locked
PACKET HEADER RRS feed

  • Question

  • HI every one :

    I want to ask why i needed to used the function NdisRetreatNetBufferDataStart()(I know its uses to increases the used area),but i did not understand why i need to increase used area

    second question: How i can got the time of arrived of packet because i needed this time in my program

    Saturday, July 14, 2012 11:47 AM

All replies

  • It's essentially a wrapper for doing pointer arithmetic (with extra functionality). As the packet traverses the stack, the data offset changes due to stripping of the headers.  This means that at different layers, the data offset points to different locations in the packet.  in order to see the previous locations, this function simplifies walking the pointer back. 

    See the WFPSampler for how it is being used:
    http://code.msdn.microsoft.com/windowshardware/Windows-Filtering-Platform-27553baa/sourcecode?fileId=51338&pathId=1593545230

    and the NBL's data offsets for the various layers:
    http://msdn.microsoft.com/en-us/library/windows/hardware/ff546324(v=vs.85).aspx

    As for the time received, you would need to implement a callout and get the time yourself.  You would sit at FWPM_LAYER_INBOUND_MAC_FRAME_ETHERNET (Win8+ and if you are picky about when NDIS first sees the packet) or FWPM_LAYER_INBOUND_IPPACKET_V{4 | 6} (Vista+ and if you only care about when the TCP/IP stack first sees it).

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Monday, July 16, 2012 4:53 PM
    Moderator