basil00 / WinDivert

WinDivert: Windows Packet Divert
https://reqrypt.org/windivert.html

Possible multicast packets problem #87

Open asvald opened 7 years ago

asvald commented 7 years ago

Hello! My computer gets many multicast packets from the local network on WINDIVERT_LAYER_NETWORK. Like this:

Packet1: SrcIP=192.168.113.149 Port=59466 ---> DstIP=224.0.0.252 Port=5355
Packet2: SrcIP=192.168.113.144 Port=51300 ---> DstIP=239.192.152.143 Port=6771
...

When I just pass these packets like in the passthru example, in a few minutes the network is down, and after closing my app it hangs in memory for approx. 2 min. The filter string is: "ip && inbound"

If I set my interface IP in the filter:

AnsiString localFilterStr = AnsiString("ip && inbound && ip.DstAddr==192.168.113.122");
FHWindivertLocal = __WinDivertOpen(localFilterStr.c_str(), WINDIVERT_LAYER_NETWORK, -998, WINDIVERT_FLAG_NO_CHECKSUM);

everything works for hours. Everything is also OK if I set a filter such as "ip && inbound && ( (udp && udp.DstPort!=5355 && udp.DstPort!=6771) || tcp)". In my case multicast packets somehow hang up WinDivert. I use the 1.1.8 64-bit version.

basil00 commented 7 years ago

Hard to say what the problem is. From the symptoms, it sounds like the multicast packets are getting trapped in a loop somehow. There are a few possibilities: a bug in the user program, multiple WFP drivers (issue #41), or perhaps injecting inbound multicast somehow gets sent out to the network again (causing a copy of the packet to be indicated again). Or it can be some other problem entirely.

mosesBD commented 5 years ago

How does your local network handle multicast? Note that because of the special IP address and MAC address of multicast packets, your network should be configured to handle multicast packets (IGMP snooping on switches, for example). Otherwise these packets can cause broadcast storms (if switches are not configured they will broadcast multicast packets), which I guess causes your network to go down. Also, you should not pass multicast packets unless you are a switch or router, so just drop the multicast packets that are not intended for your PC. When I say intended for your PC, it means that you have joined a multicast group.

mosesBD commented 5 years ago

The multicast addresses in your question are 224.0.0.252, which is for the Link-local Multicast Name Resolution (LLMNR) address protocol, and the other one is a user scope, meaning that you are receiving a multicast stream. If your system has joined this group it is OK; otherwise your network is misconfigured and you should fix that first.
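
The decision described in the last two comments (reinject only multicast for groups the host has joined, drop the rest), as an added example that is not part of the thread or of WinDivert's code. It is plain C with no WinDivert calls; the function names, the verdict enum and the joined-group list are hypothetical, and the packet headers are constructed samples using the two destination addresses from the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum verdict { PASS_NOT_MULTICAST, PASS_JOINED_GROUP, DROP_MULTICAST, DROP_MALFORMED };

/* 224.0.0.0/4 is the IPv4 multicast range. */
static int is_multicast(uint32_t a) { return (a & 0xF0000000u) == 0xE0000000u; }

/* 224.0.0.0/24 is link-local; 239.0.0.0/8 is administratively scoped (RFC 2365). */
const char *multicast_scope(uint32_t a)
{
    if (!is_multicast(a)) return "not multicast";
    if ((a & 0xFFFFFF00u) == 0xE0000000u) return "link-local";
    if ((a & 0xFF000000u) == 0xEF000000u) return "administratively scoped";
    return "other multicast";
}

/* pkt is assumed to start at the IPv4 header, as network-layer packets do. */
enum verdict classify(const uint8_t *pkt, size_t len, const uint32_t *joined, size_t n)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || (pkt[0] & 0x0F) < 5)
        return DROP_MALFORMED;
    uint32_t dst = ((uint32_t)pkt[16] << 24) | ((uint32_t)pkt[17] << 16) |
                   ((uint32_t)pkt[18] << 8) | pkt[19];
    if (!is_multicast(dst)) return PASS_NOT_MULTICAST;
    for (size_t i = 0; i < n; i++)
        if (joined[i] == dst) return PASS_JOINED_GROUP;   /* host is a group member */
    return DROP_MULTICAST;                                /* do not reinject */
}

/* Constructed sample: 20-byte header with only version/IHL and destination set. */
enum verdict sample_verdict(uint8_t a, uint8_t b, uint8_t c, uint8_t d, int llmnr_joined)
{
    static const uint32_t joined[] = { 0xE00000FCu };     /* 224.0.0.252 */
    uint8_t pkt[20] = { 0x45 };
    pkt[16] = a; pkt[17] = b; pkt[18] = c; pkt[19] = d;
    return classify(pkt, sizeof pkt, joined, llmnr_joined ? 1 : 0);
}

int main(void)
{
    printf("224.0.0.252     %-24s verdict=%d\n", multicast_scope(0xE00000FCu),
           sample_verdict(224, 0, 0, 252, 0));
    printf("239.192.152.143 %-24s verdict=%d\n", multicast_scope(0xEFC0988Fu),
           sample_verdict(239, 192, 152, 143, 0));
    return 0;
}
```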