メイン   モジュール   デー タ構造   ファイルリスト   データフィールド   グローバル   関連ページ   注意事項   English

NPF functions
[NPF driver internals manual]


Functions

NTSTATUS DriverEntry (IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
 The initialization routine of the driver.

PWCHAR getAdaptersList (VOID)
 Returns the list of the MACs available on the system.

PKEY_VALUE_PARTIAL_INFORMATION getTcpBindings (VOID)
 Returns the MACs that bind to TCP/IP.

BOOLEAN createDevice (IN OUT PDRIVER_OBJECT adriverObjectP, IN PUNICODE_STRING amacNameP, NDIS_HANDLE aProtoHandle)
 Creates a device for a given MAC.

NTSTATUS NPF_Open (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 Opens a new instance of the driver.

VOID NPF_OpenAdapterComplete (IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_STATUS Status, IN NDIS_STATUS OpenErrorStatus)
 Ends the opening of an adapter.

NTSTATUS NPF_Close (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 Closes an instance of the driver.

VOID NPF_CloseAdapterComplete (IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_STATUS Status)
 Ends the closing of an adapter.

NDIS_STATUS NPF_tap (IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_HANDLE MacReceiveContext, IN PVOID HeaderBuffer, IN UINT HeaderBufferSize, IN PVOID LookAheadBuffer, IN UINT LookaheadBufferSize, IN UINT PacketSize)
 Callback invoked by NDIS when a packet arrives from the network.

VOID NPF_TransferDataComplete (IN NDIS_HANDLE ProtocolBindingContext, IN PNDIS_PACKET Packet, IN NDIS_STATUS Status, IN UINT BytesTransferred)
 Ends the transfer of a packet.

VOID NPF_ReceiveComplete (IN NDIS_HANDLE ProtocolBindingContext)
 Callback function that signals the end of a packet reception.

NTSTATUS NPF_IoControl (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 Handles the IOCTL calls.

VOID NPF_RequestComplete (IN NDIS_HANDLE ProtocolBindingContext, IN PNDIS_REQUEST pRequest, IN NDIS_STATUS Status)
 Ends an OID request.

NTSTATUS NPF_Write (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 Writes a raw packet to the network.

INT NPF_BufferedWrite (IN PIRP Irp, IN PCHAR UserBuff, IN ULONG UserBuffSize, BOOLEAN sync)
 Writes a buffer of raw packets to the network.

VOID NPF_SendComplete (IN NDIS_HANDLE ProtocolBindingContext, IN PNDIS_PACKET pPacket, IN NDIS_STATUS Status)
 Ends a send operation.

VOID NPF_ResetComplete (IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_STATUS Status)
 Ends a reset of the adapter.

VOID NPF_Status (IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_STATUS Status, IN PVOID StatusBuffer, IN UINT StatusBufferSize)
 Callback for NDIS StatusHandler. Not used by NPF.

VOID NPF_StatusComplete (IN NDIS_HANDLE ProtocolBindingContext)
 Callback for NDIS StatusCompleteHandler. Not used by NPF.

VOID NPF_Unload (IN PDRIVER_OBJECT DriverObject)
 Function called by the OS when NPF is unloaded.

NTSTATUS NPF_Read (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 Function that serves the user's reads.

NTSTATUS NPF_ReadRegistry (IN PWSTR *MacDriverName, IN PWSTR *PacketDriverName, IN PUNICODE_STRING RegistryPath)
 Reads the registry keys associated woth NPF if the driver is manually installed via the control panel.

NTSTATUS NPF_QueryRegistryRoutine (IN PWSTR ValueName, IN ULONG ValueType, IN PVOID ValueData, IN ULONG ValueLength, IN PVOID Context, IN PVOID EntryContext)
 Function used by NPF_ReadRegistry() to quesry the registry keys associated woth NPF if the driver is manually installed via the control panel.

VOID NPF_BindAdapter (OUT PNDIS_STATUS Status, IN NDIS_HANDLE BindContext, IN PNDIS_STRING DeviceName, IN PVOID SystemSpecific1, IN PVOID SystemSpecific2)
 Callback for NDIS BindAdapterHandler. Not used by NPF.

VOID NPF_UnbindAdapter (OUT PNDIS_STATUS Status, IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_HANDLE UnbindContext)
 Callback for NDIS UnbindAdapterHandler.

int bpf_validate (struct bpf_insn *f, int len, uint32 mem_ex_size)
 Validates a filtering program arriving from the user-level app.

UINT bpf_filter (register struct bpf_insn *pc, register UCHAR *p, UINT wirelen, register UINT buflen, PMEM_TYPE mem_ex, PTME_CORE tme, struct time_conv *time_ref)
 The filtering pseudo-machine interpreter.

UINT bpf_filter_with_2_buffers (register struct bpf_insn *pc, register UCHAR *p, register UCHAR *pd, register int headersize, UINT wirelen, register UINT buflen, PMEM_TYPE mem_ex, PTME_CORE tme, struct time_conv *time_ref)
 The filtering pseudo-machine interpreter with two buffers. This function is slower than bpf_filter(), but works correctly also if the MAC header and the data of the packet are in two different buffers.

NTSTATUS NPF_OpenDumpFile (POPEN_INSTANCE Open, PUNICODE_STRING fileName, BOOLEAN append)
 Creates the file that will receive the packets when the driver is in dump mode.

NTSTATUS NPF_StartDump (POPEN_INSTANCE Open)
 Starts dump to file.

VOID NPF_DumpThread (PVOID Open)
 The dump thread.

NTSTATUS NPF_SaveCurrentBuffer (POPEN_INSTANCE Open)
 Saves the content of the packet buffer to the file associated with current instance.

VOID NPF_WriteDumpFile (PFILE_OBJECT FileObject, PLARGE_INTEGER Offset, ULONG Length, PMDL Mdl, PIO_STATUS_BLOCK IoStatusBlock)
 Writes a block of packets on the dump file.

