Hi,
Thanks for the reply. One more question I have here: where is this packet
tagging information stored? Is it stored in NET_BUFFER_LIST_CONTEXT? If
so, if any driver is doing a deep copy, might this information be lost?
Regards,
Rahul
On Fri, Nov 11, 2016 at 4:40 AM, wrote:
> You can use ALE or Stream layer in WFP to get the process name, and then
> use WFP packet tagging to tag the packet for your NDIS LWF to see the data
> you’ve attached to it.
>
> However, before you go do all of that work, consider that you’re only ever
> going to see one of two processes:
>
> * svchost.exe (Dns Client)
> * nslookup.exe
>
> Due to the fact that almost all processes use DnsQuery, which does standard
> caching through the DNS Client/Cache (except nslookup).
>
> –
> Best regards,
> Alex Ionescu
>
> —
> NTDEV is sponsored by OSR