1. It's possible, but I'm not sure how trivial it is. If you use functions like ZwCreateFile/WriteFile, they all require IRQL = PASSIVE_LEVEL, whereas the receive handlers in an NDIS IM driver run at IRQL <= DISPATCH_LEVEL. It's not a matter of dumping in pcap vs any other file format. The issue is the write operation itself.
2. Have you checked if there is any sample in the WDK that writes to a file from a driver?

Have a nice day
GV

From: ictsecurity ictsecurity
Sent: Tuesday, June 22, 2010 1:59 AM
To: [email protected]
Subject: [Winpcap-users] Direct Dump the packets from the driver

Hi all,

I modified the passthru driver (NDIS Intermediate Driver) from the example in the WinDDK. I succeeded in directly intercepting and dumping all the network traffic packets (hexadecimal format) into c:\xxxx.dat. My questions are:

1. Is it possible to dump directly from the NDIS intermediate driver into pcap format, for example c:\xxx.pcap, without sending all the traffic to ring3 for processing?
2. If yes, is there any code / docs I can refer to?

Thanks,
from ictsecurity0

--------------------------------------------------------------------------------
_______________________________________________
Winpcap-users mailing list
[email protected]
https://www.winpcap.org/mailman/listinfo/winpcap-users
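The split GV's reply points at (copy the frame at DISPATCH_LEVEL, write the file from a PASSIVE_LEVEL work item) together with the pcap framing the question asks about, as an added example that is not code from this thread, from WinPcap or from the WDK passthru sample. Kernel pieces (spin lock, IoQueueWorkItem, ZwWriteFile) are stood in for by plain C so it runs in user mode; SNAPLEN, QUEUE_LEN, the frame bytes and the timestamp are constructed.

```c
#include <stdint.h>
#include <string.h>
#define SNAPLEN   256
#define QUEUE_LEN 64
/* One frame copied out of the NDIS packet; in a driver the queue is spin-locked. */
struct qitem { uint32_t ts_sec, ts_usec, orig_len, incl_len; uint8_t data[SNAPLEN]; };
static struct qitem queue[QUEUE_LEN];
static unsigned q_head, q_tail;

/* Receive side (IRQL <= DISPATCH_LEVEL): copy only, never block, never touch a
 * file. A full queue drops the frame instead of waiting. Returns 1 if queued. */
int capture_enqueue(const uint8_t *frame, uint32_t len, uint32_t sec, uint32_t usec) {
    if (q_tail - q_head >= QUEUE_LEN) return 0;
    struct qitem *it = &queue[q_tail % QUEUE_LEN];
    it->ts_sec = sec; it->ts_usec = usec; it->orig_len = len;
    it->incl_len = len > SNAPLEN ? SNAPLEN : len;          /* snaplen truncation */
    memcpy(it->data, frame, it->incl_len);
    q_tail++;
    return 1;
}
static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); } /* host order, like libpcap */
static void put16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
/* pcap global header: magic 0xa1b2c3d4, version 2.4, LINKTYPE_ETHERNET (1). */
size_t pcap_write_header(uint8_t *out) {
    put32(out, 0xa1b2c3d4u); put16(out + 4, 2); put16(out + 6, 4);
    put32(out + 8, 0); put32(out + 12, 0); put32(out + 16, SNAPLEN); put32(out + 20, 1);
    return 24;
}
/* Writer side (PASSIVE_LEVEL work item): drain the queue into pcap records.
 * 'out' stands in for the buffer handed to ZwWriteFile. Returns bytes produced. */
size_t pcap_drain(uint8_t *out, size_t cap) {
    size_t n = 0;
    while (q_head != q_tail) {
        struct qitem *it = &queue[q_head % QUEUE_LEN];
        if (n + 16 + it->incl_len > cap) break;            /* rest goes in the next write */
        put32(out + n, it->ts_sec); put32(out + n + 4, it->ts_usec);
        put32(out + n + 8, it->incl_len); put32(out + n + 12, it->orig_len);
        memcpy(out + n + 16, it->data, it->incl_len);
        n += 16 + it->incl_len;
        q_head++;
    }
    return n;
}
/* Constructed demo: one 60-byte frame through both halves into out[1024]. */
size_t demo_one_frame(uint8_t *out) {
    uint8_t frame[60] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };  /* constructed frame */
    capture_enqueue(frame, sizeof frame, 1277164800u, 0);        /* constructed timestamp */
    size_t n = pcap_write_header(out); return n + pcap_drain(out + n, 1024 - n);
}
```

The output of demo_one_frame is a 24-byte global header followed by one 16-byte record header and the 60 frame bytes, which any pcap reader accepts; a real driver would hand the same bytes to ZwWriteFile from the work item, never from the receive handler.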
