NPF functions
[NPF driver internals manual]

Functions
NTSTATUS	DriverEntry (IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
	The initialization routine of the driver.
PWCHAR	getAdaptersList (VOID)
	Returns the list of the MACs available on the system.
PKEY_VALUE_PARTIAL_INFORMATION	getTcpBindings (VOID)
	Returns the MACs that bind to TCP/IP.
BOOLEAN	NPF_CreateDevice (IN OUT PDRIVER_OBJECT adriverObjectP, IN PUNICODE_STRING amacNameP)
	Creates a device for a given MAC.
NTSTATUS	NPF_Open (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
	Opens a new instance of the driver.
VOID	NPF_OpenAdapterComplete (IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_STATUS Status, IN NDIS_STATUS OpenErrorStatus)
	Ends the opening of an adapter.
NTSTATUS	NPF_Cleanup (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
	Closes an instance of the driver.
NTSTATUS	NPF_Close (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
VOID	NPF_CloseAdapterComplete (IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_STATUS Status)
	Ends the closing of an adapter.
NDIS_STATUS	NPF_tap (IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_HANDLE MacReceiveContext, IN PVOID HeaderBuffer, IN UINT HeaderBufferSize, IN PVOID LookAheadBuffer, IN UINT LookaheadBufferSize, IN UINT PacketSize)
	Callback invoked by NDIS when a packet arrives from the network.
VOID	NPF_TransferDataComplete (IN NDIS_HANDLE ProtocolBindingContext, IN PNDIS_PACKET Packet, IN NDIS_STATUS Status, IN UINT BytesTransferred)
	Ends the transfer of a packet.
VOID	NPF_ReceiveComplete (IN NDIS_HANDLE ProtocolBindingContext)
	Callback function that signals the end of a packet reception.
NTSTATUS	NPF_IoControl (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
	Handles the IOCTL calls.
VOID	NPF_RequestComplete (IN NDIS_HANDLE ProtocolBindingContext, IN PNDIS_REQUEST pRequest, IN NDIS_STATUS Status)
	Ends an OID request.
NTSTATUS	NPF_Write (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
	Writes a raw packet to the network.
INT	NPF_BufferedWrite (IN PIRP Irp, IN PCHAR UserBuff, IN ULONG UserBuffSize, BOOLEAN sync)
	Writes a buffer of raw packets to the network.
VOID	NPF_WaitEndOfBufferedWrite (POPEN_INSTANCE Open)
	Waits the completion of all the sends performed by NPF_BufferedWrite.
VOID	NPF_SendComplete (IN NDIS_HANDLE ProtocolBindingContext, IN PNDIS_PACKET pPacket, IN NDIS_STATUS Status)
	Ends a send operation.
VOID	NPF_ResetComplete (IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_STATUS Status)
	Ends a reset of the adapter.
VOID	NPF_Status (IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_STATUS Status, IN PVOID StatusBuffer, IN UINT StatusBufferSize)
	Callback for NDIS StatusHandler. Not used by NPF.
VOID	NPF_StatusComplete (IN NDIS_HANDLE ProtocolBindingContext)
