NDIS/Networking Newbie

Microsoft Device Drivers
03-12-2007, 07:51 AM   #1
Carl Woodward
NDIS/Networking Newbie

Dear all,

I am just beginning to start looking at NDIS and Networking and am
reasonably comfortable with the principles but am constantly confusing
myself and have found some of the NDIS documentation too technical. I guess
what I am looking for is an overview. Are there any resources on the
Internet that I can look at?

My first goal is to write a filter driver that captures all network activity
and the process context for the network request. I am principally interested
in TCP/IP connections but being able to filter all network traffic for all
adapters is my ultimate goal. My target platforms are XP, 2K3 and Vista.

Just to make sure that I am not wasting a vast amount of time, I am hoping
NDIS experts on here can set me straight on a few questions:

1. Should I be writing a filter driver similar to passthru?
2. Is it possible to capture process context for each outbound packet or is
the process context arbitrary?
3. The WDK and DDK docs hint that passthru may not be suitable for a
production driver. Is there anything significant missing from it?

Many thanks for any responses!

Carl

 
03-12-2007, 07:51 AM   #2
Stephan Wolf [MVP]
Re: NDIS/Networking Newbie

Not sure whether an NDIS Filter (so called "intermediate" = IM) driver
is the right approach for you. AFAIK, process context is not available
at driver (i.e. kernel-mode) level. Also, a TDI solution might serve
you better, but I am not a TDI expert after all.

Some thoughts on NDIS:

First note that each Windows version/variant usually introduces some
NDIS features, which is reflected by an incremented NDIS version
number. For a short overview, see here:

http://msdn.microsoft.com/library/
> Win32 and COM Development
> Windows Driver Kit
> Device and Driver Technologies
> Network
> Design Guide
> Introduction to Network Drivers
> Network Driver Programming Considerations
> NDIS Versions in Network Drivers


[Currently, this URL points there, but unfortunately MS is either
unwilling or unable to provide stable URLs for MSDN library contents:
http://msdn2.microsoft.com/en-us/library/aa938306.aspx]

Although MS propagates NDIS 6 should be used for Vista, this
unfortunately also means this NDIS driver will not run on any previous
Windows version/variant.

Thus, you might want to consider writing an NDIS 5 driver, because it
will run on all of Windows 2000, XP, 2003, and Vista (and even on
Windows 98/ME).

> 1. Should I be writing a filter driver similar to passthru?


An NDIS Filter intermediate (IM) driver implements a 1:1 relation
between a protocol and a network adapter (=miniport) driver. It thus
usually only "filters" the packet flow between some protocol and some
adapter. MUX IMs can implement other relations as well, i.e. 1:n, n:1,
and even n:n. Packets can be redirected from/to any protocols and
adapters in any way. A MUX IM however requires a more complex design
and implementation (e.g., a so-called Notify Object user-mode program
is usually also required).

> 2. Is it possible to capture process context for each outbound packet or is
> the process context arbitrary?


Not sure but AFAIK you will not be able to get any originating process
context information at driver level. I might be wrong here.

> 3. The WDK and DDK docs hint that passthru may not be suitable for a
> production driver. Is there anything significant missing from it?


Well, passthru simply does "nothing". Many people have used it as a
starting point for their production IM drivers.

HTH, Stephan
---
On Mar 19, 10:29 am, "Carl Woodward" <pppooiiiu...@llkkjjhhgg.com>
wrote:
> Dear all,
>
> I am just beginning to start looking at NDIS and Networking and am
> reasonably comfortable with the principles but am constantly confusing
> myself and have found some of the NDIS documentation too technical. I guess
> what I am looking for is an overview. Are there any resources on the
> Internet that I can look at?
>
> My first goal is to write a filter driver that captures all network activity
> and the process context for the network request. I am principally interested
> in TCP/IP connections but being able to filter all network traffic for all
> adapters is my ultimate goal. My target platforms are XP, 2K3 and Vista.
>
> Just to make sure that I am not wasting a vast amount of time, I am hoping
> NDIS experts on here can set me straight on a few questions:
>
> 1. Should I be writing a filter driver similar to passthru?
> 2. Is it possible to capture process context for each outbound packet or is
> the process context arbitrary?
> 3. The WDK and DDK docs hint that passthru may not be suitable for a
> production driver. Is there anything significant missing from it?
>
> Many thanks for any responses!
>
> Carl



 
03-12-2007, 07:53 AM   #4
Pavel A.
RE: NDIS/Networking Newbie

"Carl Woodward" wrote:
> Dear all,
>
> I am just beginning to start looking at NDIS and Networking and am
> reasonably comfortable with the principles but am constantly confusing
> myself and have found some of the NDIS documentation too technical. I guess
> what I am looking for is an overview. Are there any resources on the
> Internet that I can look at?
>
> My first goal is to write a filter driver that captures all network activity
> and the process context for the network request. I am principally interested
> in TCP/IP connections but being able to filter all network traffic for all
> adapters is my ultimate goal. My target platforms are XP, 2K3 and Vista.
>
> Just to make sure that I am not wasting a vast amount of time, I am hoping
> NDIS experts on here can set me straight on a few questions:
>
> 1. Should I be writing a filter driver similar to passthru?
> 2. Is it possible to capture process context for each outbound packet or is
> the process context arbitrary?
> 3. The WDK and DDK docs hint that passthru may not be suitable for a
> production driver. Is there anything significant missing from it?
>
> Many thanks for any responses!
>
> Carl


As Stephan wrote, Windows OSes before Vista do not support filtering
on per-process level (at least, not as documented).
The IM model does not help here at all - it is a global filter on the
level far below TCP/IP.
For per-process hooking, one solution is TDI level filter, for which a good
starting point is http://www.pcausa.com/tdisamp/default.htm
Another solution is hooking in user mode (LSP). AFAIK, LSP are rarely
considered by serious developers these days, because they are too fragile and
commonly used by malware. MS recently published some new LSP samples, so
maybe this situation has changed.

Vista has a lot of new things: the filtering platform instead of TDI;
routing apartments, and also there are rumors on new development in per-app
virtualization.
So, not sure that a single solution is good for Vista and previous OSes...
depends on the actual task.

Regards,
--PA

 
03-12-2007, 07:56 AM   #6
Steve Jackowski
RE: NDIS/Networking Newbie


Carl,

If you're interested in a cross-platform IM-like framework (9x through
64-bit Vista, CE/PocketPC/Mobile 5, Macintosh, Solaris, Linux) where a single
driver will run on all platforms, please take a look at our DNE product
www.determinsticnetworks.com/products/dne.asp. It is installed in millions
of systems and actually does have an option to provide a process context at
the IM level.


Steve
"Carl Woodward" wrote:

> Dear all,
>
> I am just beginning to start looking at NDIS and Networking and am
> reasonably comfortable with the principles but am constantly confusing
> myself and have found some of the NDIS documentation too technical. I guess
> what I am looking for is an overview. Are there any resources on the
> Internet that I can look at?
>
> My first goal is to write a filter driver that captures all network activity
> and the process context for the network request. I am principally interested
> in TCP/IP connections but being able to filter all network traffic for all
> adapters is my ultimate goal. My target platforms are XP, 2K3 and Vista.
>
> Just to make sure that I am not wasting a vast amount of time, I am hoping
> NDIS experts on here can set me straight on a few questions:
>
> 1. Should I be writing a filter driver similar to passthru?
> 2. Is it possible to capture process context for each outbound packet or is
> the process context arbitrary?
> 3. The WDK and DDK docs hint that passthru may not be suitable for a
> production driver. Is there anything significant missing from it?
>
> Many thanks for any responses!
>
> Carl
>
>

 
03-12-2007, 07:57 AM   #8
Pavel A.
RE: NDIS/Networking Newbie

Hi Steve,

But DNE provides process context by hooking on TDI level, it is not pure IM?

--PA


"Steve Jackowski" wrote:
>
> Carl,
>
> If you're interested in a cross-platform IM-like framework (9x through
> 64-bit Vista, CE/PocketPC/Mobile 5, Macintosh, Solaris, Linux) where a single
> driver will run on all platforms, please take a look at our DNE product
> www.determinsticnetworks.com/products/dne.asp. It is installed in millions
> of systems and actually does have an option to provide a process context at
> the IM level.
>
>
> Steve
> "Carl Woodward" wrote:
>
> > Dear all,
> >
> > I am just beginning to start looking at NDIS and Networking and am
> > reasonably comfortable with the principles but am constantly confusing
> > myself and have found some of the NDIS documentation too technical. I guess
> > what I am looking for is an overview. Are there any resources on the
> > Internet that I can look at?
> >
> > My first goal is to write a filter driver that captures all network activity
> > and the process context for the network request. I am principally interested
> > in TCP/IP connections but being able to filter all network traffic for all
> > adapters is my ultimate goal. My target platforms are XP, 2K3 and Vista.
> >
> > Just to make sure that I am not wasting a vast amount of time, I am hoping
> > NDIS experts on here can set me straight on a few questions:
> >
> > 1. Should I be writing a filter driver similar to passthru?
> > 2. Is it possible to capture process context for each outbound packet or is
> > the process context arbitrary?
> > 3. The WDK and DDK docs hint that passthru may not be suitable for a
> > production driver. Is there anything significant missing from it?
> >
> > Many thanks for any responses!
> >
> > Carl
> >
> >

 
03-12-2007, 07:57 AM   #10
Steve Jackowski
RE: NDIS/Networking Newbie

PA,

We use different user-space mechanisms to get both process and user context
(including terminal services users). On pre-Vista, you are correct, we use
TDI along with user processes/services. On Vista, we're moving to WFP, and
on other platforms (e.g. Mac and CE/PPC/Mobile 5) we use whatever interfaces
are most efficient for collecting and matching process information with flows
(including pre-fetching user/process information before flows start).

But you are correct in your point that an IM-level module can't get this
information with native interfaces. Our goal is to offer a framework that
insulates the developer from the limitations of specific OSs.


Steve

"Pavel A." wrote:

> Hi Steve,
>
> But DNE provides process context by hooking on TDI level, it is not pure IM?
>
> --PA
>
>
> "Steve Jackowski" wrote:
> >
> > Carl,
> >
> > If you're interested in a cross-platform IM-like framework (9x through
> > 64-bit Vista, CE/PocketPC/Mobile 5, Macintosh, Solaris, Linux) where a single
> > driver will run on all platforms, please take a look at our DNE product
> > www.determinsticnetworks.com/products/dne.asp. It is installed in millions
> > of systems and actually does have an option to provide a process context at
> > the IM level.
> >
> >
> > Steve
> > "Carl Woodward" wrote:
> >
> > > Dear all,
> > >
> > > I am just beginning to start looking at NDIS and Networking and am
> > > reasonably comfortable with the principles but am constantly confusing
> > > myself and have found some of the NDIS documentation too technical. I guess
> > > what I am looking for is an overview. Are there any resources on the
> > > Internet that I can look at?
> > >
> > > My first goal is to write a filter driver that captures all network activity
> > > and the process context for the network request. I am principally interested
> > > in TCP/IP connections but being able to filter all network traffic for all
> > > adapters is my ultimate goal. My target platforms are XP, 2K3 and Vista.
> > >
> > > Just to make sure that I am not wasting a vast amount of time, I am hoping
> > > NDIS experts on here can set me straight on a few questions:
> > >
> > > 1. Should I be writing a filter driver similar to passthru?
> > > 2. Is it possible to capture process context for each outbound packet or is
> > > the process context arbitrary?
> > > 3. The WDK and DDK docs hint that passthru may not be suitable for a
> > > production driver. Is there anything significant missing from it?
> > >
> > > Many thanks for any responses!
> > >
> > > Carl
> > >
> > >
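Pavel's point that an IM driver sits far below TCP/IP and only ever sees frames, and Steve's description of collecting process information at another layer and matching it to flows, are two halves of the same design: the packet path cannot name a process by itself, so it has to join against a table that a TDI filter, a WFP callout or a user-mode service filled in earlier. The following is an added example, not code from this thread, from the passthru sample or from the DNE product. `parse_frame` extracts a flow key from a raw Ethernet/IPv4 frame, which is all an IM-level module has, and `owner_pid` looks the local endpoint up in an owner table. The frame bytes, the owner table and the PIDs are constructed sample data, and the table layout is an assumption; a real collector would populate it from whichever layer has the process context on that Windows version (TDI before Vista, WFP on Vista, as discussed above).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flow key as recoverable from a raw frame (all an IM driver sees). */
typedef struct {
    uint32_t src_ip, dst_ip;     /* IPv4 addresses, host byte order */
    uint16_t src_port, dst_port; /* TCP/UDP ports, host byte order */
    uint8_t  proto;              /* 6 = TCP, 17 = UDP */
} flow_key_t;

/* One record as a TDI/WFP/user-mode collector would supply it (assumed layout):
 * local endpoint -> owning process id. local_ip 0 means bound to 0.0.0.0. */
typedef struct {
    uint32_t local_ip;
    uint16_t local_port;
    uint8_t  proto;
    uint32_t pid;
} endpoint_owner_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse Ethernet II / IPv4 / TCP-or-UDP headers into a flow key.
 * Returns 1 on success, 0 for anything that is not well-formed IPv4 TCP/UDP
 * (wrong EtherType, truncated header, bad IHL, inconsistent total length). */
int parse_frame(const uint8_t *frame, size_t len, flow_key_t *key)
{
    if (len < 14 || rd16(frame + 12) != 0x0800) return 0;      /* not IPv4 */
    const uint8_t *ip = frame + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    uint16_t total = rd16(ip + 2);
    if (ihl < 20 || total < ihl + 4 || total > iplen) return 0; /* need room for the ports */
    key->proto = ip[9];
    if (key->proto != 6 && key->proto != 17) return 0;
    key->src_ip = rd32(ip + 12);
    key->dst_ip = rd32(ip + 16);
    key->src_port = rd16(ip + ihl);
    key->dst_port = rd16(ip + ihl + 2);
    return 1;
}

/* Attribute a flow to a process: outbound frames carry the local endpoint as
 * source, inbound frames as destination. Returns the PID, or 0 when no
 * collector record matches (raw sockets, or a packet seen before the endpoint
 * was recorded); callers must treat 0 as "unknown", never as a real process. */
uint32_t owner_pid(const endpoint_owner_t *tbl, size_t n, const flow_key_t *k, int outbound)
{
    uint32_t ip   = outbound ? k->src_ip   : k->dst_ip;
    uint16_t port = outbound ? k->src_port : k->dst_port;
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].proto == k->proto && tbl[i].local_port == port &&
            (tbl[i].local_ip == ip || tbl[i].local_ip == 0))
            return tbl[i].pid;
    }
    return 0;
}

/* Constructed sample data (not captured traffic): one outbound TCP SYN
 * 192.168.1.10:49152 -> 93.184.216.34:443, plus an owner table as a
 * TDI/WFP collector might have filled it. PIDs are hypothetical. */
const uint8_t SAMPLE_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet, IPv4 */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,             /* IPv4, len 40, TCP */
    0xc0,0xa8,0x01,0x0a, 0x5d,0xb8,0xd8,0x22,                                  /* src, dst address */
    0xc0,0x00,0x01,0xbb, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,             /* ports, seq, ack */
    0x50,0x02,0x20,0x00, 0x00,0x00,0x00,0x00                                   /* hdr len, SYN, win */
};
const endpoint_owner_t OWNERS[] = {
    { 0xC0A8010Au, 49152, 6,  1234 }, /* hypothetical browser, PID 1234 */
    { 0u,          53,    17, 900  }, /* hypothetical DNS service bound to 0.0.0.0:53 */
};
#define OWNER_COUNT (sizeof OWNERS / sizeof OWNERS[0])

int main(void)
{
    flow_key_t k;
    if (!parse_frame(SAMPLE_FRAME, sizeof SAMPLE_FRAME, &k)) return 1;
    printf("proto %u local port %u -> remote port %u : PID %u\n",
           (unsigned)k.proto, (unsigned)k.src_port, (unsigned)k.dst_port,
           (unsigned)owner_pid(OWNERS, OWNER_COUNT, &k, 1));
    return 0;
}
```

The two checks that matter for a monitoring use case are the ones the driver path cannot skip: the parser rejects truncated or inconsistent headers rather than reading past the buffer, and a lookup miss is reported as 0 so that unattributed traffic shows up as such in whatever log or alert consumes it, instead of being silently credited to some process.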
