Re: NDIS IM Driver, how to determine which process is sending/receiving data??

Interesting, I have always been interested in how Windows software firewalls
actually work behind the scenes.

Does TDI provide full control over the packets like NDIS? I.e., can you block
or modify the contents of the network packets before they are forwarded on up
the network stack?

I have written an NDIS IM Driver in the past. With that previous experience of
NDIS drivers, how easy would it be to implement some sort of TDI driver
which simply forwards packets up and down the stack and operates like a
filter driver? For example, something which operates like the IMSAMP sample
for NDIS?

-----Original Message-----
From: Dan Partelly [mailto:xxxxx@rdsor.ro]
Sent: 08 October 2002 13:52
To: NT Developers Interest List
Subject: [ntdev] Re: NDIS IM Driver, how to determine which process is
sending/receiving data??

It's done at TDI level, not NDIS.

----- Original Message -----
From: “James Dunning”
To: “NT Developers Interest List”
Sent: Tuesday, October 08, 2002 3:29 PM
Subject: [ntdev] NDIS IM Driver, how to determine which process is
sending/receiving data??

> Norton Internet Security is able to determine which process (application) is
> sending or receiving data on a particular IP port, and alert the user if it's
> of an unknown type, so they can either permit, block, or create a rule filter
> for the current alert.
>
> Does anyone know how an NDIS IM Driver can determine which process
> (application) is sending or receiving data on a particular IP port?
>
> I've looked at the following link
> http://www.pcausa.com/resources/winpktfilter.htm which seems to shed some
> light on to how this is done, but I got kinda lost when I read the following
> paragraph…
>
> "It should also be noted that some network services operate by creating a
> thread attached to the system process. In this case the process information
> that is available does not specifically identify the actual process that
> initially created the thread. This is especially true of Windows services
> that exist solely in kernel-mode (kernel-mode TDI clients)."
>
> Could anyone explain to me in English what this means, and advise me how to
> determine which process is sending/receiving data on a particular IP port?
>
> Thanks in advance,
> James Dunning
>
> General Dynamics United Kingdom Limited
> Registered in England and Wales No. 1911653
> Registered Office: 100 New Bridge Street, London, EC4V 6JA
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to %%email.unsub%%
>