Hi All,
I am writing a TDI Filter Driver to monitor the TCP network traffic.I have
one Question regarding TDI that can I get the packet headers and frame
number,Frame Size of the packets which are sent to loopback address
127.0.0.1 or localhost site if IIS is installed there ?
Any help is appreciated…
– Subodh Gupta
I would try doing a filter driver for the tcp DriverObject. Note that
tcpip.sys has tcpip, upd and other Driverobject in it. Do !Drvobj
tcpip.sys in NT. I would try to do a filter for tcpip.sys and look at
the packets.
TDI is the Transfer Device Interface that routes the packets to the
correct driver by way of the Winsocket dll.
I have not done this but it might help.
>> would try doing a filter driver for the tcp DriverObject.
Wont work. And officially you cant filter “driver objects”, only device
objects. Hooking directly the dispatch
points in the driver object is not supported by MS. And anyway, access to IP
header is not available for a
filter driver, layered above any of the TCP device objects. You can,
however, identify data which is targeted
against 127.0.0.1, but not by peeking the IP frame.
> I would try to do a filter for tcpip.sys and look at the packets.
> TDI is the Transfer Device Interface
Actually, its Transport Driver Interface. And has nothing to do with
winsockets and routing through sockets.
Dan
“William Michael Jones” wrote in message
news:xxxxx@ntdev…
>
> I would try doing a filter driver for the tcp DriverObject. Note that
> tcpip.sys has tcpip, upd and other Driverobject in it. Do !Drvobj
> tcpip.sys in NT. I would try to do a filter for tcpip.sys and look at
> the packets.
>
>
> TDI is the Transfer Device Interface that routes the packets to the
> correct driver by way of the Winsocket dll.
>
> I have not done this but it might help.
>
>
>
> Actually, its Transport Driver Interface. And has nothing to do with
winsockets
It has. It is a bottom layer of communication between common socket
code (AFD.SYS) and particular protocols.
You can also talk to TDI directly.
Max
> TDI is the Transfer Device Interface that routes the packets to the
correct driver by way of the Winsocket dll.
No, it is lower then WinSock. WinSock itself is based on TDI.
See my another message here about what TDI is.
Max
Sorry, Max , I did not statuated that the anciliary function driver aint a
TDI client, nor that socket implementation does not relay on TDI interface.
I maintain my statement , winsocket has to do and deal with TDI , and not
TDI with winsockets.
----- Original Message -----
From: “Maxim S. Shatskih”
To: “NT Developers Interest List”
Sent: Sunday, July 21, 2002 4:01 PM
Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
of localhost packets ?
> > Actually, its Transport Driver Interface. And has nothing to do with
> > winsockets
>
> It has. It is a bottom layer of communication between common socket
> code (AFD.SYS) and particular protocols.
> You can also talk to TDI directly.
>
> Max
>
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to %%email.unsub%%
>
Hi Friends,
I think i need to make it some more clear -
1-> What i am doing is i have created a filter driver which sits above the
TCP.SYS and monitors all the incoming and outgoing traffic.
2-> since i am watching all the IRP’s so my question is regarding specific
loopback and localhost IRP.
3-> I am also hooking the events.
4->is it possible for me to see the header details of those IRP’s ? I know
that probably not in case of outgoing IRP’s but what about Incoming IRP’s
which are sent back by NDIS and TCP as a result of loopback ??
I think this makes clear what i mean to say.
— Subodh
----- Original Message -----
From: “Dan Partelly”
Newsgroups: ntdev
To: “NT Developers Interest List”
Sent: Sunday, July 21, 2002 4:45 PM
Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
of localhost packets ?
> >> would try doing a filter driver for the tcp DriverObject.
>
> Wont work. And officially you cant filter “driver objects”, only device
> objects. Hooking directly the dispatch
> points in the driver object is not supported by MS. And anyway, access to
IP
> header is not available for a
> filter driver, layered above any of the TCP device objects. You can,
> however, identify data which is targeted
> against 127.0.0.1, but not by peeking the IP frame.
>
> >> I would try to do a filter for tcpip.sys and look at the packets.
>
> >> TDI is the Transfer Device Interface
>
> Actually, its Transport Driver Interface. And has nothing to do with
> winsockets and routing through sockets.
>
> Dan
>
> “William Michael Jones” wrote in message
> news:xxxxx@ntdev…
> >
> > I would try doing a filter driver for the tcp DriverObject. Note that
> > tcpip.sys has tcpip, upd and other Driverobject in it. Do !Drvobj
> > tcpip.sys in NT. I would try to do a filter for tcpip.sys and look at
> > the packets.
> >
> >
> > TDI is the Transfer Device Interface that routes the packets to the
> > correct driver by way of the Winsocket dll.
> >
> > I have not done this but it might help.
> >
> >
> >
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> To unsubscribe send a blank email to %%email.unsub%%
>
4->is it possible for me to see the header details of those IRP’s ? I know
that probably not in case of outgoing IRP’s but what about Incoming IRP’s
which are sent back by NDIS and TCP as a result of loopback ??