	Callback for NDIS StatusCompleteHandler. Not used by NPF.
VOID	NPF_Unload (IN PDRIVER_OBJECT DriverObject)
	Function called by the OS when NPF is unloaded.
NTSTATUS	NPF_Read (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
	Function that serves the user's reads.
NTSTATUS	NPF_ReadRegistry (IN PWSTR *MacDriverName, IN PWSTR *PacketDriverName, IN PUNICODE_STRING RegistryPath)
	Reads the registry keys associated woth NPF if the driver is manually installed via the control panel.
NTSTATUS	NPF_QueryRegistryRoutine (IN PWSTR ValueName, IN ULONG ValueType, IN PVOID ValueData, IN ULONG ValueLength, IN PVOID Context, IN PVOID EntryContext)
	Function used by NPF_ReadRegistry() to quesry the registry keys associated woth NPF if the driver is manually installed via the control panel.
VOID	NPF_BindAdapter (OUT PNDIS_STATUS Status, IN NDIS_HANDLE BindContext, IN PNDIS_STRING DeviceName, IN PVOID SystemSpecific1, IN PVOID SystemSpecific2)
	Callback for NDIS BindAdapterHandler. Not used by NPF.
VOID	NPF_UnbindAdapter (OUT PNDIS_STATUS Status, IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_HANDLE UnbindContext)
	Callback for NDIS UnbindAdapterHandler.
NTSTATUS	NPF_OpenDumpFile (POPEN_INSTANCE Open, PUNICODE_STRING fileName, BOOLEAN append)
	Creates the file that will receive the packets when the driver is in dump mode.
NTSTATUS	NPF_StartDump (POPEN_INSTANCE Open)
	Starts dump to file.
VOID	NPF_DumpThread (PVOID Open)
	The dump thread.
NTSTATUS	NPF_SaveCurrentBuffer (POPEN_INSTANCE Open)
	Saves the content of the packet buffer to the file associated with current instance.
VOID	NPF_WriteDumpFile (PFILE_OBJECT FileObject, PLARGE_INTEGER Offset, ULONG Length, PMDL Mdl, PIO_STATUS_BLOCK IoStatusBlock)
	Writes a block of packets on the dump file.
NTSTATUS	NPF_CloseDumpFile (POPEN_INSTANCE Open)
	Closes the dump file associated with an instance of the driver.
BOOLEAN	NPF_StartUsingBinding (IN POPEN_INSTANCE pOpen)
VOID	NPF_StopUsingBinding (IN POPEN_INSTANCE pOpen)
VOID	NPF_CloseBinding (IN POPEN_INSTANCE pOpen)
BOOLEAN	NPF_StartUsingOpenInstance (IN POPEN_INSTANCE pOpen)
VOID	NPF_StopUsingOpenInstance (IN POPEN_INSTANCE pOpen)
VOID	NPF_CloseOpenInstance (IN POPEN_INSTANCE pOpen)
NTSTATUS	NPF_GetDeviceMTU (IN POPEN_INSTANCE pOpen, IN PIRP pIrp, OUT PUINT pMtu)
UINT	GetBuffOccupation (POPEN_INSTANCE Open)
	Returns the amount of bytes present in the packet buffer.
JIT_BPF_Filter *	BPF_jitter (struct bpf_insn *fp, INT nins)
	BPF jitter, builds an x86 function from a BPF program.
BPF_filter_function	BPFtoX86 (struct bpf_insn *ins, UINT nins, INT *mem)
	Translates a set of BPF instructions in a set of x86 ones.
void	BPF_Destroy_JIT_Filter (JIT_BPF_Filter *Filter)
	Deletes a filtering function that was previously created by BPF_jitter().

---

Function Documentation

void BPF_Destroy_JIT_Filter

(

JIT_BPF_Filter *

Filter

)

Deletes a filtering function that was previously created by BPF_jitter().

Parameters:

Filter

The filter to destroy.

This function frees the variuos buffers (code, memory, etc.) associated with a filtering function.

JIT_BPF_Filter* BPF_jitter	(	struct bpf_insn *	fp,
		INT	nins
	)

BPF jitter, builds an x86 function from a BPF program.

Parameters:

	fp	The BPF pseudo-assembly filter that will be translated into x86 code.
	nins	Number of instructions of the input filter.

Returns:

The JIT_BPF_Filter structure containing the x86 filtering binary.

BPF_jitter allocates the buffers for the new native filter and then translates the program pointed by fp calling BPFtoX86().

BPF_filter_function BPFtoX86	(	struct bpf_insn *	ins,
		UINT	nins,
		INT *	mem
	)

Translates a set of BPF instructions in a set of x86 ones.

Parameters:

	ins	Pointer to the BPF instructions that will be translated into x86 code.
	nins	Number of instructions to translate.
	mem	Memory used by the x86 function to emulate the RAM of the BPF pseudo processor.

Returns:

The x86 filtering function.

This function does the hard work for the JIT compilation. It takes a group of BPF pseudo instructions and through the instruction macros defined in jitter.h it is able to create an function directly executable by NPF.

NTSTATUS DriverEntry	(	IN PDRIVER_OBJECT	DriverObject,
		IN PUNICODE_STRING	RegistryPath
	)

The initialization routine of the driver.

Parameters:

	DriverObject	The driver object of NPF created by the system.
	RegistryPath	The registry path containing the keys related to the driver.

Returns:

A string containing a list of network adapters.

DriverEntry is a mandatory function in a device driver. Like the main() of a user level program, it is called by the system when the driver is loaded in memory and started. Its purpose is to initialize the driver, performing all the allocations and the setup. In particular, DriverEntry registers all the driver's I/O callbacks, creates the devices, defines NPF as a protocol inside NDIS.

PWCHAR getAdaptersList

(

VOID

)

Returns the list of the MACs available on the system.

Returns:

A string containing a list of network adapters.

The list of adapters is retrieved from the SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318} registry key. NPF tries to create its bindings from this list. In this way it is possible to be loaded and unloaded dynamically without passing from the control panel.

UINT GetBuffOccupation

(

POPEN_INSTANCE

Open

)

Returns the amount of bytes present in the packet buffer.

Parameters:

Open

The NPF instance that closes the file.

PKEY_VALUE_PARTIAL_INFORMATION getTcpBindings

(

VOID

)

Returns the MACs that bind to TCP/IP.

Returns:

Pointer to the registry key containing the list of adapters on which TCP/IP is bound.

If getAdaptersList() fails, NPF tries to obtain the TCP/IP bindings through this function.

VOID NPF_BindAdapter	(	OUT PNDIS_STATUS	Status,
		IN NDIS_HANDLE	BindContext,
		IN PNDIS_STRING	DeviceName,
		IN PVOID	SystemSpecific1,
		IN PVOID	SystemSpecific2
	)

Callback for NDIS BindAdapterHandler. Not used by NPF.

Function called by NDIS when a new adapter is installed on the machine With Plug and Play.

INT NPF_BufferedWrite	(	IN PIRP	Irp,
		IN PCHAR	UserBuff,
		IN ULONG	UserBuffSize,
		BOOLEAN	sync
	)

Writes a buffer of raw packets to the network.

Parameters:

	Irp	Pointer to the IRP containing the user request.
	UserBuff	Pointer to the buffer containing the packets to send.
	UserBuffSize	Size of the buffer with the packets.
	sync	If set to TRUE, the packets are transmitted respecting their timestamps.

Returns:

The amount of bytes actually sent. If the return value is smaller than the Size parameter, an error occurred during the send. The error can be caused by an adapter problem or by an inconsistent/bogus user buffer.

This function is called by the OS in consequence of a BIOCSENDPACKETSNOSYNC or a BIOCSENDPACKETSSYNC IOCTL. The buffer received as input parameter contains an arbitrary number of packets, each of which preceded by a sf_pkthdr structure. NPF_BufferedWrite() scans the buffer and sends every packet via the NdisSend() function. When Sync is set to TRUE, the packets are synchronized with the KeQueryPerformanceCounter() function. This requires a remarkable amount of CPU, but allows to respect the timestamps associated with packets with a precision of some microseconds (depending on the precision of the performance counter of the machine). If Sync is false, the timestamps are ignored and the packets are sent as fat as possible.

NTSTATUS NPF_Cleanup	(	IN PDEVICE_OBJECT	DeviceObject,
		IN PIRP	Irp
	)

Closes an instance of the driver.

Parameters:

	DeviceObject	Pointer to the device object utilized by the user.
	Irp	Pointer to the IRP containing the user request.

Returns:

The status of the operation. See ntstatus.h in the DDK.