NTSTATUS NPF_CloseDumpFile (POPEN_INSTANCE Open)
 Closes the dump file associated with an instance of the driver.

UINT GetBuffOccupation (POPEN_INSTANCE Open)
 Returns the amount of bytes present in the packet buffer.

JIT_BPF_FilterBPF_jitter (struct bpf_insn *fp, INT nins)
 BPF jitter, builds an x86 function from a BPF program.

BPF_filter_function BPFtoX86 (struct bpf_insn *prog, UINT nins, INT *mem)
 Translates a set of BPF instructions in a set of x86 ones.

void BPF_Destroy_JIT_Filter (JIT_BPF_Filter *Filter)
 Deletes a filtering function that was previously created by BPF_jitter().


Function Documentation

void BPF_Destroy_JIT_Filter JIT_BPF_Filter   Filter
 

Deletes a filtering function that was previously created by BPF_jitter().

Parameters:
Filter The filter to destroy.
This function frees the variuos buffers (code, memory, etc.) associated with a filtering function.

Definition at line 659 of file jitter.c.

References JIT_BPF_Filter::Function, and JIT_BPF_Filter::mem.

Referenced by NPF_Close(), NPF_CloseAdapterComplete(), and NPF_IoControl().

UINT bpf_filter register struct bpf_insn   pc,
register UCHAR *    p,
UINT    wirelen,
register UINT    buflen,
PMEM_TYPE    mem_ex,
PTME_CORE    tme,
struct time_conv *    time_ref
 

The filtering pseudo-machine interpreter.

Parameters:
pc The filter.
p Pointer to a memory buffer containing the packet on which the filter will be executed.
wirelen Original length of the packet.
buflen Current length of the packet. In some cases (for example when the transfer of the packet to the RAM has not yet finished), bpf_filter can be executed on a portion of the packet.
mem_ex The extended memory.
tme The virtualization of the TME co-processor
time_ref Data structure needed by the TME co-processor to timestamp data
Returns:
The portion of the packet to keep, in bytes. 0 means that the packet must be rejected, -1 means that the whole packet must be kept.
Note:
this function is not used in normal situations, because the jitter creates a native filtering function that is faster than the interpreter.

Referenced by NPF_tap(), and pcap_offline_read().

UINT bpf_filter_with_2_buffers register struct bpf_insn   pc,
register UCHAR *    p,
register UCHAR *    pd,
register int    headersize,
UINT    wirelen,
register UINT    buflen,
PMEM_TYPE    mem_ex,
PTME_CORE    tme,
struct time_conv *    time_ref
 

The filtering pseudo-machine interpreter with two buffers. This function is slower than bpf_filter(), but works correctly also if the MAC header and the data of the packet are in two different buffers.

Parameters:
pc The filter.
p Pointer to a memory buffer containing the MAC header of the packet.
pd Pointer to a memory buffer containing the data of the packet.
wirelen Original length of the packet.
buflen Current length of the packet. In some cases (for example when the transfer of the packet to the RAM has not yet finished), bpf_filter can be executed on a portion of the packet.
mem_ex The extended memory.
tme The virtualization of the TME co-processor
time_ref Data structure needed by the TME co-processor to timestamp data
Returns:
The portion of the packet to keep, in bytes. 0 means that the packet must be rejected, -1 means that the whole packet must be kept.
This function is used when NDIS passes the packet to NPF_tap() in two buffers instaed than in a single one.

Referenced by NPF_tap().

JIT_BPF_Filter* BPF_jitter struct bpf_insn   fp,
INT    nins
 

BPF jitter, builds an x86 function from a BPF program.

Parameters:
fp The BPF pseudo-assembly filter that will be translated into x86 code.
nins Number of instructions of the input filter.
Returns:
The JIT_BPF_Filter structure containing the x86 filtering binary.
BPF_jitter allocates the buffers for the new native filter and then translates the program pointed by fp calling BPFtoX86().

Definition at line 608 of file jitter.c.

References BPFtoX86(), JIT_BPF_Filter, and JIT_BPF_Filter::mem.

Referenced by NPF_IoControl().

int bpf_validate struct bpf_insn   f,
int    len,
uint32    mem_ex_size
 

Validates a filtering program arriving from the user-level app.

Parameters:
f The filter.
len Its length, in pseudo instructions.
mem_ex_size The length of the extended memory, used to validate LD/ST to that memory
Returns:
true if f is a valid filter program..
The kernel needs to be able to verify an application's filter code. Otherwise, a bogus program could easily crash the system. This function returns true if f is a valid filter program. The constraints are that each jump be forward and to a valid code. The code must terminate with either an accept or reject.

Referenced by daemon_unpackapplyfilter(), and NPF_IoControl().

BPF_filter_function BPFtoX86 struct bpf_insn   ins,
UINT    nins,
INT *    mem
 

Translates a set of BPF instructions in a set of x86 ones.

Parameters:
ins Pointer to the BPF instructions that will be translated into x86 code.
nins Number of instructions to translate.
mem Memory used by the x86 function to emulate the RAM of the BPF pseudo processor.
Returns:
The x86 filtering function.
This function does the hard work for the JIT compilation. It takes a group of BPF pseudo instructions and through the instruction macros defined in jitter.h it is able to create an function directly executable by NPF.

Definition at line 75 of file jitter.c.

References ADD_EAXi, ADDib, ADDrd, ANDib, ANDid, ANDrd, BPF_filter_function, binary_stream::bpf_pc, BSWAP, CMPid, CMPodd, CMPrd, bpf_insn::code, binary_stream::cur_ip, DIVrd, emit_code(), emit_lenght(), emitm, binary_stream::ibuf, JA, JAE, JE, bpf_insn::jf, JG, JGE, JLEb, JMP, JNEb, bpf_insn::jt, bpf_insn::k, MOVid, MOVobb, MOVobd, MOVobw, MOVodd, MOVomd, MOVrd, MULrd, NEGd, ORid, ORrd, POP, PUSH, binary_stream::refs, RET, SHL_CLrb, SHLib, SHR_CLrb, SHRib, SUB_EAXi, SUBrd, and SWAP_AX.

