basil00 / Divert

WinDivert: Windows Packet Divert
https://reqrypt.org/windivert.html

What is a safe default for Impostor? #339

Closed AriFordsham closed 10 months ago

AriFordsham commented 10 months ago

I'm writing a library that uses WinDivert to capture and inject raw packets for client applications. My API only allows raw data, not additional information, such as the Address structure.

As such, I have no idea whether packets are re-injections or not, and I need a default value to set 'Impostor' to. What is safer, always setting true or always setting false? What are the tradeoffs?

basil00 commented 10 months ago

If the Impostor field is "lost" then a good safe default is Impostor=True.

The Impostor field exists because Windows seemingly cannot detect packet loops when there are multiple drivers. All it does is cause the driver to decrement the TTL, and fail with error if the TTL reaches zero. This is a last-resort defense against undetectable loops.
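The loop defence basil00 describes, worked through as an added example. This is a Python model written for this page, not WinDivert's own code: `inject()` models what the driver does on a send when the Impostor flag is set (decrement the IPv4 TTL or IPv6 hop limit, fail once it reaches zero) and does nothing when it is clear; `simulate_loop()` models two divert drivers re-injecting the same packet to each other. The sample packets are constructed inline, the function names are this example's own, and the exact point at which the real driver fails (at TTL 1 before the decrement, here) is an assumption; in the C API the flag is the `Impostor` bit of the `WINDIVERT_ADDRESS` passed to `WinDivertSend`.

```python
"""
Model of the Impostor loop defence as described in this thread: on
(re)injection with Impostor=1 the driver decrements the IP TTL / hop
limit and fails the injection when it reaches zero. Written for this
example; it is not WinDivert's code and does not touch the driver.
"""
import struct
from typing import Tuple


class LoopDetected(Exception):
    """Stands in for the error the real send call would return."""


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 if it verifies)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(ttl: int, payload: bytes = b"constructed") -> bytes:
    """Constructed sample: minimal IPv4 header (no options), UDP protocol."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ipv6(hop_limit: int, payload: bytes = b"constructed") -> bytes:
    """Constructed sample: fixed 40-byte IPv6 header, next header UDP."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), 17, hop_limit,
                      b"\xfd" + b"\x00" * 14 + b"\x01",
                      b"\xfd" + b"\x00" * 14 + b"\x02")
    return hdr + payload


def ttl_of(pkt: bytes) -> int:
    """TTL (IPv4, byte 8) or hop limit (IPv6, byte 7) of a raw packet."""
    version = pkt[0] >> 4
    if version == 4:
        return pkt[8]
    if version == 6:
        return pkt[7]
    raise ValueError("not an IPv4/IPv6 packet")


def with_ttl(pkt: bytes, ttl: int) -> bytes:
    """Copy of pkt with the TTL/hop limit replaced; IPv4 checksum refreshed."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        hdr = bytearray(pkt[:ihl])
        hdr[8] = ttl
        hdr[10:12] = b"\x00\x00"
        hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
        return bytes(hdr) + pkt[ihl:]
    if version == 6:
        return pkt[:7] + bytes([ttl]) + pkt[8:]
    raise ValueError("not an IPv4/IPv6 packet")


def inject(pkt: bytes, impostor: bool) -> bytes:
    """Model of a send with the Impostor flag set or clear (assumption: the
    driver fails the send when the TTL would reach zero, i.e. at TTL <= 1)."""
    if not impostor:
        return pkt                  # no loop defence at all
    ttl = ttl_of(pkt)
    if ttl <= 1:
        raise LoopDetected("TTL reached zero on re-injection")
    return with_ttl(pkt, ttl - 1)


def simulate_loop(pkt: bytes, impostor: bool, max_rounds: int) -> Tuple[int, bool]:
    """Two divert drivers bouncing one packet between each other.
    Returns (successful injections, whether the TTL defence stopped it)."""
    rounds = 0
    try:
        while rounds < max_rounds:
            pkt = inject(pkt, impostor)
            rounds += 1
    except LoopDetected:
        return rounds, True
    return rounds, False


if __name__ == "__main__":
    pkt = build_ipv4(ttl=64)
    print("Impostor=True :", simulate_loop(pkt, True, 10_000))
    print("Impostor=False:", simulate_loop(pkt, False, 10_000))
```

The simulation makes the tradeoff concrete: with Impostor=True a packet that starts at TTL 64 survives at most 63 re-injections before the loop is cut, at the cost of one hop per injection even for packets that were never re-injected (a low-TTL packet injected once may already be dropped); with Impostor=False the two-driver loop runs until the round limit, which in the real system means forever.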