IpFilter能收到所有的包吗？

我怎么感觉收到的包不够。
我在过滤邮件的时候，我想把接收到邮件数据都显示出来。
发现远远小于邮件的大小。
我这样干的：
           IPHeader *iph;
TCPHeader *tcph;
PCHAR pBuffer = NULL;
unsigned int port;
unsigned int cbSize;
//we "extract" the ip Header
iph = (IPHeader *)PacketHeader;

//TCP -> protocol = 6
if( iph->ipProtocol == 6 )
{
tcph=(TCPHeader *)Packet;
port = ntohs( tcph->sourcePort );
if( port == 110 )
{
cbSize = PacketLength - sizeof(TCPHeader);
dprintf("recv [[*%d*]] bytes pop3 data  from IP:[[*%x*]]<-->Port:[[*%d*]]", PacketLength, iph->ipSource, port);
pBuffer = (PCHAR)ExAllocatePool( NonPagedPool, cbSize + 1 );
RtlCopyMemory( pBuffer, Packet + sizeof(TCPHeader), cbSize);

pBuffer[ cbSize ] = '\0';
dprintf( "%s", pBuffer );
ExFreePool( pBuffer );

}
}

上面的问题没有写完。续：
pBuffer[ cbSize ] = '\0';
dprintf( "%s", pBuffer );
ExFreePool( pBuffer );

}
********************************************************
********************************************************
********************************************************
下面是我收邮件时的情景：

我在cmd下的操作如下：

+OK
+OK authorization succeeded (eyou mta)
+OK
1 500
2 500
.
-ERR unimplemented (eyou mta)
+OK
Received: (eyou send program); Wed, 03 Mar 2004 21:37:09 +0800
Message-ID: <278321029.56488@mail.sdu.edu.cn>
Received: from 211.87.213.78 by mail.sdu.edu.cn with HTTP; Wed, 03 Mar 2004 21:3
7:09 +0800
X-WebMAIL-MUA: [211.87.213.78]
From: "相建亭" <x_j_ting@mail.sdu.edu.cn>
To: x_j_ting@mail.sdu.edu.cn
Date: Wed, 03 Mar 2004 21:37:09 +0800
Return-Path: "相建亭" <x_j_ting@mail.sdu.edu.cn>
Reply-To: "相建亭" <x_j_ting@mail.sdu.edu.cn>
Subject: AAAAAAAAAAAA
Content-Type: text/plain

BBBBBBBBBBBBBB


.


我在dbgview下拦截如下：

00000000 0.00000000 recv [[*4*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000001 0.00001620 ]
00000002 0.00174994 recv [[*16*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000003 0.00176950 +OK POP3 ready
00000004 10.12698709 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000005 10.31700118 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000006 10.42714395 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000007 10.52707593 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000008 10.71719227 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000009 11.07712656 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000010 11.29699305 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000011 11.47729502 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000012 11.58708383 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000013 11.86754406 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000014 11.96717264 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000015 12.06726833 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000016 12.19428615 recv [[*6*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000017 12.19430263 +OK  
00000018 13.45732852 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000019 13.58725676 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000020 13.80725288 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000021 13.94760926 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000022 14.12736842 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000023 14.44750073 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000024 14.54718575 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000025 14.64715767 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000026 14.74747712 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000027 14.84726299 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000028 14.85236504 recv [[*40*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000029 14.85237565 +OK authorization succeeded (eyou mta)
00000030 16.15737643 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000031 16.36716398 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000032 16.46742030 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000033 16.57728426 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000034 16.63061814 recv [[*6*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000035 16.63063546 +OK  
00000036 16.82950012 recv [[*17*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000037 16.82951716 1 500
00000038 16.82952275 2 500
00000039 16.82952833 .
00000040 18.31722328 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000041 18.47759226 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000042 18.58724335 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000043 18.93734623 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000044 19.53748060 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000045 20.53744373 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000046 20.88742200 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000047 21.04736803 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000048 21.18696706 recv [[*18*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000049 21.18698494 -ERR unimplemented
00000050 21.34351042 recv [[*13*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000051 21.34352690 (eyou mta)
00000052 22.60859523 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000053 22.75765216 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000054 22.89756463 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000055 23.70776705 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000056 24.01739914 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000057 24.28756392 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000058 24.56396888 recv [[*6*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000059 24.56398593 +OK  
00000060 24.75474760 recv [[*88*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000061 24.75476604 Received: (eyou send program); Wed, 03 Mar 2004 21:37:09 +0800
00000062 24.75477191 Message-ID: <278321029.5
00000063 144.57162544 recv [[*25*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000064 144.57164332 -ERR timeout (eyou mta)
00000065 144.57170478 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000066 144.57307060 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
***********************************************************
***********************************************************
***********************************************************
***********************************************************
***********************************************************
请大家给小弟看看是怎么回事啊？谢谢
***********************************************************

