Re: NDIS IM driver vs TDI filter
From: Strauss (strauss_at_microsoft.com)
Date: 02/09/04
- Next message: Strauss: "Re: NDIS IM driver vs TDI filter"
- Previous message: G.: "Re: Kernel malloc/realloc?"
- In reply to: Brian Catlin: "Re: NDIS IM driver vs TDI filter"
- Next in thread: Maxim S. Shatskih: "Re: NDIS IM driver vs TDI filter"
- Reply: Maxim S. Shatskih: "Re: NDIS IM driver vs TDI filter"
- Reply: Brian Catlin: "Re: NDIS IM driver vs TDI filter"
Date: Sun, 08 Feb 2004 22:09:54 -0300
Brian:
Considering:
- Intercepting RAS over modem is EXTREMELY difficult (and I need
this). Intercepting the protocol, I'll see the traffic from all adapters.
- To develop an NDIS IM I need to study NDIS (not too hard, but... :-))
- In NDIS I will deal with packets, and I don't want to go so low-level
- I know how to replace an IRP buffer, deal with MDLs, etc.
Isn't a TDI filter the better option? In the beginning, I'll need only to
reject connections based on the destination address, so I'll need to
hook the connection IRP only.
Thank you in advance,
Strauss
>>I want to develop a TCP/IP filter. The requisites are:
>>
>>- I don't need to view/change raw or ethernet packets
>>- I need to reject incoming/outgoing connections based on IP/port
>>- I need to deal with RAS.
>>- It would be good if I could modify data, but I don't need it now.
>>
>>I have been reading a lot of stuff about the pros/cons of NDIS IM driver
>>and TDI filter drivers. That's my conclusion, please correct me if my
>>assumptions are wrong:
>>
>>- NDIS IM will filter interfaces/adapters. So, I'll need to attach to
>>all adapters, and monitor new adapters (RAS?). I'll also need to deal
>>with packet data and raw IP.
>
>
> Intercepting RAS over modem is EXTREMELY difficult in an intermediate driver.
> I've done it, and I don't wish it on anyone else. If you don't need to worry
> about modem, then an intermediate is probably OK
>
>
>>- To develop an NDIS IM, common kernel development skills and layered
>>driver knowledge are not enough, since NDIS uses other
>>functions/interfaces. But, there's a sample in DDK and some pages about
>>how to deal with RAS adapters.
>
>
> True. You need to understand the NDIS upper-edge (miniport edge) and the NDIS
> lower-edge (protocol edge). Just about everything you know about driver
> development - with the exception of debugging - won't be useful when developing
> an NDIS driver
>
>
>>- A TDI filter is a common layered (legacy) driver, like File System
>>Filters. And hooking TCP and UDP device objects I'll hook all TCP/IP
>>traffic. If I know how to attach to a device object and how to deal with
>>IRPs I'll not have (big) problems.
>
>
> If you sit on top of TCP, then filtering the connection is a little harder.
> Also, there are some big issues with layering on top of TCP, specifically
> because NETBEUI/NETBIOS is broken in the way it assumes that there aren't any
> layers on top of TCP. The trick is to get attached before NETBIOS does. You
> also have to make sure that nothing else is going on in the system when you do
> your attachment - a difficult thing to do.
>
>
>>What's the best option, considering I have NT FileSystem development
>>background? I think what I need is a low level LSP, not a packet analyzer.
>
>
> That depends upon what type of RAS filtering you have to do. If you don't have
> to worry about RAS over WAN things (modem) then an intermediate driver will
> probably be OK.
>
>
>>I hope I made myself clear.
>
>
> Clear enough.
>
> -Brian
>
> Brian Catlin, Sannas Consulting 310-944-9492
> Windows Network, Video, WDM Device Driver Training & Consulting
> See WWW.AZIUS.COM.bad for courses and scheduling
> REMOVE .BAD FROM EMAIL AND WEB ADDRESS
>
>
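The destination-address check discussed in this message, as an added example that is not part of the original post or of any DDK sample: a user-space C sketch of the policy decision a TDI filter would make on the remote address carried by a connect request. It assumes the packed TRANSPORT_ADDRESS / TA_ADDRESS / TDI_ADDRESS_IP layout from tdi.h on a little-endian host; `check_remote`, `struct rule` and the sample buffers are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>

#define TDI_ADDRESS_TYPE_IP   2    /* value from tdi.h */
#define TDI_ADDRESS_LENGTH_IP 14   /* sin_port(2) + in_addr(4) + sin_zero(8) */
enum verdict { ALLOW = 0, REJECT = 1 };
/* Hypothetical policy entry: IPv4 net/mask in host order, port 0 = any port. */
struct rule { uint32_t net, mask; uint16_t port; };

static uint32_t le(const uint8_t *p, int n) { uint32_t v = 0; while (n--) v = v << 8 | p[n]; return v; }
static uint32_t be(const uint8_t *p, int n) { uint32_t v = 0; for (int i = 0; i < n; i++) v = v << 8 | p[i]; return v; }

/* Walk a packed TRANSPORT_ADDRESS (LONG TAAddressCount, then TA_ADDRESS
 * entries: USHORT AddressLength, USHORT AddressType, Address[]) and test each
 * IP entry against the rules. Malformed or truncated buffers fail closed. */
enum verdict check_remote(const uint8_t *buf, size_t len,
                          const struct rule *rules, size_t nrules)
{
    if (len < 4) return REJECT;
    int32_t count = (int32_t)le(buf, 4);
    if (count <= 0) return REJECT;
    size_t off = 4;
    for (int32_t i = 0; i < count; i++) {
        if (len - off < 4) return REJECT;            /* entry header truncated */
        size_t alen = le(buf + off, 2);
        uint16_t type = (uint16_t)le(buf + off + 2, 2);
        off += 4;
        if (alen > len - off) return REJECT;         /* body overruns the buffer */
        if (type == TDI_ADDRESS_TYPE_IP) {
            if (alen < TDI_ADDRESS_LENGTH_IP) return REJECT;
            uint16_t port = (uint16_t)be(buf + off, 2);  /* network byte order */
            uint32_t addr = be(buf + off + 2, 4);        /* network byte order */
            for (size_t r = 0; r < nrules; r++)
                if ((addr & rules[r].mask) == rules[r].net &&
                    (rules[r].port == 0 || rules[r].port == port))
                    return REJECT;
        }
        off += alen;                                 /* non-IP entries are skipped */
    }
    return ALLOW;
}

/* Constructed samples: one IP entry each, 10.1.2.3:445 and 192.0.2.10:80. */
static const uint8_t SAMPLE_BLOCKED[] = { 1,0,0,0, 14,0, 2,0, 0x01,0xBD, 10,1,2,3, 0,0,0,0,0,0,0,0 };
static const uint8_t SAMPLE_ALLOWED[] = { 1,0,0,0, 14,0, 2,0, 0x00,0x50, 192,0,2,10, 0,0,0,0,0,0,0,0 };
static const struct rule RULES[] = { { 0x0A000000u, 0xFF000000u, 0 } };  /* 10.0.0.0/8, any port */

int main(void)
{
    return !(check_remote(SAMPLE_BLOCKED, sizeof SAMPLE_BLOCKED, RULES, 1) == REJECT &&
             check_remote(SAMPLE_ALLOWED, sizeof SAMPLE_ALLOWED, RULES, 1) == ALLOW);
}
```

In a kernel filter the same bounds checks matter more, since the address buffer is supplied by the caller of the transport and a length field that overruns it must end in a rejected request rather than an out-of-bounds read.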