- This topic has 3 replies, 3 voices, and was last updated 16 years, 2 months ago by
.
-
Posts
-
I wrote a TDI filter driver to monitor the TCP packets, it works very good for the normal packets (HTTP, FTP, SMTP….), but it can not see the SMB (network share) packets, then based on some suggestions I hooked the TCPSendData(…), I do see some activities while access the network share, but it seems only for handshake, after network share was established, when I copy a file to that network share, didn’t see anything, the TCPSendData(…) was not called during file copying!
So where does the SMB data packets go?
And also where is the data buffer stored in parameter SendIrp?
TCPSendData( IN PIRP SendIrp, IN PIO_STACK_LOCATION SendIrpStack ).Anyone can shed some lights on it?
thanks in advance.
AFei
It is difficult to say something without understanding of how you have hooked TCPSendData.
Processing requests passed to TCPSendData is the same as for TDI requests passed through normal path.
я наблюдал то же самое. хукается путем аттача к \Device\Tcp, Udp, RawIp, после обрабатываются TDI_XXX irp – в общем, все по классической схеме tdi_fw 🙂
самое интересное: входящие данные есть, нет только исходящих; снифер на основе winpcap видит исходящие; TDIMON тоже не показывает исходящих.Тема с TCPSendData раскрыта тут http://www.ntkernel.com/w&p.php?id=17
Эту функцию нужно перехватывать дополнительно.
- You must be logged in to reply to this topic.