NPF functions
[NPF driver internals manual]


Functions

NTSTATUS DriverEntry (IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
 The initialization routine of the driver.
PWCHAR getAdaptersList (VOID)
 Returns the list of the MACs available on the system.
PKEY_VALUE_PARTIAL_INFORMATION getTcpBindings (VOID)
 Returns the MACs that bind to TCP/IP.
BOOLEAN NPF_CreateDevice (IN OUT PDRIVER_OBJECT adriverObjectP, IN PUNICODE_STRING amacNameP)
 Creates a device for a given MAC.
NTSTATUS NPF_Open (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 Opens a new instance of the driver.
VOID NPF_OpenAdapterComplete (IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_STATUS Status, IN NDIS_STATUS OpenErrorStatus)
 Ends the opening of an adapter.
NTSTATUS NPF_Cleanup (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 Closes an instance of the driver.
NTSTATUS NPF_Close (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
VOID NPF_CloseAdapterComplete (IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_STATUS Status)
 Ends the closing of an adapter.
NDIS_STATUS NPF_tap (IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_HANDLE MacReceiveContext, IN PVOID HeaderBuffer, IN UINT HeaderBufferSize, IN PVOID LookAheadBuffer, IN UINT LookaheadBufferSize, IN UINT PacketSize)
 Callback invoked by NDIS when a packet arrives from the network.
VOID NPF_TransferDataComplete (IN NDIS_HANDLE ProtocolBindingContext, IN PNDIS_PACKET Packet, IN NDIS_STATUS Status, IN UINT BytesTransferred)
 Ends the transfer of a packet.
VOID NPF_ReceiveComplete (IN NDIS_HANDLE ProtocolBindingContext)
 Callback function that signals the end of a packet reception.
NTSTATUS NPF_IoControl (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 Handles the IOCTL calls.
VOID NPF_RequestComplete (IN NDIS_HANDLE ProtocolBindingContext, IN PNDIS_REQUEST pRequest, IN NDIS_STATUS Status)
 Ends an OID request.
NTSTATUS NPF_Write (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 Writes a raw packet to the network.
INT NPF_BufferedWrite (IN PIRP Irp, IN PCHAR UserBuff, IN ULONG UserBuffSize, BOOLEAN sync)
 Writes a buffer of raw packets to the network.
VOID NPF_WaitEndOfBufferedWrite (POPEN_INSTANCE Open)
 Waits the completion of all the sends performed by NPF_BufferedWrite.
VOID NPF_SendComplete (IN NDIS_HANDLE ProtocolBindingContext, IN PNDIS_PACKET pPacket, IN NDIS_STATUS Status)
 Ends a send operation.
VOID NPF_ResetComplete (IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_STATUS Status)
 Ends a reset of the adapter.
VOID NPF_Status (IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_STATUS Status, IN PVOID StatusBuffer, IN UINT StatusBufferSize)
 Callback for NDIS StatusHandler. Not used by NPF.
VOID NPF_StatusComplete (IN NDIS_HANDLE ProtocolBindingContext)
 Callback for NDIS StatusCompleteHandler. Not used by NPF.
VOID NPF_Unload (IN PDRIVER_OBJECT DriverObject)
 Function called by the OS when NPF is unloaded.
NTSTATUS NPF_Read (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 Function that serves the user's reads.
NTSTATUS NPF_ReadRegistry (IN PWSTR *MacDriverName, IN PWSTR *PacketDriverName, IN PUNICODE_STRING RegistryPath)
 Reads the registry keys associated woth NPF if the driver is manually installed via the control panel.
NTSTATUS NPF_QueryRegistryRoutine (IN PWSTR ValueName, IN ULONG ValueType, IN PVOID ValueData, IN ULONG ValueLength, IN PVOID Context, IN PVOID EntryContext)
 Function used by NPF_ReadRegistry() to quesry the registry keys associated woth NPF if the driver is manually installed via the control panel.
VOID NPF_BindAdapter (OUT PNDIS_STATUS Status, IN NDIS_HANDLE BindContext, IN PNDIS_STRING DeviceName, IN PVOID SystemSpecific1, IN PVOID SystemSpecific2)
 Callback for NDIS BindAdapterHandler. Not used by NPF.
VOID NPF_UnbindAdapter (OUT PNDIS_STATUS Status, IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_HANDLE UnbindContext)
 Callback for NDIS UnbindAdapterHandler.
NTSTATUS NPF_OpenDumpFile (POPEN_INSTANCE Open, PUNICODE_STRING fileName, BOOLEAN append)
 Creates the file that will receive the packets when the driver is in dump mode.
NTSTATUS NPF_StartDump (POPEN_INSTANCE Open)
 Starts dump to file.
VOID NPF_DumpThread (PVOID Open)
 The dump thread.
NTSTATUS NPF_SaveCurrentBuffer (POPEN_INSTANCE Open)
 Saves the content of the packet buffer to the file associated with current instance.
VOID NPF_WriteDumpFile (PFILE_OBJECT FileObject, PLARGE_INTEGER Offset, ULONG Length, PMDL Mdl, PIO_STATUS_BLOCK IoStatusBlock)
 Writes a block of packets on the dump file.
NTSTATUS NPF_CloseDumpFile (POPEN_INSTANCE Open)
 Closes the dump file associated with an instance of the driver.
VOID NPF_CloseOpenInstance (POPEN_INSTANCE pOpen)
BOOLEAN NPF_StartUsingBinding (IN POPEN_INSTANCE pOpen)
VOID NPF_StopUsingBinding (IN POPEN_INSTANCE pOpen)
VOID NPF_CloseBinding (IN POPEN_INSTANCE pOpen)
NTSTATUS NPF_GetDeviceMTU (IN POPEN_INSTANCE pOpen, IN PIRP pIrp, OUT PUINT pMtu)
UINT GetBuffOccupation (POPEN_INSTANCE Open)
 Returns the amount of bytes present in the packet buffer.
JIT_BPF_FilterBPF_jitter (struct bpf_insn *fp, INT nins)
 BPF jitter, builds an x86 function from a BPF program.
BPF_filter_function BPFtoX86 (struct bpf_insn *ins, UINT nins, INT *mem)
 Translates a set of BPF instructions in a set of x86 ones.
void BPF_Destroy_JIT_Filter (JIT_BPF_Filter *Filter)
 Deletes a filtering function that was previously created by BPF_jitter().

