Topics to study before writing a WFP driver to monitor all network events?

Hi All,
I have to write a WFP driver to monitor all network events. I did some driver work with WDM like a decade ago. A quick check of the DDK resources has left me dumbfounded by what has occurred in the interim. Coming back to the topic, I assume I need to study the WDF way of doing things.
So I assume I should read the following resources:

  1. Windows Internals, 7th edition
  2. Developing Drivers with the Windows Driver Foundation.
  3. WFP MSDN resources.

Can the experts here please advise me on the resources to be consulted for the task in question?

Thanks in advance.
–eminemence

First you might want to take a look at the Inspect sample in the WDK
samples. It monitors network events. The second thing is to seriously
think about what you mean by network events, as you will see by Inspect
there are a lot of layers and I suspect you don’t need all of them.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com


NTDEV is sponsored by OSR

Visit the list online at:
http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software
drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at
http:

The inspect sample monitors the ALE and transport layers. The main thing
about the sample is how to use the pend functions. I had to abandon using
pend due to issues with it.

Bill Wandel


Thanks Don & Bill.
I may be mixing a bit of terms here, but the main idea is to log all network activity.
So will the pend issues still raise their ugly head for just logging?

–Mayur K.

If you are only logging, I don’t think that you will need to pend. The
reason to pend is that you need to do something at PASSIVE IRQL before the
connect/accept completes.

Bill Wandel


xxxxx@gmail.com wrote:

I may be mixing a bit of terms here, but the main idea is to log all network activity.
So will the pend issues still raise their ugly head for just logging?

Wireshark can already do this today, no kernel programming required.

Do you plan to log the data as well? Where are you going to put it?
Network data comes at you pretty fast.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
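The two design points raised above (Bill: a logging-only callout has no reason to pend, because nothing in it needs PASSIVE_LEVEL; Tim: events arrive fast, so decide up front where they go) fit together in one structure, shown here as an added example that is not code from the thread, from the WDK Inspect sample, or from any of the posters. The classify path copies a fixed-size record into a preallocated ring and returns without blocking or pending; a worker at PASSIVE_LEVEL drains the ring and does the disk or ETW write. A full ring is counted as a drop rather than stalling the stack. The record layout, ring size and all function names are this example's own choices; the WFP identifiers mentioned in comments (FWPM_LAYER_ALE_AUTH_CONNECT_V4, the FWPS_FIELD_ALE_AUTH_CONNECT_V4_* indices, FWP_ACTION_CALLOUT_INSPECTION, FWP_ACTION_CONTINUE, FwpsPendOperation0) are real WFP names but are only referenced in comments, so the block compiles as plain C without the WDK.

```c
/*
 * Added example: logging-only callout buffering. The classify callback runs at up to
 * DISPATCH_LEVEL, so it must not block, touch paged memory, or pend; it copies a
 * fixed-size record into a preallocated ring and returns. A PASSIVE_LEVEL worker
 * drains the ring. Record layout, ring size and function names are assumptions of
 * this example, not WFP APIs.
 */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define RING_SLOTS 1024u   /* must be a power of two; in a driver, size it for your burst rate */

/* One connect event. In a real callout at FWPM_LAYER_ALE_AUTH_CONNECT_V4 these come from
 * inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_LOCAL_ADDRESS] and
 * friends, plus inMetaValues->processId; here they are plain fields. */
typedef struct {
    uint64_t timestamp;   /* KeQuerySystemTimePrecise in the driver; caller-supplied here */
    uint64_t process_id;
    uint32_t local_addr;  /* IPv4, host byte order as WFP delivers it */
    uint32_t remote_addr;
    uint16_t local_port;
    uint16_t remote_port;
    uint8_t  protocol;    /* 6 = TCP, 17 = UDP */
} NetEventRecord;

typedef struct {
    NetEventRecord slots[RING_SLOTS];
    volatile uint32_t head;     /* producer (classify) index, monotonically increasing */
    volatile uint32_t tail;     /* consumer (worker) index */
    volatile uint32_t dropped;  /* records discarded because the ring was full */
} EventRing;

static EventRing g_ring;  /* in a driver: NonPagedPoolNx, since classify may run at DISPATCH_LEVEL */

/* Producer side: constant time, no allocation, no waiting. Returns false on drop. */
bool ring_push(EventRing *r, const NetEventRecord *rec)
{
    uint32_t head = r->head;
    if (head - r->tail >= RING_SLOTS) {  /* full: count it rather than stall the network stack */
        r->dropped++;
        return false;
    }
    r->slots[head & (RING_SLOTS - 1)] = *rec;
    r->head = head + 1;  /* single-producer as written; classify runs on every CPU, so a real
                            driver needs an interlocked head or one ring per processor */
    return true;
}

/* Consumer side: called from a PASSIVE_LEVEL worker, where file/ETW writes are legal. */
bool ring_pop(EventRing *r, NetEventRecord *out)
{
    uint32_t tail = r->tail;
    if (tail == r->head)
        return false;
    *out = r->slots[tail & (RING_SLOTS - 1)];
    r->tail = tail + 1;
    return true;
}

/* Models the result of a logging-only classifyFn. Under a filter registered with
 * FWP_ACTION_CALLOUT_INSPECTION the callout only observes and sets FWP_ACTION_CONTINUE;
 * modelled as an enum here so the file builds without fwpsk.h. */
typedef enum { ACTION_CONTINUE, ACTION_BLOCK } ClassifyAction;

ClassifyAction classify_log_only(EventRing *ring, const NetEventRecord *rec)
{
    ring_push(ring, rec);     /* a full ring loses a log line, never the connection */
    return ACTION_CONTINUE;   /* no FwpsPendOperation0: nothing here needs PASSIVE_LEVEL */
}

/* Worked scenario: n connect events arrive before the worker gets to run.
 * Returns how many had to be dropped (n - RING_SLOTS once the ring is full). */
uint32_t burst_dropped(uint32_t n)
{
    static EventRing ring;  /* static to keep 32 KB off the stack */
    memset(&ring, 0, sizeof ring);
    NetEventRecord rec = { .protocol = 6, .remote_port = 443 };  /* constructed sample event */
    for (uint32_t i = 0; i < n; i++) {
        rec.timestamp = i;
        classify_log_only(&ring, &rec);
    }
    return ring.dropped;
}
```

The `dropped` counter is the answer to "where are you going to put it": once the worker cannot keep up, the decision is made explicitly and is visible, instead of the callout blocking or allocating at DISPATCH_LEVEL. Sizing the ring per CPU and watching that counter under load tells you whether logging every layer is realistic before the driver ever ships.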