This function is called when a running instance of the driver is closed by the user with a CloseHandle(). It stops the capture/monitoring/dump process, deallocates the memory and the objects associated with the instance and closing the files. The network adapter is then closed with a call to NdisCloseAdapter.

NTSTATUS NPF_Close	(	IN PDEVICE_OBJECT	DeviceObject,
		IN PIRP	Irp
	)

VOID NPF_CloseAdapterComplete	(	IN NDIS_HANDLE	ProtocolBindingContext,
		IN NDIS_STATUS	Status
	)

Ends the closing of an adapter.

Parameters:

	ProtocolBindingContext	Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
	Status	Status of the close operation performed by NDIS.

Callback function associated with the NdisCloseAdapter() NDIS function. It is invoked by NDIS when the NIC driver has finished a close operation that was previously started by NPF_Close().

VOID NPF_CloseBinding

(

IN POPEN_INSTANCE

pOpen

)

NTSTATUS NPF_CloseDumpFile

(

POPEN_INSTANCE

Open

)

Closes the dump file associated with an instance of the driver.

Parameters:

Open

The NPF instance that closes the file.

Returns:

The status of the operation. See ntstatus.h in the DDK.

VOID NPF_CloseOpenInstance

(

IN POPEN_INSTANCE

pOpen

)

BOOLEAN NPF_CreateDevice	(	IN OUT PDRIVER_OBJECT	adriverObjectP,
		IN PUNICODE_STRING	amacNameP
	)

Creates a device for a given MAC.

Parameters:

	adriverObjectP	The driver object that will be associated with the device, i.e. the one of NPF.
	amacNameP	The name of the network interface that the device will point.

Returns:

If the function succeeds, the return value is nonzero.

NPF creates a device for every valid network adapter. The new device points to the NPF driver, but contains information about the original device. In this way, when the user opens the new device, NPF will be able to determine the correct adapter to use.

VOID NPF_DumpThread

(

PVOID

Open

)

The dump thread.

Parameters:

Open

The NPF instance that creates the thread.

This function moves the content of the NPF kernel buffer to file. It runs in the user context, so at lower priority than the TAP.

NTSTATUS NPF_GetDeviceMTU	(	IN POPEN_INSTANCE	pOpen,
		IN PIRP	pIrp,
		OUT PUINT	pMtu
	)

NTSTATUS NPF_IoControl	(	IN PDEVICE_OBJECT	DeviceObject,
		IN PIRP	Irp
	)

Handles the IOCTL calls.

Parameters:

	DeviceObject	Pointer to the device object utilized by the user.
	Irp	Pointer to the IRP containing the user request.

Returns:

The status of the operation. See ntstatus.h in the DDK.

Once the packet capture driver is opened it can be configured from user-level applications with IOCTL commands using the DeviceIoControl() system call. NPF_IoControl receives and serves all the IOCTL calls directed to NPF. The following commands are recognized:

• BIOCSETBUFFERSIZE
• BIOCSETF
• BIOCGSTATS
• BIOCSRTIMEOUT
• BIOCSMODE
• BIOCSWRITEREP
• BIOCSMINTOCOPY
• BIOCSETOID
• BIOCQUERYOID
• BIOCSETDUMPFILENAME
• BIOCGEVNAME
• BIOCSENDPACKETSSYNC
• BIOCSENDPACKETSNOSYNC

NTSTATUS NPF_Open	(	IN PDEVICE_OBJECT	DeviceObject,
		IN PIRP	Irp
	)

Opens a new instance of the driver.

Parameters:

	DeviceObject	Pointer to the device object utilized by the user.
	Irp	Pointer to the IRP containing the user request.

Returns:

The status of the operation. See ntstatus.h in the DDK.

This function is called by the OS when a new instance of the driver is opened, i.e. when a user application performs a CreateFile on a device created by NPF. NPF_Open allocates and initializes variables, objects and buffers needed by the new instance, fills the OPEN_INSTANCE structure associated with it and opens the adapter with a call to NdisOpenAdapter.

