UINT16 query

Hi,

I am working with the packet inspection example in the DDK. I want to be able to allow/disallow packets based on local port number. I have put in a simple rules table, and want to be able to compare each packet against the table.

The code is in place, but is not working. I have put some debugging statements in the code to see what local port each packet has.

I am getting some really wacky port numbers so just wanted to check my logic.

DbgPrint ("The local port is %hi \n", packet->localPort);

The local port is declared as

union
{
UINT16 localPort;
UINT16 icmpType;
};
union
{
UINT16 remotePort;
UINT16 icmpCode;
};

in the structure, so I guess I am dealing with UINT16 :slight_smile:

Now my rules table has the port numbers declared as int.

Firstly, what is the correct formatting string to use with DbgPrint to check the value out to the DebugView window.

Secondly, is there a cast I need to do before comparing a UINT16 with an int?

Thanks in advance

Are you converting the ports from big endian to little endian?

Bill

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of xxxxx@yahoo.co.uk
Sent: Monday, November 17, 2008 12:34 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] UINT16 query

Hi,

I am working with the packet inspection example in the DDK. I want to be
able to allow/disallow packets based on local port number. I have put in a
simple rules table, and want to be able to compare each packet against the
table.

The code is in place, but is not working. I have put some debugging
statements in the code to see what local port each packet has.

I am getting some really wacky port numbers so just wanted to check my
logic.

DbgPrint ("The local port is %hi \n", packet->localPort);

The local port is declared as

union
{
UINT16 localPort;
UINT16 icmpType;
};
union
{
UINT16 remotePort;
UINT16 icmpCode;
};

in the structure, so I guess I am dealing with UINT16 :slight_smile:

Now my rules table has the port numbers declared as int.

Firstly, what is the correct formatting string to use with DbgPrint to check
the value out to the DebugView window.

Secondly, is there a cast I need to do before comparing a UINT16 with an
int?

Thanks in advance


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

That’d be a no. How do I go about this?

> Firstly, what is the correct formatting string to use with DbgPrint to
> check the value out to the DebugView window.

IIRC that would be just like printf :slight_smile:

> Secondly, is there a cast I need to do before comparing a UINT16 with an
> int?

The compiler warned you about signed/unsigned comparison. You’ve seen in
the header files that UINT16 is unsigned short. So your question would be,
“is there a cast I need to do before comparing an unsigned short with an
int?” You could have a look at K&R for starters, or post C questions to
comp.lang.c as an alternative. Having said this, how about
((int)(unsigned_short_thing) compare-operator int_thing) for a first
attempt?

I’m guessing you might need htons and ntohs here; just guessing.

Good luck!

Network data is in big endian format. For example, port 80 would be 0050 in
the network packet. If you use this as a USHORT it would be 5000 which is
not what you want. Use RtlUShortByteSwap to convert one to the other.

Bill

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of xxxxx@yahoo.co.uk
Sent: Monday, November 17, 2008 12:47 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] UINT16 query

That’d be a no. How do I go about this?



All good advice.

Also look out for structure alignment problems.

Network structures generally have byte alignment since network data
is stream of bytes.

On the other hand compilers like to “optimise” for the target O/S by
aligning structure fields on 4, 8 or 16 byte (or sometimes more)
boundaries. This can have some seemingly weird effect when assigning
or copying data from network structures/packets in to local structures.

You may need to look up the “#pragma pack()” compiler directive.

Mark.

At 18:01 17/11/2008, Bill Wandel wrote:

Network data is in big endian format. For example, port 80 would be 0050 in
the network packet. If you use this as a USHORT it would be 5000 which is
not what you want. Use RtlUShortByteSwap to convert one to the other.

Bill


Wow this is worse!

DbgPrint ("The local port is %hi \n", RtlUShortByteSwap(packet->localPort));

Now I don’t just get wacky port numbers I get negative wacky port numbers.

Anybody?

Thanks

When I do the google search ( of course, first I’ve to know the
terms/word I’m searching :-), in this case ntoh, hton etc… And I get a
bunch of source code that I can easily test ( and then port to the KM of
windows )…

Benefits –

(1) Generic routine to do the stuff over and over again.
(2) Porting to KM using DDI would be almost automatic/mechanical.

Here is one for ref -

http://www.student.cs.uwaterloo.ca/~cs350/common/os161-src-html/ntoh_8c-source.html

-pro

xxxxx@yahoo.co.uk wrote:

That’d be a no. How do I go about this?



I think it might be helpful to show (1) what you are seeing; (2) the code that’s producing it; and
(3) what you are expecting to see.

mm

xxxxx@yahoo.co.uk wrote:

Wow this is worse!

DbgPrint ("The local port is %hi \n", RtlUShortByteSwap(packet->localPort));

Now I don’t just get wacky port numbers I get negative wacky port numbers.

Anybody?

Thanks

Why in the world would you define your own, when OS’es either have these
defined, or that you could easily do a #define nton RtlUlongByteSwap for the
windows.

Sorry, when I see this stuff in code I inherit it immediately fires off the
“crappy code warning” since if the bozo who did this felt they needed to
repro the OS code, they probably got it wrong.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

“Prokash Sinha” wrote in message news:xxxxx@ntdev…
> When I do the google search ( of course, first I’ve to know the terms/word
> I’m searching :-), in this case ntoh, hton etc… And I get a bunch of
> source code that I can easily test ( and then port to the KM of
> windows )…
>
> Benefits –
>
> (1) Generic routine to do the stuff over and over again.
> (2) Porting to KM using DDI would be almost automatic/mechanical.
>
> Here is one for ref -
>
> http://www.student.cs.uwaterloo.ca/~cs350/common/os161-src-html/ntoh_8c-source.html
>
> -pro
>
>
> xxxxx@yahoo.co.uk wrote:
>> That’d be a no. How do I go about this?

Yes. You passed an unsigned short and asked it to be written out as a signed short. On two’s complement systems with 16-bit shorts, any unsigned short with the 0x8000 bit set will be formatted as a negative value if you specify that it’s to be treated as a signed short.

If you want an unsigned value printed, you need to use the right format string. DbgPrint uses the same format strings as standard printf, with some extensions for displaying counted strings (%Z).

The same thing would have happened if you passed an unsigned short with the 0x8000 bit set to standard printf() using %hi in user mode on your computer. Recall that “i” specifies a signed and not an unsigned quantity.

- S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.co.uk
Sent: Monday, November 17, 2008 1:26 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] UINT16 query

Wow this is worse!

DbgPrint ("The local port is %hi \n", RtlUShortByteSwap(packet->localPort));

Now I don’t just get wacky port numbers I get negative wacky port numbers.

Anybody?

Thanks



No it does not have to be copied verbatim. If a single API does the job,
that is the best… but the person has to know what (s)he is after…

If the person does not know the basics, then just taking something as
granted would be dangerous. Did not seem like the person knew what those
ordering…

According to me, every one has their level to shoot first, then proceed.

And please try to guess others intention, Don, mind you for your crappy
words :frowning:

-pro


Don Burn wrote:

Why in the world would you define your own, when OS’es either have these
defined, or that you could easily do a #define nton RtlUlongByteSwap for the
windows.

Sorry, when I see this stuff in code I inherit it immediately fires off the
“crappy code warning” since if the bozo who did this felt they needed to
repro the OS code, they probably got it wrong.

I stand by my words, there is no way anyone could interpret your earlier
posting as being anything other than roll your own. And, yes when I see
people invent their own code when there are well known OS facilities to do
it, then the rest of the code is likely to be crap also. Note: I say
likely, I think I have seen one case where it wasn’t but that was over 20
years ago.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

“Prokash Sinha” wrote in message news:xxxxx@ntdev…
> No it does not have to be copied verbatim. If a single API does the job,
> that is the best… but the person has to know what (s)he is after…
>
> If the person does not know the basics, then just taking something as
> granted would be dangerous. Did not seem like the person knew what those
> ordering…
>
> According to me, every one has their level to shoot first, then proceed.
>
> And please try to guess others intention, Don, mind you for your crappy
> words :frowning:
>
> -pro
>

You stand by your word, stand tall…, that’s fine by me … I’ve no
objection to that. I never encouraged anyone to roll something on their
own without justification, I even had arguments with Alberto, and others
on this list on that area… Here I mentioned as a ref, that should be
an enough indication that it is not THE SOLUTION.

Here is a case, where I suggested one way to know what the person is
after. This is what I call stepwise refinement. The person doesn’t know what
those orderings, much less is to use even a single API.

Can we cut this shit now !

-pro

Don Burn wrote:

I stand by my words, there is no way anyone could interpret your earlier
posting as being anything other than roll your own. And, yes when I see
people invent their own code when there are well known OS facilities to do
it, then the rest of the code is likely to be crap also. Note: I say
likely, I think I have seen one case where it wasn’t but that was over 20
years ago.

There are intrinsic functions in the current WDK compiler that will do the
16, 32 or 64 bit byte swaps in one instruction once the big-endian value is
loaded into a register.

wrote in message news:xxxxx@ntdev…
> That’d be a no. How do I go about this?
>

I can hardly believe that here on ntdev we’re explaining 2’s complement
versus 1’s complement :slight_smile:

“Skywing” wrote in message
news:xxxxx@ntdev…
Yes. You passed an unsigned short and asked it to be written out as a
signed short. On two’s complement systems with 16-bit shorts, any unsigned
short with the 0x8000 bit set will be formatted as a negative value if you
specify that it’s to be treated as a signed short.

If you want an unsigned value printed, you need to use the right format
string. DbgPrint uses the same format strings as standard printf, with some
extensions for displaying counted strings (%Z).

The same thing would have happened if you passed an unsigned short with the
0x8000 bit set to standard printf() using %hi in user mode on your computer.
Recall that “i” specifies a signed and not an unsigned quantity.

- S


That was primarily included as a self-defense against the pedantic nitpicker types.

- S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Lyndon J Clarke
Sent: Monday, November 17, 2008 4:08 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] RE:UINT16 query

I can hardly believe that here on ntdev we’re explaining 2’s complement
versus 1’s complement :slight_smile:


You’re so paranoid, there’s definitely no one like that around here :slight_smile:

I like this thread because I learned two new ways to swap the bytes in a
short (would have been three if Prokash had posted his implementation).

-scott


Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Skywing” wrote in message
news:xxxxx@ntdev…
That was primarily included as a self-defense against the pedantic nitpicker
types.

- S


I think that part of the problem is that not everyone knows all the
functions that are available. Someone new to Windows driver development
needs to sit down with the WDK documentation and go through all the
functions to get an idea of what’s available. Even someone who is not new
should occasionally go through the documentation. And, I definitely know
developers who have implemented their own ntohs functions who do not write
“crappy” code.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of Don Burn
Sent: Monday, November 17, 2008 2:11 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] UINT16 query

I stand by my words, there is no way anyone could interpret your earlier
posting as being anything other than roll your own. And, yes when I see
people invent their own code when there are well known OS facilities to do
it, then the rest of the code is likely to be crap also. Note: I say
likely, I think I have seen one case where it wasn’t but that was over 20
years ago.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


Wow, lots of cross fire. :slight_smile:

As I said before, I am no further forward. I have swapped bytes around using RtlUShortByteSwap
and someone helpfully posted that DbgPrint and printf are the same function (yawn). Still I NEED someone to go to the try line and stop speaking in riddles.

I posted code

DbgPrint ("The local port is %hi \n", RtlUShortByteSwap(packet->localPort));

And someone pointed out that i is for signed integers. But no one actually posted how to correctly DbgPrint a UINT16. That is really all I’m asking. The big endian to little endian byte swapping was a big steer I’m sure.

I remember 2’s complement from years ago, but do we really have to go bit flipping? Surely to close this thread off someone just needs to dump some code that will work.

I have recently tried

DbgPrint ("The local port is %hu \n", RtlUShortByteSwap(packet->localPort));

I am expecting to see port 80, as it is a browser I am using to generate the packets.

Thanks
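
The three points raised in this thread (network byte order, %hi versus %hu, and comparing a UINT16 against an int rule) pulled together as an added example; it is not code from any poster or from the DDK sample. It is plain user-mode C so it runs anywhere: swap16 stands in for RtlUShortByteSwap, snprintf for DbgPrint, and the names read_be16, rules, check_port, fmt_hi, fmt_hu and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the two port bytes of a TCP header for port 80,
   exactly as they appear on the wire (network order = big endian). */
static const unsigned char wire_port80[2] = { 0x00, 0x50 };

/* Portable 16-bit swap; in a driver RtlUShortByteSwap does this job. */
static uint16_t swap16(uint16_t v)
{
    return (uint16_t)((v >> 8) | (v << 8));
}

/* Read a big-endian 16-bit field byte by byte. Correct on any host
   endianness and independent of structure alignment. */
static uint16_t read_be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Hypothetical rules table with ports declared as int, as in the question. */
struct rule { int port; int allow; };
static const struct rule rules[] = { { 80, 1 }, { 443, 1 }, { 23, 0 } };

/* Returns 1 = allow, 0 = deny, -1 = no rule. host_port must be in host byte
   order. A UINT16 promotes to int without loss, so no cast is needed. */
static int check_port(uint16_t host_port)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (rules[i].port < 0 || rules[i].port > 0xFFFF)
            continue;               /* can never match a 16-bit port */
        if (host_port == rules[i].port)
            return rules[i].allow;
    }
    return -1;
}

/* %hi reinterprets the value as a signed short: ports >= 32768 go negative. */
static const char *fmt_hi(uint16_t port)
{
    static char buf[16];
    snprintf(buf, sizeof buf, "%hi", port);
    return buf;
}

/* %hu prints the same 16 bits as unsigned, which is what a port is. */
static const char *fmt_hu(uint16_t port)
{
    static char buf[16];
    snprintf(buf, sizeof buf, "%hu", port);
    return buf;
}

int main(void)
{
    uint16_t raw;
    memcpy(&raw, wire_port80, sizeof raw);  /* what the UINT16 field holds */
    printf("stored: %s, ", fmt_hu(raw));
    printf("converted: %s\n", fmt_hu(read_be16(wire_port80)));
    printf("50000 via %%hi: %s, via %%hu: %s\n", fmt_hi(50000), fmt_hu(50000));
    return 0;
}
```

A rule lookup on the unswapped value finds no match at all, so a filter with this mistake fails silently instead of reporting an error.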