[Winpcap-users] Direct Dump the packets from the driver

Gianluca Varenni gianluca.varenni at cacetech.com
Tue Jun 22 09:55:15 PDT 2010


1. it's possible, but I'm not sure how trivial it is. If you use functions like ZwCreateFile/WriteFile, they all require an IRQL = PASSIVE_LEVEL, the receive handlers in an NDIS IM driver run at IRQL <= DISPATCH_LEVEL. It's not a matter of dumping in pcap vs any other file format. The issue is the write operation itself.

2. Have you checked if there is any sample in the WDK that writes to file from a driver?

Have a nice day
GV
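Added example (not code from this thread, from WinPcap, or from the WDK passthru sample): a portable C sketch of the two pieces the question needs, the pcap savefile headers and a queue that keeps the DISPATCH_LEVEL receive path away from the PASSIVE_LEVEL write. The kernel wiring named in the comments (a KSPIN_LOCK around the ring, a PsCreateSystemThread worker calling ZwCreateFile/ZwWriteFile, timestamps from KeQuerySystemTime) is assumed rather than implemented, so the block compiles in user mode with an in-memory sink standing in for the file; the frame it dumps is constructed sample data.

```c
/* Added example, not code from the thread, WinPcap or the WDK. Kernel glue named in
 * comments (spin lock, system thread, ZwCreateFile/ZwWriteFile) is assumed, not shown. */
#include <stdint.h>
#include <string.h>

#define CAPTURE_SNAPLEN 2048u    /* bytes kept per frame; orig_len still records the true size */
#define RING_SLOTS      8u       /* tiny for the demo; allocate from nonpaged pool in a driver */
#define WIN_EPOCH_DELTA 116444736000000000ULL /* 100ns ticks from 1601-01-01 to 1970-01-01 */

typedef struct {
    uint32_t ts_sec, ts_usec, incl_len, orig_len;
    uint8_t  data[CAPTURE_SNAPLEN];
} capture_slot_t;

/* Single-producer/single-consumer ring. In the driver, head/tail live in nonpaged pool and
 * are guarded by a KSPIN_LOCK, which is legal at DISPATCH_LEVEL (assumed wiring). */
typedef struct {
    capture_slot_t slot[RING_SLOTS];
    uint32_t head, tail, dropped;
} capture_ring_t;

/* Sink: in the driver this is ZwWriteFile on a handle the PASSIVE_LEVEL worker opened with
 * ZwCreateFile; here it is a callback so the code runs in user mode. Returns 0 on success. */
typedef int (*pcap_sink_fn)(void *ctx, const uint8_t *buf, size_t len);

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }

/* 24-byte pcap global header: magic 0xa1b2c3d4, version 2.4, thiszone 0, sigfigs 0, snaplen,
 * linktype DLT_EN10MB (1). Little-endian, as libpcap writes it on x86. */
size_t pcap_file_header(uint8_t out[24])
{
    put32(out, 0xa1b2c3d4u); put16(out + 4, 2); put16(out + 6, 4);
    put32(out + 8, 0); put32(out + 12, 0);
    put32(out + 16, CAPTURE_SNAPLEN); put32(out + 20, 1);
    return 24;
}
/* 16-byte per-record header: ts_sec, ts_usec, incl_len, orig_len. */
size_t pcap_record_header(uint8_t out[16], const capture_slot_t *s)
{
    put32(out, s->ts_sec); put32(out + 4, s->ts_usec);
    put32(out + 8, s->incl_len); put32(out + 12, s->orig_len);
    return 16;
}
/* KeQuerySystemTime yields 100ns ticks since 1601; pcap wants Unix seconds + microseconds. */
void filetime_to_pcap_ts(uint64_t ft100ns, uint32_t *sec, uint32_t *usec)
{
    uint64_t t = ft100ns - WIN_EPOCH_DELTA;
    *sec  = (uint32_t)(t / 10000000ULL);
    *usec = (uint32_t)((t % 10000000ULL) / 10);
}

/* Receive-path side (IRQL <= DISPATCH_LEVEL): copy into a slot and return. No file I/O, no
 * paged memory, no waiting. A full ring drops the frame (and counts it) instead of blocking. */
int capture_push(capture_ring_t *r, uint64_t ft100ns, const uint8_t *frame, uint32_t len)
{
    uint32_t next = (r->tail + 1) % RING_SLOTS;
    if (next == r->head) { r->dropped++; return 0; }
    capture_slot_t *s = &r->slot[r->tail];
    filetime_to_pcap_ts(ft100ns, &s->ts_sec, &s->ts_usec);
    s->orig_len = len;
    s->incl_len = len > CAPTURE_SNAPLEN ? CAPTURE_SNAPLEN : len;
    memcpy(s->data, frame, s->incl_len);
    r->tail = next;
    return 1;
}

/* Worker side (PASSIVE_LEVEL thread created with PsCreateSystemThread): drain queued records
 * to the sink. Returns the number of records written, or -1 if the sink failed. */
int capture_drain(capture_ring_t *r, pcap_sink_fn sink, void *ctx)
{
    int n = 0;
    uint8_t hdr[16];
    while (r->head != r->tail) {
        capture_slot_t *s = &r->slot[r->head];
        pcap_record_header(hdr, s);
        if (sink(ctx, hdr, 16) != 0 || sink(ctx, s->data, s->incl_len) != 0) return -1;
        r->head = (r->head + 1) % RING_SLOTS;
        n++;
    }
    return n;
}

/* User-mode stand-in for the file: an in-memory sink. */
typedef struct { uint8_t buf[4096]; size_t len; } mem_sink_t;
static int mem_sink(void *ctx, const uint8_t *p, size_t n)
{
    mem_sink_t *m = ctx;
    if (m->len + n > sizeof m->buf) return -1;
    memcpy(m->buf + m->len, p, n); m->len += n;
    return 0;
}

/* Demo: one constructed 60-byte broadcast frame (sample bytes, not a real capture) pushed from
 * the "receive path" and drained by the "worker" into a complete pcap stream: 24+16+60 bytes. */
mem_sink_t *demo_dump(void)
{
    static mem_sink_t out; static capture_ring_t ring;
    uint8_t frame[60] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06 };
    uint8_t hdr[24];
    memset(&out, 0, sizeof out); memset(&ring, 0, sizeof ring);
    pcap_file_header(hdr); mem_sink(&out, hdr, 24);
    capture_push(&ring, WIN_EPOCH_DELTA + 12345678900ULL, frame, sizeof frame); /* t = 1234.567890 s */
    capture_drain(&ring, mem_sink, &out);
    return &out;
}
```

The split is the whole point of GV's answer: the receive handler only does what is legal at DISPATCH_LEVEL (copy into nonpaged memory under a spin lock), and everything that must be at PASSIVE_LEVEL (ZwCreateFile, ZwWriteFile, ZwClose) happens in a dedicated system thread that the driver wakes with an event and stops on unload. Two caveats a driver author would want: open the file with OBJ_KERNEL_HANDLE so the handle is not tied to whatever process context happened to be current, and treat the dropped counter as a real signal, since a ring that is drained too slowly silently loses frames rather than stalling the NDIS path. The output of demo_dump() opens in Wireshark like any other pcap file.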


From: ictsecurity ictsecurity 
Sent: Tuesday, June 22, 2010 1:59 AM
To: winpcap-users at winpcap.org 
Subject: [Winpcap-users] Direct Dump the packets from the driver


Hi, all

I modified the passthru driver (NDIS Intermediate Driver) from the example in WinDDK. I succeeded in directly intercepting and dumping all the network traffic packets (hexadecimal format) into c:\xxxx.dat format. My question is:

1. is it possible to dump directly from the NDIS intermediate driver into pcap format? for example, c:\xxx.pcap without sending all the traffic to ring3 for processing
2. if yes, any code / docs I can refer to?

Thanks,

from ictsecurity0  

