21,597
社区成员
发帖
与我相关
我的任务
分享TDI过滤驱动源码tdifw接收数据重复的问题
我用的是开源tdi防火墙tdifw-1.4.4。
没有改动什么地方,就是在tdi_event_chained_receive中加了打印接收数据包的信息:
NTSTATUS
tdi_event_chained_receive(
IN PVOID TdiEventContext,
IN CONNECTION_CONTEXT ConnectionContext,
IN ULONG ReceiveFlags,
IN ULONG ReceiveLength,
IN ULONG StartingOffset,
IN PMDL Tsdu,
IN PVOID TsduDescriptor)
{
TDI_EVENT_CONTEXT *ctx = (TDI_EVENT_CONTEXT *)TdiEventContext;
PFILE_OBJECT connobj = ot_find_conn_ctx(ctx->fileobj, ConnectionContext);
NTSTATUS status = STATUS_SUCCESS;
PCHAR packet_buffer = Tsdu->StartVa; //数据包起始地址
ULONG packet_count = Tsdu->ByteCount; //数据包总长度
packet_count -= 54; //减去以太头IP头TCP头部
if (packet_count <= 0)
return status;
packet_buffer += 54; //跳过以太头IP头TCP头部
KdPrint(("[++++] tdi_event_chained_receive ReceiveLength: %d Tsdu->ByteCount: %d\n", ReceiveLength, Tsdu->ByteCount));
//打印出网络数据包的前五个字节
KdPrint(("[++++] %02x %02x %02x %02x %02x \n", packet_buffer[0], packet_buffer[1], packet_buffer[2], packet_buffer[3], packet_buffer[4]));
用POP3进行接收测试,发现有相邻的两个数据包内容是一样的,但是他们的长度是不同的。输出如下:
[++++] tdi_event_chained_receive ReceiveLength: 1460 Tsdu->ByteCount: 1514
[++++] 2b 4f 4b 20 31
[++++] tdi_event_chained_receive ReceiveLength: 1460 Tsdu->ByteCount: 1514
[++++] 2b 4f 4b 20 31
[++++] tdi_event_chained_receive ReceiveLength: 552 Tsdu->ByteCount: 606
[++++] 72 43 42 37 5a
[++++] tdi_event_chained_receive ReceiveLength: 1460 Tsdu->ByteCount: 1514
[++++] 72 43 42 37 5a
[++++] tdi_event_chained_receive ReceiveLength: 1460 Tsdu->ByteCount: 1514
[++++] 6b 4c 69 44 71
[++++] tdi_event_chained_receive ReceiveLength: 552 Tsdu->ByteCount: 606
[++++] 6b 4c 69 44 71
这些长度跟我用Wireshark捕获的包长度是一致的,但是内容却不对。为什么相邻的数据包内容会一样呢?
PS:这里的输出为了方便我只输出前面的五个字节,我也试过把每个接收数据包导出为文件,相邻的文件内容是一样的。
没有改动什么地方,就是在tdi_event_chained_receive中加了打印接收数据包的信息:
NTSTATUS
tdi_event_chained_receive(
IN PVOID TdiEventContext,
IN CONNECTION_CONTEXT ConnectionContext,
IN ULONG ReceiveFlags,
IN ULONG ReceiveLength,
IN ULONG StartingOffset,
IN PMDL Tsdu,
IN PVOID TsduDescriptor)
{
TDI_EVENT_CONTEXT *ctx = (TDI_EVENT_CONTEXT *)TdiEventContext;
PFILE_OBJECT connobj = ot_find_conn_ctx(ctx->fileobj, ConnectionContext);
NTSTATUS status = STATUS_SUCCESS;
PCHAR packet_buffer = Tsdu->StartVa; //数据包起始地址
ULONG packet_count = Tsdu->ByteCount; //数据包总长度
packet_count -= 54; //减去以太头IP头TCP头部
if (packet_count <= 0)
return status;
packet_buffer += 54; //跳过以太头IP头TCP头部
KdPrint(("[++++] tdi_event_chained_receive ReceiveLength: %d Tsdu->ByteCount: %d\n", ReceiveLength, Tsdu->ByteCount));
//打印出网络数据包的前五个字节
KdPrint(("[++++] %02x %02x %02x %02x %02x \n", packet_buffer[0], packet_buffer[1], packet_buffer[2], packet_buffer[3], packet_buffer[4]));
用POP3进行接收测试,发现有相邻的两个数据包内容是一样的,但是他们的长度是不同的。输出如下:
[++++] tdi_event_chained_receive ReceiveLength: 1460 Tsdu->ByteCount: 1514
[++++] 2b 4f 4b 20 31
[++++] tdi_event_chained_receive ReceiveLength: 1460 Tsdu->ByteCount: 1514
[++++] 2b 4f 4b 20 31
[++++] tdi_event_chained_receive ReceiveLength: 552 Tsdu->ByteCount: 606
[++++] 72 43 42 37 5a
[++++] tdi_event_chained_receive ReceiveLength: 1460 Tsdu->ByteCount: 1514
[++++] 72 43 42 37 5a
[++++] tdi_event_chained_receive ReceiveLength: 1460 Tsdu->ByteCount: 1514
[++++] 6b 4c 69 44 71
[++++] tdi_event_chained_receive ReceiveLength: 552 Tsdu->ByteCount: 606
[++++] 6b 4c 69 44 71
这些长度跟我用Wireshark捕获的包长度是一致的,但是内容却不对。为什么相邻的数据包内容会一样呢?
PS:这里的输出为了方便我只输出前面的五个字节,我也试过把每个接收数据包导出为文件,相邻的文件内容是一样的。
...全文
请发表友善的回复…
发表回复
mhcio 2011-10-04
- 打赏
- 举报
debug中看各个变量的值,发现要取另外一个变量的值才能得到正确的数据包:
packet_buffer = Tsdu->MappedSystemVa; //就是这里! 不是原来的StartVa
packet_buffer += StartingOffset;
感谢诸位!
packet_buffer = Tsdu->MappedSystemVa; //就是这里! 不是原来的StartVa
packet_buffer += StartingOffset;
感谢诸位!
codesnail 2011-09-30
- 打赏
- 举报
不知出处,只能帮顶。
woshi_ziyu 2011-09-30
- 打赏
- 举报
[Quote=引用楼主 mhcio 的回复:]
我用的是开源tdi防火墙tdifw-1.4.4。
没有改动什么地方,就是在tdi_event_chained_receive中加了打印接收数据包的信息:
NTSTATUS
tdi_event_chained_receive(
IN PVOID TdiEventContext,
IN CONNECTION_CONTEXT ConnectionContext,
……
[/Quote]
帮顶
我用的是开源tdi防火墙tdifw-1.4.4。
没有改动什么地方,就是在tdi_event_chained_receive中加了打印接收数据包的信息:
NTSTATUS
tdi_event_chained_receive(
IN PVOID TdiEventContext,
IN CONNECTION_CONTEXT ConnectionContext,
……
[/Quote]
帮顶
