Summary of packet-tracking techniques

Tracking the packet tracking

We just covered a couple ways to track packets in the kernel debugger.  Here’s a quick reference table to help you understand how these techniques fit into your toolbelt.

                                !ndiskd.pendingnbls    !ndiskd.nbl -log
  Documentation                 Here                   Here
  Finds “lost packets”          Yes                    No
  Finds “smuggled packets”      No                     Yes
  Finds use-after-free          No                     Yes
  Loses…


!ndiskd.nbl -log

All your NBL are belong to !ndiskd

Last time we talked about !ndiskd.pendingnbls.  This command shows you which component currently holds an NBL.  But what if you want to see how the NBL got there?  That sounds like a job for !ndiskd.nbl -log!  Starting with Windows 8 and Windows Server 2012, NDIS can be configured to…


!ndiskd.pendingnbls

I’ve got your NBLs right here

The most common issue we see in NDIS drivers is a “lost packet”.  You have lost a packet when NDIS gives your driver a NET_BUFFER_LIST (NBL) and your driver never returns the packet back to NDIS.  A lost packet will often show up as a hang during Pause or…