How to modify NetBufferList in FilterReceiveNetBufferLists?

OSR_Community_User · December 20, 2009, 10:15am

Hi Dear All,
I am writing a filter driver to modify the traffic network packet. According to the doc of msdn, filter drivers can filter received data before indicating the data to overlying drivers. For each buffer that is submitted to its FilterReceiveNetBufferLists function, a filter driver can modify the contents of the buffer before calling NdisFIndicateReceiveNetBufferLists.

I reference to the sample of the filter driver “ndislwf” and modify the FilterReceiveNetBufferLists function. I queue the NetBufferList in a local structure and do the modification. And then I pass the local structure as the NetBufferList to the NdisFIndicateReceiveNetBufferLists function, but blue screen at once.

I want to ask that how can I modify the contents of the buffer before calling NdisFIndicateReceiveNetBufferLists? Any sample or advice?

Regards,
Daisy

OSR_Community_User · December 20, 2009, 10:29am

Hi Sir:
What u do is fully wrong. You should create new NetBuffer to manipulate MDL (previously NDIS_BUFFER) and chain it to newly created NET_BUFFER. Moreover maybe u misuse some API at wrong DISPATCH level. I advise u to refer to NDIS 6.0 mux intermediate driver and protocol driver sample included with WDK 7600.
In fact, I also come up similar question and posted a thread, but as to yet nobody responses. It is fortune that I have gone through all barriers to completed our own filter driver.

George Lee

David_R_Cattley · December 20, 2009, 10:42am

You are not generally permitted to modify something that your driver does
not ‘own’. A NBL indicated to your driver is usually treated as
‘read-only’. To ‘modify’ the packet, your driver typically would copy the
NBL, modify the copy, indicate the copy, and when the copy is returned, free
it and return the original (unmodified) NBL to the entity that indicated it
to you.

Depending on the nature of the change you wish to make to the NBL, there are
various degrees of ‘depth’ that you might make to ‘copy’ the original NBL.
Review carefully the WDK documentation on Cloning Net Buffers (and NBLs) as
well as the effect of Advance/Retreat operations on Net Buffers.

If you want to be able to scribble all of the entire indicated ‘frame’ from
MAC header to end of transport payload, you could make the ‘copy’ by doing:

Shrink the Original NB to ‘nothing’ temporarily with an Advance operation
of its entire length.
Clone the Original NB.
Restore the Original NB by retreating the amount you advanced.
Retreat the Clone to the size the Clone will be (whatever it will be
after modification say).
Copy what you want form the Original to the Clone making whatever
modifications you want.
Indicate the Clone.
… etc.

Other approaches are possible depending on how much you want to modify.

Good Luck,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of hellodaisy@139.com
Sent: Sunday, December 20, 2009 10:15 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to modify NetBufferList in FilterReceiveNetBufferLists?

Hi Dear All,
I am writing a filter driver to modify the traffic network packet. According
to the doc of msdn, filter drivers can filter received data before
indicating the data to overlying drivers. For each buffer that is submitted
to its FilterReceiveNetBufferLists function, a filter driver can modify the
contents of the buffer before calling NdisFIndicateReceiveNetBufferLists.

I reference to the sample of the filter driver “ndislwf” and modify the
FilterReceiveNetBufferLists function. I queue the NetBufferList in a local
structure and do the modification. And then I pass the local structure as
the NetBufferList to the NdisFIndicateReceiveNetBufferLists function, but
blue screen at once.

I want to ask that how can I modify the contents of the buffer before
calling NdisFIndicateReceiveNetBufferLists? Any sample or advice?

Regards,
Daisy

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · December 20, 2009, 10:50am

Dave:
Pls show some code snippt to demonstrate what u advise.

REegards,

George

OSR_Community_User · December 20, 2009, 8:00pm

Dave, Thank you for your advices and these help me so much. But as George said, would you please kindly give me some code snippt to demonstrate what u advise?

Regards,
Daisy

OSR_Community_User · December 20, 2009, 8:12pm

Hello George, thank you for your respondence. You said that you have gone through all barriers to
complete your own filter driver, and would u please kindly give me some code snippt that how you can overcome the barriers and modify the NB? Thank you~

Regards,
Daisy