You may have misunderstood what I am saying about Wireshark. Wireshark
itself is a fine tool. I just needs to be run on another host connected to
the network that can observe all the packets in & out of your system (either
through a special switch port or by inserting a ‘hub’ if you can find one).
Alternatively, running Wireshark at the ‘destination’ devices also is fine.
The point is that if you have incorrectly handled the loopback behavior in
your IM driver, it is quite possible that Wireshark will see the original
packet as being ‘sent’ (because it was, after all, sent to your IM driver)
but *not* see the actual packet sent (because nothing looped it back for
Wireshark to see).
But since you are convinced by external behavior that the packet is not
being sent *and* the original is being sent then only one possibility
exists. Your driver is not sending the copied packet.
Really now, think about it. The lower bound NIC does not send anything that
you don’t ask it to send if you have an exclusive binding to the NIC.
So now I have to ask, do you have an exclusive binding to the NIC? I assume
that you let Windows do all the heavy lifting and used the NetService class
and declared yourself a Filter. If you have a notify object and do the
binding calculation yourself, well then, break into the debugger and type
the following:
!ndisk.protocols
And verify that the binding to the NIC (actually, the binding path because
other IMs might be in there) is exclusive and that no other path exists to
the NIC.
But then again, you could tell this by running IPCONFIG. Two bindings would
show up as too many adapters in IPCONFIG.
Stop assuming that because it works on a number of adapters that somehow it
is not fundamentally broken. Perhaps the few adapters where it does not
work are the true behavior case and the others are just exceedingly lucky.
Nothing so far that you have shared with us indicates that you have analyzed
the difference in behavior (from the perspective of an NDIS protocol) that
these NICs exhibit. What are their adapter characteristics? Do they
support self-loopback? Do they differ in their NDIS version support? Are
they DMA devices or PIO or shared memory devices?
IM drivers have been written that modify send packets and that work fine
over all of these NICs (though I have not tested on the AN983 that I can
recall).
Here is what I would do:
-
Change the logic temporarily in the driver to ‘drop’ (not copy) every
packet that matches your criteria to be edited. Just complete it and don’t
send anything at all to the lower bound NIC. Look at your instrumentation.
Does it show the packet as still being sent? Look at the network
‘destination’ machines. Do they still see the packet as being sent?
-
Go look at your send path again. Make sure it that you are not
inadvertently sending the original buffers or packet or some-such because of
some code-path error.
But seriously, this is the send path only right? That is the least
troublesome of the two data paths. If you are making a complete & flat copy
of the send packet then how could that get screwed up. If you are trying
to be clever and re-use subranges of the original buffer chain then you
probably messed that up.
Good Luck,
Dave Cattley
Consulting Engineer
Systems Software Development
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@freemail.hu
Sent: Friday, June 19, 2009 7:56 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] NDIS filter driver problem and question
We do the packet modification exactly the same way as you wrote above.
We check the packets with Wireshark so we not absolutely sure that we
capture the modified packets, but: we send a query packet to a web server.
Our driver modifies the query to redirect it to another server. It works in
most cases (the driver works fine on approximately 3000 clients), but in the
cases mentioned above we see that the reply packet comes from the original
server (but we see in the debugger that the packet modification was
successful), so the packet was not redirected (modified). There were some
NICs when device driver changing solved the problem (for example: sis 900
pci). On other NICs the problem seems to be constant. Cards:
- SMC Etherpower II
- BROADCOM NETXTREME 57XX
- AMDtek AN983
- National Semiconductor DP 83815
- Intel PRO/100VM
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer