Windows network packet modification

Question

I'm looking to write a small program which will intercept network packets (on the local machine) and modify them before they go out on the network. I need to be able to modify the headers as well, not just the data.

I've already looked through several possibilities but am unsure which one is best to pursue. There are open source packet filters out there, but filtering only seems to be able to either allow or reject packets, not much else.

The other solution would be to write an NDIS intermediate driver, but writing drivers is a beyond me. Even the simple pass-thru example in the WinDDK is thousands of lines. I'm also not looking forward to having to constantly reinstall a driver and reboot to test my code.

I'd ideally like the program to be self contained, and not rely on the installation of 3rd party drivers/software/whatever.

So if you people could point me in the right direction, throw some helpful links my way, whatever, I'd appreciate it.

Answer 1

IMHO, If you want to modify packets you'll need something to talk to the hardware, a driver of some kind. If you do not want to use your own, you should get a 3rd party driver to inter-operate with.

For filtering there's libraries like: winpcap or libpcap.

Also have a look here: http://www.ntkernel.com/w&p.php?id=7

Another link: http://bittwist.sourceforge.net/

Hope this helps!

Answer 2

winpcap is only able to filter packets with precompiled conditions. What you need is to write LSP-level network driver. You won't need to reboot every time you reinstall it, but it can really modify packets before they go out to the network. More info here: http://blogs.msdn.com/wndp/archive/2006/02/09/529031.aspx or here: http://www.microsoft.com/msj/0599/LayeredService/LayeredService.aspx

Answer 3

Depends what kind of packets do you want to filter/modify.

If you're after application-level filtering, and want to get your hands on HTTP or similar packets, your best bet would probably be an LSP. Note however, following this path has certain disadvantages. First MS seems to be trying to get rid of this technology, and IIRC a part of Windows 7 logo requirements is "no LSP in your product", they seem to be promoting the Windows Filtering Platform. Second, you'd be very surprised with how much trouble you're getting into in terms of 3rd party LSP compatibility. Third, a very dummy LSP is still around 2 KLOC :)

If you're after an IP level packet filtering you'd need to go for a driver.

Windows Filtering Platform provides you with functionality needed in either case. However, it's only available on Windows Vista and later products, so no XP there. Another thing to take into consideration, WFP was only capable of allow/reject packets in user-land, and if you need to modify them, you'd need to go kernel-mode. (At least that what the situation was at the time it appeared, maybe they've improved something by now).

Answer 4

I'm no expert but I'm looking to do something similar on my LAN. I want to intercept packets form one single fixed IP and modify them before they go to my router then out onto the internet. I also want to capture and modify the returning packets prior to allowing them through to my host. The method I had envisaged was something like this...

1. ARP poison the host and router so my sniffing machine was having all packets passed through it.
2. Analyse the packets that I will want to modify in future and look for unique characteristics to those packets so I can catch just them.
3. Write a macro/script that looked for said characteristic in real-time and then modified it on the fly before sending it on its' way.

I know Cain&Abel for Windows is able (haha) to ARP poison but I'm not sure if it can provide raw dump of packet contents. Wireshark is able to dump all but not sure if it can ARP poison so as just to get what I'm after, if not then I can easily connect the host I want to intercept to my sniffer machine via ethernet and then share the internet via the sniffer so that all packets will go through the sniffer machine anyway.

So step 1 can be accomplished, I don't know if said programs have the ability to filter based on specifics yet but I'm guessing they do.

That's as far as I am with it. Hope this is of help to someone and maybe someone else can take this further?