none
Setting SIO_RCVALL option for windows kernel socket RRS feed

  • Question

  • I am developing a kernel driver to capture icmp router advertisement message. Following are the steps :

    1. Create a raw socket using WskSocket: CreateSocket(AF_INET, SOCK_RAW, IPPROTO_IP, WSK_FLAG_DATAGRAM_SOCKET);

    2. Bind it to a specific interface and port 0

    3. Invoke Receive from

    I read online that for raw sockets to sniff all IP packets we need to set IOCTL SIO_RCVALL. However I didn't find an equivalent option in Winsock Kernel. From NetMon I see the icmp packet reaching the VM (Windows Hyper V VM), however the driver isn't able to intercept. The driver is able to receive udp packets. One more observation,  the destination Ethernet for the packets received by the driver is FF-FF-FF-FF-FF-FF.  The icmp packets received by NetMon have well defined Ethernet destination.

    a. Kindly let me know if additional steps are needed to make raw sockets sniff all ip packets in kernel mode.

    b. Would NDIS Protocol Drivers be an easier way to go forward?

    I was able to establish icmp communication using raw sockets in user mode (Winsock) and I have replicated exact same steps.

    Sunday, January 17, 2016 5:44 PM

All replies

  • Do you want only to receive these packets or modify/drop? A protocol cannot do the latter.

    --pa

    Sunday, January 17, 2016 6:15 PM