Packet header in ndis hooking driver

Hi,
I have an NDIS hooking driver, and I need to figure out
where the IP header begins. The problem is I can’t seem
to get it reliably. I don’t want to end up writing code for
each level 2 protocol type, is there a function that will
get this for me?

I have tried hooking OID_GEN_TRANSPORT_HEADER_OFFSET, calling
NDIS_GET_PACKET_HEADER_SIZE, and now I am looking at MDL->ByteCount
of the first buffer chained to the NDIS_PACKET. This works
sometimes, but TCP seems to randomly include the
IP header in the first buffer, which causes me to look too
far into the packet.

-Jeff

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote also confirms that this email message has been swept by
the latest virus scan software available for the presence of computer
viruses.
**********************************************************************

> ----------
> From: xxxxx@concord.com[SMTP:xxxxx@concord.com]
> Reply To: xxxxx@lists.osr.com
> Sent: Thursday, March 20, 2003 4:16 AM
> To: xxxxx@lists.osr.com
> Subject: [ntdev] Packet header in ndis hooking driver
>
> Hi,
> I have an NDIS hooking driver, and I need to figure out
> where the IP header begins. The problem is I can’t seem
> to get it reliably. I don’t want to end up writing code for
> each level 2 protocol type, is there a function that will
> get this for me?
>
This is what you should do. It isn’t so hard, IIRC for Ethernet there are
only 2 possibilities. I’m not aware of a function and doubt there is one.

> I have tried hooking OID_GEN_TRANSPORT_HEADER_OFFSET, calling
> NDIS_GET_PACKET_HEADER_SIZE, and now I am looking at MDL->ByteCount
> of the first buffer chained to the NDIS_PACKET. This works
> sometimes, but TCP seems to randomly include the
> IP header in the first buffer, which causes me to look too
> far into the packet.
>
A driver must not depend on the way buffers are chained to a packet. It can
only examine data in buffers. TCPIP and any driver layered above yours is
allowed to use buffers any way; there could even be one buffer per data
byte. Also, you shouldn’t access buffers directly; there are functions and
macros for it.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]

Hi,

Ethernet isn’t too hard, I have that one done. The one I am working on
now is the NdisMediumWan. I am going to have to write a function to decode
each NDIS_WAN_MEDIUM_SUBTYPE that I want to support I guess? Well that
kinda stinks…

Could you explain the OID_WAN_HEADER_FORMAT query? I noticed that the DDK
says that:

NdisWanHeaderNative
Selects the format native to the NdisWanMediumXxx subtype supported by
the underlying driver. NDISWAN always uses Ethernet.

So what is the difference between NdisWanHeaderNative and NdisWanHeaderEthernet
for the NDISWAN miniport? And when they say “NDISWAN” are they talking about
NdisMediumWan, or the miniport driver?

Thanks,
-Jeff

You are currently subscribed to ntdev as: xxxxx@concord.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


If you’re layered above NdisWan, all you need is Ethernet. The mentioned
constants are IMHO for WAN miniports layered under NdisWan. The docs are a bit
confusing regarding NdisWan; most info is for WAN miniports. For a filter
above, you need to process only NDIS_WAN_LINE_UP/DOWN and maybe FRAGMENT.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]



Thank you! You just made it a lot more clear to me and
cut out a lot of work I thought I had to do.

Now all I have to do is parse the layer 2 headers I want
to look at IP over and I’ll be home free.

Thanks!
-Jeff


Parse the Ethernet header, determine its size (14 bytes usually) and
skip it, the IP header is the next byte - possibly in another MDL in
the chain.

Max


There is a pretty good example of how to scan NDIS_BUFFERS in the mux
sample from the ddk that might help you. Look in the transmit / receive
path to find it.


Don’t forget about the 802.3 format. There are LLC and SNAP headers between
the 14-byte Ethernet header and the IP address. Or do you take it as part of
the eth. header? It has been several years since I worked in this area and
I’m no longer sure about the terminology…

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]



According to RFC1122, the default packets created by IP stack do not
use 802.3, and use the 14 byte header. For Windows, this is governed
by “UseDixOverEthernet” registry setting of IP stack, which is TRUE by
default.

Anyway I said “usually” - so, the code must get the length/protocol ID
field, check whether it is < Ethernet MTU, and do the 802.3 processing
if yes.

Max
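
The approach the replies converge on, as an added example that is not code from any poster or from the DDK: read the type/length field and the LLC/SNAP bytes by logical packet offset across the buffer chain, so the result never depends on how the buffers happen to be split. `struct chain_buf` and all function names are hypothetical, the code is a user-mode C model rather than driver code, and the 0x0600 and 1500 boundaries are the standard EtherType/length split, which goes slightly beyond the "< Ethernet MTU" check stated above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for one buffer in a packet's chain (not an NDIS type). */
struct chain_buf { const uint8_t *data; size_t len; const struct chain_buf *next; };

/* Copy count bytes at packet offset off across buffers; -1 if the packet ends first. */
static int chain_read(const struct chain_buf *b, size_t off, uint8_t *out, size_t count)
{
    for (; b != NULL && count > 0; b = b->next) {
        if (off >= b->len) { off -= b->len; continue; }  /* range starts later */
        size_t n = (b->len - off < count) ? b->len - off : count;
        for (size_t i = 0; i < n; i++) out[i] = b->data[off + i];
        out += n; count -= n; off = 0;
    }
    return count == 0 ? 0 : -1;
}

/* Offset of the IPv4 header; -1 if truncated or not IPv4 over DIX or 802.3 LLC/SNAP. */
long find_ipv4_offset(const struct chain_buf *pkt)
{
    static const uint8_t snap_ip[8] = {0xAA, 0xAA, 0x03, 0, 0, 0, 0x08, 0x00};
    uint8_t f[8]; long off;
    if (chain_read(pkt, 12, f, 2) != 0) return -1;
    unsigned type_or_len = ((unsigned)f[0] << 8) | f[1];
    if (type_or_len >= 0x0600) {            /* EtherType: 14-byte DIX header */
        if (type_or_len != 0x0800) return -1;
        off = 14;
    } else if (type_or_len <= 1500) {       /* 802.3 length: expect LLC + SNAP */
        if (chain_read(pkt, 14, f, 8) != 0) return -1;
        for (size_t i = 0; i < 8; i++)
            if (f[i] != snap_ip[i]) return -1;
        off = 22;
    } else return -1;                       /* 1501..1535 is neither */
    if (chain_read(pkt, (size_t)off, f, 1) != 0) return -1;
    if ((f[0] >> 4) != 4 || (f[0] & 0x0F) < 5) return -1;  /* version 4, IHL >= 5 */
    return off;
}

/* Constructed sample frames (not captured traffic). */
const uint8_t DIX_FRAME[] = {2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00, 0x45,0,0,20};
const uint8_t SNAP_FRAME[] = {2,0,0,0,0,1, 2,0,0,0,0,2, 0x00,0x0C,
                              0xAA,0xAA,0x03, 0,0,0, 0x08,0x00, 0x45,0,0,20};
const uint8_t ARP_FRAME[] = {2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x06, 0,1,8,0};

/* Demo helper: split a flat frame into chunk-sized buffers, then locate IP. */
long offset_when_split(const uint8_t *frame, size_t len, size_t chunk)
{
    struct chain_buf bufs[64];              /* enough for the samples above */
    size_t n = 0;
    for (size_t pos = 0; chunk > 0 && pos < len && n < 64; pos += chunk, n++) {
        size_t left = len - pos;
        bufs[n] = (struct chain_buf){frame + pos, left < chunk ? left : chunk, NULL};
        if (n > 0) bufs[n - 1].next = &bufs[n];
    }
    return find_ipv4_offset(n ? bufs : NULL);
}

int main(void)
{
    printf("%ld\n", offset_when_split(DIX_FRAME, sizeof DIX_FRAME, 1));
    return 0;
}
```

The one-byte-per-buffer split is the worst case mentioned earlier in the thread; the offset comes out the same as for a single contiguous buffer.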