Referenced by BPF_jitter().

BOOLEAN createDevice IN OUT PDRIVER_OBJECT    adriverObjectP,
IN PUNICODE_STRING    amacNameP,
NDIS_HANDLE    aProtoHandle
 

Creates a device for a given MAC.

Parameters:
adriverObjectP The driver object that will be associated with the device, i.e. the one of NPF.
amacNameP The name of the network interface that the device will point.
aProtoHandle NDIS protocol handle of NPF.
Returns:
If the function succeeds, the return value is nonzero.
NPF creates a device for every valid network adapter. The new device points to the NPF driver, but contains information about the original device. In this way, when the user opens the new device, NPF will be able to determine the correct adapter to use.

Definition at line 394 of file Packet.c.

References _DEVICE_EXTENSION::AdapterName, devicePrefix, _DEVICE_EXTENSION::ExportString, _DEVICE_EXTENSION::NdisProtocolHandle, NPF_Prefix, and symbolicLinkPrefix.

Referenced by DriverEntry().

NTSTATUS DriverEntry IN PDRIVER_OBJECT    DriverObject,
IN PUNICODE_STRING    RegistryPath
 

The initialization routine of the driver.

Parameters:
DriverObject The driver object of NPF created by the system.
RegistryPath The registry path containing the keys related to the driver.
Returns:
A string containing a list of network adapters.
DriverEntry is a mandatory function in a device driver. Like the main() of a user level program, it is called by the system when the driver is loaded in memory and started. Its purpose is to initialize the driver, performing all the allocations and the setup. In particular, DriverEntry registers all the driver's I/O callbacks, creates the devices, defines NPF as a protocol inside NDIS.

Definition at line 70 of file Packet.c.

References bindP, createDevice(), getAdaptersList(), getTcpBindings(), NCpu, NPF_BindAdapter(), NPF_Close(), NPF_CloseAdapterComplete(), NPF_IoControl(), NPF_Open(), NPF_OpenAdapterComplete(), NPF_Read(), NPF_ReceiveComplete(), NPF_RequestComplete(), NPF_ResetComplete(), NPF_SendComplete(), NPF_Status(), NPF_StatusComplete(), NPF_tap(), NPF_TransferDataComplete(), NPF_UnbindAdapter(), NPF_Unload(), and NPF_Write().

PWCHAR getAdaptersList VOID   
 

Returns the list of the MACs available on the system.

Returns:
A string containing a list of network adapters.
The list of adapters is retrieved from the SYSTEM\{4D36E972-E325-11CE-BFC1-08002BE10318} registry key. NPF tries to create its bindings from this list. In this way it is possible to be loaded and unloaded dynamically without passing from the control panel.

UINT GetBuffOccupation POPEN_INSTANCE    Open
 

Returns the amount of bytes present in the packet buffer.

Parameters:
Open The NPF instance that closes the file.

PKEY_VALUE_PARTIAL_INFORMATION getTcpBindings VOID   
 

Returns the MACs that bind to TCP/IP.

Returns:
Pointer to the registry key containing the list of adapters on which TCP/IP is bound.
If getAdaptersList() fails, NPF tries to obtain the TCP/IP bindings through this function.

VOID NPF_BindAdapter OUT PNDIS_STATUS    Status,
IN NDIS_HANDLE    BindContext,
IN PNDIS_STRING    DeviceName,
IN PVOID    SystemSpecific1,
IN PVOID    SystemSpecific2
 

Callback for NDIS BindAdapterHandler. Not used by NPF.

Function called by NDIS when a new adapter is installed on the machine With Plug and Play.

Definition at line 577 of file Openclos.c.

Referenced by DriverEntry().

INT NPF_BufferedWrite IN PIRP    Irp,
IN PCHAR    UserBuff,
IN ULONG    UserBuffSize,
BOOLEAN    sync
 

Writes a buffer of raw packets to the network.

Parameters:
Irp Pointer to the IRP containing the user request.
UserBuff Pointer to the buffer containing the packets to send.
UserBuffSize Size of the buffer with the packets.
Returns:
The amount of bytes actually sent. If the return value is smaller than the Size parameter, an error occurred during the send. The error can be caused by an adapter problem or by an inconsistent/bogus user buffer.
This function is called by the OS in consequence of a BIOCSENDPACKETSNOSYNC or a BIOCSENDPACKETSSYNC IOCTL. The buffer received as input parameter contains an arbitrary number of packets, each of which preceded by a sf_pkthdr structure. NPF_BufferedWrite() scans the buffer and sends every packet via the NdisSend() function. When Sync is set to TRUE, the packets are synchronized with the KeQueryPerformanceCounter() function. This requires a remarkable amount of CPU, but allows to respect the timestamps associated with packets with a precision of some microseconds (depending on the precision of the performance counter of the machine). If Sync is false, the timestamps are ignored and the packets are sent as fat as possible.

Definition at line 136 of file Write.c.

References _OPEN_INSTANCE::AdapterHandle, _OPEN_INSTANCE::Bound, sf_pkthdr::caplen, _OPEN_INSTANCE::MaxFrameSize, NPF_SendComplete(), _OPEN_INSTANCE::PacketPool, RESERVED, and sf_pkthdr::ts.

Referenced by NPF_IoControl().

NTSTATUS NPF_Close IN PDEVICE_OBJECT    DeviceObject,
IN PIRP    Irp
 

Closes an instance of the driver.

Parameters:
DeviceObject Pointer to the device object utilized by the user.
Irp Pointer to the IRP containing the user request.
Returns:
The status of the operation. See ntstatus.h in the DDK.
This function is called when a running instance of the driver is closed by the user with a CloseHandle(). It stops the capture/monitoring/dump process, deallocates the memory and the objects associated with the instance and closing the files. The network adapter is then closed with a call to NdisCloseAdapter.

Definition at line 380 of file Openclos.c.

References _OPEN_INSTANCE::AdapterHandle, _OPEN_INSTANCE::Bound, BPF_Destroy_JIT_Filter(), _OPEN_INSTANCE::bpfprogram, __CPU_Private_Data::Buffer, _OPEN_INSTANCE::CpuData, _OPEN_INSTANCE::DumpEvent, _OPEN_INSTANCE::DumpFileHandle, _OPEN_INSTANCE::DumpFileName, _OPEN_INSTANCE::DumpThreadObject, _OPEN_INSTANCE::Filter, _OPEN_INSTANCE::IOEvent, _OPEN_INSTANCE::mem_ex, _OPEN_INSTANCE::mode, MODE_DUMP, NPF_CloseAdapterComplete(), NPF_CloseDumpFile(), _OPEN_INSTANCE::OpenCloseIrp, _OPEN_INSTANCE::PacketPool, _OPEN_INSTANCE::ReadEvent, _OPEN_INSTANCE::ReadEventHandle, _OPEN_INSTANCE::ReadEventName, and _OPEN_INSTANCE::Size.

Referenced by DriverEntry().

VOID NPF_CloseAdapterComplete IN NDIS_HANDLE    ProtocolBindingContext,
IN NDIS_STATUS    Status
 

Ends the closing of an adapter.

Parameters:
ProtocolBindingContext Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
Status Status of the close operation performed by NDIS.
Callback function associated with the NdisCloseAdapter() NDIS function. It is invoked by NDIS when the NIC driver has finished a close operation that was previously started by NPF_Close().

Definition at line 492 of file Openclos.c.

References _OPEN_INSTANCE::Bound, BPF_Destroy_JIT_Filter(), _OPEN_INSTANCE::bpfprogram, __CPU_Private_Data::Buffer, _OPEN_INSTANCE::CpuData, _OPEN_INSTANCE::DumpFileName, _OPEN_INSTANCE::Filter, _OPEN_INSTANCE::IOEvent, _OPEN_INSTANCE::mem_ex, n_Opened_Instances, _OPEN_INSTANCE::OpenCloseIrp, _OPEN_INSTANCE::PacketPool, _OPEN_INSTANCE::ReadEventName, and _OPEN_INSTANCE::Size.

Referenced by DriverEntry(), NPF_Close(), and NPF_UnbindAdapter().

NTSTATUS NPF_CloseDumpFile POPEN_INSTANCE    Open
 

Closes the dump file associated with an instance of the driver.

Parameters:
Open The NPF instance that closes the file.
Returns:
The status of the operation. See ntstatus.h in the DDK.

Definition at line 459 of file dump.c.

References _OPEN_INSTANCE::DumpFileHandle, _OPEN_INSTANCE::DumpFileName, _OPEN_INSTANCE::DumpFileObject, _OPEN_INSTANCE::DumpOffset, NPF_OpenDumpFile(), and NPF_SaveCurrentBuffer().

Referenced by NPF_Close(), NPF_IoControl(), and NPF_UnbindAdapter().

VOID NPF_DumpThread PVOID    Open
 

The dump thread.

Parameters:
Open The NPF instance that creates the thread.
This function moves the content of the NPF kernel buffer to file. It runs in the user context, so at lower priority than the TAP.

NTSTATUS NPF_IoControl IN PDEVICE_OBJECT    DeviceObject,
IN PIRP    Irp
 

Handles the IOCTL calls.

Parameters:
DeviceObject Pointer to the device object utilized by the user.
Irp Pointer to the IRP containing the user request.
Returns:
The status of the operation. See ntstatus.h in the DDK.
Once the packet capture driver is opened it can be configured from user-level applications with IOCTL commands using the DeviceIoControl() system call. NPF_IoControl receives and serves all the IOCTL calls directed to NPF. The following commands are recognized:

Definition at line 549 of file Packet.c.

References __CPU_Private_Data::Accepted, _OPEN_INSTANCE::AdapterHandle, BIOCGEVNAME, BIOCGSTATS, BIOCISDUMPENDED, BIOCQUERYOID, BIOCSENDPACKETSNOSYNC, BIOCSENDPACKETSSYNC, BIOCSETBUFFERSIZE, BIOCSETDUMPFILENAME, BIOCSETDUMPLIMITS, BIOCSETF, BIOCSETOID, BIOCSMINTOCOPY, BIOCSMODE, BIOCSRTIMEOUT, BIOCSWRITEREP, BPF_Destroy_JIT_Filter(), BPF_jitter(), BPF_SEPARATION, bpf_validate(), _OPEN_INSTANCE::bpfprogram, __CPU_Private_Data::Buffer, __CPU_Private_Data::C, _OPEN_INSTANCE::CountersLock, _OPEN_INSTANCE::CpuData, __CPU_Private_Data::Dropped, _OPEN_INSTANCE::DumpFileHandle, _OPEN_INSTANCE::DumpFileName, _OPEN_INSTANCE::DumpLimitReached, EXIT_FAILURE, EXIT_SUCCESS, _OPEN_INSTANCE::Filter, __CPU_Private_Data::Free, IMMEDIATE, _INTERNAL_REQUEST::Internal, IOCTL_PROTOCOL_RESET, _OPEN_INSTANCE::IOEvent, _OPEN_INSTANCE::IOStatus, _INTERNAL_REQUEST::Irp, _OPEN_INSTANCE::MaxDumpBytes, _OPEN_INSTANCE::MaxDumpPacks, _OPEN_INSTANCE::mem_ex, _OPEN_INSTANCE::MinToCopy, _OPEN_INSTANCE::mode, MODE_CAPT, MODE_DUMP, MODE_MON, MODE_STAT, _OPEN_INSTANCE::Nbytes, NCpu, _OPEN_INSTANCE::Npackets, NPF_BufferedWrite(), NPF_CloseDumpFile(), NPF_OpenDumpFile(), NPF_RequestComplete(), NPF_ResetComplete(), NPF_StartDump(), _OPEN_INSTANCE::Nwrites, __CPU_Private_Data::P, PPACKET_OID_DATA, __CPU_Private_Data::Processing, _OPEN_INSTANCE::ReaderSN, _OPEN_INSTANCE::ReadEventName, __CPU_Private_Data::Received, _INTERNAL_REQUEST::Request, _OPEN_INSTANCE::RequestList, _OPEN_INSTANCE::RequestSpinLock, _OPEN_INSTANCE::ResetIrpList, _OPEN_INSTANCE::Size, _OPEN_INSTANCE::SkipProcessing, _OPEN_INSTANCE::TimeOut, _OPEN_INSTANCE::tme, and _OPEN_INSTANCE::WriterSN.

