And to add something more…
**Please** do not implement an NDIS hook driver. As the maintainer of the WinPcap protocol driver (yes, you can yell at me if it doesn’t work!) I can tell you that debugging crashes due to buggy NDIS hooks is A PAIN. And bugs in the hook cause crashes mostly in the NDIS miniport and protocol drivers. This is what users will see in the BSOD. It’s always a joy to see a completely scrambled stack trace in which a protocol driver jumps somewhere in some mysterious binary.
Just my two cents
GV
----- Original Message -----
From: David R. Cattley
To: Windows System Software Devs Interest List
Sent: Wednesday, June 13, 2007 11:10 AM
Subject: RE: [ntdev] NDIS Pseudo IM Driver (PIM)
What Thomas said and more…
NDIS Hook Drivers that replace function (pointers) in the internal NDIS data structures (Miniport Block, Protocol Block) at one time could work if you were real careful and lucky. Now, however (and I think that starts *with* Win2K, not after) there are problems and edge conditions that just cannot be dealt with ‘external to NDIS’. Getting a safe ‘lock’ for instance to even begin to traverse these data structures on a multiprocessor system is, well, pretty darn difficult. Moreover, with the removal of the “Full MAC” driver and the exclusive use of NDIS4+ style Miniport drivers for NICs, there are some things that just cannot be managed correctly. Some really fun stuff occurs when media is connected and disconnected, for instance, that breaks data transfer when one of the more popular NDIS hooking drivers is installed.
If all you want to do is capture packets then go get WinPcap and use it.
Good Luck,
-dave
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Thomas F. Divine
Sent: Wednesday, June 13, 2007 12:39 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NDIS Pseudo IM Driver (PIM)
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of shobhit shingla
Sent: Wednesday, June 13, 2007 11:16 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] NDIS Pseudo IM Driver (PIM)
Hi all
Can anyone guide me about NDIS Pseudo IM Driver?
I want to write a pseudo IM Driver to capture all the packets from both the TCP/IP stack and the NIC driver.
[PCAUSA] No you don’t!!!
You have been asking about packet filtering on this newsgroup and others for a long time and have been given the answer that you need to use a NDIS IM driver and interface it to your application.
You have apparently also seemed to think that using a NDIS IM driver is too difficult. I may be wrong on this because you have never stated your requirements clearly enough for me to know.
Well, let me tell you that using a PIM (AKA “NDIS-Hooking”) driver is unthinkable for someone with your level of experience. Based on the kinds of questions you have asked about very fundamental things in driver development you are years away from even beginning this sort of driver.
A NDIS-Hooking solution on current Windows platforms will have all of the problems of a NDIS IM solution plus will almost certainly lead to system instability if deployed.
Let me say one additional thing. NDIS-Hooking drivers were absolutely required on Windows 9X/ME and on Windows NT 4.0. NDIS IM filter drivers were just a failed experiment on those platforms because they could not be installed reliably and could not deal robustly with adapter removal, etc. In fact, on some of those platforms Microsoft actually published system APIs that made “hooking” a first-class, supported technique.
Not so anymore!!!
Windows 2000 introduced the first Windows version where NDIS IM drivers actually worked. On that platform NDIS-Hooking also worked.
However, given a choice it is clear that one should not consider NDIS-Hooking unless there is a truly monumental requirement that must be satisfied.
If you go down the NDIS-Hooking path you will be shooting yourself in the foot.
Thomas F. Divine
The description given on www.pcausa.com is not enough for writing the NDIS PIM.
Thanks in advance.
Sunny
— Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256 To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer