office: (770) 432-4580
fax: (770) 234-4182
skype: pcausa

Transport-Level IP Port Data Monitor

Overview

Windows Kernel-Mode Transport Background

Windows protocol stacks such as TCP/IP are implemented as kernel-mode transport drivers. The kernel-mode transport drivers all expose a common upper-edge network-programming interface to the system, although that interface changed between Windows XP and Vista.

The kernel-mode transport API is the "native" Windows networking interface. User-mode APIs such as Winsock are layered on top of it by emulator modules.

Pre-Vista Kernel-Mode Transport Implementation

The pre-Vista Windows TCP/IP protocol stack is implemented as a kernel-mode NDIS protocol (or "transport") driver. These drivers expose a common upper-edge network-programming interface known as the Transport Driver Interface (TDI). TDI is the "native" Windows NT networking interface on Windows platforms prior to Vista.

One could write native Windows NT applications that use TDI directly. However, it is more common for applications to use a more widely accepted Win32 network API such as Winsock. The Winsock API, for example, is provided to Win32 applications by an "emulator module" that translates Winsock calls into native TDI operations.

Kernel-mode drivers can use the native TDI interface directly, without going through the emulators. The purpose of this sample is not to illustrate how to write a TDI client; instead, it is intended to provide some guidance on developing a TDI filter. It is not a comprehensive framework for all TDI filtering operations (e.g., blocking or data modification); it is an introduction to TDI filtering.

TDI has been around for a long time. It was provided at least as early as Windows NT 3.5 and was used to support MSTCP on the original Windows 95. It was probably included in Windows for Workgroups 3.11, although the PCAUSA WFW machine is dead at this point in history and this cannot be confirmed.

TDI is logically similar across all of these platforms. Remarkably, some of the earliest and most obscure TDI header files for Windows 95 (circa 1989) include data structures that were preserved intact in Windows 2000 and only slightly modified in Windows XP.

There are actually several kernel-mode interfaces to the Microsoft transport protocol drivers:

  • Transport Driver Interface (TDI) – Provides a uniform API for addressing, establishing connections, and sending/receiving both datagrams and connection-oriented data.
  • Protocol-Specific API Extensions – Provide support for protocol-specific functionality.
  • Proprietary Interfaces – APIs used by Microsoft to optimize the performance of its own products; they cannot be used by most third-party vendors.

TDI is well suited to its intended use of supporting other kernel-mode clients. All TDI operations can be designed to execute asynchronously, using event or callback routines. Chains of callback routines can control the flow of operations without resorting to a complex state machine: as each callback runs it can examine the result of the operation and, unless restricted by IRQL, initiate subsequent operations.

The Windows WDK provides extensive documentation of the API, and early versions of the Windows NT DDK included a sample TDI driver with guidelines for modifying it. However, the Microsoft TDI driver sample was a NetBIOS-oriented protocol driver and offered little insight into the TCP/IP protocol of interest to most developers.

It is not easy to read the Microsoft TDI documentation, because some of the techniques used in TDI drivers are not encountered in typical Windows NT device drivers and/or are weakly described in the Microsoft documentation and DDK samples. This means that even though the TDI documentation is essentially correct, it is easily misinterpreted.

In addition, the Windows NT DDK does not include any samples that actually illustrate the use of the TDI interface by TDI Clients – the users of TDI protocol drivers.

Vista and Later Kernel-Mode Transport Implementation

The kernel-mode networking architecture in Vista and later Windows platforms is completely new. The kernel-mode transport interface is Winsock Kernel (WSK), and a filtering API, the Windows Filtering Platform (WFP), is an integral part of the IP transport driver.

See the current WDK documentation for more information.


The PCAUSA Transport-Level IP Data Monitor

The transport-level sample included in this collection comprises both a TDI filter and a WFP filter that allow monitoring of TCP streams and UDP datagrams. Both filters can monitor IP data when the two endpoints are on the same host, as well as when one endpoint is remote.

Although TDI is "old technology", both the TDI filter and the WFP filter are implemented using the Windows Driver Frameworks (WDF) from WDK 7600.16385.1.

You can download the TDPortMon Application User Guide (PDF) to gain familiarity with operation of the sample.

One example is monitoring the Microsoft Platform SDK Winsock "simple" client/server sample's TCP data. You can view the TDPortMon log for simple client/server data exchanges here. The trace was made with client and server running on the same Windows XP host using the TDI filter.

A second example is monitoring HTTP data exchanges when viewing smallpage.htm on the PCAUSA website. You can view the TDPortMon log for smallpage.htm HTTP exchanges here. The trace was made on Windows 7 64-Bit Edition using the WFP filter.
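The two traces above were produced by driving known traffic through the filters. As an added example (not part of the PCAUSA sample or its documentation), the Python script below stands in for the Platform SDK Winsock "simple" client/server: it runs a TCP echo server and a UDP echo server on 127.0.0.1, drives deterministic payloads through both from a client in the same process, and returns the ports plus byte and datagram counts. Run it on a host where the TDI or WFP filter is loaded and you have known same-host traffic, for both TCP and UDP, to compare line by line against the TDPortMon log. The loopback address, payload text, ephemeral-port selection and timeouts are assumptions of the example.

```python
"""Loopback TCP/UDP traffic generator for checking a transport-level monitor.

Added example, not PCAUSA code. Every byte sent is deterministic, so the
counts returned can be matched against what TDPortMon logged for the same
ports. Assumes both endpoints on 127.0.0.1 (the same-host case).
"""
import socket
import threading

HOST = "127.0.0.1"  # assumption: both endpoints on the same host
TIMEOUT = 2.0       # assumption: loopback replies arrive well within this


def _tcp_echo(listener, stats):
    """Accept one connection and echo everything back until the peer closes."""
    conn, _ = listener.accept()
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:          # client closed: end of the TCP stream
                break
            conn.sendall(chunk)
            stats["tcp_bytes_echoed"] += len(chunk)


def _udp_echo(sock, expected, stats):
    """Echo `expected` datagrams back to their senders, or stop on timeout."""
    for _ in range(expected):
        try:
            data, peer = sock.recvfrom(65535)
        except socket.timeout:
            break
        sock.sendto(data, peer)
        stats["udp_datagrams_echoed"] += 1


def _recv_exact(sock, n):
    """TCP is a byte stream: keep reading until n bytes have arrived."""
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed before the echo completed")
        buf += part
    return buf


def run_loopback_exchange(tcp_rounds=3, udp_rounds=3):
    """Drive deterministic TCP and UDP traffic over loopback; return counts."""
    stats = {"tcp_bytes_sent": 0, "tcp_bytes_echoed": 0,
             "udp_datagrams_sent": 0, "udp_datagrams_echoed": 0,
             "mismatches": 0}

    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, 0))        # ephemeral port, reported for log filtering
    listener.listen(1)
    stats["tcp_port"] = listener.getsockname()[1]

    udp_srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_srv.bind((HOST, 0))
    udp_srv.settimeout(TIMEOUT)
    stats["udp_port"] = udp_srv.getsockname()[1]

    threads = [threading.Thread(target=_tcp_echo, args=(listener, stats)),
               threading.Thread(target=_udp_echo, args=(udp_srv, udp_rounds, stats))]
    for t in threads:
        t.start()

    # TCP: one connection, several numbered lines, each echoed before the next.
    with socket.create_connection((HOST, stats["tcp_port"])) as tcp:
        for i in range(tcp_rounds):
            msg = b"TDPortMon TCP message %02d\r\n" % i   # constructed payload
            tcp.sendall(msg)
            stats["tcp_bytes_sent"] += len(msg)
            if _recv_exact(tcp, len(msg)) != msg:
                stats["mismatches"] += 1

    # UDP: one datagram per round; a missing reply counts as a mismatch.
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.settimeout(TIMEOUT)
    for i in range(udp_rounds):
        msg = b"TDPortMon UDP datagram %02d" % i        # constructed payload
        udp.sendto(msg, (HOST, stats["udp_port"]))
        stats["udp_datagrams_sent"] += 1
        try:
            reply, _ = udp.recvfrom(65535)
            if reply != msg:
                stats["mismatches"] += 1
        except socket.timeout:
            stats["mismatches"] += 1

    for t in threads:
        t.join()
    for s in (listener, udp_srv, udp):
        s.close()
    return stats


if __name__ == "__main__":
    for key, value in run_loopback_exchange().items():
        print(f"{key}: {value}")
```

The returned tcp_port and udp_port are the ephemeral ports the servers bound, so the same run tells you which entries of the TDPortMon log to look at; tcp_bytes_sent should appear once in each direction of the stream, and udp_datagrams_sent datagrams should appear for each direction as well.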


Download Sample Executables

You can download sample executables for evaluation and your own personal use subject to these limitations:

  • The evaluation executables are provided as-is and have no warranty.
  • You may not redistribute the PCAUSA sample executables in any way.

The MSI installer doesn't do much. It simply copies the driver and application executables and companion documentation to the \ProgramFiles\PCAUSA\TDMonitor folder. You will need to examine the documentation in this folder to use the TDPortMon application.

Additional Documentation

None at this time...


Other Information

Licensing

The samples are licensed intellectual property of PCAUSA. If you purchase a PCAUSA sample driver product, however, it is provided with a royalty-free license intended to allow customers to derive their own products from all or part of the samples. The royalty-free license applies strictly to the distribution of products in binary (executable) form; there are, quite naturally, restrictions on distribution of the sample source code.

 You can view the PCAUSA License here.

Price List and Ordering Information

Online ordering and other purchase information are available from the PCAUSA website.




Release Notes

Version      Date                Notes
V2.02.06.19  January 11, 2011    1.) Some improvements to logging.
                                 2.) Modified setup projects to include merge modules needed to support the sample applications.
V2.02.06.18  October 22, 2010    Added UDP logging to the WFP driver. This was omitted in V2.02.06.17.
V2.02.06.17  September 16, 2010  Major rework and initial public release.
V2.02.06.16  October 29, 2010    Internal release. Limited external distribution.

Detailed Release Notes...