none
802.11 and Ethernet traffic capture and send in a single NDIS LWF RRS feed

  • Question

  • I have a modifying NDIS LWF driver. It's like linux's libpcap by providing API for software to capture and send packets. I know changing FilterClass to something like ms_medium_converter_128 can bind my filter between the NIC and Native Wifi Filter. So my filter can get 802.11 traffic instead of Ethernet traffic.

    But as you know, libpcap provides 802.11 packets in monitor mode and Ethernet traffic in other conditions on Linux. I want to follow this behavior. So I need a way to "switch" between "below NWifi" and "above NWifi" without changing INF's FilterClass and reinstalling the driver. So I can do this "switch" when the wifi adapter's operation mode changes immediately.

    So the problem is how to do this. I can think of several ways.

    1. Bind my filter below NWifi and do the Wifi-Lan emulation all by myself. However, this is just re-implementing what NWifi does, and it seems to be too complicated after searching so many posts. (I even think there's still nobody ever managed to do this)
    2. Make two filters, one is below NWifi and the other is above NWifi, then let user-mode DLLs choose which driver to use based on the operation mode. This seems to work but I don't like it. Because it requires me to maintain two drivers. And two drivers will also prolong the installation time on the end-user side.

    So I'm waiting for a better solution. Like: is there a way for my filter to bind both "below NWifi" and "above NWifi"? Or change the FilterClass without driver re-installation? Thanks!

    Wednesday, August 10, 2016 2:50 PM

Answers

  • Use two filters, most of the core code will be the same, if you are clever this can be handled by structuring things so there is only a couple of unique files per driver.   The installation time is so small it is unlikely ever to be noticed.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Thursday, August 11, 2016 12:48 AM