Referenced by DriverEntry().

NTSTATUS NPF_Open IN PDEVICE_OBJECT    DeviceObject,
IN PIRP    Irp
 

Opens a new instance of the driver.

Parameters:
DeviceObject Pointer to the device object utilized by the user.
Irp Pointer to the IRP containing the user request.
Returns:
The status of the operation. See ntstatus.h in the DDK.
This function is called by the OS when a new instance of the driver is opened, i.e. when a user application performs a CreateFile on a device created by NPF. NPF_Open allocates and initializes variables, objects and buffers needed by the new instance, fills the OPEN_INSTANCE structure associated with it and opens the adapter with a call to NdisOpenAdapter.

Definition at line 66 of file Openclos.c.

References _OPEN_INSTANCE::AdapterHandle, _DEVICE_EXTENSION::AdapterName, _OPEN_INSTANCE::Bound, _OPEN_INSTANCE::bpfprogram, _OPEN_INSTANCE::CountersLock, _OPEN_INSTANCE::DeviceExtension, _OPEN_INSTANCE::DumpEvent, _OPEN_INSTANCE::DumpFileHandle, _OPEN_INSTANCE::DumpFileName, _OPEN_INSTANCE::DumpLimitReached, _OPEN_INSTANCE::IOEvent, _INTERNAL_REQUEST::ListElement, _OPEN_INSTANCE::MachineLock, MAX_REQUESTS, _OPEN_INSTANCE::MaxFrameSize, _OPEN_INSTANCE::Medium, _OPEN_INSTANCE::mem_ex, _OPEN_INSTANCE::MinToCopy, _OPEN_INSTANCE::mode, MODE_CAPT, _OPEN_INSTANCE::Multiple_Write_Counter, _OPEN_INSTANCE::Nbytes, _DEVICE_EXTENSION::NdisProtocolHandle, _OPEN_INSTANCE::Npackets, NPF_OpenAdapterComplete(), _OPEN_INSTANCE::Nwrites, _OPEN_INSTANCE::OpenCloseIrp, PacketItoa(), _OPEN_INSTANCE::PacketPool, _OPEN_INSTANCE::ReaderSN, _OPEN_INSTANCE::ReadEvent, _OPEN_INSTANCE::ReadEventHandle, _OPEN_INSTANCE::ReadEventName, _OPEN_INSTANCE::RequestList, _OPEN_INSTANCE::Requests, _OPEN_INSTANCE::RequestSpinLock, _OPEN_INSTANCE::ResetIrpList, _OPEN_INSTANCE::Size, _OPEN_INSTANCE::TimeOut, _OPEN_INSTANCE::tme, _OPEN_INSTANCE::WriteEvent, and _OPEN_INSTANCE::WriterSN.

Referenced by DriverEntry().

VOID NPF_OpenAdapterComplete IN NDIS_HANDLE    ProtocolBindingContext,
IN NDIS_STATUS    Status,
IN NDIS_STATUS    OpenErrorStatus
 

Ends the opening of an adapter.

Parameters:
ProtocolBindingContext Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
Status Status of the opening operation performed by NDIS.
OpenErrorStatus not used by NPF.
Callback function associated with the NdisOpenAdapter() NDIS function. It is invoked by NDIS when the NIC driver has finished an open operation that was previously started by NPF_Open().

Definition at line 277 of file Openclos.c.

References _OPEN_INSTANCE::AdapterHandle, _INTERNAL_REQUEST::Internal, _INTERNAL_REQUEST::Irp, _OPEN_INSTANCE::MaxFrameSize, _OPEN_INSTANCE::mem_ex, n_Opened_Instances, NPF_RequestComplete(), _OPEN_INSTANCE::OpenCloseIrp, _OPEN_INSTANCE::PacketPool, _OPEN_INSTANCE::ReadEventHandle, _OPEN_INSTANCE::ReadEventName, _INTERNAL_REQUEST::Request, _OPEN_INSTANCE::RequestList, and _OPEN_INSTANCE::RequestSpinLock.

Referenced by DriverEntry(), and NPF_Open().

NTSTATUS NPF_OpenDumpFile POPEN_INSTANCE    Open,
PUNICODE_STRING    fileName,
BOOLEAN    append
 

Creates the file that will receive the packets when the driver is in dump mode.

Parameters:
Open The NPF instance that opens the file.
fileName Pointer to a UNICODE string containing the name of the file.
append Boolean value that specifies if the data must be appended to the file.
Returns:
The status of the operation. See ntstatus.h in the DDK.

Definition at line 34 of file dump.c.

