| Rawether for Windows | "Rawether" |
| Win32 NDIS Framework | "WinDis" or "WinDis 32" |
Perhaps.
Microsoft Windows support for raw data sockets is inconsistent across the various platforms. On many platforms Microsoft supports raw IGMP and ICMP sockets.
Windows 2000 raw data sockets support is more extensive. However, for "security reasons" the use of raw sockets became much more limited on Windows XP and later platforms.
Microsoft provides several Winsock sample applications as part of the Microsoft Platform SDK.
The Platform SDK includes the RcvAll Winsock sample that illustrates how to use Windows 2000 Winsock ioctls and how to capture IP traffic on a specific network interface. The sample is under the Samples\NetDS\Winsock directory.
For more information about Winsock, see the Winsock Programmers FAQ. Click here for information specifically about raw data sockets.
No, the HookPeek sample application that is provided with Rawether is NOT a network monitoring or "sniffer" program. It is, however, a good place to start development of such a program. In fact, PCAUSA products are used as the network packet reception codebase for several commercial network analyzer products.
HookPeek does place the selected adapter into promiscuous mode and "dump" packets to the console. However, there is a lot more to making a good network analyzer.
First of all, dumping each packet to the console actually takes a lot of time. On a heavily loaded network, packets can be lost during the time that it takes to display the packet. Commercial network monitor programs save the packets in internal memory buffers and display very little information while actually collecting data.
In addition, commercial network analyzers provide lots of other packet data processing and filtering functions that are not provided by HookPeek.
"Filtering" a packet means either altering a packet's contents (e.g., encryption/compression) or altering the flow of packets (e.g., dropping or delaying) before they are presented to some other protocol driver such as TCP/IP.
Rawether does not include the capability to filter network packets.
This is not a limitation of Rawether. It is part of the behavior specified by the Network Driver Interface Specification (NDIS).
In particular, Rawether uses supporting NDIS protocol drivers to allow your application to "directly" access NDIS MAC drivers. The Rawether NDIS protocol drivers are "peers" to other NDIS protocol and transport drivers (such as TCP/IP). NDIS does not provide any mechanism for one peer NDIS protocol driver to modify packets presented to any other NDIS protocol driver. In fact, NDIS guarantees that every peer NDIS protocol driver will be presented with exactly the same received packet as every other peer NDIS protocol driver.
If you are interested in filtering, then you cannot use a "simple" NDIS protocol driver. Instead you will need a network component that is logically between the NDIS MAC drivers and the protocol that you wish to filter. This type of filter driver is generally called an NDIS Intermediate (IM) driver.
For more information about packet filtering on Windows platforms, visit the page Windows Network Data And Packet Filtering Frequently Asked Questions.
Rawether allows you to conveniently write Win32 applications that access NDIS MAC drivers using a straightforward API that is very similar to the API used by an NDIS protocol driver. In addition, the samples provided in the SDK provide several illustrations of performing representative NDIS operations using the Rawether protocol drivers as a "proxy".
However, Rawether doesn't make it "simpler" for you to interface with the adapter. There are hundreds of operations which could conceivably be made, and many of these are media-dependent. If you need to call the adapter to do something special, you'll have to know a little about NDIS.
HookPeek is a Win32 console application which is intended to be run from the Windows Command Prompt, much like a DOS application. In addition, HookPeek needs a few command-line arguments to tell it which adapter to use. When you double-click the HookPeek icon from the Explorer, Windows starts HookPeek without the command-line arguments that it needs. So, it quits immediately.
The NDIScope Help File includes topics that describe how to run the HookPeek application.
The current version of Rawether does not include support for NDIS WAN.
There are obvious similarities: both provide functions to send and receive packets and to submit NDIS requests to an NDIS adapter driver.
However, there are quite a few differences, including:
- Rawether is simple to understand and use. Developers who have successfully used Rawether include both experienced network software developers and those who do not have a deep understanding of NDIS or Windows device drivers.
- Rawether provides an "Adapter Chooser" and run-time dynamically loadable protocol drivers for all current Windows platforms.
- Rawether includes a relatively high-performance PacketRead mechanism designed to pass packets to the application in the same sequence that they were received. Received packets are time stamped and are assigned sequence numbers which allow detection of lost packets.
- Rawether is thoroughly debugged and provides the foundation for a large number of commercial products.
- Rawether is actively supported, and features like the BPF packet filter (and more) are being added.
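
The buffering point from the HookPeek answer and the sequence-number point above fit in one sketch, added here as an example that is not Rawether code: the receive path numbers and stores each packet in a fixed in-memory ring without printing, and the reader detects loss from gaps in the sequence numbers. The `pkt_rec`, `ring` and `gap_state` layouts and all function names are assumptions; Rawether's own PacketRead structures are not shown on this page.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical layouts: Rawether's own PacketRead structures are not shown on the page. */
#define RING_SLOTS 8u    /* power of two, so index math survives counter wraparound */
#define SNAP_LEN   64u   /* bytes of each packet kept */
typedef struct { uint32_t seq; uint64_t ts_usec; uint16_t len; uint8_t data[SNAP_LEN]; } pkt_rec;
typedef struct { pkt_rec slot[RING_SLOTS]; uint32_t head, tail, next_seq, dropped; } ring;
typedef struct { int started; uint32_t expect, lost; } gap_state;

/* Receive path: number every packet first, then store it, or drop it if the ring is full. */
int ring_push(ring *r, const uint8_t *p, uint16_t len, uint64_t ts) {
    uint32_t seq = r->next_seq++;
    if (r->head - r->tail == RING_SLOTS) { r->dropped++; return 0; }
    pkt_rec *s = &r->slot[r->head++ % RING_SLOTS];
    s->seq = seq; s->ts_usec = ts;
    s->len = len > SNAP_LEN ? (uint16_t)SNAP_LEN : len;
    memcpy(s->data, p, s->len);
    return 1;
}

int ring_pop(ring *r, pkt_rec *out) {   /* reader: oldest record first, arrival order */
    if (r->head == r->tail) return 0;
    *out = r->slot[r->tail++ % RING_SLOTS];
    return 1;
}

/* Loss accounting from sequence numbers alone; unsigned subtraction is wrap-safe. */
void gap_update(gap_state *g, uint32_t seq) {
    if (g->started) g->lost += seq - g->expect;
    g->started = 1;
    g->expect = seq + 1;
}

/* Drain everything buffered; nothing is printed per packet on this path. */
uint32_t drain(ring *r, gap_state *g) {
    pkt_rec rec; uint32_t n = 0;
    while (ring_pop(r, &rec)) { gap_update(g, rec.seq); n++; }
    return n;
}

int main(void) {   /* constructed burst: 12 packets into 8 slots, drain, then one more */
    static const uint8_t frame[60] = {0};
    ring r = {0}; gap_state g = {0};
    for (int i = 0; i < 12; i++) ring_push(&r, frame, sizeof frame, 1000u * (unsigned)i);
    drain(&r, &g);                               /* 8 stored, 4 dropped, gap not yet visible */
    ring_push(&r, frame, sizeof frame, 12000);   /* next stored packet exposes the gap */
    drain(&r, &g);
    return (r.dropped == 4 && g.lost == 4) ? 0 : 1;
}
```

A drop at the tail of a burst only shows up as a gap once the next stored packet is read, which is why the scenario pushes one more packet before the final drain.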
No, the Rawether PCANDIS# drivers are "ordinary" NDIS protocol drivers.
An NDIS intermediate driver is a type of NDIS driver that can be layered on top of an actual NDIS media access controller (MAC) driver and below NDIS protocol drivers such as TCP/IP. In this "intermediate" position the driver can modify the data passed up or down the network protocol stack to perform functions such as encryption, compression, etc.
NDIS intermediate drivers can only be used on platforms that support NDIS 4.X and higher, which Microsoft provides (inconsistently) only on Windows 95 OSR2 and later, Windows 98, Windows Millennium, Windows NT 4.0 SP3 and later, and Windows 2000.
At the device driver level a "transport driver" is a "protocol driver". That is: it is a Windows device driver that uses the NDIS API to bind to lower-level NIC miniport drivers.
However, a "transport driver" implements a specific network protocol such as TCP/IP and interfaces to applications via the user-mode Winsock API.
Rawether is a general-purpose NDIS protocol driver that
On Windows XP NDIS protocol drivers can directly bind to 802.11 adapter miniports. This allows NDIS protocols to be used to implement 802.11 adapter management functionality and custom supplicants.
However, Windows Vista and later platforms have an entirely different 802.11 network architecture. In particular, the Microsoft "Native Wi-Fi" architecture inserts a proprietary NDIS 6 filter driver that has exclusive access to the actual 802.11 NIC miniport. This effectively prevents non-Microsoft management of 802.11 adapters on Vista and later.