how to find L2 header size in NDIS LWF

NTDEV
1

(Sorry for the repost, but I forgot to set the title of the thread in the first time)

Hi,

I am currently developing a NDIS 6 lightweight filter driver.

I need to obtain the Layer 2 Header Size so I can find the IP header. For this I compute the difference between the result of 2 OIDs (OID_GEN_MAXIMUM_TOTAL_SIZE and OID_GEN_MAXIMUM_FRAME_SIZE).

The problem is that for a RNDIS USB device, the OID_GEN_MAXIMUM_TOTAL_SIZE reports 2048 and OID_GEN_MAXIMUM_FRAME_SIZE (MTU) 1400.

Actually, the packets have a ETHERNET size header (14).

Can anyone suggest a better method to find the correct L2 Header Size?

Thanks in advance.

2

Use information from the AttachParameters passed to FilterAttach to
determine the MediaType. That should be definitive.

Thomas F. Divine
http://www.pcausa.com

From:
Sent: Thursday, January 06, 2011 11:59 AM
To: “Windows System Software Devs Interest List”
Subject: [ntdev] how to find L2 header size in NDIS LWF

> (Sorry for the repost, but I forgot to set the title of the thread in the
> first time)
>
> Hi,
>
> I am currently developing a NDIS 6 lightweight filter driver.
>
> I need to obtain the Layer 2 Header Size so I can find the IP header. For
> this I compute the difference between the result of 2 OIDs
> (OID_GEN_MAXIMUM_TOTAL_SIZE and OID_GEN_MAXIMUM_FRAME_SIZE).
>
> The problem is that for a RNDIS USB device, the OID_GEN_MAXIMUM_TOTAL_SIZE
> reports 2048 and OID_GEN_MAXIMUM_FRAME_SIZE (MTU) 1400.
>
> Actually, the packets have a ETHERNET size header (14).
>
> Can anyone suggest a better method to find the correct L2 Header Size?
>
> Thanks in advance.
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

3

Keep in mind that the location of the transport (IP) header relative to the start of the frame is influenced by many things in Ethernet. You really have to ‘parse’ the header to accomodate the possiblities of:

802.3 vs. LLC/SNAP encoding.
Presence of VLAN/Priority tag.
etc.

The MediaType tells you the starting point for that process. You may choose to ignore the possiblity of curious and infrequently encountered MAC header encoding if you wish (many do). Just be aware of the peril of assuming Ethernet == 14 octets to the IP header.

Good Luck,
Dave Cattley

4

If you are *only* interested in IP headers, then take a look at the WFP driver model. It’s designed specifically for drivers that want to manipulate IP (or TCP etc.) headers. The stack will do all the grunt work of parsing the layer2 headers for you. Also, WFP tends to be easier to write to than the (already quite easy) NDIS LWF driver model.

5

Hi,

Thank you all for answering.

@Mr. Divine: The media type in this case is 802.3

@Mr. Cattley: For now, I will ignore LLC/SNAP frames.

@Mr. Tippet: I know about WFP, but I want to filter packets before they reach tcpip.sys.

6

The beautiful thing about WFP is that you *can* filter packets before they
effectively reach tcpip.sys. The even nicer thing is that if you want to
let tcpip.sys do the heavy lifting like reassembly, check-sum verification,
etc. then you can filter at an intermediate layer where you see *exactly*
what you need to do whatever it is you are trying to do. Unless whatever it
is you are trying to do really really really cannot let the framing layer of
tcpip.sys see the network frames. Well, there is even a WFP layer for that
but it is rather ‘under’ documented - perhaps even unsupported until post
Win7 RTM - but it simply is a LWF that is a classification altitude in WFP.

Good Luck,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Friday, January 07, 2011 7:02 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] how to find L2 header size in NDIS LWF

Hi,

Thank you all for answering.

@Mr. Divine: The media type in this case is 802.3

@Mr. Cattley: For now, I will ignore LLC/SNAP frames.

@Mr. Tippet: I know about WFP, but I want to filter packets before they
reach tcpip.sys.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

7

> Well, there is even a WFP layer for that but it is rather ‘under’ documented - perhaps even unsupported until post Win7 RTM - but it simply is a LWF that is a classification altitude in WFP.

Do not use this layer. Not only is it unsupported, it has already been removed from “post Win7 RTM”. It’s an odd little artifact, which isn’t intended for 3rd party use.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of David R. Cattley
Sent: Friday, January 07, 2011 5:42 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] how to find L2 header size in NDIS LWF

The beautiful thing about WFP is that you *can* filter packets before they
effectively reach tcpip.sys. The even nicer thing is that if you want to
let tcpip.sys do the heavy lifting like reassembly, check-sum verification, etc. then you can filter at an intermediate layer where you see *exactly* what you need to do whatever it is you are trying to do. Unless whatever it is you are trying to do really really really cannot let the framing layer of
tcpip.sys see the network frames. Well, there is even a WFP layer for that
but it is rather ‘under’ documented - perhaps even unsupported until post
Win7 RTM - but it simply is a LWF that is a classification altitude in WFP.

Good Luck,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Friday, January 07, 2011 7:02 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] how to find L2 header size in NDIS LWF

Hi,

Thank you all for answering.

@Mr. Divine: The media type in this case is 802.3

@Mr. Cattley: For now, I will ignore LLC/SNAP frames.

@Mr. Tippet: I know about WFP, but I want to filter packets before they reach tcpip.sys.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

8

Well, there you have it. I wondered what ever happened to it. :slight_smile:

Cheers,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jeffrey Tippet
Sent: Friday, January 07, 2011 5:22 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] how to find L2 header size in NDIS LWF

Well, there is even a WFP layer for that but it is rather ‘under’
documented - perhaps even unsupported until post Win7 RTM - but it simply is
a LWF that is a classification altitude in WFP.

Do not use this layer. Not only is it unsupported, it has already been
removed from “post Win7 RTM”. It’s an odd little artifact, which isn’t
intended for 3rd party use.