Raw Ethernet Packet Manipulation - Part 1

Written by: miahrugger
Published by: Nightscript
Published on: 2006-10-06 15:56:35
The purpose of this article is to explain how to send a raw Ethernet packet using C# on a Microsoft platform. A raw Ethernet packet is the complete Layer 2 network frame that is sent to the physical wire. Sending a frame like this allows you to manipulate the target and source MAC addresses and the Layer 3 protocol fields.


You may be thinking, "Why would anyone want to do this?". Well, I was trying to create an application (using C#) that would make a typical Windows computer with 2 NICs act as a Layer 2 Network device. My goal was to listen for packets on a network interface and send the exact same packet out of the opposite interface, basically a packet repeater. To do this, I needed to be able to read a raw Ethernet packet (easy) and then write that same raw Ethernet packet (difficult). The sent packet needed to be exactly like the read packet, Ethernet header and all. I did a great deal of research online, and did not find a whole lot of info, just a few hints here and there.

The first problem was that Windows does not include a way to programmatically send a raw Ethernet packet. After some research, I realized that I needed to create an NDIS Protocol Driver (PassThru and Intermediate drivers will also work) to interface with the network adapters at a very low level. Luckily, the Windows Driver Development Kits (DDKs) included samples that would accomplish this for me. Great, the hard part is done, right... yeah, that is what I thought too. Now I had to interface with the driver from managed C# code.

Well, enough of the background.....on to the code.....

Part 1 - NDIS Protocol Driver

So, like I said, the DDK provides a suitable NDIS driver for sending raw packets. I compiled this, creating the .inf and .sys files for the driver (I have included the compiled driver, altered to fit my needs, in the attached zip file). After running a few tests, I found that I could:

1. Only receive packets destined for me and
2. I could only send packets with a source address of my adapter.

Well, this was not acceptable. I needed to receive any packets on my LAN segment, and send those same packets regardless of the source address. So after looking through the driver code, I figured out how to accomplish that.

To receive any packets, the driver had to be set to Promiscuous mode. The following code segment was what was altered to accomplish this.

// ndisprot.h
// line 177
// Add NDIS_PACKET_TYPE_PROMISCUOUS to support promiscuous mode reading

#define NPROT_PACKET_FILTER  (NDIS_PACKET_TYPE_DIRECTED|  \
                              NDIS_PACKET_TYPE_MULTICAST| \
                              NDIS_PACKET_TYPE_BROADCAST| \
                              NDIS_PACKET_TYPE_PROMISCUOUS) // **Added**

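To send packets regardless of their source address, the following code segment had to be commented out. This check is the sample driver's guard against user-mode applications sending frames with a spoofed source MAC address, so with it removed the driver accepts any source address from any process that can write to it.

// send.c
// line 136
// Comment out to support sending packets from any MAC source address

     // To prevent applications from sending packets with spoofed
     // mac address, we will do the following check to make sure the source
     // address in the packet is same as the current MAC address of the NIC.
     if ((pIrp->RequestorMode == UserMode) &&
          !NPROT_EQUAL_MEM(pEthHeader->SrcAddr,
          pOpenContext->CurrentAddress, NPROT_MAC_ADDR_LEN))
     {
            DEBUGP(DL_WARN, ("Write: Failing with invalid Source address"));
            NtStatus = STATUS_INVALID_PARAMETER;
            break;
     }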

Once those changes were made, the NDIS Driver performed perfectly for what I needed.

Part 2 - C# RawEthernet Application

The code for the RawEthernet application is commented fairly well, so I am not going to go into a lot of detail on the code here. I am just going to highlight the important steps in the code.

Writing information to a device driver is somewhat similar to writing to a file. We open the driver file by calling the CreateFile API. This returns a handle that we can use to write to and read from the driver. Next, we can bind the driver handle to a specific adapter by using the DeviceIoControl API. Binding the adapter lets us access the NDIS Driver on a specific network adapter. After all this, the writing is simple. We use the WriteFile API. The ReadFile API can be used in a similar manner to read incoming network data as well.

To send a packet, we have to create a byte representation of the packet that we want to send. The following shows the Ethernet header (the first 14 bytes of the packet) in byte format:

DD DD DD DD DD DD SS SS SS SS SS SS PP PP <data follows>

* D = Destination MAC Address
* S = Source MAC Address
* P = Next Layer Protocol (0800 = IP)
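
The header layout above, together with the source-address test from the send.c excerpt, as an added C example (not code from the article, its zip file or the DDK sample). It parses the 14-byte header out of a frame buffer and reports whether the source MAC matches the adapter, which is the comparison the unmodified driver makes before accepting a write. All function names, the sample MAC and the sample frame are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAC_LEN     6    /* bytes in a MAC address */
#define ETH_HDR_LEN 14   /* 6 destination + 6 source + 2 protocol */

struct eth_header {
    uint8_t  dst[MAC_LEN];
    uint8_t  src[MAC_LEN];
    uint16_t proto;      /* host byte order, e.g. 0x0800 for IP */
};

/* Constructed sample data: an adapter MAC and one frame sent from it. */
static const uint8_t SAMPLE_MAC[MAC_LEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
static const uint8_t SAMPLE_FRAME[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,   /* DD: broadcast destination */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* SS: source = SAMPLE_MAC */
    0x08, 0x00,                           /* PP: 0800 = IP */
    0xde, 0xad                            /* payload placeholder */
};

/* Parse the 14-byte header; returns 0 on success, -1 on a short frame. */
int eth_parse(const uint8_t *frame, size_t len, struct eth_header *out)
{
    if (frame == NULL || out == NULL || len < ETH_HDR_LEN)
        return -1;
    memcpy(out->dst, frame, MAC_LEN);
    memcpy(out->src, frame + MAC_LEN, MAC_LEN);
    /* The protocol field is big-endian on the wire. */
    out->proto = (uint16_t)((frame[12] << 8) | frame[13]);
    return 0;
}

/* The driver's guard as a predicate: 1 = source is this adapter,
 * 0 = source differs (the unmodified driver would reject the write),
 * -1 = malformed input. */
int eth_src_is_local(const uint8_t *frame, size_t len, const uint8_t *mac)
{
    struct eth_header h;
    if (mac == NULL || eth_parse(frame, len, &h) != 0)
        return -1;
    return memcmp(h.src, mac, MAC_LEN) == 0;
}

int main(void)
{
    return eth_src_is_local(SAMPLE_FRAME, sizeof SAMPLE_FRAME, SAMPLE_MAC) == 1 ? 0 : 1;
}
```

Run over captured frames on a segment, the same predicate separates frames that carry the capturing adapter's own address from everything else.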

You can use a packet sniffer (Ethereal, Snoop, EtherPeeks) to verify that you are sending a raw data packet on the network medium. The packet that this application currently sends is a very simple data packet that served no purpose other than to show the concept. This can easily be changed to reflect a real packet, such as a ping or anything else that you can think of.

Running the Sample NDIS Driver

You can install the NDIS Driver by opening your network adapter properties and clicking the "Install" button, selecting "Protocol", and then choosing "Have Disk". Then browse to the .inf file and click "OK". This will then load the driver onto every adapter that you have in your system.

Important - Make sure that it is enabled, there should be a check in the box next to "Raw Packet NDIS Protocol Driver".

Important - Open a command prompt and type "net start ndisprot" to start the driver service.

Note - The beauty of having this driver is that you can disable every other protocol in the Adapter's protocol list (i.e. Internet Protocol) and you will still be able to send and receive packets. Your machine will not even have an address, but because we are working at Layer 2, you don't need one. (This driver will work even if you keep all of the other protocols enabled)

RawEthernet Application

The zip file contains the source and compiled binary for the RawEthernet application. Once the driver is installed and enabled, simply run the EXE to see the packets being sent.


2006-10-07 01:48:49
Forgot to mention, the NDIS Protocol Driver was built using the XP DDK, so it will work on XP and likely 2003. However, if you plan to use it on 2000, it might fail. It will have to be rebuilt using the 2000 DDK.
2006-10-08 05:09:43
I'd love to elaborate on this subject as I think it's really interesting.

I did some work on a C# firewall which used a C++ NDIS driver just like you. Some of the stuff I was doing is in this article. I was using driver code I inherited from another project which was quite painful to work with. I was loading a list of IPs for which packets were to be dropped into the driver. The driver then notified the system when a packet was granted or dropped and the C# app was used to list the granted/dropped packets as they came flying past.

I keep meaning to resurrect the project - as it was mainly finished, it just needs a decent UI building and some tweaks with the driver.

One problem was a pain in the ass regarding the installer for the driver. I tried installing it programmatically and using the DDK installutil and with both the driver never seemed to get installed right - it always required the user to manually do the steps you describe above to add the driver.... if anyone has any tips on that I'd love to hear them.
2006-10-08 07:02:35
Not sure if it will help in your case but I developed a driver in asm and it's possible to register it using the Windows API:


If the function doesn't return null:

invoke GetFullPathName, $CTA0("drivername.sys"), sizeof acModulePath, addr acModulePath, esp

Then you can install the service

invoke CreateService, hSCManager, $CTA0("drivername"), $CTA0("OSIX challenge driver"), \
            SERVICE_ERROR_IGNORE, addr acModulePath, NULL, NULL, NULL, NULL, NULL

If the function doesn't return NULL
start the service

invoke StartService, hService, 0, NULL

if return value is not 0

; the driver can receive I/O request packet (IRP) of type IRP_MJ_CREATE

invoke CreateFile, $CTA0("\\\\.\\driver name"), GENERIC_READ + GENERIC_WRITE, \
                                0, NULL, OPEN_EXISTING, 0, NULL

Oh well, it's too long to explain and the textbox here is too small ;)
2006-10-11 16:48:38
bb, I seem to remember a way to programmatically install it, but I can't recall off the top of my head. I will look through my old stuff and see if I can find it for you...
2006-10-19 14:56:21
I also tried to play with this protocol driver and I didn't find the way to do a properties dialog box. Do you have any idea where to look?
2008-01-29 08:05:14

I just wanna read raw Ethernet packets from my C program, and reached this article (which is excellent). Can someone please direct me to the place where I can find the source code mentioned in this "RawEthernet Application" section? [The zip file turned out to be empty]
2008-01-31 02:12:13

I am also having trouble reading raw Ethernet packets - I tried to find a way to do this from the properties dialog but could not.
2009-06-02 08:14:52
There is nothing in the zip file
2009-10-25 17:36:29
Looks like the zip with the article has been lost to the perilous OSIDrive. If all you want to do is read the packets floating around then you can use Wireshark.