This article was previously published under Q175396
This article describes how a network adapter is chosen for an outbound Internet protocol (IP) datagram or stream of datagrams, and how a local source IP address is chosen for those datagrams on a multiple-homed computer.
Because of the method that is used to determine this behavior, multiple-homed computers may send packets through one network adapter but use the source IP address of another network adapter in the computer. Some hardware or software firewall products may identify these packets as "spoofed," and therefore generate an IP spoofing error.
This article applies specifically to programs that use the Windows Sockets interface to the TCP/IP stack.
For additional information about how an outbound network adapter is chosen for programs that use NetBIOS over TCP/IP (such as file and print sharing), click the article number below to view the article in the Microsoft Knowledge Base:
166159 NetBIOS Connections from Multi-homed Computer
The TCP/IP component of all Microsoft Windows operating systems is modeled on a "Weak End System" or a "Weak E/S" model. This model gives program developers the greatest amount of leeway when they design programs that use the network and are compatible with Microsoft products. This model also puts the responsibility of the behavior of the networking program on the developers, because the developers specify how the program accesses the TCP/IP stack and responds to incoming and outgoing frames.
When a Windows Sockets program binds a socket, one of the parameters that is passed in the bind() call is the local (source) IP address that should be used for outbound packets. Most programs do not have any knowledge of network topology, so they specify INADDR_ANY instead of a specific IP address in their bind() call. INADDR_ANY tells the stack that the program is going to let the stack choose the best local IP address to use; the program does not specify the local IP address.
On a computer that has one network adapter, the IP address that is chosen is the IP address of the network adapter in the computer. However, on a multiple-homed computer, the stack must make a choice. The stack cannot make an intelligent choice until it knows the target IP address for a Transmission Control Protocol (TCP) connection or a User Datagram Protocol (UDP) datagram.
When the program issues a connect() call to a target IP address, or a send() call for a UDP datagram, the stack references the target IP address, and then examines the IP route table so that it can choose the best network adapter over which to send the packet. After this network adapter has been chosen, the stack reads the source IP address associated with that network adapter and uses that IP address as the source IP address for the outbound packets.
If the program specifies a source IP address to use in the bind() call, that IP address is used as the source IP address for TCP connections or UDP datagrams sourced from that socket. However, the route table is still used to route the outbound IP datagrams, based on the target IP address. As a result of this behavior, the source IP address may not be the one associated with the network adapter that is chosen to send the packets.
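The following added example (not part of the original article) shows how to check, from a program, which source address the stack selects for a destination and whether an explicitly bound source differs from it, which is the condition a firewall may report as spoofing. The function names are hypothetical, and the loopback address is a constructed destination so that the code runs offline; it uses Python's socket module, which calls Windows Sockets on Windows.

```python
import socket

def stack_chosen_source(dest_ip, port=9):
    """Source IP the stack selects when the socket is bound to the wildcard address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", 0))      # INADDR_ANY: the program leaves the choice to the stack
        # connect() on a UDP socket sends no packet; it records the target and
        # makes the stack consult the route table to pick the outbound adapter.
        s.connect((dest_ip, port))
        return s.getsockname()[0]   # address of the adapter the route table chose

def audit_bound_source(bound_ip, dest_ip, port=9):
    """Compare an explicitly bound source IP with the route-table choice for dest_ip."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bound_ip, 0))       # the program dictates the source address
        s.connect((dest_ip, port))  # routing is still decided by the destination
        packet_source = s.getsockname()[0]
    egress_ip = stack_chosen_source(dest_ip, port)
    return {
        "destination": dest_ip,
        "packet_source": packet_source,   # source IP written into outbound datagrams
        "egress_adapter_ip": egress_ip,   # IP of the adapter the route table selects
        # True means packets leave one adapter carrying another adapter's address.
        "mismatch": packet_source != egress_ip,
    }

if __name__ == "__main__":
    # Constructed sample destination; on a multiple-homed computer, substitute
    # real destinations and the local address the program binds to.
    dest = "127.0.0.1"
    print("stack-chosen source for", dest, "->", stack_chosen_source(dest))
    print(audit_bound_source("127.0.0.1", dest))
```

On a multiple-homed computer, a result with "mismatch" set to True identifies a binding that will produce the packets described above, so the program's bind() address or the route table can be corrected before a firewall rejects the traffic.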