Problem with matching kind of NDIS driver.

TheMSsForum.com: The Microsoft Software Forum

Hi,
I have to write the driver, which will be monitoring all network activity
(all protocols) and get PID (identity of the process) which is directly
responsible for that. Unfortunately, I don't know which kind of NDIS drivers
will be best for that. I think, the best will be NDIS Intermediate Driver,
but I can be mistaken. Please help me with matching kind of driver.

--
With regards
thanks,
Witek
Top

Re: Problem with matching kind of NDIS driver. by Maxim

Maxim
Mon Jul 09 13:32:00 CDT 2007

TDI filters or Vista's new filtering platform is the solution.

On NDIS level, process context is lost - too low a level.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

"Witoslaw Jozewicz" <wj78[NoSpaM](at)wp.pl> wrote in message
news:eu1FL%23kwHHA.1208@TK2MSFTNGP05.phx.gbl...
> Hi,
> I have to write the driver, which will be monitoring all network activity
> (all protocols) and get PID (identity of the process) which is directly
> responsible for that. Unfortunately, I don't know which kind of NDIS drivers
> will be best for that. I think, the best will be NDIS Intermediate Driver,
> but I can be mistaken. Please help me with matching kind of driver.
>
> --
> With regards
> thanks,
> Witek
>
>

Top

Re: Problem with matching kind of NDIS driver. by Witoslaw

Witoslaw
Mon Jul 09 14:57:54 CDT 2007

"Maxim S. Shatskih" <maxim@storagecraft.com> wrote in message
news:OUXjqdlwHHA.1756@TK2MSFTNGP05.phx.gbl...
> TDI filters or Vista's new filtering platform is the solution.
> On NDIS level, process context is lost - too low a level.

On TDI layer I can probably only get TCP/IP packets, but I need to get _all_
packets (all protocols - it is possible only on NDIS layer). I'm going to
write additional TDI filter driver which I associate with my NDIS driver
(then my NDIS driver will be able to relate packets to their
sender/recepient process via combination of the local address and port
number), but I still don't know what kind of NDIS drivers will be best for
monitoring of all network activity.

--
With regards
thanks,
Witek


Top

Re: Problem with matching kind of NDIS driver. by Witoslaw

Witoslaw
Mon Jul 09 15:12:07 CDT 2007

"Witoslaw Jozewicz" <wj78[NoSpaM](at)wp.pl> wrote in message
news:uYNGtPmwHHA.2040@TK2MSFTNGP03.phx.gbl...
> "Maxim S. Shatskih" <maxim@storagecraft.com> wrote in message
> news:OUXjqdlwHHA.1756@TK2MSFTNGP05.phx.gbl...
>> TDI filters or Vista's new filtering platform is the solution.
>> On NDIS level, process context is lost - too low a level.
> On TDI layer I can probably only get TCP/IP packets, but I need to get
> _all_ packets (all protocols - it is possible only on NDIS layer). I'm
> going to write additional TDI filter driver which I associate with my
> NDIS driver (then my NDIS driver will be able to relate packets to their
> sender/recepient process via combination of the local address and port
> number), but I still don't know what kind of NDIS drivers will be best
> for monitoring of all network activity.

And my driver must work on Windows XP/2003 (NDIS 5.1).

--
With regards
thanks,
Witek


Top

Re: Problem with matching kind of NDIS driver. by Thomas

Thomas
Mon Jul 09 16:21:25 CDT 2007

As MAX said, process information is simply not available at the NDIS level.

