Simple Bridge Performance and DNS ???

Oct 25, 2011 at 12:32 PM

Hi I have 2 questions.  (1) is Calculating speed of connection in a simple bridge, the second (2) is DNS remanipulation....

1)   If I setup a simple bridge. (ie.  2 Network cards, Say A and B)

      Listen on A,   Do your work logging/changing/etc, then Send on B
      Listen on B,   Do your work logging/changing/etc, then Send on A

      What calcs should I use to determine the throughput of a given Ip address ? (stats mode in WinpCap doesn't allow capture ??? So it must be done by hand ?)

          ie.. This simple bridge would be inline with my adsl line. It would be nice to see what speed (for example) was pulling through the bridge

2) Again on the simple bridge... I would like to poison the DNS requests for a certain site at my school.  Do you have an example piece of code which shows

    capturing a DNS request

    if its say   returning a different address ?  (say google ?)

    I'm assuming TCP checksum recalc, and copy DNS details, modifying ip address (whats the preferred way for DNS manipulation using Pcap.NET)





Oct 29, 2011 at 8:11 AM

Hi CastleSoft,


1. You simply count the packets for the given IP or create a filter for the given IP and use stats (you don't need to capture just for the stats part, you can do the capturing in a separate PacketCommunicator).
I'm not sure if this helps but I need more details to understand your problem fully. What kind of a given IP (sender to you? your IP? The IP you send to?).
2. Please don't do anything illegal.
Assuming you are allowed to poison DNS requests at your school, DNS manipulation is coming in the next version.
You can download the latest sources and build them to have a current version, which allows you to capture DNS packets, manipulate them and send your own DNS packets (of course, since it's not a released version, it is isn't fully featured, it hasn't been fully tested and the documentation is lacking).
You can read about DNS poisoning and decide what method of poisoning you prefer to do and then implement it using Pcap.Net.
I hope this helps,
Oct 29, 2011 at 11:20 AM

Hi Boaz,

I'll try and clarify the first question...

I have a simple transparent bridge between my network and internet.  Packets from the LAN are received on CARD A, then SEND out on CARD B to the Internet. Incoming Internet replies are received on CARDB and then SEND on Card A.

So both cards are always Capturing and Sending, and are doing this for ALL LAN traffic heading to the Gateway (which is 700+ PC's) no pcap filters are applied and the its not in stats mode.

This works perfectly.. But I would like to be able to pick any IP using the bridge and calculate their live/current bandwidth usage.

 I can log the IP's, etc then divide per second etc.. Is this the right way to go ? Or can I enable stats and Capture/send at the same time ?

As for DNS... Its not for anything illegal.

Basically we can filter adult content/facebook/etc for students easily.... BUT some websites are switching to SSL which causes current webfilters problems. Short of blocking all SSL sites.

My thought is... If I can monitor each PC's DNS request.. I can see when a machine is trying to lookup say GOOGLE+ and redirect it to a blocking page. Currently we monitor HTTP requests and redirect, its just another level of student protection.

We can apply profiles to the desktops etc to stop students adding HOST entries etc.. And firewall alternate DNS servers etc...

Its a little cleaner than Man in the Middle for SSL monitoring of sites...  Its also more flexible than forcing say OpenDNS, as it's not flexible enough for us. (Its got no Safe Search and missing LOTS of features).

I'll grab your latest source code and give it a try.






Oct 29, 2011 at 2:12 PM

Hi Andrew,


If you want to measure the rate of all IPs, I suggest doing what you suggested - have some kind of counters for each IP so you can get the current rate.

If you want to monitor a specific IP, you can open a PacketCommunicator and use the statistics mode.


Regarding DNS, the simplest thing would be to block any request you don't want people to get to.

You can also give some reply to that DNS request, depending on what you want the client to do.


Of course, there are always ways around it - like different proxy servers or other manipulations.