TCP hooks question

OSR_Community_User Member Posts: 110,217
Hello!

I'd like to write some kind of software that can listen to network traffic.

Until now, I've used a kernel mode driver, based on the PACKET.SYS file
given in the DDK.

Now, it's time to port that thing to Windows 2000.

I heard that the TCP stack of 2000 has "hooks", where I can specify a function that will process incoming packets before they reach the TCP stack.

It sounds great, but the question is:

Does it hear ALL the frames on the network (promiscuous mode)?

If not - is it the one that FIRST "sees" the incoming packet?

(for example - suppose I get an ACK frame addressed to my machine, but I did not send a SYN packet before. Will I still hear it, or will the kernel "catch" it before me and send a RST packet, and thus I won't see the ACK packet?)

If it doesn't work in promiscuous mode - can I change its mode using IOCTL
of some kind?


thanks in advance,

- Barak

Comments

  • OSR_Community_User Member Posts: 110,217
    Barak,

    W2K does indeed have an "IP Hook" feature in the protocol stack. This gives
    your driver a shot at each IP packet before it is passed up (on incoming
    data) to the transport protocol (TCP or UDP). It also gives you a look at
    each outgoing packet before it goes down to NDIS. You are allowed to modify
    the behavior of the protocol stack with respect to each packet by the return
    value you supply to your hook function.

    No, it is not operating in promiscuous mode, and I don't know what would
    happen if you put the NDIS layer in promiscuous mode. Either you will see
    all IP datagrams, or you will see only those IP datagrams that match the IP
    target address. Note that for most networks (i.e. switched Ethernet)
    promiscuous mode is not as useful as it sounds. At any rate, probably some
    NDIS wonk can tell you how to get NDIS to fetch everything off the wire.

    I have a sample IP hook driver on my web site: http://www.hollistech.com
    Feel free to download it and use or abuse it as you see fit.

    > -----Original Message-----
    > From: Barak Mandelovich [mailto:[email protected]]
    > Sent: Sunday, May 14, 2000 9:04 AM
    > To: NT Developers Interest List
    > Subject: [ntdev] TCP hooks question
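To make the reply's point concrete (the hook sees each IP datagram before TCP/UDP does, and its return value tells the stack what to do with it), here is an added example that is not the poster's code, not the Hollis sample driver, and not the DDK's hook interface. It is a portable user-mode C simulation of the decision logic such a hook would contain: the callback signature `ip_hook(ctx, pkt, len, inbound)` is this example's own, the `HOOK_*` action names are local definitions modelled on the DDK's PF_FORWARD_ACTION values (an assumption, not taken from any header), and the datagrams fed to it are constructed inline. It parses the IPv4 header with bounds checks, drops malformed datagrams and inbound datagrams not addressed to the local host, and tallies inbound TCP SYNs and bare ACKs, which is exactly the kind of observation the original poster asked about: the bare ACK is visible to the hook before the stack has had any chance to answer it.

```c
/* Portable simulation of the decision logic inside a Windows 2000 IP hook
 * callback. Added example: not the poster's code, not the Hollis sample
 * driver, and the callback signature below is this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values the hook returns to steer the stack. Names are modelled on the
 * DDK's PF_FORWARD_ACTION but are defined locally here (assumption). */
typedef enum { HOOK_FORWARD = 0, HOOK_DROP = 1, HOOK_PASS = 2 } hook_action;

enum { IP_PROTO_TCP = 6, TCP_SYN = 0x02, TCP_ACK = 0x10 };

typedef struct {
    unsigned ihl_bytes, total_len, protocol;
    uint32_t src, dst;
} ipv4_hdr;

/* Per-hook state: the local address plus counters a driver would log. */
typedef struct {
    uint32_t local_addr;
    unsigned passed, dropped, syn_seen, bare_ack_seen;
} hook_ctx;

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Parse an IPv4 header; 0 on success, -1 if malformed or truncated. */
int parse_ipv4(const uint8_t *pkt, size_t len, ipv4_hdr *h)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    h->ihl_bytes = (pkt[0] & 0x0f) * 4u;
    h->total_len = ((unsigned)pkt[2] << 8) | pkt[3];
    if (h->ihl_bytes < 20 || h->total_len < h->ihl_bytes || h->total_len > len)
        return -1;
    h->protocol = pkt[9];
    h->src = rd32(pkt + 12);
    h->dst = rd32(pkt + 16);
    return 0;
}

/* The hook: runs once per IP datagram, before TCP/UDP sees it (inbound) or
 * before it goes down to NDIS (outbound). */
hook_action ip_hook(hook_ctx *ctx, const uint8_t *pkt, size_t len, int inbound)
{
    ipv4_hdr h;
    if (parse_ipv4(pkt, len, &h) != 0) {
        ctx->dropped++;               /* never hand a malformed datagram upward */
        return HOOK_DROP;
    }
    if (inbound && h.dst != ctx->local_addr) {
        ctx->dropped++;               /* not addressed to us */
        return HOOK_DROP;
    }
    if (h.protocol == IP_PROTO_TCP && h.total_len - h.ihl_bytes >= 20) {
        uint8_t flags = pkt[h.ihl_bytes + 13];        /* TCP flags byte */
        if (flags & TCP_SYN)      ctx->syn_seen++;
        else if (flags & TCP_ACK) ctx->bare_ack_seen++; /* seen before any RST */
    }
    ctx->passed++;
    return HOOK_PASS;
}

/* Constructed datagram for demonstration: 20-byte IPv4 + 20-byte TCP header. */
size_t build_tcp(uint8_t *buf, uint32_t src, uint32_t dst, uint8_t flags)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;                /* IPv4, IHL = 5 words */
    buf[3] = 40;                  /* total length */
    buf[8] = 64;                  /* TTL */
    buf[9] = IP_PROTO_TCP;
    wr32(buf + 12, src);
    wr32(buf + 16, dst);
    buf[20 + 12] = 0x50;          /* TCP data offset = 5 words */
    buf[20 + 13] = flags;
    return 40;
}

int main(void)
{
    hook_ctx ctx = {0};
    uint8_t buf[40];
    size_t n;
    ctx.local_addr = 0xC0A80101u;                      /* 192.168.1.1 */
    n = build_tcp(buf, 0x0A000001u, 0xC0A80101u, TCP_SYN);
    printf("SYN to us -> %d\n", ip_hook(&ctx, buf, n, 1));
    n = build_tcp(buf, 0x0A000001u, 0xC0A80101u, TCP_ACK);
    printf("bare ACK to us -> %d\n", ip_hook(&ctx, buf, n, 1));
    n = build_tcp(buf, 0x0A000001u, 0xC0A80102u, TCP_SYN);
    printf("SYN to other host -> %d\n", ip_hook(&ctx, buf, n, 1));
    printf("truncated -> %d\n", ip_hook(&ctx, buf, 10, 1));
    printf("passed=%u dropped=%u syn=%u bare_ack=%u\n",
           ctx.passed, ctx.dropped, ctx.syn_seen, ctx.bare_ack_seen);
    return 0;
}
```

The address check on inbound datagrams is deliberately belt-and-braces: as the reply notes, it is unclear what the hook sees if NDIS is put into promiscuous mode, so a hook that may run in that configuration should not assume every datagram it is handed is for the local host. A real driver would of course replace the counters with its own logging and policy.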