我郁闷死了。发了好几遍发不全，那句话，发布上去。这个论坛后问题。

pBuffer[ cbSize ] = 0;
dprintf( "%s", pBuffer );
ExFreePool( pBuffer );

}
}
*********************************************************
下面是我收邮件时候的情景：


*********************************************************

我在cmd下的操作如下：
+OK
+OK authorization succeeded (eyou mta)
+OK
1 500
2 500
.
-ERR unimplemented (eyou mta)
+OK
Received: (eyou send program); Wed, 03 Mar 2004 21:37:09 +0800
Message-ID: <278321029.56488@mail.sdu.edu.cn>
Received: from 211.87.213.78 by mail.sdu.edu.cn with HTTP; Wed, 03 Mar 2004 21:3
7:09 +0800
X-WebMAIL-MUA: [211.87.213.78]
From: "相建亭" <x_j_ting@mail.sdu.edu.cn>
To: x_j_ting@mail.sdu.edu.cn
Date: Wed, 03 Mar 2004 21:37:09 +0800
Return-Path: "相建亭" <x_j_ting@mail.sdu.edu.cn>
Reply-To: "相建亭" <x_j_ting@mail.sdu.edu.cn>
Subject: AAAAAAAAAAAA
Content-Type: text/plain

BBBBBBBBBBBBBB


.
*******************************************************
我在dbgview下拦截的数据如下：

00000000 0.00000000 recv [[*4*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000001 0.00001620 ]
00000002 0.00174994 recv [[*16*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000003 0.00176950 +OK POP3 ready
00000004 10.12698709 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000005 10.31700118 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000006 10.42714395 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000007 10.52707593 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000008 10.71719227 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000009 11.07712656 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000010 11.29699305 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000011 11.47729502 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000012 11.58708383 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000013 11.86754406 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000014 11.96717264 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000015 12.06726833 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000016 12.19428615 recv [[*6*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000017 12.19430263 +OK  
00000018 13.45732852 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000019 13.58725676 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000020 13.80725288 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000021 13.94760926 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000022 14.12736842 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000023 14.44750073 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000024 14.54718575 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000025 14.64715767 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000026 14.74747712 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000027 14.84726299 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000028 14.85236504 recv [[*40*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000029 14.85237565 +OK authorization succeeded (eyou mta)
00000030 16.15737643 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000031 16.36716398 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000032 16.46742030 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000033 16.57728426 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000034 16.63061814 recv [[*6*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000035 16.63063546 +OK  
00000036 16.82950012 recv [[*17*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000037 16.82951716 1 500
00000038 16.82952275 2 500
00000039 16.82952833 .
00000040 18.31722328 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000041 18.47759226 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000042 18.58724335 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000043 18.93734623 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000044 19.53748060 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000045 20.53744373 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000046 20.88742200 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000047 21.04736803 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000048 21.18696706 recv [[*18*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000049 21.18698494 -ERR unimplemented
00000050 21.34351042 recv [[*13*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000051 21.34352690 (eyou mta)
00000052 22.60859523 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000053 22.75765216 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000054 22.89756463 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000055 23.70776705 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000056 24.01739914 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000057 24.28756392 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000058 24.56396888 recv [[*6*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000059 24.56398593 +OK  
00000060 24.75474760 recv [[*88*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000061 24.75476604 Received: (eyou send program); Wed, 03 Mar 2004 21:37:09 +0800
00000062 24.75477191 Message-ID: <278321029.5
00000063 144.57162544 recv [[*25*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000064 144.57164332 -ERR timeout (eyou mta)
00000065 144.57170478 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
00000066 144.57307060 recv [[*0*]] bytes pop3 data  from IP:[[*80fc2ca*]]<-->Port:[[*110*]]
*******************************************************
请大家给小弟看看哪儿出错了。谢谢

求求大家了，给我看看吧。

求求各位高手帮着看看吧？
我现在很急。

好象只能收到小的数据包，大的数据包没有收到。

不能收到所有的包！ARP，ICMP就拿不到

ICMP 可以得到。 他不可以获得所有的包。 这是微软设计BUG.

