Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

ndis filter driver : as install it, internet connect cut off

380nanometres380nanometres Member Posts: 11

Hello, I am trying to develop ndis filter driver working as NAT driver. I want to change destination address.

Here is my method to do it.

  1. read eth header and ip header from NB
  2. using NdisAdvanceNetBufferDataStart() function, logically remove eth header + ip header from NBL
  3. make clone of NBL using NdisAllocateCloneNetBufferList
  4. using NdisRetreatNetBufferDataStart() function, make space for header to cloned NBL (all underneath steps are 'to cloned NBL')
  5. get an starting address that eth header should be located in cloned NBL, using NdisGetDataBuffer() and add the eth header(got from 1st step)
  6. using NdisAdvanceNetBufferDataStart() and NdisGetDataBuffer, get an starting address of ip header and add the ip header(got from 1st step) to the address
  7. I want to modify dest ip from ip header, so get an dest ip address through using NdisAdvanceNetBufferDataStart() for sizeof(ipheader)-4 and NdisGetDataBuffer()
  8. overwrite dest ip in ip header (using RtlIpv4StringToAddress())
  9. in FilterSendNetBufferListsComplete, free the cloned NBL

I referenced "" to free the cloned NBL in FilterSendNetBufferListsComplete.

However, I built it and install at VM, but its internet access cut off.

So for testing, I wrote same destination ip addresses as original NBL in cloned NBL, by same methods above, and it worked normally.

So is it a problem with the one ip address that I arbitrarily overwrite? Or is it an ip checksum problem? or else?
I don't know because there is too little information to find.

After struggling a few weeks, I think I am close to what I want to make... but this problem is blocking me from progression.

Thank you


  • 380nanometres380nanometres Member Posts: 11

    I know there is TCP/IP checksum offload. nevertheless I have to calculate checksum through the code? or there is something to do after modify ip address I missed?

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 7 Dec 2020 LIVE ONLINE
Internals & Software Drivers 25 Jan 2021 LIVE ONLINE
Developing Minifilters 8 March 2021 LIVE ONLINE