Hi everyone,
First of all, I apologize if this question has already been addressed. I have found previous threads about similar issues, but couldn’t find exactly the answer I’m looking for.
I’m getting into kernel development and I am trying to write a basic packet capturer callout driver using WFP. The goal is to pass incoming and outgoing packets to a user mode application.
When a net buffer list hits the callout filter, I walk its net buffers and MDLs to retrieve the packet bytes. However, I don’t know how to pass them up to user space without creating significant overhead. My idea would be to copy the MDLs in a separate buffer that I can read from later, but I don’t know how to proceed.
The first option, the easy one, would be to copy the MDLs synchronously whenever my callout driver is called to process an NBL, but I’m afraid it would create performance issues if I retain ownership of the NBL for too long, especially if I have to copy the contents of every single NBL that my driver processes synchronously.
The second option I have would be to clone passing through NBLs, store them in a linked list of NBLs and process them asynchronously without retaining ownership of the original NBL. However, since cloned NBLs do not copy the contents of the original NBL, it doesn’t guarantee that the underlying MDLs would still be valid after some time?
So, the bottom line is: should I do a hard copy of every NBL processed by my driver synchronously and potentially run into performance issues, or should I clone them and process them asynchronously, but with no real guarantee that the underlying MDLs will still exist?