How to distinguish my packet in ndis filter?

Hi all,

I have an NDIS filter on the host PC,
and I use the freeware (Packet Sender) to send a TCP packet from another PC.
The two machines are linked to the same Wi-Fi LAN (their IPs are both 192.168.1.xxx).
Now I want to use my NDIS filter to filter out the packet I sent,
but I don’t know how to distinguish which packet is mine in the FilterReceiveNetBufferLists routine.
Is there any suggestion?

Question 2: the ping command in the prompt works (the host responds to the client),
but Wireshark shows [SYN] and [TCP Retransmission] only if I use Packet Sender to send the TCP packet to the host.
It looks like the ping command works but sending the TCP packet fails,
I have no idea why.

Thanks in advance.
//dlcu

You can look at some of the NDIS samples in the WDK. In the Windows 7 WDK
the NDIS 6 MUX sample gives a fairly simple example of how to examine the
MAC address in the Ethernet header.

To examine the IP address you would need to dig deeper into the packet using
the same approach. For example:

1.) Examine the Ethernet type field to determine if the Ethernet payload is
an IPv4 packet. Be sure to account for the possibility that the packet has
an 802.1Q tag.
2.) If packet is IPv4 use NdisAdvanceNetBufferDataStart to move to the start
of the IPv4 header.
3a.) If you are in the receive path, dig up the destination IP address and
compare with the receiving adapter’s IP address.
3b.) If you are in the send path, dig up the source IP address and compare
with the sending adapter’s IP address.
4.) After comparison use NdisRetreatNetBufferDataStart to restore the packet
to its original condition.

Be sure to understand what “network byte order” and “host byte order” mean
and how that affects comparing IPv4 addresses.

If you don’t understand the above you need to study on your own until you
do. For sure you must thoroughly understand the structure of network frames.

Good luck!!!

Thomas F. Divine

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Wednesday, April 29, 2015 10:05 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to distinguish my packet in ndis filter?

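The header walk described in the reply above (EtherType check, optional 802.1Q tag, IPv4 destination address), as an added example that is not part of the original thread or of the WDK samples. It is portable C over a flat byte buffer rather than a NET_BUFFER, and goes one step further to the TCP destination port; the helper name, the sample frame, the addresses 192.168.1.10 and 192.168.1.20 and port 8080 are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_VLAN 0x8100            /* 802.1Q tag */

/* Read a big-endian (network order) 16-bit field, no alignment assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper: 1 if the frame is IPv4/TCP to local_ip:port, else 0.
 * local_ip holds the 4 address bytes in wire (network) order, so the byte-wise
 * compare below never mixes host and network byte order. */
int frame_matches(const uint8_t *f, size_t len, const uint8_t local_ip[4], uint16_t port)
{
    size_t off = 12;                     /* skip destination and source MAC */
    if (len < off + 2) return 0;
    uint16_t type = rd16(f + off);
    off += 2;
    if (type == ETHERTYPE_VLAN) {        /* 2-byte TCI, then the real EtherType */
        if (len < off + 4) return 0;
        type = rd16(f + off + 2);
        off += 4;
    }
    if (type != ETHERTYPE_IPV4 || len < off + 20) return 0;
    const uint8_t *ip = f + off;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;     /* header length with options */
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < off + ihl + 4) return 0;
    if (memcmp(ip + 16, local_ip, 4) != 0) return 0;  /* destination address */
    if (ip[9] != 6) return 0;                    /* protocol 6 = TCP */
    if (rd16(ip + 6) & 0x1FFF) return 0;         /* later fragment: no TCP header */
    return rd16(ip + ihl + 2) == port;           /* TCP destination port */
}

/* Constructed sample: VLAN-tagged TCP SYN, 192.168.1.20:50000 -> 192.168.1.10:8080 */
static const uint8_t sample_frame[] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02,        /* dst MAC, src MAC */
    0x81,0x00, 0x00,0x0a, 0x08,0x00,              /* 802.1Q tag (VLAN 10), IPv4 */
    0x45,0,0,0x28, 0,1,0x40,0, 0x40,0x06,0,0,     /* IHL 5, DF, TTL 64, TCP */
    192,168,1,20, 192,168,1,10,                   /* source, destination */
    0xc3,0x50, 0x1f,0x90, 0,0,0,1, 0,0,0,0,       /* ports, seq, ack */
    0x50,0x02, 0xff,0xff, 0,0, 0,0                /* SYN, window, cksum, urg */
};

int main(void)
{
    const uint8_t host_ip[4] = {192, 168, 1, 10};
    return frame_matches(sample_frame, sizeof sample_frame, host_ip, 8080) ? 0 : 1;
}
```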