How to Read complete data in Stream callback function

Hi,

I have written a Windows Filtering Platform (WFP) callout driver to capture the outgoing network traffic. I am using Stream layer callouts, i.e. FWPS_LAYER_STREAM_V4, to capture the outgoing IPv4 network data. I am handling only one NET_BUFFER_LIST, and inside that NBL I am reading only its first NET_BUFFER and one MDL. In the normal scenario with my test network application I am able to get the complete data using the above approach. But when I tested my driver with an actual browser, i.e. IE, in some cases I observed that the NET_BUFFER_LIST coming in is a chain of NBLs, not a single NBL. So I have the following questions regarding this:

  1. Since I want to capture the complete data going out from the computer in my WFP driver, is it sufficient to monitor only the first NET_BUFFER_LIST?
  2. If all the other NBLs can also contain packet data, can someone point out how to read the complete data from one stream callback?
  3. The browser sends chains of NBLs very intermittently, so I am not sure when such data arrives, because I am just opening the browser and browsing sites. So if anybody has an idea about this

Thanks,
Bishnu

Consider expanding your logic to read all MDLs on each NetBuffer and also
all NetBuffers chained to each NetBufferList.

Thomas F. Divine
http://www.pcausa.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Monday, May 19, 2014 5:22 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] How to Read complete data in Stream callback function

Hi,

I have written a Windows Filtering Platform (WFP) callout driver to capture
the outgoing network traffic. I am using Stream layer callouts, i.e.
FWPS_LAYER_STREAM_V4, to capture the outgoing IPv4 network data. I am
handling only one NET_BUFFER_LIST, and inside that NBL I am reading only its
first NET_BUFFER and one MDL. In the normal scenario with my test
network application I am able to get the complete data using the above
approach. But when I tested my driver with an actual browser, i.e. IE, in
some cases I observed that the NET_BUFFER_LIST coming in is a chain of NBLs,
not a single NBL. So I have the following questions regarding this:

1. Since I want to capture the complete data going out from the computer in
my WFP driver, is it sufficient to monitor only the first NET_BUFFER_LIST?
2. If all the other NBLs can also contain packet data, can someone
point out how to read the complete data from one stream callback?
3. The browser sends chains of NBLs very intermittently, so I am not sure
when such data arrives, because I am just opening the browser and browsing
sites. So if anybody has an idea about this

Thanks,
Bishnu



Thanks Thomas …!!!

I will add logic to iterate through all NBLs, NBs and MDLs, but after further debugging I have seen that multiple NBLs are coming for incoming data only. I have not seen any case where they come for outgoing data.

To understand it further, can you tell me whether all these NBLs will have different data, or can they also have the same data with different headers?
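
The traversal suggested in the reply above (every MDL of every NET_BUFFER of every NET_BUFFER_LIST in the chain), as an added example that is not code from any poster in this thread. It is a user-mode model: `mdl_t`, `nb_t` and `nbl_t` are simplified stand-ins for the NDIS structures, the function names are hypothetical, and the sample chain is constructed. Reading only the first MDL of the first NET_BUFFER of this chain would yield just `GET `.

```c
#include <stddef.h>
#include <string.h>

/* Simplified user-mode stand-ins (assumptions) for MDL, NET_BUFFER and
   NET_BUFFER_LIST; only the fields the walk needs are modelled. */
typedef struct mdl { struct mdl *next; const unsigned char *va; size_t byte_count; } mdl_t;
typedef struct nb  { struct nb *next; mdl_t *current_mdl; size_t current_mdl_offset; size_t data_length; } nb_t;
typedef struct nbl { struct nbl *next; nb_t *first_nb; } nbl_t;

/* Copy the in-use bytes of one NET_BUFFER across its MDL chain. */
static size_t copy_nb(const nb_t *nb, unsigned char *out, size_t cap)
{
    size_t remaining = nb->data_length, copied = 0;
    size_t skip = nb->current_mdl_offset;       /* unused space before the data */
    for (const mdl_t *m = nb->current_mdl; m && remaining && copied < cap; m = m->next) {
        if (skip >= m->byte_count) { skip -= m->byte_count; continue; }
        size_t n = m->byte_count - skip;
        if (n > remaining) n = remaining;        /* MDL may extend past the data */
        if (n > cap - copied) n = cap - copied;  /* never overrun the caller's buffer */
        memcpy(out + copied, m->va + skip, n);
        copied += n; remaining -= n; skip = 0;
    }
    return copied;
}

/* Walk every NBL in the chain and every NET_BUFFER on each NBL. */
size_t copy_nbl_chain(const nbl_t *chain, unsigned char *out, size_t cap)
{
    size_t total = 0;
    for (const nbl_t *l = chain; l; l = l->next)
        for (const nb_t *b = l->first_nb; b; b = b->next)
            total += copy_nb(b, out + total, cap - total);
    return total;
}

/* Constructed sample: 2 NBLs, 3 NET_BUFFERs, 4 MDLs, with padding bytes. */
size_t demo_constructed_chain(unsigned char *out, size_t cap)
{
    mdl_t m2 = { NULL, (const unsigned char *)"/ind", 4 };
    mdl_t m1 = { &m2,  (const unsigned char *)"##GET ", 6 };
    mdl_t m3 = { NULL, (const unsigned char *)"ex.html~~", 9 };
    mdl_t m4 = { NULL, (const unsigned char *)" HTTP/1.1", 9 };
    nb_t b2 = { NULL, &m3, 0, 7 };
    nb_t b1 = { &b2,  &m1, 2, 8 };
    nb_t b3 = { NULL, &m4, 0, 9 };
    nbl_t l2 = { NULL, &b3 };
    nbl_t l1 = { &l2,  &b1 };
    return copy_nbl_chain(&l1, out, cap);
}
```

In a real stream callout the chain head is the `netBufferListChain` member of `FWPS_STREAM_DATA0`, and `FwpsCopyStreamDataToBuffer0` copies the indicated stream data into a flat buffer without a hand-written walk.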