tags:

views:

48

answers:

1

What I have read so far, winPcap allows you to bypass OS and bypass application and transport layer processing for TCP and provides direct access to the link layer.

I am planning to use winpcap to do some user application stuff and not just sniffing. I will be receiving and sending critical information using pcap which I am currently doing via sockets.

Does bypassing OS, and according to my understanding application and transport layers on my side, involve any risks?

As a side question the winpcap documentation I have found so far talks about how to programatically implement it but does'nt tell in detail what it is bypassing and how does it do that. Any link to that will be helpful.

Also, I'd like to know if anyone is using winpcap for any purposes other than network sniffing for monitoring reasons and msn.

A: 

Sure, there are plenty of risks:

  • The OS won't know about your privately-managed TCP connections, so it won't know that the port(s) you've chosen is/are in use. This means that it might try to use the same port for another application's connection, leading to chaos.
  • The OS won't know about your privately-managed TCP connections, so unless you prevent it from seeing those packets, it will send RST packets to reset the apparently bogus connection.
  • Your application won't automatically be notified of changes to relevant OS-managed data, configured IP addresses and routing tables. You'll likely have to poll for updates.
  • Properly implementing the TCP protocol is non-trivial. Most implementations, even very well-used ones, had dormant bugs that weren't found for years. Not all the necessary information is in the RFCs, either; there are places where established practice differs from the documented behaviour, usually for good reason. There's also plenty of code in modern TCP stacks specifically to deal with historical buggy behaviour in other stacks, and replicating all that work isn't simple.
  • There's a substantial risk of bad interactions with third party network security software installed on the host, which will expect all TCP connections to be made via the OS.

It seems like a support nightmare to me.

caf
Thank you for a very detailed response.About point 3, the ip addresses and routing tables in production environment dont normally change dynamically while machine is running. or they can? As far as application is concerned, it just knows the destination ip and port which it includes in the byte array it sends out.ABout point 4, I dont plan to do the tcp implementation myself. I will be using winCap apis to set the fields and send the byte array and similarly use wincap for incoming byte stream and decode it. You think wincap apis may have serious risks?
bsobaid
@bsobaid: The available local IP addresses can change while the machine is running, as interfaces go up and down and DHCP leases are released and renewed. Routing tables can be very fluid if a dynamic routing protocol, eg. RIP, is in use. I don't believe WinPCAP fully implements TCP - you will have to handle things like initial sequence number selection, retransmissions, slow start, congestion control, window updates, window scaling, PMTU discovery and more yourself.
caf
so the most appropriate usage is packet sniffing. WinPcap is not well-suited for application data transfer. I wonder why there are c-sharp wrappers around it allowing data send in addition to data sniffing.
bsobaid
@bsobaid: It can be useful for some things, but not really for implementing a TCP connection. For example you could implement a protocol unsupported by the OS.
caf
I really wonder what is the purpose of this thenhttp://www.mirrorservice.org/sites/ftp.wiretapped.net/pub/security/packet-capture/winpcap/docs/docs_40_2/html/group__wpcap__tut8.html
bsobaid