How do I extend NetMon to capture traffic from my NDIS miniport driver

I am developing an NDIS miniport driver for a WWAN device, which is not supported out of the box by any version of Windows. And in order to facilitate debugging my driver I would like to be able to capture the network traffic we generate and receive using a tool such as NetMon. However, I have been unable to find any documentation that provides information on what I need to do in my driver to log those network packets so that NetMon can capture and parse them, assuming this is even possible.

Does an SDK for NetMon exist? I have seen references to an SDK for NetMon 2.0 that shipped previously with the Platform SDK, but I believe this is incompatible with NetMon versions 3.0 and 3.1. Can anyone confirm or deny?

Many thanks,
Kashif Hasan

I’m not particularly clear on what is not supported out of the box on
Windows. Just your WWAN card or the entire way you are exposing WWAN?

In any event, if your WWAN Miniport exposes an Ethernet upper edge, Netmon
will happily bind to your NIC.

Netmon 2.x has some ability to extend it but as you have pointed out, it was
a bit under-documented. I don’t know what the story is with Netmon 3.x.

If you are exposing some completely unsupported upper medium and framing
type for your WWAN, then, I suggest you get the sources to WinPCAP and look
at extending it and Ethereal to do your (proprietary) capture & analysis.

Good Luck,
Dave Cattley
Consulting Engineer
Systems Software Development

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Friday, September 28, 2007 3:08 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] How do I extend NetMon to capture traffic from my NDIS
miniport driver



NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Thanks for the reply. Let me provide a little background that might help. My NDIS miniport driver receives 802.3 packets from the NDIS upper edge, but then strips off the Ethernet headers and slaps on a PPP protocol, spoofing ARP and DHCP requests. I can bind NetMon or Ethereal to the protocol edge and see the 802.3 packets, but I actually want to log the PPP encapsulated packets I’m sending out on my lower edge.

If anyone has insights on how to do that within NetMon or Ethereal I would appreciate any pointers.

thanks,
Kashif Hasan

You might try exposing an auxiliary miniport (adapter) which behaves the way
the NDISWAN “Bloodhound” adapter behaves. (Bloodhound is what Netmon was
once known as. I guess they were looking for something…)

Set your auxiliary adapter up with

HKR, Ndi, BindForm, 0, “NdisWanBh”
HKR, Ndi\Interfaces, UpperRange, 0, “ndiswanbh”
HKR, Ndi\Interfaces, LowerRange, 0, “wan”

Look in %windir%\inf\netrasa.inf for more…

And have it report that the medium is NdisMediumWan. It will *not* be an
NDISWAN driver but will be a normal NDIS ‘ethernet’ driver. Netmon should
bind to this and open it in promiscuous mode. At that point, you can
indicate all of your PPP encapsulated traffic in the Netmon
‘pseudo-ethernet’ format which is to say an Ethernet packet header appended
to a HDLC packet. Capture a few frames with Netmon from a PPP connection
via NDISWAN and you will get the idea. The MAC addresses are typically set
to the octets ‘SEND’ and ‘RECV’ to identify what path the packet was grabbed
from. I imagine that if you read through the sources for WinPCAP, it
probably lays out the ‘protocol’ side logic. From that, perhaps, you can
figure out what a miniport needs to do.

This mechanism is how NDISWAN provides netmon with PPP frames. I must admit
I have never tried to create a Miniport entity which emulates this behavior
so this all could be just about as good an idea as the original Tacoma
Narrows Bridge design.

Alternatively, you could just write the packets to a file (reflect them to
usermode and write them to a file, that is) in one of the many (way too many)
capture formats available - all of which Ethereal will read.

Good Luck,
Dave Cattley
Consulting Engineer
Systems Software Development

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, October 02, 2007 6:45 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How do I extend NetMon to capture traffic from my NDIS
miniport driver



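The "reflect the frames to user mode and write them to a capture file" option from the reply above, worked through as an added example. This is not code from the thread or from either poster's driver, and the kernel-to-user-mode reflection path is not shown; the program only covers the user-mode half. The capture format chosen here is an assumption: pcap with link type LINKTYPE_PPP_WITH_DIR (204), whose one-byte pseudo-header records direction (0x00 received, 0x01 sent), which carries the same SEND/RECV distinction the NdisWanBh pseudo-ethernet trick encodes in its MAC addresses. The PPP framing (HDLC address 0xFF, control 0x03, protocol 0x0021 for IPv4), the output file name and the 20-byte IPv4 header used as sample input are all constructed for the example.

```c
/*
 * Added example: write PPP-encapsulated WWAN frames to a pcap file that
 * Ethereal/Wireshark reads, with per-frame send/receive direction.
 * Not from the original thread. Link type, file name and sample packet
 * are assumptions made for the example. Headers are packed by hand in
 * little-endian order so the file is correct regardless of host endianness.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINKTYPE_PPP_WITH_DIR 204u   /* tcpdump.org link-layer type registry */
#define PCAP_GLOBAL_HDR_LEN   24u
#define PCAP_RECORD_HDR_LEN   16u
#define PPP_PROTO_IPV4        0x0021u

/* pcap readers detect byte order from the magic number, so fixing one order
 * (little-endian) avoids depending on the host's. */
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, (uint16_t)v); put_le16(p + 2, (uint16_t)(v >> 16)); }

/* Wrap an IP datagram (already stripped of its 802.3 header, as the miniport
 * does) into a PPP frame: HDLC address 0xFF, control 0x03, then the 16-bit
 * PPP protocol id in network order. Returns bytes written, 0 if out is too small. */
size_t ppp_encapsulate(const uint8_t *ip, size_t ip_len, uint16_t proto,
                       uint8_t *out, size_t cap)
{
    if (cap < ip_len + 4) return 0;
    out[0] = 0xFF; out[1] = 0x03;
    out[2] = (uint8_t)(proto >> 8); out[3] = (uint8_t)proto;
    memcpy(out + 4, ip, ip_len);
    return ip_len + 4;
}

/* 24-byte pcap global header: magic, version 2.4, zone, sigfigs, snaplen, linktype. */
void pcap_global_header(uint8_t out[PCAP_GLOBAL_HDR_LEN], uint32_t snaplen)
{
    put_le32(out + 0, 0xA1B2C3D4u);  /* magic: microsecond timestamps */
    put_le16(out + 4, 2); put_le16(out + 6, 4);
    put_le32(out + 8, 0);            /* thiszone (GMT) */
    put_le32(out + 12, 0);           /* sigfigs */
    put_le32(out + 16, snaplen);
    put_le32(out + 20, LINKTYPE_PPP_WITH_DIR);
}

/* One pcap record: 16-byte record header, 1-byte direction pseudo-header,
 * then the PPP frame. Returns total bytes written, 0 if out is too small. */
size_t pcap_record(uint8_t *out, size_t cap, uint32_t sec, uint32_t usec,
                   int outbound, const uint8_t *ppp, size_t ppp_len)
{
    size_t body = ppp_len + 1;
    if (cap < PCAP_RECORD_HDR_LEN + body) return 0;
    put_le32(out + 0, sec);
    put_le32(out + 4, usec);
    put_le32(out + 8, (uint32_t)body);   /* incl_len */
    put_le32(out + 12, (uint32_t)body);  /* orig_len: nothing truncated */
    out[16] = outbound ? 0x01 : 0x00;    /* LINKTYPE_PPP_WITH_DIR direction byte */
    memcpy(out + 17, ppp, ppp_len);
    return PCAP_RECORD_HDR_LEN + body;
}

/* Constructed sample input: a bare 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2,
 * ICMP, no payload). Illustrative values only, not a real capture. */
static const uint8_t SAMPLE_IPV4[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    0x0A, 0x00, 0x00, 0x01, 0x0A, 0x00, 0x00, 0x02
};

int main(void)
{
    uint8_t hdr[PCAP_GLOBAL_HDR_LEN], ppp[64], rec[128];
    size_t n;
    FILE *f = fopen("wwan_ppp.pcap", "wb");  /* file name is an assumption */
    if (!f) return 1;
    pcap_global_header(hdr, 65535);
    fwrite(hdr, 1, sizeof hdr, f);
    n = ppp_encapsulate(SAMPLE_IPV4, sizeof SAMPLE_IPV4, PPP_PROTO_IPV4, ppp, sizeof ppp);
    /* One frame in each direction so the SEND/RECV split is visible in the tool. */
    fwrite(rec, 1, pcap_record(rec, sizeof rec, 1191000000u, 0, 1, ppp, n), f);
    fwrite(rec, 1, pcap_record(rec, sizeof rec, 1191000000u, 500, 0, ppp, n), f);
    fclose(f);
    return 0;
}
```

Opening the resulting file in Wireshark decodes each record as PPP with a direction column; if the pseudo-ethernet route is taken instead, the direction byte here is the piece that the SEND/RECV MAC addresses replace.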