Function Documentation

void BPF_Destroy_JIT_Filter ( JIT_BPF_Filter Filter  ) 

Deletes a filtering function that was previously created by BPF_jitter().

Parameters:
Filter The filter to destroy.
This function frees the variuos buffers (code, memory, etc.) associated with a filtering function.

JIT_BPF_Filter* BPF_jitter ( struct bpf_insn *  fp,
INT  nins 
)

BPF jitter, builds an x86 function from a BPF program.

Parameters:
fp The BPF pseudo-assembly filter that will be translated into x86 code.
nins Number of instructions of the input filter.
Returns:
The JIT_BPF_Filter structure containing the x86 filtering binary.
BPF_jitter allocates the buffers for the new native filter and then translates the program pointed by fp calling BPFtoX86().

BPF_filter_function BPFtoX86 ( struct bpf_insn *  ins,
UINT  nins,
INT *  mem 
)

Translates a set of BPF instructions in a set of x86 ones.

Parameters:
ins Pointer to the BPF instructions that will be translated into x86 code.
nins Number of instructions to translate.
mem Memory used by the x86 function to emulate the RAM of the BPF pseudo processor.
Returns:
The x86 filtering function.
This function does the hard work for the JIT compilation. It takes a group of BPF pseudo instructions and through the instruction macros defined in jitter.h it is able to create an function directly executable by NPF.

NTSTATUS DriverEntry ( IN PDRIVER_OBJECT  DriverObject,
IN PUNICODE_STRING  RegistryPath 
)

The initialization routine of the driver.

Parameters:
DriverObject The driver object of NPF created by the system.
RegistryPath The registry path containing the keys related to the driver.
Returns:
A string containing a list of network adapters.
DriverEntry is a mandatory function in a device driver. Like the main() of a user level program, it is called by the system when the driver is loaded in memory and started. Its purpose is to initialize the driver, performing all the allocations and the setup. In particular, DriverEntry registers all the driver's I/O callbacks, creates the devices, defines NPF as a protocol inside NDIS.

PWCHAR getAdaptersList ( VOID   ) 

Returns the list of the MACs available on the system.

Returns:
A string containing a list of network adapters.
The list of adapters is retrieved from the SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318} registry key. NPF tries to create its bindings from this list. In this way it is possible to be loaded and unloaded dynamically without passing from the control panel.