VOID NPF_OpenAdapterComplete	(	IN NDIS_HANDLE	ProtocolBindingContext,
		IN NDIS_STATUS	Status,
		IN NDIS_STATUS	OpenErrorStatus
	)

Ends the opening of an adapter.

Parameters:

	ProtocolBindingContext	Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
	Status	Status of the opening operation performed by NDIS.
	OpenErrorStatus	not used by NPF.

Callback function associated with the NdisOpenAdapter() NDIS function. It is invoked by NDIS when the NIC driver has finished an open operation that was previously started by NPF_Open().

NTSTATUS NPF_OpenDumpFile	(	POPEN_INSTANCE	Open,
		PUNICODE_STRING	fileName,
		BOOLEAN	append
	)

Creates the file that will receive the packets when the driver is in dump mode.

Parameters:

	Open	The NPF instance that opens the file.
	fileName	Pointer to a UNICODE string containing the name of the file.
	append	Boolean value that specifies if the data must be appended to the file.

Returns:

The status of the operation. See ntstatus.h in the DDK.

NTSTATUS NPF_QueryRegistryRoutine	(	IN PWSTR	ValueName,
		IN ULONG	ValueType,
		IN PVOID	ValueData,
		IN ULONG	ValueLength,
		IN PVOID	Context,
		IN PVOID	EntryContext
	)

Function used by NPF_ReadRegistry() to quesry the registry keys associated woth NPF if the driver is manually installed via the control panel.

Normally not used in recent versions of NPF.

NTSTATUS NPF_Read	(	IN PDEVICE_OBJECT	DeviceObject,
		IN PIRP	Irp
	)

Function that serves the user's reads.

Parameters:

	DeviceObject	Pointer to the device used by the user.
	Irp	Pointer to the IRP containing the user request.

Returns:

The status of the operation. See ntstatus.h in the DDK.

This function is called by the OS in consequence of user ReadFile() call. It moves the data present in the kernel buffer to the user buffer associated with Irp. First of all, NPF_Read checks the amount of data in kernel buffer associated with current NPF instance.

• If the instance is in capture mode and the buffer contains more than OPEN_INSTANCE::MinToCopy bytes, NPF_Read moves the data in the user buffer and returns immediatly. In this way, the read performed by the user is not blocking.
• If the buffer contains less than MinToCopy bytes, the application's request isn't satisfied immediately, but it's blocked until at least MinToCopy bytes arrive from the net or the timeout on this read expires. The timeout is kept in the OPEN_INSTANCE::TimeOut field.
• If the instance is in statistical mode or in dump mode, the application's request is blocked until the timeout kept in OPEN_INSTANCE::TimeOut expires.

NTSTATUS NPF_ReadRegistry	(	IN PWSTR *	MacDriverName,
		IN PWSTR *	PacketDriverName,
		IN PUNICODE_STRING	RegistryPath
	)

Reads the registry keys associated woth NPF if the driver is manually installed via the control panel.

Normally not used in recent versions of NPF.

VOID NPF_ReceiveComplete

(

IN NDIS_HANDLE

ProtocolBindingContext

)

Callback function that signals the end of a packet reception.

Parameters:

ProtocolBindingContext

Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.

does nothing in NPF

VOID NPF_RequestComplete	(	IN NDIS_HANDLE	ProtocolBindingContext,
		IN PNDIS_REQUEST	pRequest,
		IN NDIS_STATUS	Status
	)

Ends an OID request.

Parameters:

	ProtocolBindingContext	Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
	pRequest	Pointer to the completed OID request.
	Status	Status of the operation.

Callback function associated with the NdisRequest() NDIS function. It is invoked by NDIS when the NIC driver has finished an OID request operation that was previously started by NPF_IoControl().

VOID NPF_ResetComplete	(	IN NDIS_HANDLE	ProtocolBindingContext,
		IN NDIS_STATUS	Status
	)

Ends a reset of the adapter.

Parameters:

	ProtocolBindingContext	Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
	Status	Status of the operation.

