Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

Packets on the net

ArsenArsen Member Posts: 195

Hi all. Can anyone please tell me why the NDIS filter driver, which is installed between the network card driver and the protocol driver, sees all packets on its network segment. Why does the network card not filter packets that do not belong to it, but passes packets to the NDIS filter driver. How to get rid of these packages from inside the NDIS filter driver and is it correct?


  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,837

    Many filter drivers and monitoring packages, like Winshark and libpcap, set the NIC into "promiscuous mode", which causes it to snag ALL the packets that pass by.

    Tim Roberts, [email protected]
    Software Wizard Emeritus

  • ArsenArsen Member Posts: 195
    edited August 2023

    Thank you. But I get all packets without running Wireshark. How can I block other packages and prevent their promotion programmatically from inside NDIS filter driver. My goal is to only receive packets in my filter driver that belong to my host..

    Post edited by Arsen on
  • MBond2MBond2 Member Posts: 708

    You check for and ignore the ones that you don't care about.

    Ethernet hardware / drivers are required to deliver at least all the packets addressed to this host. In the old days of hubs, it was very common for all packets to be flooded to all hosts on a network segment. Even modern switches do that while learning MAC addresses. And of course multicast traffic has to be flooded at least until the leaves are known

  • ArsenArsen Member Posts: 195

    Thank you very much. I understand all this, but the role of the network card is to filter all packets addressed to a different MAC address. Otherwise, each host will receive all packets, and the host will take extra time. If you suggest to do it in my driver, what will the network card do?

  • ArsenArsen Member Posts: 195

    And the second. If there is such a mod (promiscuous mode), as Mr. Tim_Roberts says, there should be an NDIS command to enable this mode. This will save the driver from this additional work.

  • MBond2MBond2 Member Posts: 708

    The NIC will do whatever it will do. It's job is to deliver to you at least all of the packets that you need. It has no obligation not to deliver you extra ones that you don't care about

  • ArsenArsen Member Posts: 195
    edited August 2023

    Mr. MBond2 and Mr. Tim_Roberts. Thanks for your helpful answers. I changed the card and all is well now.

  • MBond2MBond2 Member Posts: 708

    I'm glad to hear it. Remember that if you are developing a product for general use, you won't have that luxury in the field. You will have to deal with whatever NIC the user has decided to use

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 13-17 May 2024 Live, Online
Developing Minifilters 1-5 Apr 2024 Live, Online
Internals & Software Drivers 11-15 Mar 2024 Live, Online
Writing WDF Drivers 20-24 May 2024 Live, Online