UINT GetBuffOccupation ( POPEN_INSTANCE  Open  ) 

Returns the amount of bytes present in the packet buffer.

Parameters:
Open The NPF instance that closes the file.

PKEY_VALUE_PARTIAL_INFORMATION getTcpBindings ( VOID   ) 

Returns the MACs that bind to TCP/IP.

Returns:
Pointer to the registry key containing the list of adapters on which TCP/IP is bound.
If getAdaptersList() fails, NPF tries to obtain the TCP/IP bindings through this function.

VOID NPF_BindAdapter ( OUT PNDIS_STATUS  Status,
IN NDIS_HANDLE  BindContext,
IN PNDIS_STRING  DeviceName,
IN PVOID  SystemSpecific1,
IN PVOID  SystemSpecific2 
)

Callback for NDIS BindAdapterHandler. Not used by NPF.

Function called by NDIS when a new adapter is installed on the machine With Plug and Play.

INT NPF_BufferedWrite ( IN PIRP  Irp,
IN PCHAR  UserBuff,
IN ULONG  UserBuffSize,
BOOLEAN  sync 
)

Writes a buffer of raw packets to the network.

Parameters:
Irp Pointer to the IRP containing the user request.
UserBuff Pointer to the buffer containing the packets to send.
UserBuffSize Size of the buffer with the packets.
sync If set to TRUE, the packets are transmitted respecting their timestamps.
Returns:
The amount of bytes actually sent. If the return value is smaller than the Size parameter, an error occurred during the send. The error can be caused by an adapter problem or by an inconsistent/bogus user buffer.
This function is called by the OS in consequence of a BIOCSENDPACKETSNOSYNC or a BIOCSENDPACKETSSYNC IOCTL. The buffer received as input parameter contains an arbitrary number of packets, each of which preceded by a sf_pkthdr structure. NPF_BufferedWrite() scans the buffer and sends every packet via the NdisSend() function. When Sync is set to TRUE, the packets are synchronized with the KeQueryPerformanceCounter() function. This requires a remarkable amount of CPU, but allows to respect the timestamps associated with packets with a precision of some microseconds (depending on the precision of the performance counter of the machine). If Sync is false, the timestamps are ignored and the packets are sent as fat as possible.

NTSTATUS NPF_Cleanup ( IN PDEVICE_OBJECT  DeviceObject,
IN PIRP  Irp 
)

Closes an instance of the driver.

Parameters:
DeviceObject Pointer to the device object utilized by the user.
Irp Pointer to the IRP containing the user request.
Returns:
The status of the operation. See ntstatus.h in the DDK.
This function is called when a running instance of the driver is closed by the user with a CloseHandle(). It stops the capture/monitoring/dump process, deallocates the memory and the objects associated with the instance and closing the files. The network adapter is then closed with a call to NdisCloseAdapter.

NTSTATUS NPF_Close ( IN PDEVICE_OBJECT  DeviceObject,
IN PIRP  Irp 
)

VOID NPF_CloseAdapterComplete ( IN NDIS_HANDLE  ProtocolBindingContext,
IN NDIS_STATUS  Status 
)

Ends the closing of an adapter.

Parameters:
ProtocolBindingContext Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
Status Status of the close operation performed by NDIS.
Callback function associated with the NdisCloseAdapter() NDIS function. It is invoked by NDIS when the NIC driver has finished a close operation that was previously started by NPF_Close().

VOID NPF_CloseBinding ( IN POPEN_INSTANCE  pOpen  ) 

NTSTATUS NPF_CloseDumpFile ( POPEN_INSTANCE  Open  ) 

Closes the dump file associated with an instance of the driver.

Parameters:
Open The NPF instance that closes the file.
Returns:
The status of the operation. See ntstatus.h in the DDK.

VOID NPF_CloseOpenInstance ( POPEN_INSTANCE  pOpen  ) 

BOOLEAN NPF_CreateDevice ( IN OUT PDRIVER_OBJECT  adriverObjectP,
IN PUNICODE_STRING  amacNameP 
)

Creates a device for a given MAC.

Parameters:
adriverObjectP The driver object that will be associated with the device, i.e. the one of NPF.
amacNameP The name of the network interface that the device will point.
Returns:
If the function succeeds, the return value is nonzero.
NPF creates a device for every valid network adapter. The new device points to the NPF driver, but contains information about the original device. In this way, when the user opens the new device, NPF will be able to determine the correct adapter to use.

