Unit OS A: Windows NetworkingUnit OS A: Windows Networking

A.4.A.4. Lab ManualLab Manual

2

Copyright NoticeCopyright Notice© 2000-2005 David A. Solomon and Mark Russinovich© 2000-2005 David A. Solomon and Mark Russinovich

These materials are part of the These materials are part of the Windows Operating Windows Operating System Internals Curriculum Development Kit,System Internals Curriculum Development Kit, developed by David A. Solomon and Mark E. developed by David A. Solomon and Mark E. Russinovich with Andreas PolzeRussinovich with Andreas Polze

Microsoft has licensed these materials from David Microsoft has licensed these materials from David Solomon Expert Seminars, Inc. for distribution to Solomon Expert Seminars, Inc. for distribution to academic organizations solely for use in academic academic organizations solely for use in academic environments (and not for commercial use)environments (and not for commercial use)

3

Roadmap for Section A.4Roadmap for Section A.4

Lab experiments investigating:Lab experiments investigating:

Listing registered winsock transportsListing registered winsock transports

Viewing named pipes and named pipe activityViewing named pipes and named pipe activity

Investigating NetBIOS namesInvestigating NetBIOS names

Watching TDI activityWatching TDI activity

Listing loaded NDIS miniportsListing loaded NDIS miniports

Capture network packets with network monitorCapture network packets with network monitor

4

List Registered Winsock TransportsList Registered Winsock Transports

Winsock integrates with the Windows I/O model and uses file Winsock integrates with the Windows I/O model and uses file handles to represent socketshandles to represent sockets

Kernel-mode Ancillary Function Driver (AFD - \Windows\System32\Kernel-mode Ancillary Function Driver (AFD - \Windows\System32\Drivers\Afd.sys) implements socket-based functionsDrivers\Afd.sys) implements socket-based functions

AFD is a TDI client and executes network socket operations by AFD is a TDI client and executes network socket operations by sending TDI IRPs to protocol driverssending TDI IRPs to protocol drivers

AFD isn’t coded to use particular protocol drivers; user-mode AFD isn’t coded to use particular protocol drivers; user-mode Msafd.dll informs AFD of the name of the protocol used for each Msafd.dll informs AFD of the name of the protocol used for each socket socket

AFD opens the device object representing the protocolAFD opens the device object representing the protocol

Windows Sockets Configuration(Sporder.exe)Windows Sockets Configuration(Sporder.exe) utility shows utility shows registered Winsock transport providersregistered Winsock transport providers

5

Viewing Named Pipes and Named Viewing Named Pipes and Named Pipe ActivityPipe Activity

Run Pipelist (Sysinternals) to see the named Run Pipelist (Sysinternals) to see the named pipes on a systempipes on a system

Run Filemon (Sysinternals) to watch named pipe Run Filemon (Sysinternals) to watch named pipe activity in real-timeactivity in real-time

6

Investigating NetBIOS namesInvestigating NetBIOS names

NetBIOS relies on a naming conventionNetBIOS relies on a naming convention

computers and network services are assigned a 16-byte name computers and network services are assigned a 16-byte name called a NetBIOS name called a NetBIOS name

Only one instance of a unique NetBIOS name can be assigned Only one instance of a unique NetBIOS name can be assigned to a networkto a network

A client can broadcast messages by sending them to a groupA client can broadcast messages by sending them to a group

Windows automatically defines a NetBIOS name for a Windows automatically defines a NetBIOS name for a domain domain

the first 15 bytes of the left-most DNS name the first 15 bytes of the left-most DNS name

support interoperability with Windows NT 4 systems as well as support interoperability with Windows NT 4 systems as well as Consumer WindowsConsumer Windows

Nbtstat.exe -nNbtstat.exe -n shows NetBIOS-to-TCP/IP mappings shows NetBIOS-to-TCP/IP mappings

7

Watching TDI ActivityWatching TDI Activity

Run TDIMon (Sysinternals) to watch TDI activity Run TDIMon (Sysinternals) to watch TDI activity

Access any network resourceAccess any network resource

TDImon sees every IRP that TDI clients issue to TDImon sees every IRP that TDI clients issue to network protocols. network protocols.

By intercepting TDI client event callback By intercepting TDI client event callback registration, it also monitors event callbacks.registration, it also monitors event callbacks.

8

Listing Network Driver Interface Listing Network Driver Interface Specification (NDIS) miniportsSpecification (NDIS) miniports

NDIS-conforming network adapter drivers are called NDIS-conforming network adapter drivers are called NDIS miniport drivers NDIS miniport drivers

NDIS library (\Windows\System32\Drivers\Ndis.sys) NDIS library (\Windows\System32\Drivers\Ndis.sys) implements the NDIS boundary that exists between TDI implements the NDIS boundary that exists between TDI transports (typically) and NDIS driverstransports (typically) and NDIS drivers

a helper library that NDIS driver clients use to format a helper library that NDIS driver clients use to format commands they send to NDIS driverscommands they send to NDIS drivers

Kernel debugger shows miniports:Kernel debugger shows miniports:

!miniports and !miniport commands!miniports and !miniport commands

ndiskd extension needs to be loadedndiskd extension needs to be loaded

9

Using Network Monitor to Capture Using Network Monitor to Capture Network PacketsNetwork Packets

Note: requires Windows 2000 Server or higherNote: requires Windows 2000 Server or higher

Install Network Monitor ToolsInstall Network Monitor Tools

Configure Network Monitor to attach to a network Configure Network Monitor to attach to a network connectionconnection

Run Network Monitor (netmon.exe)Run Network Monitor (netmon.exe)

Press go to begin monitoringPress go to begin monitoring

Perform network activityPerform network activity

Press stop to stop monitoringPress stop to stop monitoring

Double-click on monitor event to reveal more informationDouble-click on monitor event to reveal more information