I am posting this thread to get a better solution for capturing every inbound packet, without missing any, using ndislwf.
What I have implemented now: I am still using FilterReceiveNetBufferLists, and I loop over the NBL to get each NB, get the buffer from the NB, then copy the buffer to the BUFFER_IO of the IRP and complete the IRP.
In the user-mode application, I open the device \\.\NDISLWF with FILE_FLAG_OVERLAPPED,
then call ReadFileEx with this sample code:
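    #include <windows.h>
    #include <stdio.h>

    VOID CALLBACK ReadCompletionRoutine(DWORD dwErrorCode, DWORD dwNumberOfBytesTransfered, LPOVERLAPPED lpOverlapped)
    {
        /* The cast assumes ASYNC_READ starts with its OVERLAPPED member. */
        PASYNC_READ pAsyncRead = (PASYNC_READ)lpOverlapped;
        unsigned char* ppb = pAsyncRead->pszBuffer;

        /* Only read offsets 26..33 if the read succeeded and returned that many bytes. */
        if (dwErrorCode == 0 && dwNumberOfBytesTransfered >= 34)
        {
            /* Bytes 26..29: IPv4 source, 30..33: IPv4 destination (untagged Ethernet II frame). */
            UINT8 p1 = ppb[26];
            UINT8 p2 = ppb[27];
            UINT8 p3 = ppb[28];
            UINT8 p4 = ppb[29];
            UINT8 p5 = ppb[30];
            UINT8 p6 = ppb[31];
            UINT8 p7 = ppb[32];
            UINT8 p8 = ppb[33];
            printf("source ip address: %d.%d.%d.%d destination ip address: %d.%d.%d.%d", p1, p2, p3, p4, p5, p6, p7, p8);
            printf("\r\n");
        }

        /* Clear the buffer and queue the next read; only one IRP is outstanding at a time. */
        memset(pAsyncRead->pszBuffer, 0, 1500);
        ReadFileEx(pAsyncRead->hfiler, pAsyncRead->pszBuffer, pAsyncRead->uiSize - 1, (LPOVERLAPPED)pAsyncRead, ReadCompletionRoutine);
    }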
So what this is saying is that in the user-mode application, only one IRP is issued to the device at a time; it gets completed, then another IRP is issued. In between, I guess thousands of packets will have gone through without the user-mode application being notified.
Is there any better solution?
For code details, you can go to https://github.com/tonysos507/ethernetcapturer
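
The callback above reads fixed offsets 26 to 33, which hold the IPv4 source and destination addresses only when the buffer is an untagged Ethernet II frame carrying IPv4 and at least 34 bytes were returned. As an added example (not part of the original post or the linked repository), here is a portable C helper that checks those assumptions before reading; the function name, return codes and sample frame are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { FRAME_OK = 0, FRAME_SHORT = -1, FRAME_NOT_IPV4 = -2, FRAME_BAD_HDR = -3 };

/* Constructed sample: untagged Ethernet II + minimal IPv4 header (checksum left 0). */
static const uint8_t SAMPLE_IPV4[34] = {
    0x02,0,0,0,0,0x01,  0x02,0,0,0,0,0x02,          /* dst MAC, src MAC   */
    0x08,0x00,                                      /* EtherType: IPv4    */
    0x45,0x00,0x00,0x14, 0,0,0,0, 0x40,0x06,0,0,    /* ver/IHL ... cksum  */
    192,0,2,10,  198,51,100,20                      /* src IP, dst IP     */
};

/* Hypothetical helper: copy the IPv4 source/destination out of one frame of
 * `len` valid bytes (the byte count the completion routine is given). */
int frame_ipv4_addrs(const uint8_t *frame, size_t len, uint8_t src[4], uint8_t dst[4])
{
    size_t l3 = 14;                            /* dst MAC + src MAC + EtherType */
    if (len < l3) return FRAME_SHORT;
    unsigned ethertype = ((unsigned)frame[12] << 8) | frame[13];
    if (ethertype == 0x8100) {                 /* one 802.1Q tag shifts L3 by 4 */
        if (len < 18) return FRAME_SHORT;
        ethertype = ((unsigned)frame[16] << 8) | frame[17];
        l3 = 18;
    }
    if (ethertype != 0x0800) return FRAME_NOT_IPV4;    /* ARP, IPv6, ...        */
    if (len < l3 + 20) return FRAME_SHORT;             /* minimum IPv4 header   */
    if ((frame[l3] >> 4) != 4 || (frame[l3] & 0x0F) < 5) return FRAME_BAD_HDR;
    memcpy(src, frame + l3 + 12, 4);           /* offsets 26..29 when untagged  */
    memcpy(dst, frame + l3 + 16, 4);           /* offsets 30..33 when untagged  */
    return FRAME_OK;
}

int main(void)
{
    uint8_t s[4], d[4];
    int rc = frame_ipv4_addrs(SAMPLE_IPV4, sizeof SAMPLE_IPV4, s, d);
    if (rc == FRAME_OK)
        printf("source %d.%d.%d.%d destination %d.%d.%d.%d\n",
               s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
    else
        printf("frame skipped, reason %d\n", rc);
    return 0;
}
```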