Intercepting DNS Queries Using LSP - Programmer



Thread: Intercepting DNS Queries Using LSP

  1. Intercepting DNS Queries Using LSP

    Hi All,

    I was looking (again) at the LSP code that comes with the Platform SDK
    which I downloaded a couple of months ago. I just wanted to see if an
    LSP traps DNS requests, so I modified the WSPSend function by only
    adding code to dump to a file any data that is passed in the LPWSABUF
    lpBuffers param. Before doing something that would send a DNS query, I
    started Ethereal to see any traffic being sent on the wire. After
    that, I started a web browser window and accessed a URL (it's not in
    the cache). I found out that WSPSend did not print any data sent on
    UDP even though a DNS request could be seen on the wire (WSPSend does
    get called multiple times, though). The same code prints data sent on TCP
    (like the HTTP traffic of the page I opened). I have debugged the LSP DLL
    to see if I am doing something wrong while dumping data to a file, but
    the contents of the buffers (being sent as parameters) match the dumped
    data. The observation that I made is that every time WSPSend is called
    for UDP data, it shows the length of the buffer (LPWSABUF.len) as just
    one byte and the contents (LPWSABUF.buf) as 21 hex (!).

    I have also logged whenever calls to other send functions such as
    WSPSendTo and WSPSendDisconnect are made, but for accessing a URL (and
    the DNS query sent as a result), only WSPSend is called (and I am
    perfectly OK with that). Since these functions were never being called,
    I did not bother logging the data being passed as their parameters.

    So my question is: can an LSP be used to trap DNS requests? If yes, then
    how can it be done, and any idea why I am seeing the aforementioned
    behavior?

    The OS is Windows XP SP2 and I have installed the LSP in two different
    ways using the following commands:

    - instlsp -i -a -n "MyLSP"
    - instlsp -i -o 1001 -o 1002 -n "MyLSP"

    Thank you for your help,

    sarshah.

  2. Re: Intercepting DNS Queries Using LSP

    Hi again,

    I have done a few additional things since yesterday to find out the
    issue.

    I have restarted the system after installing the LSP. I did it because
    an LSP, when installed, is only effective for those processes that are
    executed after the LSP installation. So if I want to intercept network
    calls by processes that are already running (like different services
    or some other user process), then I would have to restart the system.
    Still, DNS queries are undetectable.

    In order to verify if an LSP can intercept any UDP traffic, I tried to
    connect from the machine where the LSP is installed to a TFTP server on a
    remote machine (on the LAN). The connection was successful and the LSP
    intercepts the data sent over UDP (UDP data dumped in the log file and
    compared with the network traffic to verify). From this, I am
    suspecting that DNS queries are not sent by a process operating at
    user level. I am not sure if this statement is entirely correct.

    So far no one has responded to the post. If all the details in the
    first post have created ambiguity and I have failed to convey my
    question, then let's just forget about all the details about what I did
    or did not do, and help me find the answer to the following question:

    Can an LSP be used to intercept DNS queries? Or can DNS queries not be
    intercepted (by an LSP) at user level? (An LSP operates at user level.)

    Responses by some of the guys really helped me in one of my posts
    related to LSP. If you guys are listening out there... please help
    me.

    sarshah.




    On Mar 12, 10:04 pm, sarsha...@yahoo.com wrote:



  3. Re: Intercepting DNS Queries Using LSP

    I did not verify this issue, but my assumption is that DNS traffic goes
    via TDI providers and all operations are done in kernel mode. Consider ways
    of traffic interception at kernel mode. For 2k, XP and Vista a TDI filter
    may be enough.

    --
    V.
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
    wrote in message
    news:6f9e9de9-606d-416b-bb5b-61576969f22e@s12g2000prg.googlegroups.com...




  4. Re: Intercepting DNS Queries Using LSP

    What you can do is download TdiMon or TdiScope and look at the output
    when making a DNS request. If the "application" is "System", then, for sure,
    the requests are generated in a km system thread.

    --
    V.
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
    "Volodymyr M. Shcherbyna" wrote in message
    news:OGDUXKbhIHA.3352@TK2MSFTNGP04.phx.gbl...




  5. Re: Intercepting DNS Queries Using LSP

    On Mar 15, 2:18 am, "Volodymyr M. Shcherbyna"
    wrote:


    Sorry for the late reply, Sarshah, I didn't see your message before.

    First, to answer your question:
    >> Can an LSP be used to intercept DNS queries? or DNS queries cannot be intercepted (by LSP) at user level? (LSP operates at user level)

    Of course you can intercept DNS queries in an LSP; there is no need to go to
    kernel level if your problem is just to intercept DNS queries.

    You are very right to confirm that DNS runs over UDP. DNS primarily
    uses UDP on port 53 to serve requests. Almost all DNS queries consist
    of a single UDP request from the client followed by a single UDP reply
    from the server. TCP comes into play only when the response data size
    exceeds 512 bytes, or for such tasks as zone transfer. Well, I believe
    you don't need to handle the second task as this will hardly come into
    the picture, and zone transfer will be in the case of IPv6 only. I believe
    you are building your program for Windows users only, so TCP can be skipped
    for now. ?? To add, DNS queries run over TCP for a few OSes like HP-UX.

    Well, focusing on UDP for now -->>
    Sarshah, you are making a mistake when you say you are logging inside
    WSPSend. WSPSend is meant to work with connected sockets only, that
    means TCP. To intercept UDP traffic you need to implement the WSPSendTo
    function.

    As you said, you verified that you are intercepting UDP using TFTP. I
    know TFTP uses UDP on port 69, but I am not sure what the calls you
    saw in your log were. Did you see WSPSendTo logs using TFTP? If not, verify
    that you are returning WSPSendTo in the proctable in the WSPStartup
    function, meaning you are implementing it.

    You can check for a DNS query inside the WSPSendTo function by making a
    check like this:

    // lpTo is the destination address passed to WSPSendTo; the socket
    // type (SOCK_DGRAM for UDP) was recorded when the socket was created.
    if (lpTo->sa_family == AF_INET &&
        ntohs(((SOCKADDR_IN *)lpTo)->sin_port) == 53 &&
        sockType == SOCK_DGRAM) // DNS client

    Be sure that you are logging all data; I am not sure at which moment
    IE makes a DNS query.
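As an added example (not code from anyone in this thread), here is the port-53/SOCK_DGRAM classification described above together with a bounds-checked parser for the query name carried in the WSABUF payload, which is what a logging WSPSendTo hook would want to record. It is portable C: the Winsock constants are replaced by stand-in macros with Winsock's values so it builds outside Windows, and the DNS message is constructed for the example, not captured.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the Winsock constants the check uses, with Winsock's
   values, so this example also compiles outside Windows (there they
   come from <winsock2.h>). */
#define WS_AF_INET      2
#define WS_SOCK_STREAM  1
#define WS_SOCK_DGRAM   2
#define DNS_PORT        53

/* Classify one WSPSendTo call as a likely DNS client query: an AF_INET
   datagram socket sending to UDP port 53. dst_port is in host byte
   order, i.e. the caller has already applied ntohs() to sin_port. */
int is_dns_client_send(int family, int sock_type, unsigned dst_port)
{
    return family == WS_AF_INET && sock_type == WS_SOCK_DGRAM
        && dst_port == DNS_PORT;
}

/* Extract the first question from a DNS query message as it appears in
   lpBuffers[0].buf. Writes the dotted QNAME into out (out_len bytes)
   and returns the QTYPE, or -1 if the message is not a well-formed
   query. Every read is bounds-checked, so a truncated or hostile buffer
   cannot make the logger read past the end of the caller's WSABUF. */
int dns_first_question(const unsigned char *msg, size_t len,
                       char *out, size_t out_len)
{
    size_t pos = 12;               /* question section follows the 12-byte header */
    size_t o = 0;
    unsigned qdcount;

    if (len < 12 || out_len < 2) return -1;
    if (msg[2] & 0x80) return -1;  /* QR bit set: a response, not a query */
    qdcount = ((unsigned)msg[4] << 8) | msg[5];
    if (qdcount == 0) return -1;

    for (;;) {
        unsigned label_len;
        if (pos >= len) return -1;
        label_len = msg[pos++];
        if (label_len == 0) break;                    /* root label ends the name */
        if (label_len > 63) return -1;                /* pointer/reserved bits: not valid here */
        if (pos + label_len > len) return -1;         /* label runs past the buffer */
        if (o + label_len + 1 >= out_len) return -1;  /* room for label, '.' and NUL */
        memcpy(out + o, msg + pos, label_len);
        o += label_len;
        out[o++] = '.';
        pos += label_len;
    }
    if (o == 0) out[o++] = '.';    /* the root name itself */
    else o--;                      /* drop the trailing dot */
    out[o] = '\0';

    if (pos + 4 > len) return -1;  /* QTYPE and QCLASS must follow */
    return ((unsigned)msg[pos] << 8) | msg[pos + 1];
}

/* What the WSPSendTo hook itself would do with one call: returns 1 and
   fills name/qtype when the send looks like a DNS query, 0 otherwise. */
int inspect_sendto(int family, int sock_type, unsigned dst_port,
                   const unsigned char *buf, size_t len,
                   char *name, size_t name_len, int *qtype)
{
    if (!is_dns_client_send(family, sock_type, dst_port)) return 0;
    *qtype = dns_first_question(buf, len, name, name_len);
    return *qtype >= 0;
}

/* Constructed sample: a query for www.example.com, type A (1), class IN (1),
   ID 0x1234, only the RD flag set. Not captured from a real host. */
static const unsigned char SAMPLE_QUERY[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

int main(void)
{
    char name[256];
    int qtype;

    /* The interesting case: a datagram to port 53 carrying a query. */
    if (inspect_sendto(WS_AF_INET, WS_SOCK_DGRAM, DNS_PORT,
                       SAMPLE_QUERY, sizeof SAMPLE_QUERY,
                       name, sizeof name, &qtype))
        printf("DNS query: %s (qtype %d)\n", name, qtype);

    /* The same payload on a stream socket is not matched by this check. */
    if (!inspect_sendto(WS_AF_INET, WS_SOCK_STREAM, DNS_PORT,
                        SAMPLE_QUERY, sizeof SAMPLE_QUERY,
                        name, sizeof name, &qtype))
        printf("stream socket to port 53: not classified as a UDP DNS query\n");
    return 0;
}
```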

  6. Re: Intercepting DNS Queries Using LSP

    On Mar 15, 11:10 am, Vishal Swarnkar
    wrote:


    I just verified this; I can get DNS calls by making the above check in
    WSPSendTo.

  7. Re: Intercepting DNS Queries Using LSP

    Guys, thanks for your responses. Here is what I found out. The problem
    completely goes away if I do the following: stop the DNS Client service from
    the Services list, install the LSP, and now I am getting DNS data in
    WSPSendTo. I had logging enabled in WSPSend, WSPSendTo and
    WSPSendDisconnect, but if I do not stop the DNS Client service and then
    install the LSP, DNS data is not intercepted, not even in WSPSendTo. Any
    thoughts on this?



    On Mar 15, 11:13 am, Vishal Swarnkar
    wrote:
    > > > >> data. The observation that i made is that every time WSPSend is called
    > > > >> for UDP data, it shows the length of the buffer (LPWSABUF.len) just
    > > > >> one byte and the contents (LPWSABUF.buf) as 21 hex (!).

    >
    > > > >> I have also logged whenever calls to other send functions such as
    > > > >> WSPSendTo and WSPSendDisconnect are made but for accessing a URL (and
    > > > >>DNSquery sent as a result), only WSPSend is called (and i am
    > > > >> perfectly ok with that). Since these functions were never being called
    > > > >> so i did not bother logging data being passed as their parameters.

    >
    > > > >> So my question is canLSPbe used to trapDNSrequests? If yes then
    > > > >> how it can be done and any idea on why i am seeing the aforementioned
    > > > >> behavior?

    >
    > > > >> The OS is Windows XP SP2 and I have installed thelspin two different
    > > > >> ways using the following commands:

    >
    > > > >> - instlsp -i -a -n "MyLSP"
    > > > >> - instlsp -i -o 1001 -o 1002 -n "MyLSP"

    >
    > > > >> Thank you for your help,

    >
    > > > >> sarshah.- Hide quoted text -

    >
    > > > - Show quoted text -

    >
    > > Sorry for late reply Sarshah, didn't see your message before.
    >
    > > First to answer your question
    >
    > > >> Can an LSP be used to intercept DNS queries? or DNS queries cannot be
    > > >> intercepted (by LSP) at user level? (LSP operates at user level)
    >
    > > Of course you can intercept DNS query in LSP, there is no need to go in
    > > kernel level if your problem is just to intercept DNS queries.
    >
    > > You are very right to confirm that DNS runs over UDP. DNS primarily
    > > uses UDP on port 53 to serve requests. Almost all DNS queries consist
    > > of a single UDP request from the client followed by a single UDP reply
    > > from the server. TCP comes into play only when the response data size
    > > exceeds 512 bytes, or for such tasks as zone transfer. Well I believe
    > > you don't need to handle the second task as this will hardly come in
    > > picture and zone transfer will be in case of IPv6 only. I believe you
    > > are building your program for windows users only so TCP can be skipped
    > > for now. ?? To add with DNS queries runs over TCP for few OSes like HP-UX.
    >
    > > Well focusing on UDP for now -->>
    > > Sarshah, you are making a mistake when you say you are logging inside
    > > WSPSend. WSPSend is meant to work with connected sockets only, that
    > > means TCP. To intercept UDP traffic you need to implement the WSPSendTo
    > > function.
    >
    > > As you said you verified that you are intercepting UDP using TFTP. I
    > > know TFTP uses UDP on port 69 but I am not sure what are the calls you
    > > saw in your log. Did you see WSPSendTo logs using TFTP? If not verify
    > > that you are returning WSPSendTo in the proctable in the WSPStartup
    > > function, meaning you are implementing it.
    >
    > > You can check a DNS query inside the WSPSendTo function by making a
    > > check ::
    >
    > > if("Your Remote Port" == 53 && "Protocol Type" == SOCK_DGRAM) // DNS
    > > client.
    >
    > > Be sure that you are logging every data, I am not sure at which moment
    > > IE makes a DNS query.
    >
    > I just verified this, I can get DNS calls by making the above check in
    > WSPSendTo.
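Worked example (added here; this is not code from the thread or from the Platform SDK LSP sample): the "remote port 53 and SOCK_DGRAM" test that Vishal describes, followed by a decoder for the query bytes that `lpBuffers` would carry once the test passes, so the log shows the queried name rather than a raw dump. It is plain C so it also builds outside an LSP; on Windows the socket structures come from winsock2.h instead of the POSIX headers. The `socktype` argument stands in for whatever the LSP recorded for the socket when WSPSocket created it (the SDK sample keeps per-socket context; passing it as a parameter is this example's assumption), and the query bytes are constructed for the demonstration.

```c
/* Added example: the "remote port 53 && SOCK_DGRAM" check from the thread,
 * plus a decoder for the DNS query an LSP's WSPSendTo would see in lpBuffers.
 * Not from the thread or the Platform SDK LSP sample. */
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#else
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_PORT 53

/* Destination test. socktype is what the LSP recorded for the socket at
 * WSPSocket time (assumption: the hook has per-socket context to consult). */
int is_dns_destination(const struct sockaddr *to, int to_len, int socktype)
{
    if (to == NULL || socktype != SOCK_DGRAM)
        return 0;
    if (to->sa_family == AF_INET && to_len >= (int)sizeof(struct sockaddr_in))
        return ntohs(((const struct sockaddr_in *)to)->sin_port) == DNS_PORT;
    if (to->sa_family == AF_INET6 && to_len >= (int)sizeof(struct sockaddr_in6))
        return ntohs(((const struct sockaddr_in6 *)to)->sin6_port) == DNS_PORT;
    return 0;
}

typedef struct {
    uint16_t id, flags, qdcount, qtype, qclass;
    char qname[256];            /* first question name, dotted form */
} dns_query_info;

/* Decode the RFC 1035 header and first question. Returns 0 on success, -1 if
 * the buffer is truncated, has no question, or uses compression pointers
 * (a client's question section never needs them, so treat them as malformed). */
int parse_dns_query(const uint8_t *buf, size_t len, dns_query_info *out)
{
    size_t pos = 12, n = 0;
    if (len < 12)
        return -1;
    memset(out, 0, sizeof *out);
    out->id      = (uint16_t)(buf[0] << 8 | buf[1]);
    out->flags   = (uint16_t)(buf[2] << 8 | buf[3]);
    out->qdcount = (uint16_t)(buf[4] << 8 | buf[5]);
    if (out->qdcount == 0)
        return -1;
    for (;;) {
        uint8_t label_len;
        if (pos >= len)
            return -1;
        label_len = buf[pos++];
        if (label_len == 0)
            break;                          /* end of QNAME */
        if ((label_len & 0xC0) || pos + label_len > len ||
            n + label_len + 2 > sizeof out->qname)
            return -1;
        if (n > 0)
            out->qname[n++] = '.';
        memcpy(out->qname + n, buf + pos, label_len);
        n += label_len;
        pos += label_len;
    }
    out->qname[n] = '\0';
    if (pos + 4 > len)
        return -1;                          /* QTYPE/QCLASS missing */
    out->qtype  = (uint16_t)(buf[pos] << 8 | buf[pos + 1]);
    out->qclass = (uint16_t)(buf[pos + 2] << 8 | buf[pos + 3]);
    return 0;
}

/* What the WSPSendTo hook does before forwarding the call to the next
 * provider: apply the destination check, then decode lpBuffers[0].
 * Returns 1 when a DNS query was recognised and decoded into *info, else 0. */
int inspect_sendto(const struct sockaddr *to, int to_len, int socktype,
                   const uint8_t *buf, size_t len, dns_query_info *info)
{
    if (!is_dns_destination(to, to_len, socktype))
        return 0;
    return parse_dns_query(buf, len, info) == 0;
}

/* Constructed sample: what a stub resolver sends for "www.example.com" A? */
static const uint8_t SAMPLE_QUERY[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

int main(void)
{
    struct sockaddr_in dst;
    dns_query_info q;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(DNS_PORT);
    if (inspect_sendto((const struct sockaddr *)&dst, (int)sizeof dst, SOCK_DGRAM,
                       SAMPLE_QUERY, sizeof SAMPLE_QUERY, &q))
        printf("DNS query id=0x%04x name=%s type=%u class=%u\n",
               q.id, q.qname, q.qtype, q.qclass);
    return 0;
}
```

In the real hook, `inspect_sendto` would be called with WSPSendTo's `lpTo`, `iToLen` and `lpBuffers[0]` before the call is forwarded to the lower provider's WSPSendTo. Two caveats follow from the thread itself: WSPSend never sees these datagrams, since UDP sends go through WSPSendTo; and the hook only runs in processes that loaded the LSP, so a DNS Client service that was already running when the LSP was installed will not be seen until it is restarted, which is the behaviour sarshah reports later in the thread.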



  8. Re: Intercepting DNS Queries Using LSP

    If you simply reboot machine, does the LSP intercept data?

    --
    V.
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
    wrote in message
    news:ed693aa6-f4c3-4c20-8abb-fd88876d0320@d4g2000prg.googlegroups.com...
    Guys thanks for your responses. Here is what I found out. The problem
    completely goes away if I do the following: stop the DNS Client service
    from the Services list, install the LSP, and now I am getting DNS data in
    WSPSendTo. I had logging enabled in WSPSend, WSPSendTo and
    WSPSendDisconnect, but if I do not stop the DNS Client service and then
    install the LSP, DNS data is not intercepted, not even in WSPSendTo. Any
    thoughts on this?







  9. Re: Intercepting DNS Queries Using LSP

    On Mar 18, 12:26 pm, "Volodymyr M. Shcherbyna"
    wrote:
    > If you simply reboot machine, does the LSP intercept data?


    I simply install the LSP, immediately go to the logs, and I can see DNS
    queries being intercepted. Yeah, but I launch IE after installing the LSP so
    that my LSP gets loaded properly.
    IE is making the DNS queries, so they get intercepted by the LSP. If you want
    to intercept every query by the DNS Client, then yes, you need a reboot or
    a restart of your service so that it loads your LSP. In short, only
    those applications which start after installation of your LSP will load
    your LSP. (Don't get confused with winlogon and lsass.exe because they
    are system critical processes and I don't know how they keep on
    refreshing the things).

  10. Re: Intercepting DNS Queries Using LSP

    I tried the following things:

    1- I did not stop the DNS Client service and installed the LSP.
    Rebooted the machine and used ping to send the DNS request. Did not
    log anything.

    2- I stopped the DNS Client service and installed the LSP. Did not
    restart the machine and used ping to generate DNS request. DNS request
    was intercepted and logged to file.

    Could it be a difference of some settings on my machine or what?

    sarshah




    On Mar 18, 1:31 pm, Vishal Swarnkar wrote:
    > I install LSP simple and immediately go for logs and I can see DNS queries intercepting. Yeah but I launch IE after installing LSP so
    > that my LSP should get loaded properly.
    > IE is making DNS queries so it gets intercepted by LSP. If you want
    > to intercept every query by DNS Client, then yes you need a reboot or
    > restart of your service so that it should load your LSP. In short only
    > those applications which start after installation of your LSP will load
    > your LSP. ( Don't get confused with winlogon and lsass.exe because they
    > are system critical processes and I don't know how they keep on
    > refreshing the things).



  11. Re: Intercepting DNS Queries Using LSP

    On Mar 20, 10:53 pm, sarsha...@yahoo.com wrote:
    > I tried the following things:
    >
    > 1- I did not stop the DNS Client service and installed the LSP.
    > Rebooted the machine and used ping to send the DNS request. Did not
    > log anything.
    >
    > 2- I stopped the DNS Client service and installed the LSP. Did not
    > restart the machine and used ping to generate DNS request. DNS request
    > was intercepted and logged to file.
    >
    > Could it be a difference of some settings on my machine or what?
    >
    > sarshah



    No difference in settings at all.

    As I mentioned to you before, only those applications will load your
    LSP which are started after your LSP's installation. Applications
    which are running before your LSP installation will NOT load your LSP
    ( again remember the difference for critical system processes like
    winlogon.exe etc).

    So if your service is running and you install LSP, your Service will
    NOT load your LSP.

    If you stop your service, install LSP and then start the service, which
    means you are STARTING the application AFTER your LSP installation, so now
    it will load LSP successfully.
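    The port-53 / SOCK_DGRAM check suggested for WSPSendTo earlier in the thread, together with the QNAME parse a logging hook would want before writing a query to its log file, as an added C example that is not code from any poster. `dest_addr`, `dest_udp`, `classify_send` and the sample query bytes are constructed stand-ins for the Winsock sockaddr and lpBuffers arguments, so the code builds and runs without Winsock.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not code from the thread). It models the decision an LSP's
 * WSPSendTo hook makes on every datagram: is it a DNS query to port 53, and
 * which name is being looked up? Winsock types are replaced by a tiny
 * portable struct so the code builds anywhere; the destination is assumed
 * to be IPv4. */

#define SOCK_DGRAM_TYPE 2    /* same numeric value Winsock uses for SOCK_DGRAM */
#define DNS_PORT        53
#define DNS_UDP_MAX     512  /* classic UDP payload limit mentioned in the thread */

struct dest_addr {
    uint8_t port_be[2];      /* port in network byte order, like sin_port */
    uint8_t ip[4];
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Build a destination address; 192.0.2.53 is a documentation-range address. */
struct dest_addr dest_udp(uint16_t port)
{
    struct dest_addr d = { { (uint8_t)(port >> 8), (uint8_t)port }, { 192, 0, 2, 53 } };
    return d;
}

/* The thread's check: remote port 53 and a datagram socket. */
int is_dns_query_dest(const struct dest_addr *to, int socktype)
{
    return socktype == SOCK_DGRAM_TYPE && be16(to->port_be) == DNS_PORT;
}

/* Copy the first question name (QNAME) out of a DNS message as dotted text.
 * Returns the QTYPE on success, -1 if the buffer is not a well-formed query.
 * Compression pointers are rejected: the first QNAME of a query is never
 * compressed, so one here means garbage rather than a real lookup. */
int dns_first_qname(const uint8_t *msg, size_t len, char *out, size_t outlen)
{
    if (len < 12 || len > DNS_UDP_MAX) return -1;  /* header is 12 bytes */
    if (msg[2] & 0x80) return -1;                  /* QR bit set: a response */
    if (be16(msg + 4) == 0) return -1;             /* QDCOUNT must be >= 1 */
    size_t pos = 12, o = 0;
    for (;;) {
        if (pos >= len) return -1;
        uint8_t l = msg[pos++];
        if (l == 0) break;                         /* root label ends the name */
        if (l & 0xC0) return -1;                   /* compression pointer */
        if (pos + l > len || o + l + 1 >= outlen) return -1;
        if (o) out[o++] = '.';
        memcpy(out + o, msg + pos, l);
        o += l;
        pos += l;
    }
    out[o] = '\0';
    if (pos + 4 > len) return -1;                  /* QTYPE and QCLASS follow */
    return be16(msg + pos);
}

/* Combined hook logic: 0 = not DNS, 1 = DNS query (name filled in),
 * -1 = sent to a DNS port but not a parseable query (worth logging raw). */
int classify_send(const struct dest_addr *to, int socktype,
                  const uint8_t *buf, size_t len, char *name, size_t namelen)
{
    if (!is_dns_query_dest(to, socktype)) return 0;
    return dns_first_qname(buf, len, name, namelen) < 0 ? -1 : 1;
}

/* Constructed sample: a standard A-record query for example.com, ID 0x1234. */
const uint8_t sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

int main(void)
{
    char name[256];
    struct dest_addr d = dest_udp(DNS_PORT);
    int r = classify_send(&d, SOCK_DGRAM_TYPE, sample_query, sizeof sample_query,
                          name, sizeof name);
    if (r == 1)
        printf("DNS query to %u.%u.%u.%u for %s\n", d.ip[0], d.ip[1], d.ip[2], d.ip[3], name);
    return 0;
}
```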

  12. Re: Intercepting DNS Queries Using LSP

    Vishal,

    Thanks for your reply. I am sure i am doing something wrong at my end.
    Thanks for the clarification. I will again try exactly as you
    mentioned.

    sarshah


    On Mar 25, 4:48 pm, Vishal Swarnkar wrote:
    >
    > No difference in settings at all.
    >
    > As I mentioned to you before, only those applications will load your
    > LSP which are started after your LSP's installation. Applications
    > which are running before your LSP installation will NOT load your LSP
    > ( again remember the difference for critical system processes like
    > winlogon.exe etc).
    >
    > So if your service is running and you install LSP, your Service will
    > NOT load your LSP.
    >
    > If you stop your service, install LSP and then start the service, which
    > means you are STARTING the application AFTER your LSP installation, so now
    > it will load LSP successfully.


