TDI driver load order

Hi All,

I have a working TDI filter driver filtering all SMB traffic. Normally the driver works properly, but sometimes I see SMB traffic bypassing my driver. I verified this by sending some data from a remote client and putting a breakpoint in SrvFsdTdiReceiveHandler. The call stack in both cases (when I can capture and when I cannot) looks the same, except that my recv event handler is bypassed. I have observed this problem more on 64-bit setups than on 32-bit setups.

My theory is this: in terms of boot-time loading, my driver gets loaded immediately after NetBT. I think that before my driver gets loaded, NetBT creates some connection objects that I miss. If the remote client gets connected to one of these, I miss the data; otherwise I see it. I am not sure if I am correct in guessing this. Could somebody please corroborate?

Also, I am not quite sure how I can change my load order such that I get loaded after NetBT but before it creates any ports.

Any help/pointers would be appreciated.

Thanks.

I have no idea if your theory is correct; not my thing. I don't think that this is what you want to know, but as far as load order goes, have you tried what is documented about Groups, Tags, GroupLoadOrder, etc.? If not, search the WDK, and look at the registry entry for a driver. It sounds like you wish for some sort of notification callback or something like that; I don't know the answer to this one.

mm
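As an added example (not part of the thread, and not code from any of the posters), the following PowerShell script reads the registry entries mm points at (the service's Group and Tag, Control\ServiceGroupOrder\List and Control\GroupOrderList) and reports where a driver sits in the boot load order relative to NetBT. 'MyTdiFilter' is a placeholder service name, not a real driver; substitute your own service key. Run it from an elevated prompt on the test machine.

```powershell
# Added example, not from the thread. Reads the load-order registry entries the WDK
# documents (Group, Tag, ServiceGroupOrder\List, GroupOrderList) and reports where a
# driver sits relative to NetBT. 'MyTdiFilter' is a placeholder service name.

$ccs = 'HKLM:\SYSTEM\CurrentControlSet'

function Get-DriverLoadPosition {
    param([Parameter(Mandatory)][string]$ServiceName)

    $svcKey = "$ccs\Services\$ServiceName"
    if (-not (Test-Path $svcKey)) { throw "No service key for '$ServiceName'" }
    $svc = Get-ItemProperty -Path $svcKey
    $groupName = [string]$svc.Group

    # Load-order groups start in the order listed in ServiceGroupOrder\List (REG_MULTI_SZ).
    $groups = [string[]](Get-ItemProperty "$ccs\Control\ServiceGroupOrder").List
    $groupIndex = [array]::IndexOf($groups, $groupName)

    # Within a group, GroupOrderList\<Group> (REG_BINARY) is a DWORD count followed by the
    # tags in load order. A driver whose Tag is not in that list loads after the tagged ones.
    $tagIndex = -1
    $gol = Get-ItemProperty "$ccs\Control\GroupOrderList" -ErrorAction SilentlyContinue
    if ($groupName -and $gol -and $gol.PSObject.Properties[$groupName] -and $null -ne $svc.Tag) {
        $bytes = [byte[]]$gol.$groupName
        $count = [BitConverter]::ToInt32($bytes, 0)
        for ($i = 0; $i -lt $count; $i++) {
            if ([BitConverter]::ToInt32($bytes, 4 + 4 * $i) -eq [int]$svc.Tag) { $tagIndex = $i; break }
        }
    }

    [pscustomobject]@{
        Service    = $ServiceName
        Start      = $svc.Start      # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
        Group      = $groupName
        GroupIndex = $groupIndex     # -1: group not in List, so it loads after all listed groups
        Tag        = $svc.Tag
        TagIndex   = $tagIndex       # -1: untagged or tag not in GroupOrderList
        DependOn   = ($svc.DependOnService -join ',')
    }
}

function Compare-LoadOrder {
    param([Parameter(Mandatory)][string]$Driver, [string]$Reference = 'NetBT')
    $d = Get-DriverLoadPosition $Driver
    $r = Get-DriverLoadPosition $Reference
    $d, $r | Format-Table -AutoSize | Out-String | Write-Host

    # Start type decides first: boot (0) and system (1) start drivers are loaded by the
    # kernel, in group/tag order, before the SCM starts any auto-start (2) service at all.
    if ($d.Start -lt $r.Start) { return "$Driver loads BEFORE $Reference (earlier start phase)" }
    if ($d.Start -gt $r.Start) { return "$Driver loads AFTER $Reference (later start phase)" }

    # Same start phase: compare group position, then tag position within the group.
    $dg = if ($d.GroupIndex -lt 0) { [int]::MaxValue } else { $d.GroupIndex }
    $rg = if ($r.GroupIndex -lt 0) { [int]::MaxValue } else { $r.GroupIndex }
    $dt = if ($d.TagIndex -lt 0) { [int]::MaxValue } else { $d.TagIndex }
    $rt = if ($r.TagIndex -lt 0) { [int]::MaxValue } else { $r.TagIndex }

    if ($dg -lt $rg -or ($dg -eq $rg -and $dt -lt $rt)) { "$Driver loads BEFORE $Reference" }
    else { "$Driver loads AFTER (or in unspecified order with) $Reference" }
}

Compare-LoadOrder -Driver 'MyTdiFilter'
```

The DependOn column is worth a glance too: a DependOnService entry naming NetBT (or tcpip) pins the driver after that service regardless of Group and Tag, which is the opposite of what the original poster wants if the aim is to be in place before NetBT opens its endpoints.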

You must load your driver BEFORE NetBT to catch everything.

Follow mm’s suggestions concerning load order fixup.

Thomas F. Divine

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-300414-xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Friday, September 14, 2007 12:15 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] TDI driver load order

MM, yes, I have done the group/tag/load-order settings.

Thomas, NetBT does the job of parsing the streamed packets from TCP, giving me complete packets. If I load before NetBT, I will have to do that task myself. If I sit on top of NetBT, I can delegate this to NetBT. This is the only reason why I am loading after NetBT.

Another thing I observed: if I disable NetBT over TCP/IP (i.e. disable port 139), I miss the SMB traffic less frequently.