How to obtain remote address for a connected TDI connection object

I am working on a TDI filter, which tracks the lifetime of TDI connection and address objects. To improve the functionality of the filter, I need to avoid rebooting the host after installing the filter driver.

I found a way to obtain a list of the existing TDI address and file objects and how to find the local endpoint address for each of them. I am struggling, however, to obtain the remote address information for a “connected” TDI connection object.

I tried using TDI_QUERY_INFORMATION with TDI_QUERY_CONNECTION_INFO, but it only returns some statistics about the connection. I also tried using IOCTL_TCP_QUERY_INFORMATION_EX, but it returns a list of all connections and ports and in some cases (with multiple connections to the same port) I do not have sufficient information to associate a TDI connection object with a remote IP address.

Is there a way to use IOCTL_TCP_QUERY_INFORMATION_EX so that it will return the remote address and port for a specific connection?

Is there some other mechanism that I could use to obtain the remote address given a TDI connection object?

Thank you very much,

–aydan

Have you tried watching what NETSTAT does when it (essentially) does what
you are trying to do?

-dave

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Tuesday, August 26, 2008 5:58 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to obtain remote address for a connected TDI connection
object

I am working on a TDI filter, which tracks the lifetime of TDI connection
and address objects. To improve the functionality of the filter, I need to
avoid rebooting the host after installing the filter driver.

I found a way to obtain a list of the existing TDI address and file objects
and how to find the local endpoint address for each of them. I am
struggling, however, to obtain the remote address information for a
“connected” TDI connection object.

I tried using TDI_QUERY_INFORMATION with TDI_QUERY_CONNECTION_INFO, but it
only returns some statistics about the connection. I also tried using
IOCTL_TCP_QUERY_INFORMATION_EX, but it returns a list of all connections and
ports and in some cases (with multiple connections to the same port) I do
not have sufficient information to associate a TDI connection object with a
remote IP address.

Is there a way to use IOCTL_TCP_QUERY_INFORMATION_EX so that it will return
the remote address and port for a specific connection?

Is there some other mechanism that I could use to obtain the remote address
given a TDI connection object?

Thank you very much,

–aydan



David,

Thank you for the reply.

I did look at netstat and netstat-like variants. It seems that netstat generally uses IOCTL_TCP_QUERY_INFORMATION_EX to obtain a list of *all* connections at once. Other variants I saw were using SNMP queries. Yet, some other code seems to be doing a lot of ReadProcessMemory together with IOCTL_TCP_QUERY_INFORMATION_EX. I believe this is done to find out the PID of the owning process. I do something similar, but in the kernel, to obtain the list of all TDI address and connection objects.

My problem, however, is: given a PFILE_OBJECT that represents a connection, how do I find the IP address and port of the remote end of that particular connection object?

I can obtain the list of the local and remote addresses of *all* established connections (using IOCTL_TCP_QUERY_INFORMATION_EX) and match them against the local-endpoint information for each PFILE_OBJECT obtained by calling TDI_QUERY_INFORMATION. This works if I have at most one connection to a single local address, but fails if there is more than one.

Thanks,
–aydan
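
The local-endpoint matching described in the last post, and the case where it breaks down, as an added example that is not code from the thread. The `conn_row` layout, the `resolve_remote` helper and the sample table are assumptions constructed for illustration; the function reports an ambiguous match instead of picking a row when several connections share one local address and port.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical row layout: one established connection as returned by a
   whole-table query (local and remote endpoint of each connection). */
typedef struct {
    uint32_t local_addr;  uint16_t local_port;
    uint32_t remote_addr; uint16_t remote_port;
} conn_row;

typedef enum { MATCH_NONE, MATCH_UNIQUE, MATCH_AMBIGUOUS } match_result;

/* Resolve the remote endpoint of a connection object for which only the
   local endpoint is known. *out is written only for a unique match. */
match_result resolve_remote(const conn_row *table, size_t n,
                            uint32_t local_addr, uint16_t local_port,
                            conn_row *out)
{
    const conn_row *hit = NULL;
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (table[i].local_addr == local_addr &&
            table[i].local_port == local_port) {
            hit = &table[i];
            hits++;
        }
    }
    if (hits == 0) return MATCH_NONE;
    if (hits > 1)  return MATCH_AMBIGUOUS; /* several connections on one local endpoint */
    *out = *hit;
    return MATCH_UNIQUE;
}

/* Constructed sample table: one outbound connection and two inbound
   connections that share local port 80 (documentation address ranges). */
#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
static const conn_row sample_table[] = {
    { IP(192,0,2,10), 49152, IP(198,51,100,7), 443   },
    { IP(192,0,2,10), 80,    IP(203,0,113,5),  51000 },
    { IP(192,0,2,10), 80,    IP(203,0,113,9),  51001 },
};
#define SAMPLE_ROWS (sizeof sample_table / sizeof sample_table[0])

int main(void) {
    conn_row r;
    return resolve_remote(sample_table, SAMPLE_ROWS, IP(192,0,2,10), 80, &r)
           == MATCH_AMBIGUOUS ? 0 : 1;
}
```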