NDIS Application Protocols Query

Hi,

Is it possible to determine what application protocol a packet belongs to (for example HTTP, HTTPS, FTP, etc.) from an NDIS Protocol Driver?

Thanks

Yes, it's possible. See protocol.c in the passthru sample for the IM driver. You
need to parse the NDIS_PACKET w.r.t. the header offsets.

On 22 February 2011 13:40, wrote:

> Hi,
>
> Is it possible to determine what application protocol a packet belongs
> to (for example HTTP, HTTPS, FTP, etc.) from an NDIS Protocol Driver?
>
> Thanks


Anand Iyer

I looked at that sample, but it doesn't parse the packets to check for application protocols.

Basically, I developed an NDIS Protocol Driver (based on the NDISPROT sample).

I have a function which gets called by NDIS every time a packet gets received; what I then do is extract the IP header and the Ethernet header and cast them to a structure respectively.

I.e. I get to view the source and destination IP of every packet, and also the protocol number (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml; the protocols that I see are from that list).

How can I transform that into protocols from this list:
http://en.wikipedia.org/wiki/Application_Layer

(Is there any sample in the WDK that does this?)

Thanks

OK, so I did more research and it seems like I have to parse the IPv4 packet into a TCP/UDP packet; then I can see the destination port number and determine what application protocol it is using.

Am I on the right track?

For example, HTTP uses port 80, so all HTTP packets will have a destination port of 80, but how will I be able to detect, for example, BitTorrent packets, which don't have a defined port number per se?

Thanks for your help :)

You are indeed on the right track. I suggest you reference W. Richard Stevens' book, TCP/IP Illustrated, Vol. 1: The Protocols (Addison-Wesley Professional Computing Series). The book, though dated, is still on my shelf.
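As an added example (not code from this thread, the NDISPROT sample or the WDK), here is the layered parse the thread describes, written in plain C over a contiguous byte buffer: Ethernet, then IPv4, then TCP/UDP, then a well-known-port lookup. It assumes the driver can present a received packet as one contiguous buffer; the sample frame is constructed, and the parser bounds-checks every layer (truncated frame, bogus IHL or total length, non-first fragment) so a malformed packet cannot make it read past the buffer, while a protocol with no fixed port, such as BitTorrent, simply falls through to "unknown".

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result for one frame: IANA protocol number, L4 destination port, app name. */
typedef struct { uint8_t proto; uint16_t dst_port; const char *app; } pkt_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Well-known-port lookup. A heuristic only: traffic on a non-standard port, or a
   protocol with no fixed port such as BitTorrent, comes back as "unknown". */
static const char *app_for_port(uint8_t proto, uint16_t port) {
    if (proto == 6) switch (port) {                       /* TCP */
        case 20: case 21: return "FTP";
        case 80:          return "HTTP";
        case 443:         return "HTTPS";
    }
    if (proto == 17 && port == 53) return "DNS";          /* UDP */
    return "unknown";
}

/* Walk Ethernet -> IPv4 -> TCP/UDP, checking lengths at every layer so a short
   or malformed frame never causes a read past the end of the buffer. */
pkt_info classify_frame(const uint8_t *frame, size_t len) {
    pkt_info r = { 0, 0, "unparsed" };
    if (len < 14 || rd16(frame + 12) != 0x0800) return r; /* not IPv4 */
    const uint8_t *ip = frame + 14;
    size_t rem = len - 14;
    if (rem < 20 || (ip[0] >> 4) != 4) return r;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;              /* header length, bytes */
    uint16_t total = rd16(ip + 2);
    if (ihl < 20 || ihl > rem || total < ihl || total > rem) return r;
    if ((rd16(ip + 6) & 0x1FFF) != 0) return r;           /* non-first fragment */
    r.proto = ip[9];
    r.app = "unknown";
    size_t l4len = total - ihl;
    if ((r.proto == 6 && l4len >= 20) || (r.proto == 17 && l4len >= 8)) {
        r.dst_port = rd16(ip + ihl + 2);                  /* dst port at L4 offset 2 */
        r.app = app_for_port(r.proto, r.dst_port);
    }
    return r;
}

/* Constructed sample: Ethernet + IPv4 192.168.1.10 -> 93.184.216.34 + TCP SYN to port 80. */
static const uint8_t sample_http[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00, 0xc0,0xa8,0x01,0x0a, 0x5d,0xb8,0xd8,0x22,
    0x04,0xd2,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x50,0x02,0x20,0x00, 0x00,0x00,0x00,0x00 };
```

Calling classify_frame(sample_http, sizeof sample_http) yields proto 6, dst_port 80, app "HTTP"; handing it the same buffer with a shorter length returns "unparsed" instead of reading beyond it.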