Problem reinjecting a modified packet in outbound transport layer

  • Question

  • I've modified a ping packet with the following procedure (in transport outbound layer):

    1. Used NdisRetreatNetBufferDataStart on original NBL with delta equal to IP packet header size plus new option (timestamp) size.

    2. Cloned NBL.

    3. Used NdisAdvanceNetBufferDataStart to restore original NBL offset.

    4. Used NdisAdvanceNetBufferDataStart on cloned NBL with delta of an IP packet header size.

    5. Called FwpsConstructIpHeaderForTransportPacket0 with headerIncludeHeaderSize set to 0 to create IP packet header.

    6. Used NdisGetDataBuffer to get pointer to the beginning of the header, added timestamp option, and corrected header size and total packet size.

    7. Used FwpsConstructIpHeaderForTransportPacket0 a second time but with headerIncludeHeaderSize set to the new header size (to fix checksums).

    8. Called FwpsInjectTransportSendAsync0 - with or without sendArgs.

    When I call FwpsInjectTransportSendAsync0 with sendArgs set to null, the packet is sent to the loopback interface instead of going out, and I'm getting a reply from it. If I call FwpsInjectTransportSendAsync0 with sendArgs containing the remote address, the injection inserts another IP header in front of the header I've created, corrupting my packet.

    Any idea what I am doing wrong?


    Freddy

    Friday, April 20, 2012 6:19 PM

Answers

  • I think I've solved it by myself. It seems that FwpsInjectTransportSendAsync0 cannot inject non-error ICMP packets. I moved my capture to outbound IPPACKET layer and everything works.

    Freddy

    Friday, April 20, 2012 9:19 PM
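
The header edit from step 6 of the question (add the timestamp option, correct header size and total packet size) together with the checksum fix of step 7, shown on a plain byte buffer as an added example. It is not code from the thread and makes no WFP or NDIS calls; the function names, the one-slot option layout and the sample packet are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: 20-byte IPv4 header (checksum left 0) + 8-byte ICMP echo header. */
static uint8_t sample_pkt[64] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    192, 0, 2, 1,  192, 0, 2, 2,
    0x08, 0x00, 0xf7, 0xff, 0x00, 0x00, 0x00, 0x00 };

/* RFC 1071 Internet checksum over an IPv4 header (hlen is always even). */
static uint16_t ip_checksum(const uint8_t *hdr, size_t hlen) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += (uint32_t)(hdr[i] << 8 | hdr[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Insert a Timestamp option (type 68, flag 0) with `slots` empty 32-bit entries
 * after the existing header. Returns the new packet length, or -1 on error. */
static int ipv4_insert_ts_option(uint8_t *pkt, size_t len, size_t cap, unsigned slots) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    size_t opt_len = 4 + 4 * (size_t)slots;
    size_t total = (size_t)(pkt[2] << 8 | pkt[3]);
    if (hlen < 20 || hlen > len || total != len) return -1;
    /* IHL is a 4-bit word count, so header plus options cannot exceed 60 bytes. */
    if (slots == 0 || slots > 9 || hlen + opt_len > 60 || len + opt_len > cap) return -1;

    memmove(pkt + hlen + opt_len, pkt + hlen, len - hlen);  /* shift payload down */
    memset(pkt + hlen, 0, opt_len);    /* also sets overflow count 0, flag 0 */
    pkt[hlen] = 68;                    /* option type: Internet Timestamp */
    pkt[hlen + 1] = (uint8_t)opt_len;  /* option length in bytes */
    pkt[hlen + 2] = 5;                 /* pointer to first free slot (1-based) */
    hlen += opt_len; len += opt_len;
    pkt[0] = (uint8_t)(0x40 | hlen / 4);                    /* corrected header size */
    pkt[2] = (uint8_t)(len >> 8); pkt[3] = (uint8_t)len;    /* corrected total size */
    pkt[10] = pkt[11] = 0;             /* checksum is computed with the field zeroed */
    uint16_t ck = ip_checksum(pkt, hlen);
    pkt[10] = (uint8_t)(ck >> 8); pkt[11] = (uint8_t)ck;
    return (int)len;
}

int main(void) {
    int n = ipv4_insert_ts_option(sample_pkt, 28, sizeof sample_pkt, 1);
    printf("len %d, IHL %u, verify %u\n", n, sample_pkt[0] & 0x0fu, ip_checksum(sample_pkt, 28));
    return n == 36 ? 0 : 1;
}
```

Recomputing the checksum over a header that already carries a valid checksum yields 0, which is the check a receiver performs.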