Re: Intercepting DNS Queries Using LSP
Group: comp.os.mswindows.programmer.networks · Group Profile
Author: sarshah20
Date: Mar 20, 2008 10:53

I tried the following things:

1- I did not stop the DNS Client service and installed the LSP.
Rebooted the machine and used ping to send the DNS request. Did not
log anything.

2- I stopped the DNS Client service and installed the LSP. Did not
restart the machine and used ping to generate DNS request. DNS request
was intercepted and logged to file.

Could it be a difference of some settings on my machine or what?

sarshah

On Mar 18, 1:31 pm, Vishal Swarnkar wrote:
> On Mar 18, 12:26 pm, "Volodymyr M. Shcherbyna" wrote:
>> If you simply reboot the machine, does the LSP intercept data?
>
>> --
>> V.
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> sarsha...@yahoo.com wrote in message
>> news:ed693aa6-f4c3-4c20-8abb-fd88876d0320@d4g2000prg.googlegroups.com...
>> Guys, thanks for your responses. Here is what I found out. The problem
>> completely goes away if I do the following: stop the DNS Client from the
>> Services list, install the LSP, and now I am getting DNS data in
>> WSPSendTo. I had logging enabled in WSPSend, WSPSendTo and
>> WSPSendDisconnect, but if I do not stop the DNS Client service and then
>> install the LSP, DNS data is not intercepted, not even in WSPSendTo. Any
>> thoughts on this?
>
>> On Mar 15, 11:13 am, Vishal Swarnkar wrote:
>
>>> On Mar 15, 11:10 am, Vishal Swarnkar wrote:
>
>>>> On Mar 15, 2:18 am, "Volodymyr M. Shcherbyna" wrote:
>>>>> What you can do is to download TdiMon or TdiScope and look at the
>>>>> output when making a DNS request. If the "application" is "System",
>>>>> then, for sure, the requests are generated in a km system thread.
>
>>>>> --
>>>>> V.
>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>> rights.
>>>>> "Volodymyr M. Shcherbyna" wrote in
>>>>> message news:OGDUXKbhIHA.3352@TK2MSFTNGP04.phx.gbl...
>
>>>>>> I have not verified this issue, but my assumption is that DNS traffic
>>>>>> goes via TDI providers and all operations are done in Kernel Mode.
>>>>>> Consider ways of traffic interception at kernel mode. For 2k and XP
>>>>>> and Vista, a TDI filter may be enough.
>
>>>>>> --
>>>>>> V.
>>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>>> rights.
>>>>>> sarsha...@yahoo.com wrote in message
>>>>>> news:6f9e9de9-606d-416b-bb5b-61576969f22e@s12g2000prg.googlegroups.com...
>>>>>> Hi again,
>
>>>>>> I have done a few additional things since yesterday to find out the
>>>>>> issue.
>
>>>>>> I have restarted the system after installing the LSP. I did it
>>>>>> because an LSP, when installed, is only effective for those processes
>>>>>> that are executed after the LSP installation. So if I want to
>>>>>> intercept network calls by processes that are already running (like
>>>>>> different services or some other user process) then I would have to
>>>>>> restart the system. Still, DNS queries are undetectable.
>
>>>>>> In order to verify if an LSP can intercept any UDP traffic, I tried to
>>>>>> connect from the machine where the LSP is installed to a TFTP server
>>>>>> on a remote machine (on the LAN). The connection was successful and
>>>>>> the LSP intercepts the data sent over UDP (UDP data dumped in the log
>>>>>> file and compared with the network traffic to verify). From this, I am
>>>>>> suspecting that DNS queries are not sent by a process operating at
>>>>>> user level. I am not sure if this statement is entirely correct.
>
>>>>>> So far no one has responded to the post. If all the details in the
>>>>>> first post have created ambiguity and I have failed to convey my
>>>>>> question, then let's just forget about all the details about what I
>>>>>> did or did not do and help me find the answer to the following
>>>>>> question:
>
>>>>>> Can an LSP be used to intercept DNS queries? Or can DNS queries not be
>>>>>> intercepted (by an LSP) at user level? (An LSP operates at user level.)
>
>>>>>> Responses by some of the guys really helped me in one of my posts
>>>>>> related to LSP. If you guys are listening out there........ please
>>>>>> help me.
>
>>>>>> sarshah.
>
>>>>>> On Mar 12, 10:04 pm, sarsha...@yahoo.com wrote:
>>>>>>> Hi All,
>
>>>>>>> I was looking (again :)) at the LSP code that comes with the Platform
>>>>>>> SDK which I downloaded a couple of months ago. I just wanted to see if
>>>>>>> an LSP traps DNS requests, so I modified the WSPSend function by only
>>>>>>> adding the code to dump to a file any data that is passed in the
>>>>>>> LPWSABUF lpBuffers param. Before doing something that would send a
>>>>>>> DNS query, I started Ethereal to see any traffic being sent on the
>>>>>>> wire. After that, I started a web browser window and accessed a URL
>>>>>>> (it's not in the cache). I found out that WSPSend did not print any
>>>>>>> data sent on UDP even though a DNS request could be seen on the wire
>>>>>>> (WSPSend does get called, though, multiple times). The same code
>>>>>>> prints data sent on TCP (like the HTTP traffic of the page I opened).
>>>>>>> I have debugged the LSP DLL to see if I am doing something wrong while
>>>>>>> dumping data to a file, but the contents of the buffers (being sent
>>>>>>> as parameters) match the dumped data. The observation that I made is
>>>>>>> that every time WSPSend is called for UDP data, it shows the length
>>>>>>> of the buffer (LPWSABUF.len) as just one byte and the contents
>>>>>>> (LPWSABUF.buf) as 21 hex (!).
>
>>>>>>> I have also logged whenever calls to other send functions such as
>>>>>>> WSPSendTo and WSPSendDisconnect are made, but for accessing a URL
>>>>>>> (and the DNS query sent as a result), only WSPSend is called (and I
>>>>>>> am perfectly OK with that). Since these functions were never being
>>>>>>> called, I did not bother logging the data being passed as their
>>>>>>> parameters.
>
>>>>>>> So my question is: can an LSP be used to trap DNS requests? If yes,
>>>>>>> then how can it be done, and any idea on why I am seeing the
>>>>>>> aforementioned behavior?
>
>>>>>>> The OS is Windows XP SP2 and I have installed the LSP in two
>>>>>>> different ways using the following commands:
>
>>>>>>> - instlsp -i -a -n "MyLSP"
>>>>>>> - instlsp -i -o 1001 -o 1002 -n "MyLSP"
>
>>>>>>> Thank you for your help,
>
>>>>>>> sarshah.
>
>>>> Sorry for the late reply Sarshah, didn't see your message before.
>
>>>> First, to answer your question:
>
>>>>>> Can an LSP be used to intercept DNS queries? Or can DNS queries not be
>>>>>> intercepted (by an LSP) at user level? (An LSP operates at user level.)
>
>>>> Of course you can intercept DNS queries in an LSP; there is no need to go
>>>> to kernel level if your problem is just to intercept DNS queries.
>
>>>> You are very right to confirm that DNS runs over UDP. DNS primarily
>>>> uses UDP on port 53 to serve requests. Almost all DNS queries consist
>>>> of a single UDP request from the client followed by a single UDP reply
>>>> from the server. TCP comes into play only when the response data size
>>>> exceeds 512 bytes, or for such tasks as zone transfer. Well, I believe
>>>> you don't need to handle the second task as this will hardly come into
>>>> the picture, and zone transfer will be in the case of IPv6 only. I
>>>> believe you are building your program for Windows users only, so TCP can
>>>> be skipped for now. ?? To add, DNS queries run over TCP for a few OSes
>>>> like HP-UX.
>
>>>> Well, focusing on UDP for now -->>
>>>> Sarshah, you are making a mistake when you say you are logging inside
>>>> WSPSend. WSPSend is meant to work with connected sockets only, that
>>>> means TCP. To intercept UDP traffic you need to implement the WSPSendTo
>>>> function.
>
>>>> As you said, you verified that you are intercepting UDP using TFTP. I
>>>> know TFTP uses UDP on port 69, but I am not sure what the calls are that
>>>> you saw in your log. Did you see WSPSendTo logs using TFTP? If not, verify
>>>> that you are returning WSPSendTo in the proctable in the WSPStartup
>>>> function, meaning you are implementing it.
>
>>>> You can check for a DNS query inside the WSPSendTo function by making
>>>> this check:
>
>>>> if (remote_port == 53 && protocol_type == SOCK_DGRAM) // DNS client
>
>>>> Be sure that you are logging all data, I am not sure at which moment
>>>> IE makes a DNS query.
>
>>> I just verified this, I can get DNS calls by making the above check in
>>> WSPSendTo.
>
> I install the LSP simply and immediately go for the logs, and I can see DNS
> queries being intercepted. Yeah, but I launch IE after installing the LSP so
> that my LSP should get loaded properly.
> IE is making DNS queries, so they get intercepted by the LSP. If you want
> to intercept every query by the DNS Client, then yes, you need a reboot or
> a restart of your service so that it loads your LSP. In short, only
> those applications which start after installation of your LSP will load
> your LSP. (Don't get confused with winlogon and lsass.exe because they
> are system critical processes and I don't know how they keep on
> refreshing the things.)
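The port-53/SOCK_DGRAM check Vishal suggests, followed by the logging of the actual query name that the thread is after, as an added example that is not code from the thread or from the Platform SDK LSP sample. It is portable C, so the socket type and destination port are passed in as plain values instead of being read from WSPSendTo's lpTo and getsockopt(SO_TYPE); is_dns_client_traffic, dns_query_name, log_if_dns and the sample packet are all constructed here, and the parser rejects buffers like the one-byte 0x21 sarshah saw, since they are not DNS queries.

```c
/* Portable C: on Windows the WSPSendTo hook would take dest_port from
 * ntohs(lpTo->sin_port) and socktype from getsockopt(s, SOL_SOCKET, SO_TYPE). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SOCK_DGRAM_VALUE 2  /* SOCK_DGRAM is 2 on both Winsock and POSIX */
#define DNS_PORT 53
#define DNS_HDR_LEN 12
/* The check from the thread: datagram traffic to remote port 53. */
int is_dns_client_traffic(int socktype, uint16_t dest_port)
{
    return socktype == SOCK_DGRAM_VALUE && dest_port == DNS_PORT;
}
/* Copy the first question name of a DNS query into out; return its QTYPE
 * (1 = A, 28 = AAAA) or -1 if the buffer is not a well-formed query.
 * Compression pointers are rejected: a client's question never uses them. */
int dns_query_name(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    if (len < DNS_HDR_LEN || outlen == 0) return -1;
    if ((buf[2] & 0x80) || (buf[4] == 0 && buf[5] == 0)) return -1; /* response, or QDCOUNT 0 */
    size_t pos = DNS_HDR_LEN, o = 0;
    for (;;) {
        if (pos >= len) return -1;
        uint8_t lab = buf[pos++];
        if (lab == 0) break;                       /* root label ends the name */
        if (lab & 0xC0) return -1;                 /* compression pointer */
        if (pos + lab > len || o + lab + 1 >= outlen) return -1;
        if (o > 0) out[o++] = '.';
        memcpy(out + o, buf + pos, lab);
        o += lab; pos += lab;
    }
    out[o] = '\0';
    if (pos + 4 > len) return -1;                  /* QTYPE, QCLASS missing */
    return (buf[pos] << 8) | buf[pos + 1];
}
/* Constructed sample: an A query for example.com, as a resolver hands it to sendto(). */
static const uint8_t sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0x00, 0x01, 0x00, 0x01 };
/* Per-call hook logic: log DNS queries (returns 1), pass all else through (0). */
int log_if_dns(int socktype, uint16_t port, const uint8_t *buf, size_t len)
{
    char name[256];
    if (!is_dns_client_traffic(socktype, port)) return 0;
    int qtype = dns_query_name(buf, len, name, sizeof name);
    if (qtype < 0) return 0;
    printf("DNS query: %s (qtype %d)\n", name, qtype);
    return 1;
}
int main(void) { return !log_if_dns(SOCK_DGRAM_VALUE, DNS_PORT, sample_query, sizeof sample_query); }
```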