Setting up multicast MAC address.

NTDEV
1

Hi,
I am using WinPcap to listen over a specific interface ethernet packets. My user mode application is after a specific ethernet type however the packets are send over a multicast MAC address.

I understand that I need to register my multicast MAC address to the NIC before my user mode application can listen and capture these packets. I have searched all over and couldn’t find any way to do this.

it seems that as an NDIS protocol driver I can do it, but I have no comtrol over the PCAP NDIS driver.

I understand that the multicast list is : OID_802_3_MULTICAST_LIST. Is there any way to add an item to that list via user mode ? or any other way to control the NIC multicast list ?

I have to use non-promscious mode cant be in promscious mode.

Thanks in advance,
Jim

2

You’ll have to examine the PCAP sources. It IS a protocol driver, and can
call the miniport to query/set OIDs like OID_802_3_MULTICAST_LIST. There
likely a user-mode API exposed by PCAP DLL that you can use.

There is no other way. The protocol driver that you are using (PCAP) must
query the list, add you new one and then set the new list. When you’re done,
reverse the process to undo it.

Good luck!

Thomas F. Divine
http://www.pcausa.com

From:
Sent: Sunday, September 05, 2010 10:47 AM
To: “Windows System Software Devs Interest List”
Subject: [ntdev] Setting up multicast MAC address.

> Hi,
> I am using WinPcap to listen over a specific interface ethernet packets.
> My user mode application is after a specific ethernet type however the
> packets are send over a multicast MAC address.
>
> I understand that I need to register my multicast MAC address to the NIC
> before my user mode application can listen and capture these packets. I
> have searched all over and couldn’t find any way to do this.
>
> it seems that as an NDIS protocol driver I can do it, but I have no
> comtrol over the PCAP NDIS driver.
>
> I understand that the multicast list is : OID_802_3_MULTICAST_LIST. Is
> there any way to add an item to that list via user mode ? or any other way
> to control the NIC multicast list ?
>
> I have to use non-promscious mode cant be in promscious mode.
>
> Thanks in advance,
> Jim
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

3

> I understand that I need to register my multicast MAC address to the NIC before my user mode

Is it IP multicast?

If yes - then just open the UDP socket with the address of 224.x.x.x and call setsockopt of “join group” on it.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

4

Nope. MAC addresses.

Looking at WinPcap, the current inteface does not allow to add multicast
address. However, to add such a feature to the open-source code means I’ll
have to sign the driver with a valid verified kernel sig for 64 bit support
and pass WHQL to avoid the annoying windows Message box. It just to much…

Anyone can suggest why shoudn’t I use promiscious mode instead ? WinPCAP do
have a very strong filtering. I can filter only the MAC addresses that fits
my multicast but in promiscious mode. what are the precentage of NICs that
do not support promiscious mode ?

On Sun, Sep 5, 2010 at 10:39 PM, Maxim S. Shatskih
wrote:

> > I understand that I need to register my multicast MAC address to the NIC
> before my user mode
>
> Is it IP multicast?
>
> If yes - then just open the UDP socket with the address of 224.x.x.x and
> call setsockopt of “join group” on it.
>
> –
> Maxim S. Shatskih
> Windows DDK MVP
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

5

All Ethernet NICs support promiscuous mode. 802.11 does not.

Only downside is that the host will receive all traffic on the interface - which may be OK for you. Depends on your network.

Thomas F. Divine
http://www.pcausa.com

From: Jim
Sent: Sunday, September 05, 2010 4:13 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Setting up multicast MAC address.

Nope. MAC addresses.

Looking at WinPcap, the current inteface does not allow to add multicast address. However, to add such a feature to the open-source code means I’ll have to sign the driver with a valid verified kernel sig for 64 bit support and pass WHQL to avoid the annoying windows Message box. It just to much…

Anyone can suggest why shoudn’t I use promiscious mode instead ? WinPCAP do have a very strong filtering. I can filter only the MAC addresses that fits my multicast but in promiscious mode. what are the precentage of NICs that do not support promiscious mode ?

On Sun, Sep 5, 2010 at 10:39 PM, Maxim S. Shatskih wrote:

> I understand that I need to register my multicast MAC address to the NIC before my user mode

Is it IP multicast?

If yes - then just open the UDP socket with the address of 224.x.x.x and call setsockopt of “join group” on it.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

6

> what are the percentage of NICs that do not support promiscuous mode

Zero.

Especially since you just need it to mean ?at least all multicast
addresses?.

Good Luck,

Dave Cattley

7

Many thanks for your help guys.

I didn’t let go and continue to investigate if it is possible to set a
multicast address via user mode (with no NDIS protocol driver).

After some reverse engineering of the dot3svc service which add a multicast
address to the multicast list, I figure out it using NDISUIO (Ndis User mode
interface) ?

However, I find out that it is not documented for windows XP/Vista/7 but
only for WinCE. but I do see the dot3svc using that driver.

NDISUIO is a protocol driver, and they are enabling the multicast address
via a device io control that is “IOCTL_NDISUIO_SET_OID_VALUE”.