Thomas F. Divine

"Witoslaw Jozewicz" <wj78[NoSpaM](at)wp.pl> wrote in message
news:OhSfvVmwHHA.4592@TK2MSFTNGP05.phx.gbl...
> "Witoslaw Jozewicz" <wj78[NoSpaM](at)wp.pl> wrote in message
> news:uYNGtPmwHHA.2040@TK2MSFTNGP03.phx.gbl...
>> "Maxim S. Shatskih" <maxim@storagecraft.com> wrote in message
>> news:OUXjqdlwHHA.1756@TK2MSFTNGP05.phx.gbl...
>>> TDI filters or Vista's new filtering platform is the solution.
>>> On NDIS level, process context is lost - too low a level.
>> On TDI layer I can probably only get TCP/IP packets, but I need to get
>> _all_ packets (all protocols - it is possible only on NDIS layer). I'm
>> going to write additional TDI filter driver which I associate with my
>> NDIS driver (then my NDIS driver will be able to relate packets to their
>> sender/recepient process via combination of the local address and port
>> number), but I still don't know what kind of NDIS drivers will be best
>> for monitoring of all network activity.
>
> And my driver must work on Windows XP/2003 (NDIS 5.1).
>
> --
> With regards
> thanks,
> Witek
>
>

Top

Re: Problem with matching kind of NDIS driver. by AntonBassov

AntonBassov
Mon Jul 09 16:34:19 CDT 2007

> I'm
> > going to write additional TDI filter driver which I associate with my
> > NDIS driver (then my NDIS driver will be able to relate packets to their
> > sender/recepient process via combination of the local address and port
> > number),

This is what you should do - actually, this is how most firewalls and packet
filters work (i.e. NDIS-level filter plus TDI-level helper in order to relate
packets to the target process).

> >but I still don't know what kind of NDIS drivers will be best
> > for monitoring of all network activity.

You need NDIS IM filter here. However, please note that writing NDIS IM
filter properly is not the easiest thing one can imagine. I would advise you
to look at "Modified passthru" sample that has been written by Thomas F.
Divine.....

Anton Bassov


"Witoslaw Jozewicz" wrote:

> "Witoslaw Jozewicz" <wj78[NoSpaM](at)wp.pl> wrote in message
> news:uYNGtPmwHHA.2040@TK2MSFTNGP03.phx.gbl...
> > "Maxim S. Shatskih" <maxim@storagecraft.com> wrote in message
> > news:OUXjqdlwHHA.1756@TK2MSFTNGP05.phx.gbl...
> >> TDI filters or Vista's new filtering platform is the solution.
> >> On NDIS level, process context is lost - too low a level.
> > On TDI layer I can probably only get TCP/IP packets, but I need to get
> > _all_ packets (all protocols - it is possible only on NDIS layer). I'm
> > going to write additional TDI filter driver which I associate with my
> > NDIS driver (then my NDIS driver will be able to relate packets to their
> > sender/recepient process via combination of the local address and port
> > number), but I still don't know what kind of NDIS drivers will be best
> > for monitoring of all network activity.
>
> And my driver must work on Windows XP/2003 (NDIS 5.1).
>
> --
> With regards
> thanks,
> Witek
>
>
>
Top

Re: Problem with matching kind of NDIS driver. by Maxim

Maxim
Mon Jul 09 21:06:56 CDT 2007

> On TDI layer I can probably only get TCP/IP packets, but I need to get _all_
> packets (all protocols - it is possible only on NDIS layer).

You cannot match the arbitrary non-TCPIP packet to a particular PID. Such
matching requires you to have the knowledge of the packet sender internals.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

Top

RE: Problem with matching kind of NDIS driver. by mirage2k2

mirage2k2
Tue Jul 10 00:44:02 CDT 2007

With TDI driver and NDIS IM you can match traffic to PID via port number only.
What does your driver really need to do? If you need to queue packets then
you must use NDIS IM driver. If you just want to sniff/modify packets then
there are some other options, i.e. filter hook, etc. Note also that you will
not see any packets in the TDI driver, rather you see IOCTRLs for operations
such as connect, send, receive, etc. Filtering such commands will allow you
to obtain PID/TID, port numbers and for some, remote ip addresses.

