SHARKFEST '09 | Stanford University | June 15–18, 2009 WinPcap Dos and Donts Wednesday, June 17 th, 2009 Gianluca Varenni Senior Software Engineer | CACE.

WinPcap Dos and Don'ts
Wednesday, June 17th, 2009
Gianluca Varenni, Senior Software Engineer, CACE Technologies, Inc., WinPcap Product Manager

Agenda
– Dos and Don'ts
– Tips and tricks
– Open discussion/questions

Dos and Don'ts

Packet reception
Do NOT keep the packet pointers received from
– pcap_next_ex
– pcap_loop
– pcap_dispatch
– pcap_next
in your own data structures. They are valid only until the next call to pcap_next_ex. Copy the packet data if you need it beyond that.

Packet dissection
Packets can be truncated.
– Be careful when dissecting packets: check boundaries against the captured length.
– If you receive a 30-byte IP packet, the IP header is truncated! (14 bytes of Ethernet header leave only 16 bytes for a 20-byte IP header.)
Do NOT assume that headers have a fixed length!
– The IP header is 20 bytes only when there are no options.
– Compute the header length properly, from the header itself.
[Figure: Ethernet header (14 bytes) | IP header (20 bytes) | IP options (0 or more bytes) | L4 protocol]
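Added example, not from the slides: a bounds-checked IPv4 header locator in C that applies both rules above. Every field access is checked against the captured length (with the pcap API that is pkthdr->caplen, not pkthdr->len), and the header length is read from the IHL nibble so options are accounted for. The sample frame is constructed here for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample frame (not from the slides): Ethernet + IPv4 with one
 * 4-byte option (IHL = 6, header = 24 bytes) + an 8-byte UDP header. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x46,0x00, 0x00,0x20, 0x00,0x01, 0x00,0x00, 0x40, 0x11, 0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x01,0x01,0x00,0x00,                      /* options: NOP, NOP, EOL, pad */
    0x04,0xd2,0x00,0x35,0x00,0x08,0x00,0x00   /* UDP 1234 -> 53, length 8 */
};

#define ETH_HLEN      14
#define ETHERTYPE_IP  0x0800
#define IP_MIN_HLEN   20
/* Offset of the layer-4 header inside an Ethernet frame, or -1 if the frame
 * is not IPv4, malformed, or truncated within caplen. Every access is checked
 * against caplen (captured length), never the on-wire length. */
int ipv4_l4_offset(const uint8_t *pkt, size_t caplen, uint8_t *proto)
{
    if (caplen < ETH_HLEN)
        return -1;                                 /* Ethernet header cut off */
    if (((pkt[12] << 8) | pkt[13]) != ETHERTYPE_IP)
        return -1;                                 /* not plain IPv4 (ARP, VLAN, ...) */
    if (caplen < ETH_HLEN + IP_MIN_HLEN)
        return -1;                                 /* the "30-byte packet" case */
    const uint8_t *ip = pkt + ETH_HLEN;
    if ((ip[0] >> 4) != 4)
        return -1;                                 /* version nibble must be 4 */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;       /* header length incl. options */
    if (ihl < IP_MIN_HLEN || caplen < ETH_HLEN + ihl)
        return -1;                                 /* bad IHL, or options truncated */
    size_t total_len = (size_t)((ip[2] << 8) | ip[3]);
    if (total_len < ihl)
        return -1;                                 /* total length shorter than header */
    if (proto)
        *proto = ip[9];
    return (int)(ETH_HLEN + ihl);
}

int main(void)
{
    printf("L4 offset: %d (full frame), %d (caplen 30)\n",
           ipv4_l4_offset(sample_frame, sizeof sample_frame, NULL),
           ipv4_l4_offset(sample_frame, 30, NULL));
    return 0;
}
```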

Data link types
Do NOT assume that the link type is Ethernet (DLT_EN10MB). Check the link type with pcap_datalink.
In the case of wireless (AirPcap), there are three possible encapsulations:
– Bare (no meta-information)
– Per-Packet Information (PPI)
– Radiotap

Packet API
Do NOT use it.
– It is no longer documented (documenting it was a mistake).
– It can change between releases.
Do NOT access the npf.sys driver directly.
– Its IOCTLs change over time.
Use the pcap API.

WinPcap installation
Do NOT create your own custom WinPcap installer.
– It works most of the time on Windows XP x86. What about Vista x64 or NT4?
– It corrupts any existing installation.
– Debugging installation issues is a major pain.
Solutions
– The official WinPcap installer.
– WinPcap Professional.

WinPcap and services
You can use WinPcap in a service. You MUST call WinPcap functions only after you have notified the SCM that the service is started. Alternatively, add nm and npf as service dependencies with ChangeServiceConfig when installing the service.

    VOID ServiceStart(DWORD dwArgc, LPTSTR *lpszArgv)
    {
        //
        // perform any initialization here
        // DO NOT CALL WINPCAP HERE
        //
        SetServiceStatus(... SERVICE_RUNNING ...);
        //
        // Service is now running, perform work until shutdown
        // Start using WinPcap here
        //
    }

Kernel buffers
Do NOT use large kernel buffers.
– The kernel buffer is a cache for traffic spikes or application processing slowdowns.
– Kernel memory is a precious resource.
4-8 MB is OK in most cases (even at 1 Gbps). Optimize your processing code!

Tips and tricks

Multiple devices support
You can open the same device multiple times
– Within the same process.
– From the same or different threads.
– Each instance uses its own capture buffer and filter.
– Packets are replicated among instances.
Be careful with pcap_compile. It is not thread safe (as of WinPcap 4.1beta5).
– Future versions will fix the issue.
– Use a critical section to protect the calls to pcap_compile.

Dumping to disk
Disks are generally slow. Dumping all packets to disk without losses is not trivial on high-speed links.
Solutions
– Dump just the first n bytes of each packet (snaplen).
– Filter packets.
– Dedicated disks (not partitions!).
– RAID 0 (striping).

Use pcap_next_ex
Why? It is much easier to use, especially to stop a capture.
Do not use pcap_loop / pcap_dispatch / pcap_next
– They are less immediate to use.
pcap_next_ex is blocking
– It respects the timeout set in pcap_open_live.

Timestamps
They are generated in software, after
1. The packet has been received by the NIC
2. The NIC has notified the OS about available packets (interrupt coalescing)
3. The NIC driver has processed the packet and notified NDIS about the packet
The precision is on the order of tens of microseconds in the best case. Do not rely on timestamps for critical measurements.

Responsiveness vs. performance
Packets are delivered to the application when the read timeout elapses or when at least mintocopy bytes are in the kernel driver buffer (whichever comes first).
Small read timeouts can affect performance.
Small mintocopy values can affect performance.
Do you really need to get the packets as soon as they arrive?

Devpack samples
Use them as a reference for
– Header files to include (or not)
– LIB files
– How to open/close an adapter or capture packets from it

GUI applications
The UI needs to stay responsive while capturing. Use a separate thread to capture (or inject) packets. Use messages for inter-thread communication.
– SendMessage
– PostMessage
Do NOT touch the UI from the capture thread!

Wireless capture
Most adapters (excluding AirPcap) do not support promiscuous/monitor mode
– It is a limit of the hardware/NIC driver
– It is not a limit of WinPcap
– Bug in WinPcap: it does not detect the lack of promiscuous support. Fixed in the 4.1 betas.
Fake Ethernet frames: no management/control frames, no headers.
Vista native Wi-Fi drivers? Not really.

Privileges to run WinPcap
Pretty weak security model.
Admin privileges are needed to
– Install WinPcap
– Start the driver at each reboot
Change the driver start type to SERVICE_AUTO_START to have the driver started at boot time.
Once the driver is running, any standard (non-admin) user can capture/inject packets.

WinPcap and .NET
You need to create your own wrapper, or use an existing one
– No official wrappers
– No support for 3rd-party ones
Marshalling packet contents (without copies) is not trivial.
Some APIs (e.g. pcap_findalldevs) are not .NET friendly.
Use managed C++ to create your wrapper.

Questions?