<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=text/html;charset=iso-8859-1 http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7600.16588"></HEAD>
<BODY style="PADDING-LEFT: 10px; PADDING-RIGHT: 10px; PADDING-TOP: 15px"
id=MailContainerBody leftMargin=0 topMargin=0 CanvasTabStop="true"
name="Compose message area">
<DIV><FONT face=Calibri>1. It's possible, but I'm not sure how trivial it is. If
you use functions like ZwCreateFile/WriteFile, they all require IRQL =
PASSIVE_LEVEL; the receive handlers in an NDIS IM driver run at IRQL &lt;=
DISPATCH_LEVEL. It's not a matter of dumping in pcap vs any other file format.
The issue is the write operation itself.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Calibri>2. Have you checked if there is any sample in the WDK
that writes to file from a driver?</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Calibri>Have a nice day</FONT></DIV>
<DIV><FONT face=Calibri>GV</FONT></DIV>
<DIV><BR></DIV>
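<DIV><FONT face=Calibri>An added example, not code from this thread or from WinPcap: a user-mode C model of the split that point 1 implies. capture_enqueue stands in for the DISPATCH_LEVEL receive handler and only copies the frame into a ring; pcap_global_header and capture_drain stand in for a PASSIVE_LEVEL worker that would hand the bytes to ZwWriteFile. The function names, the ring size and the use of malloc in place of non-paged pool are assumptions of the model; the header layout is the documented libpcap savefile format.</FONT></DIV>

```c
#include <stdint.h>
#include <string.h>
#include <stdlib.h>

#define PCAP_MAGIC 0xa1b2c3d4u     /* host byte order, microsecond timestamps */
#define SNAPLEN    65535u
#define LINKTYPE_ETHERNET 1u
#define QUEUE_SLOTS 64
typedef struct { uint32_t sec, usec, incl_len, orig_len; uint8_t *data; } rec_t;
static rec_t  queue[QUEUE_SLOTS];  /* single-producer, single-consumer ring */
static size_t q_head, q_tail;
static uint8_t *put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); return p + 4; }
static uint8_t *put16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); return p + 2; }
/* Receive-path side (IRQL <= DISPATCH_LEVEL in the real driver): no file I/O,
 * only copy the frame and queue it. malloc stands in for non-paged pool. */
int capture_enqueue(const uint8_t *frame, uint32_t len, uint32_t sec, uint32_t usec)
{
    if (q_tail - q_head == QUEUE_SLOTS) return -1;   /* full: drop, never block */
    rec_t *r = &queue[q_tail % QUEUE_SLOTS];
    r->sec = sec; r->usec = usec; r->orig_len = len;
    r->incl_len = len > SNAPLEN ? SNAPLEN : len;     /* truncate, keep orig_len */
    if (!(r->data = malloc(r->incl_len))) return -1;
    memcpy(r->data, frame, r->incl_len);
    q_tail++; return 0;
}

/* 24-byte libpcap savefile global header, written once at file start. */
size_t pcap_global_header(uint8_t *out)
{
    uint8_t *p = put32(out, PCAP_MAGIC);
    p = put16(p, 2); p = put16(p, 4); p = put32(p, 0); p = put32(p, 0); /* v2.4, thiszone, sigfigs */
    p = put32(p, SNAPLEN); p = put32(p, LINKTYPE_ETHERNET);
    return (size_t)(p - out);
}
/* Worker side (system thread / work item at PASSIVE_LEVEL, where ZwWriteFile
 * is legal): emit queued records as 16-byte pcap record headers + data. */
size_t capture_drain(uint8_t *out, size_t cap)
{
    size_t n = 0;
    while (q_head != q_tail) {
        rec_t *r = &queue[q_head % QUEUE_SLOTS];
        if (n + 16 + r->incl_len > cap) break;       /* rest stays queued for next pass */
        uint8_t *p = put32(out + n, r->sec);
        p = put32(p, r->usec); p = put32(p, r->incl_len); p = put32(p, r->orig_len);
        memcpy(p, r->data, r->incl_len); n += 16 + r->incl_len;
        free(r->data); r->data = NULL; q_head++;
    }
    return n;                                        /* bytes ready for ZwWriteFile */
}
```

<DIV><FONT face=Calibri>Dropping on a full ring rather than blocking is what keeps the receive path free of anything that might wait; the worker can later flush as much as the output buffer allows and pick up the rest on the next pass.</FONT></DIV>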
<DIV style="FONT: 10pt Tahoma">
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><B>From:</B> <A title=ictsecurity0@gmail.com
href="mailto:ictsecurity0@gmail.com">ictsecurity ictsecurity</A> </DIV>
<DIV><B>Sent:</B> Tuesday, June 22, 2010 1:59 AM</DIV>
<DIV><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A> </DIV>
<DIV><B>Subject:</B> [Winpcap-users] Direct Dump the packets from the
driver</DIV></DIV></DIV>
<DIV><BR></DIV>
<DIV>Hi, all</DIV>
<DIV> </DIV>
<DIV>I modified the passthru driver (NDIS Intermediate Driver) from the example
in WinDDK. I succeeded in directly intercepting and dumping all the network
traffic packets (hexadecimal format) into c:\xxxx.dat format. My question
is:</DIV>
<DIV> </DIV>
<DIV>1. Is it possible to dump directly from the NDIS intermediate driver into
pcap format? For example, c:\xxx.pcap, without sending all the traffic to ring3
for processing.</DIV>
<DIV>2. If yes, is there any code / docs I can refer to?</DIV>
<DIV> </DIV>
<DIV>Thanks,</DIV>
<DIV> </DIV>
<DIV>from ictsecurity0</DIV>
<HR>
<DIV>_______________________________________________<BR>Winpcap-users mailing
list<BR>Winpcap-users@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-users</DIV></BODY></HTML>