WinDivertDevice.SendPacket wrongly infers interface index #527

Open
verdie-g opened this issue Aug 22, 2024 · 6 comments
verdie-g commented Aug 22, 2024

When I use WinDivertDevice.SendPacket without specifying an ICaptureHeader, the wrong interface is chosen.

WinDivertDevice device = new()
{
    Filter = "XXX",
    Layer = WinDivertLayer.Network,
    Flags = 0,
};

// ...

device.GetNextPacket(out PacketCapture capture);

// ...

// 1. This works fine
device.SendPacket(capture.GetPacket(), capture.Header);
// 2. This doesn't work fine
device.SendPacket(capture.GetPacket());

After some debugging, I saw that 1. uses IfIdx=0, SubIfIdx=7 but 2. uses IfIdx=7, SubIfIdx=0 (unset).

Does this code do the best it can to get the right interface or do you think it could be improved?

private static WinDivertAddress GetAddress(ReadOnlySpan<byte> p)
{
    var version = p[0] >> 4;
    ReadOnlySpan<byte> srcBytes;
    ReadOnlySpan<byte> dstytes;
    if (version == 4)
    {
        srcBytes = p.Slice(IPv4Fields.SourcePosition, IPv4Fields.AddressLength);
        dstytes = p.Slice(IPv4Fields.DestinationPosition, IPv4Fields.AddressLength);
    }
    else
    {
        srcBytes = p.Slice(IPv6Fields.SourceAddressPosition, IPv6Fields.AddressLength);
        dstytes = p.Slice(IPv6Fields.DestinationAddressPosition, IPv6Fields.AddressLength);
    }
    var src = new IPAddress(srcBytes.ToArray());
    var dst = new IPAddress(dstytes.ToArray());
    WinDivertAddress addr = default;
    addr.IfIdx = (uint)IpHelper.GetBestInterfaceIndex(dst);
    if (IpHelper.IsOutbound((int)addr.IfIdx, src, dst))
    {
        addr.Flags |= WinDivertPacketFlags.Outbound;
    }
    return addr;
}

I'm on Windows 11 23H2

> Get-NetAdapter | Select-Object Name, InterfaceIndex, Status

Name       InterfaceIndex Status
----       -------------- ------
Ethernet 2              8 Disconnected
Ethernet                7 Up

kayoub5 commented Aug 22, 2024

@verdie-g

// 1. This works fine
device.SendPacket(capture.GetPacket(), capture.Header);

This call preserves the metadata of the received packet; the metadata includes the direction of the packet, what interface it was received on, etc.

The metadata is stored in the capture header.

// 2. This doesn't work fine
device.SendPacket(capture.GetPacket());

In this case, you took the packet data and removed all associated metadata. In this case sharppcap will use the default configuration the libpcap driver would use, which means it will assume the packet is outgoing from the system, which may not be the case in the original metadata.

verdie-g commented

> it will assume the packet is outgoing from the system

Could you help me understand where in the code that assumption is made?

if (IpHelper.IsOutbound((int)addr.IfIdx, src, dst))
{
    addr.Flags |= WinDivertPacketFlags.Outbound;
}

Here it looks like it can know if the packet is inbound or outbound.

kayoub5 commented Aug 25, 2024

@verdie-g What IP addresses do the interfaces and the packet have?

OS version?

WinDivert driver version?

verdie-g commented

Remote ip: 54.171.35.223
OS: 11 23H2
Windivert: 2.2.2

kayoub5 commented Sep 15, 2024

@verdie-g I can't reproduce the problem. The logic implemented in sharppcap does a "Best Effort" guess of what interface should be used, and uses the GetBestInterfaceEx API.

@basil00 Is there a better API to infer the interface from the packet address?

verdie-g commented

It's fine, I realized later that using WinDivertSend without the original WINDIVERT_ADDRESS was probably a bad idea.
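
Added example (not SharpPcap code and not written by either commenter): a standalone version of the address extraction that the quoted GetAddress snippet performs, with explicit length and version checks, showing that source and destination are the only addressing facts present in the raw bytes. `PacketAddressing`, `TryGetAddresses` and the sample packet are hypothetical names and constructed data; the offsets are the standard IPv4/IPv6 header layouts.

```csharp
using System;
using System.Net;

// Added example, not SharpPcap code. PacketAddressing and TryGetAddresses are
// hypothetical names; offsets are the standard IPv4/IPv6 header layouts.
public static class PacketAddressing
{
    // Returns false instead of throwing when the buffer is too short or the
    // version nibble is neither 4 nor 6.
    public static bool TryGetAddresses(ReadOnlySpan<byte> p, out IPAddress src, out IPAddress dst)
    {
        src = dst = IPAddress.None;
        if (p.IsEmpty) return false;

        int version = p[0] >> 4;
        if (version == 4 && p.Length >= 20)      // minimum IPv4 header
        {
            src = new IPAddress(p.Slice(12, 4));
            dst = new IPAddress(p.Slice(16, 4));
            return true;
        }
        if (version == 6 && p.Length >= 40)      // fixed IPv6 header
        {
            src = new IPAddress(p.Slice(8, 16));
            dst = new IPAddress(p.Slice(24, 16));
            return true;
        }
        return false;
    }

    public static void Main()
    {
        // Constructed 20-byte IPv4 header: 192.0.2.10 -> 54.171.35.223.
        // The source is a documentation address (assumption); the destination
        // is the remote IP quoted in the thread.
        byte[] pkt =
        {
            0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
            0x40, 0x06, 0x00, 0x00, 192, 0, 2, 10,
            54, 171, 35, 223,
        };

        if (TryGetAddresses(pkt, out var s, out var d))
            Console.WriteLine($"{s} -> {d}");
        // Nothing in these bytes carries IfIdx, SubIfIdx or the direction;
        // those exist only in the capture header, so re-injection should
        // pass that header along rather than rely on inference.
        Console.WriteLine(TryGetAddresses(pkt.AsSpan(0, 10), out _, out _));
    }
}
```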
