Hi,
For the network packet intercept and forward function, we need to choose
from the following 3 ways:
- NDIS intermediate driver
- NDIS hooking
- TDI filter driver
I do not know which one is suitable for our needs without rebooting the
system (Win2k/XP) to get the driver working.
Please help! Thanks in advance.
One thing is clear, at TDI level you do not get access to the packets as
seen on “wire”, not even as seen by the protocol drivers.
----- Original Message -----
From: “Xia Tao”
To: “Windows System Software Devs Interest List”
Sent: Friday, March 12, 2004 3:05 PM
Subject: [ntdev] Network packet intercept without rebooting the system
> Hi,
> For the network packet intercept and forward function, we need to choose
> from the following 3 ways:
> 1. NDIS intermediate driver
> 2. NDIS hooking
> 3. TDI filter driver
> I do not know which one is suitable for our needs without rebooting the
> system (Win2k/XP) to get the driver working.
> Please help! Thanks in advance.
>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
Nyet, Nyet, Nyet - I will pass this discussion.
But if you hack the internet, you will still get a lot of information about
how to do it. For upcoming Windows version, a firewalling component in the
kernel is due for primetime.
Even there are cos selling SDK for it.
-pro
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Dan Partelly
Sent: Friday, March 12, 2004 7:09 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Network packet intercept without rebooting the system
One thing is clear, at TDI level you do not get access to the packets as
seen on “wire”, not even as seen by the protocol drivers.
----- Original Message -----
From: “Xia Tao”
To: “Windows System Software Devs Interest List”
Sent: Friday, March 12, 2004 3:05 PM
Subject: [ntdev] Network packet intercept without rebooting the system
> Hi,
> For the network packet intercept and forward function, we need to choose
> from the following 3 ways:
> 1. NDIS intermediate driver
> 2. NDIS hooking
> 3. TDI filter driver
> I do not know which one is suitable for our needs without rebooting the
> system (Win2k/XP) to get the driver working.
> Please help! Thanks in advance.
> 1. NDIS intermediate driver
The best way.
> 2. NDIS hooking
Impossible to unload. Also the interop issues with other similar software are
inevitable.
> 3. TDI filter driver
You have no packets on TDI level. You have only the data stream, while the
packet headers and boundaries are lost.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
On Fri, 2004-03-12 at 09:46, Maxim S. Shatskih wrote:
> > 1. NDIS intermediate driver
> The best way.
> > 2. NDIS hooking
> Impossible to unload. Also the interop issues with other similar software are
> inevitable.
> > 3. TDI filter driver
> You have no packets on TDI level. You have only the data stream, while the
> packet headers and boundaries are lost.
This is good advice. However, if you don’t care about maintaining
packet boundaries (and I don’t see why you should; send() has no packet
boundary semantics for stream sockets, and datagram sends are already
packets by definition), a TDI filter may be a reasonable choice.
IM drivers do have installation issues. I’ve had a couple of IMs in
production for a while now, and every so often, the network class
installer just freaks out and refuses to bind the IM correctly. This is
particularly common in cases where the customer’s networking setup is
loaded down with extra crap (qos scheduler, bridge miniport, a firewall,
a vpn client, multiple nics, crappy NICs with crappy INFs, etc).
If you’re going to do an IM driver, which is still probably what you
want, make sure to base it on passthru from the latest DDK.
-sd
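Added example, not part of any poster's message: a user-mode C model of the distinction Maxim and Steve discuss above, showing what a packet-level filter can read from each frame versus the byte stream left for a stream-level filter. The two frames are constructed sample input, and `build_frame`, `parse_frame` and `stream_append` are hypothetical helper names, not NDIS or TDI APIs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What a packet-level (NDIS) filter can read from one TCP segment. */
struct seg { uint32_t seq; const uint8_t *data; size_t len; };

/* Constructed sample input: Ethernet II + IPv4 + TCP, no options, checksums zero. */
size_t build_frame(uint8_t *f, uint32_t seq, const char *payload) {
    size_t plen = strlen(payload), tot = 40 + plen;      /* IP total length */
    uint8_t *ip = f + 14, *tcp = f + 34;
    memset(f, 0, 14 + tot); f[12] = 0x08;                /* ethertype 0x0800: IPv4 */
    ip[0] = 0x45; ip[2] = (uint8_t)(tot >> 8); ip[3] = (uint8_t)tot; ip[9] = 6;
    tcp[0] = 0xC0; tcp[3] = 80; tcp[12] = 0x50;          /* 49152 -> 80, 20-byte header */
    for (int i = 0; i < 4; i++) tcp[4 + i] = (uint8_t)(seq >> (24 - 8 * i));
    memcpy(tcp + 20, payload, plen);
    return 14 + tot;
}

/* Packet view: bounds-checked header parse. Returns 0, or -1 if malformed. */
int parse_frame(const uint8_t *f, size_t n, struct seg *s) {
    if (n < 54 || f[12] != 0x08 || f[13] != 0x00) return -1;
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4, tot = ((size_t)ip[2] << 8) | ip[3];
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return -1;   /* IPv4 + TCP only */
    if (tot < ihl + 20 || 14 + tot > n) return -1;                /* truncated frame */
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > tot) return -1;
    s->seq = ((uint32_t)tcp[4] << 24) | ((uint32_t)tcp[5] << 16) | ((uint32_t)tcp[6] << 8) | tcp[7];
    s->data = tcp + doff; s->len = tot - ihl - doff;
    return 0;
}

/* Stream view (TDI level): payload bytes only, appended; boundaries are gone. */
size_t stream_append(uint8_t *st, size_t used, size_t cap, const struct seg *s) {
    if (s->len > cap - used) return used;                /* will not fit: unchanged */
    memcpy(st + used, s->data, s->len);
    return used + s->len;
}

int main(void) {
    uint8_t f1[96], f2[96], st[64]; struct seg a, b;
    if (parse_frame(f1, build_frame(f1, 1000, "GET /a"), &a)) return 1;
    if (parse_frame(f2, build_frame(f2, 1006, " HTTP/1.0"), &b)) return 1;
    size_t n = stream_append(st, stream_append(st, 0, sizeof st, &a), sizeof st, &b);
    printf("packets: %zu + %zu bytes; stream: \"%.*s\"\n", a.len, b.len, (int)n, (const char *)st);
    return 0;
}
```

The packet view keeps two segments with their own sequence numbers and lengths; the stream view holds one 15-byte run with nothing to say where the first segment ended.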
> This is good advice. However, if you don’t care about maintaining
> packet boundaries (and I don’t see why you should
The original poster asked about “packet interception and forwarding”.
I think this is reason enough to care about packet boundaries.
----- Original Message -----
From: “Steve Dispensa”
To: “Windows System Software Devs Interest List”
Sent: Friday, March 12, 2004 4:14 PM
Subject: Re: [ntdev] Network packet intercept without rebooting the system
> On Fri, 2004-03-12 at 09:46, Maxim S. Shatskih wrote:
> > > 1. NDIS intermediate driver
> >
> > The best way.
> >
> > > 2. NDIS hooking
> >
> > Impossible to unload. Also the interop issues with other similar software are
> > inevitable.
> >
> > > 3. TDI filter driver
> >
> > You have no packets on TDI level. You have only the data stream, while the
> > packet headers and boundaries are lost.
>
> This is good advice. However, if you don’t care about maintaining
> packet boundaries (and I don’t see why you should; send() has no packet
> boundary semantics for stream sockets, and datagram sends are already
> packets by definition), a TDI filter may be a reasonable choice.
>
> IM drivers do have installation issues. I’ve had a couple of IMs in
> production for a while now, and every so often, the network class
> installer just freaks out and refuses to bind the IM correctly. This is
> particularly common in cases where the customer’s networking setup is
> loaded down with extra crap (qos scheduler, bridge miniport, a firewall,
> a vpn client, multiple nics, crappy NICs with crappy INFs, etc).
>
> If you’re going to do an IM driver, which is still probably what you
> want, make sure to base it on passthru from the latest DDK.
>
> -sd
A filter hook driver on 2K/XP is also an option.
It also provides you packets and, IIRC, does not
require rebooting. See this link:
http://www.codeproject.com/useritems/drvfltip.asp
–
-Farooque Khan
http://farooque.150m.com
“Xia Tao” wrote in message news:xxxxx@ntdev…
> Hi,
> For the network packet intercept and forward function, we need to choose
> from the following 3 ways:
> 1. NDIS intermediate driver
> 2. NDIS hooking
> 3. TDI filter driver
> I do not know which one is suitable for our needs without rebooting the
> system (Win2k/XP) to get the driver working.
> Please help! Thanks in advance.