Vista drops packets with incorrect source IP address

  • Question

  • I have a Windows socket application that receives data from a network device. The network device sends UDP packets with source IP 0.10.0.0. My application works in XP but not in Vista. How can I disable the filtering mechanism so that the packet appears at the application layer? I see the packets in Wireshark. Any help is greatly appreciated.

    Thanks

    Thursday, May 28, 2009 4:23 PM

Answers

  • By the sound of it, the stack is dropping the packet. 0.x.x.x is not generally considered a valid subnet. Can you check to see if the drop occurs with Windows Firewall disabled (or with the BFE Service stopped [note doing this may open the machine to malicious attacks, so do so at your own risk])?

    Most network sniffing software sits at the lowest layer (NDIS), so it will see all traffic that enters the interface, and all traffic that actually leaves the interface. If the packet has come in, NDIS only makes determinations for valid packets based off of the MAC headers. Then it gets passed to the IP protocol stack. The IP stack will then perform further validation of the packet. Depending on what validation fails, you may see an ICMP error generated and sent back out the interface. In other cases the stack will just discard the packet.

    In your sniff do you see any outbound ICMP errors? You can also enable auditing and tracing to help determine what is happening.

    Hope this helps.


    Dusty Harper [MSFT]
    Friday, May 29, 2009 11:22 AM
    Moderator
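
The source-address validation described in the answer can be reproduced offline on bytes exported from a capture. This is an added example, not part of the original thread and not Microsoft's code: it parses an IPv4/UDP header and flags sources that RFC 1122 section 3.2.1.3 tells a receiving host to discard. The range list, function names and sample packets are assumptions made for illustration.

```python
import struct
from ipaddress import ip_address, ip_network

# Source ranges a receiving host should reject (RFC 1122 section 3.2.1.3).
# Illustrative list, an assumption here; not the Windows stack's own table.
# Note: 0.0.0.0 itself is legal only as a bootstrap (e.g. DHCP) source.
INVALID_SOURCE_NETS = [
    (ip_network("0.0.0.0/8"), "'this network' range 0.x.x.x"),
    (ip_network("127.0.0.0/8"), "loopback seen on the wire"),
    (ip_network("224.0.0.0/4"), "multicast used as source"),
    (ip_network("255.255.255.255/32"), "broadcast used as source"),
]


def parse_ipv4_udp(packet: bytes) -> dict:
    """Parse raw bytes that start at the IPv4 header; add UDP ports if present."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    info = {"src": ip_address(src), "dst": ip_address(dst), "proto": proto}
    if proto == 17 and len(packet) >= ihl + 8:  # protocol 17 = UDP
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info


def source_drop_reason(packet: bytes):
    """Return why the source address is invalid for a receiver, else None."""
    src = parse_ipv4_udp(packet)["src"]
    for net, reason in INVALID_SOURCE_NETS:
        if src in net:
            return f"{src}: {reason}"
    return None


def build_sample(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build constructed IPv4/UDP bytes for testing (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return ip + udp


if __name__ == "__main__":
    for s in ("0.10.0.0", "192.168.1.50"):  # constructed sample sources
        pkt = build_sample(s, "192.168.1.10", 5000, 5000, b"data")
        print(s, "->", source_drop_reason(pkt) or "source looks valid")
```

A packet flagged here can still appear in a sniffer, since the capture point sits below the IP layer where this validation happens.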