documentation. Copyright (c) 2002-2005 Politecnico di Torino. Copyright (c) 2005
CACE technologies. All rights reserved.Data Structures | |
| struct | packet_file_header |
| Header of a libpcap dump file. More... | |
| struct | sf_pkthdr |
| Header associated to a packet in the driver's buffer when the driver is in dump mode. Similar to the bpf_hdr structure, but simpler. More... | |
| struct | _INTERNAL_REQUEST |
| Stores an OID request. More... | |
| struct | _PACKET_RESERVED |
| Contains a NDIS packet. More... | |
| struct | _DEVICE_EXTENSION |
| Port device extension. More... | |
| struct | __CPU_Private_Data |
| Kernel buffer of each CPU. More... | |
| struct | _OPEN_INSTANCE |
| Contains the state of a running instance of the NPF driver. More... | |
| struct | PacketHeader |
| Structure prepended to each packet in the kernel buffer pool. More... | |
| struct | binary_stream |
| A stream of X86 binary code. More... | |
| struct | JIT_BPF_Filter |
| Structure describing a x86 filtering program created by the jitter. More... | |
Defines | |
| #define | NTKERNEL |
| Forces the compilation of the jitter with kernel calls. | |
| #define | MAX_REQUESTS 32 |
| Maximum number of simultaneous IOCTL requests. | |
| #define | Packet_ALIGNMENT sizeof(int) |
| Alignment macro. Defines the alignment size. | |
| #define | Packet_WORDALIGN(x) (((x)+(Packet_ALIGNMENT-1))&~(Packet_ALIGNMENT-1)) |
| even multiple of Packet_ALIGNMENT. | |
| #define | BIOCSETBUFFERSIZE 9592 |
| IOCTL code: set kernel buffer size. | |
| #define | BIOCSETF 9030 |
| IOCTL code: set packet filtering program. | |
| #define | BIOCGSTATS 9031 |
| IOCTL code: get the capture stats. | |
| #define | BIOCSRTIMEOUT 7416 |
| IOCTL code: set the read timeout. | |
| #define | BIOCSMODE 7412 |
| IOCTL code: set working mode. | |
| #define | BIOCSWRITEREP 7413 |
| IOCTL code: set number of physical repetions of every packet written by the app. | |
| #define | BIOCSMINTOCOPY 7414 |
| IOCTL code: set minimum amount of data in the kernel buffer that unlocks a read call. | |
| #define | BIOCSETOID 2147483648 |
| IOCTL code: set an OID value. | |
| #define | BIOCQUERYOID 2147483652 |
| IOCTL code: get an OID value. | |
| #define | BIOCSETDUMPFILENAME 9029 |
| IOCTL code: set the name of a the file used by kernel dump mode. | |
| #define | BIOCGEVNAME 7415 |
| IOCTL code: get the name of the event that the driver signals when some data is present in the buffer. | |
| #define | BIOCSENDPACKETSNOSYNC 9032 |
| IOCTL code: Send a buffer containing multiple packets to the network, ignoring the timestamps. | |
| #define | BIOCSENDPACKETSSYNC 9033 |
| IOCTL code: Send a buffer containing multiple packets to the network, considering the timestamps. | |
| #define | BIOCSETDUMPLIMITS 9034 |
| IOCTL code: Set the dump file limits. | |
| #define | BIOCISDUMPENDED 7411 |
| IOCTL code: Get the status of the kernel dump process. | |
| #define | MODE_CAPT 0x0 |
| Capture working mode. | |
| #define | MODE_STAT 0x1 |
| Statistical working mode. | |
| #define | MODE_MON 0x2 |
| Kernel monitoring mode. | |
| #define | MODE_DUMP 0x10 |
| Kernel dump working mode. | |
| #define | IMMEDIATE 1 |
| Immediate timeout. Forces a read call to return immediately. | |
| #define | TCPDUMP_MAGIC 0xa1b2c3d4 |
| Libpcap magic number. Used by programs like tcpdump to recognize a driver's generated dump file. | |
| #define | PCAP_VERSION_MAJOR 2 |