80的包可以得到。
25的包主要部分不可以。既使有了包大小也没发得到包内容。

他是属于TDI层的HOOK。

下面是我做的代码。删了好多。

//#include <wdm.h>
#include "ntddk.h"
#include "YMDriver.h"
#include <stdio.h>
#include <ntddndis.h>
#include <pfhook.h>

static BOOLEAN Sign = FALSE;
//PDRIVER_OBJECT pOldDriverObject;
PVOID EventObject = NULL;
PMDL  Mdl;
KEVENT signal_event;
KSPIN_LOCK ArraySpinLock;
char *TcpUserData;
int  TcpUserDataSize;
BOOLEAN FilterFlags=FALSE;

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegsitryPath)
{
NTSTATUS ntstatus;
PDEVICE_OBJECT pMyMainDeviceObject;
UNICODE_STRING MainLinkName;
UNICODE_STRING MainDeviceName;
PMyMainDeviceExtension     pMyMainDeviceExtension;
int i;
DbgPrint("DriverEntry Start \n");

for(i=0;i<IRP_MJ_MAXIMUM_FUNCTION;i++)
{
DriverObject->MajorFunction =  Dispatch;
}

RtlInitUnicodeString(&MainDeviceName,MyMainDeviceName);

ntstatus=IoCreateDevice(
IN DriverObject,
IN sizeof(MyMainDeviceExtension),
IN &MainDeviceName,
IN FILE_DEVICE_UNKNOWN,
IN 0,
IN FALSE,
IN &pMyMainDeviceObject);
if(!NT_SUCCESS(ntstatus))
{
DbgPrint("IoCreateDevice %s Error Code 0X%x\n",MyMainDeviceName,ntstatus);
goto exit;
}

pMyMainDeviceExtension = (PMyMainDeviceExtension)(pMyMainDeviceObject->DeviceExtension);

InitializeMyMainDeviceExtension(IN DriverObject,IN pMyMainDeviceObject,IN pMyMainDeviceExtension);

RtlInitUnicodeString(&MainLinkName,MyMainLinkName);

ntstatus=IoCreateSymbolicLink(&MainLinkName,&MainDeviceName);
if(!NT_SUCCESS(ntstatus))
{
DbgPrint("IoCreateSymbolicLink %s Error Code 0X%x \n",MainLinkName,ntstatus);
IoDeleteDevice(pMyMainDeviceObject);
goto exit;
}

KeInitializeEvent(&signal_event, NotificationEvent, 0);

DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MyDeviceControl;
DriverObject->DriverUnload = Unload;

exit:

return ntstatus;
}


VOID InitializeMyMainDeviceExtension(IN PDRIVER_OBJECT DriverObject,IN PDEVICE_OBJECT DeviceObject,IN PMyMainDeviceExtension pMyMainDeviceExtension)
{
memset(pMyMainDeviceExtension,0,sizeof(MyMainDeviceExtension));
pMyMainDeviceExtension->DeviceType     =  MainType;
pMyMainDeviceExtension->pDriverObject  =  DriverObject;
pMyMainDeviceExtension->pDeviceObject  =  DeviceObject;
return;
}

NTSTATUS Dispatch(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
NTSTATUS ntstatus=STATUS_SUCCESS;
PIO_STACK_LOCATION pIrpStack;

DbgPrint("Dispatch\n");

pIrpStack=IoGetCurrentIrpStackLocation(Irp);

switch(pIrpStack->MajorFunction)
{

break;
default:
break;
}

    Irp->IoStatus.Status = ntstatus;
Irp->IoStatus.Information=0L;
IoCompleteRequest(Irp,0);

return ntstatus;
}


static NTSTATUS MyDeviceControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
NTSTATUS ntstatus=STATUS_SUCCESS;
PIO_STACK_LOCATION pIrpStack;
HANDLE hEvent = NULL;
OBJECT_HANDLE_INFORMATION HandleInfo;
PMyMainDeviceExtension pMyMainDeviceExtension;

pMyMainDeviceExtension = (PMyMainDeviceExtension)(DeviceObject->DeviceExtension);

DbgPrint("MyDeviceControl\n");

pIrpStack=IoGetCurrentIrpStackLocation(Irp);

switch(pIrpStack->MajorFunction)
{
default:
break;
}
default:
break;
}


IoCompleteRequest(Irp,IO_NO_INCREMENT);
    
return ntstatus;
}



NTSTATUS InstallAndUnloadHookIPFilterDriver(BOOLEAN Flags)
{
NTSTATUS ntstatus;
PIRP  pIrp;
UNICODE_STRING NtIPFilterDriver;
PFILE_OBJECT pFileObject;
PDEVICE_OBJECT pDeviceObject;
PF_SET_EXTENSION_HOOK_INFO HookCallback;
IO_STATUS_BLOCK  StatusBlock;

