
Topics to study before writing a WFP driver to monitor all network events?

Mayur_K Posts: 3
Hi All,
I have to write a WFP driver to monitor all network events. I did some driver work with WDM like a decade ago. A quick check of the DDK resources has left me dumbfounded at the changes that have occurred in the interim. Coming back to the topic: I assume I need to study the WDF way of doing things.
So I assume I need to read the following resources:
1. Windows Internals, 7th edition
2. Developing Drivers with the Windows Driver Foundation.
3. WFP MSDN resources.
Can the experts here, please advise me on the resources to be consulted for the task in question?

Thanks in advance.
--eminemence

Comments

  • Don_Burn Posts: 1,623
    First you might want to take a look at the Inspect sample in the WDK
    samples. It monitors network events. The second thing is to seriously
    think about what you mean by network events, as you will see by Inspect
    there are a lot of layers and I suspect you don't need all of them.


    Don Burn
    Windows Driver Consulting
    Website: http://www.windrvr.com



    -----Original Message-----
    From: xxxxx@lists.osr.com
    [mailto:xxxxx@lists.osr.com] On Behalf Of
    xxxxx@gmail.com
    Sent: Monday, March 12, 2018 8:51 AM
    To: Windows System Software Devs Interest List <xxxxx@lists.osr.com>
    Subject: [ntdev] Topics to study before writing a WFP driver to monitor all
    network events?
    ---
    NTDEV is sponsored by OSR

    Visit the list online at:
    <http://www.osronline.com/showlists.cfm?list=ntdev>;
  • Bill_Wandel Posts: 210
    The inspect sample monitors the ALE and transport layers. The main thing
    about the sample is how to use the pend functions. I had to abandon using
    pend due to issues with it.

    Bill Wandel
  • Mayur_K Posts: 3
    Thanks Don & Bill.
    I may be mixing a bit of terms here, but the main idea is to log all network activity.
    So will the pend issues still raise their ugly head for just logging?

    --Mayur K.
  • Bill_Wandel Posts: 210
    If you are only logging, I don't think that you will need to pend. The
    reason to pend is that you need to do something at PASSIVE IRQL before the
    connect/accept completes.

    Bill Wandel
  • Tim_Roberts Posts: 12,615
    xxxxx@gmail.com wrote:
    > I may be mixing a bit of terms here, but the main idea is to log all network activity.
    > So will the pend issues still raise their ugly head for just logging?

    Wireshark can already do this today, no kernel programming required.

    Do you plan to log the data as well?  Where are you going to put it? 
    Network data comes at you pretty fast.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.
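Bill's point (a logging-only callout never needs to pend, because nothing has to happen at PASSIVE_LEVEL before the connect completes) and Tim's (the data arrives fast, so decide up front where it goes) together describe one design: the classify callback copies a fixed-size record into a bounded queue and returns, and a PASSIVE_LEVEL worker drains the queue. The following is an added example written for this page, not code from the thread or from the WDK Inspect sample, and it is a user-mode C model rather than a driver: the WFP names in the comments (FWPS_LAYER_ALE_AUTH_CONNECT_V4, the FWPS_FIELD_ALE_AUTH_CONNECT_V4_* field indices, FWPS_METADATA_FIELD_PROCESS_ID, FWP_ACTION_CALLOUT_INSPECTION, FwpsPendOperation0/FwpsPendClassify0) are the real ones, while `conn_record`, `connect_values`, the two sample connections and the atomic_flag spin lock are constructed stand-ins for the FWPS_INCOMING_VALUES0 / FWPS_INCOMING_METADATA_VALUES0 arguments and for a KSPIN_LOCK.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: user-mode model of the data path of a logging-only WFP callout
 * registered at FWPS_LAYER_ALE_AUTH_CONNECT_V4. classifyFn can run at
 * DISPATCH_LEVEL on any CPU, so it must not block, wait or page: it copies a
 * fixed-size record into a bounded ring under a spin lock and returns. A
 * PASSIVE_LEVEL worker drains the ring. Nothing has to happen before the
 * connect completes, so FwpsPendOperation0 / FwpsPendClassify0 never appear. */

#define RING_SLOTS 1024u   /* power of two; memory stays bounded whatever the traffic rate */

typedef struct {
    uint64_t pid;          /* inMetaValues->processId, when FWPS_METADATA_FIELD_PROCESS_ID is present */
    uint32_t local_ip;     /* FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_LOCAL_ADDRESS, host byte order */
    uint32_t remote_ip;    /* FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_ADDRESS, host byte order */
    uint16_t local_port;   /* FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_LOCAL_PORT */
    uint16_t remote_port;  /* FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_PORT */
    uint8_t  protocol;     /* FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_PROTOCOL: 6 = TCP, 17 = UDP */
    uint8_t  has_pid;      /* 0 when the process-id metadata field was absent */
} conn_record;

typedef struct {
    conn_record slots[RING_SLOTS];
    uint32_t    head;      /* next slot the producer (classifyFn) writes */
    uint32_t    tail;      /* next slot the consumer (worker) reads */
    uint64_t    dropped;   /* records discarded because the ring was full */
    atomic_flag lock;      /* stand-in for a KSPIN_LOCK taken with KeAcquireSpinLockAtDpcLevel */
} conn_ring;

static void ring_lock(conn_ring *r)   { while (atomic_flag_test_and_set_explicit(&r->lock, memory_order_acquire)) { } }
static void ring_unlock(conn_ring *r) { atomic_flag_clear_explicit(&r->lock, memory_order_release); }

void ring_init(conn_ring *r) { memset(r, 0, sizeof *r); atomic_flag_clear(&r->lock); }

/* Producer side. On a full ring the record is dropped and counted: losing a
 * log line is preferable to letting a traffic flood grow kernel memory. */
bool ring_push(conn_ring *r, const conn_record *rec) {
    bool ok = false;
    ring_lock(r);
    if (r->head - r->tail < RING_SLOTS) { r->slots[r->head++ % RING_SLOTS] = *rec; ok = true; }
    else { r->dropped++; }
    ring_unlock(r);
    return ok;
}

/* Consumer side; returns false (and leaves *out untouched) when the ring is empty. */
bool ring_pop(conn_ring *r, conn_record *out) {
    bool ok = false;
    ring_lock(r);
    if (r->head != r->tail) { *out = r->slots[r->tail++ % RING_SLOTS]; ok = true; }
    ring_unlock(r);
    return ok;
}

/* Constructed stand-in for classifyFn's inFixedValues/inMetaValues; in a driver
 * these come from inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_*]
 * and from inMetaValues after an FWPS_IS_METADATA_FIELD_PRESENT check. */
typedef struct {
    uint32_t local_ip, remote_ip;
    uint16_t local_port, remote_port;
    uint8_t  protocol;
    bool     pid_present;
    uint64_t pid;
} connect_values;

/* The entire classify-path work of a monitor: copy, enqueue, return. With the
 * filter action set to FWP_ACTION_CALLOUT_INSPECTION the callout cannot permit
 * or block anything, so classifyOut->actionType is never written. */
bool classify_connect_v4(conn_ring *r, const connect_values *in) {
    conn_record rec = {
        .pid = in->pid_present ? in->pid : 0, .has_pid = in->pid_present,
        .local_ip = in->local_ip, .remote_ip = in->remote_ip,
        .local_port = in->local_port, .remote_port = in->remote_port,
        .protocol = in->protocol,
    };
    return ring_push(r, &rec);
}

/* Worker side (PASSIVE_LEVEL): render one record as a log line.
 * Returns the length written, or -1 if it did not fit in buf. */
int format_record(const conn_record *rec, char *buf, size_t cap) {
    char pid[24];
    const char *proto = rec->protocol == 6 ? "tcp" : rec->protocol == 17 ? "udp" : "ip";
    if (rec->has_pid) snprintf(pid, sizeof pid, "%llu", (unsigned long long)rec->pid);
    else strcpy(pid, "-");
    int n = snprintf(buf, cap, "pid=%s proto=%s %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u", pid, proto,
        rec->local_ip >> 24, (rec->local_ip >> 16) & 0xffu, (rec->local_ip >> 8) & 0xffu,
        rec->local_ip & 0xffu, (unsigned)rec->local_port,
        rec->remote_ip >> 24, (rec->remote_ip >> 16) & 0xffu, (rec->remote_ip >> 8) & 0xffu,
        rec->remote_ip & 0xffu, (unsigned)rec->remote_port);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Worker loop body: drain everything queued to sink (NULL discards). Returns the
 * number of records drained; log r->dropped next to it so gaps are visible. */
size_t ring_drain(conn_ring *r, void (*sink)(const char *line)) {
    conn_record rec; char line[128]; size_t n = 0;
    while (ring_pop(r, &rec)) {
        if (format_record(&rec, line, sizeof line) > 0 && sink) sink(line);
        n++;
    }
    return n;
}

static void stdout_sink(const char *line) { puts(line); }

int main(void) {
    static conn_ring ring;                    /* static: the slot array is too large for a small stack */
    ring_init(&ring);
    connect_values tcp = { 0x0A000005u, 0x5DB8D822u, 51000, 443, 6, true, 4242 };  /* constructed: 10.0.0.5 -> 93.184.216.34 */
    connect_values udp = { 0x0A000005u, 0x08080808u, 53001, 53, 17, false, 0 };     /* constructed: pid metadata absent */
    classify_connect_v4(&ring, &tcp);
    classify_connect_v4(&ring, &udp);
    size_t n = ring_drain(&ring, stdout_sink);
    printf("drained=%zu dropped=%llu\n", n, (unsigned long long)ring.dropped);
    return 0;
}
```

Two design choices carry over to the real driver. First, registering the filter with FWP_ACTION_CALLOUT_INSPECTION rather than FWP_ACTION_CALLOUT_TERMINATING means a bug in the monitor can never silently permit or block traffic; a pure logger has no business holding that right. Second, the ring is fixed-size and the drop counter is part of the log, so a flood degrades to "some lines missing, and we know how many" instead of to unbounded nonpaged-pool growth. ALE_AUTH_CONNECT covers outbound connects only; inbound accepts are seen at ALE_AUTH_RECV_ACCEPT (and each layer has a V6 twin), while per-packet visibility lives in the transport and datagram-data layers at a far higher event rate, which is the territory Tim's Wireshark remark is about. After installing the driver, `netsh wfp show state` lists the registered callouts and filters, which is the quickest check that the layer and action you intended are the ones actually in force.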