| Major libpcap version of the dump file. Used by programs like tcpdump to recognize a driver's generated dump file. | |
| #define | PCAP_VERSION_MINOR 4 |
| Minor libpcap version of the dump file. Used by programs like tcpdump to recognize a driver's generated dump file. | |
| #define | RESERVED(_p) ((PPACKET_RESERVED)((_p)->ProtocolReserved)) |
| Macro to obtain a NDIS_PACKET from a PACKET_RESERVED. | |
| #define | TRANSMIT_PACKETS 256 |
| of packets that can be transmitted at the same time or with a single call to NdisSendPackets. | |
| #define | EXIT_SUCCESS(quantity) |
| Macro used in the I/O routines to return the control to user-mode with a success status. | |
| #define | EXIT_FAILURE(quantity) |
| Macro used in the I/O routines to return the control to user-mode with a failure status. | |
| #define | EAX 0 |
| #define | ECX 1 |
| #define | EDX 2 |
| #define | EBX 3 |
| #define | ESP 4 |
| #define | EBP 5 |
| #define | ESI 6 |
| #define | EDI 7 |
| #define | AX 0 |
| #define | CX 1 |
| #define | DX 2 |
| #define | BX 3 |
| #define | SP 4 |
| #define | BP 5 |
| #define | SI 6 |
| #define | DI 7 |
| #define | AL 0 |
| #define | CL 1 |
| #define | DL 2 |
| #define | BL 3 |
| #define | MOVid(r32, i32) emitm(&stream, 11 << 4 | 1 << 3 | r32 & 0x7, 1); emitm(&stream, i32, 4); |
| mov r32,i32 | |
| #define | MOVrd(dr32, sr32) emitm(&stream, 8 << 4 | 3 | 1 << 3, 1); emitm(&stream, 3 << 6 | (dr32 & 0x7) << 3 | sr32 & 0x7, 1); |
| mov dr32,sr32 | |
| #define | MOVodd(dr32, sr32, off) |
| mov dr32,sr32[off] | |
| #define | MOVobd(dr32, sr32, or32) |
| mov dr32,sr32[or32] | |
| #define | MOVobw(dr32, sr32, or32) |
| mov dr16,sr32[or32] | |
| #define | MOVobb(dr8, sr32, or32) |
| mov dr8,sr32[or32] | |
| #define | MOVomd(dr32, or32, sr32) |
| mov [dr32][or32],sr32 | |
| #define | BSWAP(dr32) |
| bswap dr32 | |
| #define | SWAP_AX() |
| xchg al,ah | |
| #define | PUSH(r32) emitm(&stream, 5 << 4 | 0 << 3 | r32 & 0x7, 1); |
| push r32 | |
| #define | POP(r32) emitm(&stream, 5 << 4 | 1 << 3 | r32 & 0x7, 1); |
| pop r32 | |
| #define | RET() emitm(&stream, 12 << 4 | 0 << 3 | 3, 1); |
| ret | |
| #define | ADDrd(dr32, sr32) |
| add dr32,sr32 | |
| #define | ADD_EAXi(i32) |
| add eax,i32 | |
| #define | ADDid(r32, i32) |
| add r32,i32 | |
| #define | ADDib(r32, i8) |
| add r32,i8 | |
| #define | SUBrd(dr32, sr32) |
| sub dr32,sr32 | |
| #define | SUB_EAXi(i32) |
| sub eax,i32 | |
| #define | MULrd(r32) |
| mul r32 | |
| #define | DIVrd(r32) |
| div r32 | |
| #define | ANDib(r8, i8) |
| and r8,i8 | |
| #define | ANDid(r32, i32) |
| and r32,i32 | |
| #define | ANDrd(dr32, sr32) |
| and dr32,sr32 | |
| #define | ORrd(dr32, sr32) |
| or dr32,sr32 | |
| #define | ORid(r32, i32) |
| or r32,i32 | |
| #define | SHLib(r32, i8) |
| shl r32,i8 | |
| #define | SHL_CLrb(dr32) |
| shl dr32,cl | |
| #define | SHRib(r32, i8) |
| shr r32,i8 | |
| #define | SHR_CLrb(dr32) |
| shr dr32,cl | |
| #define | NEGd(r32) |
| neg r32 | |
| #define | CMPodd(dr32, sr32, off) |
| cmp dr32,sr32[off] | |
| #define | CMPrd(dr32, sr32) |
| cmp dr32,sr32 | |
| #define | CMPid(dr32, i32) |
| cmp dr32,i32 | |
| #define | JNEb(off8) |
| jne off32 | |
| #define | JE(off32) |
| je off32 | |
| #define | JLE(off32) |
| jle off32 | |
| #define | JLEb(off8) |
| jle off8 | |
| #define | JA(off32) |
| ja off32 | |
| #define | JAE(off32) |
| jae off32 | |
| #define | JG(off32) |
| jg off32 | |
| #define | JGE(off32) |
| jge off32 | |
