- NDIS/Networking Newbie
- Posted by Carl Woodward on March 19th, 2007
Dear all,
I am just beginning to start looking at NDIS and Networking and am
reasonably comfortable with the principles but am constantly confusing
myself and have found some of the NDIS documentation too technical. I guess
what I am looking for is an overview. Are there any resources on the
Internet that I can look at?
My first goal is to write a filter driver that captures all network activity
and the process context for the network request. I am principally interested
in TCP/IP connections but being able to filter all network traffic for all
adapters is my ultimate goal. My target platforms are XP, 2K3 and Vista.
Just to make sure that I am not wasting a vast amount of time, I am hoping
NDIS experts on here can set me straight on a few questions:
1. Should I be writing a filter driver similar to passthru?
2. Is it possible to capture process context for each outbound packet or is
the process context arbitrary?
3. The WDK and DDK docs hint that passthru may not be suitable for a
production driver. Is there anything significant missing from it?
Many thanks for any responses!
Carl
- Posted by Stephan Wolf [MVP] on March 19th, 2007
Not sure whether an NDIS Filter (so called "intermediate" = IM) driver
is the right approach for you. AFAIK, process context is not available
at driver (i.e. kernel-mode) level. Also, a TDI solution might serve
you better, but I am not a TDI expert after all.
Some thoughts on NDIS:
First note that each Windows version/variant usually introduces some
NDIS features, which is reflected by an incremented NDIS version
number. For a short overview, see here:
http://msdn.microsoft.com/library/
[Currently, this URL points there, but unfortunately MS is either
unwilling or unable to provide stable URLs for MSDN library contents:
http://msdn2.microsoft.com/en-us/library/aa938306.aspx]
Although MS propagates that NDIS 6 should be used for Vista, this
unfortunately also means this NDIS driver will not run on any previous
Windows version/variant.
Thus, you might want to consider writing an NDIS 5 driver, because it
will run on all of Windows 2000, XP, 2003, and Vista (and even on
Windows 98/ME).
An NDIS Filter intermediate (IM) driver implements a 1:1 relation
between a protocol and a network adapter (=miniport) driver. It thus
usually only "filters" the packet flow between some protocol and some
adapter. A MUX IM can implement other relations as well, i.e. 1:n, n:1,
and even n:n. Packets can be redirected from/to any protocols and
adapters in any way. A MUX IM however requires a more complex design
and implementation (e.g., a so-called Notify Object user-mode program
is usually also required).
Not sure but AFAIK you will not be able to get any originating process
context information at driver level. I might be wrong here.
Well, passthru simply does "nothing". Many people have used it as a
starting point for their production IM drivers.
HTH, Stephan
---
On Mar 19, 10:29 am, "Carl Woodward" <pppooiiiu...@llkkjjhhgg.com>
wrote:
- Posted by Pavel A. on March 19th, 2007
"Carl Woodward" wrote:
As Stephan wrote, Windows OS before Vista do not support filtering
on per-process level (at least, not as documented).
The IM model does not help here at all - it is a global filter on the
level far below TCP/IP.
For per-process hooking, one solution is TDI level filter, for which a good
starting point is http://www.pcausa.com/tdisamp/default.htm
Another solution is hooking in user mode (LSP). AFAIK, LSP are rarely
considered by serious developers these days, because they are too fragile and
commonly used by malware. MS recently published some new LSP samples, so
maybe this situation has changed.
Vista has a lot of new things: the filtering platform instead of TDI;
routing apartments, and also there are rumors on new development in per-app
virtualization.
So, not sure that a single solution is good for Vista and previous OSes...
depends on the actual task.
Regards,
--PA
- Posted by Steve Jackowski on March 19th, 2007
Carl,
If you're interested in a cross-platform IM-like framework (9x through
64-bit Vista, CE/PocketPC/Mobile 5, Macintosh, Solaris, Linux) where a single
driver will run on all platforms, please take a look at our DNE product
www.determinsticnetworks.com/products/dne.asp. It is installed in millions
of systems and actually does have an option to provide a process context at
the IM level.
Steve
"Carl Woodward" wrote:
- Posted by Pavel A. on March 19th, 2007
Hi Steve,
But DNE provides process context by hooking on TDI level, it is not pure IM?
--PA
"Steve Jackowski" wrote:
- Posted by Steve Jackowski on March 19th, 2007
PA,
We use different user-space mechanisms to get both process and user context
(including terminal services users). On pre-Vista, you are correct, we use
TDI along with user processes/services. On Vista, we're moving to WFP, and
on other platforms (e.g. Mac and CE/PPC/Mobile 5) we use whatever interfaces
are most efficient for collecting and matching process information with flows
(including pre-fetching user/process information before flows start).
But you are correct in your point that an IM-level module can't get this
information with native interfaces. Our goal is to offer a framework that
insulates the developer from the limitations of specific OSs.
Steve
"Pavel A." wrote:
- Posted by Thomas F. Divine on March 19th, 2007
Steve,
A little less sales talk would be nice. If we all pushed our products and
services here this wouldn't be a useful group.
Certainly one aspect of some folks' participation (myself included) can be
called "advertising". Being helpful promotes at least the illusion that we
might be worth contacting in private for possible business.
Thomas F. Divine
"Steve Jackowski" <SteveJackowski@discussions.microsoft.com> wrote in
message news:973584FD-F997-4587-BA23-BCD7E0B58FEE@microsoft.com...
- Posted by Steve Jackowski on March 19th, 2007
Thomas,
Point taken.
Steve
"Thomas F. Divine" wrote:
- Posted by Carl Woodward on March 20th, 2007
Pavel, thank you for your reply!
This seems to be pretty much what I am looking for. Essentially, I am
looking to work out if a given process is making connections, and sending
and receiving packets. From what I can gather from call stacks, it seems
that these occur in the context of the process that issued the request and
that providing there aren't any other TDI filters in the stack the Irp is
not re-rolled. As far as I can tell most of the requests are via
IRP_MJ_DEVICE_CONTROL. It seems that ZoneAlarm uses this approach to provide
per process traffic filtering and blocking. I will end up buying the pcausa
sample and seeing what it can do so I won't demand any more of your time with
extra questions until I have had a look at the source.
I do like WFP, it looks really good. Something that wasn't clear to me is
whether it is possible to block packets. I expect that I will have a Vista
solution and a previous OS solution.
Thank you once again!
Carl
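Carl's goal above is to find out which process owns a given connection. The thread discusses kernel-level ways to get that (TDI filters, WFP); the following is an added example, not code from the thread or from any poster, showing the user-mode view of the same question: a snapshot of TCP connections joined to their owning process. It assumes Windows 8 / Server 2012 or later (the `NetTCPIP` module's `Get-NetTCPConnection`); on the XP/2003 systems Carl mentions, `netstat -ano` or the iphlpapi `GetExtendedTcpTable` API gives the same PID mapping. The function name `Get-ConnectionsByProcess` and its parameters are mine. Being a polled snapshot, it can miss short-lived connections and can only observe, not block; it is useful as a defender's inventory or triage aid, not as a replacement for the filter driver the thread is about.

```powershell
# Added example (not from the thread): user-mode snapshot of TCP connections
# joined to their owning process. Assumes Windows 8 / Server 2012 or later
# (NetTCPIP module). This observes only; it cannot block traffic.

function Get-ConnectionsByProcess {
    [CmdletBinding()]
    param(
        # Optional process name prefix to filter on, e.g. 'chrome'; default is all.
        [string]$ProcessName,
        # Report only established connections (skips listeners and TIME_WAIT).
        [switch]$EstablishedOnly
    )

    # Cache process lookups so a process with many sockets is queried once.
    $procCache = @{}

    $conns = Get-NetTCPConnection -ErrorAction Stop
    if ($EstablishedOnly) {
        $conns = $conns | Where-Object State -eq 'Established'
    }

    foreach ($c in $conns) {
        $ownerPid = [int]$c.OwningProcess
        if (-not $procCache.ContainsKey($ownerPid)) {
            # Win32_Process gives the executable path; a process that has
            # already exited (or is protected) yields $null here.
            $p = Get-CimInstance Win32_Process -Filter "ProcessId = $ownerPid" `
                 -ErrorAction SilentlyContinue
            $procCache[$ownerPid] = $p
        }
        $p = $procCache[$ownerPid]
        $name = if ($p) { $p.Name } else { '<exited or protected>' }

        if ($ProcessName -and $name -notlike "$ProcessName*") { continue }

        [pscustomobject]@{
            Pid           = $ownerPid
            Process       = $name
            Path          = if ($p) { $p.ExecutablePath } else { $null }
            LocalAddress  = $c.LocalAddress
            LocalPort     = $c.LocalPort
            RemoteAddress = $c.RemoteAddress
            RemotePort    = $c.RemotePort
            State         = $c.State
            Created       = $c.CreationTime
        }
    }
}

# Usage: established connections grouped by process, so it is visible at a
# glance which processes are talking and to where.
Get-ConnectionsByProcess -EstablishedOnly |
    Sort-Object Process, RemoteAddress |
    Format-Table Pid, Process, LocalPort, RemoteAddress, RemotePort, State -AutoSize
```

PID 4 (System) owns sockets opened by kernel-mode components, which is exactly the case where no user-mode process context exists, matching Stephan's and Pavel's point that a driver below TCP/IP sees no originating process. `Get-NetUDPEndpoint` exposes the same `OwningProcess` field for UDP if that traffic matters too.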
- Posted by Carl Woodward on March 20th, 2007
Stephan,
Thanks for your reply!
I think you are right, NDIS does not necessarily look like the best
solution for me. TDI does seem to be the way to go. Thank you for your help!
Carl
"Stephan Wolf [MVP]" <stewo68@hotmail.com> wrote in message
news:1174298631.751792.151010@l77g2000hsb.googlegroups.com...
- Posted by Carl Woodward on March 20th, 2007
That sounds quite cool! As of 9:30 GMT 20th March 2007 the link you posted
seems to be broken though.
Thank you for your response!
Carl
"Steve Jackowski" <SteveJackowski@discussions.microsoft.com> wrote in
message news:7F4D6EF9-4D2C-47CC-B9C2-697DCA33B54A@microsoft.com...
- Posted by Steve Jackowski on March 20th, 2007
Carl,
It's a long URL. Perhaps you mistyped it. Feel free to email me offline at
stevej@deterministicnetworks.com if you'd like more information.
Steve
"Carl Woodward" wrote: