NDIS Communication Between User-Space and Kernel Space

Hi,

I developed an NDIS Protocol Driver that captures packets.

In order to examine the packets, I transferred the information to a user-mode application using DeviceIoControl.

Basically, the driver will insert the packets in a buffer, and when the user requests to see a packet it will send it to him and remove it from the buffer (one packet for every IRP).

(The user-mode application is in an endless loop, always calling the driver.)

This works fine when there are only a few packets, but when there are thousands of packets going through the sniffer, I end up losing packets since the user-mode application isn't keeping up with the driver (the driver has a buffer of a maximum number of packets it will receive before it starts deleting them to make space for new ones).

I came up with the following solutions that might help:

  1. Instead of using IRPs to communicate, copy the packets to a text file from the driver, then read them from user space.

  2. Send more than 1 packet per IRP to user space.

  3. Queue the IRP in a list and when a packet gets received, complete the IRP.

Any thoughts on what would be best?

Thanks !

> 1. Instead of using IRPs to communicate, copy the packets to a text file from the driver, then read them from user space.

This will be by far slower.

> 2. Send more than 1 packet per IRP to user space.

Yes, good idea.

> 3. Queue the IRP in a list and when a packet gets received, complete the IRP.

This is a good idea too. You can also queue many IRPs.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Thank you.

Hi

I implemented idea number 3 (queue the IRP in a list and when a packet gets received, complete the IRP).

This proved to be a big performance boost and fewer packets were lost,
but when I stream, for example, a YouTube video, there is still a significant amount of packet loss.
(I am guessing the reason is that a huge amount of packets enter the driver and it has no choice.)

Any other ideas that I could use to reduce the packet loss? (Does anyone know how Wireshark does it?)

I could also increase the buffer size (the number of packets it will store until it starts deleting them). It is currently set to 25; what would be a good size?

Thanks

The biggest bottleneck is probably simply the number of IRPs that are being
processed. So, an improvement is to:

1.) Use big buffers with each IRP so that multiple packets are transferred
in each read (or IOCTL) call.
2.) Go further and use multiple big buffers with multiple reads in progress
concurrently.

This will be better, but will still have some packet loss.

Here is some old information:

http://rawether.net/support/KB06300101.htm

Good luck,

Thomas F. Divine


From:
Sent: Monday, January 31, 2011 10:45 AM
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] NDIS Communication Between User-Space and kernel space

> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
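
The batching suggested in this reply, as an added example that is not code from the thread or from any driver mentioned in it: a portable user-mode C simulation (no NDIS or WDM calls) of a drop-oldest packet ring that packs several packets into one caller-sized buffer, plus the reader-side parser that refuses a record whose length overruns the batch. The `[16-bit length][bytes]` record layout and the names `Ring`, `ring_put`, `ring_drain` and `parse_batch` are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SLOTS 8     /* constructed; the poster's driver held 25 packets */
#define MAX_PKT    1514  /* assumed Ethernet frame limit */
typedef struct { uint16_t len; uint8_t data[MAX_PKT]; } Slot;
typedef struct { Slot s[RING_SLOTS]; unsigned head, count; unsigned long dropped; } Ring;

/* Capture path: store one packet; when full, discard the oldest and count it. */
void ring_put(Ring *r, const uint8_t *p, uint16_t len) {
    if (len == 0 || len > MAX_PKT) return;
    if (r->count == RING_SLOTS) { r->head = (r->head + 1) % RING_SLOTS; r->count--; r->dropped++; }
    Slot *s = &r->s[(r->head + r->count) % RING_SLOTS];
    s->len = len; memcpy(s->data, p, len); r->count++;
}

/* Completion path: pack whole records into out; never splits one or passes cap. */
size_t ring_drain(Ring *r, uint8_t *out, size_t cap) {
    size_t off = 0;
    while (r->count) {
        Slot *s = &r->s[r->head];
        if (cap - off < 2u + s->len) break;       /* next record does not fit */
        memcpy(out + off, &s->len, 2);
        memcpy(out + off + 2, s->data, s->len);
        off += 2u + s->len;
        r->head = (r->head + 1) % RING_SLOTS; r->count--;
    }
    return off;  /* bytes written, what a driver would report for the request */
}

/* Reader side: count records, rejecting any length that overruns the batch. */
int parse_batch(const uint8_t *buf, size_t n) {
    size_t off = 0; int pkts = 0;
    while (off < n) {
        uint16_t len;
        if (n - off < 2) return -1;
        memcpy(&len, buf + off, 2);
        if (len == 0 || len > MAX_PKT || n - off - 2 < len) return -1;
        off += 2u + len; pkts++;
    }
    return pkts;
}

int main(void) {
    static Ring r; uint8_t pkt[100] = {0}, out[512];  /* constructed traffic */
    for (int i = 0; i < 10; i++) ring_put(&r, pkt, (uint16_t)sizeof pkt);
    size_t n = ring_drain(&r, out, sizeof out);
    printf("bytes=%zu packets=%d dropped=%lu\n", n, parse_batch(out, n), r.dropped);
    return 0;
}
```

Exposing the `dropped` counter to the reader lets a capture tool report loss instead of silently presenting an incomplete trace.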

> (Does anyone know how Wireshark does it?)

Yes, it uses WinPCAP which is a fine packet capture facility for which
source code is readily available.

http://www.winpcap.org/

Good Luck,
Dave Cattley

Thanks for your replies!!

One more thing: I am currently using buffered I/O (to transfer the packet info from kernel space to user space).

Which is faster? Buffered? Direct? Or neither?

Thanks!!

There is no one answer to that question. You can read through the history
of discussions (some quite recent) in this list about Buffered I/O vs Direct
I/O. I will paraphrase what I recall PeterGV said recently: “CPUs and
memory copies are darn fast these days.” implying that the break-point for
finding when it is less costly to have the OS map your buffer instead of
bounce it is a moving target. If your transfer size is short like an
Ethernet packet and the amount of time you ‘hold’ the buffer in the driver
pending is short, I would suggest you stay with buffered I/O until you are
absolutely convinced that the buffering scheme of the kernel is why you are
not hitting your performance goals.

Good Luck,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@hotmail.com
Sent: Wednesday, February 02, 2011 11:32 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] NDIS Communication Between User-Space and kernel space
