Remote Address query with TDI

Is there a way to query an established connection FileObject created by the
Tcp driver to determine what remote address it’s connected to?

Currently I am filtering the tcp driver and caching this information for
newly created connections, however, for previously established connections I
obviously don’t have it and would like to gather it if possible.

Any help, hints or direction appreciated.

Stanislaw

netstat way, which eventually ends querying TCP tables from the TCP device
using extended TCP IOCTLs. However, it’s fully undocumented. Maybe you can
find some info in the Windows socket helper DLL source in Windows DDK.

----- Original Message -----
From: “Stanislaw Kowalczyk”
To: “NT Developers Interest List”
Sent: Wednesday, June 26, 2002 5:56 PM
Subject: [ntdev] Remote Address query with TDI

>
> Is there a way to query a established connection FileObject created by the
> Tcp driver to determine what remote address its connected to?
>
> Currently I am filtering the tcp driver and caching this information for
> newly created connections, however, for previously established connections
I
> obviously don’t have it and would like to gather it if possible.
>
> Any help, hints or direction appreciated.
>
> Stanislaw
>
>
> —
> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to %%email.unsub%%
>

> Is there a way to query a established connection FileObject created by the
> Tcp driver to determine what remote address its connected to?
>
> Currently I am filtering the tcp driver and caching this information for
> newly created connections, however, for previously established connections I
> obviously don’t have it and would like to gather it if possible.

IIRC it is not possible. Save the remote address in your connect() or
accept() path.

Max

The only helper is TDI_QUERY_CONNECTION_INFO. It fetches local address info.
It also fetches “connection info”; this includes statistics - but apparently
NOT the remote address.

Regards,

Thomas F. Divine

PCAUSA - Tools & Resources For Network Software Developers
NDIS Protocol/Intermediate/Hooking - TDI Client/Filter
http: - http:

“Stanislaw Kowalczyk” wrote in message
news:xxxxx@ntdev…
>
>
> Is there a way to query a established connection FileObject created by the
> Tcp driver to determine what remote address its connected to?
>
> Currently I am filtering the tcp driver and caching this information for
> newly created connections, however, for previously established connections
I
> obviously don’t have it and would like to gather it if possible.
>
> Any help, hints or direction appreciated.
>
> Stanislaw
>
>

Netstat does it. So it must be possible.

Regards, Dan

----- Original Message -----
From: “Maxim S. Shatskih”
To: “NT Developers Interest List”
Sent: Wednesday, June 26, 2002 7:53 PM
Subject: [ntdev] Re: Remote Address query with TDI

> > Is there a way to query a established connection FileObject created
> by the
> > Tcp driver to determine what remote address its connected to?
> >
> > Currently I am filtering the tcp driver and caching this information
> for
> > newly created connections, however, for previously established
> connections I
> > obviously don’t have it and would like to gather it if possible.
>
> IIRC it is not possible. Save the remote address in your connect() or
> accept() path.
>
> Max

I’m currently using it to get the state of the connection. Unfortunately,
the state is not defined so I am in the process of mapping them, unless
someone already has this information and is willing to share?

Does anyone know why the remote address query is not exposed?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Thomas F. Divine
Sent: Wednesday, June 26, 2002 1:19 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Remote Address query with TDI

The only helper is TDI_QUERY_CONNECTION_INFO. It fetches local address info.
It also fetches “connection info”; this includes statistics - but apparently
NOT the remote address.

Regards,

Thomas F. Divine

PCAUSA - Tools & Resources For Network Software Developers
NDIS Protocol/Intermediate/Hooking - TDI Client/Filter
http: - http:

“Stanislaw Kowalczyk” wrote in message
news:xxxxx@ntdev…
>
>
> Is there a way to query a established connection FileObject created by the
> Tcp driver to determine what remote address its connected to?
>
> Currently I am filtering the tcp driver and caching this information for
> newly created connections, however, for previously established connections
I
> obviously don’t have it and would like to gather it if possible.
>
> Any help, hints or direction appreciated.
>
> Stanislaw
>
>
>



I already do, am concerned with connections established before successfully
attaching.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S. Shatskih
Sent: Wednesday, June 26, 2002 12:54 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Remote Address query with TDI

Is there a way to query a established connection FileObject created
by the
Tcp driver to determine what remote address its connected to?

Currently I am filtering the tcp driver and caching this information
for
newly created connections, however, for previously established
connections I
obviously don’t have it and would like to gather it if possible.

IIRC it is not possible. Save the remote address in your connect() or
accept() path.

Max



netstat reports the open sockets by querying for them through SNMP, however,
I don’t see a way of mapping it back to either a HANDLE or FO.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Dan Partelly
Sent: Wednesday, June 26, 2002 1:40 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Remote Address query with TDI

Netstat does it. So it must be possible.

Regards, Dan

----- Original Message -----
From: “Maxim S. Shatskih”
To: “NT Developers Interest List”
Sent: Wednesday, June 26, 2002 7:53 PM
Subject: [ntdev] Re: Remote Address query with TDI

> > Is there a way to query a established connection FileObject created
> by the
> > Tcp driver to determine what remote address its connected to?
> >
> > Currently I am filtering the tcp driver and caching this information
> for
> > newly created connections, however, for previously established
> connections I
> > obviously don’t have it and would like to gather it if possible.
>
> IIRC it is not possible. Save the remote address in your connect() or
> accept() path.
>
> Max

SNMP dynamic link libraries will eventually end up sending IOCTLs to TCP. Trust
me about this.

Regards, Dan

----- Original Message -----
From: “Stanislaw Kowalczyk”
To: “NT Developers Interest List”
Sent: Wednesday, June 26, 2002 11:08 PM
Subject: [ntdev] Re: Remote Address query with TDI

> netstat reports the open sockets by querying for them through SNMP,
however,
> I don’t see a way of mapping it back to either a HANDLE or FO.
>
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf Of Dan Partelly
> Sent: Wednesday, June 26, 2002 1:40 PM
> To: NT Developers Interest List
> Subject: [ntdev] Re: Remote Address query with TDI
>
>
> Netstat does it. So it must be possible.
>
> Regards, Dan
>
> ----- Original Message -----
> From: “Maxim S. Shatskih”
> To: “NT Developers Interest List”
> Sent: Wednesday, June 26, 2002 7:53 PM
> Subject: [ntdev] Re: Remote Address query with TDI
>
>
> > > Is there a way to query a established connection FileObject created
> > by the
> > > Tcp driver to determine what remote address its connected to?
> > >
> > > Currently I am filtering the tcp driver and caching this information
> > for
> > > newly created connections, however, for previously established
> > connections I
> > > obviously don’t have it and would like to gather it if possible.
> >
> > IIRC it is not possible. Save the remote address in your connect() or
> > accept() path.
> >
> > Max

Thanks, I’ll look into this, hopefully it will solve my problem.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Dan Partelly
Sent: Wednesday, June 26, 2002 9:46 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Remote Address query with TDI

SNMP dynamic link libraries will eventually end up sending IOCTLs to TCP. Trust
me about this.

Regards, Dan

----- Original Message -----
From: “Stanislaw Kowalczyk”
To: “NT Developers Interest List”
Sent: Wednesday, June 26, 2002 11:08 PM
Subject: [ntdev] Re: Remote Address query with TDI

> netstat reports the open sockets by querying for them through SNMP,
however,
> I don’t see a way of mapping it back to either a HANDLE or FO.
>
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf Of Dan Partelly
> Sent: Wednesday, June 26, 2002 1:40 PM
> To: NT Developers Interest List
> Subject: [ntdev] Re: Remote Address query with TDI
>
>
> Netstat does it. So it must be possible.
>
> Regards, Dan
>
> ----- Original Message -----
> From: “Maxim S. Shatskih”
> To: “NT Developers Interest List”
> Sent: Wednesday, June 26, 2002 7:53 PM
> Subject: [ntdev] Re: Remote Address query with TDI
>
>
> > > Is there a way to query a established connection FileObject created
> > by the
> > > Tcp driver to determine what remote address its connected to?
> > >
> > > Currently I am filtering the tcp driver and caching this information
> > for
> > > newly created connections, however, for previously established
> > connections I
> > > obviously don’t have it and would like to gather it if possible.
> >
> > IIRC it is not possible. Save the remote address in your connect() or
> > accept() path.
> >
> > Max

Attach early during system boot, and you will be safe.

----- Original Message -----
From: “Stanislaw Kowalczyk”
To: “NT Developers Interest List”
Sent: Thursday, June 27, 2002 12:08 AM
Subject: [ntdev] Re: Remote Address query with TDI

> I already do, am concerned with connections established before
successfully
> attaching.
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S.
Shatskih
> Sent: Wednesday, June 26, 2002 12:54 PM
> To: NT Developers Interest List
> Subject: [ntdev] Re: Remote Address query with TDI
>
>
> > Is there a way to query a established connection FileObject
created
> by the
> > Tcp driver to determine what remote address its connected to?
> >
> > Currently I am filtering the tcp driver and caching this
information
> for
> > newly created connections, however, for previously established
> connections I
> > obviously don’t have it and would like to gather it if possible.
>
> IIRC it is not possible. Save the remote address in your connect()
or
> accept() path.
>
> Max

> Does anyone know why the remote address query is not exposed?

I think it is not only “not exposed”, but just not coded in TCPIP.

Max

One thing I realized after I posted is that indeed I too see no way to map
them back to file objects. So it might unfortunately
not solve your problem if you need a mapping and not just the information.

----- Original Message -----
From: “Stanislaw Kowalczyk”
To: “NT Developers Interest List”
Sent: Thursday, June 27, 2002 5:32 AM
Subject: [ntdev] Re: Remote Address query with TDI

> Thanks, I’ll look into this, hopefully it will solve my problem.
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf Of Dan Partelly
> Sent: Wednesday, June 26, 2002 9:46 PM
> To: NT Developers Interest List
> Subject: [ntdev] Re: Remote Address query with TDI
>
>
> SNMP dynamic link libraries will eventually end up sending IOCTLs to TCP.
> Trust me about this.
>
> Regards, Dan
>
> ----- Original Message -----
> From: “Stanislaw Kowalczyk”
> To: “NT Developers Interest List”
> Sent: Wednesday, June 26, 2002 11:08 PM
> Subject: [ntdev] Re: Remote Address query with TDI
>
>
> > netstat reports the open sockets by querying for them through SNMP,
> however,
> > I don’t see a way of mapping it back to either a HANDLE or FO.
> >
> >
> >
> > -----Original Message-----
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com]On Behalf Of Dan Partelly
> > Sent: Wednesday, June 26, 2002 1:40 PM
> > To: NT Developers Interest List
> > Subject: [ntdev] Re: Remote Address query with TDI
> >
> >
> > Netstat does it. So it must be possible.
> >
> > Regards, Dan
> >
> > ----- Original Message -----
> > From: “Maxim S. Shatskih”
> > To: “NT Developers Interest List”
> > Sent: Wednesday, June 26, 2002 7:53 PM
> > Subject: [ntdev] Re: Remote Address query with TDI
> >
> >
> > > > Is there a way to query a established connection FileObject created
> > > by the
> > > > Tcp driver to determine what remote address its connected to?
> > > >
> > > > Currently I am filtering the tcp driver and caching this information
> > > for
> > > > newly created connections, however, for previously established
> > > connections I
> > > > obviously don’t have it and would like to gather it if possible.
> > >
> > > IIRC it is not possible. Save the remote address in your connect() or
> > > accept() path.
> > >
> > > Max

That’s basically correct, and there are some examples out there of how to
interrogate using SNMP.

However, the SNMP code actually calls TDI with the
IOCTL_TCP_QUERY_INFORMATION_EX ioctl and a bunch of largely undocumented
structures (though they do look familiar to anyone who has seen the BSD code).

As an exercise 6 or 7 years ago I reverse engineered it and all the
utilities such as netstat, arp, route etc use TCP_QUERY_INFORMATION_EX
directly rather than the SNMP method because the SNMP method is read
only. For arp and route you need to be able to delete and write information.

However, Stanislaw is correct in saying that there is no way to map this
information back to a specific file object, handle or process. If you need
to have this level of resolution then you must add your own TDI filter
driver to record the information.

Mark
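
Added example, not part of Mark's post or of any Windows source: a portable C parser for a TCP connection table, showing that each row carries the state and the local/remote address pair but nothing that names a file object, handle or process, so the only possible join key is the address tuple, which stops being unique once several connections share a local endpoint. It assumes the documented IP Helper MIB_TCPTABLE/MIB_TCPROW layout as a stand-in for the undocumented IOCTL_TCP_QUERY_INFORMATION_EX structures; `parse_tcp_table`, `match_local` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: rows follow the documented IP Helper MIB_TCPROW layout
 * (five little-endian DWORDs). The undocumented IOCTL structures the
 * thread mentions are not reproduced here. */
enum { ROW_SIZE = 20, STATE_ESTABLISHED = 5 };

typedef struct {
    uint32_t state;               /* MIB_TCP_STATE_* value, 1..12 */
    uint8_t  laddr[4], raddr[4];  /* IPv4 bytes in network order */
    uint16_t lport, rport;        /* converted to host order */
} tcp_row;                        /* note: no handle or file object field */

static const char *const STATE_NAMES[] = {
    "?", "CLOSED", "LISTEN", "SYN_SENT", "SYN_RCVD", "ESTABLISHED",
    "FIN_WAIT1", "FIN_WAIT2", "CLOSE_WAIT", "CLOSING", "LAST_ACK",
    "TIME_WAIT", "DELETE_TCB" };

const char *tcp_state_name(uint32_t s) { return s <= 12 ? STATE_NAMES[s] : "?"; }

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse dwNumEntries followed by the rows. Returns the row count, or -1 if
 * the buffer is shorter than the count claims or `out` is too small. */
int parse_tcp_table(const uint8_t *buf, size_t len, tcp_row *out, size_t max) {
    if (len < 4) return -1;
    uint32_t n = le32(buf);
    if (n > (len - 4) / ROW_SIZE || n > max) return -1;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *r = buf + 4 + (size_t)i * ROW_SIZE;
        out[i].state = le32(r);
        memcpy(out[i].laddr, r + 4, 4);
        out[i].lport = (uint16_t)(r[8] << 8 | r[9]);   /* ports are big-endian */
        memcpy(out[i].raddr, r + 12, 4);
        out[i].rport = (uint16_t)(r[16] << 8 | r[17]);
    }
    return (int)n;
}

/* Count ESTABLISHED rows on a local endpoint; *hit is the last match.
 * Any result other than 1 means the endpoint identifies no single row. */
int match_local(const tcp_row *rows, int n, const uint8_t laddr[4],
                uint16_t lport, const tcp_row **hit) {
    int count = 0;
    for (int i = 0; i < n; i++)
        if (rows[i].state == STATE_ESTABLISHED && rows[i].lport == lport &&
            memcmp(rows[i].laddr, laddr, 4) == 0) { *hit = &rows[i]; count++; }
    return count;
}

/* Constructed sample table (documentation addresses), not captured data. */
const uint8_t SAMPLE_TABLE[] = {
    4,0,0,0,
    2,0,0,0,  0,0,0,0,     0x01,0xBD,0,0,  0,0,0,0,        0,0,0,0,
    5,0,0,0,  192,0,2,10,  0x01,0xBD,0,0,  198,51,100,7,   0xC0,0x00,0,0,
    5,0,0,0,  192,0,2,10,  0x01,0xBD,0,0,  203,0,113,9,    0xC3,0x50,0,0,
    5,0,0,0,  192,0,2,10,  0x04,0x15,0,0,  198,51,100,20,  0x00,0x50,0,0,
};

int main(void) {
    tcp_row rows[8];
    const tcp_row *hit = NULL;
    const uint8_t host[4] = { 192, 0, 2, 10 };
    int n = parse_tcp_table(SAMPLE_TABLE, sizeof SAMPLE_TABLE, rows, 8);
    for (int i = 0; i < n; i++)
        printf("%-11s %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d\n",
               tcp_state_name(rows[i].state), rows[i].laddr[0], rows[i].laddr[1],
               rows[i].laddr[2], rows[i].laddr[3], rows[i].lport, rows[i].raddr[0],
               rows[i].raddr[1], rows[i].raddr[2], rows[i].raddr[3], rows[i].rport);
    printf("local :1045 matches %d row(s)\n", match_local(rows, n, host, 1045, &hit));
    printf("local :445  matches %d row(s)\n", match_local(rows, n, host, 445, &hit));
    return 0;
}
```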

At 16:08 26/06/2002 -0400, Stanislaw Kowalczyk wrote:

netstat reports the open sockets by querying for them through SNMP, however,
I don’t see a way of mapping it back to either a HANDLE or FO.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Dan Partelly
Sent: Wednesday, June 26, 2002 1:40 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Remote Address query with TDI

Netstat does it. So it must be possible.

Regards, Dan

----- Original Message -----
From: “Maxim S. Shatskih”
>To: “NT Developers Interest List”
>Sent: Wednesday, June 26, 2002 7:53 PM
>Subject: [ntdev] Re: Remote Address query with TDI
>
>
> > > Is there a way to query a established connection FileObject created
> > by the
> > > Tcp driver to determine what remote address its connected to?
> > >
> > > Currently I am filtering the tcp driver and caching this information
> > for
> > > newly created connections, however, for previously established
> > connections I
> > > obviously don’t have it and would like to gather it if possible.
> >
> > IIRC it is not possible. Save the remote address in your connect() or
> > accept() path.
> >
> > Max

> > Does anyone know why the remote address query is not exposed?

I think it is not only “not exposed”, but just not coded in TCPIP.

Max

That’s not correct. Tcpip.sys has functions to obtain TCP Control Block by
connection object which contains local and remote addresses and other
internal stuff but they’re not exported.

vlad-ntdev

Unfortunately, one of my requirements is not to reboot.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S. Shatskih
Sent: Thursday, June 27, 2002 2:22 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Remote Address query with TDI

Attach early during system boot, and you will be safe.

----- Original Message -----
From: “Stanislaw Kowalczyk”
To: “NT Developers Interest List”
Sent: Thursday, June 27, 2002 12:08 AM
Subject: [ntdev] Re: Remote Address query with TDI

> I already do, am concerned with connections established before
successfully
> attaching.
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S.
Shatskih
> Sent: Wednesday, June 26, 2002 12:54 PM
> To: NT Developers Interest List
> Subject: [ntdev] Re: Remote Address query with TDI
>
>
> > Is there a way to query a established connection FileObject
created
> by the
> > Tcp driver to determine what remote address its connected to?
> >
> > Currently I am filtering the tcp driver and caching this
information
> for
> > newly created connections, however, for previously established
> connections I
> > obviously don’t have it and would like to gather it if possible.
>
> IIRC it is not possible. Save the remote address in your connect()
or
> accept() path.
>
> Max

> > I think it is not only “not exposed”, but just not coded in TCPIP.
> >
> > Max
>
> That’s not correct. Tcpip.sys has functions to obtain TCP Control
> Block by

Yes, but not from TDI’s file objects and not by TDI IOCTLs.
These are proprietary IOCTLs for TCPIP.

Also note that setsockopt(IPPROTO_IP) are also implemented by such
IOCTLs sent from WSHTCPIP.DLL. This bypasses AFD and TDI.

Max

Can you explain what you ultimately want to achieve? Our TCP/IP developers
don’t want you to do this.

"Unfortunately, TDI doesn’t define a mechanism for a client to retrieve the
remote address of a connection. Sub-note: “please don’t filter IRPs on
\Device\Tcp”."


Nar Ganapathy
Windows Core OS group
This posting is provided “AS IS” with no warranties, and confers no rights.

“Stanislaw Kowalczyk” wrote in message
news:xxxxx@ntdev…
>
>
> Is there a way to query a established connection FileObject created by the
> Tcp driver to determine what remote address its connected to?
>
> Currently I am filtering the tcp driver and caching this information for
> newly created connections, however, for previously established connections
I
> obviously don’t have it and would like to gather it if possible.
>
> Any help, hints or direction appreciated.
>
> Stanislaw
>
>
>

Maybe TdiBuildQueryInformation might help you.
Specify the QType as TDI_QUERY_CONNECTION_INFO.

-----Original Message-----
From: Dan Partelly [mailto:xxxxx@rdsor.ro]
Sent: Wednesday, June 26, 2002 8:10 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Remote Address query with TDI

netstat way, which eventually ends querying TCP tables from the TCP device
using extended TCP IOCTLs. However, it’s fully undocumented. Maybe you can
find some info in the Windows socket helper DLL source in Windows DDK.

----- Original Message -----
From: “Stanislaw Kowalczyk”
To: “NT Developers Interest List”
Sent: Wednesday, June 26, 2002 5:56 PM
Subject: [ntdev] Remote Address query with TDI

>
> Is there a way to query a established connection FileObject created by the
> Tcp driver to determine what remote address its connected to?
>
> Currently I am filtering the tcp driver and caching this information for
> newly created connections, however, for previously established connections
I
> obviously don’t have it and would like to gather it if possible.
>
> Any help, hints or direction appreciated.
>
> Stanislaw

Nar,

> Our TCP/IP developers don’t want you do this.

Can you please clarify this a little? MS is against the whole concept of
filter driver applied against TCP / UDP devices ? If so can you explain
why? Or only against talking directly to TCP device , bypassing TDI ?

Dan

----- Original Message -----
From: “Nar Ganapathy [MS]”
Newsgroups: ntdev
To: “NT Developers Interest List”
Sent: Thursday, June 27, 2002 9:04 PM
Subject: [ntdev] Re: Remote Address query with TDI

> Can you explain what you ultimately want to achieve ? Our TCP/IP
developers
> don’t want you do this.
>
> "Unfortunately, TDI doesn’t define a mechanism for a client to retrieve
the
> remote address of a connection. Sub-note: “please don’t filter IRPs on
> \Device\Tcp”.
>
> —
> Nar Ganapathy
> Windows Core OS group
> This posting is provided “AS IS” with no warranties, and confers no
rights.
>
> “Stanislaw Kowalczyk” wrote in message
> news:xxxxx@ntdev…
> >
> >
> > Is there a way to query a established connection FileObject created by
the
> > Tcp driver to determine what remote address its connected to?
> >
> > Currently I am filtering the tcp driver and caching this information for
> > newly created connections, however, for previously established
connections
> I
> > obviously don’t have it and would like to gather it if possible.
> >
> > Any help, hints or direction appreciated.
> >
> > Stanislaw
> >
> >
> >