Searching raw memory in DMP files

I’m trying to find an IPv6 packet inside a kernel full memory dump. The
packet buffer may be referenced from a stack parameter or inside a list.

My attempt at opening the raw DMP file and searching for things that look
like IPv6 (0x6* as first byte, 0x40, 0x80 or 0xff as TTL, one of the
standard next-header values, etc.) so far turns up valid packets when I feed
it a netmon trace, but nothing valid when processing a few 2GB DMP files
from BSODs.

User mode has some stacks in which openvpn is sending IPv6 packets that
end up in NDIS. Should this naive approach turn up any packets? Is there
some additional processing needed before I can get to the data in NDIS
MDLs?

Thanks,
Bogdan
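The heuristic described in the post (version nibble 6, a common hop limit, a known next-header value), as an added example that is not part of the original post or any tool named in the thread. It assumes the dump is read as a flat byte image, skips the Windows crash-dump header by signature (DUMP_HEADER64 is 0x2000 bytes, the 32-bit DUMP_HEADER is 0x1000 bytes), and adds the check that separates a real packet from a 40-byte coincidence: when the upper-layer payload is contiguous in the image, the TCP/UDP/ICMPv6 checksum is verified against the IPv6 pseudo-header. The next-header set, hop-limit set, 9000-byte payload bound and the embedded sample image are constructed assumptions, not data from the page.

```python
"""Heuristic IPv6 header scan over a raw memory image such as a kernel .dmp.

Added example for this thread, not code from the original post. Assumptions
(not stated on the page): the file is read as a flat byte image, the crash-dump
header is skipped by signature (DUMP_HEADER64 = 0x2000 bytes, 32-bit
DUMP_HEADER = 0x1000 bytes), and the constants below are the values worth matching.
"""
import ipaddress
import mmap
import re
import struct
from dataclasses import dataclass
from typing import Optional

NEXT_HEADERS = {0x00: "HOPOPT", 0x06: "TCP", 0x11: "UDP", 0x2b: "IPv6-Route",
                0x2c: "IPv6-Frag", 0x3a: "ICMPv6", 0x3b: "IPv6-NoNxt", 0x3c: "IPv6-Opts"}
HOP_LIMITS = (0x40, 0x80, 0xff)   # common initial values; a sender's buffer is not yet decremented
MAX_PAYLOAD = 9000 - 40           # heuristic bound (jumbo-frame MTU); use 1500 - 40 for a tun link


def _byte_class(values) -> bytes:
    return b"[" + b"".join(b"\\x%02x" % v for v in values) + b"]"

# Zero-width lookahead so overlapping candidates are all reported, not just the first.
_CANDIDATE = re.compile(b"(?=[\\x60-\\x6f].{5}" + _byte_class(NEXT_HEADERS)
                        + _byte_class(HOP_LIMITS) + b")", re.DOTALL)


@dataclass
class Ipv6Hit:
    offset: int
    next_header: int
    hop_limit: int
    payload_length: int
    src: str
    dst: str
    checksum_ok: Optional[bool]   # True/False = verified; None = payload not contiguous or no checksum


def _ones_complement_sum(data: bytes) -> int:
    if len(data) & 1:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total


def verify_upper_layer_checksum(pkt: bytes) -> Optional[bool]:
    """pkt = 40-byte IPv6 header + payload; checks TCP/UDP/ICMPv6 against the RFC 8200 pseudo-header."""
    payload_len, next_hdr = struct.unpack_from(">HB", pkt, 4)
    min_len = {0x06: 20, 0x11: 8, 0x3a: 4}.get(next_hdr)
    payload = pkt[40:40 + payload_len]
    if min_len is None or payload_len < min_len or len(payload) < payload_len:
        return None
    pseudo = pkt[8:40] + struct.pack(">I3xB", payload_len, next_hdr)
    return _ones_complement_sum(pseudo + payload) == 0xffff


def parse_candidate(buf, off: int) -> Optional[Ipv6Hit]:
    if off + 40 > len(buf):
        return None
    payload_len, next_hdr, hop_limit = struct.unpack_from(">HBB", buf, off + 4)
    if buf[off] >> 4 != 6 or next_hdr not in NEXT_HEADERS or hop_limit not in HOP_LIMITS:
        return None
    if payload_len > MAX_PAYLOAD:
        return None
    src, dst = bytes(buf[off + 8:off + 24]), bytes(buf[off + 24:off + 40])
    if dst == bytes(16) or src[0] == 0xff:   # unspecified destination / multicast source: never valid
        return None
    pkt = bytes(buf[off:off + 40 + payload_len])
    return Ipv6Hit(off, next_hdr, hop_limit, payload_len, str(ipaddress.IPv6Address(src)),
                   str(ipaddress.IPv6Address(dst)), verify_upper_layer_checksum(pkt))


def dump_data_start(buf) -> int:
    """Skip the crash-dump header so its fields are not scanned as packet bytes."""
    sig = bytes(buf[:8])
    return 0x2000 if sig == b"PAGEDU64" else 0x1000 if sig == b"PAGEDUMP" else 0


def scan(buf, start: int = 0) -> list:
    hits = [parse_candidate(buf, m.start()) for m in _CANDIDATE.finditer(buf, start)]
    return [h for h in hits if h is not None]


def scan_file(path: str) -> list:
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan(mm, dump_data_start(mm))


def build_udp6(src, dst, sport, dport, data, hop_limit=0x40) -> bytes:
    """Constructed test packet (not captured traffic) with a valid UDP checksum."""
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    udp_len = 8 + len(data)
    udp = struct.pack(">HHHH", sport, dport, udp_len, 0) + data
    csum = 0xffff ^ _ones_complement_sum(s + d + struct.pack(">I3xB", udp_len, 0x11) + udp)
    udp = udp[:6] + struct.pack(">H", csum or 0xffff) + udp[8:]
    return struct.pack(">IHBB", 0x60000000, udp_len, 0x11, hop_limit) + s + d + udp


def build_sample_image() -> bytes:
    """Constructed stand-in for a .dmp: fake DUMP_HEADER64 signature, non-zero filler, one intact
    packet, a decoy with hop limit 65, a copy with a flipped payload byte, and one whose payload
    is cut off at the end of the image (as happens across a physical page boundary)."""
    filler = bytes(range(256)) * 4
    real = build_udp6("fd00::1", "fd00::2", 1194, 1194, b"openvpn-ish payload")
    decoy = bytearray(real); decoy[7] = 0x41
    corrupt = bytearray(real); corrupt[50] ^= 0x20
    return (b"PAGEDU64" + bytes(0x2000 - 8) + filler + real + filler + bytes(decoy)
            + filler + bytes(corrupt) + filler + real[:44])


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        hits = scan_file(sys.argv[1])
    else:
        image = build_sample_image()
        hits = scan(image, dump_data_start(image))
    for h in hits:
        print(f"{h.offset:#x} {NEXT_HEADERS[h.next_header]} {h.src} -> {h.dst} "
              f"len={h.payload_length} checksum={h.checksum_ok}")
```

Run it with a .dmp path to scan a real file, or with no arguments to scan the embedded sample. A hit with checksum None (header present, payload not contiguous) is the shape to expect for a packet that was sitting in an NDIS MDL chain: a full dump stores physical pages, and an MDL can describe pages that are not physically adjacent, so only the piece inside one page is guaranteed to be contiguous in the file. Hits with a verified checksum are the ones worth feeding to a packet decoder.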

If you haven't done so yet, give CodeMachine's WinDbg extension cmkd.dll a
try; it has an extension command !packet.

Or try windbgshark.

On 3/16/15, Bogdan Harjoc wrote:
> —
> WINDBG is sponsored by OSR