Is there any documentation for this interface ? maybe it was deprecated ?

Any help will be appreciated,
Thanks,
Jim

On Sun, Sep 5, 2010 at 11:37 PM, David R. Cattley wrote:

> > what are the percentage of NICs that do not support promiscuous mode
>
>
>
> Zero.
>
>
>
> Especially since you just need it to mean ?at least all multicast
> addresses?.
>
>
>
> Good Luck,
>
> Dave Cattley
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

8

NDISPROT is a sample NDIS protocol driver whose source in in the Windows Driver Kit.

If you use NDISPROT and its API (IOCTL_NDISUIO_SET_OID_VALUE) then NDISPROT WILL receive packets with the desired MC address.

I’m not sure whether that will actually change what Pcap receives.

Thomas F. Divine
http://www.pcausa.com

From: Jim
Sent: Tuesday, September 07, 2010 5:27 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Setting up multicast MAC address.

Many thanks for your help guys.

I didn’t let go and continue to investigate if it is possible to set a multicast address via user mode (with no NDIS protocol driver).

After some reverse engineering of the dot3svc service which add a multicast address to the multicast list, I figure out it using NDISUIO (Ndis User mode interface) ?

However, I find out that it is not documented for windows XP/Vista/7 but only for WinCE. but I do see the dot3svc using that driver.

NDISUIO is a protocol driver, and they are enabling the multicast address via a device io control that is “IOCTL_NDISUIO_SET_OID_VALUE”.

Is there any documentation for this interface ? maybe it was deprecated ?

Any help will be appreciated,
Thanks,
Jim

On Sun, Sep 5, 2010 at 11:37 PM, David R. Cattley wrote:

> what are the percentage of NICs that do not support promiscuous mode

Zero.

Especially since you just need it to mean ?at least all multicast addresses?.

Good Luck,

Dave Cattley



NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

9

I believe that the NDIS DDI contract around the packet filter (settings) and the multicast list is that it is managed ‘per binding’ by NDIS and the merged result is presented to the adapter. However, a protocol can only rely on receiving those packets which match the specification of packet filter (mask) and multicast address list that the protocol has registered with that binding.

NDIS is free to send a protocol more than it bargained for in some circumstances of course but in general I would say that it is *not* possible to manipulate the packet filter and multicast list from NDISPROT (for example) and effect PCap’s binding (for example). THat would be a rather dicey situation for sure.

Of course doing it all via a private incarnation of NDISPROT where the dataflow and control operations all operate over a single binding is totally reasonable and the correct approach. Considering that is exactly what NDISPROT was created for - to provide such support for the 802.1x supplicant to send & receive EAPOL packets.

Good Luck,
Dave Cattley

From: xxxxx@pcausa.com
To: xxxxx@lists.osr.com
Subject: Re: [ntdev] Setting up multicast MAC address.
Date: Tue, 7 Sep 2010 08:32:36 -0400

NDISPROT is a sample NDIS protocol driver whose source in in the Windows Driver Kit.

If you use NDISPROT and its API (IOCTL_NDISUIO_SET_OID_VALUE) then NDISPROT WILL receive packets with the desired MC address.

I’m not sure whether that will actually change what Pcap receives.

Thomas F. Divine
http://www.pcausa.com

From: Jim
Sent: Tuesday, September 07, 2010 5:27 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Setting up multicast MAC address.

Many thanks for your help guys.

I didn’t let go and continue to investigate if it is possible to set a multicast address via user mode (with no NDIS protocol driver).

After some reverse engineering of the dot3svc service which add a multicast address to the multicast list, I figure out it using NDISUIO (Ndis User mode interface) ?

However, I find out that it is not documented for windows XP/Vista/7 but only for WinCE. but I do see the dot3svc using that driver.

NDISUIO is a protocol driver, and they are enabling the multicast address via a device io control that is “IOCTL_NDISUIO_SET_OID_VALUE”.

Is there any documentation for this interface ? maybe it was deprecated ?

Any help will be appreciated,
Thanks,
Jim

On Sun, Sep 5, 2010 at 11:37 PM, David R. Cattley wrote:

> what are the percentage of NICs that do not support promiscuous mode

Zero.

Especially since you just need it to mean ?at least all multicast addresses?.

Good Luck,
Dave Cattley


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

10

I endorse Dave’s explanation. Even if you added your own protocol driver that sets a packet filter, that would not change the packet filter of other protocols, like PCap. If PCap’s usermode API doesn’t allow you to make its protocol driver change its multicast settings, then you have to resort to asking it to set promiscuous mode (which presumably it *does* allow). Or politely asking the maintainer of PCap to add this feature.

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of David Cattley
Sent: Tuesday, September 07, 2010 7:24 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Setting up multicast MAC address.

