get IP address from NET_BUFFER_LIST in NDIS driver

Hi all,
I’m trying to write an NDIS filter driver in VISTA.
I saw a “filter” sample source in WDK, but I can’t know
how to get the source IP address or destination IP address from the
NET_BUFFER_LIST structure.
Can someone please tell me how to get the packet information such as
source IP address from the NET_BUFFER_LIST structure.
Thanks Regards.

Yes this is something I would like to know as well. I would also like to know how to get the size of the data the structure holds. I.e., if intercepted at the transport layer, how large the packet is.

You must parse the packet data and find the IP header in it.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntdev…
> Hi all,
> I’m trying to write an NDIS filter driver in VISTA.
> I saw a “filter” sample source in WDK, but I can’t know
> how to get the source IP address or destination IP address from the
> NET_BUFFER_LIST structure.
> Can someone please tell me how to get the packet information such as
> source IP address from the NET_BUFFER_LIST structure.
> Thanks Regards.
>

> I can’t know how to get the source IP address or destination IP address from the
> NET_BUFFER_LIST structure.

Indeed, you cannot know it - neither NET_BUFFER_LIST nor NDIS_PACKET have such info. You have to extract the network packet that happens to be just NET_BUFFER_LIST’s or NDIS_PACKET’s data, and parse its headers…

Anton Bassov

How can I extract the network packet from the NET_BUFFER_LIST?
Can someone tell me the sample source parsing the packet headers.
Thanks.

> How can I extract the network packet from the NET_BUFFER_LIST?
> Can someone tell me the sample source parsing the packet headers.

Maybe you want us to write all the code for your driver as well??? Look - someone who wants to be a kernel-level developer just cannot be that helpless (after all, the task in itself is just trivial).

If you don’t want to learn and experiment … well, then just move to .NET languages, and that’s it…

Anton Bassov

On May 3, 2007, at 9:28 PM, xxxxx@yahoo.co.kr wrote:

> How can I extract the network packet from the NET_BUFFER_LIST?
> Can someone tell me the sample source parsing the packet headers.

There is a ton of source code for this in the world. Search Google.
Better yet, read the RFCs. www.ietf.org/rfc/rfc791.txt is a good
place to start.

Please be careful doing this; it’s easy to write insecure code while
parsing network packets if you make assumptions about the format of
the input data (i.e. length fields that point past the end of your
buffer, etc). If you’re writing an NDIS component, you’ll be below
(many) firewalls, so if you write a bug, your code could easily lead
to a remotely exploitable bug.

-sd

> There is a ton of source code for this in the world. Search Google.
> Better yet, read the RFCs. www.ietf.org/rfc/rfc791.txt is a good place to start.

It looks like the OP does not know how to get a network packet from NET_BUFFER_LIST, in the first place, so that he asks us to provide him with the code that does the above (LWF sample in WDK does not show how to parse packets, so that the OP is in panic because he has to write his own code, rather than dumbly reusing the existing sample…)

> Please be careful doing this; it’s easy to write insecure code while
> parsing network packets if you make assumptions about the format of
> the input data (i.e. length fields that point past the end of your
> buffer, etc). If you’re writing an NDIS component, you’ll be below
> (many) firewalls, so if you write a bug, your code could easily lead
> to a remotely exploitable bug.

Actually, this is the only reason why I gave a bit harsh reply to his request - someone who does not want to bother himself with trying to figure out how to extract data from NET_BUFFER_LIST without requesting outside assistance is very unlikely to write a good filter.

Anton Bassov

> Actually, this is the only reason why I gave a bit harsh reply to his request - someone who does not
> want to bother himself with trying to figure out how to extract data from NET_BUFFER_LIST without
> requesting outside assistance is very unlikely to write a good filter.

So that actually means that if you are a beginner you are not entitled to any information from this forum??? How warm that makes me feel.

I just started making drivers and have a REALLY hard time figuring out how the netbufferlist structure works. I have looked around for information and can find nothing. NET_BUFFER_LIST gives 248 hits on Google, and MSDN doesn’t have any examples or useful information.

Actually the WDK NDISPROT sample illustrates access to the contents of a NET_BUFFER_LIST. See the Recv.c module.

It is a simple example and only examines the Ethernet header Type field. However, once you get the basic idea you should be able to understand how to examine the rest of the packet payload.

Good luck,

Thomas F. Divine

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-285712-
xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Sunday, May 06, 2007 9:25 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] get IP address from NET_BUFFER_LIST in NDIS driver

> Actually, this is the only reason why I gave a bit harsh reply to his request - someone who does not
> want to bother himself with trying to figure out how to extract data from NET_BUFFER_LIST without
> requesting outside assistance is very unlikely to write a good filter.

So that actually means that if you are a beginner you are not entitled
to any information from this forum??? How warm that makes me feel.

I just started making drivers and have a REALLY hard time figuring out
how the netbufferlist structure works. I have looked around for
information and can find nothing. NET_BUFFER_LIST gives 248 hits on
Google, and MSDN doesn’t have any examples or useful information.


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Thx a lot for the info, Thomas. That’s all I needed.

Jesper Kragh

Thomas,

> Actually the WDK NDISPROT sample illustrates access to the contents of a NET_BUFFER_LIST.

The “problem” (at least from the OP’s perspective) here is that it is demonstrated in NDISPROT sample and not in LWF one that he is modifying - he seems to expect getting ready-to-run code straight away, rather than doing basic research …

This is the only reason why I gave him a bit harsh response …

Anton Bassov

Thanks Thomas.
In fact I wrote a packet filtering driver in XP, but it doesn’t work in VISTA.
I’m a beginner for NDIS, so I had confused at NDIS_NUFFER how can I get the ethernet frame header.
I got a helpful data from ReactOS source a few days ago, but
WDK NDISPROT sample is more useful for me.
Thanks.
Good luck.
And thanks to Anton.

On May 6, 2007, at 8:25 PM, xxxxx@yahoo.co.kr wrote:

> Thanks Thomas.
> In fact I wrote a packet filtering driver in XP, but it doesn’t
> work in VISTA.
> I’m a beginner for NDIS, so I had confused at NDIS_NUFFER how can I
> get the ethernet frame header.
> I got a helpful data from ReactOS source a few days ago, but
> WDK NDISPROT sample is more useful for me.

NDIS IM drivers work fine on Vista; the new filtering model is
certainly easier and more efficient, but if you wrote an NDIS5-style
IM driver that works on XP, it ought to work on Vista.

-Steve

> I just started making drivers and have a REALLY hard time figuring out how the
> netbufferlist structure works.

netbufferlist (like the old NDIS_PACKET) describes some memory. The memory is
maybe not contiguous, and is a collection of contiguous chunks - netbufferlist
holds all of them.

You must code the logical view of memory described by netbufferlist as a single
piece of memory. The easiest and stupidest way is to memcpy all chunks to one
large buffer, but there are smarter ways (state machine based or so).

Then - 14-byte MAC header is in the very beginning of this memory, and the IP
header (look at RFCs for layout) is after it. TCP header follows (again - look
at RFCs for layout).


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Just to clarify a little bit…
NBL can contain one or more NBs, each NB is carrying one frame. So the
OP needs to look into the NB. Also pay attention to the DataOffset field
of the NB.

Calvin Guan
Broadcom Corporation
Connecting Everything(r)

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-286151-
xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Wednesday, May 09, 2007 12:30 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] get IP address from NET_BUFFER_LIST in NDIS driver

> I just started making drivers and have a REALLY hard time figuring out how the
> netbufferlist structure works.

netbufferlist (like the old NDIS_PACKET) describes some memory. The memory is
maybe not contiguous, and is a collection of contiguous chunks - netbufferlist
holds all of them.

You must code the logical view of memory described by netbufferlist as a single
piece of memory. The easiest and stupidest way is to memcpy all chunks to one
large buffer, but there are smarter ways (state machine based or so).

Then - 14-byte MAC header is in the very beginning of this memory, and the IP
header (look at RFCs for layout) is after it. TCP header follows (again - look
at RFCs for layout).


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

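An added example, not code from any poster or from the WDK samples: the layout described in the thread (a frame spread over non-contiguous chunks, a 14-byte MAC header, then the IPv4 header) parsed in portable user-mode C with the length checks the security warning above asks for. `struct chunk`, `chain_read`, `frame_ipv4_addrs` and the sample bytes are hypothetical; in a driver the chunks would be the NET_BUFFER's memory and `data_offset` its DataOffset.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for one contiguous piece of a frame (in a driver, one MDL). */
struct chunk { const uint8_t *data; size_t len; const struct chunk *next; };

/* Copy `want` bytes starting `off` bytes into the chain; 0 only if every byte exists. */
static int chain_read(const struct chunk *c, size_t off, uint8_t *out, size_t want)
{
    for (; c != NULL && want > 0; c = c->next) {
        if (off >= c->len) { off -= c->len; continue; }  /* offset lies past this chunk */
        size_t n = c->len - off;
        if (n > want) n = want;
        memcpy(out, c->data + off, n);
        out += n; want -= n; off = 0;
    }
    return want == 0 ? 0 : -1;
}

/* Get IPv4 source/destination bytes from an Ethernet II frame that starts data_offset
   bytes into the chain and is frame_len bytes long. Returns 0 on success. */
int frame_ipv4_addrs(const struct chunk *c, size_t data_offset, size_t frame_len,
                     uint8_t src[4], uint8_t dst[4])
{
    uint8_t eth[14], ip[20];
    if (frame_len < sizeof eth + sizeof ip) return -1;      /* cannot hold both headers */
    if (chain_read(c, data_offset, eth, sizeof eth) != 0) return -1;
    if (eth[12] != 0x08 || eth[13] != 0x00) return -2;      /* EtherType is not IPv4 */
    if (chain_read(c, data_offset + sizeof eth, ip, sizeof ip) != 0) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;                /* header length the packet claims */
    size_t total = ((size_t)ip[2] << 8) | ip[3];            /* total length the packet claims */
    if ((ip[0] >> 4) != 4 || ihl < sizeof ip) return -3;    /* wrong version or IHL below 20 */
    if (total < ihl || total > frame_len - sizeof eth) return -3; /* length points past frame */
    memcpy(src, ip + 12, 4);
    memcpy(dst, ip + 16, 4);
    return 0;
}

/* Constructed sample: 4 unused bytes, then a 34-byte frame split in the middle of the IP header. */
static const uint8_t part1[] = { 0,0,0,0,
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00,  /* dst MAC, src MAC, EtherType */
    0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00 };       /* ver/IHL, TOS, total=20, id, frag */
static const uint8_t part2[] = { 0x40,0x06,0x00,0x00, /* TTL, TCP, checksum (not verified) */
    192,0,2,1, 198,51,100,7 };                        /* source, destination */
static const struct chunk sample_tail = { part2, sizeof part2, NULL };
static const struct chunk sample_head = { part1, sizeof part1, &sample_tail };
```

In an NDIS 6 driver, `NdisGetDataBuffer` can supply the contiguous view that `chain_read` builds here; the length checks on the packet's own fields are still the caller's job.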