It's done at TDI level, not NDIS.
----- Original Message -----
From: “James Dunning”
To: “NT Developers Interest List”
Sent: Tuesday, October 08, 2002 3:29 PM
Subject: [ntdev] NDIS IM Driver, how to determine which process is sending/receiving data??
> Norton Internet Security is able to determine which process (application) is
> sending or receiving data on a particular IP port, and alert the user if it's
> of an unknown type, so they can either permit, block or create a rule filter
> for the current alert.
>
> Does anyone know how an NDIS IM Driver can determine which process
> (application) is sending or receiving data on a particular IP port?
>
> I’ve looked at the following link
> http://www.pcausa.com/resources/winpktfilter.htm which seems to shed some
> light on to how this is done, but I got kinda lost when I read the following
> paragraph…
>
> “It should also be noted that some network services operate by creating a
> thread attached to the system process. In this case the process information
> that is available does not specifically identify the actual process that
> initially created the thread. This is especially true of Windows services
> that exist solely in kernel-mode (kernel-mode TDI clients).”
>
> Could anyone explain to me in English what this means? And advise me how to
> determine which process is sending/receiving data on a particular IP port?
>
> Thanks in advance,
> James Dunning
>
> General Dynamics United Kingdom Limited
> Registered in England and Wales No. 1911653
> Registered Office: 100 New Bridge Street, London, EC4V 6JA