soviet_bloke
Tue Jan 02 17:25:11 CST 2007
Stephan,
> Check the "type code / length" field in the MAC header. Note that all
> network fields are in high-low (big endian) order. If the type/length
> is greater than 1500 decimal (5DC hex), then this is an Ethernet type
> code, see
> http://standards.ieee.org/regauth/ethertype/eth.txt
>
> Otherwise, if the type/length is smaller than 1500 decimal, then this
> is the length of the payload data behind the MAC header. In this case,
> what follows directly behind the MAC header is a three byte 802.2
> Logical Link Control (LLC) header consisting of the destination service
> access point (DSAP), source SAP (SSAP), and Control fields, see
> http://standards.ieee.org/regauth/llc/llcassignments.pdf
>
> If DSAP=SSAP=0xAA and Control=0x03, then what follows next is a five
> byte 802.2 SNAP header: 3 bytes OUI (=vendor id, see
> http://standards.ieee.org/regauth/oui/index.shtml) and two bytes type
> information.
>
> If the OUI = 000000 then the type is an Ethernet type code as already
> outlined above.
I am afraid all the stuff that you mentioned is just irrelevant for IP
packets that are indicated to NDIS IM - they have 14-byte MAC header
with 'Type' field set to 0x0800, which is immediately followed by IP
header and protocol header......
Anton Bassov
Stephan Wolf [MVP] wrote:
> NDIS does not know anything about packet types. Strictly speaking, NDIS
> handles (raw) frames rather than packets as a packet is what you find
> behind the MAC header.
>
> Determination of the "packet type" takes several steps:
>
> Check the "type code / length" field in the MAC header. Note that all
> network fields are in high-low (big endian) order. If the type/length
> is greater than 1500 decimal (5DC hex), then this is an Ethernet type
> code, see
> http://standards.ieee.org/regauth/ethertype/eth.txt
>
> Otherwise, if the type/length is smaller than 1500 decimal, then this
> is the length of the payload data behind the MAC header. In this case,
> what follows directly behind the MAC header is a three byte 802.2
> Logical Link Control (LLC) header consisting of the destination service
> access point (DSAP), source SAP (SSAP), and Control fields, see
> http://standards.ieee.org/regauth/llc/llcassignments.pdf
>
> If DSAP=SSAP=0xAA and Control=0x03, then what follows next is a five
> byte 802.2 SNAP header: 3 bytes OUI (=vendor id, see
> http://standards.ieee.org/regauth/oui/index.shtml) and two bytes type
> information.
>
> If the OUI = 000000 then the type is an Ethernet type code as already
> outlined above.
>
> For more information, see e.g.
> http://standards.ieee.org/regauth/publiclistings.html
>
> Now IP uses Ethernet type code 0x0800. TCP, UDP, and others sit on top
> of IP so they use the same type code (0x0800). You need to inspect the
> IP header in order to determine which protocol follows. That's for
> further study. See the various RFC documents or get yourself a good
> book on network basics.
>
> Stephan
> ---
> Saurav wrote:
> > Hi All
> >
> > I am writing an NDIS intermediate filter driver, to analyse the network
> > traffic. I need to know what is the type of the packet which I received
> > from ProtocolReceive() & ProtocolReceivePacket() callback routines i.e.
> > whether the packet is of UDP or TCP etc.??
> >
> > In case anybody knows about this then please let me know.
> >
> > Thanks in advance
> >
> > Saurav
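
Added example, not part of the thread or of any poster's code: a bounds-checked C classifier that follows the steps quoted above (type/length field, LLC/SNAP with OUI 000000, then the IPv4 Protocol field). The names `classify_frame`, `FRAME_UNKNOWN` and `sample_tcp` are hypothetical, and it assumes the driver has already copied the frame into one contiguous buffer.

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_HDR_LEN   14      /* dst MAC (6) + src MAC (6) + type/length (2) */
#define ETHERTYPE_IP  0x0800
#define FRAME_UNKNOWN (-1)    /* truncated, malformed, or not IPv4 */

/* Constructed sample: Ethernet II frame, type 0x0800, IPv4 header, protocol 6 (TCP). */
static const uint8_t sample_tcp[34] = {
    0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x00,
    0x45,0,0,20, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2
};

/* Read a 16-bit big-endian (network order) field. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Returns the IPv4 protocol number (6 = TCP, 17 = UDP, 1 = ICMP, ...) carried
 * by a raw Ethernet frame, or FRAME_UNKNOWN. Every read is bounds-checked
 * because the frame content is untrusted input from the wire.
 */
int classify_frame(const uint8_t *frame, size_t len)
{
    size_t off = ETH_HDR_LEN;
    uint16_t type;

    if (frame == NULL || len < ETH_HDR_LEN)
        return FRAME_UNKNOWN;
    type = be16(frame + 12);

    if (type <= 1500) {
        /* Length field: 3-byte LLC header, then 5-byte SNAP header. */
        if (len < off + 8)
            return FRAME_UNKNOWN;
        if (frame[off] != 0xAA || frame[off + 1] != 0xAA || frame[off + 2] != 0x03)
            return FRAME_UNKNOWN;               /* LLC without SNAP */
        if (frame[off + 3] | frame[off + 4] | frame[off + 5])
            return FRAME_UNKNOWN;               /* OUI != 000000 */
        type = be16(frame + off + 6);
        off += 8;
    }
    if (type != ETHERTYPE_IP || len < off + 20)
        return FRAME_UNKNOWN;

    /* IPv4 header: version must be 4, IHL at least 5 words and inside the frame. */
    if ((frame[off] >> 4) != 4 || (frame[off] & 0x0F) < 5 ||
        len < off + (size_t)(frame[off] & 0x0F) * 4)
        return FRAME_UNKNOWN;
    return frame[off + 9];                      /* Protocol field */
}
```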