basil00 / WinDivert

WinDivert: Windows Packet Divert
https://reqrypt.org/windivert.html

always get 592 errors #12

Closed alexliyu closed 10 years ago

alexliyu commented 10 years ago

in windows 2012 64bit system:

    if (!WinDivertSend(handle, (PVOID)dnr, icmp_length, &send_addr, NULL))
    {
        fprintf(stderr, "warning: failed to send ICMP message (%d)\n",
            GetLastError());
    }

in the netfilter demo. Here I always get 592 errors.

and in win7 64bit system

    // Re-inject the matching packet.
    if (!WinDivertSend(handle, packet, packet_len, &addr, NULL))
    {
        fprintf(stderr, "warning: failed to reinject packet (%d)\n",
            GetLastError());
    }

warning: failed to reinject packet (592)

I always get 592 errors, why?

basil00 commented 10 years ago

The leading theory is that the Windows TCP/IP stack does not handle these kinds of ICMP messages. Instead of silently ignoring them, the stack returns an error code if the packet was injected via WFP (or WinDivert). With WinDivert, this error manifests itself as a user-mode 592 error.

So, it is likely that these 592 errors are benign, and can be ignored. However, in general other things may cause 592 errors (e.g. attempting to inject a malformed packet), so 592 errors cannot be ignored by WinDivert completely.

Further documentation: http://reqrypt.org/windivert-faq.html#q2

dmitryyy commented 9 years ago

I have the same error in the webfilter example after some time (several hours) of work. But I changed the "outbound" filter in this example to "inbound". In other words, WinDivert can't inject inbound packets with a non-zero data length. And this is a big problem :(

basil00 commented 9 years ago

The original sample already injects both inbound and outbound packets. So if the original sample works, then WinDivert itself would not be the cause of the error. A 592 error can also indicate an attempt to inject an invalid packet, e.g. wrong length, wrong checksum, wrong field values, etc., etc.

For inbound, you can use the netdump.exe sample to print injected packets. Use a lower priority (-> higher value) than the injection handle, e.g. something like netdump.exe true 999. This is useful for debugging. If nothing is printed it usually means the application attempted to inject an invalid packet.
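As an added example (not WinDivert's own code), here is a pre-injection sanity check in C for the "wrong length / wrong checksum / wrong field values" causes listed above, so that a 592 which survives this check can be attributed to the stack rejecting the packet rather than to a malformed buffer. It assumes the caller holds the raw IPv4 buffer it is about to pass to WinDivertSend; the sample packet below is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 1071 ones'-complement sum over the IPv4 header. Over a header whose
 * checksum field is already correct the result is 0. */
static uint16_t ipv4_header_checksum(const uint8_t *hdr, size_t hdr_len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hdr_len; i += 2)
        sum += (uint32_t)(hdr[i] << 8 | hdr[i + 1]);
    if (hdr_len & 1)
        sum += (uint32_t)hdr[hdr_len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Run before WinDivertSend(). Returns 0 if the buffer is a plausible IPv4
 * packet, otherwise: 1 truncated, 2 bad version/IHL, 3 total length does
 * not match the buffer length, 4 header checksum wrong. */
int ipv4_preinject_check(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 20) return 1;
    unsigned version = pkt[0] >> 4, ihl = (pkt[0] & 0x0F) * 4u;
    if (version != 4 || ihl < 20 || ihl > pkt_len) return 2;
    unsigned total = (unsigned)pkt[2] << 8 | pkt[3];
    if (total != pkt_len) return 3;            /* wrong length */
    if (ipv4_header_checksum(pkt, ihl) != 0) return 4; /* wrong checksum */
    return 0;
}

/* Helper for experiments: copy pkt, overwrite one byte, re-run the check. */
int check_with_corrupted_byte(const uint8_t *pkt, size_t len,
                              size_t off, uint8_t val)
{
    uint8_t copy[1500];
    if (len > sizeof copy || off >= len) return -1;
    memcpy(copy, pkt, len);
    copy[off] = val;
    return ipv4_preinject_check(copy, len);
}

/* Constructed 40-byte IPv4/TCP packet: 10.0.0.1 -> 10.0.0.2, TTL 64,
 * correct header checksum 0x66ce, zeroed 20-byte TCP header. */
const uint8_t sample_pkt[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x00, 0x40, 0x06, 0x66, 0xce,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02 };
```

A packet that fails this check should not be injected at all; one that passes it and still yields 592 is the case the FAQ describes, where the TCP/IP stack itself rejected the packet.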

nscboy commented 8 years ago

In Win10 (x64), when I used passthru.exe with the parameter "inbound && ip && tcp.DstPort == 9000 && tcp.PayloadLength > 0" 1, I always get the error "warning: failed to reinject packet (592)" and the client disconnects after it sends something. But in Win7 (x64, SP1) I can run the same passthru.exe application successfully. I used netdump.exe in Win10 and it works OK. Can I do something to decide this issue? I checked the source and found that the two projects differ on WinDivertOpen: passthru uses WinDivertOpen(argv[1], WINDIVERT_LAYER_NETWORK, 0, 0); and netdump uses WinDivertOpen(argv[1], WINDIVERT_LAYER_NETWORK, priority, WINDIVERT_FLAG_SNIFF);

basil00 commented 8 years ago

I am not sure what would cause that behavior. It is possible that some other software (only on the Win10 machine) is blocking the re-injected packets, and this manifests as a 592 error.

For netdump the WINDIVERT_FLAG_SNIFF means the original packet is not dropped. So it seems the problem only appears for packets injected from userspace.

Unfortunately I do not have a Win10 box to test ATM.