TCP header info from a TDI driver

  • Question

  • I am creating a driver that uses TDI (deprecated, I know; I have a working WFP version but need a TDI one as well).  The driver takes various info from incoming packets and passes the info up to a user-land app which logs it.  This works.  The problem I am experiencing is that I cannot find any way to access the information in the transport layer header.  Specifically I need to be able to access the syn/ack values in TCP headers when the pertinent packet is TCP.  In order to capture packet data I am using registered callback functions that are triggered on events, as explained here:

    "A client can also receive data from its remote-node peer as an event notification from the underlying TDI transport driver. For these notifications, the driver removes the transport layer header from the TSDU that it receives from the remote node and calls the client's registered ClientEventReceive, ClientEventChainedReceive, ClientEventReceiveExpedited, or ClientEventChainedReceiveExpedited handler." (from http://msdn.microsoft.com/en-us/library/ms801404.aspx)

    O.K.  So it looks like the driver is removing my transport layer header from the TSDU before passing me my TSDU.  This is a problem.  I have no idea how I can access the transport layer header via TDI.  Ideally I would access this header from inside my ClientEventReceive handler as this is the function that is building the data struct that is passed to user land to be dumped to a log.

    I did find the following on the same page as above:

    "[In your handler you can] make another TDI_RECEIVE receive request to obtain the remainder of the TSDU data."

    But I have little reason to believe the "remainder" would have the header anyway.

    Can anyone suggest how to get at the TCP header information and thus associate a sequence number (syn/ack) with the other data I'm pulling up for each packet (source IP/port, dest IP/port, data, etc.)?


    P.S. Not sure if this should be here or in the winsock kernel forum (ln -s this there).
    Friday, February 19, 2010 6:01 AM

All replies

  • As far as I know there is no documented way to fetch the transport headers from ClientEventReceive.

    No, the "remainder" would not include the information you are looking for.

    In some cases a TDI filter may have a companion NDIS filter. Between the two of them all necessary information can be collected.

    Sorry!

    Thomas F. Divine
    http://www.pcausa.com



    Friday, February 19, 2010 2:19 PM
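
    Added example, not part of the thread or of any vendor sample: the reply above says a companion NDIS-level component can supply what ClientEventReceive lacks, so this portable C sketch shows the parsing such a component would do to recover the TCP sequence and acknowledgment numbers plus the addresses and ports needed to match them to TDI-side records. It assumes the frame is Ethernet II carrying IPv4 and has already been copied into one contiguous buffer; `tcp_info`, `parse_tcp_frame` and `SAMPLE_FRAME` are hypothetical names, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Header fields visible below the transport (e.g. to an NDIS-level filter)
   but already stripped by the time a TDI ClientEventReceive handler runs. */
typedef struct {
    uint32_t src_ip, dst_ip;      /* host byte order */
    uint16_t src_port, dst_port;
    uint32_t seq, ack;            /* TCP sequence / acknowledgment numbers */
    uint8_t  flags;               /* TCP flags byte: SYN=0x02, ACK=0x10, ... */
} tcp_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse an Ethernet II frame; 0 on success, -1 if it is not a complete
   IPv4/TCP header (wrong type, truncated, or a non-first IP fragment). */
int parse_tcp_frame(const uint8_t *f, size_t len, tcp_info *out)
{
    if (len < 14 + 20 || rd16(f + 12) != 0x0800) return -1;
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;          /* IP options shift TCP */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return -1;
    if (rd16(ip + 6) & 0x1FFF) return -1;             /* later fragment */
    if (len < 14 + ihl + 20) return -1;
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;         /* TCP header length */
    if (doff < 20 || len < 14 + ihl + doff) return -1;
    out->src_ip = rd32(ip + 12);  out->dst_ip = rd32(ip + 16);
    out->src_port = rd16(tcp);    out->dst_port = rd16(tcp + 2);
    out->seq = rd32(tcp + 4);     out->ack = rd32(tcp + 8);
    out->flags = tcp[13];
    return 0;
}

/* Constructed sample: 192.168.1.10:1234 -> 192.168.1.20:80, PSH+ACK,
   seq=1000, ack=2000. Checksums are zeroed and not verified here. */
const uint8_t SAMPLE_FRAME[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x14,
    0x04,0xd2,0x00,0x50, 0x00,0x00,0x03,0xe8, 0x00,0x00,0x07,0xd0,
    0x50,0x18,0x20,0x00, 0x00,0x00,0x00,0x00
};
```

    The parsed address and port pair is the key for joining these values with the per-connection data the TDI handler already reports.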
  • Thanks for the reply!

    I am actually working from your excellent samples, and humbled to get the reply straight from you!  My company has purchased the TDI driver sample set.  You wouldn't happen to know if there is an example in this set that has a companion NDIS filter, would you?

    If there is not such a sample, is there any chance you could point me to some keywords, tutorials, even MSDN docs on the right topic to get me started in making an NDIS companion filter for an existing TDI driver?

    [EDIT]:


    Deleted edit 1, upon further examination, it was a trivial question.
    Monday, February 22, 2010 1:22 AM