I believe that?the NDIS DDI contract around the packet filter?(settings) and the multicast list is that it is managed ‘per binding’ by NDIS and the merged result is presented to the adapter.? However, a protocol can only rely on receiving those packets which match the specification of?packet filter (mask) and multicast address list that?the protocol has registered with that binding.
?
NDIS is free to send a protocol more than it bargained for in some circumstances of course but in general I would say that it is *not* possible to manipulate the packet filter and multicast list from NDISPROT (for example) and effect PCap’s binding (for example).?? THat would be a rather dicey?situation for sure.
?
Of course doing it all via a private incarnation of NDISPROT where the dataflow and control operations all operate over a single binding is totally reasonable?and?the correct approach.?? Considering that is exactly what NDISPROT was created for - to provide such support for the 802.1x supplicant to send & receive EAPOL packets.
?
Good Luck,
Dave Cattley
?

From: xxxxx@pcausa.com
To: xxxxx@lists.osr.com
Subject: Re: [ntdev] Setting up multicast MAC address.
Date: Tue, 7 Sep 2010 08:32:36 -0400
NDISPROT is a sample NDIS protocol driver whose source in in the Windows Driver Kit.
?
If you use?NDISPROT and?its API (IOCTL_NDISUIO_SET_OID_VALUE) then NDISPROT WILL receive packets with the desired MC address.
?
I’m not sure whether that will actually change what Pcap receives.
?
Thomas F. Divine
http://www.pcausa.com
?

From: Jim
Sent: Tuesday, September 07, 2010 5:27 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Setting up multicast MAC address.

Many thanks for your help guys.
?
I didn’t let go and continue to investigate if it is possible to set a multicast address via user mode (with no NDIS protocol driver).
?
After some reverse engineering of the dot3svc service which?add a multicast address to the multicast list, I figure out it using NDISUIO (Ndis User mode interface) ?
?
However, I find out that it is not documented for windows XP/Vista/7 but only for WinCE. but I do see the dot3svc using that driver.
?
NDISUIO is a protocol driver, and they are enabling the multicast address via a device io control that is “IOCTL_NDISUIO_SET_OID_VALUE”.
?
Is there any documentation for this interface ? maybe it was deprecated ?
?
Any help will be appreciated,
Thanks,
Jim
On Sun, Sep 5, 2010 at 11:37 PM, David R. Cattley wrote:
> what are the percentage of NICs that do not support promiscuous mode
?
Zero.
?
Especially since you just need it to mean “at least all multicast addresses”.
?
Good Luck,
Dave Cattley


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

11

>NDISUIO is a protocol driver, and they are enabling the multicast address via a device io control that

is “IOCTL_NDISUIO_SET_OID_VALUE”.

NDISUIO is documented for WinCE and not documented for WinNT family. MS wants you to implement your own replacement for NDISUIO and use it, instead of using the OS-provided ndisuio.sys.

NDISPROT sample is a skeleton of such driver.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

12

If your NIC is connected to a switch you will also need to send the appropriate IGMP messages to the switch to join the multicast group. The switch will prune the multicast messages and only send them out the ports that have joined the group.

Larry C

13

> If your NIC is connected to a switch you will also need to send the appropriate IGMP messages to the

switch to join the multicast group. The switch will prune the multicast messages and only send them
out the ports that have joined the group.

You mix the layers here.

IGMP is IP notion, while “switch” is a MAC-level notion.

IGMPs are sent not to a switch, but to a multicast router, most networks do not have one at all.

If the OP would like to use IP multicasts - then setsockopt(“join group I’ve forgot the exact option name”) is the way to go. This will send IGMP automatically.

But I think that the OP wants something other then IP, for instance, EAPOL or such. In this case, IGMP is not in the picture.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

14

GMRP ? :slight_smile:

And I do think that some switches pay attention to IGMP via snooping to minimize unwanted Multicast Traffic to a port.

But Larry’s core point is valid. The switching/routing infrastructure may need to be ‘signaled’ to indicate that the station wishes to receive the particular group traffic.

Cheers,
Dave Cattley

From: xxxxx@storagecraft.com
Subject: Re:[ntdev] Setting up multicast MAC address.
Date: Wed, 8 Sep 2010 21:58:47 +0400
To: xxxxx@lists.osr.com

> If your NIC is connected to a switch you will also need to send the appropriate IGMP messages to the
>switch to join the multicast group. The switch will prune the multicast messages and only send them
>out the ports that have joined the group.

You mix the layers here.

IGMP is IP notion, while “switch” is a MAC-level notion.

IGMPs are sent not to a switch, but to a multicast router, most networks do not have one at all.

If the OP would like to use IP multicasts - then setsockopt(“join group I’ve forgot the exact option name”) is the way to go. This will send IGMP automatically.

But I think that the OP wants something other then IP, for instance, EAPOL or such. In this case, IGMP is not in the picture.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

15

All of the networks we setup for our customers have switches that do Multicast snooping and requires the node to send the IGMP messages to the switch to receive the multicast packets. I don’t know if Winsock is available to the OP, but in user mode, WSAJoinLeaf(…) and a couple of setsockopt(…) does this for you. Our driver uses the Fieldbus Foundation’s assigned multicast address and does the IGMP messages manually.

Larry C