References _OPEN_INSTANCE::DumpFileHandle, and _OPEN_INSTANCE::DumpFileObject.

Referenced by NPF_CloseDumpFile(), and NPF_IoControl().

NTSTATUS NPF_QueryRegistryRoutine IN PWSTR    ValueName,
IN ULONG    ValueType,
IN PVOID    ValueData,
IN ULONG    ValueLength,
IN PVOID    Context,
IN PVOID    EntryContext
 

Function used by NPF_ReadRegistry() to quesry the registry keys associated woth NPF if the driver is manually installed via the control panel.

Normally not used in recent versions of NPF.

Definition at line 1343 of file Packet.c.

Referenced by NPF_ReadRegistry().

NTSTATUS NPF_Read IN PDEVICE_OBJECT    DeviceObject,
IN PIRP    Irp
 

Function that serves the user's reads.

Parameters:
DeviceObject Pointer to the device used by the user.
Irp Pointer to the IRP containing the user request.
Returns:
The status of the operation. See ntstatus.h in the DDK.
This function is called by the OS in consequence of user ReadFile() call. It moves the data present in the kernel buffer to the user buffer associated with Irp. First of all, NPF_Read checks the amount of data in kernel buffer associated with current NPF instance.
  • If the instance is in capture mode and the buffer contains more than OPEN_INSTANCE::MinToCopy bytes, NPF_Read moves the data in the user buffer and returns immediatly. In this way, the read performed by the user is not blocking.
  • If the buffer contains less than MinToCopy bytes, the application's request isn't satisfied immediately, but it's blocked until at least MinToCopy bytes arrive from the net or the timeout on this read expires. The timeout is kept in the OPEN_INSTANCE::TimeOut field.
  • If the instance is in statistical mode or in dump mode, the application's request is blocked until the timeout kept in OPEN_INSTANCE::TimeOut expires.

Definition at line 37 of file Read.c.

References bpf_hdr::bh_caplen, bpf_hdr::bh_datalen, bpf_hdr::bh_hdrlen, bpf_hdr::bh_tstamp, _OPEN_INSTANCE::Bound, _OPEN_INSTANCE::CountersLock, _OPEN_INSTANCE::CpuData, _OPEN_INSTANCE::DumpFileHandle, _OPEN_INSTANCE::DumpOffset, EXIT_FAILURE, EXIT_SUCCESS, __CPU_Private_Data::Free, PacketHeader::header, IMMEDIATE, _OPEN_INSTANCE::MachineLock, _OPEN_INSTANCE::MinToCopy, _OPEN_INSTANCE::mode, MODE_DUMP, MODE_MON, MODE_STAT, _OPEN_INSTANCE::Nbytes, NCpu, _OPEN_INSTANCE::Npackets, Packet_WORDALIGN, _OPEN_INSTANCE::ReaderSN, _OPEN_INSTANCE::ReadEvent, _OPEN_INSTANCE::Size, PacketHeader::SN, _OPEN_INSTANCE::TimeOut, and _OPEN_INSTANCE::tme.

Referenced by DriverEntry().

NTSTATUS NPF_ReadRegistry IN PWSTR *    MacDriverName,
IN PWSTR *    PacketDriverName,
IN PUNICODE_STRING    RegistryPath
 

Reads the registry keys associated woth NPF if the driver is manually installed via the control panel.

Normally not used in recent versions of NPF.

Definition at line 1246 of file Packet.c.

References NPF_QueryRegistryRoutine().

VOID NPF_ReceiveComplete IN NDIS_HANDLE    ProtocolBindingContext
 

Callback function that signals the end of a packet reception.

Parameters:
ProtocolBindingContext Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
does nothing in NPF

Definition at line 876 of file Read.c.

Referenced by DriverEntry().

VOID NPF_RequestComplete IN NDIS_HANDLE    ProtocolBindingContext,
IN PNDIS_REQUEST    pRequest,
IN NDIS_STATUS    Status
 

Ends an OID request.

Parameters:
ProtocolBindingContext Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
pRequest Pointer to the completed OID request.
Status Status of the operation.
Callback function associated with the NdisRequest() NDIS function. It is invoked by NDIS when the NIC driver has finished an OID request operation that was previously started by NPF_IoControl().

Definition at line 1128 of file Packet.c.

References BIOCQUERYOID, BIOCSETOID, _INTERNAL_REQUEST::Internal, _OPEN_INSTANCE::IOEvent, _OPEN_INSTANCE::IOStatus, _INTERNAL_REQUEST::Irp, _INTERNAL_REQUEST::ListElement, _OPEN_INSTANCE::MaxFrameSize, PPACKET_OID_DATA, _INTERNAL_REQUEST::Request, _OPEN_INSTANCE::RequestList, and _OPEN_INSTANCE::RequestSpinLock.

Referenced by DriverEntry(), NPF_IoControl(), and NPF_OpenAdapterComplete().

VOID NPF_ResetComplete IN NDIS_HANDLE    ProtocolBindingContext,
IN NDIS_STATUS    Status
 

Ends a reset of the adapter.

Parameters:
ProtocolBindingContext Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
Status Status of the operation.
Callback function associated with the NdisReset() NDIS function. It is invoked by NDIS when the NIC driver has finished an OID request operation that was previously started by NPF_IoControl(), in an IOCTL_PROTOCOL_RESET command.

Definition at line 648 of file Openclos.c.

References _OPEN_INSTANCE::RequestSpinLock, and _OPEN_INSTANCE::ResetIrpList.

Referenced by DriverEntry(), and NPF_IoControl().

NTSTATUS NPF_SaveCurrentBuffer POPEN_INSTANCE    Open
 

Saves the content of the packet buffer to the file associated with current instance.

Parameters:
Open The NPF instance that creates the thread.
Used by NPF_DumpThread() and NPF_CloseDumpFile().

Definition at line 301 of file dump.c.