Mirage2k2

"Witoslaw Jozewicz" wrote:

> Hi,
> I have to write the driver, which will be monitoring all network activity
> (all protocols) and get PID (identity of the process) which is directly
> responsible for that. Unfortunately, I don't know which kind of NDIS drivers
> will be best for that. I think, the best will be NDIS Intermediate Driver,
> but I can be mistaken. Please help me with matching kind of driver.
>
> --
> With regards
> thanks,
> Witek
>
>
>
Top

Re: Problem with matching kind of NDIS driver. by Witoslaw

Witoslaw
Tue Jul 10 12:38:12 CDT 2007

"Thomas F. Divine" <tdivine@NOpcausaSPAM> wrote in message
news:eoecb8mwHHA.736@TK2MSFTNGP06.phx.gbl...
> As MAX said, process information is simply not available at the NDIS
> level.

I know that it isn't simple, but I have to do.

--
With regards
thanks,
Witek


Top

Re: Problem with matching kind of NDIS driver. by Witoslaw

Witoslaw
Tue Jul 10 12:45:07 CDT 2007

"Anton Bassov" <AntonBassov@discussions.microsoft.com> wrote in message
news:8C1675C2-BD8F-4347-912B-1C714D808BD0@microsoft.com...
>> I'm
>>> going to write additional TDI filter driver which I associate with my
>>> NDIS driver (then my NDIS driver will be able to relate packets to
>>> their sender/recepient process via combination of the local address
>>> and port number),
> This is what you should do - actually, this is how most firewalls and
> packet filters work (i.e. NDIS-level filter plus TDI-level helper in
> order to relate packets to the target process).
>> >but I still don't know what kind of NDIS drivers will be best
>>> for monitoring of all network activity.
> You need NDIS IM filter here. However, please note that writing NDIS IM
> filter properly is not the easiest thing one can imagine. I would advise
> you to look at "Modified passthru" sample that has been written by
> Thomas F. Divine.....
> Anton Bassov

Thanks for your reply Anton. I mean that you thought about infos included in
Mirage2k2? Of course I will analyze Thomas' sample. But what do you mean by
NDIS IM? I understand that it is NDIS Intermediate?

--
With regards
thanks,
Witek


Top

Re: Problem with matching kind of NDIS driver. by Witoslaw

Witoslaw
Tue Jul 10 12:50:35 CDT 2007

"Maxim S. Shatskih" <maxim@storagecraft.com> wrote in message
news:%23K6T5bpwHHA.4140@TK2MSFTNGP04.phx.gbl...
>> On TDI layer I can probably only get TCP/IP packets, but I need to get
>> _all_ packets (all protocols - it is possible only on NDIS layer).
> You cannot match the arbitrary non-TCPIP packet to a particular PID. Such
> matching requires you to have the knowledge of the packet sender
> internals.

What do you mean by "packet sender internals"? I suppose that it is typical
packet from which I will be able to extract informations for identify
protocols?

--
With regards
thanks,
Witek


Top

Re: Problem with matching kind of NDIS driver. by Witoslaw

Witoslaw
Tue Jul 10 13:31:56 CDT 2007

"mirage2k2" <mirage2k2@discussions.microsoft.com> wrote in message
news:E5F3B882-1DD7-45A2-909D-97DC4E02FECD@microsoft.com...
> With TDI driver and NDIS IM you can match traffic to PID via port number
> only. What does your driver really need to do? If you need to queue

That is them of my Master of Science Job, I have to find a way how to solve
that problem on NDIS driver layer.

> packets then you must use NDIS IM driver. If you just want to
> sniff/modify packets then there are some other options, i.e. filter
> hook, etc. Note also that you will not see any packets in the TDI
> driver, rather you see IOCTRLs for operations such as connect, send,
> receive, etc. Filtering such commands will allow you to obtain
> PID/TID, port numbers and for some, remote ip addresses. Mirage2k2

I need a driver which will catch all packets going through network card,
find PID's for that, and sends all the informations for application on users
layer (that application will be logging all network activieties - it has to
work as the "netstat -anb" application but in real time). Thanks for your
advices, Mirage2k2.

