NDIS protocol first 8 bytes of MAC erased

Hey,

Recently I have written an NDIS protocol driver in WDM based on the Microsoft driver example which I run on Windows 10 which implements a custom protocol.
It was working while I was debugging it but this changed when I turned off kernel debugging (bcdedit /debug off). Previously my adapter was shown as Windows Kernel Debugger or something like that but now it regained its own name.

Then, when I used Wireshark to track all frames I sent using a second PC, the first 8 bytes of the frame (the destination and part of the source) got erased to 0x00.

The strange thing is when I start Wireshark on the PC that runs the driver it shows the correct frames being sent.
So between the filter driver of WinPcap and it being sent the first 8 bytes are erased.

I hope somebody recognizes this problem.

Coming back for people that might run into the same problem as it looks like I fixed it.
I would allocate an MDL using NdisAllocateMdl based on allocated memory which I gave as VirtualAddress parameter.
Then I would allocate an NBL using the MDL.
But after calling NdisSendNetBufferLists on the NBL I freed the original allocated memory from which I created the MDL.

For me it still does not explain every symptom, as 1 NIC worked while two other NICs only worked when the kernel debugger was enabled, but I think this is just a difference in how the miniport adapters handled the memory.
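
Added example, not code from the thread or from the Microsoft sample: a user-mode C model of the buffer-lifetime bug described in the post above, where the memory behind the MDL is freed right after the send call returns instead of when the send completes (in NDIS, completion reaches a protocol driver through its ProtocolSendNetBufferListsComplete handler). Every function name is a hypothetical stand-in, the frame bytes are constructed, and the toy allocator that overwrites the first 8 bytes of a freed block is an assumption chosen to reproduce the reported symptom, not a cause confirmed in the thread.

```c
/* User-mode model of the lifetime bug. No NDIS headers; every name is hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_LEN 14
#define LINK_LEN  8  /* assumption: the toy allocator reuses 8 bytes of a freed block */
typedef void (*send_complete_fn)(uint8_t *buf);

static uint8_t pool_block[64];   /* one-block toy pool */
static uint8_t wire[FRAME_LEN];  /* what the second PC would capture */
static struct { uint8_t *buf; send_complete_fn done; } pending; /* pointer only, like an MDL */
static void pool_free(uint8_t *p) { memset(p, 0, LINK_LEN); }

static uint8_t *build_frame(void) {
    uint8_t *f = pool_block;
    memset(f, 0xAA, 6);          /* constructed destination MAC */
    memset(f + 6, 0xBB, 6);      /* constructed source MAC */
    f[12] = 0x88; f[13] = 0xB5;  /* constructed EtherType */
    return f;
}

/* Asynchronous send: queues the pointer and returns before the data is read. */
static void send_async(uint8_t *buf, send_complete_fn done) { pending.buf = buf; pending.done = done; }

/* Later: the adapter reads the buffer, then indicates completion. */
static void miniport_drain(void) {
    memcpy(wire, pending.buf, FRAME_LEN);
    if (pending.done) pending.done(pending.buf);
}

const uint8_t *send_buggy(void) {   /* frees as soon as the send call returns */
    uint8_t *f = build_frame();
    send_async(f, NULL);
    pool_free(f);                   /* lower layer still holds the pointer */
    miniport_drain();
    return wire;
}

const uint8_t *send_fixed(void) {   /* frees only from the completion callback */
    send_async(build_frame(), pool_free);
    miniport_drain();
    return wire;
}

int main(void) {
    printf("buggy dst[0]=%02x\n", send_buggy()[0]);
    printf("fixed dst[0]=%02x\n", send_fixed()[0]);
    return 0;
}
```

In the model the sender's own view of the frame is correct at the moment of the send call in both paths; only the copy taken later by the adapter differs, which matches a local capture looking fine while the remote capture does not.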

Thank you for taking the time to “circle back” and update us.

One of the great tragedies of forums is when you find a thread that asks/posts the EXACT SAME question that you have… but there’s no follow-up. I never know if OP died, or s/he found the answer and never came back.

So… thanks.

Peter
OSR
@OSRDrivers

https://imgs.xkcd.com/comics/wisdom_of_the_ancients.png

-scott
OSR
@OSRDrivers