extract destination from NDIS_PACKET

Good day everyone!

I’m writing some sort of firewall.
For now it’s just a slightly modified passthru example from the DDK.

My goal: block all traffic except one particular destination address, but I don’t know how to get the destination from the packet.

I understand that an NDIS intermediate driver is below IP, so this destination info won’t be an IP address.
But still, the packet must contain some sort of target information, right?

You should know the Ethernet packet and IP packet format. TCP/IP
Illustrated vol. 1 is what you want.

2010/7/19 sergey pisarev :
> Good day everyone !
>
> i’m writing some sort of firewall.
> for now it’s just slightly modified passthru example from ddk.
>
> my goal - block all traffic except one particular destination address, but i don’t know how to get destination from packet.
>
> i understand that ndis intermediate driver below ip, so this destination info won’t be ip address.
> but still, packet must contain some sort of target information, right ?
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>

thx, i’ll check this book

On Jul 19, 2010, at 11:52 AM, yushang wrote:

> You should know the Ethernet packet and IP packet format. TCP/IP
> Illustrated vol. 1 is what you want.


See the articles “Extending the Passthru…” at http://wd-3.com/.



great thanks, Thomas !!
i think second article is exactly what i need

On Jul 19, 2010, at 3:56 PM, Thomas F. Divine wrote:

> See the articles “Extending the Passthru…” at http://wd-3.com/.



Write a Windows Filtering Platform driver as you will find in
\WinDDK<version>\src\network\general\trans, specify the layer, ALE/STREAM
you want to filter, the IP address you want to permit and boom you’re done.
Or, you don’t need a driver, simply follow msnfilter in the same path and do
it in your application.

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net


WFP is great, but we need solution for pre-vista too

On Jul 19, 2010, at 6:03 PM, Gary G. Little wrote:

> Write a Windows Filtering Platform driver as you will find in
> \WinDDK<version>\src\network\general\trans, specify the layer, ALE/STREAM
> you want to filter, the IP address you want to permit and boom you’re done.
> Or, you don’t need a driver, simply follow msnfilter in the same path and do
> it in your application.

> i understand that ndis intermediate driver below ip, so this destination info won’t be ip address.

NDIS_PACKET has an MDL chain which describes the MAC header + IP header + the rest.

Find the IP header and the dst address there.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
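
The lookup described in the reply above, as an added example (not code from the thread or from the DDK passthru sample): it walks a buffer chain the way a driver walks a packet's MDL chain and reads the IPv4 destination even when a header is split across buffers. `struct buf`, the function names and the sample frame are assumptions made here; the code runs in user mode and assumes untagged Ethernet II framing (no 802.1Q tag, no LLC/SNAP).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for one buffer (MDL) in a packet's chain. */
struct buf { const uint8_t *data; size_t len; const struct buf *next; };

/* Copy n bytes from packet offset off, crossing buffer boundaries; -1 if too short. */
static int chain_read(const struct buf *b, size_t off, void *out, size_t n)
{
    uint8_t *dst = out;
    for (; b != NULL && n > 0; b = b->next) {
        if (off >= b->len) { off -= b->len; continue; }
        size_t take = b->len - off;
        if (take > n) take = n;
        memcpy(dst, b->data + off, take);
        dst += take; n -= take; off = 0;
    }
    return n == 0 ? 0 : -1;
}

/* Returns 0 with dst filled in, 1 if not IPv4, -1 if truncated or malformed. */
int ipv4_dst_from_chain(const struct buf *pkt, uint8_t dst[4])
{
    uint8_t eth[14], ip[20];
    if (chain_read(pkt, 0, eth, sizeof eth) != 0) return -1;
    if (eth[12] != 0x08 || eth[13] != 0x00) return 1;        /* EtherType != 0x0800 */
    if (chain_read(pkt, 14, ip, sizeof ip) != 0) return -1;
    if ((ip[0] >> 4) != 4 || (ip[0] & 0x0f) < 5) return -1;  /* version and IHL */
    memcpy(dst, ip + 16, 4);                                 /* destination, offset 16 */
    return 0;
}

/* Permit one destination only; non-IPv4 and malformed frames are dropped. */
int permit_frame(const struct buf *pkt, const uint8_t allowed[4])
{
    uint8_t dst[4];
    return ipv4_dst_from_chain(pkt, dst) == 0 && memcmp(dst, allowed, 4) == 0;
}

/* Constructed sample: Ethernet II + IPv4 header, 192.0.2.1 -> 192.0.2.10. */
static const uint8_t frame[34] = { 0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00,
    0x45,0,0,0x14, 0,0,0,0, 0x40,0x06,0,0, 192,0,2,1, 192,0,2,10 };
/* The sample as a 3-buffer chain that splits inside the destination address. */
int demo_permit(const uint8_t allowed[4])
{
    struct buf c = { frame + 32, 2, NULL }, b = { frame + 14, 18, &c }, a = { frame, 14, &b };
    return permit_frame(&a, allowed);
}
```

In an NDIS 5.x intermediate driver the same walk uses NdisQueryPacket, NdisQueryBufferSafe and NdisGetNextBuffer in place of `struct buf`. Because `permit_frame` drops every non-IPv4 frame, ARP (EtherType 0x0806) is dropped too and needs its own rule if address resolution is to keep working.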

> my goal - block all traffic except one particular destination address,

Are you trying to implement IP tunnelling? In such case I would suggest investigating MUX, rather than filter, option…

> but i don’t know how to get destination from packet.

Well, I am afraid your chances are pretty slim then - NDIS is not-so-well-documented, so that writing NDIS drivers requires the ability to investigate things on your own…

Anton Bassov