NDIS filter driver ETH MAC offset on WLAN Adapter

Hi,

currently we are extracting the MAC Header from a NET_BUFFER by using the NdisQueryMdl. This works for cabled networks. However some WLAN Adapters seem to pass some additional IEEE802.11 Headers in front of the MAC Header. There is a macro called NET_BUFFER_CURRENT_MDL_OFFSET which seems to represent the correct offset of the MAC Header within the payload. The MSDN states about NET_BUFFER_CURRENT_MDL_OFFSET:

“The return value specifies the offset, in bytes, to the beginning of the used data space in the MDL that is specified by the CurrentMdl member of the NET_BUFFER structure.”

I couldn’t find any definition of what “used data space” actually means so I am not sure if I can safely apply the given offset to the address or if there are any pitfalls.
Can someone confirm that this is correct or give me any documentation that clarifies what has to be done to handle it correctly?
Any suggestions are appreciated.

Try NdisGetDataBuffer

https://msdn.microsoft.com/en-us/library/windows/hardware/ff562631(v=vs.85).aspx

On Fri, 14 Jul 2017 at 12:08, xxxxx@ids-imaging.de <xxxxx@lists.osr.com> wrote:

Hi,

currently we are extracting the MAC Header from a NET_BUFFER by using the
NdisQueryMdl. This works for cabled networks. However some WLAN Adapters
seem to pass some additional IEEE802.11 Headers in front of the MAC Header.
There is a macro called NET_BUFFER_CURRENT_MDL_OFFSET which seems to
represent the correct offset of the MAC Header within the payload. The MSDN
states about NET_BUFFER_CURRENT_MDL_OFFSET:

“The return value specifies the offset, in bytes, to the beginning of the
used data space in the MDL that is specified by the CurrentMdl member of
the NET_BUFFER structure.”

I couldn’t find any definition of what “used data space” actually means so
I am not sure if I can safely apply the given offset to the address or if
there are any pitfalls.
Can someone confirm that this is correct or give me any documentation that
clarifies what has to be done to handle it correctly?
Any suggestions are appreciated.


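An added example, not code from the thread or from NDIS: a user-mode model of the documented NdisGetDataBuffer contract, showing why a header read has to start at the current MDL offset, stay within the used data length, and cope with a header that is split across MDLs. The `model_*` types, `model_get_data` and `demo_ethertype` are hypothetical stand-ins, and the frame bytes are constructed sample data.

```c
#include <stddef.h>
#include <string.h>

/* User-mode stand-ins for MDL and NET_BUFFER (assumed names, not ndis.h). */
typedef struct model_mdl {
    struct model_mdl *next;
    unsigned char *va;          /* mapped address of this buffer */
    size_t byte_count;          /* bytes described by this MDL */
} model_mdl;
typedef struct {
    model_mdl *current_mdl;     /* models CurrentMdl */
    size_t current_mdl_offset;  /* models CurrentMdlOffset */
    size_t data_length;         /* models DataLength (used bytes in chain) */
} model_nb;

/* Models the documented NdisGetDataBuffer contract: pointer into the MDL
 * when `need` bytes are contiguous, else a copy in `storage`, else NULL. */
const unsigned char *model_get_data(const model_nb *nb, size_t need,
                                    unsigned char *storage)
{
    const model_mdl *m = nb->current_mdl;
    size_t off = nb->current_mdl_offset, done = 0;
    if (!m || need == 0 || need > nb->data_length || off > m->byte_count)
        return NULL;                        /* never read past the used data */
    if (m->byte_count - off >= need)
        return m->va + off;                 /* contiguous: no copy needed */
    if (!storage)
        return NULL;                        /* split data, nowhere to copy */
    for (; m && done < need; m = m->next, off = 0) {
        size_t avail = m->byte_count - off;
        size_t take = avail < need - done ? avail : need - done;
        memcpy(storage + done, m->va + off, take);
        done += take;
    }
    return done == need ? storage : NULL;
}

/* Constructed sample: 4 unused bytes, then a 14-byte header split 6/8
 * across two MDLs. Returns the EtherType, or -1 on failure. */
int demo_ethertype(size_t data_length)
{
    unsigned char a[10] = {0xEE,0xEE,0xEE,0xEE, 1,2,3,4,5,6};   /* dst MAC */
    unsigned char b[8]  = {7,8,9,10,11,12, 0x08,0x00};          /* src MAC, type */
    unsigned char storage[14];
    model_mdl m2 = { NULL, b, sizeof b }, m1 = { &m2, a, sizeof a };
    model_nb nb = { &m1, 4, data_length };
    const unsigned char *h = model_get_data(&nb, 14, storage);
    return h ? (h[12] << 8) | h[13] : -1;
}
```

Adding the offset to the address returned by NdisQueryMdl corresponds only to the contiguous branch here; the split and too-short cases are the ones that lead to out-of-bounds reads in a filter driver if they are not handled.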