- This topic has 4 replies, 2 voices, and was last updated 17 years, 2 months ago by
.
-
Posts
-
1. Does all log entries read by ReadLog are automatically removed from driver’s queue? If not, then how to synchronize user-mode log entries purging (after they’ve been read) with kernel mode log filling and not to delete unread entries?
2. I found FLT_ACTION_NOTIFY filter action flag which is not described in help file at all.
3. I want to make simplified version of Network Monitor App (traffic monitor): I don’t need to capture data itself, I need only to know data size (PLOG_INFO->m_FullDataLength). So data logging shown in “Monitor” example app is redundant. What methods(calls) should I use?
Thanks.
1. При вызове ReadLog прочитанные записи удаляются из очереди(буфера) драйвера? Если нет, то как синхронизировать удаление приложением записей из очереди и добавление записей драйвером в очередь?
2. Флаг FLT_ACTION_NOTIFY не описан в справке. Для чего он нужен?
3. Я хочу написать программу учета траффика. Мне не нужно захватывать сами передаваемые данные, а просто нужно знать их размер. Думаю, что методы, применяемые в программе-примере “Monitor” избыточны – выполняется лишняя работа. Как можно добиться такого же мониторинга, но только без захвата самих данных драйвером?
Заранее спасибо.
Hi,
>1. Does all log entries read by ReadLog are automatically removed from driver’s
>queue? If not, then how to synchronize user-mode log entries purging (after they’ve
>been read) with kernel mode log filling and not to delete unread entries?Yes, driver removes log entries automatically
>2. I found FLT_ACTION_NOTIFY filter action flag which is not described in help file
>at all.FLT_ACTION_NOTIFY is not used now.
>3. I want to make simplified version of Network Monitor App (traffic monitor): I don’t
>need to capture data itself, I need only to know data size >(PLOG_INFO->m_FullDataLength). So data logging shown in “Monitor” example app
>is redundant. What methods(calls) should I use?It’s not possible with the current api. Driver always logs request’s data. You should modify driver sources for capturing without data.
Regards
Anton.Ok, then another things…
1. When I set event filter mask as follows
FilterInfo.m_FilterMask = EVENT_MASK_RCV | EVENT_MASK_RCV_DGM | EVENT_MASK_SND | EVENT_MASK_SND_DGM;then remote IP in PLOG_INFO structure is always equal to local IP. When I set
FilterInfo.m_FilterMask = EVENT_MASK_FULL;
remote IP is shown correctly.
2. I’ve modified Monitor example to group events by app/localIP/remoteIP/protocol as follows (rest part of example is unchanged):
//declared earlier
//typedef struct _STAT_ENTRY
//{
// LONGLONG totalSent;
// LONGLONG totalRecv;
// char szProcName[NT_PROCNAMELEN + 1];
// unsigned long localAddr;
// unsigned long remoteAddr;
// unsigned long protocol;
//} STAT_ENTRY;
//
//vectorg_Entries;
while(i < 20)
{
if (!api.ReadLog((PLOG_INFO)Buffer, BufferLength))
{
if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
{
BufferLength += 0x1000;
if (!(Buffer = (PUCHAR)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Buffer, BufferLength)))
{
_tprintf (TEXT("can't allocate %i bytes! abortn"), BufferLength);
break;
}
continue;
}
if (api.GetWaitEvent())
api.WaitForData(INFINITE);
else
Sleep(1000);
continue;
}
i++;
BytesProcessed = 0;
BytesRead = api.GetBytesReturned();
LogInfo = (PLOG_INFO)Buffer;
for (j = 0; BytesProcessed < BytesRead; j++)
{
if (!LogInfo->m_GroupID && !LogInfo->m_OperationStatus)
{
for (unsigned int l = 0; l < g_Entries.size(); l++)
{
if (g_Entries[l].remoteAddr == LogInfo->m_RemoteAddress.m_Ip && g_Entries[l].localAddr == LogInfo->m_LocalAddress.m_Ip && g_Entries[l].protocol == LogInfo->m_Protocol)
{
if(!_stricmp(g_Entries[l].szProcName, LogInfo->m_szProcessName))
{
if (LogInfo->m_EvtType == TDI_EVT_RCV) g_Entries[l].totalRecv += LogInfo->m_FullDataLength;
if (LogInfo->m_EvtType == TDI_EVT_SND) g_Entries[l].totalSent += LogInfo->m_FullDataLength;
break;
}
}
}
if (l >= g_Entries.size())
{
STAT_ENTRY se = {0L, 0L};
if (LogInfo->m_EvtType == TDI_EVT_RCV) se.totalRecv = LogInfo->m_FullDataLength;
if (LogInfo->m_EvtType == TDI_EVT_SND) se.totalSent = LogInfo->m_FullDataLength;
se.localAddr = LogInfo->m_LocalAddress.m_Ip;
se.remoteAddr = LogInfo->m_RemoteAddress.m_Ip;
se.protocol = LogInfo->m_Protocol;
strncpy(se.szProcName, LogInfo->m_szProcessName, sizeof(se.szProcName));
g_Entries.push_back(se);
}
}
BytesProcessed += sizeof(*LogInfo) + LogInfo->m_DataLength;
LogInfo += (PLOG_INFO)((PUCHAR)Buffer + BytesProcessed);
}
}
After launching example I use browser to download some data. Strange thing that totalRecv field in each entry is always zero and totalSent contains received data size.
Look’s like you missed something… Please, send me your sources to anton@ntkernel.com
- You must be logged in to reply to this topic.