I’d like to ask whether my understanding of the organization of network data in NET_BUFFER_LIST is good. My task is to create an NDIS 6.0 LW filter which filters incoming and outgoing packets and gets info from the TCP header (I have to do this using NDIS). Of course I spent a few days reading forums, articles and documentation before.
I understood that when the first NB in an NBL contains a TCP header, the rest of the NBs in this NBL are from the same TCP stream. I checked it myself but I am not sure if it’s a rule.
But my biggest problem is how to understand NB organization. As I understand, an NB represents network data. It contains an MDL chain, which describes a logically contiguous but virtually discontiguous ‘buffer’.
So after using NET_BUFFER_CURRENT_MDL and NET_BUFFER_CURRENT_MDL_OFFSET I get the address of EthernetHeader. I read that each header cannot be split in two MDLs; there can be more headers in one MDL but headers cannot be split between MDLs. I guess I could iterate through an MDL till I read the last byte (using MmGetMdlByteCount to get the MDL size) and jump to the next MDL. But assuming that headers cannot be split, when I need to get to the next header I could consider two options: the next header is in the same MDL right after the previous one, or I reached the end of this MDL and the next header is in the next MDL.
My target OS is Windows 7 x32 (on VB) and I of course tried to find the answer by myself, but all headers seem to be in one MDL.
I know about functions like NdisGetDataBuffer but I’d like to avoid copying, allocating buffers etc. as the data is already in MDLs and I only need to access a few fields (and I think it’s more efficient).
Appreciate Your Help!
Michal Ladanowski
NdisGetDataBuffer does NOT copy if the data you are fetching is in one MDL.
The Storage pointer can be NULL.
If the data is in one MDL, then you just get the pointer. In fact, even if
you supply a Storage buffer there will be no copy operation if the data is
contiguous.
Thomas F. Divine
http://www.pcausa.com
From:
Sent: Friday, August 12, 2011 9:10 AM
To: “Windows System Software Devs Interest List”
Subject: [ntdev] NET_BUFFER_LIST organization
Thanks for Your reply.
Could You please tell me whether my understanding of NBL is good,
especially MDL chain?
Your understanding seems OK. I have a writeup about handling MDL chaining for
NDIS 5 here:
http://ndis.com/ndis-ndis5/ndispacket/ndispacket1.htm
Understand that an NDIS 5 NDIS_BUFFER is actually an MDL.
I will update that article for NDIS 6 when I get a chance.
In the receive path you will probably see the entire packet in one MDL.
There may be exceptions - especially if the received packet is a LOOPBACK
packet.
In the send path you will almost always see multiple MDLs for Ethernet, IP,
TCP/UDP headers and data. The only safe assumption is to assume that an NB
consists of multiple MDLs with the only constraint being that headers are
contiguous in one MDL. (Understand that an IP option header is a different
“header” and may or may not be in the same MDL as the IP header…).
Good luck!
Thomas F. Divine
http://www.pcausa.com
From: “Michal Ladanowski”
Sent: Friday, August 12, 2011 9:37 AM
To: “Windows System Software Devs Interest List”
Subject: Re: [ntdev] NET_BUFFER_LIST organization
Thank You once again!
And I am looking forward to your next articles (they are very helpful
while learning).
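
The two points made in the replies above (NdisGetDataBuffer hands back a pointer without copying when the requested bytes sit in one MDL, and an NB has to be treated as a chain of several MDLs) are modelled below in user-mode C. This is an added example, not code from the posters or from NDIS: `struct seg`, `get_span`, `tcp_ports` and `parse_split` are hypothetical names, the frame is constructed sample data, and the parser bounds-checks every header so that a header straddling two segments or a truncated chain is handled rather than read past.

```c
#include <stdint.h>
#include <string.h>

/* User-mode stand-in for one MDL of a NET_BUFFER chain (hypothetical type). */
struct seg { const uint8_t *va; size_t len; const struct seg *next; };

/* Models the NdisGetDataBuffer contract: pointer into the chain if the span is
 * in one segment; else copy to storage; NULL if storage is NULL or data short. */
static const uint8_t *get_span(const struct seg *s, size_t off, size_t want,
                               uint8_t *storage) {
    size_t done = 0;
    while (s && off >= s->len) { off -= s->len; s = s->next; }
    if (!s || want == 0) return NULL;
    if (s->len - off >= want) return s->va + off;   /* contiguous: no copy */
    for (; storage && s && done < want; s = s->next, off = 0) {
        size_t n = s->len - off < want - done ? s->len - off : want - done;
        memcpy(storage + done, s->va + off, n);
        done += n;
    }
    return done == want ? storage : NULL;
}

/* 0 and the TCP ports on success; -1 if not IPv4/TCP or the data is short. */
static int tcp_ports(const struct seg *c, uint16_t *sport, uint16_t *dport) {
    uint8_t tmp[20];   /* used only when a header straddles two segments */
    const uint8_t *p = get_span(c, 0, 14, tmp);            /* Ethernet */
    if (!p || p[12] != 0x08 || p[13] != 0x00) return -1;
    p = get_span(c, 14, 20, tmp);                          /* IPv4 base header */
    if (!p || (p[0] >> 4) != 4 || (p[0] & 15) < 5 || p[9] != 6) return -1;
    p = get_span(c, 14 + (size_t)(p[0] & 15) * 4, 4, tmp); /* past IP options */
    if (!p) return -1;
    *sport = (uint16_t)(p[0] << 8 | p[1]);
    *dport = (uint16_t)(p[2] << 8 | p[3]);
    return 0;
}

/* Constructed 54-byte frame (IPv4, TCP, ports 49153 -> 443), split at `cut`. */
static const uint8_t frame[54] = { [12] = 0x08, [13] = 0x00, [14] = 0x45,
    [23] = 6, [34] = 0xC0, [35] = 0x01, [36] = 0x01, [37] = 0xBB };
static int parse_split(size_t cut, uint16_t *sp, uint16_t *dp) {
    const struct seg b = { frame + cut, sizeof frame - cut, NULL };
    const struct seg a = { frame, cut, &b };
    return tcp_ports(&a, sp, dp);
}

int main(void) {   /* exit status 0: the split inside the TCP header still parses */
    uint16_t s = 0, d = 0;
    return parse_split(35, &s, &d);
}
```

In a real filter the same three lookups would go through NdisGetDataBuffer with a small stack buffer as Storage, which costs nothing on the common single-MDL receive path.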