Vishal,
Thanks for your reply. I am sure I am doing something wrong at my end.
Thanks for the clarification. I will again try exactly as you
mentioned.
sarshah
On Mar 25, 4:48 pm, Vishal Swarnkar gmail.com> wrote:
> On Mar 20, 10:53 pm, sarsha...@yahoo.com wrote:
>
>> I tried the following things:
>
>> 1- I did not stop the DNS Client service and installed the LSP.
>> Rebooted the machine and used ping to send the DNS request. Did not
>> log anything.
>
>> 2- I stopped the DNS Client service and installed the LSP. Did not
>> restart the machine and used ping to generate a DNS request. The DNS
>> request was intercepted and logged to file.
>
>> Could it be a difference of some settings on my machine or what?
>
>> sarshah
>
>> On Mar 18, 1:31 pm, Vishal Swarnkar gmail.com> wrote:
>
>>> On Mar 18, 12:26 pm, "Volodymyr M. Shcherbyna"
>
>>> online.mvps.org> wrote:
>>>> If you simply reboot machine, does the LSP intercept data?
>
>>>> --
>>>> V.
>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>> rights.
>>>> yahoo.com> wrote in message
>
>>>> news:ed693aa6-f4c3-4c20-8abb-fd88876d0320@d4g2000prg.googlegroups.com...
>>>> Guys, thanks for your responses. Here is what I found out. The problem
>>>> completely goes away if I do the following: stop the DNS Client from the
>>>> Services list, install the LSP, and now I am getting DNS data in
>>>> WSPSendTo. I had logging enabled in WSPSend, WSPSendTo and
>>>> WSPSendDisconnect, but if I do not stop the DNS Client service and then
>>>> install the LSP, DNS data is not intercepted, not even in WSPSendTo. Any
>>>> thoughts on this?
>
>>>> On Mar 15, 11:13 am, Vishal Swarnkar gmail.com>
>>>> wrote:
>
>>>>> On Mar 15, 11:10 am, Vishal Swarnkar gmail.com>
>>>>> wrote:
>
>>>>>> On Mar 15, 2:18 am, "Volodymyr M. Shcherbyna"
>
>>>>>> online.mvps.org> wrote:
>>>>>>> What you can do is download TdiMon or TdiScope and look at the output
>>>>>>> when making a DNS request. If the "application" is "System", then, for
>>>>>>> sure, the requests are generated in a KM system thread.
>
>>>>>>> --
>>>>>>> V.
>>>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>>>> rights.
>>>>>>> "Volodymyr M. Shcherbyna" online.mvps.org> wrote in
>>>>>>> message news:OGDUXKbhIHA.3352@TK2MSFTNGP04.phx.gbl...
>
>>>>>>>> I have not verified this issue, but my assumption is that DNS traffic
>>>>>>>> goes via TDI providers and all operations are done in kernel mode.
>>>>>>>> Consider ways of traffic interception at kernel mode. For 2k, XP and
>>>>>>>> Vista, a TDI filter may be enough.
>
>>>>>>>> --
>>>>>>>> V.
>>>>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>>>>> rights.
>>>>>>>> yahoo.com> wrote in message
>>>>>>>> news:6f9e9de9-606d-416b-bb5b-61576969f22e@s12g2000prg.googlegroups.com...
>>>>>>>> Hi again,
>
>>>>>>>> I have done a few additional things since yesterday to find out the
>>>>>>>> issue.
>
>>>>>>>> I have restarted the system after installing the LSP. I did it
>>>>>>>> because an LSP, when installed, is only effective for those processes
>>>>>>>> that are executed after the LSP installation. So if I want to intercept
>>>>>>>> network calls by processes that are already running (like different
>>>>>>>> services or some other user process) then I would have to restart the
>>>>>>>> system. Still, DNS queries are undetectable.
>
>>>>>>>> In order to verify if an LSP can intercept any UDP traffic, I tried to
>>>>>>>> connect from the machine where the LSP is installed to a TFTP server on
>>>>>>>> a remote machine (on the LAN). The connection was successful and the LSP
>>>>>>>> intercepts the data sent over UDP (UDP data dumped in the log file and
>>>>>>>> compared with the network traffic to verify). From this, I am
>>>>>>>> suspecting that DNS queries are not sent by a process operating at
>>>>>>>> user level. I am not sure if this statement is entirely correct.
>
>>>>>>>> So far no one has responded to the post. If all the details in the
>>>>>>>> first post have created ambiguity and I have failed to convey my
>>>>>>>> question, then let's just forget about all the details about what I
>>>>>>>> did or did not do and help me find the answer to the following question:
>
>>>>>>>> Can an LSP be used to intercept DNS queries? Or can DNS queries not be
>>>>>>>> intercepted (by an LSP) at user level? (The LSP operates at user level.)
>
>>>>>>>> Responses by some of the guys really helped me in one of my posts
>>>>>>>> related to LSPs. If you guys are listening out there........ Please
>>>>>>>> help me.
>
>>>>>>>> sarshah.
>
>>>>>>>> On Mar 12, 10:04 pm, sarsha...@yahoo.com wrote:
>>>>>>>>> Hi All,
>
>>>>>>>>> I was looking (again :)) at the LSP code that comes with the Platform
>>>>>>>>> SDK which I downloaded a couple of months ago. I just wanted to see if
>>>>>>>>> an LSP traps DNS requests, so I modified the WSPSend function by only
>>>>>>>>> adding the code to dump to a file any data that is passed in the
>>>>>>>>> LPWSABUF lpBuffers param. Before doing something that would send a
>>>>>>>>> DNS query, I started Ethereal to see any traffic being sent on the
>>>>>>>>> wire. After that, I started a web browser window and accessed a URL
>>>>>>>>> (it's not in the cache). I found out that WSPSend did not print any
>>>>>>>>> data sent on UDP even though a DNS request could be seen on the wire
>>>>>>>>> (WSPSend does get called multiple times though). The same code prints
>>>>>>>>> data sent on TCP (like HTTP traffic of the page I opened). I have
>>>>>>>>> debugged the LSP DLL to see if I am doing something wrong while
>>>>>>>>> dumping data to a file, but the contents of the buffers (being sent
>>>>>>>>> as parameters) match the dumped data. The observation that I made is
>>>>>>>>> that every time WSPSend is called for UDP data, it shows the length
>>>>>>>>> of the buffer (LPWSABUF.len) as just one byte and the contents
>>>>>>>>> (LPWSABUF.buf) as 21 hex (!).
>
>>>>>>>>> I have also logged whenever calls to other send functions such as
>>>>>>>>> WSPSendTo and WSPSendDisconnect are made, but for accessing a URL
>>>>>>>>> (and the DNS query sent as a result), only WSPSend is called (and I
>>>>>>>>> am perfectly OK with that). Since these functions were never being
>>>>>>>>> called, I did not bother logging the data being passed as their
>>>>>>>>> parameters.
>
>>>>>>>>> So my question is: can an LSP be used to trap DNS requests? If yes,
>>>>>>>>> then how can it be done, and any idea on why I am seeing the
>>>>>>>>> aforementioned behavior?
>
>>>>>>>>> The OS is Windows XP SP2 and I have installed the LSP in two
>>>>>>>>> different ways using the following commands:
>
>>>>>>>>> - instlsp -i -a -n "MyLSP"
>>>>>>>>> - instlsp -i -o 1001 -o 1002 -n "MyLSP"
>
>>>>>>>>> Thank you for your help,
>
>>>>>>>>> sarshah.
>
>
>>>>>> Sorry for the late reply Sarshah, didn't see your message before.
>
>>>>>> First, to answer your question:
>
>>>>>>>> Can an LSP be used to intercept DNS queries? Or can DNS queries not be
>>>>>>>> intercepted (by an LSP) at user level? (The LSP operates at user level.)
>
>>>>>> Of course you can intercept DNS queries in an LSP; there is no need to go
>>>>>> to kernel level if your problem is just to intercept DNS queries.
>
>>>>>> You are very right to confirm that DNS runs over UDP. DNS primarily
>>>>>> uses UDP on port 53 to serve requests. Almost all DNS queries consist
>>>>>> of a single UDP request from the client followed by a single UDP reply
>>>>>> from the server. TCP comes into play only when the response data size
>>>>>> exceeds 512 bytes, or for such tasks as zone transfer. Well, I believe
>>>>>> you don't need to handle the second task as this will hardly come into
>>>>>> the picture, and zone transfer will be in case of IPv6 only. I believe
>>>>>> you are building your program for Windows users only, so TCP can be
>>>>>> skipped for now. To add to this, DNS queries run over TCP for a few OSes
>>>>>> like HP-UX.
>
>>>>>> Well, focusing on UDP for now -->>
>>>>>> Sarshah, you are making a mistake when you say you are logging inside
>>>>>> WSPSend. WSPSend is meant to work with connected sockets only, which
>>>>>> means TCP. To intercept UDP traffic you need to implement the WSPSendTo
>>>>>> function.
>
>>>>>> As you said, you verified that you are intercepting UDP using TFTP. I
>>>>>> know TFTP uses UDP on port 69, but I am not sure what the calls are that
>>>>>> you saw in your log. Did you see WSPSendTo logs using TFTP? If not, verify
>>>>>> that you are returning WSPSendTo in the proc table in the WSPStartup
>>>>>> function, meaning you are implementing it.
>
>>>>>> You can check for a DNS query inside the WSPSendTo function by making a
>>>>>> check like:
>
>>>>>> if (remote_port == 53 && protocol_type == SOCK_DGRAM) // DNS client
>
>>>>>> Be sure that you are logging all data; I am not sure at which moment
>>>>>> IE makes a DNS query.
>
>
>>>>> I just verified this: I can get DNS calls by making the above check in
>>>>> WSPSendTo.
>
>
>
>>> I install the LSP simply and immediately go for the logs, and I can see
>>> DNS queries being intercepted. Yes, but I launch IE after installing the
>>> LSP so that my LSP gets loaded properly.
>>> IE is making DNS queries, so they get intercepted by the LSP. If you want
>>> to intercept every query by the DNS Client, then yes, you need a reboot or
>>> restart of your service so that it loads your LSP. In short, only
>>> those applications which start after installation of your LSP will load
>>> your LSP. (Don't get confused with winlogon and lsass.exe because they
>>> are system-critical processes and I don't know how they keep on
>>> refreshing the things.)
>
>
>
> No difference in settings at all.
>
> As I mentioned to you before, only those applications will load your
> LSP which are started after your LSP's installation. Applications
> which are running before your LSP installation will NOT load your LSP
> (again, remember the difference for critical system processes like
> winlogon.exe etc.).
>
> So if your service is running and you install the LSP, your service will
> NOT load your LSP.
>
> If you stop your service, install the LSP and then start the service, which
> means you are STARTING the application AFTER your LSP installation, it
> will now load the LSP successfully.
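The port-53/SOCK_DGRAM check Vishal describes, with a question-section parser added so the log line records the queried name rather than raw bytes, as an added example in portable C. It is not code from the thread or from the Platform SDK LSP sample. It assumes the LSP records each socket's type when WSPSocket is called and passes that in together with WSPSendTo's lpTo/iToLen arguments and the buf/len of the first lpBuffers entry; the sockaddr layouts match Winsock's, but the headers used are the POSIX ones so it builds and runs off Windows (on Windows they come from winsock2.h/ws2tcpip.h). The query bytes are constructed for the example.

```c
/* Added example (not code from the thread or the Platform SDK LSP sample):
 * the WSPSendTo check discussed above, plus a parser that pulls the queried
 * name out of the datagram so the log line is useful. Written portably; on
 * Windows the socket headers come from <winsock2.h>/<ws2tcpip.h> instead. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define DNS_PORT       53
#define DNS_HEADER_LEN 12

/* The thread's check: an outbound datagram whose destination port is 53.
 * In the LSP this is called from WSPSendTo with its lpTo/iToLen arguments;
 * the socket type is assumed to have been recorded per socket in WSPSocket. */
int is_dns_query_send(int socktype, const struct sockaddr *to, int tolen)
{
    if (socktype != SOCK_DGRAM || to == NULL)
        return 0;
    if (to->sa_family == AF_INET && tolen >= (int)sizeof(struct sockaddr_in))
        return ntohs(((const struct sockaddr_in *)to)->sin_port) == DNS_PORT;
    if (to->sa_family == AF_INET6 && tolen >= (int)sizeof(struct sockaddr_in6))
        return ntohs(((const struct sockaddr_in6 *)to)->sin6_port) == DNS_PORT;
    return 0;
}

/* Extract the first question's QNAME (RFC 1035 section 4.1.2) as a dotted
 * name and return its QTYPE, or -1 if the message is a response, truncated,
 * or uses a compression pointer in the question (a well-formed query never
 * does). Every label length is checked against `len` before it is copied. */
int dns_first_question(const unsigned char *msg, size_t len,
                       char *name, size_t namelen)
{
    if (len < DNS_HEADER_LEN || namelen == 0)
        return -1;
    uint16_t flags   = (uint16_t)((msg[2] << 8) | msg[3]);
    uint16_t qdcount = (uint16_t)((msg[4] << 8) | msg[5]);
    if ((flags & 0x8000) || qdcount == 0)    /* QR=1 means a response */
        return -1;

    size_t pos = DNS_HEADER_LEN, out = 0;
    for (;;) {
        if (pos >= len)
            return -1;
        unsigned char lab = msg[pos++];
        if (lab == 0)
            break;                           /* root label ends the name */
        if (lab & 0xC0)
            return -1;                       /* compression pointer */
        if (pos + lab > len || out + lab + 2 > namelen)
            return -1;                       /* overruns message or name buffer */
        if (out)
            name[out++] = '.';
        memcpy(name + out, msg + pos, lab);
        out += lab;
        pos += lab;
    }
    name[out] = '\0';
    if (pos + 4 > len)                       /* QTYPE and QCLASS must follow */
        return -1;
    return (msg[pos] << 8) | msg[pos + 1];
}

/* Constructed sample: a standard query (RD set) for www.example.com, type A. */
static const unsigned char SAMPLE_QUERY[] = {
    0x1a, 0x2b,                   /* ID */
    0x01, 0x00,                   /* flags: QR=0, RD=1 */
    0x00, 0x01,                   /* QDCOUNT = 1 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01,                   /* QTYPE  = A */
    0x00, 0x01                    /* QCLASS = IN */
};

int main(void)
{
    struct sockaddr_in to;
    memset(&to, 0, sizeof to);
    to.sin_family = AF_INET;
    to.sin_port   = htons(DNS_PORT);
    inet_pton(AF_INET, "192.0.2.53", &to.sin_addr);   /* documentation address */

    char name[256];
    if (is_dns_query_send(SOCK_DGRAM, (struct sockaddr *)&to, sizeof to)) {
        int qtype = dns_first_question(SAMPLE_QUERY, sizeof SAMPLE_QUERY,
                                       name, sizeof name);
        printf("DNS query to port 53: name=%s qtype=%d\n", name, qtype);
    }
    return 0;
}
```

Two points from the thread carry over into how this is used. The check belongs in WSPSendTo, not WSPSend, because the resolver sends its queries as datagrams with an explicit destination; and the hook only observes processes that started after the LSP was installed, so on XP the DNS Client service has to be restarted (or the machine rebooted) before its queries show up, exactly as the thread found.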