Im afarid it does not work this way. the loopback mechanism is implemented
internal to tcpip driver. And anyway,
NDIS wont talk to protocol drivers through IRPs.
Dan
----- Original Message -----
From: “Subodh Gupta”
To: “NT Developers Interest List”
Sent: Monday, July 22, 2002 12:18 PM
Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
of localhost packets ?
> Hi Friends,
>
> I think i need to make it some more clear -
>
> 1-> What i am doing is i have created a filter driver which sits above the
> TCP.SYS and monitors all the incoming and outgoing traffic.
>
> 2-> since i am watching all the IRP’s so my question is regarding specific
> loopback and localhost IRP.
> 3-> I am also hooking the events.
> 4->is it possible for me to see the header details of those IRP’s ? I know
> that probably not in case of outgoing IRP’s but what about Incoming IRP’s
> which are sent back by NDIS and TCP as a result of loopback ??
>
> I think this makes clear what i mean to say.
>
> — Subodh
> ----- Original Message -----
> From: “Dan Partelly”
> Newsgroups: ntdev
> To: “NT Developers Interest List”
> Sent: Sunday, July 21, 2002 4:45 PM
> Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
> of localhost packets ?
>
>
> > >> would try doing a filter driver for the tcp DriverObject.
> >
> > Wont work. And officially you cant filter “driver objects”, only device
> > objects. Hooking directly the dispatch
> > points in the driver object is not supported by MS. And anyway, access
to
> IP
> > header is not available for a
> > filter driver, layered above any of the TCP device objects. You can,
> > however, identify data which is targeted
> > against 127.0.0.1, but not by peeking the IP frame.
> >
> > >> I would try to do a filter for tcpip.sys and look at the packets.
> >
> > >> TDI is the Transfer Device Interface
> >
> > Actually, its Transport Driver Interface. And has nothing to do with
> > winsockets and routing through sockets.
> >
> > Dan
> >
> > “William Michael Jones” wrote in message
> > news:xxxxx@ntdev…
> > >
> > > I would try doing a filter driver for the tcp DriverObject. Note that
> > > tcpip.sys has tcpip, upd and other Driverobject in it. Do !Drvobj
> > > tcpip.sys in NT. I would try to do a filter for tcpip.sys and look at
> > > the packets.
> > >
> > >
> > > TDI is the Transfer Device Interface that routes the packets to the
> > > correct driver by way of the Winsocket dll.
> > >
> > > I have not done this but it might help.
> > >
> > >
> > >
> >
> >
> >
> > —
> > You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> > To unsubscribe send a blank email to %%email.unsub%%
> >
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to %%email.unsub%%
>
Hi,
I think the biggest confusion here is about where exactly the LOOPBACK
feature is implemented ??
DDK documentation says that it is inside NDIS library {for the hardware
which does not have loopback implemented in it} but you say that it is in
TCP ??
if it is in TCP then I am filtering the right thing so i must get the
details (atleast for reflected packets).
if NDIS is looping back then a filter {which will now be known as
Intermediate driver} should sit below tcp and above NDIS.
Pls clear the confusion…
thanks in advance…
–Subodh
----- Original Message -----
From: “Dan Partelly”
To: “NT Developers Interest List”
Sent: Monday, July 22, 2002 3:37 PM
Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
of localhost packets ?
> 4->is it possible for me to see the header details of those IRP’s ? I know
> that probably not in case of outgoing IRP’s but what about Incoming IRP’s
> which are sent back by NDIS and TCP as a result of loopback ??
>
> Im afarid it does not work this way. the loopback mechanism is implemented
> internal to tcpip driver. And anyway,
> NDIS wont talk to protocol drivers through IRPs.
>
> Dan
>
> ----- Original Message -----
> From: “Subodh Gupta”
> To: “NT Developers Interest List”
> Sent: Monday, July 22, 2002 12:18 PM
> Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
> of localhost packets ?
>
>
> > Hi Friends,
> >
> > I think i need to make it some more clear -
> >
> > 1-> What i am doing is i have created a filter driver which sits above
the
> > TCP.SYS and monitors all the incoming and outgoing traffic.
> >
> > 2-> since i am watching all the IRP’s so my question is regarding
specific
> > loopback and localhost IRP.
> > 3-> I am also hooking the events.
> > 4->is it possible for me to see the header details of those IRP’s ? I
know
> > that probably not in case of outgoing IRP’s but what about Incoming
IRP’s
> > which are sent back by NDIS and TCP as a result of loopback ??
> >
> > I think this makes clear what i mean to say.
> >
> > — Subodh
> > ----- Original Message -----
> > From: “Dan Partelly”
> > Newsgroups: ntdev
> > To: “NT Developers Interest List”
> > Sent: Sunday, July 21, 2002 4:45 PM
> > Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame
Details
> > of localhost packets ?
> >
> >
> > > >> would try doing a filter driver for the tcp DriverObject.
