Hello!
I’m writing an NDIS Filter Driver. Now my driver analyses all incoming/outgoing packets and parses protocol headers. I need to find HTTP GET requests. So my driver analyses the first bytes of data in outbound packets, and if they equal 0x47, 0x45, 0x54 (“GET” in ASCII) then it is a GET request.
I use Wireshark to check how correctly my driver parses packets. When Wireshark works in parallel with my driver, all GET requests are successfully detected. BUT when my driver works alone there is no result. I use the same code and open the same web resources, but no HTTP request is detected.
What is the relationship between my driver and WinPcap? I know that WinPcap is an Intermediate Driver. Does it modify packets in some way?
P.S. Sorry for my English, it’s not good enough.
Hello!
What about your AttachHandler? Is the callback function still called for the necessary miniport when your driver works alone?
And as far as I know, WinPcap doesn’t modify any packets. I am writing an NDIS Filter Driver too and have NO problems whether Wireshark works or not. I also get the same NetBufferLists in both situations.
In order to correctly parse HTTP, you must follow a TCP stream. In order to correctly follow a TCP stream, you must perform all TCP de-duplication, error-checking, and reassembly. It is 100% valid to send an HTTP request with 1 byte per packet – in reverse order.
Parsing this is difficult.
If possible, I suggest writing your driver using WFP instead of NDIS LWF. Then the OS will do the packet reassembly for you, and all you need to do is listen on the stream.
WinPcap is not an intermediate driver. It is a protocol driver named NPF that enables promiscuous mode and layer2 loopback. As a guess, I imagine that you’re seeing more traffic when NPF enables loopback mode, because then both the Tx and Rx paths are shunted through the Rx path. You should make sure that you implement both the FilterReceiveNetBufferLists and FilterSendNetBufferLists.
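To illustrate the reassembly point made above, here is an added example (not code from any poster, and not a driver): a constructed HTTP GET request is split one byte per TCP segment, delivered in reverse order with retransmitted duplicates, and checked both the naive per-packet way from the question and after in-order TCP reassembly. Names, sequence numbers and payload are all constructed for the demonstration.

```python
GET_MARK = b"GET"

# Constructed outbound request, initial sequence number and segments:
# one byte per segment, delivered in reverse order, plus two duplicates
# (one arriving before the stream completes, one after it has completed).
ISN = 1000
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
SEGMENTS = [(ISN + i, REQUEST[i:i + 1]) for i in range(len(REQUEST))][::-1]
SEGMENTS.insert(5, SEGMENTS[5])   # retransmit of a segment still pending
SEGMENTS.append(SEGMENTS[-1])     # late retransmit of the first byte (seq == ISN)


def per_packet_matches(segments):
    """The check from the question: compare the first bytes of every packet's
    payload with 'GET'. With one byte per segment it can never match."""
    return sum(1 for _, payload in segments if payload[:3] == GET_MARK)


class TcpStream:
    """Minimal one-direction TCP reassembler: drops old data, trims overlaps,
    buffers out-of-order segments and releases them in sequence order."""

    def __init__(self, isn):
        self.next_seq = isn        # sequence number we expect next
        self.pending = {}          # seq -> payload, arrived ahead of next_seq
        self.data = bytearray()    # contiguous, in-order stream so far

    def feed(self, seq, payload):
        end = seq + len(payload)
        if end <= self.next_seq:              # entirely old: duplicate/retransmit
            return
        if seq < self.next_seq:               # partial overlap: keep only new bytes
            payload = payload[self.next_seq - seq:]
            seq = self.next_seq
        if len(payload) > len(self.pending.get(seq, b"")):
            self.pending[seq] = payload
        while self.next_seq in self.pending:  # drain everything now contiguous
            chunk = self.pending.pop(self.next_seq)
            self.data += chunk
            self.next_seq += len(chunk)


def stream_starts_with_get(segments, isn):
    """Reassemble the segments, then test the stream (not the packets)."""
    stream = TcpStream(isn)
    for seq, payload in segments:
        stream.feed(seq, payload)
    return stream.data.startswith(GET_MARK), bytes(stream.data)
```

Run on the constructed segments, the per-packet check finds nothing while the reassembled stream begins with "GET", which is exactly why a filter that only looks at individual outbound packets will miss requests that Wireshark, working on the reassembled conversation, shows clearly.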
Amalthea_UA wrote:
I use Wireshark to check how correctly my driver parses packets. When Wireshark works in parallel with my driver, all GET requests are successfully detected. BUT when my driver works alone there is no result. I use the same code and open the same web resources, but no HTTP request is detected.
What is the relationship between my driver and WinPcap? I know that WinPcap is an Intermediate Driver. Does it modify packets in some way?
Are you filtering packets that are coming from your own machine?
Remember that WinPcap turns on “promiscuous mode” so you can see packets to/from other computers.
All is OK with AttachHandler, and my driver implements FilterReceiveNetBufferLists as well as FilterSendNetBufferLists. It looks like using WFP instead is more efficient in my case. After reading the documentation about WFP I came to the conclusion that the goals of my work can be successfully achieved with this technology.
Thanks to all for replies!