RtlInitUnicodeString(&NtIPFilterDriver,IPFilterDriver);

ntstatus=IoGetDeviceObjectPointer(
IN  &NtIPFilterDriver,
IN  FILE_GENERIC_READ|FILE_GENERIC_WRITE,
OUT &pFileObject,
OUT &pDeviceObject);
if(!NT_SUCCESS(ntstatus))
{
DbgPrint("InstallAndUnloadHookIPFilterDriver: IoGetDeviceObjectPointer Error Code 0X%x \n",ntstatus);
goto exit;
}

if(Flags==TRUE)
{
HookCallback.ExtensionPointer = MyHookCallback;
}
else
{
HookCallback.ExtensionPointer = NULL;
}

pIrp=IoBuildDeviceIoControlRequest(
IN IOCTL_PF_SET_EXTENSION_POINTER,
IN pDeviceObject,
IN &HookCallback,
IN sizeof(PF_SET_EXTENSION_HOOK_INFO),
OUT NULL,
IN 0,
IN FALSE,
IN NULL,
OUT &StatusBlock);
if(pIrp==NULL)
{
DbgPrint("InstallAndUnloadHookIPFilterDriver: IoBuildDeviceIoControlRequest Error\n");
goto exit1;
}
else
{
return IoCallDriver(pDeviceObject,pIrp);
}

exit:
return ntstatus;
exit1:
return StatusBlock.Status;
}

PF_FORWARD_ACTION MyHookCallback(
IN unsigned char *PacketHeader,
IN unsigned char *Packet,
IN unsigned int PacketLength,
IN unsigned int RecvInterfaceIndex,
IN unsigned int SendInterfaceIndex,
IN IPAddr RecvLinkNextHop,
IN IPAddr SendLinkNextHop)
{
PTCPHeader  pTCPHeader;
PIPHeader   pIPHeader;
PICMPHeader pICMPHeader;
HANDLE      Handle;
char buffer[256];
int type;
int flag;
int DataOffset;
int TcpHeaderLen;
int IPHeaderLen;
int iBufSize;
char * TcpData;
KIRQL aIrqL;
int control;
pIPHeader  = (PIPHeader)PacketHeader;
{
memset(buffer,0,256);
sprintf(buffer," IPv %d ",(pIPHeader->ver_len>>4)&15);
DbgPrint("\n%s", buffer);
memset(buffer,0,256);
//版本
sprintf(buffer," 版本:%d ",(pIPHeader->ver_len>>4)&15);
DbgPrint("%s", buffer);
//报头长度
memset(buffer,0,256);
sprintf(buffer," 报头长:%d字节 ",(pIPHeader->ver_len&15)*32/8);
DbgPrint("%s", buffer);
IPHeaderLen=(pIPHeader->ver_len&15)*32/8;
//服务类型
memset(buffer,0,256);
sprintf(buffer," 服务类型:0x%02x ",pIPHeader->type);
DbgPrint("%s", buffer);
type=pIPHeader->type&7;
if(type==0)
DbgPrint(" 普通 ");
if(type==1)
DbgPrint(" 优先 ");
if(type==2)
DbgPrint(" 立刻 ");
if(type==3)
DbgPrint(" 即时 ");
if(type==4)
DbgPrint(" 即时、优先 ");
if(type==5)
DbgPrint(" 重要 ");
if(type==6)
DbgPrint(" 网络间控制 ");
if(type==7)
DbgPrint(" 网络控制 ");
//处理第三位到第六位
type=(pIPHeader->type>>3)&7;
if(type==0)
DbgPrint(" 普通服务 ");
if(type==1)
DbgPrint(" 金钱成本最小 ");
if(type==2)
    DbgPrint(" 可靠性最大 ");
if(type==4)
DbgPrint(" 吞吐量最大 ");
if(type==8)
DbgPrint(" 延迟最小 ");
if(type==15)
DbgPrint(" 安全级最高 ");
//数据报长度
memset(buffer,0,256);
sprintf(buffer," 数据报长度:%d字节 ",pIPHeader->length[0]*0x100+pIPHeader->length[1]);
DbgPrint("%s", buffer);
iBufSize=(pIPHeader->length[0]*0x100+pIPHeader->length[1]);
//标识
memset(buffer,0,256);
sprintf(buffer," 标识:%d ",pIPHeader->id[0]*0x100+pIPHeader->id[1]);
DbgPrint("%s", buffer);
//标志
memset(buffer,0,256);
flag=pIPHeader->flag_offset[0]>>5;
sprintf(buffer," 标志:%d ",flag);
DbgPrint("%s", buffer);
if((flag&4)==0)
DbgPrint(" 预约固定 ");
if((flag&2)==0)
DbgPrint(" 有碎块 ");
if((flag&1)==0)
DbgPrint(" 最后的碎块 ");
else
DbgPrint(" 接收中 ");
//数据块偏移
memset(buffer,0,256);
sprintf(buffer," '数据块偏移':%d ",(pIPHeader->flag_offset[0]*0x100+pIPHeader->flag_offset[1])&8191);//后13位
DbgPrint("%s", buffer);
//TTL
memset(buffer,0,256);
sprintf(buffer," 生存时间TTL:%d ",pIPHeader->time);
DbgPrint("%s", buffer);
/* //协议
memset(buffer,0,256);
switch(pIPHeader->protocol)
{
case PROT_ICMP:
DbgPrint(" 协议:ICMP ");
break;
case PROT_TCP:
DbgPrint(" 协议:TCP ");
break;
case PROT_EGP:
DbgPrint(" 协议:EGP ");
break;
case PROT_IGP:
DbgPrint(" 协议:IGP ");
break;
case PROT_UDP:
DbgPrint(" 协议:UDP ");
break;
default:
{
sprintf(buffer," 协议:%d (不支持) ",pIPHeader->protocol);
DbgPrint("%s", buffer);
}
break;
}*/
//报头校验码
memset(buffer,0,256);
sprintf(buffer," 报头校验码:0x%02x%02x ",pIPHeader->crc_val[0],pIPHeader->crc_val[0]);
DbgPrint("%s", buffer);
//发送端地址
memset(buffer,0,256);
sprintf(buffer," 源地址:%d.%d.%d.%d ",pIPHeader->src_addr[0],pIPHeader->src_addr[1],pIPHeader->src_addr[2],pIPHeader->src_addr[3]);
DbgPrint("%s", buffer);
//接收端地址
memset(buffer,0,256);
sprintf(buffer," 目标地址:%d.%d.%d.%d ",pIPHeader->des_addr[0],pIPHeader->des_addr[1],pIPHeader->des_addr[2],pIPHeader->des_addr[3]);
DbgPrint("%s", buffer);
}

