Packets on the net

Hi all. Can anyone please tell me why the NDIS filter driver, which is installed between the network card driver and the protocol driver, sees all packets on its network segment? Why does the network card not filter packets that do not belong to it, but passes packets to the NDIS filter driver? How to get rid of these packets from inside the NDIS filter driver, and is it correct?

Many filter drivers and monitoring packages, like Winshark and libpcap, set the NIC into “promiscuous mode”, which causes it to snag ALL the packets that pass by.

Thank you. But I get all packets without running Wireshark. How can I block other packets and prevent their promotion programmatically from inside the NDIS filter driver? My goal is to only receive packets in my filter driver that belong to my host…

You check for and ignore the ones that you don’t care about.

Ethernet hardware / drivers are required to deliver at least all the packets addressed to this host. In the old days of hubs, it was very common for all packets to be flooded to all hosts on a network segment. Even modern switches do that while learning MAC addresses. And of course multicast traffic has to be flooded at least until the leaves are known.

Thank you very much. I understand all this, but the role of the network card is to filter all packets addressed to a different MAC address. Otherwise, each host will receive all packets, and the host will take extra time. If you suggest to do it in my driver, what will the network card do?

And the second. If there is such a mode (promiscuous mode), as Mr. Tim_Roberts says, there should be an NDIS command to enable this mode. This will save the driver from this additional work.

The NIC will do whatever it will do. Its job is to deliver to you at least all of the packets that you need. It has no obligation not to deliver you extra ones that you don’t care about.

Mr. MBond2 and Mr. Tim_Roberts. Thanks for your helpful answers. I changed the card and all is well now.

I’m glad to hear it. Remember that if you are developing a product for general use, you won’t have that luxury in the field. You will have to deal with whatever NIC the user has decided to use.

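The check the replies above describe (keep the frames meant for this host, ignore the rest), as an added example that is not code from any participant in the thread: a destination-MAC classifier in plain C that a driver's receive path could apply to each frame. It assumes the driver already knows its own MAC address and the multicast groups it has joined; `classify_frame`, `host_filter` and the sample frames are hypothetical names and constructed data, and no NDIS API is used.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 6
#define ETH_HDR_LEN 14   /* dst MAC + src MAC + EtherType */

typedef enum { DROP_RUNT, DROP_FOREIGN, ACCEPT_UNICAST,
               ACCEPT_BROADCAST, ACCEPT_MULTICAST } verdict;

typedef struct {
    uint8_t own_mac[MAC_LEN];
    uint8_t mcast[4][MAC_LEN];   /* groups this host has joined */
    size_t  mcast_count;
} host_filter;

/* Decide from the destination MAC alone whether a received frame is for this host. */
verdict classify_frame(const host_filter *hf, const uint8_t *frame, size_t len)
{
    static const uint8_t bcast[MAC_LEN] = {0xff,0xff,0xff,0xff,0xff,0xff};
    if (len < ETH_HDR_LEN)
        return DROP_RUNT;                 /* too short to hold an Ethernet header */
    if (memcmp(frame, bcast, MAC_LEN) == 0)
        return ACCEPT_BROADCAST;
    if (frame[0] & 0x01) {                /* I/G bit set: group (multicast) address */
        for (size_t i = 0; i < hf->mcast_count; i++)
            if (memcmp(frame, hf->mcast[i], MAC_LEN) == 0)
                return ACCEPT_MULTICAST;
        return DROP_FOREIGN;              /* multicast group we never joined */
    }
    return memcmp(frame, hf->own_mac, MAC_LEN) == 0 ? ACCEPT_UNICAST : DROP_FOREIGN;
}

/* Constructed sample data: addresses and frames are made up for this example. */
const host_filter HOST = { {0x02,0,0,0,0,0x01}, { {0x01,0x00,0x5e,0x00,0x00,0xfb} }, 1 };
const uint8_t TO_US[14]      = {0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x09, 0x08,0x00};
const uint8_t TO_OTHER[14]   = {0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x09, 0x08,0x00};
const uint8_t TO_ALL[14]     = {0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x09, 0x08,0x06};
const uint8_t TO_GROUP[14]   = {0x01,0x00,0x5e,0x00,0x00,0xfb, 0x02,0,0,0,0,0x09, 0x08,0x00};
const uint8_t TO_OTHERGRP[14]= {0x01,0x00,0x5e,0x00,0x00,0x01, 0x02,0,0,0,0,0x09, 0x08,0x00};

int main(void)
{
    printf("to us: %d, to other host: %d\n",
           classify_frame(&HOST, TO_US, sizeof TO_US),
           classify_frame(&HOST, TO_OTHER, sizeof TO_OTHER));
    return 0;
}
```
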