Reading and printing NDIS network packets

Discussion in 'Windows Vista Drivers' started by Gabriel Bogdan, Jan 17, 2005.

  1. DbgPrint(" IP source address %d", IPHeader.ip_dst.s_addr);
    s_addr is a DWORD; each byte in the DWORD represents one of your numbers
    x.y.z.t; this is in network byte order.

    *((unsigned char*)(&s_addr)) will yield the first number.
    s_addr & 0xFF will also yield the first number in the address.
    You either are in the wrong place reading the port number or you don't
    account for the fact that the port is in network byte order, thus, probably
    the reverse of your machine byte order.
     
    Gabriel Bogdan, Jan 17, 2005
    #1

  2. Gabriel Bogdan

    abiola Guest

    Hi, I really need your help with NDIS Passthru.

    I am trying to read an NDIS network packet (IP address, source port, TCP
    payload) and I have read the www.ndis.com articles on this and also the
    ReadOnPacket function source code.

    I am working on Passthru extended version 2 with all its headers and files.

    My problem is this.

    I have a filter.c file that has a ReadOnPacket routine like this:



    struct ip IPHeader;
    struct tcphdr TCPHeader;

    FltReadOnPacket(
    mypacket,
    &IPHeader,
    sizeof(IPHeader),
    sizeof( struct ether_header),
    &NumberofBytesRead);

    DbgPrint(" IP source address %d", IPHeader.ip_dst.s_addr);

    // My output in DbgView is just a series of numbers. I assume I will
    // see, say, 123.234.456.667, but instead I see 2141855440.

    // I think it is my data type printout. I have tried using %s and %x, but
    // that did not work.



    My next problem is getting to the tcp payload, I tried this:

    FltReadOnPacket(
    mypacket,
    &TCPHeader,
    sizeof(TCPHeader),
    sizeof( struct ether_header)+sizeof(struct ip),
    &NumberofBytesRead);

    DbgPrint(" TCP Payload %d", TCPHeader.th_sport);

    // Again, in my output from Event Viewer, all I have is a series of numbers
    // like 57166096.
    // I know port numbers are from 1-65.500, but I am getting crazy large
    // numbers.
    // I think it is my data type specifier again.

    So please, what data type specifier can I use here? Any help will do. I have
    no errors or warnings when I build my source code.
     
    abiola, Jan 17, 2005
    #2

  3. Decimal 2141855440 is hex 7FAA1ED0, the four bytes 7F.AA.1E.D0, which, back
    in decimal byte-by-byte is 127.170.30.208.
    The port number is a 16-bit value (USHORT) and I imagine that you're
    grabbing 32-bits from the header.

    Bryan S. Burgin


    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Bryan S. Burgin [MSFT], Jan 19, 2005
    #3
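
An added example, not part of the original thread or of the Passthru sample: plain C that formats the IPv4 addresses and TCP ports from a raw frame buffer, reading network-order fields byte by byte and locating the TCP header from the IP header-length field rather than `sizeof(struct ip)`. The names `flow_info`, `rd16`, `fmt_ip`, `parse_frame` and the sample frame are constructed for illustration, and an untagged Ethernet header is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of interest from one Ethernet + IPv4 + TCP frame. */
struct flow_info {
    char src[16], dst[16];   /* dotted-quad text */
    uint16_t sport, dport;   /* converted to host byte order */
};

/* Read a 16-bit network-order value byte by byte; correct on any host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The four address bytes in wire order are already x.y.z.t. */
static void fmt_ip(const uint8_t *a, char out[16]) {
    snprintf(out, 16, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]);
}

/* Returns 0 on success, -1 if the frame is truncated or not IPv4/TCP. */
int parse_frame(const uint8_t *f, size_t len, struct flow_info *o) {
    const size_t eth = 14;                    /* untagged Ethernet header */
    memset(o, 0, sizeof *o);                  /* no stale data on failure */
    if (len < eth + 20 || rd16(f + 12) != 0x0800) return -1;
    const uint8_t *ip = f + eth;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;  /* real header length, options included */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return -1;
    if (len < eth + ihl + 4) return -1;       /* both TCP ports must be present */
    fmt_ip(ip + 12, o->src);
    fmt_ip(ip + 16, o->dst);
    o->sport = rd16(ip + ihl);
    o->dport = rd16(ip + ihl + 2);
    return 0;
}

/* Constructed sample frame: 192.0.2.10:49152 -> 198.51.100.7:80, IHL = 6. */
static const uint8_t sample[] = {
    0,0,0,0,0,2, 0,0,0,0,0,1, 0x08,0x00,   /* Ethernet */
    0x46,0,0,28, 0,0,0,0, 64,6,0,0,        /* IPv4, 24-byte header */
    192,0,2,10, 198,51,100,7, 1,1,1,0,     /* addresses + 4 option bytes */
    0xC0,0x00, 0x00,0x50                   /* TCP source, destination port */
};

int main(void) {
    struct flow_info fi;
    if (parse_frame(sample, sizeof sample, &fi) != 0) return 1;
    printf("%s:%u -> %s:%u\n", fi.src, (unsigned)fi.sport, fi.dst, (unsigned)fi.dport);
    return 0;
}
```

In a driver the same byte handling applies to a buffer copied out of the packet, with the output going to DbgPrint instead of printf.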