References _OPEN_INSTANCE::DumpFileObject, _OPEN_INSTANCE::DumpLimitReached, _OPEN_INSTANCE::DumpOffset, _OPEN_INSTANCE::MaxDumpBytes, NPF_WriteDumpFile(), and _OPEN_INSTANCE::ReadEvent.

Referenced by NPF_CloseDumpFile(), and NPF_DumpThread().

VOID NPF_SendComplete IN NDIS_HANDLE    ProtocolBindingContext,
IN PNDIS_PACKET    pPacket,
IN NDIS_STATUS    Status
 

Ends a send operation.

Parameters:
ProtocolBindingContext Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
pRequest Pointer to the NDIS PACKET structure used by NPF_Write() to send the packet.
Status Status of the operation.
Callback function associated with the NdisSend() NDIS function. It is invoked by NDIS when the NIC driver has finished an OID request operation that was previously started by NPF_Write().

Definition at line 298 of file Write.c.

References _OPEN_INSTANCE::Multiple_Write_Counter, _OPEN_INSTANCE::Nwrites, RESERVED, and _OPEN_INSTANCE::WriteEvent.

Referenced by DriverEntry(), NPF_BufferedWrite(), and NPF_Write().

NTSTATUS NPF_StartDump POPEN_INSTANCE    Open
 

Starts dump to file.

Parameters:
Open The NPF instance that opens the file.
Returns:
The status of the operation. See ntstatus.h in the DDK.
This function performs two operations. First, it writes the libpcap header at the beginning of the file. Second, it starts the thread that asynchronously dumps the network data to the file.

Definition at line 142 of file dump.c.

References _OPEN_INSTANCE::DumpFileHandle, _OPEN_INSTANCE::DumpFileObject, _OPEN_INSTANCE::DumpOffset, _OPEN_INSTANCE::DumpThreadHandle, _OPEN_INSTANCE::DumpThreadObject, packet_file_header::linktype, packet_file_header::magic, _OPEN_INSTANCE::Medium, PCAP_VERSION_MAJOR, PCAP_VERSION_MINOR, packet_file_header::sigfigs, packet_file_header::snaplen, TCPDUMP_MAGIC, packet_file_header::thiszone, packet_file_header::version_major, and packet_file_header::version_minor.

Referenced by NPF_IoControl().

VOID NPF_Status IN NDIS_HANDLE    ProtocolBindingContext,
IN NDIS_STATUS    Status,
IN PVOID    StatusBuffer,
IN UINT    StatusBufferSize
 

Callback for NDIS StatusHandler. Not used by NPF.

Definition at line 1213 of file Packet.c.

Referenced by DriverEntry().

VOID NPF_StatusComplete IN NDIS_HANDLE    ProtocolBindingContext
 

Callback for NDIS StatusCompleteHandler. Not used by NPF.

Definition at line 1231 of file Packet.c.

Referenced by DriverEntry().

NDIS_STATUS NPF_tap IN NDIS_HANDLE    ProtocolBindingContext,
IN NDIS_HANDLE    MacReceiveContext,
IN PVOID    HeaderBuffer,
IN UINT    HeaderBufferSize,
IN PVOID    LookAheadBuffer,
IN UINT    LookaheadBufferSize,
IN UINT    PacketSize
 

Callback invoked by NDIS when a packet arrives from the network.

Parameters:
ProtocolBindingContext Context of the function. Points to a OPEN_INSTANCE structure that identifies the NPF instance to which the packets are destined.
MacReceiveContext Handle that identifies the underlying NIC driver that generated the request. This value must be used when the packet is transferred from the NIC driver with NdisTransferData().
HeaderBuffer Pointer to the buffer in the NIC driver memory that contains the header of the packet.
HeaderBufferSize Size in bytes of the header.
LookAheadBuffer Pointer to the buffer in the NIC driver's memory that contains the incoming packet's data available to NPF. This value does not necessarily coincide with the actual size of the packet, since only a portion can be available at this time. The remaining portion can be obtained with the NdisTransferData() NDIS function.
LookaheadBufferSize Size in bytes of the lookahead buffer.
PacketSize Total size of the incoming packet, excluded the header.
Returns:
The status of the operation. See ntstatus.h in the DDK.
NPF_tap() is called by the underlying NIC for every incoming packet. It is the most important and one of the most complex functions of NPF: it executes the filter, runs the statistical engine (if the instance is in statistical mode), gathers the timestamp, moves the packet in the buffer. NPF_tap() is the only function, along with the filtering ones, that is executed for every incoming packet, therefore it is carefully optimized.

Definition at line 297 of file Read.c.

References __CPU_Private_Data::Accepted, _OPEN_INSTANCE::AdapterHandle, bpf_hdr::bh_caplen, bpf_hdr::bh_datalen, bpf_hdr::bh_hdrlen, bpf_hdr::bh_tstamp, bpf_filter(), bpf_filter_with_2_buffers(), _OPEN_INSTANCE::bpfprogram, _OPEN_INSTANCE::CountersLock, _OPEN_INSTANCE::CpuData, __CPU_Private_Data::Dropped, _OPEN_INSTANCE::DumpEvent, _OPEN_INSTANCE::DumpLimitReached, _OPEN_INSTANCE::Filter, JIT_BPF_Filter::Function, PacketHeader::header, _OPEN_INSTANCE::MachineLock, _OPEN_INSTANCE::MaxDumpPacks, _OPEN_INSTANCE::mem_ex, _OPEN_INSTANCE::MinToCopy, _OPEN_INSTANCE::mode, MODE_DUMP, MODE_MON, MODE_STAT, _OPEN_INSTANCE::Nbytes, NCpu, _OPEN_INSTANCE::Npackets, _OPEN_INSTANCE::PacketPool, __CPU_Private_Data::Processing, _OPEN_INSTANCE::ReadEvent, __CPU_Private_Data::Received, RESERVED, _OPEN_INSTANCE::Size, _OPEN_INSTANCE::SkipProcessing, PacketHeader::SN, _OPEN_INSTANCE::tme, and _OPEN_INSTANCE::WriterSN.

