
Firewall blocking packets


Respected sir/ma'am

We are developing our major project in our college on "Designing detection and defense mechanism against DDoS attacks". We have come up with the following problem: our software is not detecting (sniffing) the Ethernet packets when Windows Firewall is activated, whereas Wireshark detects them. Can you help us with the problem?

Expecting your reply as soon as possible.

Thank you.

asked 24 Jan '16, 00:53


Shubham Agarwal

edited 24 Jan '16, 06:45

sindy


One Answer:


To answer your basic question:

Wireshark's capturing engine, WinPcap in the case of Windows, gets access to incoming packets before the Windows firewall, which itself gets access to them before any application software.

While WinPcap does not affect the packets, it just saves a copy of them, the Windows firewall is able to block them before they can reach the application software.

So to make your software see all incoming packets:

  • the most straightforward way is to disable the Windows firewall completely so that you could concentrate on the development of the software's core functionality, and use some external firewall if you need to expose the development machine to the internet at some stage of project development,

  • the more complex way is to learn how to hook your software into the network stack at some point "closer to the wire" than the Windows firewall is hooked, or to use WinPcap as the network-facing part of your application, as you say that you only need to sniff the packets (i.e. you don't need to manipulate them).

I would like to hear more about the "defense mechanism" part, though.

answered 24 Jan '16, 03:13

sindy

edited 24 Jan '16, 03:28


A little side-note: sometimes, even WinPcap can't capture everything. There are numerous questions on this Q&A site where it turned out that personal firewalls, anti-virus or other security software prevented capturing at least some incoming packets.

(24 Jan '16, 03:48) Jasper ♦♦

Respected Sir/Ma'am, thank you for your valuable reply.

Regarding our defense module, we need to just drop the packets that we detect as malicious. Now the problem in this part is how we can actually drop or dump a packet once it is received, or how we can actually hook our application before the firewall so that we can then use the Windows Firewall as a filter.

Thank You.

(28 Jan '16, 11:04) Shubham Agarwal

That is another topic which has nothing to do with Wireshark. You need to familiarize yourself with the Windows network APIs, I guess.

(28 Jan '16, 11:13) Jasper ♦♦

That is what I was afraid of:

drop the packets that we detect as malicious

we can then use the windows firewall as a filter

Leaving aside what kind of hooking into the kernel you'd have to use, which is definitely outside the scope of this site as @Jasper has pointed out, have you ever thought through what a DDoS attack actually means?

As you've mentioned a Windows machine I assume your Ethernet card's maximum bitrate is 1 Gbit/s. As an attacker, I can easily take a battle unit of 2000 zombies (someone else's computers which I or someone else have previously infected with malware and thus made it possible for me to execute tasks on them remotely, without the owner noticing at least for some time) and make each of them send a packet flow of 500 kbit/s to your server.

This way, I will clog the full bandwidth of your server's Ethernet card, so the requests from real clients of your server application will hardly squeeze between the tons of the malicious ones. Therefore, your solution running at the target server may be dropping the packets from source IPs it has identified as malicious ones, but most of your clients will not be served anyway as most of their requests will not ever reach your server.

(28 Jan '16, 19:32) sindy
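The point sindy makes in the last comment, worked through as an added example (not code from the thread or from the project the question describes): a constructed one-second capture with the thread's own figures (2000 zombies at 500 kbit/s each against a 1 Gbit/s link, plus ten legitimate clients, all addresses synthetic), a per-source rate detector of the kind the project describes, and a separate accounting of what the saturated link delivers whatever the host drops. The function names and the 1250-byte packet size are assumptions made for the example.

```python
from collections import defaultdict

LINK_CAPACITY_BPS = 1_000_000_000  # 1 Gbit/s NIC, the figure used in the thread
PACKET_BYTES = 1250                # constructed: one packet carries 10 kbit


def build_flood(n_zombies, zombie_bps, n_clients, client_bps, window_s=1.0):
    """Constructed capture of (timestamp_s, src_ip, length_bytes) tuples.

    Every source sends at a constant rate for one window. Addresses are
    synthetic: zombies in 10.0.0.0/8, legitimate clients in 192.0.2.0/24."""
    packets = []

    def emit(src, bps):
        n = int(bps * window_s / 8 / PACKET_BYTES)
        packets.extend((window_s * i / n, src, PACKET_BYTES) for i in range(n))

    for z in range(n_zombies):
        emit(f"10.{(z >> 16) & 255}.{(z >> 8) & 255}.{z & 255}", zombie_bps)
    for c in range(n_clients):
        emit(f"192.0.2.{c + 1}", client_bps)
    return packets


def per_source_bps(packets, window_s=1.0):
    """Bits per second seen from each source address over the window."""
    bits = defaultdict(int)
    for _, src, length in packets:
        bits[src] += length * 8
    return {src: b / window_s for src, b in bits.items()}


def flag_sources(rates, threshold_bps):
    """Host-side detection: sources sustaining more than threshold_bps."""
    return {src for src, bps in rates.items() if bps > threshold_bps}


def link_outcome(rates, flagged, capacity_bps=LINK_CAPACITY_BPS):
    """Separate what the host drops from what the link can deliver.

    Bits the host drops have already crossed the link. Once offered load
    exceeds capacity, the upstream hop drops blindly, so legitimate
    traffic arrives only in proportion to its share of the load."""
    offered = sum(rates.values())
    legit = sum(bps for src, bps in rates.items() if src not in flagged)
    fraction = min(1.0, capacity_bps / offered) if offered else 1.0
    return {
        "offered_bps": offered,
        "dropped_by_host_bps": sum(rates[s] for s in flagged),
        "legit_delivered_bps": legit * fraction,
        "legit_delivered_fraction": fraction,
    }
```

The detector flags every zombie and no client, yet `legit_delivered_fraction` is identical whether or not the host drops the flagged sources: the filter only saves server CPU, while the link itself decides how many legitimate requests arrive.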