VOID NPF_DumpThread ( PVOID  Open  ) 

The dump thread.

Parameters:
Open The NPF instance that creates the thread.
This function moves the content of the NPF kernel buffer to file. It runs in the user context, so at lower priority than the TAP.

NTSTATUS NPF_GetDeviceMTU ( IN POPEN_INSTANCE  pOpen,
IN PIRP  pIrp,
OUT PUINT  pMtu 
)

NTSTATUS NPF_IoControl ( IN PDEVICE_OBJECT  DeviceObject,
IN PIRP  Irp 
)

Handles the IOCTL calls.

Parameters:
DeviceObject Pointer to the device object utilized by the user.
Irp Pointer to the IRP containing the user request.
Returns:
The status of the operation. See ntstatus.h in the DDK.
Once the packet capture driver is opened it can be configured from user-level applications with IOCTL commands using the DeviceIoControl() system call. NPF_IoControl receives and serves all the IOCTL calls directed to NPF. The following commands are recognized:

NTSTATUS NPF_Open ( IN PDEVICE_OBJECT  DeviceObject,
IN PIRP  Irp 
)

Opens a new instance of the driver.

Parameters:
DeviceObject Pointer to the device object utilized by the user.
Irp Pointer to the IRP containing the user request.
Returns:
The status of the operation. See ntstatus.h in the DDK.
This function is called by the OS when a new instance of the driver is opened, i.e. when a user application performs a CreateFile on a device created by NPF. NPF_Open allocates and initializes variables, objects and buffers needed by the new instance, fills the OPEN_INSTANCE structure associated with it and opens the adapter with a call to NdisOpenAdapter.

VOID NPF_OpenAdapterComplete ( IN NDIS_HANDLE  ProtocolBindingContext,
IN NDIS_STATUS  Status,
IN NDIS_STATUS  OpenErrorStatus 
)

Ends the opening of an adapter.

Parameters:
ProtocolBindingContext Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
Status Status of the opening operation performed by NDIS.
OpenErrorStatus not used by NPF.
Callback function associated with the NdisOpenAdapter() NDIS function. It is invoked by NDIS when the NIC driver has finished an open operation that was previously started by NPF_Open().

NTSTATUS NPF_OpenDumpFile ( POPEN_INSTANCE  Open,
PUNICODE_STRING  fileName,
BOOLEAN  append 
)

Creates the file that will receive the packets when the driver is in dump mode.

Parameters:
Open The NPF instance that opens the file.
fileName Pointer to a UNICODE string containing the name of the file.
append Boolean value that specifies if the data must be appended to the file.
Returns:
The status of the operation. See ntstatus.h in the DDK.

NTSTATUS NPF_QueryRegistryRoutine ( IN PWSTR  ValueName,
IN ULONG  ValueType,
IN PVOID  ValueData,
IN ULONG  ValueLength,
IN PVOID  Context,
IN PVOID  EntryContext 
)

Function used by NPF_ReadRegistry() to quesry the registry keys associated woth NPF if the driver is manually installed via the control panel.

Normally not used in recent versions of NPF.

NTSTATUS NPF_Read ( IN PDEVICE_OBJECT  DeviceObject,
IN PIRP  Irp 
)

Function that serves the user's reads.

Parameters:
DeviceObject Pointer to the device used by the user.
Irp Pointer to the IRP containing the user request.
Returns:
The status of the operation. See ntstatus.h in the DDK.
This function is called by the OS in consequence of user ReadFile() call. It moves the data present in the kernel buffer to the user buffer associated with Irp. First of all, NPF_Read checks the amount of data in kernel buffer associated with current NPF instance.
  • If the instance is in capture mode and the buffer contains more than OPEN_INSTANCE::MinToCopy bytes, NPF_Read moves the data in the user buffer and returns immediatly. In this way, the read performed by the user is not blocking.
  • If the buffer contains less than MinToCopy bytes, the application's request isn't satisfied immediately, but it's blocked until at least MinToCopy bytes arrive from the net or the timeout on this read expires. The timeout is kept in the OPEN_INSTANCE::TimeOut field.
  • If the instance is in statistical mode or in dump mode, the application's request is blocked until the timeout kept in OPEN_INSTANCE::TimeOut expires.