Referenced by DriverEntry().

VOID NPF_TransferDataComplete IN NDIS_HANDLE    ProtocolBindingContext,
IN PNDIS_PACKET    Packet,
IN NDIS_STATUS    Status,
IN UINT    BytesTransferred
 

Ends the transfer of a packet.

Parameters:
ProtocolBindingContext Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
Packet Pointer to the NDIS_PACKET structure that received the packet data.
Status Status of the transfer operation.
BytesTransferred Amount of bytes transferred.
Callback function associated with the NdisTransferData() NDIS function. It is invoked by NDIS when the NIC driver has finished the transfer of a packet from the NIC driver memory to the NPF circular buffer.

Definition at line 807 of file Read.c.

References __CPU_Private_Data::Accepted, bpf_hdr::bh_caplen, bpf_hdr::bh_tstamp, _OPEN_INSTANCE::CpuData, _OPEN_INSTANCE::DumpEvent, PacketHeader::header, _OPEN_INSTANCE::MinToCopy, _OPEN_INSTANCE::mode, MODE_DUMP, _OPEN_INSTANCE::ReadEvent, RESERVED, _OPEN_INSTANCE::Size, PacketHeader::SN, __CPU_Private_Data::TransferMdl1, __CPU_Private_Data::TransferMdl2, and _OPEN_INSTANCE::WriterSN.

Referenced by DriverEntry().

VOID NPF_UnbindAdapter OUT PNDIS_STATUS    Status,
IN NDIS_HANDLE    ProtocolBindingContext,
IN NDIS_HANDLE    UnbindContext
 

Callback for NDIS UnbindAdapterHandler.

Parameters:
Status out variable filled by NPF_UnbindAdapter with the status of the unbind operation.
ProtocolBindingContext Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with current instance.
UnbindContext Specifies a handle, supplied by NDIS, that NPF can use to complete the opration.
Function called by NDIS when a new adapter is removed from the machine without shutting it down. NPF_UnbindAdapter closes the adapter calling NdisCloseAdapter() and frees the memory and the structures associated with it. It also releases the waiting user-level app and closes the dump thread if the instance is in dump mode.

Definition at line 591 of file Openclos.c.

References _OPEN_INSTANCE::AdapterHandle, _OPEN_INSTANCE::Bound, _OPEN_INSTANCE::DumpEvent, _OPEN_INSTANCE::DumpFileHandle, _OPEN_INSTANCE::IOEvent, _OPEN_INSTANCE::mode, MODE_DUMP, NPF_CloseAdapterComplete(), NPF_CloseDumpFile(), _OPEN_INSTANCE::ReadEvent, and _OPEN_INSTANCE::ReadEventHandle.

Referenced by DriverEntry().

VOID NPF_Unload IN PDRIVER_OBJECT    DriverObject
 

Function called by the OS when NPF is unloaded.

Parameters:
DriverObject The driver object of NPF created by the system.
This is the last function executed when the driver is unloaded from the system. It frees global resources, delete the devices and deregisters the protocol. The driver can be unloaded by the user stopping the NPF service (from control panel or with a console 'net stop npf').

Definition at line 495 of file Packet.c.

References _DEVICE_EXTENSION::AdapterName, _DEVICE_EXTENSION::ExportString, and _DEVICE_EXTENSION::NdisProtocolHandle.

Referenced by DriverEntry().

NTSTATUS NPF_Write IN PDEVICE_OBJECT    DeviceObject,
IN PIRP    Irp
 

Writes a raw packet to the network.

Parameters:
DeviceObject Pointer to the device object on which the user wrote the packet.
Irp Pointer to the IRP containing the user request.
Returns:
The status of the operation. See ntstatus.h in the DDK.
This function is called by the OS in consequence of user WriteFile() call, with the data of the packet that must be sent on the net. The data is contained in the buffer associated with Irp, NPF_Write takes it and delivers it to the NIC driver via the NdisSend() function. The Nwrites field of the OPEN_INSTANCE structure associated with Irp indicates the number of copies of the packet that will be sent: more than one copy of the packet can be sent for performance reasons.

Definition at line 34 of file Write.c.

References _OPEN_INSTANCE::AdapterHandle, _OPEN_INSTANCE::Bound, EXIT_FAILURE, _OPEN_INSTANCE::MaxFrameSize, _OPEN_INSTANCE::Multiple_Write_Counter, NPF_SendComplete(), _OPEN_INSTANCE::Nwrites, _OPEN_INSTANCE::PacketPool, RESERVED, and _OPEN_INSTANCE::WriteEvent.

Referenced by DriverEntry().

VOID NPF_WriteDumpFile PFILE_OBJECT    FileObject,
PLARGE_INTEGER    Offset,
ULONG    Length,
PMDL    Mdl,
PIO_STATUS_BLOCK    IoStatusBlock
 

Writes a block of packets on the dump file.

Parameters:
FileObject The file object that will receive the packets.
Offset The offset in the file where the packets will be put.
Length The amount of bytes to write.
Mdl MDL mapping the memory buffer that will be written to disk.
IoStatusBlock Used by the function to return the status of the operation.
Returns:
The status of the operation. See ntstatus.h in the DDK.
NPF_WriteDumpFile addresses directly the file system, creating a custom IRP and using it to send a portion of the NPF circular buffer to disk. This function is used by NPF_DumpThread().

Definition at line 520 of file dump.c.

Referenced by NPF_SaveCurrentBuffer().


documentation. Copyright (c)2002-2003 Politecnico di Torino.
2005 translated by Telebusiness,Inc.
 All rights reserved.