
     //
     if ((pIrp->RequestorMode == UserMode) &&
          !NPROT_MEM_CMP(pEthHeader->SrcAddr,
          pOpenContext->CurrentAddress, NPROT_MAC_ADDR_LEN))
     {
            DEBUGP(DL_WARN, ("Write: Failing with invalid Source address"));
            NtStatus = STATUS_INVALID_PARAMETER;
            break;
     }


Once those two changes were made and the driver was rebuilt, it did exactly what I needed.

Part 2 - C# RawEthernet Application

The code for the RawEthernet application is commented fairly well, so I will not go into a lot of detail here; I will only highlight the important steps.

Talking to a device driver from user mode is much like file I/O. We open the driver's device object by calling the CreateFile API (P/Invoked from kernel32.dll), which returns a handle we can read from and write to. Next we bind that handle to a specific adapter with the DeviceIoControl API, passing the adapter's device name in the driver's open-device control request; binding is what ties the handle to the NDIS binding for that one network adapter. After that, sending is a single WriteFile call with the frame bytes as the buffer, and ReadFile returns the next received frame in the same way. If WriteFile fails with ERROR_INVALID_PARAMETER, check that you are running the modified driver: the unmodified sample rejects any frame whose source address is not the adapter's own with STATUS_INVALID_PARAMETER, which is what that Win32 error maps to.

To send a frame, we have to build the byte representation of the packet we want to send. The following shows the Ethernet header (the first 14 bytes of the frame) byte by byte:

DD DD DD DD DD DD SS SS SS SS SS SS PP PP <data follows>

* D = Destination MAC address (6 bytes)
* S = Source MAC address (6 bytes)
* P = EtherType of the next-layer protocol, 2 bytes in network (big-endian) byte order (08 00 = IPv4, 08 06 = ARP)
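The following is an added example, not code from the article, the attached zip or the DDK sample. It builds the 14-byte Ethernet header laid out above in front of a payload, parses a received frame back into its fields, and applies in user mode the same source-address policy the unmodified ndisprot driver enforces in send.c (frame source MAC must equal the NIC's current address), so the spoof check survives even when the driver's copy has been commented out. All MAC addresses and the payload are constructed sample values; the buffer produced by eth_build is exactly what you would hand to WriteFile on the driver handle.

```c
/* Added example: Ethernet II frame construction, parsing and the
 * source-MAC policy from the stock ndisprot driver. Not from the
 * original article; all addresses below are constructed samples. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN      6
#define ETH_HLEN      14
#define ETHERTYPE_IP  0x0800   /* IPv4: the "08 00" case in the text */
#define ETHERTYPE_ARP 0x0806
#define MAX_FRAME     1514     /* 14-byte header + 1500-byte MTU payload */

struct eth_hdr {
    uint8_t  dst[ETH_ALEN];
    uint8_t  src[ETH_ALEN];
    uint16_t ethertype;        /* host order here; big-endian on the wire */
};

/* Serialise dst | src | ethertype | payload into buf.
 * Returns the total frame length, or 0 if it would not fit. */
size_t eth_build(uint8_t *buf, size_t buflen,
                 const uint8_t dst[ETH_ALEN], const uint8_t src[ETH_ALEN],
                 uint16_t ethertype, const uint8_t *payload, size_t plen)
{
    if (plen > MAX_FRAME - ETH_HLEN || buflen < ETH_HLEN + plen)
        return 0;
    memcpy(buf, dst, ETH_ALEN);
    memcpy(buf + ETH_ALEN, src, ETH_ALEN);
    buf[12] = (uint8_t)(ethertype >> 8);    /* network byte order */
    buf[13] = (uint8_t)(ethertype & 0xff);
    memcpy(buf + ETH_HLEN, payload, plen);
    return ETH_HLEN + plen;
}

/* Parse the header of a received frame. Returns 0 on a runt frame. */
int eth_parse(const uint8_t *frame, size_t len, struct eth_hdr *out)
{
    if (len < ETH_HLEN)
        return 0;
    memcpy(out->dst, frame, ETH_ALEN);
    memcpy(out->src, frame + ETH_ALEN, ETH_ALEN);
    out->ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    return 1;
}

/* The policy the stock DDK driver applies to user-mode writes: the
 * frame's source MAC must equal the NIC's current address, otherwise the
 * write fails with STATUS_INVALID_PARAMETER. Returns 1 if allowed. */
int eth_src_allowed(const uint8_t *frame, size_t len,
                    const uint8_t nic_addr[ETH_ALEN])
{
    struct eth_hdr h;
    if (!eth_parse(frame, len, &h))
        return 0;
    return memcmp(h.src, nic_addr, ETH_ALEN) == 0;
}

/* Hex dump in the "DD DD ... SS SS ... PP PP" style used in the text. */
void eth_hexdump(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        printf("%02X%s", buf[i], (i + 1 == len) ? "\n" : " ");
}

int main(void)
{
    /* Constructed sample addresses, not real hosts. */
    const uint8_t nic_mac[ETH_ALEN]   = {0x00, 0x0C, 0x29, 0x11, 0x22, 0x33};
    const uint8_t peer_mac[ETH_ALEN]  = {0x00, 0x50, 0x56, 0xAA, 0xBB, 0xCC};
    const uint8_t spoof_mac[ETH_ALEN] = {0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x01};
    const uint8_t payload[] = "hello";
    uint8_t frame[MAX_FRAME];

    size_t n = eth_build(frame, sizeof frame, peer_mac, nic_mac,
                         ETHERTYPE_IP, payload, sizeof payload);
    eth_hexdump(frame, n);
    printf("own source allowed:     %d\n", eth_src_allowed(frame, n, nic_mac));

    n = eth_build(frame, sizeof frame, peer_mac, spoof_mac,
                  ETHERTYPE_IP, payload, sizeof payload);
    printf("spoofed source allowed: %d\n", eth_src_allowed(frame, n, nic_mac));
    return 0;
}
```

eth_src_allowed is the same comparison the driver makes with NPROT_MEM_CMP; a repeater that genuinely needs to forward other stations' frames can skip it, but a sender that only ever speaks for its own adapter should keep it so that a bug in the application cannot turn into MAC spoofing on the segment.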

You can use a packet sniffer (Ethereal, now Wireshark; Snoop; EtherPeek) on another host to verify that the frame really went out on the network medium with the header you built. The frame this application currently sends is a very simple data frame that serves no purpose other than to show the concept. It can easily be changed to carry a real packet, such as an ICMP echo request (ping) or anything else you can think of.

Running the Sample NDIS Driver

You can install the NDIS driver by opening your network adapter's properties, clicking the "Install" button, selecting "Protocol", and then choosing "Have Disk". Browse to the .inf file and click "OK". This binds the protocol driver to every adapter in your system.

Important - Make sure that it is enabled, there should be a check in the box next to "Raw Packet NDIS Protocol Driver".

Important - Open a command prompt and type "net start ndisprot" to start the driver service.

Note - The beauty of this driver is that you can disable every other protocol in the adapter's protocol list (for example Internet Protocol (TCP/IP)) and still send and receive frames. The machine will not even have an IP address, but because we are working at Layer 2 it does not need one. (The driver also works with all of the other protocols left enabled.)

RawEthernet Application

The zip file contains the source and compiled binary for the RawEthernet application. Once the driver is installed and enabled, simply run the EXE to see the packets being sent.


Comments:
miahrugger
2006-10-07 01:48:49
Forgot to mention, the NDIS Protocol Driver was built using the XP DDK, so it will work on XP and likely 2003. However, if you plan to use it on 2000, it might fail. It will have to be rebuilt using the 2000 DDK.
bb
2006-10-08 05:09:43
I'd love to elaborate on this subject as I think it's really interesting.

I did some work on a C# firewall which used a C++ NDIS driver just like you. Some of the stuff I was doing is in this article. I was using driver code I inherited from another project which was quite painful to work with. I was loading a list of IPs for which packets were to be dropped into the driver. The driver then notified the system when a packet was granted or dropped and the C# app was used to list the granted/dropped packets as they came flying past.

I keep meaning to resurrect the project - as it was mainly finished, just need a decent UI building and some tweaks with the driver.

One problem was a pain in the ass regarding the installer for the driver. I tried installing it programmatically and using the DDK installutil and with both the driver never seemed to get installed right - it always required the user to manually do the steps you describe above to add the driver.... if anyone has any tips on that I'd love to hear them.
sefo
2006-10-08 07:02:35
Not sure if it will help in your case but I developed a driver in asm and it's possible to register it using the Windows API:

invoke OpenSCManager, NULL, NULL, SC_MANAGER_ALL_ACCESS

If the function doesn't return null:

invoke GetFullPathName, $CTA0("drivername.sys"), sizeof acModulePath, addr acModulePath, esp

Then you can install the service

invoke CreateService, hSCManager, $CTA0("drivername"), $CTA0("OSIX challenge driver"), \
            SERVICE_START + SERVICE_STOP + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
            SERVICE_ERROR_IGNORE, addr acModulePath, NULL, NULL, NULL, NULL, NULL

If the function doesn't return NULL
start the service

invoke StartService, hService, 0, NULL

if return value is not 0


; the driver can receive I/O request packet (IRP) of type IRP_MJ_CREATE

invoke CreateFile, $CTA0("\\\\.\\driver name"), GENERIC_READ + GENERIC_WRITE, \
                                0, NULL, OPEN_EXISTING, 0, NULL

oh well, it's too long to explain and the textbox here is too small ;)
miahrugger
2006-10-11 16:48:38
bb, I seem to remember a way to programmatically install it, but I can't recall it off the top of my head. I will look through my old stuff and see if I can find it for you...
Anonymous
2006-10-19 14:56:21
I also tried to play with this protocol driver and I didn't find a way to do a properties dialog box. Do you have any idea where to look?
Anonymous
2008-01-29 08:05:14
Hi,

I just want to read raw Ethernet packets from my C program, and reached this article (which is excellent). Can someone please direct me to the place where I can find the source code mentioned in the "RawEthernet Application" section? [The zip file turned out to be empty]
Anonymous
2008-01-31 02:12:13
I am also having trouble reading raw Ethernet packets. I tried to find a way to do this from the properties dialog but could not.
tycho
2009-06-02 08:14:52
There is nothing in the zip file
CodeX
2009-10-25 17:36:29
looks like the zip with the article has been lost to the perilous OSIDrive, if all you want to do is read the packets floating around then you can use Wireshark
Copyright Open Source Institute, 2006