| #define | JMP(off32) |
| jmp off32 | |
Typedefs | |
| typedef _INTERNAL_REQUEST | INTERNAL_REQUEST |
| Stores an OID request. | |
| typedef _INTERNAL_REQUEST * | PINTERNAL_REQUEST |
| Stores an OID request. | |
| typedef _PACKET_RESERVED | PACKET_RESERVED |
| Contains a NDIS packet. | |
| typedef _PACKET_RESERVED * | PPACKET_RESERVED |
| Contains a NDIS packet. | |
| typedef _DEVICE_EXTENSION | DEVICE_EXTENSION |
| Port device extension. | |
| typedef _DEVICE_EXTENSION * | PDEVICE_EXTENSION |
| Port device extension. | |
| typedef __CPU_Private_Data | CpuPrivateData |
| Kernel buffer of each CPU. | |
| typedef _OPEN_INSTANCE | OPEN_INSTANCE |
| Contains the state of a running instance of the NPF driver. | |
| typedef _OPEN_INSTANCE * | POPEN_INSTANCE |
| Contains the state of a running instance of the NPF driver. | |
| typedef binary_stream | binary_stream |
| A stream of X86 binary code. | |
| typedef UINT(* | BPF_filter_function )(binary_stream *, ULONG, UINT) |
| Prototype of a filtering function created by the jitter. | |
| typedef void(* | emit_func )(binary_stream *stream, ULONG value, UINT n) |
| Prototype of the emit functions. | |
| typedef JIT_BPF_Filter | JIT_BPF_Filter |
| Structure describing a x86 filtering program created by the jitter. | |
|
|
Value: add eax,i32
|
|
|
Value: add r32,i8
|
|
|
Value: add r32,i32
|
|
|
Value: add dr32,sr32
|
|
|
|
|
|
Value: and r8,i8
|
|
|
Value: and r32,i32
|
|
|
Value: and dr32,sr32
|
|
|
|
|
|
IOCTL code: get the name of the event that the driver signals when some data is present in the buffer. Command used by the application to retrieve the name of the global event associated with a NPF instance. The event is signaled by the driver when the kernel buffer contains enough data for a transfer. |
|
|
IOCTL code: get the capture stats. This command returns to the application the number of packets received and the number of packets dropped by an instance of the driver. |
|
|
IOCTL code: Get the status of the kernel dump process. This command returns TRUE if the kernel dump is ended, i.e if one of the limits set with BIOCSETDUMPLIMITS (amount of bytes or number of packets) has been reached. |
|
|
IOCTL code: get an OID value. This IOCTL is used to perform an OID get operation on the NIC driver. |
|
|
IOCTL code: Send a buffer containing multiple packets to the network, ignoring the timestamps. Command used to send a buffer of packets in a single system call. Every packet in the buffer is preceded by a sf_pkthdr structure. The timestamps of the packets are ignored, i.e. the packets are sent as fast as possible. The NPF_BufferedWrite() function is invoked to send the packets. |
|
|
IOCTL code: Send a buffer containing multiple packets to the network, considering the timestamps. Command used to send a buffer of packets in a single system call. Every packet in the buffer is preceded by a sf_pkthdr structure. The timestamps of the packets are used to synchronize the write, i.e. the packets are sent to the network respecting the intervals specified in the sf_pkthdr structure assiciated with each packet. NPF_BufferedWrite() function is invoked to send the packets. |
|
|
IOCTL code: set kernel buffer size. This IOCTL is used to set a new size of the circular buffer associated with an instance of NPF. When a BIOCSETBUFFERSIZE command is received, the driver frees the old buffer, allocates the new one and resets all the parameters associated with the buffer in the OPEN_INSTANCE structure. The currently buffered packets are lost. |
