Reply To: Network Monitor API synchronization


#6424
Toxic
Participant

    Ok, then another things…

    1. When I set event filter mask as follows

    FilterInfo.m_FilterMask = EVENT_MASK_RCV | EVENT_MASK_RCV_DGM | EVENT_MASK_SND | EVENT_MASK_SND_DGM;

    then the remote IP in the PLOG_INFO structure is always equal to the local IP. When I set

    FilterInfo.m_FilterMask = EVENT_MASK_FULL;

    remote IP is shown correctly.

    2. I’ve modified the Monitor example to group events by app/localIP/remoteIP/protocol as follows (the rest of the example is unchanged):

    //declared earlier
    //typedef struct _STAT_ENTRY
    //{
    // LONGLONG totalSent;
    // LONGLONG totalRecv;
    // char szProcName[NT_PROCNAMELEN + 1];
    // unsigned long localAddr;
    // unsigned long remoteAddr;
    // unsigned long protocol;
    //} STAT_ENTRY;
    //
    //vector<STAT_ENTRY> g_Entries;

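    // Read 20 batches of log records. Every record whose m_GroupID and
    // m_OperationStatus are both zero is folded into g_Entries, keyed by
    // process name, local IP, remote IP and protocol.
    while (i < 20)
    {
        if (!api.ReadLog((PLOG_INFO)Buffer, BufferLength))
        {
            if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
            {
                // Grow by 0x1000 bytes and retry. The result goes into a
                // temporary first: when HeapReAlloc fails the original block
                // stays allocated, so assigning NULL to Buffer would leak it
                // and leave later code with a null pointer.
                BufferLength += 0x1000;
                PUCHAR Grown = (PUCHAR)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Buffer, BufferLength);
                if (!Grown)
                {
                    _tprintf(TEXT("can't allocate %i bytes! abort\n"), BufferLength);
                    BufferLength -= 0x1000; // Buffer still has its previous size
                    break;
                }
                Buffer = Grown;
                continue;
            }

            // No data available: block on the driver's event when there is
            // one, otherwise poll once a second.
            if (api.GetWaitEvent())
                api.WaitForData(INFINITE);
            else
                Sleep(1000);

            continue;
        }

        i++;
        BytesProcessed = 0;
        BytesRead = api.GetBytesReturned();

        LogInfo = (PLOG_INFO)Buffer;
        for (j = 0; BytesProcessed < BytesRead; j++)
        {
            // Do not dereference a record header that lies only partly inside
            // the bytes ReadLog reported.
            const size_t Remaining = (size_t)(BytesRead - BytesProcessed);
            if (Remaining < sizeof(*LogInfo))
                break;

            if (!LogInfo->m_GroupID && !LogInfo->m_OperationStatus)
            {
                // The index is declared outside the for statement because it
                // is tested after the loop to detect "no matching entry".
                size_t EntryIdx = 0;
                for (; EntryIdx < g_Entries.size(); EntryIdx++)
                {
                    STAT_ENTRY &Entry = g_Entries[EntryIdx];
                    // NOTE(review): _stricmp assumes m_szProcessName is
                    // NUL-terminated -- confirm against the LOG_INFO definition.
                    if (Entry.remoteAddr == LogInfo->m_RemoteAddress.m_Ip &&
                        Entry.localAddr == LogInfo->m_LocalAddress.m_Ip &&
                        Entry.protocol == LogInfo->m_Protocol &&
                        !_stricmp(Entry.szProcName, LogInfo->m_szProcessName))
                    {
                        if (LogInfo->m_EvtType == TDI_EVT_RCV) Entry.totalRecv += LogInfo->m_FullDataLength;
                        if (LogInfo->m_EvtType == TDI_EVT_SND) Entry.totalSent += LogInfo->m_FullDataLength;
                        break;
                    }
                }

                if (EntryIdx >= g_Entries.size())
                {
                    // First event for this app/localIP/remoteIP/protocol tuple.
                    STAT_ENTRY se = {0L, 0L};
                    if (LogInfo->m_EvtType == TDI_EVT_RCV) se.totalRecv = LogInfo->m_FullDataLength;
                    if (LogInfo->m_EvtType == TDI_EVT_SND) se.totalSent = LogInfo->m_FullDataLength;
                    se.localAddr = LogInfo->m_LocalAddress.m_Ip;
                    se.remoteAddr = LogInfo->m_RemoteAddress.m_Ip;
                    se.protocol = LogInfo->m_Protocol;
                    // strncpy does not terminate the destination when the
                    // source fills it, so copy one byte less and terminate
                    // explicitly; the stored name is later passed to _stricmp.
                    strncpy(se.szProcName, LogInfo->m_szProcessName, sizeof(se.szProcName) - 1);
                    se.szProcName[sizeof(se.szProcName) - 1] = '\0';
                    g_Entries.push_back(se);
                }
            }

            // A payload length that runs past the batch cannot lead to a valid
            // next record, and adding it could wrap BytesProcessed; stop here.
            if (LogInfo->m_DataLength > Remaining - sizeof(*LogInfo))
                break;

            BytesProcessed += sizeof(*LogInfo) + LogInfo->m_DataLength;
            // Assign, not +=: the next record starts at this offset from the
            // beginning of Buffer (adding a pointer to a pointer is ill-formed).
            LogInfo = (PLOG_INFO)((PUCHAR)Buffer + BytesProcessed);
        }
    }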

    After launching the example I use a browser to download some data. The strange thing is that the totalRecv field in each entry is always zero, and totalSent contains the received data size.