How to parse a packet in NDIS intermediate driver?

Dear all,

Currently, I am experiencing the NDIS driver Passthru in WinDDK Sample.
According to the source code, the packet must be passed through MPSend()
and PtReceive(), with the packet descriptor, after we install the
Passthru driver. NDIS provides an NDIS_OOB_DATA_FROM_PACKET method to
access the OOB information associated with the packet. However, it does
not provide an available approach to access the context of the packet,
such as IP header, TCP/UDP header and data.

Could you please give me a hint to parse the packet in NDIS driver?

Thanks!

-Liang

Liang,

NDIS does not provide any mechanism for parsing a “Layer 3” protocol header
from a packet. NDIS provides the management of “Layer 2” (MAC level) packet
exchange in the system. If your IM driver requires access to the L3 (IP,
IPX, etc.) header, you will need to parse the packet yourself.

Each packet is organized as a chain of buffers. The NDIS functions
NdisGetFirstBufferFromPacketSafe() and NdisGetNextBuffer() can be used to
access the data stored in the buffers. I recommend you look at the DDK
sample NDISPROT.

The TCPIP protocol generally sets the minimum lookahead size to be large
enough to cause the first buffer in the chain of a receive packet to contain
the full MAC header and the entire IP+(TCP/UDP) header.

Some additional details you should be aware of:

  1. TCPIP may send packets that have not yet had the checksum calculated and
    inserted when using the checksum offload capability of certain NICs. You
    can assume when checksum offload is specified in a packet that the packet is
    valid.
  2. TCPIP may send very large TCP packets that will be fragmented and sent
    as separate packets by the NIC when TCP large send offload is specified.
    Your processing should recognize that this will occur.
  3. The MAC header might not always be 14 octets in length, for instance
    SNAP encoding.

Good Luck,
Dave Cattley
Systems Software Development


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of CHEN, LIANG -HCHBJ
Sent: Tuesday, June 07, 2005 4:52 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to parse a packet in NDIS intermediate driver?

Dear all,

Currently, I am experiencing the NDIS driver Passthru in WinDDK Sample.
According to the source code, the packet must be passed through MPSend() and
PtReceive(), with the packet descriptor, after we install the Passthru
driver. NDIS provides an NDIS_OOB_DATA_FROM_PACKET method to access the
OOB information associated with the packet. However, it does not provide an
available approach to access the context of the packet, such as IP header,
TCP/UDP header and data.

Could you please give me a hint to parse the packet in NDIS driver?

Thanks!

-Liang


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

You will have to use NdisQueryPacket/NdisQueryBuffer(Safe) to get the contiguous byte data from the NDIS_PACKET. Then parse this contiguous byte data for respective protocol headers. There is no built in kernel function for this. Google for protocol header format.

Good luck,
Abhijit


NDIS does not differentiate the TCP and IP headers from data. They are just the beginning of the data.

Accessing the data in PASSTHRU is simple - NdisQueryPacket (IIRC), NdisGetFirstBufferFromPacket, NdisQueryBuffer and friends.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


…and even the MAC header is just a part of the data in NDIS.

Windows TCP/IP only supports SNAP (aka 802.3) and DIX Ethernet frame formats. According to RFC1122, IP over Ethernet must use DIX as a default, and Windows really behaves this way. It can receive both though.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: David R. Cattley
To: Windows System Software Devs Interest List
Sent: Tuesday, June 07, 2005 4:14 PM
Subject: RE: [ntdev] How to parse a packet in NDIS intermediate driver?

Liang,

NDIS does not provide any mechanism for parsing a “Layer 3” protocol header from a packet. NDIS provides the management of “Layer 2” (MAC level) packet exchange in the system. If your IM driver requires access to the L3 (IP, IPX, etc.) header, you will need to parse the packet yourself.

Each packet is organized as a chain of buffers. The NDIS functions NdisGetFirstBufferFromPacketSafe() and NdisGetNextBuffer() can be used to access the data stored in the buffers. I recommend you look at the DDK sample NDISPROT.

The TCPIP protocol generally sets the minimum lookahead size to be large enough to cause the first buffer in the chain of a receive packet to contain the full MAC header and the entire IP+(TCP/UDP) header.

Some additional details you should be aware of:

  1. TCPIP may send packets that have not yet had the checksum calculated and inserted when using the checksum offload capability of certain NICs. You can assume when checksum offload is specified in a packet that the packet is valid.
  2. TCPIP may send very large TCP packets that will be fragmented and sent as separate packets by the NIC when TCP large send offload is specified. Your processing should recognize that this will occur.
  3. The MAC header might not always be 14 octets in length, for instance SNAP encoding.

Good Luck,
Dave Cattley
Systems Software Development



Yeah, I get the data of MAC header. It will not be a big problem to
parse the remaining packet. Thank you!

By the way, I learned from “TCP/IP Illustrated”, by W.R. Stevens, that
the buffer of a packet is chained to reduce the overhead of moving
memory. Does NDIS adopt a similar idea? Is it necessary for me to
trace the buffer blocks one by one in order to get all data of a packet?

Thanks!

-Liang


From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Wednesday, June 08, 2005 12:18 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] How to parse a packet in NDIS intermediate driver?

…and even the MAC header is just a part of the data in NDIS.

Windows TCP/IP only supports SNAP (aka 802.3) and DIX Ethernet frame
formats. According to RFC1122, IP over Ethernet must use DIX as a
default, and Windows really behaves this way. It can receive both
though.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


“CHEN, LIANG -HCHBJ” wrote in message news:xxxxx@ntdev…
Yeah, I get the data of MAC header. It will not be a big problem to parse the remaining packet. Thank you!

By the way, I learned from “TCP/IP Illustrated”, by W.R. Stevens, that the buffer of a packet is chained to reduce the overhead of moving memory. Does NDIS adopt a similar idea? Is it necessary for me to trace the buffer blocks one by one in order to get all data of a packet?

See the "NDIS Packet Discussion" at ndis.com.

http://www.ndis.com/papers/default.htm

Good luck,

Thomas F. Divine, Windows DDK MVP

http://www.rawether.net

Thanks!

-Liang


Yes, surely NDIS uses it.

In incoming packets, Ethernet+IP+TCP or UDP headers are all in the first buffer (or in the lookahead if you use old-style indications).

In outgoing packets, usually it is 1 buffer for Ethernet header + 1 buffer for IP+TCP headers, and then 1 or more buffers for payload. I would not rely on this though, and make the full header reassembly for the outgoing packets.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: CHEN, LIANG -HCHBJ
To: Windows System Software Devs Interest List
Sent: Wednesday, June 08, 2005 4:20 PM
Subject: RE: [ntdev] How to parse a packet in NDIS intermediate driver?

Yeah, I get the data of MAC header. It will not be a big problem to parse the remaining packet. Thank you!

By the way, I learned from “TCP/IP Illustrated”, by W.R. Stevens, that the buffer of a packet is chained to reduce the overhead of moving memory. Does NDIS adopt a similar idea? Is it necessary for me to trace the buffer blocks one by one in order to get all data of a packet?

Thanks!

-Liang
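
An added illustration of the advice in this thread (not code from any poster or from the DDK samples): a user-mode C model that reassembles the headers from a buffer chain before parsing, and accepts both DIX and 802.3 LLC/SNAP framing. The names buf_t, l4_info, flatten, parse_headers, demo and the sample frames are hypothetical; in a driver the chain walk would use the NDIS buffer functions named in the replies above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-mode stand-in for one buffer in a packet's buffer chain. */
typedef struct buf { const uint8_t *va; size_t len; struct buf *next; } buf_t;
typedef struct { uint8_t proto; uint16_t sport, dport; size_t mac_len, ip_len; } l4_info;

/* Copy at most cap bytes of the chain into out; returns the number copied. */
static size_t flatten(const buf_t *b, uint8_t *out, size_t cap) {
    size_t n = 0;
    for (; b && n < cap; b = b->next) {
        size_t take = b->len < cap - n ? b->len : cap - n;
        memcpy(out + n, b->va, take);
        n += take;
    }
    return n;
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Returns 0 and fills *o for IPv4 TCP/UDP; -1 if truncated or anything else. */
int parse_headers(const buf_t *chain, l4_info *o) {
    uint8_t h[128];                  /* 22 MAC + 60 IP + 4 port bytes fit easily */
    size_t n = flatten(chain, h, sizeof h), mac = 14;
    if (n < 14) return -1;
    uint16_t type = be16(h + 12);
    if (type <= 1500) {              /* 802.3 length field, so expect LLC/SNAP */
        if (n < 22 || memcmp(h + 14, "\xAA\xAA\x03\0\0\0", 6) != 0) return -1;
        type = be16(h + 20);
        mac = 22;
    }
    if (type != 0x0800 || n < mac + 20) return -1;
    const uint8_t *ip = h + mac;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || n < mac + ihl + 4) return -1;
    if (ip[9] != 6 && ip[9] != 17) return -1;   /* TCP or UDP only */
    if (be16(ip + 6) & 0x1FFF) return -1;       /* later fragment: no L4 header */
    o->proto = ip[9]; o->mac_len = mac; o->ip_len = ihl;
    o->sport = be16(ip + ihl); o->dport = be16(ip + ihl + 2);
    return 0;
}

/* Constructed sample 1: DIX frame, TCP 1234 -> 80, IP header split across buffers. */
static const uint8_t d_eth[] = {2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00};
static const uint8_t d_ip1[] = {0x45,0,0,0x2c, 0,1,0,0, 0x40,6,0,0};
static const uint8_t d_ip2[] = {192,0,2,1, 192,0,2,2, 0x04,0xd2, 0,80, 0,0,0,0,
    0,0,0,0, 0x50,0x02,0,0, 0,0,0,0, 'd','a','t','a'};
/* Constructed sample 2: 802.3 + LLC/SNAP frame, UDP 53 -> 49152, one buffer. */
static const uint8_t s_frame[] = {2,0,0,0,0,1, 2,0,0,0,0,2, 0x00,0x24,
    0xAA,0xAA,0x03, 0,0,0, 0x08,0x00, 0x45,0,0,0x1c, 0,2,0,0, 0x40,17,0,0,
    192,0,2,2, 192,0,2,1, 0,53, 0xc0,0, 0,8, 0,0};

/* Runs the parser on sample 1 (which == 0) or sample 2 (which != 0). */
int demo(int which, l4_info *o) {
    buf_t c = {d_ip2, sizeof d_ip2, NULL}, b = {d_ip1, sizeof d_ip1, &c};
    buf_t a = {d_eth, sizeof d_eth, &b}, s = {s_frame, sizeof s_frame, NULL};
    return parse_headers(which ? &s : &a, o);
}

int main(void) {
    l4_info o;
    for (int i = 0; i < 2; i++)
        if (demo(i, &o) == 0)
            printf("proto %d, ports %d -> %d, MAC %zu bytes\n", o.proto, o.sport, o.dport, o.mac_len);
}
```

The parser does not verify IP or TCP/UDP checksums, since with checksum offload a send-path packet may not have them filled in yet. Every offset is checked against the number of bytes actually copied, so a short or oddly split chain is rejected instead of read past its end.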

