This section contains frequently asked questions about using Packet Sniffer SDK (PSSDK).
HNAdapter
Q. What is the difference between the asynchronous and synchronous methods for obtaining
statistics?
A. The main difference between the Get_AsyncStatistics method and the UpdateUserStatistics/UpdateAdapterStatistics
methods is that Get_AsyncStatistics returns the requested statistics value asynchronously: the library's
internal thread delivers it to the OnStatistics event handler. Inside the OnStatistics event handler you
can read the updated value by calling the Get_xxxCount methods.
The Get_AsyncStatistics method is useful when only one statistics value needs to be updated.
Q. Is it possible to change the BPF filter while the adapter is open?
A. Yes, it is. The UserFilter property remains available after the HNAdapter object has opened
the network adapter.
Q. Is it possible that, while the filter is being changed, a packet that matches neither the old
filter nor the new one is passed?
A. No, this cannot happen, because the BPF filter change is synchronous with traffic
processing.
Q. Is it possible to open several network adapters simultaneously?
A. Yes, it is possible. Moreover, you can open the same device simultaneously as many times
as you wish.
For instance, one can use one HNAdapterConfig object with several HNAdapter objects, or
one HNAdapterConfig object with one HNAdapter object, etc.
Each HNAdapter object keeps its own individual settings before and after it is opened
(MacFilter, Statistics, packet enumeration, BPF, etc.).
HNPacket
Q. How can one get access to packet data?
A. Use the PacketData property to get a pointer to the buffer holding the packet data, and the
IncPacketSize property to get the size of the data in that buffer. Please refer to the examples
for details.
Q. How can I attach my own data to a particular HNPacket object?
A. Use the UserData property.
Q. How can one create or modify an HNPacket object so that its data can be processed by the
HNTcpManager component?
A. You should complete the following steps:
- Allocate memory for the HNPacket object using the AllocatePacket method;
- Copy the Ethernet frame into the HNPacket object buffer (PacketData property);
- Set the IncPacketSize property to the size of the data in the HNPacket
object buffer;
- Set the MediumType property to the atEthernet value.
Q. Suppose we have an Ethernet frame (byte array). How do we check the IP and TCP checksums with
HNPacket?
A. You should parse the Ethernet frame structure programmatically, obtain pointers to the IP and TCP
headers, and pass them to the InetCheckSum and TransportCheckSum methods. If the checksums
are correct, the repeated checksum computation (over a header that already contains its checksum field) returns 0.
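The following is an added example, not PSSDK code, showing the parsing and the "recomputation returns 0" check the answer describes in plain C: it locates the IPv4 and TCP headers in an Ethernet frame, recomputes the Internet checksum over the IP header and over the TCP segment with its pseudo-header, and treats a zero result as "checksum correct", which is what a caller feeds InetCheckSum and TransportCheckSum pointers for. The frame bytes, the result codes and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN 14

/* Result codes returned by verify_frame_checksums (constructed for this example) */
enum { CK_OK = 0, CK_BAD_IP = 1, CK_BAD_TCP = 2, CK_NOT_TCP_IPV4 = 3, CK_TRUNCATED = 4 };

/* One's-complement sum of len bytes added to acc, folded to 16 bits (RFC 1071). */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t acc) {
    while (len > 1) { acc += (uint32_t)p[0] << 8 | p[1]; p += 2; len -= 2; }
    if (len) acc += (uint32_t)p[0] << 8;           /* odd trailing byte is padded with zero */
    while (acc >> 16) acc = (acc & 0xFFFF) + (acc >> 16);
    return acc;
}

/* Internet checksum over p[0..len), seeded with a pseudo-header sum where needed.
 * When the buffer already holds a correct checksum field, the result is 0. */
static uint16_t inet_checksum(const uint8_t *p, size_t len, uint32_t seed) {
    return (uint16_t)(~ones_sum(p, len, seed) & 0xFFFF);
}

/* Locate the IPv4 and TCP headers in an Ethernet frame and re-run both checksums. */
int verify_frame_checksums(const uint8_t *frame, size_t len) {
    if (len < ETH_HLEN + 20) return CK_TRUNCATED;
    if (((frame[12] << 8) | frame[13]) != 0x0800) return CK_NOT_TCP_IPV4;   /* EtherType IPv4 */
    const uint8_t *ip = frame + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    size_t total = ((size_t)ip[2] << 8) | ip[3];
    if ((ip[0] >> 4) != 4 || ihl < 20 || total < ihl + 20 || ETH_HLEN + total > len) return CK_TRUNCATED;
    if (ip[9] != 6) return CK_NOT_TCP_IPV4;                                   /* protocol TCP */
    if (inet_checksum(ip, ihl, 0) != 0) return CK_BAD_IP;
    const uint8_t *tcp = ip + ihl;
    size_t tcp_len = total - ihl;
    /* TCP checksum covers a pseudo-header: src/dst address, zero, protocol, TCP length */
    uint32_t seed = ones_sum(ip + 12, 8, 0) + 6 + (uint32_t)tcp_len;
    if (inet_checksum(tcp, tcp_len, seed) != 0) return CK_BAD_TCP;
    return CK_OK;
}

/* Fill in both checksum fields of a constructed frame (IPv4/TCP layout as verified above). */
void fill_frame_checksums(uint8_t *frame) {
    uint8_t *ip = frame + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    size_t total = ((size_t)ip[2] << 8) | ip[3];
    uint8_t *tcp = ip + ihl;
    size_t tcp_len = total - ihl;
    ip[10] = ip[11] = 0;
    uint16_t c = inet_checksum(ip, ihl, 0);
    ip[10] = (uint8_t)(c >> 8); ip[11] = (uint8_t)(c & 0xFF);
    tcp[16] = tcp[17] = 0;
    c = inet_checksum(tcp, tcp_len, ones_sum(ip + 12, 8, 0) + 6 + (uint32_t)tcp_len);
    tcp[16] = (uint8_t)(c >> 8); tcp[17] = (uint8_t)(c & 0xFF);
}

/* Constructed sample: Ethernet + IPv4 (total length 44, no options) + TCP SYN + 4 payload bytes */
static uint8_t sample_frame[58] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xAA,0xBB, 0x08,0x00,
    0x45,0x00,0x00,0x2C, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00, 10,0,0,1, 10,0,0,2,
    0x04,0xD2,0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02,0x20,0x00, 0x00,0x00,0x00,0x00,
    'd','a','t','a'
};

int sample_frame_status(void) {
    fill_frame_checksums(sample_frame);
    return verify_frame_checksums(sample_frame, sizeof sample_frame);
}

/* Flip one payload bit: the IP checksum still passes, the TCP checksum no longer does. */
int corrupted_frame_status(void) {
    uint8_t copy[sizeof sample_frame];
    fill_frame_checksums(sample_frame);
    memcpy(copy, sample_frame, sizeof copy);
    copy[sizeof copy - 1] ^= 0x01;
    return verify_frame_checksums(copy, sizeof copy);
}

int main(void) {
    printf("intact frame: %d (0 = both checksums OK)\n", sample_frame_status());
    printf("corrupted payload: %d (2 = bad TCP checksum)\n", corrupted_frame_status());
    return 0;
}
```

The bounds checks before each header access are the part worth keeping: a captured frame may be truncated or carry a bogus IHL or total length, and code that hands pointers to a checksum routine must confirm those pointers lie inside the buffer first.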
Q. How can I make an HNPacket object compute the checksum for my packet?
A. It is not possible, because the checksum methods of the HNPacket object do not interpret
the structure of the data stored in the object buffer.
HNPSManager
Q. In what cases does the OnConfigChange event fire?
A. This event fires during library initialization when the Initialize method is called, when
the RefreshAdapterList method is called (to refresh the adapter list), or when the
HNAdapterConfig.Update method is called (to refresh the network adapter configuration
settings).
Q. In the context of what thread does the OnConfigChange event fire?
A. The OnConfigChange event fires in the context of the thread that calls the Initialize,
RefreshAdapterList, or HNAdapterConfig.Update method.
Q. Does the RefreshAdapterList method update the whole list of HNAdapterConfig
objects?
A. Yes. When RefreshAdapterList is called, the HNPSManager component rebuilds the
whole list of HNAdapterConfig objects.
Q. How can I detect the appearance of a new adapter in the system?
A. In the Windows OS family there is no universal method for detecting the appearance of a new
system device. Try handling the WM_DEVICECHANGE window message and calling the
RefreshAdapterList method from that handler.
HNQueue
Q. How many threads can the HNQueue component create?
A. The HNQueue component creates at most one thread, and only after a successful Start
method call. You can find out whether the internal queue thread currently exists with the
IsStarted function.
Q. In the context of which thread are the events of the HNQueue component called?
A. All events of the HNQueue component are called in the context of the component's internal
thread, except the OnDelete event. That event is called in the context of the thread that
called the FreeItems method.
Q. How is the HNQueue.OnPacketReceive event triggered?
A. After a successful Start method call the component creates a thread that calls the
Get_FullItem method and waits for data packets to be enqueued. A Return_FullItem method
call wakes that thread and the OnPacketReceive event fires. Remember that you must call the
Return_FreeItem method yourself to inform the queue that the HNPacket packet is available
for further use.
Q. How do I shut down the queue's internal thread correctly?
A. To shut down the queue's internal thread, call the Stop method. While Stop executes, the
UnblockWaitFull method is called, which wakes all threads waiting for a Get_FullItem
method call to complete.
Q. Is it possible to use my own thread to process the captured traffic through the queue,
using HNAdapter together with HNQueue?
A. Yes, it is. You can create your own thread that uses the Get_FullItem and
Return_FreeItem methods. For example:
- Set the HNAdapter.ReceiveQueue property to HNQueue.Handle;
- Create HNPacket objects through the queue: HNQueue.AllocItems;
- Open the network adapter with HNAdapter.OpenAdapter;
- Create your own traffic-processing thread that calls the HNQueue.Get_FullItem method;
- Set the HNAdapter.MacFilter property.
Q. Is it possible to process HNPacket objects that do not belong to the queue with the
HNQueue component?
A. No, it is not. Doing so may lead to incorrect operation of your application.
Q. If I use HNAdapter together with HNQueue to process the captured traffic, how soon
is the HNQueue.OnPacketReceive event called?
A. The HNQueue.OnPacketReceive event is called immediately after the HNAdapter component
receives the packet.
Q. Can I use a single queue for two or more open adapters?
A. Yes, you can, since the HNQueue component supports any number of threads.
Bear in mind, though, that the per-packet data buffer size is the same for all adapters
using the HNQueue component.
Q. Why does the application's main thread deadlock every time I call the Stop method?
A. The Stop method waits for the queue's internal thread to finish, so a deadlock can
occur only if the queue's internal thread has not finished yet. This may happen for the following
reasons:
- You used code that is synchronous with the application's main thread, for instance a
SendMessage call. This is typical when graphical elements of the application are updated from
the queue thread.
- You used code in the queue thread that waits for some event, for instance with the
WaitForxxx functions.
HNTcpManager
Q. How can I reassemble a TCP session and get access to the session data with PSSDK?
A. Use the HNTcpManager component, which is intended for reconstructing
TCP sessions from the captured traffic.
Q. Does the HNTcpManager component work with Token Ring?
A. No, it does not. This version of PSSDK has the following restrictions:
- Traffic is processed only from Ethernet adapters; the MediumType property of the HNPacket
object must have the atEthernet value;
- The only supported version of the IP protocol is IPv4;
- IP fragmentation is not supported.
Q. What happens if I pass non-TCP/IP data to the ProcessPacket method? Is that allowed?
A. Yes, it is. The HNTcpManager component analyzes the data structure in the HNPacket object
buffer, and if it does not match the processing criteria, the HNPacket object is
immediately returned for further processing through the OnPacketReturn event handler.
Q. In what order are HNTcpManager events called?
A. After an HNPacket object is passed to the ProcessPacket method, the HNTcpManager
component checks the contents of the object's data buffer and decides on further action:
- If the packet buffer contents do not meet the checking criteria, the HNPacket object
is returned for further use through the OnPacketReturn event handler;
- If the packet buffer contents meet the checking criteria:
  - OnSessionCreate is executed when the HNTcpManager object registers the TCP
  session;
  - OnSessionConnect is executed right after the TCP connection is successfully established;
  - OnClientData/OnServerData is executed right after data sent by the client/server
  is received;
  - OnSessionClose is executed right after the TCP session completes;
  - OnSessionDelete is executed immediately before the HNTcpSession object is deleted;
  - OnPacketReturn is executed after the packet has been released for further use.
Q. In the context of what thread are the event handlers of the HNTcpManager object called?
A. All event handlers are called in the context of the thread that called the ProcessPacket
method. The HNTcpManager component does not create any internal threads.
Q. Are the OnClientData and OnServerData events called for each object individually?
A. Yes, they are. The HNTcpManager component does not use any additional memory for session
reconstruction; instead it uses the memory of the HNPacket objects.
Q. How is the session timeout set, after which a session is considered closed?
A. The session has a LastPacketTime property. It is used to delete the session when the
ResetOnTimeOut method is called. The closing decision looks as follows:
IF GetTickCount() - LastPacketTime >= TimeOut THEN ResetOnTimeOut,
where GetTickCount() is a Win32 API function.
You can also use your own algorithm to trace sessions whose idle period you consider
exceeded. To do so you can, for instance, maintain your own list of HNTcpSession
objects, trace the LastPacketTime property of each object, and if necessary call the
CloseSession or DeleteSession methods.
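As an added example (not PSSDK code), here is the timeout rule from the answer applied to a small list of sessions the way a caller's own tracing loop would do it. The Session struct, the session names and the time values are constructed stand-ins for HNTcpSession objects and for GetTickCount(); the point worth noting is that the subtraction is done in unsigned 32-bit arithmetic, so a GetTickCount() value that wrapped past 2^32 milliseconds since the last packet still yields the true elapsed time instead of keeping an idle session alive.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for an HNTcpSession: only the fields the timeout check needs */
typedef struct {
    const char *name;            /* hypothetical label for the session */
    uint32_t last_packet_time;   /* stands in for LastPacketTime, in millisecond ticks */
    int closed;                  /* set where real code would call CloseSession/DeleteSession */
} Session;

/* The page's rule: now - LastPacketTime >= TimeOut. Both operands are 32-bit unsigned, so
 * the difference is taken modulo 2^32 and a wrapped tick counter still gives the right answer. */
int session_expired(uint32_t now, uint32_t last_packet_time, uint32_t timeout_ms) {
    return (uint32_t)(now - last_packet_time) >= timeout_ms;
}

/* Walk the list once, close every session idle for at least timeout_ms, return how many were closed. */
int reset_on_timeout(Session *sessions, int count, uint32_t now, uint32_t timeout_ms) {
    int closed = 0;
    for (int i = 0; i < count; i++) {
        if (!sessions[i].closed &&
            session_expired(now, sessions[i].last_packet_time, timeout_ms)) {
            sessions[i].closed = 1;
            closed++;
        }
    }
    return closed;
}

int main(void) {
    /* Constructed sample: "now" is 10000 ms; the third session's last packet was seen just
     * before the tick counter wrapped, so its elapsed time is 10000 + 256 ms. */
    Session list[] = {
        { "idle", 4000, 0 },
        { "active", 9500, 0 },
        { "wrapped", 0xFFFFFF00u, 0 },
    };
    int n = reset_on_timeout(list, 3, 10000, 5000);
    printf("closed %d session(s)\n", n);
    for (int i = 0; i < 3; i++)
        printf("%-8s closed=%d\n", list[i].name, list[i].closed);
    return 0;
}
```

If the comparison were written with signed integers, the wrapped case would compute a large negative difference and the idle session would never time out; the same holds for a hand-rolled 64-bit "now" compared against a 32-bit LastPacketTime without masking.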
Q. Why do sessions stop being reassembled when the CheckTcpSum property is set to TRUE?
A. Some network adapter vendors allow the adapter driver to calculate and check checksums
as packets are sent and received (checksum offload). Windows knows that the driver has this
capability, so it does not compute or check the checksums itself, to save processing time.
Thus, when capturing sessions on the local computer you may receive packets whose checksums have
not been calculated yet, since local packets are captured before they are passed to the network
adapter driver. In the next version of PSSDK a new property will be added to the HNAdapterConfig
object which will report whether the network card is able to calculate and check packet checksums.
Q. How does the HNTcpManager component work if the InvaderMode property is set to TRUE?
A. If this flag is set to TRUE, then when TCP data arrive for an unregistered session the
HNTcpManager component registers a new session at the time the ProcessPacket function
is executed.
Q. How does the HNTcpManager component work if the VirtualMode property is set to TRUE?
A. If this flag is set to TRUE, the HNTcpManager component uses only the TCP packet
parameters and the HNPacket object property values at the time the ProcessPacket function
is executed.
Virtual TCP session mode can be used when it is necessary to analyze network activity, i.e.
when only the TCP connection properties are of interest (the number of connections per unit of time,
the amount of data sent, the hosts taking part in the interaction, etc.) and not the connection
data (the TCP packet contents).
HNUserFilter
Q. Do the CompileBPFAsmFromxxx methods compile BPF assembler into BPF instructions or CPU instructions?
A. These methods compile the BPF assembler program into the BPF instruction set. The resulting
program can be compiled into the CPU instruction set at the level of the PSSDK library driver, if
the HNAdapter.UseFastUserFilter property is set to TRUE, or by a
HNUserFilter.CompileToFastBPF method call if the filter is used at the application level.
Q. What is sent to the library driver as a filter, BPF instructions or CPU instructions,
if the CompileToFastBPF method is called first and then the HNAdapter.UserFilter property
is set?
A. Only BPF instructions are sent to the library driver as a filter. This is done to
exclude the execution of malicious code at the OS privileged level.
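To show why a driver can safely accept a BPF instruction program from user mode but must never accept native code, here is an added example, not PSSDK code, of the two things a kernel-side BPF consumer does with a program before trusting it: a validator that rejects unknown opcodes and jumps that leave the program, and an interpreter whose every packet load is bounds-checked. Only a small classic-BPF subset is implemented (ldh/ldb absolute, jeq, ret); the "ip and tcp" program, the sample frames and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Classic BPF opcode values for the subset handled here */
#define BPF_LDH_ABS 0x28   /* A = 16-bit big-endian word at packet[k] */
#define BPF_LDB_ABS 0x30   /* A = byte at packet[k] */
#define BPF_JEQ_K   0x15   /* if (A == k) pc += jt else pc += jf   (relative to next insn) */
#define BPF_RET_K   0x06   /* accept k bytes of the packet (0 = drop) */

typedef struct { uint16_t code; uint8_t jt, jf; uint32_t k; } bpf_insn;
#define NINSN(p) (sizeof(p) / sizeof((p)[0]))

/* Reject programs that could leave the instruction stream or use an opcode we do not
 * interpret. Every instruction is data to this checker; none of it is ever executed natively. */
int bpf_validate(const bpf_insn *prog, size_t len) {
    if (len == 0 || len > 4096) return 0;
    for (size_t i = 0; i < len; i++) {
        switch (prog[i].code) {
        case BPF_LDH_ABS: case BPF_LDB_ABS: case BPF_RET_K: break;
        case BPF_JEQ_K:
            /* jumps are forward-only and both targets must stay inside the program */
            if (i + 1 + prog[i].jt >= len || i + 1 + prog[i].jf >= len) return 0;
            break;
        default: return 0;
        }
    }
    return prog[len - 1].code == BPF_RET_K;   /* the program must end in a return */
}

/* Run a validated program over one packet; returns bytes to accept (0 = drop).
 * A load past the end of the packet drops it instead of reading out of bounds. */
uint32_t bpf_run(const bpf_insn *prog, size_t len, const uint8_t *pkt, size_t pkt_len) {
    uint32_t a = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const bpf_insn *in = &prog[pc];
        switch (in->code) {
        case BPF_LDH_ABS:
            if ((size_t)in->k + 2 > pkt_len) return 0;
            a = (uint32_t)pkt[in->k] << 8 | pkt[in->k + 1];
            break;
        case BPF_LDB_ABS:
            if ((size_t)in->k + 1 > pkt_len) return 0;
            a = pkt[in->k];
            break;
        case BPF_JEQ_K:
            pc += (a == in->k) ? in->jt : in->jf;   /* loop's pc++ supplies the "+1" */
            break;
        case BPF_RET_K:
            return in->k;
        }
    }
    return 0;
}

/* Constructed program equivalent to the filter expression "ip and tcp" */
static const bpf_insn ip_and_tcp[] = {
    { BPF_LDH_ABS, 0, 0, 12 },       /* A = EtherType */
    { BPF_JEQ_K,   0, 3, 0x0800 },   /* not IPv4 -> jump to drop */
    { BPF_LDB_ABS, 0, 0, 23 },       /* A = IPv4 protocol field */
    { BPF_JEQ_K,   0, 1, 6 },        /* not TCP -> jump to drop */
    { BPF_RET_K,   0, 0, 65535 },    /* accept the whole packet */
    { BPF_RET_K,   0, 0, 0 },        /* drop */
};
/* Constructed malformed program: both jump targets point past the end */
static const bpf_insn bad_prog[] = { { BPF_JEQ_K, 5, 5, 0 }, { BPF_RET_K, 0, 0, 0 } };

/* Constructed frames: MAC header, EtherType, then an IPv4 header (protocol at offset 23) */
static const uint8_t tcp_frame[34] = { 0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,
    0x45,0,0,20, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2 };
static const uint8_t udp_frame[34] = { 0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,
    0x45,0,0,20, 0,0,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,2 };
/* IPv4 EtherType but cut off before the protocol byte: the ldb [23] must not read past the end */
static const uint8_t short_frame[20] = { 0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00, 0x45,0,0,20,0,0 };

int main(void) {
    printf("ip_and_tcp valid: %d, bad_prog valid: %d\n",
           bpf_validate(ip_and_tcp, NINSN(ip_and_tcp)), bpf_validate(bad_prog, NINSN(bad_prog)));
    printf("tcp: %u  udp: %u  truncated: %u\n",
           bpf_run(ip_and_tcp, NINSN(ip_and_tcp), tcp_frame, sizeof tcp_frame),
           bpf_run(ip_and_tcp, NINSN(ip_and_tcp), udp_frame, sizeof udp_frame),
           bpf_run(ip_and_tcp, NINSN(ip_and_tcp), short_frame, sizeof short_frame));
    return 0;
}
```

The contrast with the question is the whole point: a BPF program is data that the privileged side can check and interpret (or, after checking, translate to native code itself, as the driver does for UseFastUserFilter), whereas native code handed in from user mode cannot be validated and would run with the driver's privileges unchecked.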