NTSTATUS NPF_ReadRegistry ( IN PWSTR *  MacDriverName,
IN PWSTR *  PacketDriverName,
IN PUNICODE_STRING  RegistryPath 
)

Reads the registry keys associated woth NPF if the driver is manually installed via the control panel.

Normally not used in recent versions of NPF.

VOID NPF_ReceiveComplete ( IN NDIS_HANDLE  ProtocolBindingContext  ) 

Callback function that signals the end of a packet reception.

Parameters:
ProtocolBindingContext Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
does nothing in NPF

VOID NPF_RequestComplete ( IN NDIS_HANDLE  ProtocolBindingContext,
IN PNDIS_REQUEST  pRequest,
IN NDIS_STATUS  Status 
)

Ends an OID request.

Parameters:
ProtocolBindingContext Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
pRequest Pointer to the completed OID request.
Status Status of the operation.
Callback function associated with the NdisRequest() NDIS function. It is invoked by NDIS when the NIC driver has finished an OID request operation that was previously started by NPF_IoControl().

VOID NPF_ResetComplete ( IN NDIS_HANDLE  ProtocolBindingContext,
IN NDIS_STATUS  Status 
)

Ends a reset of the adapter.

Parameters:
ProtocolBindingContext Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
Status Status of the operation.
Callback function associated with the NdisReset() NDIS function. It is invoked by NDIS when the NIC driver has finished an OID request operation that was previously started by NPF_IoControl(), in an IOCTL_PROTOCOL_RESET command.

NTSTATUS NPF_SaveCurrentBuffer ( POPEN_INSTANCE  Open  ) 

Saves the content of the packet buffer to the file associated with current instance.

Parameters:
Open The NPF instance that creates the thread.
Used by NPF_DumpThread() and NPF_CloseDumpFile().

VOID NPF_SendComplete ( IN NDIS_HANDLE  ProtocolBindingContext,
IN PNDIS_PACKET  pPacket,
IN NDIS_STATUS  Status 
)

Ends a send operation.

Parameters:
ProtocolBindingContext Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
pPacket Pointer to the NDIS PACKET structure used by NPF_Write() to send the packet.
Status Status of the operation.
Callback function associated with the NdisSend() NDIS function. It is invoked by NDIS when the NIC driver has finished an OID request operation that was previously started by NPF_Write().

NTSTATUS NPF_StartDump ( POPEN_INSTANCE  Open  ) 

Starts dump to file.

Parameters:
Open The NPF instance that opens the file.
Returns:
The status of the operation. See ntstatus.h in the DDK.
This function performs two operations. First, it writes the libpcap header at the beginning of the file. Second, it starts the thread that asynchronously dumps the network data to the file.

BOOLEAN NPF_StartUsingBinding ( IN POPEN_INSTANCE  pOpen  ) 

VOID NPF_Status ( IN NDIS_HANDLE  ProtocolBindingContext,
IN NDIS_STATUS  Status,
IN PVOID  StatusBuffer,
IN UINT  StatusBufferSize 
)

Callback for NDIS StatusHandler. Not used by NPF.

VOID NPF_StatusComplete ( IN NDIS_HANDLE  ProtocolBindingContext  ) 

Callback for NDIS StatusCompleteHandler. Not used by NPF.

VOID NPF_StopUsingBinding ( IN POPEN_INSTANCE  pOpen  ) 

NDIS_STATUS NPF_tap ( IN NDIS_HANDLE  ProtocolBindingContext,
IN NDIS_HANDLE  MacReceiveContext,
IN PVOID  HeaderBuffer,
IN UINT  HeaderBufferSize,
IN PVOID  LookAheadBuffer,
IN UINT  LookaheadBufferSize,
IN UINT  PacketSize 
)

Callback invoked by NDIS when a packet arrives from the network.

Parameters:
ProtocolBindingContext Context of the function. Points to a OPEN_INSTANCE structure that identifies the NPF instance to which the packets are destined.
MacReceiveContext Handle that identifies the underlying NIC driver that generated the request. This value must be used when the packet is transferred from the NIC driver with NdisTransferData().
HeaderBuffer Pointer to the buffer in the NIC driver memory that contains the header of the packet.
HeaderBufferSize Size in bytes of the header.
LookAheadBuffer Pointer to the buffer in the NIC driver's memory that contains the incoming packet's data available to NPF. This value does not necessarily coincide with the actual size of the packet, since only a portion can be available at this time. The remaining portion can be obtained with the NdisTransferData() NDIS function.
LookaheadBufferSize Size in bytes of the lookahead buffer.
PacketSize Total size of the incoming packet, excluded the header.
Returns:
The status of the operation. See ntstatus.h in the DDK.
NPF_tap() is called by the underlying NIC for every incoming packet. It is the most important and one of the most complex functions of NPF: it executes the filter, runs the statistical engine (if the instance is in statistical mode), gathers the timestamp, moves the packet in the buffer. NPF_tap() is the only function, along with the filtering ones, that is executed for every incoming packet, therefore it is carefully optimized.

