NDIS Intermediate Driver dump traffic into pcap format

I modified the passthru sample from the WinDDK so that it intercepts and captures all network traffic and dumps it to the log file c:\xxx.dat.

It is a direct dump at driver level, using ZwWriteFile from a work item. Now my problem is how to dump the log in pcap format.

Any source I can refer to?

Thanks

Try the documentation of any open source app that uses that format.
Google for ‘pcap format’ and you’ll find all sorts of goodness.
http://wiki.wireshark.org/Development/LibpcapFileFormat for instance.

James

Wireshark is remarkably capable at dealing with just about every format
conceivable. You might find that packet dumping to one of the other formats
is more convenient unless you want to add more information than just the
packet.

However, you might also find the following an interesting approach that gets
you out of the business of having to figure out how to snort up all of those
packets, synchronize to PASSIVE_LEVEL, and do disk I/O in a worker thread.

Take a page from NDISWAN (an IM driver as well) and expose an extra ‘upper’
miniport (or two, or as many as you need) that serve only to be bound to
packet sniffers like Wireshark/PCAP or NetMon. That way standard tools can
capture, filter, and save to disk (as appropriate) without you having to
write such utilities or get caught in the “I like sniffer blah…, your
sniffer sucks…” arguments. Indicating all of those packets to another
miniport is not such a big deal (far less trouble than queuing them,
servicing the queue on a worker thread, figuring out when you should roll
over the capture file, etc. etc. etc.) If you are mixing both inbound and
outbound packets in the same capture file, you can get away with a single
‘extra’ miniport.

Good Luck,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of James Harper
Sent: Tuesday, June 01, 2010 6:02 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NDIS Intermediate Driver dump traffic into pcap format

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

If you want it in pcap format, why use your own driver? Use the pcap lib.

>If you want it in pcap format, why use your own driver? Use the pcap lib.

First, this is a tracking project; I am planning to use an NDIS intermediate driver to make sure I capture every packet. Correct me if I am wrong, but WinPcap just intercepts the network at the NDIS TDI level, and an NDIS intermediate driver is lower than TDI.


From:
Sent: Wednesday, June 02, 2010 1:18 AM
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] NDIS Intermediate Driver dump traffic into pcap format

>>If you want it in pcap format, why use your own driver? Use the pcap lib.
>
> First, this is a tracking project; I am planning to use an NDIS intermediate
> driver to make sure I capture every packet. Correct me if I am wrong, but
> WinPcap just intercepts the network at the NDIS TDI level, and an NDIS
> intermediate driver is lower than TDI.

WinPcap is a protocol driver. It basically captures whatever any other
protocol driver would see. An NDIS IM driver can be useful if there are
other IM drivers in the stack (e.g. VPN, encryption) and you want to capture
whatever is actually passed to/from the NIC miniport. Please remember that
if the NIC card implements any offloading (checksum offloading, TOE and
such), what you see from either a protocol or an IM driver are not the
actual packets sent over the wire. You see whatever gets sent to the NIC
(i.e. before the NIC performs the offloading itself).

Have a nice day
GV


all,

I am trying to dump the intercepted network traffic directly to c:**.pcap using an NDIS intermediate driver (modified from the WinDDK passthru sample). But now the problem is how to define the timeval structure. Do I need to use NdisGetCurrentSystemTime, or ??


#include <ndis.h>

/* Constants from the libpcap savefile format. */
#define TCPDUMP_MAGIC      0xa1b2c3d4
#define PCAP_VERSION_MAJOR 2
#define PCAP_VERSION_MINOR 4
#define LINKTYPE_ETHERNET  1

/* Global header, written once at the start of the capture file. */
typedef struct PACKET_FILE_HEADER{
    UINT   magic;
    USHORT version_major;
    USHORT version_minor;
    INT    thiszone;      /* GMT-to-local correction, 0 = timestamps are UTC */
    UINT   sigfigs;
    UINT   snaplen;
    UINT   linktype;
}PACKET_FILE_HEADER, *PPACKET_FILE_HEADER;

/* 32-bit seconds and microseconds, as stored on disk. */
typedef struct timeval{
    LONG tv_sec;
    LONG tv_usec;
}timeval, *PTIMEVAL;

/* Per-packet record header; caplen bytes of packet data follow it. */
typedef struct SF_PKTHDR{
    struct timeval ts;    /* an unnamed "struct timeval;" declares no member at all */
    UINT caplen;          /* bytes saved in the file */
    UINT len;             /* bytes on the wire */
}SF_PKTHDR, *PSF_PKTHDR;

…\skipped the code

/* Writes the pcap global header followed by one record holding Buffer.
 * ZwWriteFile needs PASSIVE_LEVEL, so this runs from the work item only.
 * The global header belongs at the start of the file once; the record part
 * is repeated per packet. */
VOID MyDriverWriteFile(IN PVOID Buffer, IN ULONG Length, IN OUT HANDLE FileHandle)
{
    NTSTATUS ntStatus;
    IO_STATUS_BLOCK IoStatusBlock;
    PACKET_FILE_HEADER hdr;
    SF_PKTHDR rec;

    hdr.magic = TCPDUMP_MAGIC;
    hdr.version_major = PCAP_VERSION_MAJOR;
    hdr.version_minor = PCAP_VERSION_MINOR;
    hdr.thiszone = 0;
    hdr.snaplen = 1514;
    hdr.sigfigs = 0;
    hdr.linktype = LINKTYPE_ETHERNET;   /* was never set in the original */

    /* APC_LEVEL is also below DISPATCH_LEVEL, but ZwWriteFile requires PASSIVE_LEVEL. */
    if(KeGetCurrentIrql() == PASSIVE_LEVEL)
    {
        ntStatus=ZwWriteFile(FileHandle, NULL, NULL, NULL, &IoStatusBlock, &hdr, sizeof(hdr), NULL, NULL);
        if(!NT_SUCCESS(ntStatus))
            return;

        /* Record header: store at most snaplen bytes, but report the full length. */
        rec.ts.tv_sec = 0;              /* filled from NdisGetCurrentSystemTime, see below */
        rec.ts.tv_usec = 0;
        rec.len = Length;
        rec.caplen = (Length < hdr.snaplen) ? Length : hdr.snaplen;

        ntStatus=ZwWriteFile(FileHandle, NULL, NULL, NULL, &IoStatusBlock, &rec, sizeof(rec), NULL, NULL);
        if(NT_SUCCESS(ntStatus))
            ntStatus=ZwWriteFile(FileHandle, NULL, NULL, NULL, &IoStatusBlock, Buffer, rec.caplen, NULL, NULL);
    }
}

> …from the WinDDK passthru sample). But now the problem is how to define the timeval structure. Do I need to use NdisGetCurrentSystemTime?

Why not?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

You can use NdisGetCurrentSystemTime and then convert it to a timeval
structure with something similar to this (code taken from WinPcap, slightly
adapted):

#include <ndis.h>

struct timeval { LONG tv_sec; LONG tv_usec; };
struct time_conv;   /* WinPcap's conversion state; not needed with this method */

/* NdisGetCurrentSystemTime returns 100 ns ticks since 1601-01-01 (FILETIME).
 * pcap wants seconds and microseconds since 1970-01-01, so subtract the
 * 11644473600 s between the two epochs and scale the remainder. */
__inline void GetTimeQST(struct timeval *dst, struct time_conv *data)
{
    LARGE_INTEGER SystemTime;

    UNREFERENCED_PARAMETER(data);   /* kept from WinPcap's signature */
    NdisGetCurrentSystemTime(&SystemTime);

    dst->tv_sec = (LONG)(SystemTime.QuadPart / 10000000 - 11644473600LL);
    dst->tv_usec = (LONG)((SystemTime.QuadPart % 10000000) / 10);
}

Have a nice day
GV


From:
Sent: Sunday, June 06, 2010 8:53 PM
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] NDIS Intermediate Driver dump traffic into pcap format

> all,
>
> i try to direct dump intercepted network traffic in c:**.pcap using ndis
> intermediate driver (modified from passthru winddk). But now the problems
> is how can i define the structure timeval, do i need to use
> NdisGetCurrentSystemTime? or ??
>

I am trying to dump all the network traffic intercepted by the NDIS IM driver (modified from passthru) in pcap format, directly from kernel mode. My problems are:

  1. implement the dump process using the work item method (done)
  2. arrange the hex dump output to follow the pcap format

Regarding (2), is there any code I can refer to?
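As an added example that is not part of the thread, not from the OP's driver and not from WinPcap: a user-mode C program that lays out exactly the bytes a driver would hand to ZwWriteFile for the libpcap file format James linked above, using the FILETIME-to-timeval conversion GV posted. It writes the 24-byte global header, appends records whose caplen is clamped to snaplen while len keeps the wire size, and then re-reads the buffer the way a consumer would, rejecting truncated records. The two Ethernet frames, the timestamp and the file name sample.pcap are constructed for the demo; the 1600-byte frame stands in for the oversized buffers a protocol or IM driver sees when the NIC does segmentation offload, which is the case GV warns about.

```c
/* Added example: minimal libpcap savefile writer/checker in plain user-mode C. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC          0xa1b2c3d4u    /* written in native byte order; readers detect swapping */
#define PCAP_VERSION_MAJOR  2
#define PCAP_VERSION_MINOR  4
#define LINKTYPE_ETHERNET   1
#define EPOCH_DIFF_SECS     11644473600ULL /* seconds from 1601-01-01 to 1970-01-01 */
#define SNAPLEN             1514

typedef struct {                 /* 24-byte global header, written once; no padding on any ABI */
    uint32_t magic;
    uint16_t version_major, version_minor;
    int32_t  thiszone;           /* 0: timestamps are UTC */
    uint32_t sigfigs, snaplen, linktype;
} pcap_file_header;

typedef struct {                 /* 16-byte record header; caplen packet bytes follow it */
    uint32_t ts_sec, ts_usec;    /* 32-bit on disk, never a native struct timeval */
    uint32_t caplen, len;        /* bytes saved vs. bytes on the wire */
} pcap_rec_header;

/* Windows system time (100 ns ticks since 1601, what NdisGetCurrentSystemTime
 * returns) to seconds/microseconds since the Unix epoch, as pcap expects. */
void filetime_to_pcap_ts(uint64_t ft, uint32_t *sec, uint32_t *usec)
{
    *sec  = (uint32_t)(ft / 10000000ULL - EPOCH_DIFF_SECS);
    *usec = (uint32_t)((ft % 10000000ULL) / 10);
}

/* Write the global header; returns bytes written, 0 if out is too small. */
size_t pcap_put_file_header(uint8_t *out, size_t cap, uint32_t snaplen)
{
    pcap_file_header h = { PCAP_MAGIC, PCAP_VERSION_MAJOR, PCAP_VERSION_MINOR,
                           0, 0, snaplen, LINKTYPE_ETHERNET };
    if (cap < sizeof h) return 0;
    memcpy(out, &h, sizeof h);
    return sizeof h;
}

/* Append one record; returns bytes appended, 0 if out is too small. Only
 * min(len, snaplen) bytes are stored, so caplen < len for oversized frames. */
size_t pcap_put_record(uint8_t *out, size_t cap, uint64_t ft,
                       const uint8_t *pkt, uint32_t len, uint32_t snaplen)
{
    pcap_rec_header r;
    r.caplen = len < snaplen ? len : snaplen;
    r.len    = len;
    filetime_to_pcap_ts(ft, &r.ts_sec, &r.ts_usec);
    if (cap < sizeof r + r.caplen) return 0;
    memcpy(out, &r, sizeof r);
    memcpy(out + sizeof r, pkt, r.caplen);
    return sizeof r + r.caplen;
}

/* Re-read a capture and check it the way a consumer would: caplen <= snaplen,
 * caplen <= len, no record running past the end. Returns the record count,
 * or -1 if the file is malformed (e.g. a write was cut short). */
int pcap_count_records(const uint8_t *buf, size_t n, uint32_t *wire_bytes)
{
    pcap_file_header h;
    pcap_rec_header r;
    size_t off = sizeof h;
    int count = 0;

    if (n < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (h.magic != PCAP_MAGIC) return -1;
    *wire_bytes = 0;
    while (off < n) {
        if (n - off < sizeof r) return -1;
        memcpy(&r, buf + off, sizeof r);
        if (r.caplen > h.snaplen || r.caplen > r.len || n - off - sizeof r < r.caplen) return -1;
        *wire_bytes += r.len;
        off += sizeof r + r.caplen;
        count++;
    }
    return count;
}

/* Constructed sample: a 60-byte minimum Ethernet frame, then a 1600-byte frame
 * that exceeds the snaplen. Returns the capture size, 0 if cap is too small. */
size_t build_sample_capture(uint8_t *out, size_t cap)
{
    static uint8_t small[60], big[1600];
    const uint8_t eth[14] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00 };
    /* constructed timestamp: 2010-06-06 00:00:00 UTC expressed as a FILETIME */
    const uint64_t t0 = (EPOCH_DIFF_SECS + 1275782400ULL) * 10000000ULL;
    size_t n = 0, k;

    memcpy(small, eth, sizeof eth);
    memcpy(big, eth, sizeof eth);
    memset(big + 14, 0xab, sizeof big - 14);

    if ((k = pcap_put_file_header(out, cap, SNAPLEN)) == 0) return 0;
    n += k;
    if ((k = pcap_put_record(out + n, cap - n, t0, small, sizeof small, SNAPLEN)) == 0) return 0;
    n += k;
    if ((k = pcap_put_record(out + n, cap - n, t0 + 1234560, big, sizeof big, SNAPLEN)) == 0) return 0;
    return n + k;
}

int main(void)
{
    uint8_t buf[4096];
    uint32_t wire = 0;
    size_t n = build_sample_capture(buf, sizeof buf);
    int count = pcap_count_records(buf, n, &wire);
    FILE *f = fopen("sample.pcap", "wb");   /* open with Wireshark or tcpdump -r */
    if (f) { fwrite(buf, 1, n, f); fclose(f); }
    printf("%zu bytes, %d records, %u wire bytes\n", n, count, wire);
    return 0;
}
```

In the driver the same three memcpy targets become three ZwWriteFile calls (or one after assembling the record in a scratch buffer), and the FILETIME comes from NdisGetCurrentSystemTime instead of the constant used here. Because the global header is written in native byte order, a reader on any platform recovers the endianness from the magic value, so no byte swapping is needed in the driver.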