> > >
> > > Wont work. And officially you cant filter “driver objects”, only
device
> > > objects. Hooking directly the dispatch
> > > points in the driver object is not supported by MS. And anyway, access
> to
> > IP
> > > header is not available for a
> > > filter driver, layered above any of the TCP device objects. You can,
> > > however, identify data which is targeted
> > > against 127.0.0.1, but not by peeking the IP frame.
> > >
> > > >> I would try to do a filter for tcpip.sys and look at the packets.
> > >
> > > >> TDI is the Transfer Device Interface
> > >
> > > Actually, its Transport Driver Interface. And has nothing to do with
> > > winsockets and routing through sockets.
> > >
> > > Dan
> > >
> > > “William Michael Jones” wrote in message
> > > news:xxxxx@ntdev…
> > > >
> > > > I would try doing a filter driver for the tcp DriverObject. Note
that
> > > > tcpip.sys has tcpip, upd and other Driverobject in it. Do !Drvobj
> > > > tcpip.sys in NT. I would try to do a filter for tcpip.sys and look
at
> > > > the packets.
> > > >
> > > >
> > > > TDI is the Transfer Device Interface that routes the packets to the
> > > > correct driver by way of the Winsocket dll.
> > > >
> > > > I have not done this but it might help.
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > > —
> > > You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> > > To unsubscribe send a blank email to %%email.unsub%%
> > >
> >
> >
> >
> > —
> > You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> > To unsubscribe send a blank email to %%email.unsub%%
> >
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> To unsubscribe send a blank email to %%email.unsub%%
>
Hi,
If I recall right the loopback mechanism for localhost trafic is internal to
TCPIP driver. Packets are not passed to NDIS for reflection. So if you want
to monitor trafic on sockets used as a local IPC mechanism, connecting to
localhost, you need TDI level. I think that coneccting to NIC adapter IP
address will result in NDIS loopback behaviour only.
At TDI level filtering, you have no access to IP headers , anyway.
Maybe somone at MS can confirm this, I dont recall all details.
Dan
----- Original Message -----
From: “Subodh Gupta”
To: “NT Developers Interest List”
Sent: Monday, July 22, 2002 3:55 PM
Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
of localhost packets ?
> Hi,
>
> I think the biggest confusion here is about where exactly the LOOPBACK
> feature is implemented ??
>
> DDK documentation says that it is inside NDIS library {for the hardware
> which does not have loopback implemented in it} but you say that it is in
> TCP ??
>
> if it is in TCP then I am filtering the right thing so i must get the
> details (atleast for reflected packets).
>
> if NDIS is looping back then a filter {which will now be known as
> Intermediate driver} should sit below tcp and above NDIS.
>
> Pls clear the confusion…
> thanks in advance…
> --Subodh
>
>
> ----- Original Message -----
> From: “Dan Partelly”
> To: “NT Developers Interest List”
> Sent: Monday, July 22, 2002 3:37 PM
> Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
> of localhost packets ?
>
>
> > 4->is it possible for me to see the header details of those IRP’s ? I
know
> > that probably not in case of outgoing IRP’s but what about Incoming
IRP’s
> > which are sent back by NDIS and TCP as a result of loopback ??
> >
> > Im afarid it does not work this way. the loopback mechanism is
implemented
> > internal to tcpip driver. And anyway,
> > NDIS wont talk to protocol drivers through IRPs.
> >
> > Dan
> >
> > ----- Original Message -----
> > From: “Subodh Gupta”
> > To: “NT Developers Interest List”
> > Sent: Monday, July 22, 2002 12:18 PM
> > Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame
Details
> > of localhost packets ?
> >
> >
> > > Hi Friends,
> > >
> > > I think i need to make it some more clear -
> > >
> > > 1-> What i am doing is i have created a filter driver which sits above
> the
> > > TCP.SYS and monitors all the incoming and outgoing traffic.
> > >
> > > 2-> since i am watching all the IRP’s so my question is regarding
> specific
> > > loopback and localhost IRP.
> > > 3-> I am also hooking the events.
> > > 4->is it possible for me to see the header details of those IRP’s ? I
> know
> > > that probably not in case of outgoing IRP’s but what about Incoming
> IRP’s
> > > which are sent back by NDIS and TCP as a result of loopback ??
> > >
> > > I think this makes clear what i mean to say.
> > >
> > > — Subodh
> > > ----- Original Message -----
> > > From: “Dan Partelly”
> > > Newsgroups: ntdev
> > > To: “NT Developers Interest List”
> > > Sent: Sunday, July 21, 2002 4:45 PM
> > > Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame
> Details
> > > of localhost packets ?
> > >
> > >
> > > > >> would try doing a filter driver for the tcp DriverObject.
> > > >
> > > > Wont work. And officially you cant filter “driver objects”, only
> device
> > > > objects. Hooking directly the dispatch
> > > > points in the driver object is not supported by MS. And anyway,
access
> > to
> > > IP
> > > > header is not available for a
> > > > filter driver, layered above any of the TCP device objects. You can,
> > > > however, identify data which is targeted
> > > > against 127.0.0.1, but not by peeking the IP frame.
