I've written an NDIS LWF.
It modifies a subset of the packets passing through it.
For debugging purposes, I wanted to optionally see in Wireshark the two versions of each packet: the original one passed to the filter driver and the altered version generated by it.
I didn't want other layers, for example Winsock (with the exception of, perhaps, RAW sockets), to process the original packets, just the altered ones.
I devised a plan to achieve it by using specially crafted loopback packets.
For the sending path, it seems to be working:
Unfortunately, the receiving path shows an unexpected side effect. The algorithm is similar:
Any ideas to help me achieve this?
Why do sending path loopbacks work so well? Are they discarded by Windows TCP/IP just because the destination MAC/IP addresses do not match those assigned to the receiving network interface regardless of their being loopbacks?
Another question just to check the requirements for the manual looping back: only for the sending path, a NET_BUFFER_LIST can contain several NET_BUFFERs. My current understanding is that I have to extract and clone the NET_BUFFERs one by one (creating a new NET_BUFFER_LIST for each original NET_BUFFER, instead of one for the whole group) in order to satisfy "indicating frames" restrictions (a received Ethernet NET_BUFFER_LIST must carry exactly one NET_BUFFER). Is my understanding correct or can a loopback NET_BUFFER_LIST contain several NET_BUFFERs, simplifying the cloning process?
Thank you very much.