|
|
IOCTL code: set the name of a the file used by kernel dump mode. This command opens a file whose name is contained in the IOCTL buffer and associates it with current NPf instance. The dump thread uses it to copy the content of the circular buffer to file. If a file was already opened, the driver closes it before opening the new one. |
|
|
IOCTL code: Set the dump file limits. This IOCTL sets the limits (maximum size and maximum number of packets) of the dump file created when the driver works in dump mode. |
|
|
IOCTL code: set packet filtering program. This IOCTL sets a new packet filter in the driver. Before allocating any memory for the new filter, the bpf_validate() function is called to check the correctness of the filter. If this function returns TRUE, the filter is copied to the driver's memory, its address is stored in the bpfprogram field of the OPEN_INSTANCE structure associated with current instance of the driver, and the filter will be applied to every incoming packet. This command also empties the circular buffer used by current instance to store packets. This is done to avoid the presence in the buffer of packets that do not match the filter. |
|
|
IOCTL code: set an OID value. This IOCTL is used to perform an OID set operation on the NIC driver. |
|
|
IOCTL code: set minimum amount of data in the kernel buffer that unlocks a read call. This command sets the OPEN_INSTANCE::MinToCopy member. |
|
|
IOCTL code: set working mode. This IOCTL can be used to set the working mode of a NPF instance. The new mode, received by the driver in the buffer associated with the IOCTL command, can be MODE_CAPT for capture mode (the default), MODE_STAT for statistical mode or MODE_DUMP for dump mode. |
|
|
IOCTL code: set the read timeout. This command sets the maximum timeout after which a read is released, also if no data packets were received. |
|
|
IOCTL code: set number of physical repetions of every packet written by the app. Sets the number of times a single write call must be repeated. This command sets the OPEN_INSTANCE::Nwrites member, and is used to implement the 'multiple write' feature of the driver. |
|
|
|
|
|
|
|
|
Value: bswap dr32
|
|
|
|
|
|
|
|
|
Value: cmp dr32,i32
|
|
|
Value: cmp dr32,sr32[off]
|
|
|
Value: cmp dr32,sr32
|
|
|
|
|
|
|
|
|
Value: div r32
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Value: Macro used in the I/O routines to return the control to user-mode with a failure status.
|
|
|
Value: Macro used in the I/O routines to return the control to user-mode with a success status.
|
|
|
Immediate timeout. Forces a read call to return immediately.
|
|
|
Value: ja off32
|
|
|
Value: jae off32
|
|
|
Value: je off32
|
|
|
Value: jg off32
|
|
|
Value: jge off32
|
|
|
Value: jle off32
|
|
|
Value: jle off8
|
|
|
Value: jmp off32
|
|
|
Value: jne off32
|
|
|
Maximum number of simultaneous IOCTL requests.
|
|
|
Capture working mode.
|
|
|
Kernel dump working mode.
|
|
|
Kernel monitoring mode.
|
|
|
Statistical working mode.
|
|
|
mov r32,i32
|
|
|
Value: mov dr8,sr32[or32]
|
|
|
Value: mov dr32,sr32[or32]
|
|
|
Value: mov dr16,sr32[or32]
|
|
|
Value: mov dr32,sr32[off]
|
|
|
Value: mov [dr32][or32],sr32
|
|
|
mov dr32,sr32
|
|
|
Value: mul r32
|
|
|
Value: neg r32
|
|
|
Forces the compilation of the jitter with kernel calls.