> > > >
> > > > >> I would try to do a filter for tcpip.sys and look at the
packets.
> > > >
> > > > >> TDI is the Transfer Device Interface
> > > >
> > > > Actually, its Transport Driver Interface. And has nothing to do with
> > > > winsockets and routing through sockets.
> > > >
> > > > Dan
> > > >
> > > > “William Michael Jones” wrote in message
> > > > news:xxxxx@ntdev…
> > > > >
> > > > > I would try doing a filter driver for the tcp DriverObject. Note
> that
> > > > > tcpip.sys has tcpip, upd and other Driverobject in it. Do !Drvobj
> > > > > tcpip.sys in NT. I would try to do a filter for tcpip.sys and
look
> at
> > > > > the packets.
> > > > >
> > > > >
> > > > > TDI is the Transfer Device Interface that routes the packets to
the
> > > > > correct driver by way of the Winsocket dll.
> > > > >
> > > > > I have not done this but it might help.
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > —
> > > > You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> > > > To unsubscribe send a blank email to %%email.unsub%%
> > > >
> > >
> > >
> > >
> > > —
> > > You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> > > To unsubscribe send a blank email to %%email.unsub%%
> > >
> >
> >
> >
> > —
> > You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> > To unsubscribe send a blank email to %%email.unsub%%
> >
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to %%email.unsub%%
>
No, a TDI filter CANNOT get headers and frame details of any TCP stream data
not can it get headers and frame details of any Udp datagrams sent or
received.
At the TDI interface over Tcp or Udp you will be able to see the DATA being
sent or received.
You will also be able to see (filter) SOME ancillary data. For example, you
will be able to examine the parameters (e.g., Flags, address information
passed to create and completion routines, etc.). The ancillary data gives
you indirect and partial visibility into SOME of the details of the stream
or datagrams besides the data itself. But NOT the complete picture.
Think of TDI logically as just the kernel mode TCP/IP API. Although the
details of the API differ from the user mode Winsock API, the logical
equivalence is the same. In most cases, if you can’t perform an operation in
user mode (e.g., fetch packet details through Winsock), then there is little
reason to expect to be able to do it with TDI.
Thomas F. Divine
PCAUSA - Tools & Resources For Network Software Developers
NDIS Protocol/Intermediate/Hooking - TDI Client/Filter
http: - http:
“Subodh Gupta” wrote in message news:xxxxx@ntdev…
>
> Hi All,
>
> I am writing a TDI Filter Driver to monitor the TCP network traffic.I have
> one Question regarding TDI that can I get the packet headers and frame
> number,Frame Size of the packets which are sent to loopback address
> 127.0.0.1 or localhost site if IIS is installed there ?
>
> Any help is appreciated…
>
> – Subodh Gupta
>
></http:></http:>
> I think the biggest confusion here is about where exactly the
LOOPBACK
feature is implemented ??
127.0.0.1 is implemented in IP.
NDIS also has loopback feature, which comes into play if the packet is
sent to local MAC address. In this cases, the NIC driver is bypassed.
Max
Hi Maxim ,
Thanks clearing the confusion…
But now my question is can i filter IP {I mean to say that is there IP
device which can be created by filter driver and monitored…}… or i need
to hook TCP as i am currently doing .
I have seen some samples which create UDP devices {but none of IP} … so i
think in the same way i can create IP device also.If its true then i think
hooking to IP can solve the problem…
Pls let me know what do you think…
—Subodh
----- Original Message -----
From: “Maxim S. Shatskih”
To: “NT Developers Interest List”
Sent: Wednesday, July 24, 2002 5:23 PM
Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
of localhost packets ?
> > I think the biggest confusion here is about where exactly the
> LOOPBACK
> > feature is implemented ??
>
> 127.0.0.1 is implemented in IP.
> NDIS also has loopback feature, which comes into play if the packet is
> sent to local MAC address. In this cases, the NIC driver is bypassed.
>
> Max
>
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> To unsubscribe send a blank email to %%email.unsub%%
>
You where told more than once by 5 ppl at least that filtering over TCP /
UDP or IP devices
wont allow you to see IP headers of data, only the payload. Through
filtering you can however get SOME data which eventualy ends into IP header.
As for where you have to layer , that really depends what protocols you want
to intercept. Wouldnt be simple to ask us “I wanna implement this driver
which must do “xxxxx”, tell me how to doit.”
----- Original Message -----
From: “Subodh Gupta”
To: “NT Developers Interest List”
Sent: Thursday, July 25, 2002 4:23 PM
Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
of localhost packets ?
> Hi Maxim ,
>
> Thanks clearing the confusion…
> But now my question is can i filter IP {I mean to say that is there IP
> device which can be created by filter driver and monitored…}… or i need
> to hook TCP as i am currently doing .
> I have seen some samples which create UDP devices {but none of IP} … so i
> think in the same way i can create IP device also.If its true then i think
> hooking to IP can solve the problem…
>
> Pls let me know what do you think…
>
> —Subodh
> ----- Original Message -----
> From: “Maxim S. Shatskih”
> To: “NT Developers Interest List”
> Sent: Wednesday, July 24, 2002 5:23 PM
> Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
> of localhost packets ?
