Discussion:
Mac address
Mandy
2010-05-14 18:59:18 UTC
Sorry for the odd question but I have some basic misunderstanding with
socket communication.
When I use my dial-up communication (using a modem) I see with the sniffer
some MAC address that is different from the one of the network card.
Where does it come from and why is there a difference?
Regards
Mandy
Tom Handal
2010-05-15 19:58:39 UTC
On May 14, 11:59 am, "Mandy" <***@mirk.com> wrote:
> Sorry for the odd question but I have some basic misunderstanding with
> socket communication.
> When I use my dial-up communication (using a modem) I see with the sniffer
> some MAC address that is different from the one of the network card.
> Where does it come from and why is there a difference?
> Regards
> Mandy

I'm not sure exactly what you are seeing (would be helpful to see the
packet capture) but most likely you are using Point-to-Point Protocol
over Ethernet (PPPoE) and I would read about it here:
http://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet

Maybe it will give you an understanding of what you are seeing.

Regards
Tom Handal
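
To illustrate the PPPoE framing Tom points to, here is an added example (not code from any poster in this thread) that parses a PPPoE session frame and separates the Ethernet MAC addresses of the hop carrying PPPoE from the PPP payload inside it. The sample frame, its MAC addresses and session ID, and the names `pppoe_info` and `parse_pppoe_session` are constructed for illustration; the parser assumes an uncompressed 2-byte PPP protocol field.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETHERTYPE_PPPOE_SESSION 0x8864   /* 0x8863 is the discovery stage */

struct pppoe_info {
    uint8_t dst[6], src[6];    /* MACs of the Ethernet hop that carries PPPoE */
    uint16_t session_id;
    uint16_t ppp_proto;        /* 0x0021 = IPv4 inside PPP */
    const uint8_t *payload;    /* first byte after the PPP protocol field */
    size_t payload_len;
};

/* Constructed sample: Ethernet + PPPoE session + PPP + minimal IPv4 header. */
static const uint8_t sample_frame[] = {
    0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x88,0x64,
    0x11,0x00, 0x12,0x34, 0x00,0x16,             /* ver/type, code, session, length=22 */
    0x00,0x21,                                   /* PPP protocol: IPv4 */
    0x45,0x00,0x00,0x14,0x00,0x00,0x00,0x00,0x40,0x01,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02     /* 192.0.2.1 -> 192.0.2.2 */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if f is not a well-formed PPPoE session frame.
   Assumes the 2-byte (uncompressed) PPP protocol field. */
int parse_pppoe_session(const uint8_t *f, size_t len, struct pppoe_info *out)
{
    if (len < 14 + 6 + 2) return -1;                 /* Ethernet + PPPoE + PPP proto */
    if (be16(f + 12) != ETHERTYPE_PPPOE_SESSION) return -1;
    const uint8_t *p = f + 14;
    if (p[0] != 0x11 || p[1] != 0x00) return -1;     /* ver 1, type 1, code 0 */
    uint16_t plen = be16(p + 4);                     /* PPP proto + payload bytes */
    if (plen < 2 || (size_t)plen > len - 20) return -1; /* must fit captured bytes */
    for (int i = 0; i < 6; i++) { out->dst[i] = f[i]; out->src[i] = f[6 + i]; }
    out->session_id = be16(p + 2);
    out->ppp_proto = be16(p + 6);
    out->payload = p + 8;
    out->payload_len = (size_t)plen - 2;
    return 0;
}

int main(void)
{
    struct pppoe_info i;
    if (parse_pppoe_session(sample_frame, sizeof sample_frame, &i) != 0) return 1;
    printf("src MAC ends :%02x, session 0x%04x, PPP proto 0x%04x, payload %zu bytes\n",
           i.src[5], i.session_id, i.ppp_proto, i.payload_len);
    return 0;
}
```

The payload length is taken from the PPPoE length field rather than the capture length, so Ethernet padding on short frames is not mistaken for PPP data.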
Mandy
2010-05-15 22:07:29 UTC
Thanks Tom,
I followed your advice and as a result I really feel that I understand more
about this stuff, but still I have some questions...
My final goal is to capture packets from my dial-up DSL modem with WinPcap
and then to transmit them to another node across the Internet. I could do it
across LAN using the Ethernet connection but the support regarding capturing
and transmitting on dial-up is very poor (with WinPcap).
So what I ask is whether you think that it is possible to use the Ethernet
connection instead of the dial-up connection (with Wireshark I see that the
packets are similar on both connections).
Thanks in advance
Mandy

Tom Handal
2010-05-20 18:12:59 UTC
On May 15, 3:07 pm, "Mandy" <***@mirk.com> wrote:
> Thanks Tom,
> I followed your advice and as a result I really feel that I understand more
> about this stuff, but still I have some questions...
> My final goal is to capture packets from my dial-up DSL modem with WinPcap
> and then to transmit them to another node across the Internet. I could do it
> across LAN using the Ethernet connection but the support regarding capturing
> and transmitting on dial-up is very poor (with WinPcap).
> So what I ask is whether you think that it is possible to use the Ethernet
> connection instead of the dial-up connection (with Wireshark I see that the
> packets are similar on both connections).
> Thanks in advance
> Mandy

Interesting project. If you want to do this just for yourself, you
could probably do it fairly easily using a Layered Service Provider
(LSP) in Windows. Check out this link: http://en.wikipedia.org/wiki/Layered_Service_Provider

You can write one for yourself and use it to snoop the data from the
TCP/UDP packets and re-transmit or do what you want with them. If
you REALLY want to have fun, you can write an NDIS driver (which is
what WinPcap is)... but that is very involved and probably overkill
for what you want :-). LSP is much simpler and should accomplish
your objective.

Just beware, some anti-virus/rootkit detecting software flags LSPs
because they are used a lot by malicious software.

Regards
Tom Handal
m
2010-05-22 20:40:09 UTC
WinPcap is an NDIS protocol driver. Protocol drivers are bound to
interfaces (in your case a dialup interface) and receive ALL packets
arriving on the interface and can send packets out on the interface. You
should expect these packets to include header information specific to the
interface that they have been received on and since MAC is immaterial to
point-to-point protocols your results are unsurprising.

I expect that the goal you want to achieve is to create a network bridge -
something built into Windows. If your goal is to build a tunneling bridge
(i.e. forward traffic to a specific remote host via another protocol like
UDP), then WinPcap + winsock could work for you but the performance will be
poor at best because of the latency of UM-KM transitions & the IP stack
overhead. If you want better performance, an NDIS protocol driver + KM
sockets would be a reasonable solution, but is a multi-man-year project and
not for the faint of heart.

Vishal Swarankar
2010-05-24 07:25:01 UTC
On May 23, 1:40 am, "m" <***@b.c> wrote:
> WinPcap is an NDIS protocol driver.  Protocol drivers are bound to
> interfaces (in your case a dialup interface) and receive ALL packets
> arriving on the interface and can send packets out on the interface.  You
> should expect these packets to include header information specific to the
> interface that they have been received on and since MAC is immaterial to
> point-to-point protocols your results are unsurprising.
>
> I expect that the goal you want to achieve is to create a network bridge -
> something built into Windows.  If your goal is to build a tunneling bridge
> (i.e. forward traffic to a specific remote host via another protocol like
> UDP), then WinPcap + winsock could work for you but the performance will be
> poor at best because of the latency of UM-KM transitions & the IP stack
> overhead.  If you want better performance, an NDIS protocol driver + KM
> sockets would be a reasonable solution, but is a multi-man-year project and
> not for the faint of heart.

LSP can't be used for re-transmitting as this is lying in parallel to
TCP/IP stack. It's below WinSock layer, so it can't behave like a
WinSock app, as well as it can't behave like a miniport driver for
sending packets on interface.
You can write a TDI client for yourself or an NDIS IM driver. Check out
if WFP provides support for a similar thing, but that would be Vista &
above only.

thnx.
Tom Handal
2010-05-28 06:01:44 UTC
On May 24, 12:25 am, Vishal Swarankar <***@gmail.com>
wrote:
> LSP can't be used for re-transmitting as this is lying in parallel to
> TCP/IP stack. It's below WinSock layer, so it can't behave like a
> WinSock app, as well as it can't behave like a miniport driver for
> sending packets on interface.
> You can write a TDI client for yourself or an NDIS IM driver. Check out
> if WFP provides support for a similar thing, but that would be Vista &
> above only.
>
> thnx.

True, but I was thinking maybe he could write an LSP (as it is easier
than TDI or NDIS) and use some sort of IPC to send this to a service
to transmit. I am not sure if he wants to re-transmit packet-for-packet,
or just send the data somewhere? Just sending the data is
easier. If not, he will have to use something like WinPcap to send
the packets using pcap_open and pcap_sendpacket.

Tom