Raw Ethernet Packet Manipulation - Part 1



Written by:miahrugger
Published by:Nightscript
Published on:2006-10-06 15:56:35
Topic:Windows
The purpose of this article is to explain how to send a raw Ethernet packet using C# on a Microsoft platform. A raw Ethernet packet is the complete Layer 2 frame that goes onto the physical wire. Sending a frame at this level lets you set the destination and source MAC addresses and the EtherType yourself, and build whatever Layer 3 payload you like behind them.

Background

You may be thinking, "Why would anyone want to do this?". Well, I was trying to create an application (using C#) that would make a typical Windows computer with two NICs act as a Layer 2 network device. My goal was to listen for packets on one network interface and send the exact same packet out of the opposite interface, basically a packet repeater. To do this, I needed to be able to read a raw Ethernet packet (easy) and then write that same raw Ethernet packet (difficult). The sent packet needed to be byte-for-byte identical to the packet that was read, Ethernet header and all. I did a great deal of research online and did not find a whole lot of info, just a few hints here and there.

The first problem was that Windows does not expose a way to send a raw Ethernet frame from user mode: Winsock raw sockets stop at the IP layer and never let you supply the Ethernet header. After some research, I realized that I needed an NDIS protocol driver (a PassThru or intermediate driver will also work) to talk to the network adapters at that level. Luckily, the Windows Driver Development Kits (DDKs) include samples that do this. Great, the hard part done, right? Yeah, that is what I thought too. Now I had to interface with the driver from managed C# code.

Well, enough of the background.....on to the code.....

Part 1 - NDIS Protocol Driver

So, like I said, the DDK provides a suitable NDIS driver for sending raw packets. I compiled it, producing the .inf and .sys files for the driver (the compiled driver, altered to fit my needs, is in the attached zip file). After running a few tests, I found that I could:

1. only receive packets destined for my own adapter, and
2. only send packets whose source address was my own adapter's MAC.

Well, this was not acceptable. I needed to receive any packets on my LAN segment, and send those same packets regardless of the source address. So after looking through the driver code, I figured out how to accomplish that.

To receive any packets, the driver had to be set to Promiscuous mode. The following code segment was what was altered to accomplish this.

// ndisprot.h
// line 177
// Add NDIS_PACKET_TYPE_PROMISCUOUS to support promiscuous mode reading

#define NUIOO_PACKET_FILTER (NDIS_PACKET_TYPE_DIRECTED| \
                              NDIS_PACKET_TYPE_MULTICAST| \
                              NDIS_PACKET_TYPE_BROADCAST| \
                              NDIS_PACKET_TYPE_PROMISCUOUS) // **Added**


To send frames with an arbitrary source address, the following check had to be commented out. Read the comment in the code before you do this: the check is the driver's only defence against a user-mode caller spoofing the source MAC. Once it is gone, any process that can open the driver's device object can put frames with any source address onto every adapter the protocol is bound to, so keep the driver off machines where that matters and limit who can open the device.

// send.c
// line 136
// Comment out to support sending packets from any MAC source address

     // To prevent applications from sending packets with spoofed
     // mac address, we will do the following check to make sure the source
     // address in the packet is same as the current MAC address of the NIC.
     //
     if ((pIrp->RequestorMode == UserMode) &&
          !NPROT_MEM_CMP(pEthHeader->SrcAddr,
          pOpenContext->CurrentAddress, NPROT_MAC_ADDR_LEN))
     {
            DEBUGP(DL_WARN, ("Write: Failing with invalid Source address"));
            NtStatus = STATUS_INVALID_PARAMETER;
            break;
     }


Once those changes were made, the NDIS driver did exactly what I needed.

Part 2 - C# RawEthernet Application

The code for the RawEthernet application is commented fairly well, so I am not going to go into a lot of detail on the code here. I am just going to highlight the important steps in the code.

Writing to a device driver is much like writing to a file. We open the driver's device by calling the CreateFile API, which returns a handle we can read from and write to. Next we bind that handle to a specific adapter with the DeviceIoControl API; binding tells the NDIS driver which network adapter this handle sends on and receives from. After that, writing is simple: the WriteFile API hands the driver one complete frame. The ReadFile API is used in the same manner to read incoming frames.

To send a packet, we have to build the byte representation of the frame we want to send. The Ethernet header (the first 14 bytes of the frame) looks like this:

DD DD DD DD DD DD SS SS SS SS SS SS PP PP <data follows>

* D = Destination MAC Address (6 bytes)
* S = Source MAC Address (6 bytes)
* P = EtherType, the next-layer protocol, big-endian (0800 = IPv4, 0806 = ARP)
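The four steps above (open the device, bind it to an adapter, build the 14-byte header plus payload, then WriteFile/ReadFile) put together as an added C# example. This is not the RawEthernet application from the article's zip; it is written against the WDK ndisprot sample, and the device path \\.\NdisProt, the IOCTL_NDISPROT_OPEN_DEVICE code 0x12C800 and the \DEVICE\{GUID} adapter-name format are assumptions taken from that sample that you should check against the driver build you installed. The MAC addresses, the adapter GUID and the EtherType 0x88B5 (an IEEE local-experimental value, chosen so the test frame is not mistaken for IP) are constructed placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32.SafeHandles;

// Added example: talks to the ndisprot device through the same four Win32 calls the article names.
// Device path, IOCTL value and adapter-name format are assumptions from the WDK ndisprot sample.
static class RawEthernet
{
    const uint GENERIC_READ = 0x80000000, GENERIC_WRITE = 0x40000000, OPEN_EXISTING = 3;
    // CTL_CODE(FILE_DEVICE_NETWORK 0x12, function 0x200, METHOD_BUFFERED, FILE_READ|FILE_WRITE_ACCESS)
    const uint IOCTL_NDISPROT_OPEN_DEVICE = 0x12C800;
    const int MaxFrame = 1514;   // 14-byte header + 1500-byte MTU; the NIC appends the 4-byte FCS itself
    const int MinFrame = 60;     // 64-byte minimum on the wire minus the FCS, so pad short frames to 60

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern SafeFileHandle CreateFile(string path, uint access, uint share, IntPtr sec,
                                            uint disposition, uint flags, IntPtr template);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool DeviceIoControl(SafeFileHandle h, uint code, byte[] inBuf, uint inLen,
                                       IntPtr outBuf, uint outLen, out uint returned, IntPtr overlapped);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool WriteFile(SafeFileHandle h, byte[] buf, uint len, out uint written, IntPtr overlapped);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadFile(SafeFileHandle h, byte[] buf, uint len, out uint read, IntPtr overlapped);

    // Steps 1 and 2: open the driver "file", then bind the handle to one adapter.
    public static SafeFileHandle Open(string adapterDeviceName)
    {
        SafeFileHandle h = CreateFile(@"\\.\NdisProt", GENERIC_READ | GENERIC_WRITE, 0, IntPtr.Zero,
                                      OPEN_EXISTING, 0, IntPtr.Zero);
        if (h.IsInvalid) throw new Win32Exception();   // Win32Exception picks up GetLastError()
        // ndisprot expects the adapter's \DEVICE\{GUID} name as UTF-16 (no terminator) in the input buffer
        byte[] name = Encoding.Unicode.GetBytes(adapterDeviceName);
        if (!DeviceIoControl(h, IOCTL_NDISPROT_OPEN_DEVICE, name, (uint)name.Length,
                             IntPtr.Zero, 0, out uint _, IntPtr.Zero))
            throw new Win32Exception();
        return h;
    }

    // Step 3: lay out the header the article shows (DD.. SS.. PP) in front of the payload.
    public static byte[] BuildFrame(byte[] dst, byte[] src, ushort etherType, byte[] payload)
    {
        if (dst.Length != 6 || src.Length != 6) throw new ArgumentException("MAC addresses are 6 bytes");
        if (14 + payload.Length > MaxFrame) throw new ArgumentException("payload exceeds the 1500-byte MTU");
        byte[] frame = new byte[Math.Max(14 + payload.Length, MinFrame)];   // zero padding up to 60 bytes
        Buffer.BlockCopy(dst, 0, frame, 0, 6);
        Buffer.BlockCopy(src, 0, frame, 6, 6);
        frame[12] = (byte)(etherType >> 8);   // EtherType is big-endian on the wire
        frame[13] = (byte)etherType;
        Buffer.BlockCopy(payload, 0, frame, 14, payload.Length);
        return frame;
    }

    // Step 4: WriteFile hands the driver one complete frame; ReadFile returns one received frame.
    public static void Send(SafeFileHandle h, byte[] frame)
    {
        if (!WriteFile(h, frame, (uint)frame.Length, out uint written, IntPtr.Zero) || written != frame.Length)
            throw new Win32Exception();
    }

    public static byte[] Receive(SafeFileHandle h)
    {
        byte[] buf = new byte[MaxFrame];
        if (!ReadFile(h, buf, (uint)buf.Length, out uint got, IntPtr.Zero)) throw new Win32Exception();
        Array.Resize(ref buf, (int)got);   // one ReadFile == one frame with this driver
        return buf;
    }

    static string Mac(byte[] f, int off) => BitConverter.ToString(f, off, 6).Replace('-', ':');

    static void Main(string[] args)
    {
        // Constructed placeholders: the adapter GUID and both MACs are not real addresses.
        string adapter = args.Length > 0 ? args[0] : @"\DEVICE\{00000000-0000-0000-0000-000000000000}";
        byte[] dst = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };   // broadcast
        byte[] src = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };   // locally administered, i.e. not the NIC's own
        byte[] frame = BuildFrame(dst, src, 0x88B5, Encoding.ASCII.GetBytes("raw ethernet test"));

        using (SafeFileHandle h = Open(adapter))
        {
            Send(h, frame);   // only succeeds with the spoofed src because the send.c check was removed
            byte[] rx = Receive(h);
            ushort type = (ushort)((rx[12] << 8) | rx[13]);
            Console.WriteLine($"{rx.Length} bytes: {Mac(rx, 6)} -> {Mac(rx, 0)} type 0x{type:X4}");
        }
    }
}
```

Run it from an elevated prompt after "net start ndisprot", passing the adapter's \DEVICE\{GUID} name as the first argument, and watch the frame arrive with a sniffer on a second host. With the unmodified driver the Send call fails with STATUS_INVALID_PARAMETER (ERROR_INVALID_PARAMETER in user mode) because the source MAC is not the adapter's own; that failure is the spoofing check from send.c doing its job.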

You can use a packet sniffer (Ethereal, now Wireshark; Snoop; EtherPeek) on another host to verify that the raw frame is really going out on the network medium. The frame this application currently sends is a very simple data frame that serves no purpose other than to show the concept. It can easily be changed to carry a real packet, such as a ping or anything else that you can think of.

Running the Sample NDIS Driver

You can install the NDIS driver by opening your network adapter properties and clicking the "Install" button, selecting "Protocol", and then choosing "Have Disk". Browse to the .inf file and click "OK". This binds the protocol driver to every adapter in your system.

Important - Make sure that it is enabled, there should be a check in the box next to "Raw Packet NDIS Protocol Driver".

Important - Open a command prompt and type "net start ndisprot" to start the driver service.

Note - The beauty of having this driver is that you can disable every other protocol in the adapter's protocol list (e.g. Internet Protocol) and you will still be able to send and receive packets. Your machine will not even have an IP address, but because we are working at Layer 2, you don't need one. (The driver also works with all of the other protocols left enabled.)

RawEthernet Application

The zip file contains the source and compiled binary for the RawEthernet application. Once the driver is installed and enabled, simply run the EXE to see the packets being sent.


Comments:
miahrugger
2006-10-07 01:48:49
Forgot to mention, the NDIS Protocol Driver was built using the XP DDK, so it will work on XP and likely 2003. However, if you plan to use it on 2000, it might fail. It will have to be rebuilt using the 2000 DDK.
bb
2006-10-08 05:09:43
I'd love to elaborate on this subject as I think it's really interesting.

I did some work on a C# firewall which used a C++ NDIS driver just like you. Some of the stuff I was doing is in this article. I was using driver code I inherited from another project which was quite painful to work with. I was loading a list of IPs for which packets were to be dropped into the driver. The driver then notified the system when a packet was granted or dropped and the C# app was used to list the granted/dropped packets as they came flying past.

I keep meaning to resurrect the project - as it was mainly finished, it just needs a decent UI building and some tweaks to the driver.

One problem was a pain in the ass regarding the installer for the driver. I tried installing it programmatically and using the DDK installutil, and with both the driver never seemed to get installed right - it always required the user to manually do the steps you describe above to add the driver.... if anyone has any tips on that I'd love to hear them.
sefo
2006-10-08 07:02:35
Not sure if it will help in your case, but I developed a driver in asm and it's possible to register it using the Windows API:

invoke OpenSCManager, NULL, NULL, SC_MANAGER_ALL_ACCESS

If the function doesn't return null:

invoke GetFullPathName, $CTA0("drivername.sys"), sizeof acModulePath, addr acModulePath, esp

Then you can install the service

invoke CreateService, hSCManager, $CTA0("drivername"), $CTA0("OSIX challenge driver"), \
            SERVICE_START + SERVICE_STOP + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
            SERVICE_ERROR_IGNORE, addr acModulePath, NULL, NULL, NULL, NULL, NULL

If the function doesn't return NULL
start the service

invoke StartService, hService, 0, NULL

if return value is not 0


; the driver can receive I/O request packet (IRP) of type IRP_MJ_CREATE

invoke CreateFile, $CTA0("\\\\.\\driver name"), GENERIC_READ + GENERIC_WRITE, \
                                0, NULL, OPEN_EXISTING, 0, NULL

oh well, it's too long to explain and the textbox here is too small ;)
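The OpenSCManager / CreateService / StartService sequence sefo sketches above, written out as an added C# example (not sefo's driver code and not from the article's zip) so that it can sit next to the RawEthernet application. The service and display names are taken from the article's "net start ndisprot" step; the .sys path is a placeholder. One caveat the page's install steps imply: registering and starting the kernel service is only what "net start ndisprot" does for an already-installed driver. An NDIS protocol driver still needs its network-component binding, which the .inf install through the adapter properties dialog (INetCfg) performs, before it will attach to any adapter.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;

// Added example: registers a kernel driver as a demand-start service and starts it.
// This is the programmatic equivalent of "net start ndisprot"; it does not replace the .inf
// protocol binding done through the adapter properties dialog. Must run elevated.
static class DriverService
{
    const uint SC_MANAGER_ALL_ACCESS = 0xF003F;
    const uint SERVICE_START = 0x10, SERVICE_STOP = 0x20, DELETE = 0x10000;
    const uint SERVICE_KERNEL_DRIVER = 0x1, SERVICE_DEMAND_START = 0x3, SERVICE_ERROR_IGNORE = 0x0;
    const int ERROR_SERVICE_EXISTS = 1073, ERROR_SERVICE_ALREADY_RUNNING = 1056;

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr OpenSCManager(string machine, string database, uint access);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CreateService(IntPtr scm, string name, string display, uint access, uint type,
        uint start, uint errorControl, string path, string group, IntPtr tagId, string deps,
        string startName, string password);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr OpenService(IntPtr scm, string name, uint access);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool StartService(IntPtr svc, uint argc, IntPtr argv);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CloseServiceHandle(IntPtr h);

    public static void InstallAndStart(string serviceName, string displayName, string sysPath)
    {
        string fullPath = Path.GetFullPath(sysPath);   // SCM wants an absolute path to the .sys
        IntPtr scm = OpenSCManager(null, null, SC_MANAGER_ALL_ACCESS);
        if (scm == IntPtr.Zero) throw new Win32Exception();
        try
        {
            IntPtr svc = CreateService(scm, serviceName, displayName, SERVICE_START | SERVICE_STOP | DELETE,
                SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, fullPath,
                null, IntPtr.Zero, null, null, null);
            if (svc == IntPtr.Zero)
            {
                // Re-running the installer is fine: reuse the existing service instead of failing.
                if (Marshal.GetLastWin32Error() != ERROR_SERVICE_EXISTS) throw new Win32Exception();
                svc = OpenService(scm, serviceName, SERVICE_START);
                if (svc == IntPtr.Zero) throw new Win32Exception();
            }
            try
            {
                if (!StartService(svc, 0, IntPtr.Zero) &&
                    Marshal.GetLastWin32Error() != ERROR_SERVICE_ALREADY_RUNNING)
                    throw new Win32Exception();
            }
            finally { CloseServiceHandle(svc); }
        }
        finally { CloseServiceHandle(scm); }
    }

    static void Main(string[] args)
    {
        // "ndisprot.sys" is a placeholder path; the names match the article's driver.
        InstallAndStart("ndisprot", "Raw Packet NDIS Protocol Driver",
                        args.Length > 0 ? args[0] : "ndisprot.sys");
    }
}
```

If StartService fails with ERROR_SERVICE_DISABLED or the driver loads but never binds, the protocol component has not been installed through the .inf yet; do that step from the adapter properties dialog first and use this only to start and stop the service afterwards.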
miahrugger
2006-10-11 16:48:38
bb, I seem to remember a way to programatically install it, but I can't recall from the top of my head. I will look through my old stuff and see if I can find it for you...
Anonymous
2006-10-19 14:56:21
I also tried to play with this protocol driver and I didn't find the way to do a properties dialog box. Do you have any idea where to look for ?
Anonymous
2008-01-29 08:05:14
Hi,

I just wanna read raw Ethernet packets from my C program, and reached this article (which is excellent). Can someone please direct me to the place where I can find the source code mentioned in the "RawEthernet Application" section? [The zip file turned out to be empty]
Anonymous
2008-01-31 02:12:13
I am also having trouble reading raw Ethernet packets - I tried to find a way to do this from the properties dialog but could not.
tycho
2009-06-02 08:14:52
There is nothing in the zip file
CodeX
2009-10-25 17:36:29
Looks like the zip with the article has been lost to the perilous OSIDrive. If all you want to do is read the packets floating around, then you can use Wireshark.
Copyright Open Source Institute, 2006