From: Roddy, Mark [Mark_Roddy@stratus.com]
Sent: Monday, May 15, 2000 8:44 AM
To: NT Developers Interest List
Subject: [ntdev] RE: TCP hooks question

Barak,

W2K does indeed have an "IP Hook" feature in the protocol stack. This gives your driver a shot at each IP packet before it is passed up (on incoming data) to the transport protocol (TCP or UDP.) It also gives you a look at each outgoing packet before it goes down to NDIS. You are allowed to modify the behavior of the protocol stack with respect to each packet by the return value you supply to your hook function.

No, it is not operating in promiscuous mode, and I don't know what would happen if you put the NDIS layer in promiscuous mode. Either you will see all IP datagrams, or you will see only those IP datagrams that match the IP target address. Note that for most networks (i.e. switched Ethernet) promiscuous mode is not as useful as it sounds. At any rate probably some NDIS wonk can tell you how to get NDIS to fetch everything off the wire.

I have a sample IP hook driver on my web site: http:\\www.hollistech.com feel free to download it and use or abuse it as you see fit.

> -----Original Message-----
> From: Barak Mandelovich [mailto:barak@mercury.co.il]
> Sent: Sunday, May 14, 2000 9:04 AM
> To: NT Developers Interest List
> Subject: [ntdev] TCP hooks question
>
> Hello!
>
> I'd like to write some kind of software that can listen to network traffic.
>
> Until now, I've used a kernel mode driver, based on the PACKET.SYS file
> given in the DDK.
>
> Now, it's time to port that thing to Windows 2000.
>
> I heard that the TCP stack of 2000 has "hooks", where I can specify function
> that will process incoming packets before they reach the TCP stack.
>
> It sounds great, but the question is:
>
> Does it hear ALL the frames on the network (promiscuous mode)?
>
> If not - is it the one that FIRST "sees" the incoming packet?
>
> (for example - suppose I get an ACK frame, designated to my machine, but
> I did not send a SYN packet before. Will I still hear it, or will the kernel
> "catch" it before me, and will send a RST packet, and thus I won't see the
> ACK packet?)
>
> If it doesn't work in promiscuous mode - can I change its mode using IOCTL
> of some kind?
>
> thanks in advance,
>
> - Barak
>
> ---
> You are currently subscribed to ntdev as: mark_roddy@stratus.com
> To unsubscribe send a blank email to leave-ntdev-247T@lists.osr.com
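
Added example (not part of the original thread, and not the sample driver mentioned above): a user-mode C model of the per-packet decision a hook function makes when it sees each IP datagram before TCP or UDP does, run here on a constructed bare-ACK segment like the one in the question. The names `ip_hook`, `pkt_info`, `HOOK_PASS` and `HOOK_DROP` are hypothetical stand-ins; the DDK's actual hook prototype and return values are not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical verdicts standing in for the hook's return value. */
typedef enum { HOOK_PASS, HOOK_DROP } hook_verdict;

typedef struct {
    uint8_t  protocol;   /* IPv4 protocol field (6 = TCP, 17 = UDP) */
    uint8_t  tcp_flags;  /* TCP flag byte; 0 when no TCP header is present */
    uint32_t src, dst;   /* addresses in host byte order */
} pkt_info;

/* Constructed sample: 192.0.2.1 -> 192.0.2.2, TCP 1234 -> 80, ACK only. */
static const uint8_t sample_ack[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xC0,0x00,0x02,0x01, 0xC0,0x00,0x02,0x02,
    0x04,0xD2,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01,
    0x50,0x10,0x20,0x00, 0x00,0x00,0x00,0x00 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Runs once per IP datagram, ahead of the transport layer: records what
 * arrived, drops malformed datagrams, passes everything else unchanged. */
hook_verdict ip_hook(const uint8_t *pkt, size_t len, pkt_info *out) {
    if (len < 20 || (pkt[0] >> 4) != 4) return HOOK_DROP;
    size_t ihl   = (size_t)(pkt[0] & 0x0F) * 4;      /* header length */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];   /* datagram length */
    if (ihl < 20 || ihl > len || total < ihl || total > len) return HOOK_DROP;
    out->protocol  = pkt[9];
    out->src       = be32(pkt + 12);
    out->dst       = be32(pkt + 16);
    out->tcp_flags = 0;
    /* Only the first fragment (offset 0) carries the TCP header. */
    uint16_t frag_off = (uint16_t)(((pkt[6] & 0x1F) << 8) | pkt[7]);
    if (out->protocol == 6 && frag_off == 0) {
        if (total - ihl < 20) return HOOK_DROP;      /* truncated TCP header */
        out->tcp_flags = pkt[ihl + 13];
    }
    return HOOK_PASS;
}

int main(void) {
    pkt_info info;
    hook_verdict v = ip_hook(sample_ack, sizeof sample_ack, &info);
    printf("verdict=%d proto=%u flags=0x%02x\n", v, info.protocol, info.tcp_flags);
    return 0;
}
```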