getting the ip header

how do i get the ip header of an ip packet?
do i have to create my own structures or are there pre-defined structures that windows offers to extract the header info of a packet?
i.e there are structs like iphdr or ipv6hdr on unix that makes it easy to identify which ip version the packet data belongs to. how do i do this in windows?

thanks much.

The answer all depends on what you are trying to do, and in what environment. The structure of IPv4 headers is extremely well-known, rather simple, and thoroughly documented in public RFCs. You can write your own IPv4 header structures in a few minutes; the basic IP header is only 20 bytes long.

But what will you do with them? Build them, parse them, filter them, etc.? You may need to understand different aspects of IPv4, such as how “optional” headers work (it’s optional to build them, but you still must know how to parse them), how protocol layering works, how IP interacts with ARP and other link-layer protocols, how IP routing works, etc. IPv6 has a very different structure, but it is also publicly documented.

So, before we can even begin to offer any guidance, you’ll have to decide (and articulate) what you are trying to accomplish. At this point, with the information you’ve given, all that can be said is, “go read the RFCs”. http://www.ietf.org. Start at RFC 791, and work your way forward in time, if you want to understand IPv4.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Wednesday, January 17, 2007 11:27 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] getting the ip header

how do i get the ip header of an ip packet?
do i have to create my own structures or are there pre-defined structures that windows offers to extract the header info of a packet?
i.e there are structs like iphdr or ipv6hdr on unix that makes it easy to identify which ip version the packet data belongs to. how do i do this in windows?

thanks much.


Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

On Jan 17, 2007, at 10:26 AM, xxxxx@gmail.com wrote:

> how do i get the ip header of an ip packet?

You’ll need an NDIS Intermediate (IM) driver on <= Windows Server
2003 or optionally an NDIS6 filter driver on Vista. There are samples
of both types in the WDK.

> do i have to create my own structures or are there pre-defined
> structures that windows offers to extract the header info of a packet?
> i.e there are structs like iphdr or ipv6hdr on unix that makes it
> easy to identify which ip version the packet data belongs to. how
> do i do this in windows?

I don’t know of any pre-existing structure definitions for IP parsing
in the WDK; regardless, writing your own isn’t that tricky. You can
refer to numerous sources (WinPCAP for one) for sample code.

-sd

> -----Original Message-----

From: xxxxx@lists.osr.com [mailto:bounce-275902-
xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Wednesday, January 17, 2007 11:27 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] getting the ip header

how do i get the ip header of an ip packet?
do i have to create my own structures or are there pre-defined structures
that windows offers to extract the header info of a packet?
i.e there are structs like iphdr or ipv6hdr on unix that makes it easy to
identify which ip version the packet data belongs to. how do i do this in
windows?

thanks much.

[PCAUSA] Don’t know exactly what kind of driver you are developing.

The “Extending the Passthru NDIS IM driver…” articles at
http://www.wd-3.com illustrate simple IPv4 packet parsing using modified
versions of the BSD network headers. This should give you an idea of an
approach that should work for you.

See:

http://www.wd-3.com
http://www.wd-3.com/archive/ExtendingPassthru2.htm

Good luck,

Thomas F. Divine

Thanks all,

Your inputs are appreciated.
What i was trying to achieve was simple -
Based on the header fields (protocol version - which would be 4 or 6), i would like to prepare an appropriate ethernet header for the packet and send it along to higher level drivers (INDICATE RECEIVE as NDIS calls it).

Is this ok to do? Doesn’t the packet descriptor already have a header? I am thoroughly confused at the NDIS_PACKET structure and how i could tag along an ethernet header of my own to the incoming ip packet.

Where should i start?

Thanks.

-vj

If you are confused about what a NDIS packet is, see this information:

DDK 3790 Help:
Topic: “Network Driver Programming Considerations” and “Packet Structure”.

NDIS.com:
http://ndis.com/papers/default.htm

Thomas F. Divine

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-275928-
xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Wednesday, January 17, 2007 1:15 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] getting the ip header

Thanks all,

Your inputs are appreciated.
What i was trying to achieve was simple -
Based on the header fields (protocol version - which would be 4 or 6), i
would like to prepare an appropriate ethernet header for the packet and
send it along to higher level drivers (INDICATE RECEIVE as NDIS calls it).

Is this ok to do? Doesn’t the packet descriptor already have a header? I
am thoroughly confused at the NDIS_PACKET structure and how i could tag
along an ethernet header of my own to the incoming ip packet.

Where should i start?

Thanks.

-vj



On Jan 17, 2007, at 12:15 PM, xxxxx@gmail.com wrote:

> Thanks all,
>
> Your inputs are appreciated.
> What i was trying to achieve was simple -
> Based on the header fields (protocol version - which would be 4 or
> 6), i would like to prepare an appropriate ethernet header for the
> packet and send it along to higher level drivers (INDICATE RECEIVE
> as NDIS calls it).
>
> Is this ok to do? Doesn’t the packet descriptor already have a
> header? I am thoroughly confused at the NDIS_PACKET structure and
> how i could tag along an ethernet header of my own to the incoming
> ip packet.
>
> Where should i start?

I’d recommend studying the DDK documentation, the ndis.h header file,
and Thomas’s extended passthru driver, such that you get a feel for
how to work with NDIS_PACKETs and NDIS_BUFFERs.

Out of curiosity, where are you getting the data to indicate up?

-Steve

Thanks Steve.
I am getting the data from a NIC.
The driver i am attempting to write is a miniport driver.
There are no protocol drivers or NDIS IM drivers or NDIS-WDM drivers above my miniport driver.
The packets are headed to an application that i have no code to modify.

So, this is where i am now -

I have parsed the header of the incoming packet.
Created an ethernet header based on the parsed information.

How do i now “stick” these two pieces together? [the ethernet header and the ip packet i received]?
Looks like i need to do some IP_ALIGNMENT before i stick everything into a NDIS_PACKET. How do i do this alignment?

Thanks all.

-vj

> -----Original Message-----

From: xxxxx@lists.osr.com [mailto:bounce-275964-
xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Wednesday, January 17, 2007 4:48 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] getting the ip header

Thanks Steve.
I am getting the data from a NIC.
The driver i am attempting to write is a miniport driver.
There are no protocol drivers or NDIS IM drivers or NDIS-WDM drivers above
my miniport driver.
The packets are headed to an application that i have no code to modify.

So, this is where i am now -

I have parsed the header of the incoming packet.
Created an ethernet header based on the parsed information.

How do i now “stick” these two pieces together? [the ethernet header and
the ip packet i received]?
Looks like i need to do some IP_ALIGNMENT before i stick everything into a
NDIS_PACKET. How do i do this alignment?

Thanks all.

-vj

[PCAUSA] Make sure you carefully read the DDK documentation concerning
NdisMIndicateReceivePacket and friends. In particular, don’t overlook this
admonition:

“The first buffer in the packet must contain the amount of data specified by
the lookahead setting plus the data size of the MAC header. The miniport
driver receives the lookahead setting in a set to
OID_GEN_CURRENT_LOOKAHEAD.”

In practice this means when constructing your own packet to indicate
“upwards” it is usually best to simply allocate a flat array of bytes
sufficiently large to contain the entire packet - including the 14-byte
Ethernet header and the Ethernet payload. Then fill the first 14-bytes with
the Ethernet header followed by the Ethernet payload (i.e. the IP headers
and such).

Then allocate a NDIS_BUFFER to contain the byte array VM and finally chain
the NDIS_BUFFER to a NDIS_PACKET. Then adjust flags, etc. in the NDIS_PACKET
as described in the DDK documentation.

Thomas F. Divine
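
The flat-array step described in the message above, as an added example that is not code from the thread or from the WDK: it reads the IP version nibble, validates the header length, and writes a 14-byte Ethernet header followed by the IP packet into a caller-supplied buffer. The function names and the MAC address parameters are assumptions; wrapping the result in an NDIS_BUFFER and NDIS_PACKET is left to the DDK calls the message refers to.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN    14
#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_IPV6 0x86DD

/* Returns 4 or 6 from the version nibble, or 0 if the packet is too short
 * or malformed for the version it claims. */
static int ip_version(const uint8_t *ip, size_t len)
{
    if (len < 1) return 0;
    switch (ip[0] >> 4) {
    case 4: {
        size_t ihl = (size_t)(ip[0] & 0x0F) * 4;  /* header length incl. options */
        if (ihl < 20 || len < ihl) return 0;
        return 4;
    }
    case 6:
        return len >= 40 ? 6 : 0;                 /* fixed 40-byte IPv6 header */
    default:
        return 0;
    }
}

/* Writes [dst MAC][src MAC][EtherType][IP packet] into frame.
 * Returns the frame length, or 0 on bad input or insufficient capacity. */
size_t build_eth_frame(uint8_t *frame, size_t cap,
                       const uint8_t dst[6], const uint8_t src[6],
                       const uint8_t *ip, size_t ip_len)
{
    int v = ip_version(ip, ip_len);
    uint16_t type;
    if (v == 0 || ip_len > cap || cap - ip_len < ETH_HDR_LEN) return 0;
    type = (v == 4) ? ETHERTYPE_IPV4 : ETHERTYPE_IPV6;
    memcpy(frame, dst, 6);
    memcpy(frame + 6, src, 6);
    frame[12] = (uint8_t)(type >> 8);             /* network byte order */
    frame[13] = (uint8_t)(type & 0xFF);
    memcpy(frame + ETH_HDR_LEN, ip, ip_len);
    return ETH_HDR_LEN + ip_len;
}
```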

> there are structs like iphdr or ipv6hdr on unix that makes it easy to
> identify which ip version the packet data belongs to. how do i do this in
> windows?

Exactly the same way - packet headers have to be the same for all OS, by their very definition.
Therefore, all packet header declarations that are meant to be used on UNIX can be simply copy-pasted to your driver. The only thing that you have to take into the account here is that you have to present the whole packet (i.e. MAC, IP and transport headers plus the actual data) not as a flat array but as respectively NDIS_PACKET for NDIS 4 and 5 and NET_BUFFER_LIST for NDIS 6.
The packet in itself has to be presented as MDL that above mentioned structures must have a pointer to. Check NDIS.H for more info. In general, when it comes to NDIS (at least versions < 6), the official MSDN documentation is not that helpful, so that there are quite a few not-so-obvious details here. Therefore, don’t forget to download the modified “Passthru” sample that Thomas wrote - it will help you quite a lot…

Anton Bassov

It is just after the MAC header in the first NDIS buffer of the packet.
Write the structure declaration yourself according to RFC.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntdev…
> how do i get the ip header of an ip packet?
> do i have to create my own structures or are there pre-defined structures
> that windows offers to extract the header info of a packet?
> i.e there are structs like iphdr or ipv6hdr on unix that makes it easy to
> identify which ip version the packet data belongs to. how do i do this in
> windows?
>
> thanks much.
>
>

> the account here is that you have to present the whole packet (i.e. MAC, IP and
> transport headers plus the actual data) not as a flat array but as respectively

TCP+IP+MAC headers are always a flat array - the first NDIS_BUFFER. This is how
TCPIP sets the lookahead size.

Nevertheless, the check for the first NDIS_BUFFER size (before dereferencing
the fields) would not be extra.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Maxim,

> > the account here is that you have to present the whole packet (i.e. MAC, IP and
> > transport headers plus the actual data) not as a flat array but as respectively
>
> TCP+IP+MAC headers are always a flat array - the first NDIS_BUFFER. This is how
> TCPIP sets the lookahead size.

You just don’t indicate flat arrays to NDIS - instead, you indicate NDIS_PACKETs under NDIS 4 and 5
(unless you use media-specific, rather than per-packet, indication, which does not seem to be the OP’s case) and NET_BUFFER_LISTs under NDIS 6. No matter how many MDLs (aka NDIS_BUFFERs) are in it, it is still NDIS_PACKET or NET_BUFFER_LISTs, rather than flat array. Taking into consideration the fact that the OP is not sure what NDIS_PACKET is, I believe it makes sense to give him a detailed explanation…

Anton Bassov

None the less, it is dangerous to assume this to be true. TCP/IP is under
no obligation to *send* packets with this arrangement and these may end up
in the RX path due to loopback.

Good Luck,
Dave Cattley
Consulting Engineer
Systems Software Development

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Thursday, January 18, 2007 3:53 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] getting the ip header

> the account here is that you have to present the whole packet (i.e. MAC, IP and
> transport headers plus the actual data) not as a flat array but as respectively

TCP+IP+MAC headers are always a flat array - the first NDIS_BUFFER. This is how
TCPIP sets the lookahead size.

Nevertheless, the check for the first NDIS_BUFFER size (before dereferencing
the fields) would not be extra.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com



I was about incoming packets, not outgoing.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

“David R. Cattley” wrote in message news:xxxxx@ntdev…
> None the less, it is dangerous to assume this to be true. TCP/IP is under
> no obligation to send packets with this arrangement and these may end up
> in the RX path due to loopback.
>
> Good Luck,
> Dave Cattley
> Consulting Engineer
> Systems Software Development
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
> Sent: Thursday, January 18, 2007 3:53 AM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] getting the ip header
>
> > the account here is that you have to present the whole packet (i.e. MAC, IP and
> > transport headers plus the actual data) not as a flat array but as respectively
>
> TCP+IP+MAC headers are always a flat array - the first NDIS_BUFFER. This is how
> TCPIP sets the lookahead size.
>
> Nevertheless, the check for the first NDIS_BUFFER size (before dereferencing
> the fields) would not be extra.
>
> –
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>

If you’re looking to just get the raw packet data into your application, why not just install WinPcap on the machine and use their API to access the raw packet data… Alternatively you could make your miniport driver NDIS_WDM and implement your own read/write.

I will start testing this driver in a day or two. Will let you know either way (pass/fail) on what happens.
Thanks to all for your inputs.

-vj