>
>
> > > I think the biggest confusion here is about where exactly the
> > LOOPBACK
> > > feature is implemented ??
> >
> > 127.0.0.1 is implemented in IP.
> > NDIS also has loopback feature, which comes into play if the packet is
> > sent to local MAC address. In this cases, the NIC driver is bypassed.
> >
> > Max
> >
> >
> >
> >
> > —
> > You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> > To unsubscribe send a blank email to %%email.unsub%%
> >
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to %%email.unsub%%
>
Hi ,
yes, I think you are right i must pinpoint the problem…
So now i put it that way …
I want to implement a driver which must capture packets drirected to
127.0.0.1 adress can any one tell tell me how to doit ?
Any suggestions are welcome…
— Subodh
----- Original Message -----
From: “Dan Partelly”
To: “NT Developers Interest List”
Sent: Thursday, July 25, 2002 7:25 PM
Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
of localhost packets ?
> You where told more than once by 5 ppl at least that filtering over TCP /
> UDP or IP devices
> wont allow you to see IP headers of data, only the payload. Through
> filtering you can however get SOME data which eventualy ends into IP
header.
> As for where you have to layer , that really depends what protocols you
want
> to intercept. Wouldnt be simple to ask us “I wanna implement this driver
> which must do “xxxxx”, tell me how to doit.”
>
> ----- Original Message -----
> From: “Subodh Gupta”
> To: “NT Developers Interest List”
> Sent: Thursday, July 25, 2002 4:23 PM
> Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
> of localhost packets ?
>
>
> > Hi Maxim ,
> >
> > Thanks clearing the confusion…
> > But now my question is can i filter IP {I mean to say that is there IP
> > device which can be created by filter driver and monitored…}… or i
need
> > to hook TCP as i am currently doing .
> > I have seen some samples which create UDP devices {but none of IP} … so
i
> > think in the same way i can create IP device also.If its true then i
think
> > hooking to IP can solve the problem…
> >
> > Pls let me know what do you think…
> >
> > —Subodh
> > ----- Original Message -----
> > From: “Maxim S. Shatskih”
> > To: “NT Developers Interest List”
> > Sent: Wednesday, July 24, 2002 5:23 PM
> > Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame
Details
> > of localhost packets ?
> >
> >
> > > > I think the biggest confusion here is about where exactly the
> > > LOOPBACK
> > > > feature is implemented ??
> > >
> > > 127.0.0.1 is implemented in IP.
> > > NDIS also has loopback feature, which comes into play if the packet is
> > > sent to local MAC address. In this cases, the NIC driver is bypassed.
> > >
> > > Max
> > >
> > >
> > >
> > >
> > > —
> > > You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> > > To unsubscribe send a blank email to %%email.unsub%%
> > >
> >
> >
> >
> > —
> > You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> > To unsubscribe send a blank email to %%email.unsub%%
> >
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> To unsubscribe send a blank email to %%email.unsub%%
>
Hi ,
Sorry I forgot to write which protocols i want to intercept -IP
-TCP
-ICMP -if possible.
Sorry for the mistake…
– Subodh
----- Original Message -----
From: “Dan Partelly”
To: “NT Developers Interest List”
Sent: Thursday, July 25, 2002 7:25 PM
Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
of localhost packets ?
> You where told more than once by 5 ppl at least that filtering over TCP /
> UDP or IP devices
> wont allow you to see IP headers of data, only the payload. Through
> filtering you can however get SOME data which eventualy ends into IP
header.
> As for where you have to layer , that really depends what protocols you
want
> to intercept. Wouldnt be simple to ask us “I wanna implement this driver
> which must do “xxxxx”, tell me how to doit.”
>
> ----- Original Message -----
> From: “Subodh Gupta”
> To: “NT Developers Interest List”
> Sent: Thursday, July 25, 2002 4:23 PM
> Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
> of localhost packets ?
>
>
> > Hi Maxim ,
> >
> > Thanks clearing the confusion…
> > But now my question is can i filter IP {I mean to say that is there IP
> > device which can be created by filter driver and monitored…}… or i
need
> > to hook TCP as i am currently doing .
> > I have seen some samples which create UDP devices {but none of IP} … so
i
> > think in the same way i can create IP device also.If its true then i
think
> > hooking to IP can solve the problem…
> >
> > Pls let me know what do you think…
> >
> > —Subodh
> > ----- Original Message -----
> > From: “Maxim S. Shatskih”
> > To: “NT Developers Interest List”
> > Sent: Wednesday, July 24, 2002 5:23 PM
> > Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame
Details
> > of localhost packets ?
> >
> >
> > > > I think the biggest confusion here is about where exactly the
> > > LOOPBACK
> > > > feature is implemented ??
> > >
> > > 127.0.0.1 is implemented in IP.
> > > NDIS also has loopback feature, which comes into play if the packet is
> > > sent to local MAC address. In this cases, the NIC driver is bypassed.
