Thomas
Wed Sep 07 14:43:52 CDT 2005
-----------------------------------------------------------------------------
From: Pavel A. [mailto:pavel_a@NOwritemeNO.com]
Posted At: Wednesday, September 07, 2005 7:07 AM
Posted To: microsoft.public.development.device.drivers
Conversation: A sniffer, fast and dirty...
Subject: Re: A sniffer, fast and dirty...
nntp://msnews.microsoft.com/microsoft.public.development.device.drivers/<u#EOIx5sFHA.1136@TK2MSFTNGP12.phx.gbl>

> Thank you Thomas,
> Why I'm reluctant about the IM approach - this will be installed on machines
> where I can't put the test certificate, so users will have to click through
> signing popups :(

I sure wish Microsoft had implemented the driver signing check differently. One popup and approval by the administrator should have been sufficient to make the driver behave as if it was signed thereafter.

This signing feature has actually caused some developers who had perfectly good NDIS IM driver installations to switch to NDIS-Hooking. Although NDIS-Hooking is not a desirable thing, aborting an NDIS IM driver install halfway through 12 popups leaves the machine in a sad state as well.

> Your PCAUSA rawether protocol driver installs in the good old legacy way
> and binds dynamically - a no-hassle, user-proof solution.
> Also, we've already paid for it :)

And - the current Rawether even works on XP x64 and Vista Beta 1 (with an interim NDIS 5 driver...).

> If I find how to settle the popups issue - either convince the client to
> use a test-signed driver, or write some anti-popup program - IM is definitely
> better.

Good luck,

Thomas

> Regards,
> --PA
>
> "Thomas F. Divine [DDK MVP]" <tdivine@NOpcausaSPAM.com> wrote in message news:eg11zC1sFHA.3640@tk2msftngp13.phx.gbl...
> >
> > "Pavel A." <pavel_a@NOwritemeNO.com> wrote in message news:A7E95F52-6633-46E1-AED0-2D8EAD81E44C@microsoft.com...
> >> I need to count certain packets sent through a netcard during usual network
> >> activity (internet, mail...).
> >> The counting can be done in kernel mode, no need to pass data to usermode.
> >> The card can be any usual 10/100 ethernet, connected either to LAN or DSL
> >> modem (PPPoE).
> >>
> >> Which of the following is less intrusive to the system and easier to do?
> >>
> >> a. IM filter based on Passthru
> >> b. Protocol driver & set the packet filter to ALL_LOCAL
> >>
> >> Ah, and this will be just a fast and dirty internal tool - not for production
> >> :)
> >>
> >> Thanks for any advice,
> >> --PA
> >
> > Take the Passthru driver from part 1 of the "Extending the Passthru.." article at
> > http://www.wd-3.com. (In the archives...).
> >
> > It has an IOCTL interface added. You should be able to add your counters
> > to the driver and an IOCTL to fetch them.
> >
> > You won't need to modify the packet filter. The NDIS IM driver will be
> > using the packet filter setting specified by the higher-level protocols
> > you are interested in monitoring.
> >
> > Thomas F. Divine, Windows DDK MVP
> > http://www.rawether.net
> >
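The advice above is to keep counters inside the Passthru IM driver's send/receive path and expose them through an IOCTL. The block below is an added, user-mode C model of that logic; it is not code from the thread, from PCAUSA/Rawether, or from the wd-3.com Passthru article, and it uses no NDIS API. It shows the two things a practitioner would want to get right when the counting moves into a kernel driver: every frame length is checked before a header is read (frames on the wire are untrusted input), and the "fetch" step refuses an output buffer smaller than the record instead of copying a partial one. It also handles the DSL case the question mentions by looking inside PPPoE session frames. The struct and function names (`packet_counters_t`, `count_frame`, `fetch_counters`, `run_samples`) and the three sample frames are all constructed for this example.

```c
/* Added example: user-mode model of per-frame counting plus an IOCTL-style
 * bounds-checked fetch. No NDIS; frames below are constructed, not captured. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <inttypes.h>

/* Counters a filter driver would keep per adapter and hand back on request. */
typedef struct {
    uint64_t total;      /* every frame seen                                  */
    uint64_t ipv4;       /* IPv4 directly on Ethernet (EtherType 0x0800)      */
    uint64_t pppoe_ipv4; /* IPv4 inside a PPPoE session frame (DSL modem)     */
    uint64_t tcp;        /* IPv4 protocol 6, either encapsulation             */
    uint64_t udp;        /* IPv4 protocol 17, either encapsulation            */
    uint64_t runt;       /* too short / malformed to classify; never parsed   */
} packet_counters_t;

enum { ETH_HDR = 14, PPPOE_SESS = 6, PPP_PROTO = 2, IPV4_MIN = 20 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify the IPv4 header at p with len bytes available.
   Returns 0 if the header is truncated or not IPv4, 1 after counting. */
static int count_ipv4(const uint8_t *p, size_t len, packet_counters_t *c)
{
    if (len < IPV4_MIN || (p[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < IPV4_MIN || ihl > len) return 0;   /* bogus IHL: do not trust it */
    if (p[9] == 6) c->tcp++;
    else if (p[9] == 17) c->udp++;
    return 1;
}

/* What the IM driver's send and receive handlers would call for each frame.
   Every read is preceded by a length check; bad frames only bump `runt`. */
void count_frame(const uint8_t *frame, size_t len, packet_counters_t *c)
{
    c->total++;
    if (len < ETH_HDR) { c->runt++; return; }
    uint16_t ethertype = rd16(frame + 12);
    const uint8_t *p = frame + ETH_HDR;
    size_t rem = len - ETH_HDR;

    if (ethertype == 0x0800) {                       /* plain IPv4 on the LAN */
        if (count_ipv4(p, rem, c)) c->ipv4++; else c->runt++;
    } else if (ethertype == 0x8864) {                /* PPPoE session (RFC 2516) */
        if (rem < PPPOE_SESS + PPP_PROTO) { c->runt++; return; }
        if (p[0] != 0x11 || p[1] != 0x00) return;    /* not ver 1/type 1 data */
        if (rd16(p + PPPOE_SESS) != 0x0021) return;  /* PPP protocol: not IPv4 */
        if (count_ipv4(p + PPPOE_SESS + PPP_PROTO, rem - PPPOE_SESS - PPP_PROTO, c))
            c->pppoe_ipv4++;
        else
            c->runt++;
    }
}

/* Model of the "fetch counters" IOCTL: the caller's buffer length is untrusted,
   so a short buffer gets nothing rather than a truncated record.
   Returns bytes written, 0 on a short or missing buffer. */
size_t fetch_counters(const packet_counters_t *c, void *out, size_t out_len)
{
    if (out == NULL || out_len < sizeof(*c)) return 0;
    memcpy(out, c, sizeof(*c));
    return sizeof(*c);
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t SAMPLE_TCP[ETH_HDR + IPV4_MIN] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0x00,0x00,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x02, 0xc0,0xa8,0x01,0x03 };
static const uint8_t SAMPLE_PPPOE_UDP[ETH_HDR + PPPOE_SESS + PPP_PROTO + IPV4_MIN] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x88,0x64,
    0x11,0x00, 0x00,0x01, 0x00,0x16,   /* PPPoE: ver/type, code, session 1, len 22 */
    0x00,0x21,                         /* PPP protocol: IPv4 */
    0x45,0x00,0x00,0x14, 0x00,0x00,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x01,0x02, 0xc0,0xa8,0x01,0x03 };
static const uint8_t SAMPLE_RUNT[10] = { 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99 };

/* Feed the three samples through the counter; expect total=3, ipv4=1,
   pppoe_ipv4=1, tcp=1, udp=1, runt=1. */
packet_counters_t run_samples(void)
{
    packet_counters_t c;
    memset(&c, 0, sizeof c);
    count_frame(SAMPLE_TCP, sizeof SAMPLE_TCP, &c);
    count_frame(SAMPLE_PPPOE_UDP, sizeof SAMPLE_PPPOE_UDP, &c);
    count_frame(SAMPLE_RUNT, sizeof SAMPLE_RUNT, &c);
    return c;
}

int main(void)
{
    packet_counters_t c = run_samples();
    packet_counters_t user;              /* stands in for the IOCTL output buffer */
    if (fetch_counters(&c, &user, sizeof user) == 0) return 1;
    printf("total=%" PRIu64 " ipv4=%" PRIu64 " pppoe_ipv4=%" PRIu64
           " tcp=%" PRIu64 " udp=%" PRIu64 " runt=%" PRIu64 "\n",
           user.total, user.ipv4, user.pppoe_ipv4, user.tcp, user.udp, user.runt);
    return 0;
}
```

In a real Passthru build the `count_frame` call would sit in the send and receive handlers, the counters would be per-adapter context protected by a spin lock, and `fetch_counters` would be the IOCTL handler's copy into the user buffer after validating the output length the I/O manager reports.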