Solved

How can I receive broadcasts to 255.255.255.255?

Posted on 2004-04-12
Last Modified: 2013-12-03
I am investigating writing a DHCP server to run under Win2K & WinXP.  I have so far implemented a partly-successful packet sniffer under Winsock2, using a socket configured with the SOCK_RAW and SIO_RCVALL options.  I was surprised to discover that the SIO_RCVALL option does not actually return all packets on the network:  It appears to return only those packets which were successfully received by a machine on the network.  (This was revealed when I could sniff DHCP client/server conversations, but could no longer see the DHCP requests when the DHCP server was removed from the network).

So I can't use just SIO_RCVALL to catch incoming DHCP requests while implementing a DHCP server.

I attempted to add the DHCP broadcast address of 255.255.255.255 to my adapter's list of IP addresses, but Windows 2000's Advanced TCPIP settings dialog does not allow this address, instead popping up an error dialog stating, "255 is not a valid entry.  Please specify a value between 1 and 223."

So who can tell me how to either a) receive these packets using another parameter besides SIO_RCVALL, or b) get the needed 255.255.255.255 broadcast address into my adapter's address list without having to write a device driver?

(If someone can authoritatively answer that the only way to do this is to write or modify a device driver, I will of course have to accept it as an answer if no other answer appears).
0
Question by:RHenningsgard
25 Comments
 
LVL 8

Assisted Solution

by:_corey_
_corey_ earned 250 total points
ID: 10807422
Well, if you're just looking to sniff, and want to write your code based off of that, I'd suggest: http://www.ethereal.com/

It's a filter driver and works great from what I've used.
0
 
LVL 2

Author Comment

by:RHenningsgard
ID: 10807547
Yes, I've looked into Ethereal, but I have a real aversion to the thought of using (and being dependent on) a third-party driver or DLL like the WinPCap upon which Ethereal depends.  I'll use something like that only as a last resort.  Right now I'm reading the source for WinPCap scrounging for API clues.
0
 
LVL 8

Expert Comment

by:_corey_
ID: 10807808
Well, you're only looking at it for information for your own program.  It's not production reliability needs, or am I wrong?

I've done some extensive debugging with it and found the data to be accurate, and the system was still stable with it.
0
 
LVL 2

Author Comment

by:RHenningsgard
ID: 10807935
<<It's not production reliability needs, or am I wrong?>>

Got it:  I see how one could have construed that from the way I described the context of my question.  No, this is absolutely a production reliability issue, as I'm choosing/developing the technology we'll build into a commercial product.  I can't use a third-party piece like WinPCap under any circumstances.

So to focus the question:  How (or can) I get Winsock2 to return me all network UDP datagrams addressed to 255.255.255.255?

P.S. I'm a paying Premium member and will happily increase the points for a working answer to this question well beyond 500.
0
 
LVL 2

Author Comment

by:RHenningsgard
ID: 10808126
More refinement:

The problem is not actually the 255.255.255.255 destination address:  It is apparently whether the Ethernet packet is acked at the transport level or not, to wit:

I hook up my two-machine test setup to a hub.  I run my sniffer (socket with SIO_RCVALL), and I ping one machine from the other (i.e. "ping 192.168.0.1" from a machine at ip 192.168.0.2).  Bingo, in come the packets from Winsock2.  

All else remaining the same, from the same keyboard, I ping an address having no representative on the isolated net, (i.e. "ping 192.168.0.3" from the machine at ip 192.168.0.2).  Nothing shows up from Winsock2, even as the link lights flash, and the sending machine repeatedly says "Request timed out".

So apparently, a socket optioned with SIO_RCVALL returns only packets which got acked at the Ethernet level.

Any suggestions, experts?
0
 
LVL 8

Expert Comment

by:_corey_
ID: 10808278
Yea, those requests create an ARP packet, which I'm not sure how to capture at winsock.  I'm interested to see what someone has on that.
0
 
LVL 2

Author Comment

by:RHenningsgard
ID: 10808587
Well, I just tried a nice-looking sniffer called "Capsa", and it doesn't even log packets sent to an IP address that's not represented on the subnet.  It is an interesting problem indeed, but also vexing.

I'm going to try a Winsock XRay grabber with a 3rd-party program that does DHCP serving, to see if that yields any clues.  Man, the points for this answer are increasing by the hour... as is the pile of my hair on the floor.
0
 
LVL 49

Accepted Solution

by:DanRollins
DanRollins earned 250 total points
ID: 10815473
hi RHenningsgard,
As Page Editor for this section, I was asked to look into this for you.  It is quite a bit outside of my area of expertise, but I did find some information that (while it sounds like gibberish to me) might make sense to you.  I used this search string on Google Groups:

    http://groups.google.com/groups?q=%22255.255.255.255%22

A few of the early items look promising.... talking about potential problems related to routers and also socket options that may apply.

    http://groups.google.com/groups?threadm=381509AF.8707E82%40ihug.co.nzNOSPAM

    http://groups.google.com/groups?threadm=356B6181.37E6355B%40ilog.com

    http://groups.google.com/groups?threadm=Nlmu7.19%241F6.124908%40newsr2.u-net.net

Sorry that I don't have time right now for any more detailed digging, but that google-groups search might help.  I am also adding a {LQ} Link Question to the E networking areas to see if I can lure some of those smart folks into taking a look.

Good luck!

-- DanRollins / EE Page Editor
0
 
LVL 8

Expert Comment

by:_corey_
ID: 10815661
RH,

  I've seen that also (the notes provided by Dan), but the socket option only sets broadcast send ability.
0
 
LVL 2

Author Comment

by:RHenningsgard
ID: 10815784
Guys, I'm going to close this one, with a split award to corey and Dan.  As it works out, the strict title of my question was actually kind of addressed in corey's first post, and then refined (greatly) by the post from our Page Editor.  The question I _should_ have asked was either "How can I receive DHCPDISCOVER Ethernet packets?", or possibly "How can I receive ARP packets?".

The real discovery in this thread was that a Winsock2 SO_RCVALL implementation of a sniffer will NOT receive packets which were not successfully received and acked at the Ethernet transport level.  I tried this in several sniffers (including my own development prototype), and have concluded that it's a fact.  This has interesting implementations for anyone implementing any sniffer-type application.

The answer to catching and answering DHCPDISCOVER ARP packets seems to be inescapably at the NDIS level, which is where I'm headed next.  Thanks to all who read the question, and of course to corey and Dan.
0
 
LVL 8

Expert Comment

by:mxjijo
ID: 10815880

 RHenningsgard,
      Are you binding your socket explicitly to a local n/w interface or INADDR_ANY ?

 
0
 
LVL 8

Expert Comment

by:_corey_
ID: 10816129
I don't think it would work at all if he was binding to INADDR_ANY, would it?

Well this post has been informative for me as well.  I really never knew if it was possible to do a full sniff at the ethernet level.  I guess I assumed it had to be done with a filter driver but never needed it manually.
0
 
LVL 2

Author Comment

by:RHenningsgard
ID: 10816193
mxjijo,

I read somewhere in the catacombs of MSDN that INADDR_ANY and SO_RCVALL are mutually exclusive.  My experience has borne that out, inasmuch as every attempt to do so resulted in a socket error on the bind() call.

I'm taking a second look at WinPCap, too, to see if I can live with the 3rd-party package corey recommended indirectly in his first post.  It looks good so far, and with my deadline fast approaching, I don't have time to learn how to write my own NDIS driver.

I should probably post the Delphi source for my prototype sniffer somewhere:  Such a find would have saved me about three days of work this past week.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 10816301
Have you seen this article?

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/wsaioctl_2.asp

I'm wondering if SIO_RCVALL_MCAST or SIO_RCVALL_IGMPMCAST would be relevant to you.

0
 
LVL 8

Expert Comment

by:_corey_
ID: 10816355
Those 2 are just limited versions of RCVALL.
0
 
LVL 2

Author Comment

by:RHenningsgard
ID: 10816398
Netman66,

Y'know, I didn't bother trying those after I read the fine print in that document (clearly states that the address range thereby enabled doesn't include 255.255.255.255).  I should also mention here that after a DHCP server responds to the original (Winsock2-invisible) DHCPDISCOVER packet, I have actually been receiving packets addressed to 255.255.255.255.

On the flip side, with the project fresh on my system, it'll take only a few minutes to give SIO_RCVALL_MCAST a shot when I can make the time.

The more I've studied this, the more I'm concluding it's NDIS or nothing, if one wants to catch and respond to that apparently-ARP DHCPDISCOVER packet.
0
 
LVL 8

Expert Comment

by:_corey_
ID: 10816438
http://www.codetools.com/csharp/SendRawPacket.asp

The DDK source I've used for other things is very usable and easily modifiable in my opinion.

You should look into this.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 10816448
I'm thinking it's outside the Winsock boundaries and that you are correct in assuming it's deeper in.  I have found plenty of references to how DHCP works but nothing definitive on how to pick it up.

It would be interesting to see what's injected into the stack when DHCP is installed on a server - perhaps then you might see at what level the hooks are to deal with this properly.

I have to admit also that this is over my head - but no less interesting to me.  I'll be looking around in the meantime.



0
 
LVL 51

Expert Comment

by:Netman66
ID: 10816466
Yeah, MCAST is not what you're looking for - since multi-cast is a set of addresses not a broadcast....

0
 
LVL 51

Expert Comment

by:Netman66
ID: 10816482
_corey, that link looks promising except it has to install an NDIS shim on the stack - I wonder if you could modify to use the existing driver?

0
 
LVL 8

Expert Comment

by:_corey_
ID: 10816499
Well, you're going to have to insert an extra filter somewhere, unless you have source to the original.
0
 
LVL 11

Expert Comment

by:PennGwyn
ID: 10818794
> The problem is not actually the 255.255.255.255 destination address:  It is apparently whether the Ethernet packet is
> acked at the transport level or not, to wit:

Close, but no.  Read on.

> I hook up my two-machine test setup to a hub.  I run my sniffer (socket with SIO_RCVALL), and I ping one machine from
> the other (i.e. "ping 192.168.0.1" from a machine at ip 192.168.0.2).  Bingo, in come the packets from Winsock2.  
>
> All else remaining the same, from the same keyboard, I ping an address having no representative on the isolated net,
> (i.e. "ping 192.168.0.3" from the machine at ip 192.168.0.2).  Nothing shows up from Winsock2, even as the link lights
> flash, and the sending machine repeatedly says "Request timed out".
>
> So apparently, a socket optioned with SIO_RCVALL returns only packets which got acked at the Ethernet level.

Not exactly.  Those link light flashes are not the "ICMP echo request" ping packets going out.  They're the lower-level ARP request packets going out, trying to resolve the target IP address to a MAC address.  If they don't get an answer, the IP packet cannot be sent.

That, however, does not fully explain your problem, because broadcasts should just translate to the broadcast MAC address without relying on ARP.  It does suggest, though, that unless you're seeing layer 2 traffic such as ARP, you can't really tell what's going on in the network.

0
 
LVL 2

Author Comment

by:RHenningsgard
ID: 10822296
PennGwyn,

DOH!  Of course!  Thank you for letting some light into my dark room.  (I must admit you've caught me having a "senior moment", as I should have known that instinctively.)

Drat, it has been so long since I worked this close to the bare metal that I've overlooked some of the basics.  (How humbling.)

Returning to the essence of the inquiry, I've been working with WinPCap for a few hours, and it's becoming obvious that the NDIS level is where I need to be to accomplish my project goals.  WinPCap looks very, very good.

I really want to again thank everyone who has contributed to this thread.  I just anted up as a premium member, and you've given me my money's worth already.  I'll ask customer service if there's a way I can award another round of points to all who contributed.
0
 
LVL 8

Expert Comment

by:_corey_
ID: 10824529
I was looking into some details on an NDIS filter driver for you, but go with what is there if you can :)

0
 
LVL 2

Author Comment

by:RHenningsgard
ID: 10824597
Thanks corey.  I am well on my way, and now committed to the WinPCap approach. One of the things I need to do after the DHCP is a spoof-proofing layer which audits the MAC of every inbound packet from the local subnet against the claimed sender's IP address, so I was probably headed towards the NDIS layer anyhow.  Cheers!
0
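
The MAC-versus-IP audit mentioned in the last comment, as an added example (not code from the thread or from WinPCap). It works on raw Ethernet frames from a layer-2 capture, so it also sees the ARP traffic that never reached the Winsock sniffer. The function names, the 192.168.0.0/24 subnet (taken from the thread's test addresses), the trust-on-first-sighting policy and both sample frames are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Added example; names, the /24 and the sample frames are assumptions. */
enum verdict { V_SKIP, V_LEARNED, V_OK, V_MISMATCH };
static const uint8_t LOCAL_NET[3] = {192, 168, 0};       /* 192.168.0.0/24 */
static const uint8_t ARP_ETH_IP[6] = {0, 1, 8, 0, 6, 4}; /* htype/ptype/hlen/plen */
static struct { uint8_t ip[4], mac[6]; } table[64];
static size_t n_bound;

/* Compare (ip, mac) with the binding table; the first sighting is trusted. */
static enum verdict check(const uint8_t *ip, const uint8_t *mac)
{
    if (memcmp(ip, LOCAL_NET, 3) != 0)
        return V_SKIP;   /* off-subnet (router's MAC) or 0.0.0.0 (DHCPDISCOVER) */
    for (size_t i = 0; i < n_bound; i++)
        if (memcmp(table[i].ip, ip, 4) == 0)
            return memcmp(table[i].mac, mac, 6) ? V_MISMATCH : V_OK;
    if (n_bound == sizeof table / sizeof table[0])
        return V_SKIP;                   /* table full: cannot learn */
    memcpy(table[n_bound].ip, ip, 4);
    memcpy(table[n_bound++].mac, mac, 6);
    return V_LEARNED;
}

/* f: one raw Ethernet II frame from a layer-2 capture, len bytes long. */
enum verdict audit_frame(const uint8_t *f, size_t len)
{
    if (len < 34 || f[12] != 0x08)
        return V_SKIP;
    if (f[13] == 0x00 && (f[14] >> 4) == 4)
        return check(f + 26, f + 6);     /* IPv4 source address vs source MAC */
    if (f[13] != 0x06 || len < 42 || memcmp(f + 14, ARP_ETH_IP, 6) != 0)
        return V_SKIP;                   /* not Ethernet/IPv4 ARP */
    if (memcmp(f + 22, f + 6, 6) != 0)
        return V_MISMATCH;               /* ARP sender MAC != frame source MAC */
    return check(f + 28, f + 6);         /* ARP sender IP vs source MAC */
}

/* Constructed samples: ARP request from 192.168.0.2 asking for 192.168.0.3,
   and the Ethernet + IPv4 header of a DHCPDISCOVER (0.0.0.0 -> broadcast). */
const uint8_t SAMPLE_ARP[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06,
    0,1, 8,0, 6, 4, 0,1, 0x00,0x11,0x22,0x33,0x44,0x55, 192,168,0,2,
    0,0,0,0,0,0, 192,168,0,3 };
const uint8_t SAMPLE_DISCOVER[34] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x66, 0x08,0x00,
    0x45,0, 0x01,0x48, 0,0, 0,0, 128, 17, 0x39,0xa6, 0,0,0,0,
    255,255,255,255 };
```

Call `audit_frame` on every captured frame; the DHCPDISCOVER is skipped because its source address is 0.0.0.0, so a client with no lease is neither learned nor flagged.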
