Trouble programming network access filter gateway

From: Sachs (
Date: 04/28/04


    I am programming a real-time network access filter gateway as a
    requirement of my course. The main purpose of the gateway is to block
    access to some black-listed websites (i.e. block some HTTP requests).

    I am using WinPCap 3.0 library and using VC++ 6.0 for development.
    WinPCap is good for developing network analysis tools, but there is
    one feature of the library which allows one to send raw packets to the
    network adapter (

    Now my pseudo code for capturing request packets goes like this

      open network adapter connected to internal network (e.g. LAN);
      capture all request packets;
      if tcp request
         if http request
           parse http header and get domain name;
           lookup the domain name in the blocked list;
           if blocked
             drop the request packet(s);
             send customized response back;
           else
             allow the request;
      send captured request packets to the network adapter connected to
        the external network (e.g. Internet);
      open network adapter connected to external network;
      capture all response packets;
      send captured responses to the adapter connected to the internal

    Now I am trying to capture packets from the internal network adapter
    using a filter expression
    ( in a
    promiscuous mode. The expression looks like "eth src xx:xx:xx:xx:xx:xx
    and eth dst yy:yy:yy:yy:yy:yy", where "xx:xx:....:xx" is MAC address
    of the adapter where the requests are coming from (e.g. router) and
    "yy:yy:...:yy" is MAC address of the adapter on the gateway connected
    to internal network. Similarly, I follow a similar filter expression
    for the response packet capturing.

    Now the main issue is I don't see any response coming from the
    external network even if I transfer all the captured packets from
    internal network adapter to the external network adapter. Do I have
    to change the MAC layer addresses when I transfer all the packets from
    internal network to the external network ?

    I will appreciate any guidelines or references to the similar

    Thank you.

    Sachin Shah
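
The "parse http header and get domain name" and "lookup the domain name in the blocked list" steps of the pseudocode above, as an added example in C that is not part of the original post. The function names and blocklist entries are hypothetical, and it assumes the request headers arrive in a single TCP payload (no stream reassembly). It goes slightly beyond the pseudocode by normalizing case, port suffix and trailing dot, and by matching subdomains on a label boundary, since a naive string compare misses those variants.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed blocklist for illustration (hypothetical domains). */
static const char *BLOCKED[] = { "blocked.example", "ads.example.net" };

#define LC(c) tolower((unsigned char)(c))
/* Copy the Host header value (lowercased, port and trailing dot stripped)
   out of a TCP payload that is not NUL-terminated. Returns 1 on success,
   0 if there is no Host header or it does not fit in out. */
int extract_host(const char *p, size_t len, char *out, size_t outlen)
{
    size_t i = 0, n;
    if (outlen == 0) return 0;
    while (i < len) {
        size_t eol = i;
        while (eol < len && p[eol] != '\n') eol++;
        if (eol == i || (eol == i + 1 && p[i] == '\r')) return 0; /* end of headers */
        if (eol - i > 5 && LC(p[i]) == 'h' && LC(p[i+1]) == 'o' &&
            LC(p[i+2]) == 's' && LC(p[i+3]) == 't' && p[i+4] == ':') {
            i += 5;
            while (i < eol && (p[i] == ' ' || p[i] == '\t')) i++;
            for (n = 0; i < eol; i++, n++) {
                char c = p[i];
                if (c == ':' || c == '\r' || c == ' ' || c == '\t') break;
                if (n + 1 >= outlen) return 0;      /* overlong: reject */
                out[n] = (char)LC(c);
            }
            while (n > 0 && out[n-1] == '.') n--;   /* "host." == "host" */
            out[n] = '\0';
            return n > 0;
        }
        i = eol + 1;
    }
    return 0;
}

/* 1 if host equals a blocklist entry or is a subdomain of one. */
int is_blocked(const char *host)
{
    size_t h = strlen(host), k, b;
    for (k = 0; k < sizeof BLOCKED / sizeof BLOCKED[0]; k++) {
        b = strlen(BLOCKED[k]);
        if (h >= b && strcmp(host + h - b, BLOCKED[k]) == 0 &&
            (h == b || host[h - b - 1] == '.'))
            return 1;
    }
    return 0;
}
```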