--
With regards
thanks,
Witek


Top

Re: Problem with matching kind of NDIS driver. by Thomas

Thomas
Tue Jul 10 14:16:22 CDT 2007

I think we understand what you want.

We are telling you that in a NDIS Intermediate (IM) driver the process
information simply is not available. This is because NDIS calls (such as the
call to your drivers MPSendPackets...) are made in "arbitrary thread
context". This means that the process information of the sender simply does
cannot be found from the information available in that call.

Process information is only available at higher layers when the process
information is actually valid.

For all protocols that use TDI you can use a TDI filter to identify the
process. Even in TDI process information is only actually valid ad a few
specific moments. In particular, you can only actually identify the process
at the point that objects are initially created. You must keep a database of
process information around if you want to know PID later.

Going further, it is certainly possible for folks to write a NDIS protocol
that operates solely in the kernel attached to the system process. All you
will know is that "the system" sent the packet.

Good luck. It is a project that Windows simply isn't designed to support
conveniently.

Perhaps you would have better luck if you only worked on Vista. MS has
invented some new APIs that may be of help there.

Thomas F. Divine


"Witoslaw Jozewicz" <wj78[NoSpaM](at)wp.pl> wrote in message
news:uGeIbCywHHA.1484@TK2MSFTNGP06.phx.gbl...
> "mirage2k2" <mirage2k2@discussions.microsoft.com> wrote in message
> news:E5F3B882-1DD7-45A2-909D-97DC4E02FECD@microsoft.com...
>> With TDI driver and NDIS IM you can match traffic to PID via port number
>> only. What does your driver really need to do? If you need to queue
>
> That is them of my Master of Science Job, I have to find a way how to
> solve that problem on NDIS driver layer.
>
>> packets then you must use NDIS IM driver. If you just want to
>> sniff/modify packets then there are some other options, i.e. filter
>> hook, etc. Note also that you will not see any packets in the TDI
>> driver, rather you see IOCTRLs for operations such as connect, send,
>> receive, etc. Filtering such commands will allow you to obtain
>> PID/TID, port numbers and for some, remote ip addresses. Mirage2k2
>
> I need a driver which will catch all packets going through network card,
> find PID's for that, and sends all the informations for application on
> users layer (that application will be logging all network activieties - it
> has to work as the "netstat -anb" application but in real time). Thanks
> for your advices, Mirage2k2.
>
> --
> With regards
> thanks,
> Witek
>
>

Top

Re: Problem with matching kind of NDIS driver. by AntonBassov

AntonBassov
Tue Jul 10 15:16:00 CDT 2007

> We are telling you that in a NDIS Intermediate (IM) driver the process
> information simply is not available. This is because NDIS calls (such as the
> call to your drivers MPSendPackets...) are made in "arbitrary thread
> context". This means that the process information of the sender simply does
> cannot be found from the information available in that call.

Apparently, the OP just does not want to take NO as an answer (which is good
thing in itself). The best thing to do here is to explain to him WHY his task
in infeasible....

When it comes to outgoing packets, the reasons why his task is infeasible
are different for TCP and datagram-based protocols. Once TCP guarantees
delivery of packets in specified order, any TCP operation involves both
sending and receiving data, so that TCPIP will send part of the transmission
and wait for the confirmation from the counter-party before sending the next
part. Therefore, different parts of the same transmission may get sent in
context of different threads.

When it comes to datagrams, the situation is somehow different - once
datagrams never get fragmented, TCPIP always sends them in context of the
client thread. Therefore, NDIS IM filter that is located immediately below
TCPIP will
get these packets in context of the client thread. However, there is no
guarantee that all lower-level will be able to do the same - everything
depends on how the highest-level IM decides to proceed. Taking into account
that highest-level IM filters are packet schedulers, in practical terms you
cannot expect to receive packets in context of the same thread in lower-level
filters.

