We have a product that uses a TDI filter on Windows 5.x and we are in the process of updating the product to support Windows 6.x.
The TDI filter loads OK and visibility into the network events seems to be fine. Two things do not work right now (there may be others, though):
- Enumeration of extant bound ports and network connections (based on the undocumented IOCTL_TCP_QUERY_INFORMATION_EX)
- Detection of the offsets of TDI_EVENT_* in pFileObject->FsContext, where pFileObject is a TDI address object. I believe when a TDI client in Vista registers event callbacks, these are stored in a different location as compared to where they were stored in Windows 5.x. On 5.x one could detect these offsets by creating a TDI connection object and registering a handler and scanning pFileObject->FsContext until a match was found.
This brings me to my questions:
- How well do TDI filters perform in Vista? I caught a few references on the forums about TDI being emulated under Vista (tdx.sys). Is there a big performance penalty? Does emulation cover only TDI clients, or are TDI filters also supported?
- My filter attaches to \Device\Tcp and on Windows 5.x sees all requests sent to \Device\Tcp (both in-kernel and from user-space via AFD.sys). Is layering different in the new networking stack? Is there a request path that I may miss with a TDI filter in Vista? Are AFD.sys, HTTP.sys, and NETBT.sys still TDI clients, or have they been rewritten using Winsock Kernel?
- Is there a way to get the extant ports and links using a variant of IOCTL_TCP_QUERY_INFORMATION_EX? What is the correct way to get this information in Vista? I am looking for the equivalent of netstat -anop tcp in the kernel.
- I realize that the recommended way of porting a TDI filter is to use WFP. Does WFP provide the same visibility as the one obtained by a TDI filter? For example, a year ago, when I looked at WFP I did not find a callout for a port being unbound.
Thank you in advance,
Best,
–aydan
> 1. How well do TDI filters perform in Vista?
They do not perform at all.
Lots of new Vista’s components do not use TDI and their traffic cannot be filtered by TDI.
Use WFP on Vista+ instead.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
> 2. My filter attaches to \Device\Tcp and on Windows 5.x sees all requests sent to \Device\Tcp (both in-kernel and from user-space via AFD.sys). Is layering different in the new networking stack?
Yes. \Device\Tcp is a TDI emulator’s device and is not used by most other components.
> Is there a request path that I may miss with a TDI filter in Vista? Are AFD.sys, HTTP.sys, and NETBT.sys still TDI clients or they have been rewritten using Winsock Kernel?
AFD.SYS - yes for sure, HTTP - yes IIRC, NETBT - don’t remember.
Look at the import tables of these binaries; if you see WskXxx and/or NmrXxx, then they are not TDI.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
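The import-table check suggested above can be automated. The following is an added example, not code from this thread: it parses the import directory of a PE32/PE32+ image and reports whether any imported symbol starts with `Wsk` or `Nmr`. Because a real driver binary is not available offline, the block also assembles a minimal, constructed PE32+ image in memory (one `.idata` section) so the parser can be exercised; the module and symbol names used there are constructed sample input, and `build_sample_image`, `parse_imports` and `uses_wsk_or_nmr` are names chosen for this example.

```python
"""Report whether a Windows driver image imports WskXxx/NmrXxx (WSK/NMR) symbols."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
WSK_NMR_PREFIXES = ("Wsk", "Nmr")


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table (va, raw_size, raw_ptr)."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data, offset):
    """Read a NUL-terminated ASCII string."""
    return data[offset:data.index(b"\0", offset)].decode("ascii")


def parse_imports(image):
    """Return [(module, symbol), ...] from the PE import directory.

    Ordinal-only imports are reported as (module, '#<ordinal>')."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]  # SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x20B:    # PE32+: data directories start at +112, 64-bit thunks
        dir_off, thunk_fmt, ordinal_flag = 112, "<Q", 1 << 63
    elif magic == 0x10B:  # PE32: data directories start at +96, 32-bit thunks
        dir_off, thunk_fmt, ordinal_flag = 96, "<I", 1 << 31
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    imp_rva, _imp_size = struct.unpack_from(
        "<II", image, opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    for i in range(nsec):  # VirtualAddress, SizeOfRawData, PointerToRawData at +12
        sections.append(struct.unpack_from("<III", image, opt + opt_size + 40 * i + 12))
    result = []
    if imp_rva == 0:
        return result
    desc = _rva_to_offset(sections, imp_rva)
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", image, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        module = _cstring(image, _rva_to_offset(sections, name_rva))
        thunk = _rva_to_offset(sections, oft or ft)
        while True:  # thunk array, terminated by 0
            entry = struct.unpack_from(thunk_fmt, image, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                result.append((module, f"#{entry & 0xFFFF}"))
            else:  # IMAGE_IMPORT_BY_NAME: 2-byte hint followed by the name
                result.append((module, _cstring(image, _rva_to_offset(sections, entry) + 2)))
            thunk += struct.calcsize(thunk_fmt)
        desc += 20
    return result


def uses_wsk_or_nmr(image):
    """True when the image imports any WskXxx or NmrXxx symbol, i.e. it is not a plain TDI client."""
    return any(sym.startswith(WSK_NMR_PREFIXES) for _, sym in parse_imports(image))


def build_sample_image(imports):
    """Constructed test input: a minimal PE32+ with one .idata section (not a real driver).
    `imports` maps module name -> list of symbol names."""
    sec_rva, sec_raw = 0x1000, 0x200
    blob = bytearray()

    def put(b):  # append to the section and return the RVA of the appended bytes
        blob.extend(b)
        return sec_rva + len(blob) - len(b)

    put(b"\0" * (20 * (len(imports) + 1)))  # descriptor slots, patched below
    for i, (module, syms) in enumerate(imports.items()):
        name_rva = put(module.encode() + b"\0")
        hints = [put(b"\0\0" + s.encode() + b"\0") for s in syms]
        thunk_rva = put(b"".join(struct.pack("<Q", r) for r in hints + [0]))
        struct.pack_into("<IIIII", blob, 20 * i, thunk_rva, 0, 0, name_rva, thunk_rva)
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240); struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, sec_rva, 20 * (len(imports) + 1))
    sec = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(blob), sec_rva, len(blob), sec_raw, 0, 0, 0, 0, 0)
    head = bytes(dos) + nt + bytes(opt) + sec
    return head + b"\0" * (sec_raw - len(head)) + bytes(blob)


if __name__ == "__main__":
    for label, imps in (("wsk-style", {"NETIO.SYS": ["WskRegister", "WskSocket"]}),
                        ("tdi-style", {"tdi.sys": ["TdiRegisterPnPHandlers"]})):
        img = build_sample_image(imps)
        print(label, parse_imports(img), "-> WSK/NMR:", uses_wsk_or_nmr(img))
```

To run it against a real binary, read the file with `open(path, "rb").read()` and pass the bytes to `uses_wsk_or_nmr`; the builder is only there so the example runs offline.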
Please give an example of traffic not filterable using TDI drivers on Vista. From my experience TDI filters work OK in Vista and W7. There are some drivers which bypass TDI filters (I don’t remember exactly, but I think some VPN traffic goes directly to TCPIP sys) but this is true on XP also.
WFP is still new, it probably is faster, it certainly is easier to write a WFP filter, but there are still some issues remaining to be solved. Port closing callouts are available in W7.
Maxim,
Thank you for the reply. I did fix some of my issues and now I have my TDI filter working on Vista. It requires a reboot to see all connection activities, but it does see traffic going through AFD.sys and through HTTP.sys. I have not run any performance tests, though.
Given that the AFD and HTTP drivers should be using WSK, I wonder how my TDI filter sees their activity. Does the act of attaching to \Device\Tcp trigger an emulation mode that forces WSK calls to be translated and passed through \Device\Tcp?
I still may be missing some traffic, e.g., sends and receives. TDI used to have the direct send handler option, which does not seem to be provided by TDX.sys (IOCTL_TDI_QUERY_DIRECT_SEND_HANDLER returns a NULL handler in Vista).
Thanks, again.
–aydan