From: g b on
I'm trying to write code that can capture raw native 802.11 packets to
essentially write a packet sniffer. I'm using Vista with an 802.11
device which uses an NDIS 6.0 native 802.11 driver.

Perhaps I am going about this the wrong way (and please let me know if
there are better alternatives!) I'm trying to do this all through the
Windows SDK or Windows DDK for Vista and higher.

Doing some googling and reading the documentation, it seems like the
best way to do this is run a monitoring light weight filter using the
Windows DDK. I modified the ndislwf sample to be a monitoring filter
driver and attach to "wlan" media types. I seem to be able to put the
device into monitor mode and extensible station mode via
OID_DOT11_CURRENT_OPERATION_MODE. I can also confirm that ndislwf is
attaching successfully to the NdisMediumNative802_11 type.

The problem is my calls to set OID_GEN_CURRENT_PACKET_FILTER with
{ NDIS_PACKET_TYPE_PROMISCUOUS | NDIS_PACKET_TYPE_802_11_RAW_DATA |
NDIS_PACKET_TYPE_802_11_PROMISCUOUS_MGMT |
NDIS_PACKET_TYPE_802_11_RAW_MGMT |
NDIS_PACKET_TYPE_802_11_PROMISCUOUS_CTRL }

(as described here: http://msdn.microsoft.com/en-us/library/bb648512.aspx)
seem to never take effect even though they return successfully from
NdisFOidRequest. According to the documentation the
DOT11_EXTSTA_RECV_CONTEXT associated with the NET_BUFFER_LIST passed
to FilterReceiveNetBufferLists should indicate
DOT11_RECV_FLAG_RAW_PACKET but this flag is never set.

Am I doing something wrong here? How can I capture the raw packets?

Thanks!
From: Thomas F. Divine on
I am trying to do the same thing with no joy so far.

You might take a look at WlanSetInterface function. It includes methods to
disable auto configuration and background scan for an interface.

The PCAUSA "PCAGizmo" tool is a LWF that logs OIDs and Status. Not the most
elegant tool, but might help determine what is going on.

http://pcausa.com/Utilities/PCAGizmo/PCAGizmo.htm

Good luck!

Thomas F. Divine
http://www.pcausa.com


"g b" <gb952325(a)gmail.com> wrote in message
news:d54805b2-0018-4456-be4a-6fba5c9c86eb(a)d20g2000yqh.googlegroups.com...
> I'm trying to write code that can capture raw native 802.11 packets to
> essentially write a packet sniffer. I'm using Vista with an 802.11
> device which uses an NDIS 6.0 native 802.11 driver.
>
> Perhaps I am going about this the wrong way (and please let me know if
> there are better alternatives!) I'm trying to do this all through the
> Windows SDK or Windows DDK for Vista and higher.
>
> Doing some googling and reading the documentation, it seems like the
> best way to do this is run a monitoring light weight filter using the
> Windows DDK. I modified the ndislwf sample to be a monitoring filter
> driver and attach to "wlan" media types. I seem to be able to put the
> device into monitor mode and extensible station mode via
> OID_DOT11_CURRENT_OPERATION_MODE. I can also confirm that ndislwf is
> attaching successfully to the NdisMediumNative802_11 type.
>
> The problem is my calls to set OID_GEN_CURRENT_PACKET_FILTER with
> { NDIS_PACKET_TYPE_PROMISCUOUS | NDIS_PACKET_TYPE_802_11_RAW_DATA |
> NDIS_PACKET_TYPE_802_11_PROMISCUOUS_MGMT |
> NDIS_PACKET_TYPE_802_11_RAW_MGMT |
> NDIS_PACKET_TYPE_802_11_PROMISCUOUS_CTRL }
>
> (as described here: http://msdn.microsoft.com/en-us/library/bb648512.aspx)
> seem to never take effect even though they return successfully from
> NdisFOidRequest. According to the documentation the
> DOT11_EXTSTA_RECV_CONTEXT associated with the NET_BUFFER_LIST passed
> to FilterReceiveNetBufferLists should indicate
> DOT11_RECV_FLAG_RAW_PACKET but this flag is never set.
>
> Am I doing something wrong here? How can I capture the raw packets?
>
> Thanks!

From: g b on
If you get it working I'd be interested in knowing what you did. I
also noticed that making sets to OID_GEN_CURRENT_PACKET_FILTER do not
seem to be taking effect. For example, if I set the filter to 0, it
shouldn't receive anything but it still does. I'm not noticing other
OID calls being made to revert my filter sets, so maybe this is a
clue... It's unclear from the documentation whether monitoring light
weight filters are affected by filters differently somehow and maybe I
need to set the filters from user mode or from a prot driver? That
still wouldn't make sense, though, since everything else binds
above native wifi; in theory the only possible way to access the raw
native 802.11 packets should be from the filter driver... There must
be something I'm doing wrong here...

On Dec 6, 9:47 am, "Thomas F. Divine" <tdivineATpcausaDOTcom> wrote:
> I am trying to do the same thing with no joy so far.
>
> You might take a look at WlanSetInterface function. It includes methods to
> disable auto configuration and background scan for an interface.
>
> The PCAUSA "PCAGizmo" tool is a LWF that logs OIDs and Status. Not the most
> elegant tool, but might help determine what is going on.
>
> http://pcausa.com/Utilities/PCAGizmo/PCAGizmo.htm
>
> Good luck!
>
> Thomas F. Divine
> http://www.pcausa.com

From: Thomas F. Divine on
I suspect that there's something missing in the documentation - or perhaps
something we have overlooked.

The best I can do is get traces on the current connection. The logs are
here:

Native Wi-Fi Traces: http://ndis.com/ndis-ndis6/default.htm#NativeTraces

Good luck!

Thomas F. Divine
http://rawether.net


"g b" <gb952325(a)gmail.com> wrote in message
news:b28068fa-93fa-414f-affe-a249714ee4e4(a)g1g2000vbr.googlegroups.com...
> If you get it working I'd be interested in knowing what you did. I
> also noticed that making sets to OID_GEN_CURRENT_PACKET_FILTER do not
> seem to be taking effect. For example, if I set the filter to 0, it
> shouldn't receive anything but it still does. I'm not noticing other
> OID calls being made to revert my filter sets, so maybe this is a
> clue... It's unclear from the documentation whether monitoring light
> weight filters are affected by filters differently somehow and maybe I
> need to set the filters from user mode or from a prot driver? That
> still wouldn't make sense, though, since everything else binds
> above native wifi; in theory the only possible way to access the raw
> native 802.11 packets should be from the filter driver... There must
> be something I'm doing wrong here...
From: Pavel A. on
It can be helpful to know the device model and vendor driver version.
Sometimes this matters.

Regards,
--pa


"g b" <gb952325(a)gmail.com> wrote in message
news:b28068fa-93fa-414f-affe-a249714ee4e4(a)g1g2000vbr.googlegroups.com...
> If you get it working I'd be interested in knowing what you did. I
> also noticed that making sets to OID_GEN_CURRENT_PACKET_FILTER do not
> seem to be taking effect. For example, if I set the filter to 0, it
> shouldn't receive anything but it still does. I'm not noticing other
> OID calls being made to revert my filter sets, so maybe this is a
> clue... It's unclear from the documentation whether monitoring light
> weight filters are affected by filters differently somehow and maybe I
> need to set the filters from user mode or from a prot driver? That
> still wouldn't make sense, though, since everything else binds
> above native wifi; in theory the only possible way to access the raw
> native 802.11 packets should be from the filter driver... There must
> be something I'm doing wrong here...