The above applies to sends. When it comes to receives, incoming packet may
arrive at any moment, so that IM filter cannot expect to receive it in
context of any particular thread, for understandable reasons, regardless of
protocol.

Hopefully, the above explanation is going to convince the OP that his task
is simply infeasible....

> Perhaps you would have better luck if you only worked on Vista. MS has
> invented some new APIs that may be of help there.

Again, process context is available only at some certain filtering levels.
For example,
at the level of IP packets (i.e. internal sends and raw socket-related
traffic) you have no chance to relate a packet to its sender process,
although you can do it at higher filtering levels....

Anton Bassov


"Thomas F. Divine" wrote:

> I think we understand what you want.
>
> We are telling you that in a NDIS Intermediate (IM) driver the process
> information simply is not available. This is because NDIS calls (such as the
> call to your drivers MPSendPackets...) are made in "arbitrary thread
> context". This means that the process information of the sender simply does
> cannot be found from the information available in that call.
>
> Process information is only available at higher layers when the process
> information is actually valid.
>
> For all protocols that use TDI you can use a TDI filter to identify the
> process. Even in TDI process information is only actually valid ad a few
> specific moments. In particular, you can only actually identify the process
> at the point that objects are initially created. You must keep a database of
> process information around if you want to know PID later.
>
> Going further, it is certainly possible for folks to write a NDIS protocol
> that operates solely in the kernel attached to the system process. All you
> will know is that "the system" sent the packet.
>
> Good luck. It is a project that Windows simply isn't designed to support
> conveniently.
>
> Perhaps you would have better luck if you only worked on Vista. MS has
> invented some new APIs that may be of help there.
>
> Thomas F. Divine
>
>
> "Witoslaw Jozewicz" <wj78[NoSpaM](at)wp.pl> wrote in message
> news:uGeIbCywHHA.1484@TK2MSFTNGP06.phx.gbl...
> > "mirage2k2" <mirage2k2@discussions.microsoft.com> wrote in message
> > news:E5F3B882-1DD7-45A2-909D-97DC4E02FECD@microsoft.com...
> >> With TDI driver and NDIS IM you can match traffic to PID via port number
> >> only. What does your driver really need to do? If you need to queue
> >
> > That is them of my Master of Science Job, I have to find a way how to
> > solve that problem on NDIS driver layer.
> >
> >> packets then you must use NDIS IM driver. If you just want to
> >> sniff/modify packets then there are some other options, i.e. filter
> >> hook, etc. Note also that you will not see any packets in the TDI
> >> driver, rather you see IOCTRLs for operations such as connect, send,
> >> receive, etc. Filtering such commands will allow you to obtain
> >> PID/TID, port numbers and for some, remote ip addresses. Mirage2k2
> >
> > I need a driver which will catch all packets going through network card,
> > find PID's for that, and sends all the informations for application on
> > users layer (that application will be logging all network activieties - it
> > has to work as the "netstat -anb" application but in real time). Thanks
> > for your advices, Mirage2k2.
> >
> > --
> > With regards
> > thanks,
> > Witek
> >
> >
>
>
Top

