FW: NDIS Version

Good Morning,

I am currently attempting to write some code to monitor the opening and
closing of ports across a Windows machine. Initially I approached this
by looking to write a Winsock LSP and have subsequently been warned off
this by the seemingly impossible task of writing an install which will
be compatible across all the operating systems I support (Windows XP SP1
up to Windows 7 including server editions) and their potential AV
solutions in place. My other thought was to write a cut-down packet
sniffer and so I was looking to do this with an NDIS Filter driver.

I have been reading up on this but am a little unsure as to what version
of NDIS I need to aim at because of the wide variety of Operating
Systems I need to support. Is there one version that encompasses all of
the operating systems I have listed above or do I need to, as I suspect,
write several drivers aimed at different NDIS versions?

Apologies if this is a simple question but I have not been able to
satisfactorily find the answer.

Kind Regards

Mark

Please consider the environment before printing this email.

This message should be regarded as confidential. If you have received this email in error please notify the sender and destroy it immediately.

Statements of intent shall only become binding when confirmed in hard copy by an authorised signatory.

The contents of this email may relate to dealings with other companies under the control of BAE Systems plc details of which can be found at http://www.baesystems.com/Businesses/index.htm.

Detica Limited is a BAE Systems company trading as BAE Systems Detica.
Detica Limited is registered in England and Wales under No: 1337451.
Registered office: Surrey Research Park, Guildford, Surrey, GU2 7YP, England.

If all you want to do is observe packets sent from or to the local host you
do not need a “Filter”. All that is required is a “Protocol”. I would
suggest that you start with WinPCAP and stay out of kernel mode until you
know that:

a) Your scheme will work.

b) Your scheme requires you to implement your own driver instead of
using a readily available, robust, tested, and free one.

http://www.winpcap.org/

Now to answer your question: NDIS version 5.1 protocols & miniports are
supported across all of those noted platforms. However, if you decide to
implement a KM component to monitor endpoint establishment, I highly
recommend that you build two solutions: An NT6 (Vista/2K8+) solution built
around WFP and an NT5 (XP/2K3) built around whatever skullduggery you find
necessary. I would say that most Port Monitoring solutions on NT5 (and
earlier) platforms tend to filter TDI.

Good Luck,

Dave Cattley
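The user-mode route Dave recommends hands you raw frames, whereas what the original question asks for is port open/close events, which then have to be inferred from the TCP handshake and teardown. The following is an added example, not code from the thread, from WinPcap or from either poster: a small Python decoder that walks Ethernet/IPv4/TCP headers and derives "attempt", "accepted"/"connected" and "closed" events for one monitored host, plus a record of which local ports answered a SYN with a SYN/ACK (that is, were listening). In practice WinPcap's capture loop would supply the frames; here the sample frames, the addresses (10.0.0.x) and the names `PortMonitor`, `parse_frame` and `build_frame` are all this example's own constructions.

```python
import struct
from dataclasses import dataclass

# Hypothetical constants and names; this example is not from the thread or from WinPcap.
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class TcpSegment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def parse_frame(frame: bytes):
    """Decode Ethernet/IPv4/TCP headers; return None for anything else."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length, options included
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return TcpSegment(src, sport, dst, dport, tcp[13])   # byte 13 holds the TCP flags


class PortMonitor:
    """Derive local port open/close events from captured frames for one host."""

    def __init__(self, local_ip: str):
        self.local_ip = local_ip
        self.connections = {}   # (local_port, remote_ip, remote_port) -> state
        self.listening = set()  # local ports seen answering a SYN with SYN/ACK
        self.events = []

    def feed(self, frame: bytes):
        seg = parse_frame(frame)
        if seg is None:
            return None
        if seg.dst == self.local_ip:
            key, inbound = (seg.dport, seg.src, seg.sport), True
        elif seg.src == self.local_ip:
            key, inbound = (seg.sport, seg.dst, seg.dport), False
        else:
            return None                 # neither endpoint is the monitored host
        f = seg.flags
        if f & (TCP_FIN | TCP_RST):
            if self.connections.pop(key, None) is None:
                return None             # teardown of a connection we never saw
            event = "closed"
        elif f & TCP_SYN and not f & TCP_ACK:
            self.connections[key] = "syn"
            event = "inbound_attempt" if inbound else "outbound_attempt"
        elif f & TCP_SYN and f & TCP_ACK:
            if key not in self.connections:
                return None             # SYN/ACK without a matching SYN
            self.connections[key] = "established"
            if inbound:
                event = "connected"     # the remote side accepted our SYN
            else:
                self.listening.add(key[0])   # we accepted: local port is a listener
                event = "accepted"
        else:
            return None                 # ordinary data/ACK segment: no state change
        self.events.append((event,) + key)
        return event

    def local_ports_in_use(self):
        return sorted({local_port for local_port, _, _ in self.connections})


def build_frame(src, sport, dst, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data, no checksums)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


if __name__ == "__main__":
    local = "10.0.0.5"                  # constructed addresses
    mon = PortMonitor(local)
    for frame in (build_frame("10.0.0.9", 40000, local, 445, TCP_SYN),
                  build_frame(local, 445, "10.0.0.9", 40000, TCP_SYN | TCP_ACK),
                  build_frame("10.0.0.9", 40000, local, 445, TCP_FIN | TCP_ACK)):
        mon.feed(frame)
    print(mon.events, mon.listening, mon.local_ports_in_use())
```

This illustrates the limit Dave draws between observing packets and monitoring endpoint establishment: a packet-level monitor only learns that a port is listening once someone connects to it, never sees a bind() or listen() that attracts no traffic, and cannot attribute a port to a process. Those are the questions that push a solution into the kernel (WFP on NT6, TDI filtering on NT5), so the user-mode capture is a good way to find out whether packet visibility alone satisfies the requirement before committing to a driver.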

Thank you very much, that really clarifies things. I will investigate
working in user-mode to accomplish this first.

Kind Regards

Mark

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of David R.
Cattley
Sent: 25 January 2013 13:37
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] FW: NDIS Version



