How to get Packet's payload or data in WFP sampler code while examining the packet.

Nishant_Varshney Member Posts: 14
Hello,

I have a filter driver based on Windows Filtering Platform (WFPSampler) which examines or captures all the UDP packets received by the system. I am able to capture or extract the header from the UDP packet (NET_BUFFER). Now I want to get the packet's actual data or packet's payload (which contains the information) and write that to a .txt file. But I am not able to get the packet's actual data or packet's payload (NET_BUFFER) from the received UDP packet. I am capturing packets on the FWPM_LAYER_INBOUND_TRANSPORT_V4 layer.

Reply as soon as possible.

Thank you.

Comments

  • OSR_Community_User Member Posts: 110,217
    Try to do it at stream layer and check the streamedit sample. There is a function something like CopyDataToFlatBuffer where it copies the data payload from a netbuffer to a PVOID allocated buffer.

    --------------------------------------------------------

    Gabriel Bercea

    Windows Kernel Driver Consulting

    www.kasardia.com

    On Tue, Apr 26, 2016 at 11:08 PM -0700, wrote:

    > Hello,
    >
    > I have a filter driver based on Windows Filtering Platform (WFPSampler) which examines or captures all the UDP packets received by the system. I am able to capture or extract the header from the UDP packet (NET_BUFFER). Now I want to get the packet's actual data or packet's payload (which contains the information) and write that to a .txt file. But I am not able to get the packet's actual data or packet's payload (NET_BUFFER) from the received UDP packet. I am capturing packets on the FWPM_LAYER_INBOUND_TRANSPORT_V4 layer.
    >
    > Reply as soon as possible.
    >
    > Thank you.
  • Nishant_Varshney Member Posts: 14
    Hello Gabriel Bercea,

    I am using Basic Packet Examination scenario in WFPSampler example. I tried to do it at stream layer. But I am not getting any packet at that layer. I am trying to do it at FWPM_LAYER_INBOUND_IPPACKET_V4 layer and I am able to get the value of header for UDP protocol. But I don't know how to get the data payload from the packet.

    Thanks
  • Sap_Gr Member Posts: 9
    Hi,
    As far as I know you cannot inspect UDP packets at the stream layer. You
    should register to the datagram data layer and get the data from the net
    buffers.
    On 27 Apr 2016 3:25 PM, wrote:

    > Hello Gabriel Bercea,
    >
    > I am using Basic Packet Examination scenario in WFPSampler example. I
    > tried to do it at stream layer. But I am not getting any packet at that
    > layer. I am trying to do it at FWPM_LAYER_INBOUND_IPPACKET_V4 layer and I
    > am able to get the value of header for UDP protocol. But I don't know how
    > to get the data payload from the packet.
    >
    > Thanks
  • Nishant_Varshney Member Posts: 14
    Hello Sap Gr,

    Thanks for your reply. But you didn't tell me how to extract or get the payload from NET_BUFFER structure. I am able to get the packet and the header from the packet. But I want to write the actual data from packet (payload of the packet) to a file.
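
As an added illustration (not code from the thread, WFPSampler or the streamedit sample), this user-mode C model shows what a "copy to flat buffer" helper has to do: walk the chain of buffer segments from the NET_BUFFER's data offset and bound every copy by the data length and by the UDP length field. The structs `seg` and `nb_model` and all function names are hypothetical stand-ins for the MDL chain and NET_BUFFER, the sample datagram is constructed, and the data offset is assumed to sit on the UDP header; in a driver, NdisGetDataBuffer called with a caller-supplied storage buffer is the NDIS routine that returns such a contiguous view.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical user-mode stand-ins for an MDL chain and a NET_BUFFER. */
struct seg { const uint8_t *data; size_t len; const struct seg *next; };
struct nb_model { const struct seg *first; size_t data_offset, data_length; };
#define UDP_HDR_LEN 8u

/* Copy `want` bytes starting `skip` bytes past the data offset into dst; -1 if
 * the request exceeds data_length, the chain runs short, or dst is too small. */
long nb_copy_flat(const struct nb_model *nb, size_t skip,
                  uint8_t *dst, size_t cap, size_t want)
{
    if (skip > nb->data_length || want > nb->data_length - skip || want > cap) return -1;
    size_t pos = nb->data_offset + skip, done = 0;
    for (const struct seg *s = nb->first; s && done < want; s = s->next) {
        if (pos >= s->len) { pos -= s->len; continue; } /* segment before data */
        size_t n = s->len - pos;
        if (n > want - done) n = want - done;
        memcpy(dst + done, s->data + pos, n);
        done += n; pos = 0;          /* later segments are read from byte 0 */
    }
    return done == want ? (long)done : -1;
}

/* Assumes the data offset is on the UDP header: read it, validate its length
 * field against data_length, then copy only the payload. */
long udp_payload(const struct nb_model *nb, uint8_t *dst, size_t cap)
{
    uint8_t hdr[UDP_HDR_LEN];
    if (nb_copy_flat(nb, 0, hdr, sizeof hdr, sizeof hdr) < 0) return -1;
    size_t udp_len = ((size_t)hdr[4] << 8) | hdr[5];  /* header + payload */
    if (udp_len < UDP_HDR_LEN || udp_len > nb->data_length) return -1;
    return nb_copy_flat(nb, UDP_HDR_LEN, dst, cap, udp_len - UDP_HDR_LEN);
}

/* Constructed sample: 20-byte IP header, then a 13-byte UDP datagram carrying
 * "hello", split across three segments. len_field patches the UDP length. */
uint8_t demo_out[32];
long demo(uint8_t len_field)
{
    uint8_t s1[23] = { [0] = 0x45, [20] = 0x04, [21] = 0xD2, [22] = 0x00 };
    uint8_t s2[7]  = { 0x35, 0x00, len_field, 0x00, 0x00, 'h', 'e' };
    uint8_t s3[3]  = { 'l', 'l', 'o' };
    struct seg c = { s3, 3, NULL }, b = { s2, 7, &c }, a = { s1, 23, &b };
    struct nb_model nb = { &a, 20, 13 };
    return udp_payload(&nb, demo_out, sizeof demo_out);
}
int main(void) { return demo(13) == 5 ? 0 : 1; }
```
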
  • xusysh Member Posts: 2

    same problem here :'(
    did you solve it bro?

  • xusysh Member Posts: 2

    @Nishant_Varshney said:
    > Hello Sap Gr,
    >
    > Thanks for your reply. But you didn't tell me how to extract or get the payload from NET_BUFFER structure. I am able to get the packet and the header from the packet. But I want to write the actual data from packet (payload of the packet) to a file.

    same problem here :'(
    did you solve it bro?

  • Peter_Viscarola_(OSR) Administrator Posts: 7,796

    Dude... you seriously think somebody from 2016 is still following this thread?

    Which is, by the way, posted to the wrong forum.

    SERIOUSLY?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers
