OID Request Handling for an NDIS miniport

  • Question

  • 1) I'm able to see Sent Packets being updated in the Adapter Status GUI, but Received Packets remains 0. The code snippet is below:

     case OID_GEN_RCV_OK:
         /* ulInfo64 = Adapter->FramesRxBroadcast
                     + Adapter->FramesRxMulticast
                     + Adapter->FramesRxDirected; */
         //ulInfo64 = Adapter->RxFramesSent;
         ulInfo64 = Adapter->RxFramesReceived;
         pInfo = &ulInfo64;
         if (Query->InformationBufferLength >= sizeof(ULONG64) ||
             Query->InformationBufferLength == 0)
         {
             ulInfoLen = sizeof(ULONG64);
         }
         else
         {
             ulInfoLen = sizeof(ULONG);
         }
         // We should always report that only 8 bytes are required to keep ndistest happy
         Query->BytesNeeded = sizeof(ULONG64);
         break;
    

    2) Also, do I need to update all the General statistics members if my HW keeps track of the multicast, broadcast and directed packets and their stats? I am not using a receive queue filter to filter out the packets, or for that matter even in the transmit path. I'm only zero-padding runt packets, even though the hardware is also capable of zero-padding packets < 60 bytes.


    With regards, Jenson Alex Pais

    Tuesday, November 8, 2016 1:22 PM

Answers

  • OID_GEN_RCV_OK is legacy. You need both

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    • Marked as answer by JENSON PAIS Tuesday, November 8, 2016 9:09 PM
    Tuesday, November 8, 2016 8:49 PM
    Moderator

All replies

  • 1. Are you also handling OID_GEN_STATISTICS? It is required

    2. No, you don't need to maintain updated copies in the driver until a query comes in

     -Brian



    Tuesday, November 8, 2016 8:33 PM
    Moderator
  • Hi Brian, cheers for the reply.

    1. Yes, I am going to handle OID_GEN_STATISTICS. But which OID request ends up displaying the number of received packets in the status part of the adapter GUI? Even though I keep incrementing the received packets in the RX datapath of my driver, the value being given to OID_GEN_RCV_OK isn't getting updated.


    With regards, Jenson Alex Pais

    Tuesday, November 8, 2016 8:47 PM
  • OID_GEN_RCV_OK is legacy. You need both

     -Brian



    • Marked as answer by JENSON PAIS Tuesday, November 8, 2016 9:09 PM
    Tuesday, November 8, 2016 8:49 PM
    Moderator
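    A worked version of the two answers above (handle OID_GEN_STATISTICS as well as the legacy OID_GEN_RCV_OK, and compute the values only when a query arrives), added here as an illustration; it is not code from the thread, from the poster's driver, or from any Microsoft sample. It is a user-mode model: the NDIS types, status codes, OID numbers and NDIS_STATISTICS_FLAGS_* values are stand-ins so it builds with a plain C compiler, the counter names on the ADAPTER struct are assumed, and the NDIS_OBJECT_HEADER is left out. What it adds to the posted snippet is the length check that the snippet relies on further down in its handler: InformationBuffer and InformationBufferLength come from whoever issued the request, so the handler writes exactly the bytes that fit or refuses with NDIS_STATUS_BUFFER_TOO_SHORT and BytesNeeded set, and statistics the hardware cannot attribute (the error and discard counters discussed later in the thread) stay zero with their SupportedStatistics bit clear.

```c
/* Added example, not code from the thread: a user-mode model of an NDIS 6
 * miniport query handler for OID_GEN_RCV_OK and OID_GEN_STATISTICS. Every
 * type, status code, OID number and flag value here is a simplified stand-in
 * (assumption) so it compiles without ndis.h; names follow ndis.h and the
 * field order of NDIS_STATISTICS_INFO, minus the NDIS_OBJECT_HEADER. */
#include <stdint.h>
#include <string.h>

typedef uint32_t ULONG; typedef uint64_t ULONG64;

#define NDIS_STATUS_SUCCESS          0          /* stand-in status codes */
#define NDIS_STATUS_BUFFER_TOO_SHORT 1
#define NDIS_STATUS_NOT_SUPPORTED    2
#define OID_GEN_RCV_OK               0x00020102 /* assumed OID values */
#define OID_GEN_STATISTICS           0x00020106
/* SupportedStatistics bits: a set bit means "this counter is reported". */
#define NDIS_STATISTICS_FLAGS_VALID_DIRECTED_FRAMES_RCV   0x001
#define NDIS_STATISTICS_FLAGS_VALID_MULTICAST_FRAMES_RCV  0x002
#define NDIS_STATISTICS_FLAGS_VALID_BROADCAST_FRAMES_RCV  0x004
#define NDIS_STATISTICS_FLAGS_VALID_BYTES_RCV             0x008
#define NDIS_STATISTICS_FLAGS_VALID_RCV_ERROR             0x020
#define NDIS_STATISTICS_FLAGS_VALID_DIRECTED_FRAMES_XMIT  0x040
#define NDIS_STATISTICS_FLAGS_VALID_MULTICAST_FRAMES_XMIT 0x080
#define NDIS_STATISTICS_FLAGS_VALID_BROADCAST_FRAMES_XMIT 0x100
#define NDIS_STATISTICS_FLAGS_VALID_BYTES_XMIT            0x200

typedef struct {                 /* subset of NDIS_STATISTICS_INFO */
    ULONG   SupportedStatistics;
    ULONG64 ifInDiscards, ifInErrors, ifHCInOctets;
    ULONG64 ifHCInUcastPkts, ifHCInMulticastPkts, ifHCInBroadcastPkts;
    ULONG64 ifHCOutOctets, ifHCOutUcastPkts, ifHCOutMulticastPkts, ifHCOutBroadcastPkts;
    ULONG64 ifOutErrors, ifOutDiscards;
} STATS_INFO;

typedef struct {                 /* datapath counters; field names are assumed */
    ULONG64 FramesRxDirected, FramesRxMulticast, FramesRxBroadcast, BytesRx;
    ULONG64 FramesTxDirected, FramesTxMulticast, FramesTxBroadcast, BytesTx;
} ADAPTER;

typedef struct {                 /* stand-in for NDIS_OID_REQUEST DATA.QUERY_INFORMATION */
    ULONG Oid;
    void *InformationBuffer;
    ULONG InformationBufferLength;
    ULONG BytesWritten;
    ULONG BytesNeeded;
} QUERY_REQUEST;

/* The buffer and its length come from the requester: write exactly `len`
 * bytes when they fit, otherwise write nothing and report what is needed. */
static int complete_query(QUERY_REQUEST *q, const void *src, ULONG len)
{
    q->BytesNeeded = len;
    if (q->InformationBufferLength < len) {
        q->BytesWritten = 0;
        return NDIS_STATUS_BUFFER_TOO_SHORT;
    }
    memcpy(q->InformationBuffer, src, len);
    q->BytesWritten = len;
    return NDIS_STATUS_SUCCESS;
}

int handle_query(const ADAPTER *a, QUERY_REQUEST *q)
{
    switch (q->Oid) {
    case OID_GEN_RCV_OK: {
        /* Legacy 64-bit count of good receives, computed at query time. As in
         * the posted snippet a 4-byte requester gets the low dword (little-
         * endian assumed) and a zero-length probe is told 8 bytes are needed. */
        ULONG64 total = a->FramesRxDirected + a->FramesRxMulticast + a->FramesRxBroadcast;
        ULONG len = (q->InformationBufferLength >= sizeof(ULONG64) ||
                     q->InformationBufferLength == 0) ? sizeof(ULONG64) : sizeof(ULONG);
        int st = complete_query(q, &total, len);
        q->BytesNeeded = sizeof(ULONG64);  /* always report 8, as the snippet does */
        return st;
    }
    case OID_GEN_STATISTICS: {
        /* The NDIS 6 structure the status UI reads. Counters the hardware cannot
         * attribute (errors/discards here) stay zero AND keep their bit clear. */
        STATS_INFO s;
        memset(&s, 0, sizeof s);
        s.ifHCInUcastPkts      = a->FramesRxDirected;
        s.ifHCInMulticastPkts  = a->FramesRxMulticast;
        s.ifHCInBroadcastPkts  = a->FramesRxBroadcast;
        s.ifHCInOctets         = a->BytesRx;
        s.ifHCOutUcastPkts     = a->FramesTxDirected;
        s.ifHCOutMulticastPkts = a->FramesTxMulticast;
        s.ifHCOutBroadcastPkts = a->FramesTxBroadcast;
        s.ifHCOutOctets        = a->BytesTx;
        s.SupportedStatistics =
            NDIS_STATISTICS_FLAGS_VALID_DIRECTED_FRAMES_RCV  | NDIS_STATISTICS_FLAGS_VALID_MULTICAST_FRAMES_RCV |
            NDIS_STATISTICS_FLAGS_VALID_BROADCAST_FRAMES_RCV | NDIS_STATISTICS_FLAGS_VALID_BYTES_RCV |
            NDIS_STATISTICS_FLAGS_VALID_DIRECTED_FRAMES_XMIT | NDIS_STATISTICS_FLAGS_VALID_MULTICAST_FRAMES_XMIT |
            NDIS_STATISTICS_FLAGS_VALID_BROADCAST_FRAMES_XMIT | NDIS_STATISTICS_FLAGS_VALID_BYTES_XMIT;
        return complete_query(q, &s, sizeof s);
    }
    default:
        q->BytesWritten = q->BytesNeeded = 0;
        return NDIS_STATUS_NOT_SUPPORTED;
    }
}
```

    In a real miniport this logic lives in the MiniportOidRequest handler, with the four fields modelled by QUERY_REQUEST read from and written back to NDIS_OID_REQUEST's DATA.QUERY_INFORMATION; the zero-length probe and the BytesNeeded rule are what ndistest exercises, and the too-short path is the one that must never memcpy.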
  • Thanks, will give it a try tomorrow. 

    With regards, Jenson Alex Pais

    Tuesday, November 8, 2016 9:09 PM
  • Hi Brian,

    The issue I'm facing is that the CRC errors and discards are done by the hardware. But since my hardware is a triple-redundancy Ethernet card, I can't be sure which of the 3 ports provided the packet that I'm receiving. So is it okay if I ignore those members of the OID_GEN_STATISTICS structure?


    With regards, Jenson Alex Pais


    • Edited by JENSON PAIS Friday, November 11, 2016 8:28 AM
    Friday, November 11, 2016 8:28 AM
  • That's a poorly designed piece of hardware if you cannot query that for each interface, but if you cannot, then just return zeroes for those fields - and inform the hardware team that they screwed up, and that they should look at the requirements for a Windows driver before they design hardware, again. 

     -Brian



    Friday, November 11, 2016 11:18 PM
    Moderator
  • Followed up on your advice and pestered the H/W guys. It seems I can access each port statistics but I won't know which port has received the packet. I would need to check which port's link is up and then query the NIC registers for stats. 

    Also they realized that the H/W will need to make a lot of changes to the NIC in order for it to work harmoniously on Windows than on Linux. For any new cards, they'll look at the requirements for Windows first. 

    The only other issue I have is that Microsoft Network Monitor is able to detect my adapter when the driver is installed. But Wireshark detects the adapter only after a system restart/reboot. I get "No Interfaces" found when I install the driver for the first time. Does Wireshark need some other filter?

    Thanks again Brian. 


    With regards, Jenson Alex Pais

    Monday, November 14, 2016 5:49 AM
  • Do you mean the Microsoft Message Analyzer? (NetMon hasn't been supported in about a decade.) In either case, I don't know which APIs/methods are used by Wireshark or the MS tools, and it would take me a few hours to figure it out. You might try ProcMon or WPA to figure out how those tools are accessing the NICs. Check the C:\Windows\INF\SetupAPI.Dev.Log file for errors and why it wants a reboot.

     -Brian



    Monday, November 14, 2016 6:21 AM
    Moderator
  • I forgot to mention my driver is for Windows 7 and NetMon seems to be working fine with it. Will also take a look at the log file and check if there are any errors or not. 

    With regards, Jenson Alex Pais

    Monday, November 14, 2016 12:59 PM
  • Try Microsoft Message Analyzer and see if that works

     -Brian



    Monday, November 14, 2016 10:36 PM
    Moderator
  • Hi Brian,

    Microsoft Message Analyzer managed to get the adapter interface and display the packets being sent and received. It's only Wireshark that can't access the interface unless I restart the system. Obviously I can ask the client to use Microsoft Message Analyzer instead of Wireshark rather than restarting the system. They are using Wireshark on their Linux systems.

    p.s.: As per my understanding, WinPCap is the protocol driver that provides Wireshark with the packets. I believe that there is no binding between my driver and WinPCap, which is why there is no interface detected. But after a restart the binding is successful and I can access my interface through Wireshark. Please correct me if I'm wrong. 


    With regards, Jenson Alex Pais


    • Edited by JENSON PAIS Wednesday, November 16, 2016 9:39 AM WinPCap added
    Tuesday, November 15, 2016 6:34 AM
  • Hi Brian,

    I have noticed the Activity in the LAN Status shows packets instead of bytes. I checked another adapter on the development machine and it shows bytes. Is there an explicit way to show bytes instead of packets?



    With regards, Jenson Alex Pais

    Thursday, November 17, 2016 4:33 AM
  • I'm not sure. Are you returning non-zero for all the fields in OID_GEN_STATISTICS?

     -Brian



    Thursday, November 17, 2016 5:32 AM
    Moderator
  • Brian, thanks for the prompt reply even though it's late in the night.

    I'm returning zeroes for the ifInErrors and ifOutErrors and discards. Will see if that is why the statistics are being ignored and packets are displayed instead. So OID_GEN_STATISTICS is fussy about all members being filled correctly.

    p.s.: Also the Wireshark issue seems to be a WinPCap limitation/bug according to this: http://www.winpcap.org/pipermail/winpcap-bugs/2010-March/001183.html  Could you please confirm if this is true, or who I should mail/contact to confirm.


    With regards, Jenson Alex Pais




    • Edited by JENSON PAIS Thursday, November 17, 2016 1:07 PM Wireshark Issue
    Thursday, November 17, 2016 6:41 AM
  • It looks like WinPCap either doesn't have a notify object, or it isn't processing notifies correctly. WinPCap (www.winpcap.org) doesn't appear to have had any active development for 3-4 years. Yang Luo was here asking questions about 18 months ago, and he created something named NPCap for NDIS 6 (https://github.com/nmap/npcap) that appears to be a replacement for WinPCap. I don't know if it has a notify object. You would have to figure out how to get Wireshark to use NPCap.

     -Brian



    Saturday, November 19, 2016 2:06 AM
    Moderator
  • Hi Brian,

    Cheers for that bit of information. For now, I just needed some sort of proof that WinPCap had some limitations. I'll look into NPCap and see if I can get it to work with Wireshark.

    Both issues have been resolved, thanks to you. Your help is much appreciated as always.  


    With regards, Jenson Alex Pais

    Monday, November 21, 2016 4:30 AM