Listing active NDIS filters - windows

I am performing a multilayer packet capture on Windows using the built-in NDIS capture service in order to determine where in the stack packets for my application are being dropped. When viewing the resulting ETL file in Microsoft Message Analyzer, I'm provided with data points containing two items in particular that I'm looking for:
MiniportIfIndex - this corresponds with the adapter interface ID, which I can translate into a logical name by running Get-NetAdapter in PowerShell (as one method).
LowerIfIndex - this is the specific layer/filter of the NDIS stack that the packet is progressing through during the traffic flow and is the subject of this question.
I have yet to find a way to gather what specific layer/filter the lowerIfIndex is referencing. I found this article, which led me to the WMI class MSNdis_EnumerateReceiveFilters, which I was hoping would give me an output similar to that of Get-NetAdapter, listing the logical name of the filter as well as the corresponding ID. When I try to run the command in a format similar to how the MSDN article references it, I always receive an 'incorrect parameter' stop error.
One other command, Get-NetAdapterBinding, appears to display the logical names of the NDIS filters/layers, but no corresponding ID.
Is anyone aware of a way to correlate the lowerIfIndex to a filter name?

How to read SNMP variable bindings

I am trying to make an SNMP trap receiver that can capture all incoming SNMP traps from UDP port 162 and translate them into meaningful alarms. The image I attached is a sample trap that I captured using Wireshark.
My script can capture and parse all the different parts of the packet, but I got stuck in the variable binding section. I'm not sure how I can represent this section as some user-friendly information (that I can show in the user interface). How do I know whether these sequences are sending something alarming or just some general information regarding the agent node? Are these sequences independent pieces of information, or together are they forming one piece of information?
As with any incoming data, it is important to know what kind of info you are getting. The variable bindings of an SNMP trap are basically a hierarchical piece of data. Every object or element represents its own data. If you take the first element (1.3.6.1.2.1.1.3.0) you will find that this contains the sysUpTime (see link), which is pretty general.
Most of the other elements seem to start with 1.3.6.1.4.1.4421, which appears to be an object from a specific vendor, Santera Systems (see link). You might want to try and contact them in order to obtain their MIB (Management Information Base), which should have details on what kind of data is shown in these fields.
It might be possible to find info like this online; have a look at the XML files on this link.

A nested net-snmp snmptrap message sending example

Most of the examples provided for sending SNMP traps are simple ones like the one below.
snmptrap -v 1 -c public host TRAP-TEST-MIB::demotraps localhost 6 17 '' \
SNMPv2-MIB::sysLocation.0 s "Just here"
Take any MIB file, they contain many complex object groups, for example, systemGroup contains sysLocation, sysName, etc.
Could someone help with examples showing how to send SNMP traps which include such OBJECT-GROUPs? Adding one more question here: does SNMPTRAPD support internationalization?
It is really bad practice to define the SNMP notification (trap or inform) in such a way that it contains the entire OBJECT GROUP or, even worse, the entire SNMP table. The reason is that you don't really need all these variables anyway. The other reason is that the packet/PDU is limited by the MTU size. So it is possible that you'll not be able to send the data within a single UDP packet due to its size.
The proper scenario would be to have a few varbinds, and you could also initiate some polling cycle to find out what happened if you need more details when you receive such a trap.
SNMPTRAPD and NET-SNMP library in general do not support internationalization (UNICODE). The library is limited to ASCII charset only.
There are commercial products on the market, including NetDecision TrapVision and some others, that fully support UTF-8 internationalization.
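The two SNMP threads above both come down to the same structure: a trap's variable-binding list is a BER SEQUENCE of (OID, value) pairs, each element carrying its own datum, with anything under 1.3.6.1.4.1.<enterprise> being vendor-defined, and the whole list sharing one UDP datagram with the rest of the message. The following block is an added example and not code from either poster or from net-snmp: a minimal BER decoder for a varbind list, a name lookup that flags enterprise OIDs as needing the vendor's MIB, a size check that shows why stuffing a whole object group into one trap can overflow a datagram, and a small encoder used only to construct the offline sample. The sample varbinds, the objects placed under the 4421 enterprise arc, the datagram budget and all function names are constructed assumptions for illustration.

```python
# Added example (not from the posts above): minimal BER codec for an SNMP varbind list.
TAG_NAMES = {0x02: "INTEGER", 0x04: "OCTET STRING", 0x05: "NULL", 0x06: "OBJECT IDENTIFIER",
             0x40: "IpAddress", 0x41: "Counter32", 0x42: "Gauge32", 0x43: "TimeTicks"}
KNOWN_OIDS = {"1.3.6.1.2.1.1.3.0": "sysUpTime.0", "1.3.6.1.6.3.1.1.4.1.0": "snmpTrapOID.0"}
ENTERPRISE_PREFIX = "1.3.6.1.4.1."   # everything below this arc is vendor-defined (needs the vendor MIB)
UDP_PAYLOAD_BUDGET = 1500 - 20 - 8   # assumption: Ethernet MTU minus IPv4 and UDP headers

def encode_length(n):
    if n < 0x80:
        return bytes([n])                              # short form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body            # long form: count byte, then length bytes

def encode_tlv(tag, payload):
    return bytes([tag]) + encode_length(len(payload)) + payload

def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])          # first two arcs share one byte
    for arc in arcs[2:]:                               # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return encode_tlv(0x06, bytes(out))

def encode_uint(tag, n):
    return encode_tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def decode_tlv(buf, pos):
    """Return (tag, value bytes, next position); reject a length that runs past the buffer."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV length runs past end of buffer")
    return tag, buf[pos:end], end

def decode_oid(body):
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_value(tag, body):
    if tag in (0x02, 0x41, 0x42, 0x43):
        return int.from_bytes(body, "big", signed=(tag == 0x02))
    if tag == 0x04:
        return body.decode("ascii", errors="replace")  # net-snmp strings are ASCII only
    if tag == 0x06:
        return decode_oid(body)
    if tag == 0x40:
        return ".".join(str(b) for b in body)
    return None if tag == 0x05 else body.hex()

def parse_varbinds(buf):
    """Decode SEQUENCE OF VarBind into a list of (oid, type name, value)."""
    tag, body, end = decode_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected one outer SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        vb_tag, vb, pos = decode_tlv(body, pos)
        oid_tag, oid_body, p = decode_tlv(vb, 0)
        if vb_tag != 0x30 or oid_tag != 0x06:
            raise ValueError("VarBind must be SEQUENCE { OID, value }")
        val_tag, val_body, _ = decode_tlv(vb, p)
        out.append((decode_oid(oid_body), TAG_NAMES.get(val_tag, f"tag 0x{val_tag:02x}"),
                    decode_value(val_tag, val_body)))
    return out

def describe_varbinds(varbinds):
    """Name the standard OIDs; flag enterprise OIDs so the reader knows a vendor MIB is needed."""
    rows = []
    for oid, typ, value in varbinds:
        if oid in KNOWN_OIDS:
            name = KNOWN_OIDS[oid]
        elif oid.startswith(ENTERPRISE_PREFIX):
            name = f"vendor-specific (enterprise {oid[len(ENTERPRISE_PREFIX):].split('.')[0]})"
        else:
            name = "unknown"
        rows.append({"oid": oid, "name": name, "type": typ, "value": value})
    return rows

def exceeds_datagram_budget(varbind_list, budget=UDP_PAYLOAD_BUDGET):
    """True when the varbind list alone cannot fit one datagram (the SNMP header adds more)."""
    return len(varbind_list) > budget

def build_sample_varbinds(padding_strings=0):
    """Constructed sample: sysUpTime, snmpTrapOID, two made-up objects under the Santera
    enterprise arc from the question, plus optional padding that mimics dumping a whole group."""
    vbs = [(encode_oid("1.3.6.1.2.1.1.3.0"), encode_uint(0x43, 123456)),
           (encode_oid("1.3.6.1.6.3.1.1.4.1.0"), encode_oid("1.3.6.1.4.1.4421.1.1")),
           (encode_oid("1.3.6.1.4.1.4421.2.1.0"), encode_tlv(0x04, b"link down")),
           (encode_oid("1.3.6.1.4.1.4421.2.2.0"), encode_uint(0x02, 2))]
    for i in range(padding_strings):
        vbs.append((encode_oid(f"1.3.6.1.4.1.4421.3.{i}.0"), encode_tlv(0x04, b"x" * 64)))
    return encode_tlv(0x30, b"".join(encode_tlv(0x30, oid + val) for oid, val in vbs))
```

Running `describe_varbinds(parse_varbinds(build_sample_varbinds()))` yields one row per element, with sysUpTime.0 and snmpTrapOID.0 named and the 4421 elements marked vendor-specific; the receiver can raise an alarm only once the vendor MIB says what those objects mean. `build_sample_varbinds(20)` pads the list with twenty 64-byte strings, and `exceeds_datagram_budget` then reports that the varbind list alone no longer fits a 1500-byte Ethernet frame, which is the MTU problem the second answer warns about. The decoder rejects a length field that points past the buffer, so a truncated or malformed trap fails loudly instead of being misread.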

Trying to uniquely ID a USB device from WMI query using DeviceID field

When WMI is queried and returns a list of devices, I've noted some information at the END of the DeviceID string that isn't documented anywhere I've looked so far. Here's an example of a DeviceID string returned from a WMI query looking at Win32_PnPEntity:
USB\VID_046D&PID_082D&MI_00\7&3538A2BF&0&0000
Now, the first two parts - both the 'USB' and the VID and PID are really well documented, as is the 'interface number' - the &MI_XX. However, the last part of the string (shown below) isn't documented anywhere I've looked. I don't even know what to call this part of the DeviceID string:
\7&3538A2BF&0&0000
Curiously, it comes in several flavors. I've noted that if I have two identical devices plugged into the PC, I'll get different values, which I've defaulted to calling 'instance id's' for lack of better documented reference info. Here's what I see when I have two identical USB Web cameras plugged into my PC:
USB\VID_046D&PID_082D&MI_00\6&DB509D0&0&0000
USB\VID_046D&PID_082D&MI_00\7&3538A2BF&0&0000
So far, so good. I can pick out that I have two identical devices plugged into the PC and can parse against these unique values. But wait! When the OS sees these devices, it also loads anything the driver offers for different 'interfaces' or modes of operation, so along with the above entries, when I make a WMI query against Win32_PnPEntity I also get these nice entries in the DeviceID field as well:
USB\VID_046D&PID_082D\195825EF
USB\VID_046D&PID_082D\36149BBF
So the problem is that without documentation that describes what this last part of the DeviceID is, I don't know what to expect, and can't associate or separate these 'duplicate' entries from their brethren in the query results.
The goal is to be able to scan through the WMI result, identify ONE 'primary' entry for a given device and discard anything else. I could likely HACK the filtering by looking for "USB Composite Device" in the Description field, but this is rather ugly and would discard some devices that do not have an appropriate or vendor-specified 'description.'
MSDN only provides that the DeviceID is a "Unique identifier of the USB controller. This property is inherited from CIM_LogicalDevice." -- and CIM_LogicalDevice doesn't detail the makeup of this field either.
Anyone been down this path or know which hole to look in? Similar questions in here and in other forums remain unanswered. (Hey M$, Why is this so %$##! mystical???)
It looks like this webcam is a composite device.
I think the node with the ID of USB\VID_046D&PID_082D\36149BBF is the parent device. The part after the second slash in this case is most likely the serial number of the device. (I have made Windows software for composite devices for years and we always get the serial number by parsing that part). This node probably uses usbccgp.sys as the driver, which allows it to parse the interface descriptors of the device and produce child nodes.
The node with ID USB\VID_046D&PID_082D&MI_00\6&DB509D0&0&0000 is the child node corresponding to USB interface 0. From my experience, I believe that the part after the second slash is some kind of unique identifier that depends on what USB port the device is plugged into.
For the WMI query, you should probably just ignore the child nodes altogether. Just discard anything with MI_ in it before the second slash. The parent node tells you everything you need to know about the identity of the device.
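The answer's rule (keep the node without MI_ before the second backslash, drop the interface children) is easy to apply once the DeviceID string is parsed into its parts. The block below is an added example, not code from the question or answer: it parses the USB DeviceID shape quoted above with a regular expression, keeps one primary entry per physical device, and groups nodes by VID/PID. The sample strings are the four from the question; the regex only covers the `USB\VID_xxxx&PID_xxxx[&MI_xx]\instance` form shown there, and the function names are assumptions for illustration. As the question notes, a child's instance part (for example 7&3538A2BF&0&0000) does not repeat the parent's serial, so the string alone cannot say which child belongs to which parent; the example therefore does not try to.

```python
import re
from collections import defaultdict

# Constructed sample: the DeviceID strings quoted in the question above, i.e. two
# identical webcams, each appearing as a composite parent node plus an interface-0 child.
SAMPLE_DEVICE_IDS = [
    r"USB\VID_046D&PID_082D&MI_00\6&DB509D0&0&0000",
    r"USB\VID_046D&PID_082D&MI_00\7&3538A2BF&0&0000",
    r"USB\VID_046D&PID_082D\195825EF",
    r"USB\VID_046D&PID_082D\36149BBF",
]

# Assumption: only the USB enumerator format shown in the question is handled.
DEVICE_ID_RE = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})"
    r"(?:&MI_(?P<mi>[0-9A-F]{2}))?\\(?P<instance>[^\\]+)$",
    re.IGNORECASE,
)

def parse_device_id(device_id):
    """Split a USB DeviceID into VID, PID, optional interface number and instance part."""
    m = DEVICE_ID_RE.match(device_id)
    if not m:
        return None                       # not a USB DeviceID in the expected shape
    d = m.groupdict()
    return {
        "device_id": device_id,
        "vid": d["vid"].upper(),
        "pid": d["pid"].upper(),
        "interface": int(d["mi"], 16) if d["mi"] else None,
        "instance": d["instance"],
        "is_child": d["mi"] is not None,  # MI_ present => interface node under a composite parent
    }

def primary_devices(device_ids):
    """One entry per physical device: parent nodes only, as the answer recommends."""
    parsed = [p for p in map(parse_device_id, device_ids) if p]
    return [p for p in parsed if not p["is_child"]]

def group_by_model(device_ids):
    """Group instance parts by VID/PID; parents and children of one model land together,
    but the string alone cannot pair a given child with a given parent."""
    groups = defaultdict(lambda: {"parents": [], "children": []})
    for p in filter(None, map(parse_device_id, device_ids)):
        groups[(p["vid"], p["pid"])]["children" if p["is_child"] else "parents"].append(p["instance"])
    return dict(groups)

if __name__ == "__main__":
    for dev in primary_devices(SAMPLE_DEVICE_IDS):
        print(dev["vid"], dev["pid"], dev["instance"])
```

On the sample input `primary_devices` returns the two parent nodes (instance parts 195825EF and 36149BBF) and discards both MI_00 children, which is the filtering the answer describes without relying on the Description field.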

Digital Broadcasting - settop box

I'm very new to set-top box projects. Is there any material available to study the basics of its internals and how it works? I don't know how to start understanding it. I was looking for the architecture of the middleware, DCCM and other components. I need to know how these components interact with each other. I need to know how, by pressing a particular event in the EPG menu, we are able to get the event corresponding to the service. I need to know the interaction between the tables, how to set the reminder in the EPG and how interactive TV works.
This is only a very partial answer to your question. Rather, I would say this is the first preliminary work you must accomplish before getting deeper into interactivity.
The tutorial here on PSIP (Program Specific Information) shows how ATSC (DVB is similar) is organized in the form of periodic tables, including some tables that carry the EPG. By reading and processing such tables you will be able to accomplish the desired work.
Essentially, the EPG table contains the information about the program and its respective time, and the actual timing information is contained in the TDT and TOT tables. These tables tell the STB the current (wall clock) time. Once the respective time occurs, as per the TDT/TOT, the notification action can fire.
Below here are two more important references to Transport stream structures.
PSIP tutorial
The ATSC transport layer, including program and system information protocol (PSIP)
Please read the above prerequisites and then refine your question.

retrieving the serial number of a USB keyboard under Windows

Many USB devices contain a unique serial number (which is actually a Unicode string) which the host can use in conjunction with the 16-bit vendor and product ID numbers to uniquely identify the device.
I'm trying to figure out how to write a Windows application that would be able to display a list of all USB human interface devices attached to the system. The list would have one row for each HID, including system keyboards. There would be columns in the list for the vendor ID, product ID, and serial number.
I can get a list of USB HIDs by calling SetupDiGetClassDevs with the GUID returned by HidD_GetHidGuid and looping through the result by repeatedly calling SetupDiEnumDeviceInterfaces. I can then call SetupDiGetDeviceInterfaceDetail to get the path to each device, which I can open with CreateFile, so long as I am careful to request neither read nor write permission, which would be denied for a system keyboard. From there I can get the vendor and product ID numbers by invoking HidD_GetAttributes.
What I'm having trouble figuring out is how to retrieve the serial number string. When I search for solutions to this problem, I find a lot of information about how to get serial numbers for USB mass storage devices, but nothing that looks like it might apply to any other type of USB device. I would be happy to discover either a generic method or a HID-specific method of retrieving the serial number string.
I have a feeling that the Win32 port of libusb could manage this without too much trouble, but unfortunately I need a solution that depends only on libraries that come with Windows, such as the setupapi and hid DLLs that contain the functions mentioned above.
Any suggestions would be very much appreciated!
It turns out that HID.dll defines a function called HidD_GetSerialNumberString that does exactly what I want, given the handle I got from CreateFile as described above. Just tried it out and it works great. There are also HidD_GetManufacturerString and HidD_GetProductString functions to retrieve the other string descriptors referred to in the device descriptor, and even a HidD_GetIndexedString to get an arbitrary string descriptor given its index (presumably because the HID descriptor is allowed to contain string descriptor indices). I feel pretty silly now -- the answer was right there under my nose this whole time.
Thank you all for taking the time to read and answer my question! I'm going to go ahead and accept Alphaneo's answer since it sounds quite promising, and in fact I was waiting for the DDK to download when I stumbled across this answer.
Have you tried the USBView source code that comes along with the DDK? The USBView tool displays the serial number for any USB device, and the source is shipped with the DDK.
Have you tried searching for the documentation of the HID definition of input records, output records and feature records for HID keyboards? This should show you the list of "things" you can get out of/into a keyboard through HID.
Also, I know it is possible to enumerate the HID record definition by software. I did something similar about 1 year ago, but I cannot remember the details off the top of my head. Doing so would allow you to see what the keyboard USB class is publishing as a standard interface.
I hope it can get you a few pointers to find out what you are looking for. Sorry I could not be more precise!
I recommend this book: USB Complete. Chapter 4, Enumeration: How the Host Learns about Devices, has the information you need.
This page has many links to information, and links to libraries and utilities you can use.
You can use GetVolumeInformation for getting the serial number of any hardware attached.
