0

I captured all packets from a pc with NDIS driver and Pcap library.
Can i distinct processes from these packet and sort packets group by process? Or should i use recv, send function hook about all process?

Lightstar
  • 183
  • 3
  • 12

1 Answers1

0

By the time the packets have hit the NDIS layer, the higher-layer metadata about who sent the packets is gone. (If you try to get the current process anyway, you'll find the current process ID is often wrong. NDIS sends traffic in arbitrary process context, not the sender's original context.)

The preferred way to do this in Windows is to develop a WFP callout. WFP callouts are given the packet, sending process, user identity, and other metadata.

Microsoft discourages you from hooking functions. Even LSPs are discouraged, and the OS will not run your LSP in all cases (e.g., store applications).

Jeffrey Tippet
  • 3,146
  • 1
  • 14
  • 15
  • I tried distinct packet with port for process. But port number is very variable. And internet browser chrome and explorer also use same remote port number 80... But PID is not same... Should i develop WFP to use pid from packet? Is not way in Winpcap library? i have no time... – Lightstar Jan 18 '15 at 12:39
  • TCPView probably uses an LSP, because it was designed for older versions of Windows. TCPView could not be written as an NDIS driver. – Jeffrey Tippet Jan 19 '15 at 17:02
  • Then... WFP is also driver like NDIS? I searched also wfp to develop this work but there is not sample code and other infomation... If WFP is one way to solve my problem, i try to develop WFP as soon as posiible... – Lightstar Jan 21 '15 at 16:54
  • WFP is a driver platform, like NDIS. The WFP sample is here: https://code.msdn.microsoft.com/windowshardware/Windows-Filtering-Platform-27553baa#content – Jeffrey Tippet Jan 22 '15 at 04:54
  • wfp user mode == user application? I searched many information about wfp but there are no sign to develop searching pid from packet... – Lightstar Jan 23 '15 at 14:57
  • @JeffreyTippet nice one....out of interest, how do you transfer data BACK from the WFP callout to the user process? – horseyguy May 17 '20 at 00:18
  • WFP doesn't dictate how to communicate between your WFP callout and any usermode components. You can use ioctls or whatever other mechanism you like. – Jeffrey Tippet May 19 '20 at 18:38