NDIS packet capture driver, help :)

Hi,

I am developing an NDIS packet capturing driver. The aim of this driver (as the name implies)
is to capture every packet that goes through the system and save it to a file.

I successfully registered the driver with NDIS (using the NdisRegisterProtocol function)
and created a device for every valid adapter on the system (not pictured below).

CODE —>

/* Declarations the fragment relies on (added here; names follow the fragment).
 * The protocol name is a placeholder and must match the name in the INF. */
NDIS_PROTOCOL_CHARACTERISTICS ndProChar;   /* entry points handed to NDIS */
NDIS_STATUS                   ntStatus;
NDIS_HANDLE                   _NDISHandle; /* protocol handle returned by NDIS */
NDIS_STRING                   ProtoName = NDIS_STRING_CONST("YourProtocolName");

RtlZeroMemory(&ndProChar, sizeof(NDIS_PROTOCOL_CHARACTERISTICS));

/* NDIS 5.0 protocol characteristics */
ndProChar.MajorNdisVersion = 5;
ndProChar.MinorNdisVersion = 0;
ndProChar.Reserved = 0;
ndProChar.OpenAdapterCompleteHandler = NPF_OpenAdapterComplete;
ndProChar.CloseAdapterCompleteHandler = NPF_CloseAdapterComplete;
ndProChar.SendCompleteHandler = NPF_SendComplete;
ndProChar.TransferDataCompleteHandler = NPF_TransferDataComplete;
ndProChar.ResetCompleteHandler = NPF_ResetComplete;
ndProChar.RequestCompleteHandler = NPF_RequestComplete;
/* Receive path: ReceiveHandler is the mandatory per-packet callback */
ndProChar.ReceiveHandler = NPF_tap;
ndProChar.ReceiveCompleteHandler = NPF_ReceiveComplete;
ndProChar.StatusHandler = NPF_Status;
ndProChar.StatusCompleteHandler = NPF_StatusComplete;

/* Binding and PnP notifications from NDIS */
ndProChar.BindAdapterHandler = NPF_BindAdapter;
ndProChar.UnbindAdapterHandler = NPF_UnbindAdapter;
ndProChar.PnPEventHandler = NPF_PowerChange;
ndProChar.ReceivePacketHandler = NULL;   /* optional handler left unset */
ndProChar.Name = ProtoName;

/* The last argument is the size of the characteristics structure */
NdisRegisterProtocol(&ntStatus, &_NDISHandle, &ndProChar,
                     sizeof(NDIS_PROTOCOL_CHARACTERISTICS));
if (ntStatus != NDIS_STATUS_SUCCESS) {
    DbgPrint("NdisRegisterProtocol failed: 0x%x\n", ntStatus);
}

—<

The problem is that when I install the driver using the OSR loader utility,
only the NPF_PowerChange function gets called (once) and the rest of the functions don't, including the IRP ones.

For example, NPF_TAP should get called for every packet received.

(Note: all of these functions are currently only stubs and only contain a DbgPrint statement.)

What am I doing wrong? Or what more should I do?

Your driver should be installed using the Network Control Panel applet using
an INF.

You don’t “create a device for every valid adapter on the system”. Instead,
NDIS will call your driver at the ProtocolBindAdapter entry point one or
more times.

Take a look at the WDK NDISPROT sample driver.

Good luck!

Thomas F. Divine


From:
Sent: Wednesday, January 05, 2011 4:06 AM
To: “Windows System Software Devs Interest List”
Subject: [ntdev] NDIS packet capture driver, help :)

> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

Thanks!!!

OK, so I managed to get NDIS to call my ProtocolBindAdapter function.

So if I understood you right, basically instead of binding every adapter in the entry point (like WinPcap does),

NDIS will call this function for every adapter the system has and I must bind with it,

right??

Binding adapters to protocols occurs in two isolated and separate phases: (1) installation and (2) operation.

‘Binding’ at installation time is where NetCfg calculates what adapters and protocols *should* be bound together for proper operation. The result is a set of registry settings and provisioning of NDIS to cause the adapter and protocol to be bound.

‘Binding’ at operation time is where NDIS processes the binding information provisioned and notifies (as appropriate) protocols at ProtocolBindAdapter() when adapters & protocols are to be bound.

A protocol may choose at runtime to ignore a binding notification from NDIS. That is to say, NDIS calls ProtocolBindAdapter() and the protocol just simply does nothing (it does not open the adapter). This is perfectly reasonable. Later, the protocol can ask NDIS to re-notify it of any adapters that it bound to but did not open by calling NdisReEnumerateProtocolBindings().

But how this all affects what you are doing is, in summary, that you must both ‘install’ your protocol so that NetCfg will calculate and provision a set of bindings for NDIS to act on (and that might be ‘all adapters’) and then your protocol at runtime must respond to ProtocolBindAdapter in an appropriate way for each adapter.

The NDIS documentation in the WDK has a pretty complete treatment of how protocol binding works. I recommend reading through the design guide for Protocol Drivers.

Good Luck,
Dave Cattley

Date: Thu, 6 Jan 2011 05:59:29 -0500
From: xxxxx@hotmail.com
To: xxxxx@lists.osr.com
Subject: RE:[ntdev] NDIS packet capture driver, help :)


Humm…

The version of WinPcap you are trying to copy does indeed try to bind to
its adapters in DriverEntry. This does work, but is not the approach used in
many other NDIS protocol drivers. And, is not the approach recommended by
Microsoft.

If you are copying WinPcap - why not use WinPcap?

Thomas F. Divine
http://www.rawether.net


From:
Sent: Thursday, January 06, 2011 5:59 AM
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] NDIS packet capture driver, help :)


Thanks,

@Thomas - learning purposes :)

John

One last question,

According to MSDN there are new versions of the “NdisRegisterProtocol” etc. functions.

Keeping in mind I want my driver to be compatible with post-Windows XP OSes (including Windows XP),

should I keep using the old versions of these functions or go with the new ones?

The new functions are specific to NDIS 6.X, which is only available on
Windows Vista and later platforms.

Your choices are:

1.) Develop an NDIS 5 protocol driver. This will work on Windows XP. It will
also work on Windows Vista and later platforms in a compatibility mode.
Running an NDIS 5 protocol driver on Vista and later is functionally “OK”,
but may cause performance problems either to your driver or possibly to the
system (especially if high-performance network adapters are being used…).
2.) Write an NDIS 6 protocol driver for Vista and later platforms.

You need to keep reading the WDK documentation. Especially the differences
between the Windows kernel-mode architecture at the split between Windows XP
and Windows Vista.

Good luck!

Thomas F. Divine
http://www.pcausa.com


From:
Sent: Thursday, January 06, 2011 11:28 AM
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] NDIS packet capture driver, help :)


Sorry to bother you again guys but I am kinda stuck :(

I successfully bound with the NIC card using the ProtocolBindAdapter function and opened the device using the NdisOpenAdapter function.
(I.e. I can successfully query the adapter to give me its connection state etc. using the NdisRequest function.)

But the NDIS API still isn’t calling my ReceiveHandler (NPF_TAP) (it should call this function every time a packet goes through the adapter so I can capture it).

Do I need to do something else before this happens? (Note: I haven’t implemented the IRP functions yet since I want the protocol driver to automatically start capturing packets when it starts up.)

(My code is based on the NDISPROT sample provided by the WinDDK.)

Thanks again!!!

When you called NdisRegisterProtocol did you register both of these
functions:

1.) ReceiveHandler
2.) ReceivePacketHandler

If so, then in most cases received packets will be indicated by calling the
ReceivePacketHandler - NOT the ReceiveHandler.

A most excellent idea is for you to build and install the NDISPROT sample
driver and then examine its operation under the debugger.

Good luck!

Thomas F. Divine
http://www.rawether.net


From:
Sent: Wednesday, January 12, 2011 9:02 AM
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] NDIS packet capture driver, help :)


> But the NDIS API still isn’t calling my ReceiveHandler (NPF_TAP)

Have you set OID_GEN_CURRENT_PACKET_FILTER?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

No, I set the ReceivePacketHandler to NULL
and assigned the NPF_TAP function to ReceiveHandler (I’ll try doing the opposite).

So once you bind and open the adapter NDIS should start calling the receive handler function for every packet, right? I.e. you don’t need to do anything else before it starts calling this function?

@Maxim: No, I’ll do that now.

In addition to what Thomas says you also need to set the packet filter on
the binding to have packets actually be indicated to your protocol edge.
For packet capture style activity that wishes to see both received packets
as well as packets sent by other bound protocols that means
OID_GEN_CURRENT_PACKET_FILTER with

NDIS_PACKET_TYPE_DIRECTED |
NDIS_PACKET_TYPE_BROADCAST|
NDIS_PACKET_TYPE_ALL_LOCAL

And if you need to see multicast then read about
NDIS_PACKET_TYPE_ALL_MULTICAST vs. NDIS_PACKET_TYPE_MULTICAST.

Or you can just snort it all with NDIS_PACKET_TYPE_PROMISCUOUS.

BTW, on NT5 often you will get called at ReceiveHandler if your protocol is
not the highest priority (first bound) protocol. NDIS5 seems only to
indicate with ReceivePacketHandler to the first protocol because only one
protocol can actually take ownership of the packet. The other protocols
get called at ReceiveHandler and the NdisGetReceivedPacket() returns a
pointer to the packet that can be used only to make a copy of the packet
data. The protocol may not actually change *any* fields in the NDIS_PACKET
or attached NDIS_BUFFER structures.

I have not bothered to notice if that behavior is retained in NT6 when
shimming an NDIS5 protocol onto an interface stack.

Good Luck,
Dave Cattley

Thanks a lot!!!

I got it to work, thanks a lot!!

You cannot do the opposite. The ReceiveHandler is a MANDATORY callback.

PLEASE read documentation.

Setting the packet filter, as mentioned by Max, is probably the missing
piece. It is like an ON/OFF switch as far as reception is concerned.

Good luck!

Thomas F. Divine
http://www.pcausa.com


From:
Sent: Wednesday, January 12, 2011 9:42 AM
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] NDIS packet capture driver, help :)


> I have not bothered to notice if that behavior is retained in NT6 when shimming an NDIS5 protocol onto an interface stack.

Yes. NDIS will transfer “ownership” of the packet to the first protocol that returns a non-zero value from its ProtocolReceivePacket handler. (Unless the protocol uses the NDIS_PROT_OPTION_NO_RSVD_ON_RCVPKT flag to promise it can share a packet with another protocol). After one protocol receives ownership, everybody else gets the ProtocolReceive callback. From the point-of-view of NDIS5 protocols, this behavior hasn’t really changed from XP to Win7.

NDIS6 handles this better [one more reason to upgrade :)]. If two protocols are destined to get the same NBL (e.g., they both registered for the same ethertype), NDIS will give both read access to the NBL and write access to ProtocolReserved. However, the indication will be made with NDIS_RECEIVE_FLAGS_RESOURCES to prod the protocols into copying the packet out quickly.

Hi again!!

I have one last question if you don’t mind.

I need to get the source IP and destination IP of each packet that goes through my driver. I went through a number of reading materials yet I can’t find anything.

Can anyone point me to a function or reading material I should look at to accomplish this??
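The address extraction asked about above, as an added example that is not part of the thread or of the NDISPROT sample: in an NDIS 5 ProtocolReceive (ReceiveHandler) call the MAC header arrives in HeaderBuffer and the first bytes of the payload in LookAheadBuffer, which may hold fewer bytes than the packet, so the parser reports when it needs more data (the driver would then fetch the rest, e.g. with NdisTransferData, before parsing). It is plain C without ndis.h so it builds in user mode on constructed bytes; the function name extract_ipv4_addrs and the sample buffers are this example's own.

```c
#include <stdint.h>
#include <stddef.h>

#define ETH_HDR_LEN    14
#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_VLAN 0x8100
#define IPV4_MIN_HDR   20

enum ip_parse_result {
    IP_PARSED = 0,        /* out->src / out->dst filled in */
    IP_NOT_IPV4 = 1,      /* ARP, IPv6, malformed, ...: nothing to extract */
    IP_NEED_MORE_DATA = 2 /* lookahead shorter than the IPv4 header: copy the packet first */
};

struct ip_addrs { uint32_t src, dst; }; /* host byte order */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* hdr/hdr_len: the MAC header NDIS indicates separately (HeaderBuffer).
 * la/la_len: the LookAheadBuffer, i.e. the first bytes of the payload;
 * every access is bounds-checked against la_len, never against the packet size. */
enum ip_parse_result extract_ipv4_addrs(const uint8_t *hdr, size_t hdr_len,
                                        const uint8_t *la, size_t la_len,
                                        struct ip_addrs *out)
{
    uint16_t ethertype;
    if (hdr_len < ETH_HDR_LEN) return IP_NOT_IPV4;
    ethertype = be16(hdr + 12);
    if (ethertype == ETHERTYPE_VLAN) {   /* 802.1Q tag sits at the start of the lookahead */
        if (la_len < 4) return IP_NEED_MORE_DATA;
        ethertype = be16(la + 2);
        la += 4; la_len -= 4;
    }
    if (ethertype != ETHERTYPE_IPV4) return IP_NOT_IPV4;
    if (la_len < IPV4_MIN_HDR) return IP_NEED_MORE_DATA;
    if ((la[0] >> 4) != 4 || (la[0] & 0x0F) * 4 < IPV4_MIN_HDR) return IP_NOT_IPV4;
    out->src = be32(la + 12);
    out->dst = be32(la + 16);
    return IP_PARSED;
}

/* Constructed sample: a 14-byte Ethernet header (EtherType 0x0800) and the
 * first 20 bytes of an IPv4 header from 192.168.1.10 to 10.0.0.1. */
static const uint8_t sample_eth_hdr[ETH_HDR_LEN] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00 };
static const uint8_t sample_ipv4_hdr[IPV4_MIN_HDR] = {
    0x45,0x00,0x00,0x28, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00,
    192,168,1,10, 10,0,0,1 };
```

In the driver this would be called from NPF_tap with the HeaderBuffer/HeaderBufferSize and LookAheadBuffer/LookAheadBufferSize arguments NDIS passes in.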