> > >
> > > Max
> > >
> > >
> > >
> > >
> > > —
> > > You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> > > To unsubscribe send a blank email to %%email.unsub%%
> > >
> >
> >
> >
> > —
> > You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> > To unsubscribe send a blank email to %%email.unsub%%
> >
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> To unsubscribe send a blank email to %%email.unsub%%
>
Try the “TDI Monitor” application from SysInternals
http://www.sysinternals.com. If TDI Mon sees the packets you are interested
in, then you can write a TDI filter driver to intercept them.
TDI Mon operation is based on use of a TDI filter.
Thomas F. Divine
PCAUSA - Tools & Resources For Network Software Developers
NDIS Protocol/Intermediate/Hooking - TDI Client/Filter
http: - http:
“Subodh Gupta” wrote in message news:xxxxx@ntdev…
>
> Hi ,
>
> Sorry I forgot to write which protocols i want to intercept -IP
> -TCP
> -ICMP -if possible.
>
> Sorry for the mistake…
> – Subodh
> ----- Original Message -----
> From: “Dan Partelly”
> To: “NT Developers Interest List”
> Sent: Thursday, July 25, 2002 7:25 PM
> Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
> of localhost packets ?
>
>
> > You where told more than once by 5 ppl at least that filtering over TCP
/
> > UDP or IP devices
> > wont allow you to see IP headers of data, only the payload. Through
> > filtering you can however get SOME data which eventualy ends into IP
> header.
> > As for where you have to layer , that really depends what protocols you
> want
> > to intercept. Wouldnt be simple to ask us “I wanna implement this
driver
> > which must do “xxxxx”, tell me how to doit.”
> >
> > ----- Original Message -----
> > From: “Subodh Gupta”
> > To: “NT Developers Interest List”
> > Sent: Thursday, July 25, 2002 4:23 PM
> > Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame
Details
> > of localhost packets ?
> >
> >
> > > Hi Maxim ,
> > >
> > > Thanks clearing the confusion…
> > > But now my question is can i filter IP {I mean to say that is there
IP
> > > device which can be created by filter driver and monitored…}… or i
> need
> > > to hook TCP as i am currently doing .
> > > I have seen some samples which create UDP devices {but none of IP} …
so
> i
> > > think in the same way i can create IP device also.If its true then i
> think
> > > hooking to IP can solve the problem…
> > >
> > > Pls let me know what do you think…
> > >
> > > —Subodh
> > > ----- Original Message -----
> > > From: “Maxim S. Shatskih”
> > > To: “NT Developers Interest List”
> > > Sent: Wednesday, July 24, 2002 5:23 PM
> > > Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame
> Details
> > > of localhost packets ?
> > >
> > >
> > > > > I think the biggest confusion here is about where exactly the
> > > > LOOPBACK
> > > > > feature is implemented ??
> > > >
> > > > 127.0.0.1 is implemented in IP.
> > > > NDIS also has loopback feature, which comes into play if the packet
is
> > > > sent to local MAC address. In this cases, the NIC driver is
bypassed.
> > > >
> > > > Max
> > > >
> > > >
> > > >
> > > >
> > > > —
> > > > You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> > > > To unsubscribe send a blank email to %%email.unsub%%
> > > >
> > >
> > >
> > >
> > > —
> > > You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> > > To unsubscribe send a blank email to %%email.unsub%%
> > >
> >
> >
> >
> > —
> > You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> > To unsubscribe send a blank email to %%email.unsub%%
> >
>
>
>
></http:></http:>
Hi Thomas,
Thanks for the inputs…
I just want to put few more facts and thoughts in front of you all -
I have seen TDIMon few days ago and analysed its output when i ping to the
localhost or try to open the localhost site using Internet Explorer.
This is what it shows. When I try to pint localhost using command >ping
localhost
Local Remote Result
1 0.00000000 ping.exe:560 8118CAA8 IRP_MJ_CREATE TCP:Control obj
SUCCESS
2 0.00006509 ping.exe:560 810B1188 IRP_MJ_CREATE TCP:Control obj SUCCESS
3 0.00019863 ping.exe:560 8118CAA8 IRP_MJ_DEVICE_CONTROL TCP:Control obj
SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
4 0.00031261 ping.exe:560 8118CAA8 IRP_MJ_DEVICE_CONTROL TCP:Control obj
SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
…
…
and at the end when ping terminates-
62 3.01438814 ping.exe:560 8118CAA8 IRP_MJ_CLEANUP TCP:Control
obj SUCCESS
63 3.01441999 ping.exe:560 8118CAA8 IRP_MJ_CLOSE
TCP:Control obj SUCCESS
64 3.01444457 ping.exe:560 810B1188 IRP_MJ_CLEANUP
TCP:Control obj SUCCESS
65 3.01446217 ping.exe:560 810B1188 IRP_MJ_CLOSE
TCP:Control obj SUCCESS
66 3.01712927 ping.exe:560 8118CB48 IRP_MJ_CLEANUP
TCP:Control obj SUCCESS
67 3.01716084 ping.exe:560 8118CB48 IRP_MJ_CLOSE
TCP:Control obj SUCCESS
This output clearly shows that TDIMon is able to capture the following
details -
Process -which process sent data {originator}
Object - which object in the object manager sent data
Request - which was the request sent to tcp device
Local - local device object name
Remote - address object on remote end (None in case of pinging to the
localhost…)
Result -of operation
Again I have also encountered an article which was written in MSJ october
2000 issue http://msdn.microsoft.com/msdnmag/issues/1000/VTrace/VTrace.asp ,
In which the creators of famous VTrace tool have discussed about their
practice of capturing networking data in VTrace. Here is a snapshot of what
they say -
---->>>>>
Network Filter
Unlike the other filter drivers we needed, we found no source code for a
network transport layer filter driver. This meant we had to write one
essentially from scratch.