Re: Problem with matching kind of NDIS driver. by Witoslaw

Witoslaw
Wed Jul 11 13:39:22 CDT 2007

"Thomas F. Divine" <tdivine@NOpcausaSPAM> wrote in message
news:ObYuObywHHA.840@TK2MSFTNGP03.phx.gbl...
> I think we understand what you want.
> We are telling you that in a NDIS Intermediate (IM) driver the process
> information simply is not available. This is because NDIS calls (such as
> the call to your drivers MPSendPackets...) are made in "arbitrary thread
> context". This means that the process information of the sender simply
> does cannot be found from the information available in that call.
> Process information is only available at higher layers when the process
> information is actually valid.
> For all protocols that use TDI you can use a TDI filter to identify the
> process. Even in TDI process information is only actually valid ad a few
> specific moments. In particular, you can only actually identify the
> process at the point that objects are initially created. You must keep
> a database of process information around if you want to know PID later.
> Going further, it is certainly possible for folks to write a NDIS
> protocol that operates solely in the kernel attached to the system
> process. All you will know is that "the system" sent the packet.
> Good luck. It is a project that Windows simply isn't designed to support
> conveniently.
> Perhaps you would have better luck if you only worked on Vista. MS has
> invented some new APIs that may be of help there.

Thank you for your exhaustive answer.

--
With regards
thanks,
Witek


Top

Re: Problem with matching kind of NDIS driver. by Witoslaw

Witoslaw
Wed Jul 11 13:41:02 CDT 2007

"Anton Bassov" <AntonBassov@discussions.microsoft.com> wrote in message
news:40E794CB-F50D-46CC-9312-E96B5091394D@microsoft.com...
>> We are telling you that in a NDIS Intermediate (IM) driver the process
>> information simply is not available. This is because NDIS calls (such
>> as the call to your drivers MPSendPackets...) are made in "arbitrary
>> thread context". This means that the process information of the
>> sender simply does cannot be found from the information available in
>> that call.
> Apparently, the OP just does not want to take NO as an answer (which is
> good thing in itself). The best thing to do here is to explain to him
> WHY his task in infeasible....
> When it comes to outgoing packets, the reasons why his task is infeasible
> are different for TCP and datagram-based protocols. Once TCP guarantees
> delivery of packets in specified order, any TCP operation involves both
> sending and receiving data, so that TCPIP will send part of the
> transmission and wait for the confirmation from the counter-party
> before sending the next part. Therefore, different parts of the same
> transmission may get sent in context of different threads.
> When it comes to datagrams, the situation is somehow different - once
> datagrams never get fragmented, TCPIP always sends them in context of the
> client thread. Therefore, NDIS IM filter that is located immediately
> below TCPIP will
> get these packets in context of the client thread. However, there is no
> guarantee that all lower-level will be able to do the same - everything
> depends on how the highest-level IM decides to proceed. Taking into
> account that highest-level IM filters are packet schedulers, in
> practical terms you cannot expect to receive packets in context of the
> same thread in lower-level filters.
> The above applies to sends. When it comes to receives, incoming packet
> may arrive at any moment, so that IM filter cannot expect to receive it
> in context of any particular thread, for understandable reasons,
> regardless of protocol.
> Hopefully, the above explanation is going to convince the OP that his
> task is simply infeasible....
>> Perhaps you would have better luck if you only worked on Vista. MS has
>> invented some new APIs that may be of help there.
> Again, process context is available only at some certain filtering
> levels. For example,
> at the level of IP packets (i.e. internal sends and raw socket-related
> traffic) you have no chance to relate a packet to its sender process,
> although you can do it at higher filtering levels....

Thank you for your exhaustive explanations.

--
With regards
thanks,
Witek


Top

Re: Problem with matching kind of NDIS driver. by Maxim

Maxim
Wed Jul 11 14:50:39 CDT 2007

> I need a driver which will catch all packets going through network card,
> find PID's for that,

For TCP/IP - possible.
For IPX - maybe possible too.

But for any arbitrary protocol it is impossible. NDIS keeps no track of the
originating process.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

Top

Re: Problem with matching kind of NDIS driver. by Maxim

Maxim
Wed Jul 11 14:49:41 CDT 2007

> What do you mean by "packet sender internals"? I suppose that it is typical
> packet from which I will be able to extract informations for identify
> protocols?

"Typical packet" is just an Ethernet frame without any traces of the
originating process.

TCP/IP packet is more complex, and contains the port number information, which
can be matched to a particular process.

But just any arbitrary packet?

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

Top