|
|
|
Value: or r32,i32
|
|
|
Value: or dr32,sr32
|
|
|
Alignment macro. Defines the alignment size.
|
|
|
even multiple of Packet_ALIGNMENT. Alignment macro. Rounds up to the next |
|
|
Major libpcap version of the dump file. Used by programs like tcpdump to recognize a driver's generated dump file.
|
|
|
Minor libpcap version of the dump file. Used by programs like tcpdump to recognize a driver's generated dump file.
|
|
|
pop r32
|
|
|
push r32
|
|
|
Macro to obtain a NDIS_PACKET from a PACKET_RESERVED.
|
|
|
ret
|
|
|
Value: shl dr32,cl
|
|
|
Value: shl r32,i8
|
|
|
Value: shr dr32,cl
|
|
|
Value: shr r32,i8
|
|
|
|
|
|
|
|
|
Value: sub eax,i32
|
|
|
Value: sub dr32,sr32
|
|
|
Value: xchg al,ah
|
|
|
Libpcap magic number. Used by programs like tcpdump to recognize a driver's generated dump file.
|
|
|
of packets that can be transmitted at the same time or with a single call to NdisSendPackets. Maximum number of packets in the transmit packet pool. This value is an upper bound to the number |
|
|
A stream of X86 binary code.
|
|
|
Prototype of a filtering function created by the jitter. The syntax and the meaning of the parameters is analogous to the one of bpf_filter(). Notice that the filter is not among the parameters, because it is hardwired in the function. |
|
|
Kernel buffer of each CPU. Structure containing the kernel buffer (and other CPU related fields) used to capture packets. |
|
|
Port device extension. Structure containing some data relative to every adapter on which NPF is bound. |
|
|
Prototype of the emit functions. Different emit functions are used to create the reference table and to generate the actual filtering code. This allows to have simpler instruction macros. The first parameter is the stream that will receive the data. The secon one is a variable containing the data, the third one is the length, that can be 1,2 or 4 since it is possible to emit a byte, a short or a work at a time. |
|
|
Stores an OID request. This structure is used by the driver to perform OID query or set operations on the underlying NIC driver. The OID operations be performed usually only by network drivers, but NPF exports this mechanism to user-level applications through an IOCTL interface. The driver uses this structure to wrap a NDIS_REQUEST structure. This allows to handle correctly the callback structure of NdisRequest(), handling multiple requests and maintaining information about the IRPs to complete. |
|
|
Structure describing a x86 filtering program created by the jitter.
|
|
|
Contains the state of a running instance of the NPF driver. This is the most important structure of NPF: it is used by almost all the functions of the driver. An _OPEN_INSTANCE structure is associated with every user-level session, allowing concurrent access to the driver. |
|
|
Contains a NDIS packet. The driver uses this structure to wrap a NDIS_PACKET structure. This allows to handle correctly the callback structure of NdisTransferData(), handling multiple requests and maintaining information about the IRPs to complete. |
|
|
Port device extension. Structure containing some data relative to every adapter on which NPF is bound. |
|
|
Stores an OID request. This structure is used by the driver to perform OID query or set operations on the underlying NIC driver. The OID operations be performed usually only by network drivers, but NPF exports this mechanism to user-level applications through an IOCTL interface. The driver uses this structure to wrap a NDIS_REQUEST structure. This allows to handle correctly the callback structure of NdisRequest(), handling multiple requests and maintaining information about the IRPs to complete. |
|
|
Contains the state of a running instance of the NPF driver. This is the most important structure of NPF: it is used by almost all the functions of the driver. An _OPEN_INSTANCE structure is associated with every user-level session, allowing concurrent access to the driver. |
|
|
Contains a NDIS packet. The driver uses this structure to wrap a NDIS_PACKET structure. This allows to handle correctly the callback structure of NdisTransferData(), handling multiple requests and maintaining information about the IRPs to complete. |
documentation. Copyright (c) 2002-2005 Politecnico di Torino. Copyright (c) 2005
CACE technologies. All rights reserved.