VOID NPF_TransferDataComplete ( IN NDIS_HANDLE  ProtocolBindingContext,
IN PNDIS_PACKET  Packet,
IN NDIS_STATUS  Status,
IN UINT  BytesTransferred 
)

Ends the transfer of a packet.

Parameters:
ProtocolBindingContext Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
Packet Pointer to the NDIS_PACKET structure that received the packet data.
Status Status of the transfer operation.
BytesTransferred Amount of bytes transferred.
Callback function associated with the NdisTransferData() NDIS function. It is invoked by NDIS when the NIC driver has finished the transfer of a packet from the NIC driver memory to the NPF circular buffer.

VOID NPF_UnbindAdapter ( OUT PNDIS_STATUS  Status,
IN NDIS_HANDLE  ProtocolBindingContext,
IN NDIS_HANDLE  UnbindContext 
)

Callback for NDIS UnbindAdapterHandler.

Parameters:
Status out variable filled by NPF_UnbindAdapter with the status of the unbind operation.
ProtocolBindingContext Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with current instance.
UnbindContext Specifies a handle, supplied by NDIS, that NPF can use to complete the opration.
Function called by NDIS when a new adapter is removed from the machine without shutting it down. NPF_UnbindAdapter closes the adapter calling NdisCloseAdapter() and frees the memory and the structures associated with it. It also releases the waiting user-level app and closes the dump thread if the instance is in dump mode.

VOID NPF_Unload ( IN PDRIVER_OBJECT  DriverObject  ) 

Function called by the OS when NPF is unloaded.

Parameters:
DriverObject The driver object of NPF created by the system.
This is the last function executed when the driver is unloaded from the system. It frees global resources, delete the devices and deregisters the protocol. The driver can be unloaded by the user stopping the NPF service (from control panel or with a console 'net stop npf').

VOID NPF_WaitEndOfBufferedWrite ( POPEN_INSTANCE  Open  ) 

Waits the completion of all the sends performed by NPF_BufferedWrite.

Parameters:
Open Pointer to open context structure
Used by NPF_BufferedWrite to wait the completion of all the sends before returning the control to the user.

NTSTATUS NPF_Write ( IN PDEVICE_OBJECT  DeviceObject,
IN PIRP  Irp 
)

Writes a raw packet to the network.

Parameters:
DeviceObject Pointer to the device object on which the user wrote the packet.
Irp Pointer to the IRP containing the user request.
Returns:
The status of the operation. See ntstatus.h in the DDK.
This function is called by the OS in consequence of user WriteFile() call, with the data of the packet that must be sent on the net. The data is contained in the buffer associated with Irp, NPF_Write takes it and delivers it to the NIC driver via the NdisSend() function. The Nwrites field of the OPEN_INSTANCE structure associated with Irp indicates the number of copies of the packet that will be sent: more than one copy of the packet can be sent for performance reasons.

VOID NPF_WriteDumpFile ( PFILE_OBJECT  FileObject,
PLARGE_INTEGER  Offset,
ULONG  Length,
PMDL  Mdl,
PIO_STATUS_BLOCK  IoStatusBlock 
)

Writes a block of packets on the dump file.

Parameters:
FileObject The file object that will receive the packets.
Offset The offset in the file where the packets will be put.
Length The amount of bytes to write.
Mdl MDL mapping the memory buffer that will be written to disk.
IoStatusBlock Used by the function to return the status of the operation.
Returns:
The status of the operation. See ntstatus.h in the DDK.
NPF_WriteDumpFile addresses directly the file system, creating a custom IRP and using it to send a portion of the NPF circular buffer to disk. This function is used by NPF_DumpThread().


documentation. Copyright (c) 2002-2005 Politecnico di Torino. Copyright (c) 2005-2009 CACE Technologies. All rights reserved.