Proper way to get the entire packet content in FWPM_LAYER_OUTBOUND_IPPACKET_V4 callout of WFP?

Hi,

I am trying to monitor every IP packet by registering outbound and inbound IPPACKET callouts in my WFP driver. But the problem is that when I try to read the NetBuffers of the NBL (layerData), in the outbound callout the NetBuffer starts at the start of the IP header, and in the inbound callout it starts at the TCP header. I understand that this is due to the fact that the WFP engine has only parsed certain parts of the packet in each direction, but I don’t care about that; I just want to get the entire packet content (not parsed, just the raw byte buffer). So how can I do this in the inbound and outbound callouts of IPPACKET? (Currently only working on IPv4.)

You need to advance and retreat the NBLs to get at the data. Offsets of each layer are documented here: https://docs.microsoft.com/en-us/windows-hardware/drivers/network/data-offset-positions?redirectedfrom=MSDN
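The retreat-then-restore pattern for the inbound case, as an added host-side model rather than code from this thread: the nb_t struct, nb_retreat and nb_advance are stand-ins for NDIS's NET_BUFFER, NdisRetreatNetBufferDataStart and NdisAdvanceNetBufferDataStart, and ip_hdr_size stands in for inMetaValues->ipHeaderSize (check FWPS_IS_METADATA_FIELD_PRESENT with FWPS_METADATA_FIELD_IP_HEADER_SIZE first). In a real callout, pass a storage buffer to NdisGetDataBuffer because the MDL chain need not be contiguous, and retreat every NET_BUFFER in the list (NET_BUFFER_LIST_FIRST_NB / NET_BUFFER_NEXT_NB), not only the first.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Host-side model of a NET_BUFFER (assumption, not the NDIS type): one
 * contiguous backing buffer plus the current data start and length. */
typedef struct {
    uint8_t *buf;
    size_t   data_offset;   /* where the data start currently points */
    size_t   data_length;   /* bytes from data start to end of packet */
} nb_t;

/* Stand-ins for NdisRetreatNetBufferDataStart / NdisAdvanceNetBufferDataStart. */
static int nb_retreat(nb_t *nb, size_t n) {
    if (n > nb->data_offset) return 0;   /* no headroom: retreat would fail */
    nb->data_offset -= n; nb->data_length += n; return 1;
}
static void nb_advance(nb_t *nb, size_t n) { nb->data_offset += n; nb->data_length -= n; }

/* Inbound IPPACKET_V4: the data start sits at the transport header, ip_hdr_size
 * bytes past the IP header. Copies the raw packet to out, restores the
 * NET_BUFFER, and returns bytes copied (0 on failure). */
static size_t inbound_full_ipv4_packet(nb_t *nb, size_t ip_hdr_size,
                                       uint8_t *out, size_t out_len) {
    size_t copied = 0;
    if (ip_hdr_size < 20 || !nb_retreat(nb, ip_hdr_size)) return 0;
    const uint8_t *p = nb->buf + nb->data_offset;   /* NdisGetDataBuffer stand-in */
    size_t total = ((size_t)p[2] << 8) | p[3];      /* IPv4 Total Length */
    /* Sanity-check what we retreated into: version 4, IHL matching the metadata. */
    if ((p[0] >> 4) == 4 && (size_t)(p[0] & 0x0f) * 4 == ip_hdr_size &&
        total <= nb->data_length && total <= out_len) {
        memcpy(out, p, total); copied = total;
    }
    nb_advance(nb, ip_hdr_size);   /* always undo the retreat before returning */
    return copied;
}

/* Constructed sample: 20-byte IPv4 header + 20-byte TCP SYN, no payload, with
 * the data start already at the TCP header as the inbound layer delivers it. */
static uint8_t g_pkt[40] = {
    0x45,0x00,0x00,0x28, 0,0,0,0, 0x40,0x06,0,0, 10,0,0,1, 10,0,0,2,
    0x00,0x50,0x1f,0x90, 0,0,0,0, 0,0,0,0, 0x50,0x02,0,0, 0,0,0,0 };

static size_t demo(uint8_t *out, size_t out_len, size_t *restored_offset) {
    nb_t nb = { g_pkt, 20, 20 };
    size_t n = inbound_full_ipv4_packet(&nb, 20, out, out_len);
    *restored_offset = nb.data_offset;
    return n;
}
```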

@Jason_Stephenson said:
You need to advance and retreat the NBLs to get at the data. Offsets of each layer are documented here: https://docs.microsoft.com/en-us/windows-hardware/drivers/network/data-offset-positions?redirectedfrom=MSDN

So is it safe to retreat in this case? Because for a second I thought that, since the data I get from NdisGetDataBuffer doesn’t start at the start of the packet, maybe I’m not allowed to retreat and the memory could be invalid?

Also another question: do I need to retreat only the first NetBuffer, or do I need to retreat every single NetBuffer in an NBL? (Although so far I have not seen any NBL with more than one NB in my IPPACKET callout.)

And it seems that at least on Windows 7, the Ethernet header is not available at all. Even though I knew that Ethernet header support in WFP started with Windows 8, I thought maybe we could still get the actual non-parsed Ethernet header via NdisRetreatNetBufferDataStart, but I guess not, because when we retreat in that case, the previous bytes are just random bytes.