NDIS packet capture driver, help :)

Gary_Little-3 · January 17, 2011, 8:55am

Have you considered Windows Filtering Platform?

Gary G. Little

----- Original Message -----
From: xxxxx@hotmail.com
To: “Windows System Software Devs Interest List”
Sent: Monday, January 17, 2011 3:03:41 AM
Subject: RE:[ntdev] NDIS packet capture driver, help

Hi again !!

I have one last question if you don’t mind

I need to get the source IP and desintation IP of each packet that goes through my driver, i went through a number of reading matriel yet i cant find anything.

can any one point me to a function or reading matriel i should look at to accomplish this??

—
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

David_R_Cattley · January 17, 2011, 9:06am

http://www.networksorcery.com/enp/protocol/ip.htm provides a convenient
explanation of the IP packet format.

Good Luck,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@hotmail.com
Sent: Monday, January 17, 2011 4:04 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] NDIS packet capture driver, help

Hi again !!

I have one last question if you don’t mind

I need to get the source IP and desintation IP of each packet that goes
through my driver, i went through a number of reading matriel yet i cant
find anything.

can any one point me to a function or reading matriel i should look at to
accomplish this??

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · January 18, 2011, 8:08am

Okay but where is that information stored (I.E in which parameter)

ReciveHandler(IN NDIS_HANDLE ProtocolBindingContext,
IN NDIS_HANDLE MacReceiveContext,
IN PVOID HeaderBuffer, //I am guessing it is in here but how do
// i access it??
IN UINT HeaderBufferSize,
IN PVOID LookAheadBuffer,
UINT LookaheadBufferSize,
IN UINT PacketSize)

Thomas_Divine-2 · January 18, 2011, 8:33am

See the NDIS Packet Discussion on NDIS.com:

http://ndis.com/ndis-ndis5/default.htm

Good Luck!

Thomas F. Divine
http://www.pcausa.com

From:
Sent: Tuesday, January 18, 2011 8:08 AM
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] NDIS packet capture driver, help

> Okay but where is that information stored (I.E in which parameter)
>
> ReciveHandler(IN NDIS_HANDLE ProtocolBindingContext,
> IN NDIS_HANDLE MacReceiveContext,
> IN PVOID HeaderBuffer, //I am guessing
> it is in here but how do
> // i access it??
> IN UINT HeaderBufferSize,
> IN PVOID LookAheadBuffer,
> UINT LookaheadBufferSize,
> IN UINT PacketSize)
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

David_R_Cattley · January 18, 2011, 9:14am

> Okay but where is that information

In the frame data (packet data buffers).

Nothing in NDIS cares about IP address, or any other packet format for that
matter except for the MAC level packet formatting knowledge required to
extract a destination MAC address and apply the packet filter. Possibly
NDIS6 cares about the frame ‘ethertype’. NDIS is protocol agnostic. It
just shuffles frames around. You want to know if the frame contains an
IP packet? Parse it. Want the IP addresses? Extract them.

That is how it works. No majik fields in hidden NDIS_PACKET structures.
Just the raw frame.

Good Luck,
Dave Cattley