Callback function associated with the NdisReset() NDIS function. It is invoked by NDIS when the NIC driver has finished an OID request operation that was previously started by NPF_IoControl(), in an IOCTL_PROTOCOL_RESET command.

NTSTATUS NPF_SaveCurrentBuffer

(

POPEN_INSTANCE

Open

)

Saves the content of the packet buffer to the file associated with current instance.

Parameters:

Open

The NPF instance that creates the thread.

Used by NPF_DumpThread() and NPF_CloseDumpFile().

VOID NPF_SendComplete	(	IN NDIS_HANDLE	ProtocolBindingContext,
		IN PNDIS_PACKET	pPacket,
		IN NDIS_STATUS	Status
	)

Ends a send operation.

Parameters:

	ProtocolBindingContext	Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
	pPacket	Pointer to the NDIS PACKET structure used by NPF_Write() to send the packet.
	Status	Status of the operation.

Callback function associated with the NdisSend() NDIS function. It is invoked by NDIS when the NIC driver has finished an OID request operation that was previously started by NPF_Write().

NTSTATUS NPF_StartDump

(

POPEN_INSTANCE

Open

)

Starts dump to file.

Parameters:

Open

The NPF instance that opens the file.

Returns:

The status of the operation. See ntstatus.h in the DDK.

This function performs two operations. First, it writes the libpcap header at the beginning of the file. Second, it starts the thread that asynchronously dumps the network data to the file.

BOOLEAN NPF_StartUsingBinding

(

IN POPEN_INSTANCE

pOpen

)

BOOLEAN NPF_StartUsingOpenInstance

(

IN POPEN_INSTANCE

pOpen

)

VOID NPF_Status	(	IN NDIS_HANDLE	ProtocolBindingContext,
		IN NDIS_STATUS	Status,
		IN PVOID	StatusBuffer,
		IN UINT	StatusBufferSize
	)

Callback for NDIS StatusHandler. Not used by NPF.

VOID NPF_StatusComplete

(

IN NDIS_HANDLE

ProtocolBindingContext

)

Callback for NDIS StatusCompleteHandler. Not used by NPF.

VOID NPF_StopUsingBinding

(

IN POPEN_INSTANCE

pOpen

)

VOID NPF_StopUsingOpenInstance

(

IN POPEN_INSTANCE

pOpen

)

NDIS_STATUS NPF_tap	(	IN NDIS_HANDLE	ProtocolBindingContext,
		IN NDIS_HANDLE	MacReceiveContext,
		IN PVOID	HeaderBuffer,
		IN UINT	HeaderBufferSize,
		IN PVOID	LookAheadBuffer,
		IN UINT	LookaheadBufferSize,
		IN UINT	PacketSize
	)

Callback invoked by NDIS when a packet arrives from the network.

Parameters:

	ProtocolBindingContext	Context of the function. Points to a OPEN_INSTANCE structure that identifies the NPF instance to which the packets are destined.
	MacReceiveContext	Handle that identifies the underlying NIC driver that generated the request. This value must be used when the packet is transferred from the NIC driver with NdisTransferData().
	HeaderBuffer	Pointer to the buffer in the NIC driver memory that contains the header of the packet.
	HeaderBufferSize	Size in bytes of the header.
	LookAheadBuffer	Pointer to the buffer in the NIC driver's memory that contains the incoming packet's data available to NPF. This value does not necessarily coincide with the actual size of the packet, since only a portion can be available at this time. The remaining portion can be obtained with the NdisTransferData() NDIS function.
	LookaheadBufferSize	Size in bytes of the lookahead buffer.
	PacketSize	Total size of the incoming packet, excluded the header.

Returns:

The status of the operation. See ntstatus.h in the DDK.

NPF_tap() is called by the underlying NIC for every incoming packet. It is the most important and one of the most complex functions of NPF: it executes the filter, runs the statistical engine (if the instance is in statistical mode), gathers the timestamp, moves the packet in the buffer. NPF_tap() is the only function, along with the filtering ones, that is executed for every incoming packet, therefore it is carefully optimized.

