From: Gianluca Varenni on

"Jess Howe" <JessHowe(a)discussions.microsoft.com> wrote in message
news:403CF7BA-F8A7-47A2-9EBE-E4D1A2FD58BC(a)microsoft.com...
> Gianluca,
>
> Yes, NICSetPacketFilter is called in ndiswdm setting it to PROMISCUOUS, just
> like what happens in my driver. It is interesting to note, however, that when
> I'm running wireshark on top of ndiswdm, a ping request shows up twice, and
> the reply once. And when wireshark is running on my driver, I only see the
> request once and the reply once, but the ping app doesn't see the reply.

This is quite interesting. You are basically saying that the behavior of
NdisProt and winpcap (both bound to your ndiswdm miniport) is different:
they both set the miniport into promiscuous mode, but in the case of
ndisprot, the ping app (actually tcpip.sys) still receives the packet. In
the case of winpcap, tcpip.sys doesn't receive the ping reply. Right? If
so, are you sure that ndisprot is receiving both the request and the reply?

Have a nice day
GV

>
> Regards,
> Jess
>
> "Gianluca Varenni" wrote:
>
>> Are you sure that ndisprot sets the HW filter to PROMISCUOUS or ALL_LOCAL?
>> The problem arises when the HW filter is set to either of these values
>> (WinPcap uses these two filters).
>>
>> Have a nice day
>> Gianluca Varenni
>> WinPcap Team
>>
>>
>> "Jess Howe" <Jess Howe(a)discussions.microsoft.com> wrote in message
>> news:57A60130-4F27-40E3-86A0-FB1D18C4C107(a)microsoft.com...
>> > Hi,
>> > I am writing a deserialized NDIS virtual miniport driver that indicates
>> > packets up to protocols with NdisMIndicateReceivePacket, one at a time.
>> > Under normal operation, packets are indicated up just fine. However, when
>> > I run a packet sniffer like wireshark on winpcap, the sniffer sees all the
>> > packets, but the app that was using the packets doesn't see the receive
>> > packets. For example, I'll ping a remote computer and it'll receive the
>> > ping replies just fine until I start capturing the packets with wireshark.
>> > Then it just times out. I can see the reply packets getting indicated up
>> > just like always in the windows windbg, but somehow they're not getting
>> > copied to tcpip and the packet capturer. I can't understand why it works
>> > fine with the ndiswdm/ndisprot sample setup and not with mine, when my
>> > stuff is based on netvmini, the same base as ndiswdm.


From: Alireza Dabagh [MS] on
Can you break into debugger and do !ndiskd.protocols and see if when things
work fine, tcpip happens to be the only protocol bound to your adapter?

When there is only one protocol bound to an adapter, NDIS pretty much
indicates everything it gets from the underlying adapter to the bound
protocol without any filtering. However when more than one protocol binds to
the adapter (for example TCPIP + WINPCAP) then NDIS does some filtering
before indicating the packets up.

The behavior above has the side effect of (for example) letting the driver
get away with using a "multicast" address as its MAC address when TCPIP
is the only bound protocol. But as soon as another protocol binds to the
adapter, TCPIP will not see those packets.

-ali

--
This posting is provided "AS IS" with no warranties, and confers no rights.
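
The filtering behaviour described in this post, as a simplified model added here as an example (not NDIS code and not written by any poster in the thread). The `binding` structure, `would_indicate`, the order of the checks and the sample MAC addresses are assumptions; only the `NDIS_PACKET_TYPE_*` values are the real DDK constants.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Packet-filter bits as defined in the Windows DDK header ntddndis.h. */
#define NDIS_PACKET_TYPE_DIRECTED    0x00000001u
#define NDIS_PACKET_TYPE_MULTICAST   0x00000002u
#define NDIS_PACKET_TYPE_BROADCAST   0x00000008u
#define NDIS_PACKET_TYPE_PROMISCUOUS 0x00000020u
/* Hypothetical model of one protocol binding; not an NDIS structure. */
struct binding {
    uint32_t filter;            /* packet filter the protocol requested */
    const uint8_t (*mcast)[6];  /* multicast addresses it registered */
    size_t n_mcast;
};

/* Constructed sample data: one MAC with the group (I/G) bit set, one without. */
const uint8_t MAC_GROUP[6]   = {0x03, 0x11, 0x22, 0x33, 0x44, 0x55};
const uint8_t MAC_UNICAST[6] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55};
const struct binding TCPIP   = {NDIS_PACKET_TYPE_DIRECTED |
    NDIS_PACKET_TYPE_MULTICAST | NDIS_PACKET_TYPE_BROADCAST, NULL, 0};
const struct binding SNIFFER = {NDIS_PACKET_TYPE_PROMISCUOUS, NULL, 0};
/* Returns 1 if, in this model, binding b is handed a frame addressed to dst. */
int would_indicate(const struct binding *b, size_t n_bound,
                   const uint8_t dst[6], const uint8_t nic_mac[6])
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    /* Sole bound protocol, or promiscuous filter: nothing is filtered out. */
    if (n_bound == 1 || (b->filter & NDIS_PACKET_TYPE_PROMISCUOUS))
        return 1;
    if (memcmp(dst, bcast, 6) == 0)
        return (b->filter & NDIS_PACKET_TYPE_BROADCAST) != 0;
    if (dst[0] & 0x01) {  /* assumed: group bit is tested before the MAC compare */
        if (!(b->filter & NDIS_PACKET_TYPE_MULTICAST))
            return 0;
        for (size_t i = 0; i < b->n_mcast; i++)
            if (memcmp(dst, b->mcast[i], 6) == 0)
                return 1;
        return 0;
    }
    return (b->filter & NDIS_PACKET_TYPE_DIRECTED) &&
           memcmp(dst, nic_mac, 6) == 0;
}

int main(void) {
    printf("tcpip alone: %d\n", would_indicate(&TCPIP, 1, MAC_GROUP, MAC_GROUP));
    printf("tcpip + sniffer: %d\n", would_indicate(&TCPIP, 2, MAC_GROUP, MAC_GROUP));
    return 0;
}
```

In this model a miniport whose own MAC has the group bit set works while TCPIP is the only binding, and TCPIP stops receiving its frames once a second protocol binds, while the promiscuous binding still receives them.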



From: Jess Howe on
Alireza,
I did as you suggested, and it was bound to tcpip and another protocol
before running wireshark. After running wireshark, it was bound to "Protocol"
as well as tcp and the other one ("Ndisoiu" or something like that).
Anyway, I tried changing the base code that I used to put my functionality on
from netvmini to ndiswdm, and it appears to be working now as it should! I
still don't understand why though.

Regards,
Jess
