NDIS Filter--puzzle about the net_buffer_list and net_buffer

Hi all.

I would like to get the content of every TCP or UDP stream.

Now I use some macros and functions, such as the following:
pMdl = NET_BUFFER_CURRENT_MDL(pCurrentNetBuffer)
NdisQueryMdl(pMdl,&pEthHeader…)
pEthHeader=(PUCHAR)pEthHeader + NET_BUFFER_CURRENT_MDL_OFFSET(pCurrentNetBuffer)
Then pEthHeader points to the packet buffer.

I want to do deep packet inspection. Is this the proper way to get the packet buffer, or are there better ways?

My second question:
I don't understand the meaning of datalength and dataoffset defined in NET_BUFFER_DATA.
How can I use them? Are datalength and dataoffset associated with the packet buffer?

The third question: if the application layer sends a message and the packet is small and need not be fragmented, then the corresponding NBL should have only one net_buffer, is that right? And if the packet is fragmented into 3, should the NBL have 3 net_buffers? And does each net_buffer have the TCP/IP header, or only the first buffer?

Maybe too many questions, but there are too many puzzles. Thanks a lot for your time!

Any ideas?

Look in the WDK for the topics on NET_BUFFER functions. Then find WDK samples
that illustrate their use.

Search archives of this list for previous discussions on this topic.

Functions like NdisGetDataBuffer, NdisAdvanceNetBufferList and
NdisRetreatNetBufferList look promising.

Thomas F. Divine
http://www.pcausa.com


From:
Sent: Sunday, July 31, 2011 3:50 AM
To: “Windows System Software Devs Interest List”
Subject: [ntdev] NDIS Filter–puzzle about the net_buffer_list and
net_buffer

> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
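
An added example, not code from this thread or from the WDK: a user-mode model of the contiguous-or-copy behaviour that NdisGetDataBuffer (suggested in the reply above) is documented to provide. It shows why a pointer into the first MDL alone is not safe for header parsing when the bytes span MDLs. The types mdl_t and net_buffer_t and the function get_data_buffer are hypothetical stand-ins, and the packet bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-mode stand-ins for MDL and NET_BUFFER (not the ndis.h types). */
typedef struct mdl { struct mdl *next; const unsigned char *va; size_t byte_count; } mdl_t;
typedef struct { mdl_t *current_mdl; size_t current_mdl_offset, data_length; } net_buffer_t;

/* Return `need` contiguous bytes of packet data: a pointer into the current MDL
 * when they fit there, otherwise a gathered copy in `storage`. NULL if the packet
 * is shorter than `need` or the bytes are split and no storage was supplied. */
const unsigned char *get_data_buffer(const net_buffer_t *nb, size_t need,
                                     unsigned char *storage)
{
    const mdl_t *m = nb->current_mdl;
    size_t off = nb->current_mdl_offset, copied = 0;
    if (need == 0 || need > nb->data_length || m == NULL || off > m->byte_count)
        return NULL;
    if (m->byte_count - off >= need)
        return m->va + off;              /* contiguous: no copy needed */
    if (storage == NULL)
        return NULL;
    while (m != NULL && copied < need) { /* walk the MDL chain */
        size_t avail = m->byte_count - off;
        size_t n = (need - copied < avail) ? need - copied : avail;
        memcpy(storage + copied, m->va + off, n);
        copied += n;
        m = m->next;
        off = 0;                         /* only the first MDL has an offset */
    }
    return copied == need ? storage : NULL;
}

/* Constructed sample: 20 data bytes, 12 in the first MDL (offset 4), 8 in the second. */
static const unsigned char part_a[16] = {0xEE,0xEE,0xEE,0xEE, 0,1,2,3,4,5,6,7,8,9,10,11};
static const unsigned char part_b[8] = {12,13,14,15,16,17,18,19};
static mdl_t mdl_b = { NULL, part_b, sizeof part_b };
static mdl_t mdl_a = { &mdl_b, part_a, sizeof part_a };
static net_buffer_t sample_nb = { &mdl_a, 4, 20 };

int main(void)
{
    unsigned char storage[32];
    const unsigned char *p = get_data_buffer(&sample_nb, 14, storage);
    printf("14-byte header spans MDLs, copied: %d\n", p == storage);
    printf("12 bytes fit in first MDL, in place: %d\n",
           get_data_buffer(&sample_nb, 12, storage) == part_a + 4);
    return 0;
}
```

In the sample, a 14-byte Ethernet header read straight from the first MDL would run 2 bytes past that MDL's mapped data, which is the case the gather path handles.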

I searched for some information: the datalength in NET_BUFFER_DATA means the total length of the packet data, and when the size of the MDL is less than the datalength, it means there are more MDLs in the NET_BUFFER.
That is right, isn’t it?

Thank you for your answer. I'll find some samples and look at the documentation.

Yes.


From:
Sent: Monday, August 01, 2011 8:24 AM
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] NDIS Filter–puzzle about the net_buffer_list and
net_buffer
