none
Packets capture issue of handling the NET_BUFFER_LIST in NDIS LWF driver RRS feed

  • Question

  • Dear all:

    I'm working on establishing a NDIS LWF driver that handle the specific packets from other Ethernet device with Windows 7.

    What I want to do is to block those packets from the device.

    I've reference the NDIS LWF driver sample code and mainly modified the FilterReceiveNetBufferLists() routine for check & block packets, with established 2 linked lists for dropping packets and passing packets.

    This goes fine if I drop/pass the whole NetBufferLists within everytimes FilterReceiveNetBufferLists() called without divide the NetBufferLists into the 2 linked lists, but it comes to a strange situation that even if I only put every NetBufferLists into the linked lists for passing, I cannot get all output packets that I send to the Ethernet device by using Wireshark that is using WinPCap API.

    The output packets seems reached the device for that I can still receive the respond packet from the device which is for the packets I send. The packets will be seen if I detach the LWF driver.

    Since I only working on the received packets, I have no ideas about why this have any influence on the output packets capturing. Is there any clues about the reason why this happen? 

    Thank you in advance.

    BR

    Thursday, January 23, 2014 2:55 AM

Answers

  • Wireshark enables loopback mode. When loopback is enabled, packets that are sent are also received.

    You should do two things:

    Check each NBL for the NDIS_NBL_FLAGS_IS_LOOPBACK_PACKET flag.  If this flag is set, ignore the NBL and always pass it through.  This NBL is not a regular receive NBL; instead it's a send NBL that is routed through the receive path.

    Make sure you do not call NdisFSendNetBufferListsComplete when the ReceiveFlags contains NDIS_RECEIVE_FLAGS_RESOURCES.

    Thursday, January 23, 2014 10:28 PM