Getting header from packet


Problem description



Hi everyone:

When I use the function (NdisGetDataBuffer) to get the data I ask for, how can I be sure that the data belongs to the packet I caught?

And another question: I did not understand how to use the NdisRetreatNetBufferDataStart and NdisAdvanceNetBufferDataStart functions.

Solution

You know it is the correct packet, as you are passing in the NBL that was classified.  This NBL is, by default, a representation of a single packet (with a few exceptions like fragments and batch classifies).

As the NBL traverses the TCPIP stack, headers are added or removed.  This affects the offset of the NBL.  You can use the following link to see where the data offset is for the layer you are classifying:  http://msdn.microsoft.com/en-us/library/ff546324(v=VS.85).aspx

Based on which layer you are at, and what part of the packet you wish to inspect, you can determine whether you need to advance or retreat the offset.  If you look at the WFPSampler, you can see this logic as well as comments for the advancing and retreating (http://code.msdn.microsoft.com/Windows-Filtering-Platform-27553baa sys\ClassifyFunctions_BasicPacketInjection.cpp::PerformBasicPacketInjectionAtInboundNetwork)

Hope this helps,
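The retreat, read, advance pattern the answer describes, as an added example that is not part of the original thread and not WFPSampler code. It is a user-mode model: `model_nb`, `nb_retreat`, `nb_advance` and `nb_get_data` are hypothetical stand-ins for NET_BUFFER, NdisRetreatNetBufferDataStart, NdisAdvanceNetBufferDataStart and NdisGetDataBuffer, and it assumes the inbound network layer, where the offset starts on the transport header and the IP header size is supplied by the caller.

```c
#include <stddef.h>
#include <stdint.h>

/* User-mode model of a NET_BUFFER: one contiguous frame plus the current
 * data offset. Hypothetical stand-in types, not the NDIS structures. */
typedef struct { const uint8_t *frame; size_t frame_len; size_t offset; } model_nb;

/* Stand-in for NdisRetreatNetBufferDataStart: expose delta earlier bytes. */
static int nb_retreat(model_nb *nb, size_t delta) {
    if (delta > nb->offset) return -1;   /* nothing before the frame start */
    nb->offset -= delta;
    return 0;
}

/* Stand-in for NdisAdvanceNetBufferDataStart: skip delta bytes forward. */
static void nb_advance(model_nb *nb, size_t delta) {
    size_t left = nb->frame_len - nb->offset;
    nb->offset += delta > left ? left : delta;
}

/* Stand-in for NdisGetDataBuffer: pointer to `need` bytes at the current
 * offset, or NULL when fewer bytes remain. */
static const uint8_t *nb_get_data(const model_nb *nb, size_t need) {
    if (need > nb->frame_len - nb->offset) return NULL;
    return nb->frame + nb->offset;
}

typedef struct { uint8_t protocol; uint32_t src, dst; } ipv4_info;

/* Inbound network layer: offset sits on the transport header. Retreat by the
 * IP header size, read the header, then put the offset back where it was. */
int read_ipv4_header(model_nb *nb, size_t ip_header_size, ipv4_info *out) {
    int rc = -1;
    if (ip_header_size < 20 || nb_retreat(nb, ip_header_size) != 0) return -1;
    const uint8_t *h = nb_get_data(nb, ip_header_size);
    if (h != NULL && (h[0] >> 4) == 4 && (size_t)(h[0] & 0x0F) * 4 == ip_header_size) {
        out->protocol = h[9];
        out->src = (uint32_t)h[12] << 24 | (uint32_t)h[13] << 16 | (uint32_t)h[14] << 8 | h[15];
        out->dst = (uint32_t)h[16] << 24 | (uint32_t)h[17] << 16 | (uint32_t)h[18] << 8 | h[19];
        rc = 0;
    }
    nb_advance(nb, ip_header_size);      /* always undo the retreat */
    return rc;
}

/* Constructed sample: 20-byte IPv4 header (TCP, 192.0.2.1 -> 198.51.100.7)
 * followed by 4 bytes standing in for the start of the TCP header. */
static const uint8_t SAMPLE[24] = {0x45,0,0,24, 0,0,0,0, 64,6,0,0,
    192,0,2,1, 198,51,100,7, 0x01,0xBB,0xC0,0x00};
```

The offset is restored on every path after a successful retreat, so later code sees the buffer exactly as the layer delivered it.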

