WinPcap Dos&Donts

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Dt5 varenni win_pcapdosdonts

  1. WinPcap Do's and Don'ts
     Wednesday, June 17th, 2009
     Gianluca Varenni
     Senior Software Engineer | CACE Technologies, Inc.
     WinPcap Product Manager
     gianluca.varenni@cacetech.com
     SHARKFEST'09
     Stanford University
     June 15-18, 2009
  2. Agenda
     Do's and Don'ts
     Tips and tricks
     Open discussion/questions
  3. Do's and Don'ts
  4. Packet reception
     Do NOT keep the packet pointers received from
       pcap_next_ex
       pcap_loop
       pcap_dispatch
       pcap_next
     in your own data structures.
     They are valid only up to the next call to pcap_next_ex.
     Copy the packets if needed.
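The copy that slide 4 asks for, as an added C example that is not from the slides: the packet header and the captured bytes are duplicated into memory the application owns, so they survive the next pcap_next_ex call. The header struct mirrors libpcap's pcap_pkthdr layout (an assumption, made so the code builds without pcap.h); with WinPcap you would pass the real pcap_pkthdr.

```c
/* Added example, not from the slides: copy a packet out of the buffer that
 * pcap_next_ex hands back, so the copy outlives the next call. pkthdr_view
 * mirrors libpcap's pcap_pkthdr layout (assumption) to build without pcap.h. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>

struct pkthdr_view { struct timeval ts; uint32_t caplen; uint32_t len; };

struct pkt_copy {
    struct pkthdr_view hdr;
    uint8_t *data;             /* owned, hdr.caplen bytes */
};

/* Deep-copy the header and the caplen bytes actually captured (len may be
 * larger than what is in the buffer, so it must never drive the memcpy). */
struct pkt_copy *pkt_copy_new(const struct pkthdr_view *h, const uint8_t *d)
{
    struct pkt_copy *c = malloc(sizeof *c);
    if (!c) return NULL;
    c->data = malloc(h->caplen ? h->caplen : 1);
    if (!c->data) { free(c); return NULL; }
    c->hdr = *h;
    memcpy(c->data, d, h->caplen);
    return c;
}

void pkt_copy_free(struct pkt_copy *c)
{
    if (c) { free(c->data); free(c); }
}

/* Simulates the driver reusing its buffer on the next pcap_next_ex call:
 * returns 1 when the copy is still intact afterwards. */
int demo_copy_survives(void)
{
    uint8_t buf[16] = "packet-one-demo";            /* constructed sample */
    struct pkthdr_view h = { {0, 0}, sizeof buf, 1500 };
    struct pkt_copy *c = pkt_copy_new(&h, buf);
    if (!c) return 0;
    memset(buf, 0xAA, sizeof buf);                  /* buffer overwritten */
    int ok = memcmp(c->data, "packet-one-demo", 16) == 0 && c->hdr.caplen == 16;
    pkt_copy_free(c);
    return ok;
}
```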
  5. Packet dissection
     Packets can be truncated.
     Be savvy when dissecting packets, check boundaries.
     If you receive a 30-byte IP packet, the IP header is truncated!
     Do NOT assume that the headers have a fixed length!
     The IP header is 20 bytes when there are no options.
     Compute the header length properly.
     Layout: Ethernet header (14 bytes) | IP header (20 bytes) | IP options (0 or more bytes) | L4 protocol
  6. Data link types
     Do NOT assume that the link type is Ethernet (DLT_EN10MB).
     Check the link type with pcap_datalink.
     In case of wireless (AirPcap), there are three possible encapsulations:
       Bare 802.11 (no meta-information)
       Per-Packet Information (PPI)
       Radiotap
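Slides 5 and 6 put into code, as an added C example that is not from the slides: every offset is checked against caplen (the bytes actually captured, not the wire length), the IPv4 header length is taken from IHL instead of being assumed to be 20, and the link-layer header length depends on the DLT (radiotap carries its own length field). It assumes nothing from pcap.h; the two DLT constants are libpcap's values and the packet at the bottom is constructed.

```c
/* Added example, not from the slides: bounds-checked dissection driven by
 * caplen, as slides 5 and 6 advise. Builds without pcap.h; the DLT values
 * are the libpcap ones and the packet at the bottom is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DLT_EN10MB 1             /* Ethernet */
#define DLT_IEEE802_11_RADIO 127 /* radiotap header + 802.11 frame */

/* Link-layer header length for this DLT, or -1 when the captured bytes do not
 * even cover the link header. Unknown DLTs are refused rather than guessed. */
int link_header_len(int dlt, const uint8_t *p, size_t caplen)
{
    switch (dlt) {
    case DLT_EN10MB:
        return caplen >= 14 ? 14 : -1;
    case DLT_IEEE802_11_RADIO: {
        /* radiotap: it_len is a little-endian uint16 at offset 2, >= 8 */
        if (caplen < 4) return -1;
        unsigned it_len = p[2] | ((unsigned)p[3] << 8);
        return (it_len >= 8 && it_len <= caplen) ? (int)it_len : -1;
    }
    default:
        return -1;
    }
}

/* Offset of the L4 header in an Ethernet/IPv4 capture, or -1 when the frame
 * is not IPv4, is truncated (the 30-byte case from slide 5), or carries an
 * IHL below the 20-byte minimum. IP options are covered through IHL. */
int ipv4_l4_offset(const uint8_t *p, size_t caplen)
{
    int l2 = link_header_len(DLT_EN10MB, p, caplen);
    if (l2 < 0) return -1;
    if (p[12] != 0x08 || p[13] != 0x00) return -1;  /* ethertype != IPv4 */
    if (caplen < (size_t)l2 + 20) return -1;        /* fixed header cut off */
    if ((p[l2] >> 4) != 4) return -1;               /* version nibble */
    size_t ihl = (size_t)(p[l2] & 0x0f) * 4;
    if (ihl < 20 || (size_t)l2 + ihl > caplen) return -1;
    return l2 + (int)ihl;
}

/* Constructed sample: Ethernet (14) + IPv4 without options (20), 34 bytes. */
const uint8_t sample_ipv4_pkt[34] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x01, 0xc0,0xa8,0x01,0x02 };
```

Passing caplen 30 for the sample packet reproduces the truncated case from slide 5 and is rejected instead of reading past the buffer.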
  7. Packet API
     Do NOT use it.
       No longer documented (it was a mistake).
       It can change between releases.
     Do NOT access the npf.sys driver directly.
       IOCTLs change over time.
     Use the pcap API.
  8. WinPcap installation
     Do NOT create your own custom WinPcap installer.
       It works most of the time on Windows XP x86.
       What about Vista x64 or NT4?
       It corrupts any existing installation.
       Debugging installation issues is a major pain.
     Solutions
       Official WinPcap installer.
       WinPcap Professional.
  9. WinPcap and services
     You can use WinPcap in a service.
     You MUST call WinPcap functions only after you have notified the SCM that the service is started.
     Alternatively, put "nm" and "npf" as service dependencies using ChangeServiceConfig when installing the service.

     VOID ServiceStart (DWORD dwArgc, LPTSTR *lpszArgv)
     {
         //
         // perform any initialization here
         // DO NOT CALL WINPCAP HERE
         //
         SetServiceStatus( ....SERVICE_RUNNING...);
         //
         // Service is now running, perform work until shutdown
         // Start using WinPcap here
         //
     }
  10. Kernel buffers
     Do NOT use large kernel buffers.
       The kernel buffer is a cache for traffic spikes or app processing slowdowns.
       Kernel memory is a precious resource.
       4-8 MB is ok in most cases (even at 1 Gbps).
     Optimize your processing code!
  11. Tips and tricks
  12. Multiple devices support
     You can open the same device multiple times
       Within the same process.
       From the same or different threads.
     Each instance uses its own capture buffer and filter.
     Packets are replicated among instances.
     Be careful with pcap_compile. It's not thread safe (as of WinPcap 4.1beta5).
       Future versions will fix the issue.
       Use a critical section to protect the calls to pcap_compile.
  13. Dumping to disk
     Disks are generally slow.
     Dumping all the packets to disk without losses is not trivial on high speed links.
     Solutions
       Dump just the first n bytes of a packet (snaplen).
       Filter packets.
       Dedicated disks (not partitions!).
       RAID 0 (striping).
  14. Use pcap_next_ex
     Why? It's much easier to use, especially to stop capture.
     Do not use pcap_loop/pcap_dispatch/pcap_next.
       They are less immediate to use.
     pcap_next_ex is blocking.
       It respects the timeout set in pcap_open_live.
  15. Timestamps
     They are generated in software after
       The packet has been received by the NIC
       The NIC has notified the OS about available packets (interrupt coalescing)
       The NIC driver has processed the packet and notified NDIS about the packet
     The precision is in the order of tens of microseconds in the best case.
     Do not rely on timestamps for critical measurements.
  16. Responsiveness vs. performance
     Packets are received by the app when the timeout elapses or when at least mintocopy bytes are in the kernel driver buffer (whichever comes first).
     Small read timeouts can affect performance.
     Small mintocopy values can affect performance.
     Do you really need to get the packets as soon as they arrive?
  17. Devpack samples
     Use them as a reference for
       Header files to include (or not)
       LIB files
       How to open/close an adapter or capture packets from it
  18. GUI applications
     The UI needs to be responsive while capturing.
     Use a separate thread to capture (or inject) packets.
     Use messages for inter-thread communication.
       SendMessage
       PostMessage
     Do NOT touch the UI in the capture thread!
  19. Wireless capture
     Most adapters (excluding AirPcap) do not support promiscuous/monitor mode.
       It's a limit of the hardware/NIC driver.
       It's not a limit of WinPcap.
     Bug in WinPcap: it doesn't detect the lack of promiscuous support. Fixed in the 4.1 betas.
     Ethernet "fake" frames. No management/control frames, no 802.11 headers.
     Vista native Wi-Fi drivers? Not really.
  20. Privileges to run WinPcap
     Pretty weak security model.
     Admin privileges are needed to
       Install WinPcap
       Start the driver at each reboot
         Change the driver start type to SERVICE_AUTO_START to have the driver started at boot time
     Once the driver is running, a standard user can capture/inject packets.
  21. WinPcap and .NET
     You need to create your own wrapper, or use an existing one.
       No official wrappers.
       No support for 3rd party ones.
     Marshalling packet contents (without copies) is not trivial.
     Some APIs (e.g. pcap_findalldevs) are not .NET friendly.
     Use managed C++ to create your wrapper.
  22. Questions?