VOID NPF_TransferDataComplete	(	IN NDIS_HANDLE	ProtocolBindingContext,
		IN PNDIS_PACKET	Packet,
		IN NDIS_STATUS	Status,
		IN UINT	BytesTransferred
	)

Ends the transfer of a packet.

Parameters:

	ProtocolBindingContext	Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with the current instance.
	Packet	Pointer to the NDIS_PACKET structure that received the packet data.
	Status	Status of the transfer operation.
	BytesTransferred	Amount of bytes transferred.

Callback function associated with the NdisTransferData() NDIS function. It is invoked by NDIS when the NIC driver has finished the transfer of a packet from the NIC driver memory to the NPF circular buffer.

VOID NPF_UnbindAdapter	(	OUT PNDIS_STATUS	Status,
		IN NDIS_HANDLE	ProtocolBindingContext,
		IN NDIS_HANDLE	UnbindContext
	)

Callback for NDIS UnbindAdapterHandler.

Parameters:

	Status	out variable filled by NPF_UnbindAdapter with the status of the unbind operation.
	ProtocolBindingContext	Context of the function. Contains a pointer to the OPEN_INSTANCE structure associated with current instance.
	UnbindContext	Specifies a handle, supplied by NDIS, that NPF can use to complete the opration.

Function called by NDIS when a new adapter is removed from the machine without shutting it down. NPF_UnbindAdapter closes the adapter calling NdisCloseAdapter() and frees the memory and the structures associated with it. It also releases the waiting user-level app and closes the dump thread if the instance is in dump mode.

VOID NPF_Unload

(

IN PDRIVER_OBJECT

DriverObject

)

Function called by the OS when NPF is unloaded.

Parameters:

DriverObject

The driver object of NPF created by the system.

This is the last function executed when the driver is unloaded from the system. It frees global resources, delete the devices and deregisters the protocol. The driver can be unloaded by the user stopping the NPF service (from control panel or with a console 'net stop npf').

VOID NPF_WaitEndOfBufferedWrite

(

POPEN_INSTANCE

Open

)

Waits the completion of all the sends performed by NPF_BufferedWrite.

Parameters:

Open

Pointer to open context structure

Used by NPF_BufferedWrite to wait the completion of all the sends before returning the control to the user.

NTSTATUS NPF_Write	(	IN PDEVICE_OBJECT	DeviceObject,
		IN PIRP	Irp
	)

Writes a raw packet to the network.

Parameters:

	DeviceObject	Pointer to the device object on which the user wrote the packet.
	Irp	Pointer to the IRP containing the user request.

Returns:

The status of the operation. See ntstatus.h in the DDK.

This function is called by the OS in consequence of user WriteFile() call, with the data of the packet that must be sent on the net. The data is contained in the buffer associated with Irp, NPF_Write takes it and delivers it to the NIC driver via the NdisSend() function. The Nwrites field of the OPEN_INSTANCE structure associated with Irp indicates the number of copies of the packet that will be sent: more than one copy of the packet can be sent for performance reasons.

VOID NPF_WriteDumpFile	(	PFILE_OBJECT	FileObject,
		PLARGE_INTEGER	Offset,
		ULONG	Length,
		PMDL	Mdl,
		PIO_STATUS_BLOCK	IoStatusBlock
	)

Writes a block of packets on the dump file.

Parameters:

	FileObject	The file object that will receive the packets.
	Offset	The offset in the file where the packets will be put.
	Length	The amount of bytes to write.
	Mdl	MDL mapping the memory buffer that will be written to disk.
	IoStatusBlock	Used by the function to return the status of the operation.

Returns:

The status of the operation. See ntstatus.h in the DDK.

NPF_WriteDumpFile addresses directly the file system, creating a custom IRP and using it to send a portion of the NPF circular buffer to disk. This function is used by NPF_DumpThread().