In Windows NT and Windows 2000, all transport protocols must use the same
programming interface: the transport driver interface (TDI). Figure 6 shows
the minor function codes of some useful TDI internal device control requests
(from the Windows NT DDK help). I/O requests passed to the transport layer
all conform to the single format described in the DDK help and the DDK files
TDI.H and TDIKRNL.H. It seems this would make our job easy, but building a
filter for these requests still presented us with a challenge.
One problem we encountered is that some IRPs have the major function code
“device control,” but we couldn’t find anything describing their parameter
format. However, we learned from the DDK help that the first thing a device
does when it receives such a request is call the function TdiMapUserRequest
to convert it to one with a major function code of “internal device control”
(which we know how to interpret). So, in our filter driver dispatch routine
for device control requests, we first call TdiMapUserRequest.
Another problem is an apparent bug in the way Windows NT handles network
filter devices. When Windows NT constructs an IRP, it must allocate enough
stack space in it to account for the maximum depth of the device stack that
the IRP will pass through. To allow this, each device object has a stack
count field indicating how large the stack must be in IRPs it receives.
Unfortunately, Windows NT sometimes brazenly ignores the stack count field
in our filter device objects and sends it an IRP with insufficient stack
space. If we push a new location onto this stack and pass it on, eventually
the stack overflows and we see the blue screen. We solve the stack problem
by checking for insufficient stack space, and creating a new IRP to pass to
the lower-level driver when needed.
Yet another problem is that not all network I/O uses IRPs. If I/O must
happen in response to some event, such as a datagram arrival, the system
invokes an event handler function rather than a dispatch routine. This is
unfortunate, since while Windows NT and Windows 2000 provide the elegant,
well-supported filter driver approach for intercepting IRPs sent to dispatch
routines, it gives no such help in intercepting calls to event handlers.
We overcame this with our own technique for intercepting calls to event
handlers. The key is our ability-thanks to filter devices-to intercept and
change any request that sets a new event handler for a file object. (These
are the requests with minor function code TDI_SET_HANDLER.) Each of these
requests contains the location of the event-handling function, the type of
event it handles, and a four-byte context value to pass to that function.
All the driver must do, then, is allocate a structure to store this
information, then modify the request so that instead of containing the
location of the real event-handling function and the real four-byte context
value, it contains the location of a special logging event-handling function
and the four-byte address of the allocated structure. So whenever an event
of the given type happens, our special logging event-handling function is
called and passed the address of the structure we allocated. This function
logs the event, and then inspects the structure in order to call the
appropriate event-handling function with the appropriate context value. When
that function returns, our special logging function can trace its return
value. (We later refined this approach so the driver allocates a single
structure per file object, not per event handler, so it can quickly free all
the memory allocated for a file object when it closes.)
----->>>>
So both of this software are built using TDI Filter driver .This are my
inspirations.Now I also want to do the same…
what do you think now can i do it using TDI Filter driver or i must go for
other options like IP Filter hooks .
Pls let me know your comments…
Regards…
—SUBODH
----- Original Message -----
From: “Thomas F. Divine”
Newsgroups: ntdev
To: “NT Developers Interest List”
Sent: Thursday, July 25, 2002 9:08 PM
Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
of localhost packets ?
> Try the “TDI Monitor” application from SysInternals
> http://www.sysinternals.com. If TDI Mon sees the packets you are
interested
> in, then you can write a TDI filter driver to intercept them.
>
> TDI Mon operation is based on use of a TDI filter.
>
> Good luck,
> –
> Thomas F. Divine
>
> PCAUSA - Tools & Resources For Network Software Developers
> NDIS Protocol/Intermediate/Hooking - TDI Client/Filter
> http: - http:
>
> “Subodh Gupta” wrote in message news:xxxxx@ntdev…
> >
> > Hi ,
> >
> > Sorry I forgot to write which protocols i want to intercept -IP
> > -TCP
> > -ICMP -if possible.
> >
> > Sorry for the mistake…
> > – Subodh
> > ----- Original Message -----
> > From: “Dan Partelly”
> > To: “NT Developers Interest List”
> > Sent: Thursday, July 25, 2002 7:25 PM
> > Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame
Details
> > of localhost packets ?
