Hi all,
Does anybody know how to get the process name and destination IP, or the process ID, of an application that generates an ICMP packet?
An example:
ping localhost
... then ZoneAlarm shows me which application generates the ICMP request, together with the IP.
I am currently developing a TDI hooking driver for my firewall and I've examined TDI's UserRequest IOCTLs. I've found that DevFilter shows me the IOCTL code
IOCTL_IP_ECHO_REQUEST. Then I searched with Google and no results were found.
Is this the key to the solution of my problem?
Does anybody have a list of these undocumented IOCTLs with a short description?
Regards,
Bruce Raynold
On Sep 29, 2004, at 3:15 AM, Bruce Raynold wrote:
> Hi all,
>
> Does anybody know how to get the process name and destination IP, or the
> process ID, of an application that generates an ICMP packet?
This is typically done with a TDI filter. This isn’t a well-documented
driver type and is not officially supported by Microsoft. There is
more info about this on www.ndis.com and www.pcausa.com.
-sd
Steve Dispensa
MVP - Windows DDK
www.kernelmustard.com
—
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
OK,
please, can you give me an example?
I only receive an IRP_MJ_DEVICE_CONTROL when using ping localhost. I want to get the destination IP and the name of the process that generates the ICMP request.
On Sep 29, 2004, at 9:14 AM, Bruce Raynold wrote:
> Please, can you give me an example?
How about the one I pointed you to before?
http://www.pcausa.com/tdisamp/default.htm
Or, google for tdi samples.
-sd
Steve Dispensa
MVP - Windows DDK
www.kernelmustard.com
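The thread above stops at "look at the TDI samples", so here is an added example of the specific step Bruce is asking about; it is not code from the thread, from Steve Dispensa, or from the PCAUSA samples. The observation that `ping localhost` shows up in the filter only as an IRP_MJ_DEVICE_CONTROL is expected: ping.exe does not open a TDI transport address, it calls IcmpSendEcho in iphlpapi, which issues a METHOD_BUFFERED IOCTL to \Device\Ip (ipexport.h names it IOCTL_ICMP_ECHO_REQUEST; DevFilter displays it as IOCTL_IP_ECHO_REQUEST) whose input buffer starts with an ICMP_ECHO_REQUEST header carrying the destination address. A filter attached only to \Device\Tcp and \Device\Udp will therefore never see it; it has to sit on \Device\Ip as well. The requesting process needs no lookup at all: the IRP_MJ_DEVICE_CONTROL dispatch runs in the caller's thread context, so PsGetCurrentProcessId() in the dispatch routine is the pinging process, and the image name can be read from its EPROCESS. The code below does the buffer-side work as plain user-mode C so it can be compiled and run here: the IOCTL value (0x120000) and the ICMP_ECHO_REQUEST layout are assumed from the DDK's ipexport.h, and `echo_info`, `parse_echo_request` and `build_echo_request` are names of this example, not of any Windows API. The request buffer it parses is constructed inline to look like the one ping.exe submits.

```c
/* Added example (not from the thread): the check a \Device\Ip filter's
 * IRP_MJ_DEVICE_CONTROL handler performs on an ICMP echo IOCTL, written as
 * user-mode C. IOCTL value and ICMP_ECHO_REQUEST layout are assumed from the
 * DDK's ipexport.h. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CTL_CODE() exactly as ntddk.h defines it. */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))
#define FILE_DEVICE_NETWORK 0x12
#define METHOD_BUFFERED     0
#define FILE_ANY_ACCESS     0
/* ipexport.h: _IP_CTL_CODE(0, METHOD_BUFFERED) == 0x120000 (assumed). DevFilter
 * labels the same code IOCTL_IP_ECHO_REQUEST. */
#define IOCTL_ICMP_ECHO_REQUEST \
    CTL_CODE(FILE_DEVICE_NETWORK, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)

/* Header at the start of the METHOD_BUFFERED input buffer (assumed layout). */
typedef struct icmp_echo_request {
    uint32_t Address;      /* destination IPv4 address, network byte order */
    uint32_t Timeout;      /* reply timeout in ms */
    uint16_t DataOffset;   /* offset of the echo payload from buffer start */
    uint16_t DataSize;     /* payload length in bytes */
    uint8_t  OptionsValid;
    uint8_t  Ttl;
    uint8_t  Tos;
    uint8_t  Flags;
    uint32_t OptionsOffset;
    uint8_t  OptionsSize;
    uint8_t  Padding;
} ICMP_ECHO_REQUEST;

typedef struct {
    uint32_t pid;          /* in the driver: (ULONG)PsGetCurrentProcessId() */
    char     dst[16];      /* dotted-quad destination */
    uint16_t payload_len;
} echo_info;

/* Returns 0 and fills *out when ioctl is the echo request and buf/len hold a
 * well-formed header; -1 otherwise. In the driver the arguments are
 * Irp->AssociatedIrp.SystemBuffer and
 * IoGetCurrentIrpStackLocation(Irp)->Parameters.DeviceIoControl.InputBufferLength.
 * Every field is attacker-controlled (any process may open \Device\Ip), so the
 * length and the DataOffset/DataSize pair are checked before anything is read
 * through them. */
int parse_echo_request(uint32_t ioctl, const uint8_t *buf, size_t len,
                       uint32_t caller_pid, echo_info *out)
{
    ICMP_ECHO_REQUEST req;
    const uint8_t *a;

    if (ioctl != IOCTL_ICMP_ECHO_REQUEST) return -1;      /* not an echo request */
    if (buf == NULL || len < sizeof req) return -1;       /* header truncated */
    memcpy(&req, buf, sizeof req);                        /* avoid unaligned reads */
    if ((size_t)req.DataOffset + req.DataSize > len)      /* payload outside buffer */
        return -1;

    out->pid = caller_pid;
    a = (const uint8_t *)&req.Address;                    /* already in wire order */
    snprintf(out->dst, sizeof out->dst, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]);
    out->payload_len = req.DataSize;
    return 0;
}

/* Constructed input buffer shaped like the one IcmpSendEcho submits: header
 * followed immediately by the echo payload. Returns bytes written, 0 if cap
 * is too small. */
size_t build_echo_request(uint8_t *buf, size_t cap, const uint8_t ip[4],
                          const uint8_t *payload, uint16_t payload_len)
{
    ICMP_ECHO_REQUEST req;
    size_t total = sizeof req + payload_len;

    if (cap < total) return 0;
    memset(&req, 0, sizeof req);
    memcpy(&req.Address, ip, 4);
    req.Timeout    = 1000;
    req.DataOffset = (uint16_t)sizeof req;
    req.DataSize   = payload_len;
    req.Ttl        = 128;
    memcpy(buf, &req, sizeof req);
    memcpy(buf + sizeof req, payload, payload_len);
    return total;
}

int main(void)
{
    static const uint8_t localhost[4] = {127, 0, 0, 1};   /* "ping localhost" */
    uint8_t payload[32];                                   /* ping's default size */
    uint8_t buf[128];
    echo_info info;
    size_t n;

    memset(payload, 'a', sizeof payload);
    n = build_echo_request(buf, sizeof buf, localhost, payload, sizeof payload);
    if (parse_echo_request(IOCTL_ICMP_ECHO_REQUEST, buf, n, 1234, &info) == 0)
        printf("pid %u -> %s (%u payload bytes)\n",
               info.pid, info.dst, info.payload_len);
    return 0;
}
```

The bounds check on DataOffset/DataSize is the part to carry into the real driver: the filter sits between an unprivileged caller and the IP driver, and reading the payload through unchecked offsets is a kernel memory disclosure or crash waiting to happen. Raw ICMP sent through a raw socket takes a different path (TDI sends on \Device\RawIp), so a firewall that wants to attribute both kinds of echo needs both hooks.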