LSP hook is a term that refers to the way a Winsock LSP intercepts traffic. This should not be confused with a Winsock hook, which is another way to perform network interception.
Barak
How to intercept data on the Internet? This can be done using a number of technologies:
Barak
Network traffic monitoring on Windows can be done with various methods and technologies, such as Winsock LSP, NDIS Passthru or NDIS IM, TDI Filter or TDI Driver, WFP and more.
Barak
Layered Service Provider, better known as Winsock LSP, is used to perform various packet interception/manipulation tasks. The main advantage of Winsock LSP is that it works at the stream level and is implemented in user mode.
Barak
On-the-fly modification of HTTP traffic can easily be done with Komodia’s Network Redirection SDK, which uses Winsock LSP as the base for its operations. It also has many optional modules; one of the most popular is the SSL Decryption module.
Barak
What is an LSP? LSP stands for Layered Service Provider and, in a nutshell, it is a component that intercepts all Winsock API calls and allows the programmer to inspect the data and even modify it.
You can find more LSP resources on Komodia’s web site.
Barak
NDIS Filter is used to perform packet filtering, modification and inspection, unlike other technologies such as LSP and TDI, which operate on streams.
NDIS Filter is actually an NDIS IM driver which receives packets (sent or received), can perform processing on them and then pass them to the next layer or drop them; that’s why NDIS IM drivers are used for firewalls, corporate firewalls, custom network solutions and more.
When stream operations are required, NDIS IM is sometimes a bad choice because it imposes additional work to convert packets to streams, which can be avoided by using TDI or LSP.
Barak
There are several ways to implement a firewall:
Barak
API interception via DLL redirection is a method that can be used to modify the default behaviour of an application that you don’t have the source code for.
Since this blog is about network interception, I’ll address that point. It’s possible to intercept the Winsock API via DLL injection (also called detouring). This method has advantages and disadvantages (at Komodia we use Winsock LSP to do that); the main advantages of network DLL injection are:
Disadvantages are:
Barak
Each time a Platform SDK comes out for a specific OS, it comes with a new LSP sample for that OS. The Windows XP one was the first decent sample, but then came Vista, and the default installer for Vista isn’t the best one, and that’s an understatement.
As mentioned before, we packaged the Windows XP LSP sample so it can be compiled easily, and as we always remind you, the default samples work perfectly in the lab but fail miserably on real computers. We have a nice article on why you should outsource your LSP development.
Barak