Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.More Info on Driver Writing and Debugging
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
Packets on the net
Hi all. Can anyone please tell me why the NDIS filter driver, which is installed between the network card driver and the protocol driver, sees all packets on its network segment. Why does the network card not filter packets that do not belong to it, but passes packets to the NDIS filter driver. How to get rid of these packages from inside the NDIS filter driver and is it correct?
Howdy, Stranger!
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
| Kernel Debugging | 16-20 October 2023 | Live, Online |
| Developing Minifilters | 13-17 November 2023 | Live, Online |
| Internals & Software Drivers | 4-8 Dec 2023 | Live, Online |
| Writing WDF Drivers | 10-14 July 2023 | Live, Online |
Comments
Many filter drivers and monitoring packages, like Winshark and libpcap, set the NIC into "promiscuous mode", which causes it to snag ALL the packets that pass by.
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
Thank you. But I get all packets without running Wireshark. How can I block other packages and prevent their promotion programmatically from inside NDIS filter driver. My goal is to only receive packets in my filter driver that belong to my host..
You check for and ignore the ones that you don't care about.
Ethernet hardware / drivers are required to deliver at least all the packets addressed to this host. In the old days of hubs, it was very common for all packets to be flooded to all hosts on a network segment. Even modern switches do that while learning MAC addresses. And of course multicast traffic has to be flooded at least until the leaves are known
Thank you very much. I understand all this, but the role of the network card is to filter all packets addressed to a different MAC address. Otherwise, each host will receive all packets, and the host will take extra time. If you suggest to do it in my driver, what will the network card do?
And the second. If there is such a mod (promiscuous mode), as Mr. Tim_Roberts says, there should be an NDIS command to enable this mode. This will save the driver from this additional work.
The NIC will do whatever it will do. It's job is to deliver to you at least all of the packets that you need. It has no obligation not to deliver you extra ones that you don't care about
Mr. MBond2 and Mr. Tim_Roberts. Thanks for your helpful answers. I changed the card and all is well now.
I'm glad to hear it. Remember that if you are developing a product for general use, you won't have that luxury in the field. You will have to deal with whatever NIC the user has decided to use