ndisapi.net
ndisapi.net copied to clipboard
wiresock
Filter table doesn't work
I cloned this repo to play with a demo Implemented a function to set up a filter table
private static unsafe void SetupFilterTable(NdisApi api) {
//api.ResetPacketFilterTable();
var table = api.CreateStaticFilterTable(256);
var udpOut = new STATIC_FILTER();
udpOut.m_Adapter = 0;
udpOut.m_ValidFields = STATIC_FILTER_FIELDS.NETWORK_LAYER_VALID | STATIC_FILTER_FIELDS.TRANSPORT_LAYER_VALID;
udpOut.m_FilterAction = FILTER_PACKET_ACTION.FILTER_PACKET_REDIRECT;
udpOut.m_dwDirectionFlags = PACKET_FLAG.PACKET_FLAG_ON_SEND;
udpOut.m_NetworkFilter.m_dwUnionSelector = FILTER_SELECT_FLAGS.IPV4;
udpOut.m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_FIELDS.IP_V4_FILTER_PROTOCOL;
udpOut.m_NetworkFilter.m_IPv4.m_Protocol = (byte) ProtocolType.Udp;
udpOut.m_TransportFilter.m_dwUnionSelector = FILTER_SELECT_FLAGS.TCPUDP;
udpOut.m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_FILTER_FIELDS.TCPUDP_DEST_PORT;
udpOut.m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 1234;
udpOut.m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 1234;
var udpIn = new STATIC_FILTER();
udpIn.m_Adapter = 0;
udpIn.m_ValidFields = STATIC_FILTER_FIELDS.NETWORK_LAYER_VALID | STATIC_FILTER_FIELDS.TRANSPORT_LAYER_VALID;
udpIn.m_FilterAction = FILTER_PACKET_ACTION.FILTER_PACKET_REDIRECT;
udpIn.m_dwDirectionFlags = PACKET_FLAG.PACKET_FLAG_ON_RECEIVE;
udpIn.m_NetworkFilter.m_dwUnionSelector = FILTER_SELECT_FLAGS.IPV4;
udpIn.m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_FIELDS.IP_V4_FILTER_PROTOCOL;
udpIn.m_NetworkFilter.m_IPv4.m_Protocol = (byte) ProtocolType.Udp;
udpIn.m_TransportFilter.m_dwUnionSelector = FILTER_SELECT_FLAGS.TCPUDP;
udpIn.m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_FILTER_FIELDS.TCPUDP_SRC_PORT;
udpIn.m_TransportFilter.m_TcpUdp.m_SourcePort.m_StartRange = 1234;
udpIn.m_TransportFilter.m_TcpUdp.m_SourcePort.m_EndRange = 1234;
var pass = new STATIC_FILTER();
pass.m_Adapter = 0;
pass.m_ValidFields = 0;
pass.m_FilterAction = FILTER_PACKET_ACTION.FILTER_PACKET_PASS;
pass.m_dwDirectionFlags = PACKET_FLAG.PACKET_FLAG_ON_SEND | PACKET_FLAG.PACKET_FLAG_ON_RECEIVE;
table->SetStaticFilters(new[] {
udpOut,
udpIn,
pass
});
api.SetPacketFilterTable(*table);
}
After running the following code I get to see the contents of the table with a debugger
var api = NdisApi.Open();
SetupFilterTable(api);
if (api.GetPacketFilterTable(out var table))
var filters = table.GetStaticFilters();
}
Debugger shows that the only correct static filter set up is the first one, other two have shifted/corrupted values
Am I doing something wrong or does this problem belong to ndisapi.net library?
I believe the issue stems from the STATIC_FILTER layout modifications made to support the ARM64 driver build. It seems ndisapi.net might not have been updated in line with these changes. I'll endeavor to allocate some time to address this.
I've reviewed the code and confirmed that all ABI changes (specifically the padding bytes in STATIC_FILTER_TABLE and TCPUDP_FILTER) introduced by version 3.4.0 for ARM64 platform compatibility have been integrated. Could you please verify which version of the Windows Packet Filter driver and ndisapi.dll you're using?
both are 3.4.3.1
driver - Windows.Packet.Filter.3.4.3.1.x64.msi dll - tools_bin_x64.zip got it from here
tried 3.4.0.1, looks like issue remains
btw one thing I noticed, when I removed 3.4.3.1 driver and installed 3.4.0.1, the ndisrd.sys file was still 3.4.3.1 so I had to remove it manually
What is the current version of ndisapi.dll? Be aware that using a driver version that relies on an older ndisapi.dll may lead to issues.