• Question

  • Hi everyone:

    When I use the function (NdisGetDataBuffer) to get the data I ask for, how can I be sure that the data belongs to the packet I caught?

    Another question: I did not understand how to use the NdisRetreatNetBufferDataStart and NdisAdvanceNetBufferDataStart functions.

    Thursday, July 5, 2012 8:55 AM

All replies

  • You know it is the correct packet, as you are passing in the NBL that was classified.  This NBL is, by default, a representation of a single packet (with a few exceptions like fragments and batch classifies).

    As the NBL traverses the TCPIP stack, headers are added or removed.  This affects the offset of the NBL.  You can use the following link to see where the data offset is for the layer you are classifying:  http://msdn.microsoft.com/en-us/library/ff546324(v=VS.85).aspx

    Based on which layer you are at, and what part of the packet you wish to inspect, you can determine whether you need to advance or retreat the offset.  If you look at the WFPSampler, you can see this logic as well as comments for the advancing and retreating (http://code.msdn.microsoft.com/Windows-Filtering-Platform-27553baa sys\ClassifyFunctions_BasicPacketInjection.cpp::PerformBasicPacketInjectionAtInboundNetwork)

    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    This posting is provided "AS IS", with NO warranties and confers NO rights

    Thursday, July 5, 2012 5:30 PM
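
The retreat/read/advance pattern described in the reply, as an added user-mode example that is not part of the original thread and not WFPSampler code. The `model_nb` type and `nb_*` helpers are hypothetical stand-ins for NET_BUFFER and the NDIS calls, and the example assumes the inbound network layer, where the data offset sits at the start of the transport header and the IP header size comes from the classify metadata.

```c
#include <stddef.h>
#include <stdint.h>

/* User-mode model of a NET_BUFFER data window (hypothetical, not the NDIS struct). */
typedef struct {
    const uint8_t *base;   /* start of the underlying buffer */
    size_t offset;         /* current data start, like the NET_BUFFER data offset */
    size_t length;         /* bytes from offset to the end of the packet */
} model_nb;

/* Move the data start back by delta bytes to expose an earlier header. */
static int nb_retreat(model_nb *nb, size_t delta) {
    if (delta > nb->offset) return -1;      /* nothing that far in front */
    nb->offset -= delta; nb->length += delta;
    return 0;
}

/* Move the data start forward by delta bytes to skip a header. */
static int nb_advance(model_nb *nb, size_t delta) {
    if (delta > nb->length) return -1;      /* would run past the packet */
    nb->offset += delta; nb->length -= delta;
    return 0;
}

/* Pointer to `need` bytes at the data start, or NULL if the packet is too short. */
static const uint8_t *nb_get_data(const model_nb *nb, size_t need) {
    return need <= nb->length ? nb->base + nb->offset : NULL;
}

/* Data start is past the IP header: retreat by the header size, read the
   IPv4 protocol byte, then advance by the same amount before returning. */
int read_ipv4_protocol(model_nb *nb, size_t ip_header_size) {
    int proto = -1;
    if (nb_retreat(nb, ip_header_size) != 0) return -1;
    const uint8_t *ip = nb_get_data(nb, ip_header_size);
    if (ip != NULL && ip_header_size >= 20 && (ip[0] >> 4) == 4)
        proto = ip[9];                      /* IPv4 protocol field */
    nb_advance(nb, ip_header_size);         /* always restore the original offset */
    return proto;
}

/* Constructed sample: 20-byte IPv4 header (protocol 6 = TCP) plus 4 payload bytes. */
static const uint8_t sample_packet[24] = {
    0x45,0,0,24, 0,0,0,0, 64,6,0,0, 192,0,2,1, 192,0,2,2, 0xde,0xad,0xbe,0xef };

/* The window as the inbound network layer would present it (offset past IP header). */
model_nb sample_inbound_nb(void) {
    model_nb nb = { sample_packet, 20, 4 };
    return nb;
}
```

In a real callout the same balance applies: every successful retreat is matched by an advance of the same size before the NBL is returned to the stack, including on error paths.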