[lug] using tcpdump to emulate effects of packet dump

George Sexton gsexton at mhsoftware.com
Thu Jul 17 21:22:45 MDT 2003


You cannot do what you want.

Calling CreateMailSlot() just gives you a file handle that you can then use
with ReadFile(). You get no information about the source of the data. By
convention applications can write their source host name, and user name but
it is totally worthless.


>> both 2k and 98.

One practical bit of advice, is that on NT a read for 0 bytes will block if
there is no data. In Win98, a 0 byte read will not block.

Filtering port 1026 for Windows machines would not randomly break DNS,
because the port is already bound to the messenger service and could not be
used to send out DNS requests.

-----Original Message-----
From: lug-admin at lug.boulder.co.us [mailto:lug-admin at lug.boulder.co.us]On
Behalf Of D. Stimits
Sent: Thursday, July 17, 2003 8:10 PM
To: lug at lug.boulder.co.us
Subject: Re: [lug] using tcpdump to emulate effects of packet dump


George Sexton wrote:

> FWIW, the general technology that you would have to use to write a
> filter to
> block them would be to start a service that opens that mailslot
> (\\.\mailslot\messngr) and listens for incoming data, and then filter the
> data, displaying alerts you want to see.
>
> For general information on Mailslots, search the MSDN on CreateMailSlot().
>
> In general, it's a lot easier to just not run the messenger service.
> Running
> this service on a machine that is directly connected to the internet is
> probably a bad idea anyhow.
>

I want to limit the popup to have it work only if the popup does not
arrive on a particular interface. I want it to continue working on the
serial port, and any network card that is deemed to allow it. An
interface-by-interface yes/no allow/deny.

FYI, this machine has a Linux filtering bridge on it, stopping the
usual garbage that comes in below port 1024. It isn't acceptable to
ban port 1026 udp as this would break a lot of applications, including
(randomly) host lookups, as the lowest open udp port is often the
recipient of dns replies.

The CreateMailSlot() sounds like the right starting spot. Being able to
detect what interface the popup is coming from would be the next task,
and linking them together on a configurable menu to allow or deny. One
of the bigger problems is that I'll have to write it for both 2k and 98.

D. Stimits, stimits AT comcast DOT net

_______________________________________________
Web Page:  http://lug.boulder.co.us
Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
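Added example, not from either poster: a small Win32 program that takes over the Messenger service's mailslot and prints whatever arrives. It illustrates the point George makes above: the Win32 call (spelled CreateMailslot() in the API, CreateMailSlot() in the thread) returns a plain handle, ReadFile() hands back the bytes that were written, and nothing on the handle identifies the sending host, user, or the interface the message came in on. GetMailslotInfo() is consulted before every read so the program never issues a 0-byte ReadFile(), whose blocking behaviour the thread says differs between NT and Win98. The slot name is the one given in the thread; the 4096-byte cap, the polling interval, and the " | " display of NUL bytes (the thread only says applications conventionally write a host name and user name into the payload) are assumptions made for this example. The payload formatter is plain C; only the mailslot code needs Windows.

```c
/*
 * Added example (not from the thread): read the Messenger service mailslot.
 * Build on Windows with MinGW or MSVC:  gcc -o slotread slotread.c
 * The Messenger service must be stopped first, because a mailslot name can
 * have only one server end and the service already owns this one.
 */
#include <stdio.h>
#include <string.h>

/* Make a raw mailslot payload printable. Payloads are arbitrary bytes; the
 * thread notes that by convention senders embed a host name and user name,
 * so NUL separators are shown as " | " (an assumption for display only) and
 * other control bytes become '.'. Returns the number of bytes written to
 * out, which is always NUL-terminated when outcap > 0. */
size_t render_payload(const char *msg, size_t len, char *out, size_t outcap)
{
    size_t n = 0;
    if (outcap == 0)
        return 0;
    for (size_t i = 0; i < len && n + 4 < outcap; i++) {   /* room for " | " + NUL */
        unsigned char c = (unsigned char)msg[i];
        if (c == '\0') {
            out[n++] = ' '; out[n++] = '|'; out[n++] = ' ';
        } else if (c < 0x20 || c == 0x7f) {
            out[n++] = '.';
        } else {
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    return n;
}

#ifdef _WIN32
#include <windows.h>

/* Slot name as given in the thread. */
#define MESSENGER_SLOT "\\\\.\\mailslot\\messngr"
/* Largest message this example will display (assumed value). */
#define MAX_MSG 4096

/* Create the server end of a mailslot. Returns INVALID_HANDLE_VALUE on
 * failure, e.g. when the Messenger service still owns the name. */
HANDLE open_mailslot_server(const char *name)
{
    return CreateMailslotA(name,
                           0,                     /* no per-message size limit */
                           MAILSLOT_WAIT_FOREVER, /* ReadFile blocks when empty */
                           NULL);                 /* default security */
}

/* Copy one queued message into buf (NUL-terminated).
 * Returns its length, 0 if nothing is queued, -1 on error.
 * GetMailslotInfo() tells us the next message size, so we never call
 * ReadFile() for 0 bytes (see the NT/Win98 blocking note in the thread). */
int read_one_message(HANDLE slot, char *buf, DWORD cap)
{
    DWORD next = 0, count = 0, got = 0;

    if (!GetMailslotInfo(slot, NULL, &next, &count, NULL))
        return -1;
    if (next == MAILSLOT_NO_MESSAGE || count == 0)
        return 0;
    if (next >= cap) {
        /* A read shorter than the message does not truncate cleanly on a
         * mailslot, so drain the oversize message into scratch and drop it. */
        char *scratch = (char *)HeapAlloc(GetProcessHeap(), 0, next);
        if (!scratch)
            return -1;
        ReadFile(slot, scratch, next, &got, NULL);
        HeapFree(GetProcessHeap(), 0, scratch);
        return -1;
    }
    if (!ReadFile(slot, buf, next, &got, NULL))
        return -1;
    buf[got] = '\0';
    return (int)got;
}

int main(void)
{
    char raw[MAX_MSG], shown[3 * MAX_MSG + 1];
    HANDLE slot = open_mailslot_server(MESSENGER_SLOT);

    if (slot == INVALID_HANDLE_VALUE) {
        fprintf(stderr, "CreateMailslot failed, error %lu "
                        "(is the Messenger service still running?)\n",
                (unsigned long)GetLastError());
        return 1;
    }
    for (;;) {
        int n = read_one_message(slot, raw, sizeof raw);
        if (n < 0) {
            fprintf(stderr, "read error %lu\n", (unsigned long)GetLastError());
            break;
        }
        if (n == 0) {
            Sleep(200);   /* poll interval, assumed */
            continue;
        }
        render_payload(raw, (size_t)n, shown, sizeof shown);
        /* Everything we know about the sender is inside the bytes it wrote:
         * no source address, host or interface is available from the handle. */
        printf("[%d bytes] %s\n", n, shown);
    }
    CloseHandle(slot);
    return 0;
}
#endif /* _WIN32 */
```

Per-interface allow/deny, as asked for in the quoted message, cannot be built on top of this: the only place the interface is visible is below the mailslot, on the network path that delivers the datagram, which is why the thread steers toward either filtering there or not running the service at all.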
