Is it Possible to query ip address from threadid?

I want to query the user IP address from a thread ID. But a lot of other tools are
based on process ID queries. I wonder if it is possible to make such a query
based on thread ID?

Users do not have IP addresses, network protocol stacks do. What are you
really asking?


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

“sj” wrote in message news:xxxxx@ntdev…
>I want to query the user IP address from a thread ID. But a lot of other tools are
>based on process ID queries. I wonder if it is possible to make such a query
>based on thread ID?
>
>

> I wonder if it is possible to make such query based on threadid?

Sure - just get the PID from the thread ID (please note that the unique combination of IP address and port number identifies a process, rather than a thread)…

Anton Bassov

> What are you really asking?

Apparently, he means the unique combination of IP address and port number that identifies a process that sends/receives data…

Anton Bassov

Hmm, AFAIK, the unique combination of IP Address and port number identifies a socket. Beyond that, the use of that socket (endpoint object) by threads/processes is governed by host-specific semantics. The TCP/IP notion of ‘process’ is unrelated to the host concept of ‘process’. And a TCP/IP ‘process’ is a socket. On NT, the host process is, well, many things but not that. But perhaps I am nit-picking and if so, sorry. The OP’s OQ (original question, can I invent that?) seems to me to be unanswerable as there is no real relationship mandated by the system.

-dave

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Wednesday, April 09, 2008 8:42 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Is it Possible to query ip address from threadid?

I wonder if it is possible to make such query based on threadid?

Sure - just get the PID from the thread ID (please note that the unique combination of IP address and port number identifies a process, rather than a thread)…

Anton Bassov


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

I don’t think you are nitpicking. I may be totally missing the point
here, but even at the layman level, which is what I qualify as at best
when it comes to networking, a computer could have multiple ip addresses.

mm

David R. Cattley wrote:

Hmm, AFAIK, the unique combination of IP Address and port number identifies a socket.
Beyond that, the use of that socket (endpoint object) by
threads/processes is governed by host specific semantics.
The TCP/IP notion of ‘process’ is unrelated to the host concept of
‘process’. And TCP/IP ‘process’ is a socket.
On NT, the host process is, well, many things but not that. But perhaps
I am nit-picking and if so, sorry.
The OP’s OQ (original question, can I invent that?) seems to me to be
unanswerable as there is no real relationship mandated by the system.

-dave

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Wednesday, April 09, 2008 8:42 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Is it Possible to query ip address from threadid?

> I wonder if it is possible to make such query based on threadid?

Sure - just get the PID from the thread ID (please note that the unique combination of IP address and port number identifies a process, rather than a thread)…

Anton Bassov



Or none :-)

That is often the edge case to look at when analyzing a ‘relationship’ graph.

But in this case, my point is simply that there is no defined correlation (traversable relationship) between IPAddr (or IPAddr:protocol:socket) to or from Process other than to ask (as netstat can do) ‘what process seems to own this socket’ (with emphasis on ‘seems’). Like any handle accessed object (file object), the object can have handles duplicated to different processes and thus ‘ownership’ is a bit hard to define beyond ‘creator process’.

-dave

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Martin O’Brien
Sent: Wednesday, April 09, 2008 9:27 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Is it Possible to query ip address from threadid?

I don’t think you are nitpicking. I may be totally missing the point
here, but even at the layman level, which is what I qualify as at best
when it comes to networking, a computer could have multiple ip addresses.

mm

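Anton's "get the PID from the thread ID" step and Dave's netstat-style "what process seems to own this socket" lookup can be chained together from user mode. The following PowerShell is an added example written for this thread, not code from the list posts or from OSR; it assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection exists, and it only reports the owning PID the stack recorded at socket creation, so a handle duplicated into another process is not visible, exactly the caveat Dave raises.

```powershell
# Added example (not from the thread): thread ID -> owning PID -> TCP endpoints.
# Assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection.

function Get-ProcessIdFromThreadId {
    param([Parameter(Mandatory)][int]$ThreadId)
    # System.Diagnostics.Process.Threads exposes ProcessThread objects whose
    # Id is the OS thread ID, so a full scan finds the owning process.
    foreach ($p in Get-Process) {
        foreach ($t in $p.Threads) {
            if ($t.Id -eq $ThreadId) { return $p.Id }
        }
    }
    return $null
}

function Get-TcpEndpointsForThread {
    param([Parameter(Mandatory)][int]$ThreadId)
    $ownerPid = Get-ProcessIdFromThreadId -ThreadId $ThreadId
    if ($null -eq $ownerPid) {
        Write-Warning "No running process owns thread $ThreadId"
        return
    }
    # OwningProcess is the PID the TCP/IP stack recorded as the socket's creator
    # (what netstat -o shows). Duplicated handles are not tracked here, and a
    # process with no sockets returns nothing rather than an error.
    Get-NetTCPConnection -OwningProcess $ownerPid -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'ThreadId'; e = { $ThreadId } },
                      OwningProcess, LocalAddress, LocalPort,
                      RemoteAddress, RemotePort, State
}

# Usage: take any thread of a known process, e.g. the current PowerShell host.
# $tid = (Get-Process -Id $PID).Threads[0].Id
# Get-TcpEndpointsForThread -ThreadId $tid | Format-Table
```

Note that LocalAddress can be a wildcard (0.0.0.0 or ::) or any one of several addresses on a multihomed box, which is Martin's point: even once you have the socket, "the IP address" of the process is not a single value.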

What I want to do is to add some audit function to srv.sys, much like
the SMB monitor in application mode. I want to do some filtering on
lanmanserver in kernel mode. But I can only get the thread ID or user token
from the IRP filter. So I wonder if I can query the IP address from the
session ID, thread ID or token.

Are you trying to get the *remote* IP address of a session peer connected
via SMB? I ask not because I have any idea how to do that but because your
questions are not yet making complete sense to me. Perhaps it would be
best to keep trying to describe the general problem you are trying to solve
instead of asking for a way to implement what you think the solution might
be.

Good Luck,
-dave


From: “sj”
Sent: Wednesday, April 09, 2008 9:52 PM
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Subject: Re:[ntdev] Is it Possible to query ip address from threadid?

> What I want to do is to add some audit function to srv.sys, much
> like the SMB monitor in application mode. I want to do some filtering
> on lanmanserver in kernel mode. But I can only get the thread ID or user
> token from the IRP filter. So I wonder if I can query the IP address from the
> session ID, thread ID or token.

Yes. I did want to get the *remote* IP address of a session peer connected
via SMB. I want to capture the network file I/O operations and remote
information in the FSD layer or maybe an upper level. In kernel mode I intercept
FSD IRPs from lanmanserver. But these IRPs do not contain any information
about the remote IP address. With the help of some kernel functions like
SeQuerySecurityDescriptorInfo I can get the user access token and session ID
from these IRPs. But I still have no idea how to get the remote IP address
from the current IRP or stack location.

“David R. Cattley” wrote in message news:xxxxx@ntdev…
> Are you trying to get the remote IP address of a session peer connected
> via SMB? I ask not because I have any idea how to do that but because
> your questions are not yet making complete sense to me. Perhaps it would
> be best to keep trying to describe the general problem you are trying to
> solve instead of asking for a way to implement what you think the solution
> might be.
>
> Good Luck,
> -dave
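The remote-peer and open-file information sj wants from inside srv.sys is exposed by the server service itself, and the user-mode view of it is the natural first check before writing any kernel code. The PowerShell below is an added example for this thread, not code from the posts; it assumes the SmbShare module (Windows 8 / Server 2012 or later) and an elevated prompt on the file server, and it joins sessions to open files on SessionId, which is the same session identifier sj says the token yields.

```powershell
# Added example (not from the thread): correlate SMB sessions (remote peer,
# user) with the files each session currently holds open.
# Assumes the SmbShare module (Windows 8 / Server 2012 or later), run elevated.

function Get-SmbFileActivityByClient {
    [CmdletBinding()]
    param()

    # One snapshot of each table; both carry SessionId, which is the join key.
    $sessions = Get-SmbSession
    $opens    = Get-SmbOpenFile

    foreach ($s in $sessions) {
        $mine = @($opens | Where-Object { $_.SessionId -eq $s.SessionId })
        [PSCustomObject]@{
            SessionId     = $s.SessionId
            RemotePeer    = $s.ClientComputerName   # typically the client's IP address
            User          = $s.ClientUserName
            OpenCount     = $s.NumOpens
            OpenPaths     = @($mine | ForEach-Object { $_.Path })
        }
    }
}

# Usage: show who has what open, most active sessions first.
# Get-SmbFileActivityByClient | Sort-Object OpenCount -Descending | Format-List
```

This is a polled snapshot rather than the per-IRP interception sj describes: it tells you which peer holds which files open right now, not every read and write. For an audit trail the same fields are what you would want to log alongside the session ID so that later IRP-level events can be tied back to a remote address.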

> Hmm, AFAIK, the unique combination of IP Address and port number identifies a socket.

Correct - if we want to be even more technically correct, it identifies a *bound* socket. If you are able to identify a bound socket, you are automatically able to identify the process that owns it (or multiple processes, if the socket handle got duplicated). The way I understood it, this is what the OP wanted to do.

> But perhaps I am nit-picking

Not at all - instead, you have just corrected the terminology…

> The TCP/IP notion of ‘process’ is unrelated to the host concept of ‘process’.

I would say this is already not so correct - AFAIK, TCP/IP does not have some special meaning for
the term “process” that is basically different from the generally used one. You can think of a socket as a file object (as it is). Since you always know the process that owns a file object, as long as you are able to relate a packet to a file object by address/port combination, you are always able to deliver data to the right process…

Anton Bassov

IMHO

If you want the IP of the machine your code is on, you can read it through the registry:

http://support.microsoft.com/kb/314053

DhcpIPAddress
Key: Tcpip\Parameters\Interfaces\ID for Adapter
Value Type: REG_SZ - Dotted decimal IP address
Valid Range: Any valid IP address
Default: None
Description: This parameter specifies the DHCP-configured IP address for the interface. If the IPAddress parameter contains a first value other than 0.0.0.0, that value will override this parameter.

IPAddress
Key: Tcpip\Parameters\Interfaces\ID for Adapter
Value Type: REG_MULTI_SZ - List of dotted-decimal IP addresses
Valid Range: Any set of valid IP addresses
Default: None
Description: This parameter specifies the IP addresses of the IP interfaces to be bound to the adapter. If the first address in the list is 0.0.0.0, the primary interface on the adapter will be configured from DHCP. A computer with more than one IP interface for an adapter is known as “logically multihomed.” There must be a valid subnet mask value in the SubnetMask parameter for each IP address that is specified in this parameter.

If you want the remote IPs connecting to your machine in a TCP session, you might want to see how network sniffers work.
Ethereal and Wireshark are network sniffers with available source code.

-anurag
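The two registry values quoted from the KB article have a precedence rule (a non-0.0.0.0 first entry in IPAddress overrides DhcpIPAddress) and, because IPAddress is a REG_MULTI_SZ, they are exactly where Martin's "multiple IP addresses" and Dave's "or none" cases show up. The following PowerShell is an added example for this thread, not code from the post or the KB article; it assumes the standard Tcpip service key path under HKLM and reads every adapter subkey, applying the precedence rule as the KB text states it.

```powershell
# Added example (not from the thread): enumerate per-adapter IPAddress and
# DhcpIPAddress values and apply the KB precedence rule. Assumes the standard
# key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces.

function Get-InterfaceAddressesFromRegistry {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

    foreach ($key in Get-ChildItem -Path $base) {
        $props = Get-ItemProperty -Path $key.PSPath

        # IPAddress is REG_MULTI_SZ; it may be absent or contain empty strings,
        # so drop nulls/empties before looking at the first entry.
        $static = @($props.IPAddress | Where-Object { $_ })
        $dhcp   = $props.DhcpIPAddress            # REG_SZ, may be absent

        # Precedence as stated in the KB text: a first IPAddress entry other
        # than 0.0.0.0 overrides the DHCP-assigned address.
        $effective = if ($static.Count -gt 0 -and $static[0] -ne '0.0.0.0') {
            $static
        } elseif ($dhcp) {
            @($dhcp)
        } else {
            @()                                   # adapter with no address at all
        }

        [PSCustomObject]@{
            Interface    = $key.PSChildName       # adapter GUID subkey name
            StaticList   = $static
            DhcpAddress  = $dhcp
            EffectiveIPs = $effective
            Multihomed   = ($effective.Count -gt 1)
        }
    }
}

# Usage: only adapters that actually carry an address.
# Get-InterfaceAddressesFromRegistry | Where-Object { $_.EffectiveIPs.Count -gt 0 } | Format-Table
```

Expect several subkeys with an empty EffectiveIPs list (tunnel, virtual and disconnected adapters) and possibly one with more than one entry; any code that wants "the" local IP has to decide which of these it means.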