> >
> >
> > > You where told more than once by 5 ppl at least that filtering over
TCP
> /
> > > UDP or IP devices
> > > wont allow you to see IP headers of data, only the payload. Through
> > > filtering you can however get SOME data which eventualy ends into IP
> > header.
> > > As for where you have to layer , that really depends what protocols
you
> > want
> > > to intercept. Wouldnt be simple to ask us “I wanna implement this
> driver
> > > which must do “xxxxx”, tell me how to doit.”
> > >
> > > ----- Original Message -----
> > > From: “Subodh Gupta”
> > > To: “NT Developers Interest List”
> > > Sent: Thursday, July 25, 2002 4:23 PM
> > > Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame
> Details
> > > of localhost packets ?
> > >
> > >
> > > > Hi Maxim ,
> > > >
> > > > Thanks clearing the confusion…
> > > > But now my question is can i filter IP {I mean to say that is there
> IP
> > > > device which can be created by filter driver and monitored…}… or
i
> > need
> > > > to hook TCP as i am currently doing .
> > > > I have seen some samples which create UDP devices {but none of IP}
…
> so
> > i
> > > > think in the same way i can create IP device also.If its true then i
> > think
> > > > hooking to IP can solve the problem…
> > > >
> > > > Pls let me know what do you think…
> > > >
> > > > —Subodh
> > > > ----- Original Message -----
> > > > From: “Maxim S. Shatskih”
> > > > To: “NT Developers Interest List”
> > > > Sent: Wednesday, July 24, 2002 5:23 PM
> > > > Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame
> > Details
> > > > of localhost packets ?
> > > >
> > > >
> > > > > > I think the biggest confusion here is about where exactly the
> > > > > LOOPBACK
> > > > > > feature is implemented ??
> > > > >
> > > > > 127.0.0.1 is implemented in IP.
> > > > > NDIS also has loopback feature, which comes into play if the
packet
> is
> > > > > sent to local MAC address. In this cases, the NIC driver is
> bypassed.
> > > > >
> > > > > Max
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > —
> > > > > You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> > > > > To unsubscribe send a blank email to %%email.unsub%%
> > > > >
> > > >
> > > >
> > > >
> > > > —
> > > > You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> > > > To unsubscribe send a blank email to %%email.unsub%%
> > > >
> > >
> > >
> > >
> > > —
> > > You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> > > To unsubscribe send a blank email to %%email.unsub%%
> > >
> >
> >
> >
> >
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> To unsubscribe send a blank email to %%email.unsub%%
></http:></http:>
TDI is (currently) a legacy NT-style device.
One approach to writing a TDI Filter is simply to write a NT layered device
driver (NOT PnP/WDM driver).
Books discussing NT driver programming describe NT layered device drivers.
One I found helpful was Rajeev Nagar’s “Windows NT File System Internals”.
Other then that, you have sufficient information to write your filter. All
you need to do is add time and testing and mix well.
Thomas F. Divine
PCAUSA - Tools & Resources For Network Software Developers
NDIS Protocol/Intermediate/Hooking - TDI Client/Filter
http: - http:
“Subodh Gupta” wrote in message news:xxxxx@ntdev…
>
>
> So both of this software are built using TDI Filter driver .This are my
> inspirations.Now I also want to do the same…
> what do you think now can i do it using TDI Filter driver or i must go for
> other options like IP Filter hooks .
></http:></http:>
Hi Thomas,
Thanks for the valuable advices and incouragement… i am starting with tdi
filter driver {first non PNP and if built successfully then i will go for
PNP WDM driver using pcausa samples and others… }
Thanks again i will keep posted about the progress…
— SUBODH
----- Original Message -----
From: “Thomas F. Divine”
Newsgroups: ntdev
To: “NT Developers Interest List”
Sent: Friday, July 26, 2002 7:02 PM
Subject: [ntdev] Re: Can a TDI Filter Driver get Headers and Frame Details
of localhost packets ?
> TDI is (currently) a legacy NT-style device.
>
> One approach to writing a TDI Filter is simply to write a NT layered
device
> driver (NOT PnP/WDM driver).
>
> Books discussing NT driver programming describe NT layered device drivers.
> One I found helpful was Rajeev Nagar’s “Windows NT File System Internals”.
>
> Other then that, you have sufficient information to write your filter. All
> you need to do is add time and testing and mix well.
>
> Regards,
> –
> Thomas F. Divine
>
> PCAUSA - Tools & Resources For Network Software Developers
> NDIS Protocol/Intermediate/Hooking - TDI Client/Filter
> http: - http:
>
> “Subodh Gupta” wrote in message news:xxxxx@ntdev…
> >
> >
> > So both of this software are built using TDI Filter driver .This are my
> > inspirations.Now I also want to do the same…
> > what do you think now can i do it using TDI Filter driver or i must go
for
> > other options like IP Filter hooks .
> >
>
>
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@leadbyte.com
> To unsubscribe send a blank email to %%email.unsub%%
></http:></http:>