switch(((PIPHeader)PacketHeader)->protocol)
{
case PROT_ICMP:
{
pICMPHeader = (PICMPHeader)Packet;
DbgPrint("ICMP\n");
memset(buffer,0,256);
sprintf(buffer," 类型:%d ",pICMPHeader->Type);
DbgPrint("%s",buffer);
switch(pICMPHeader->Type)
{
case 0:
DbgPrint(" 对会应请求的响应 ");
break;
case 3:
DbgPrint(" IP数据报到达不了接收端 ");
break;
case 4:
DbgPrint(" 抑制从发送端传来的数据 ");
break;
case 5:
DbgPrint(" 请求变更路径 ");
break;
case 8:
DbgPrint(" 响应请求 ");
break;
case 11:
DbgPrint(" 通知发送端TTL已为0 ");
break;
case 12:
DbgPrint(" 通知数据报形式等出错 ");
break;
case 13:
DbgPrint(" 要求对方送出时间信息 ");
break;
case 14:
DbgPrint(" 对要求时间戳的回应 ");
break;
case 15:
DbgPrint(" 由路邮器查询地址等信息 ");
break;
case 16:
DbgPrint(" 对查询信息的会应 ");
break;
case 17:
DbgPrint(" 地址掩码请求消息 ");
break;
case 18:
DbgPrint(" 地址掩码会应消息 ");
break;
default:
DbgPrint(" 未知类型值 ");
break;
}
//代码
memset(buffer,0,256);
sprintf(buffer," 代码:%d ",pICMPHeader->Code);
DbgPrint("%s",buffer);
//校验码
memset(buffer,0,256);
sprintf(buffer," 校验码:0x%02x%02x ",pICMPHeader->Checksum[0],pICMPHeader->Checksum[1]);

DbgPrint(" 状态:阻拦 \n");
return PF_DROP;
}
break;
case PROT_IGMP:
DbgPrint("IGMP\n");
break;
case PROT_TCP:
{
pTCPHeader = (PTCPHeader)Packet;
DbgPrint("TCP\n");
//发送端端口
memset(buffer,0,256);
sprintf(buffer," 发送端端口:%d ",pTCPHeader->src_port[0]*0x100+pTCPHeader->src_port[1]);
DbgPrint("%s",buffer);
//接收端端口
memset(buffer,0,256);
sprintf(buffer," 接收端端口:%d ",pTCPHeader->des_port[0]*0x100+pTCPHeader->des_port[1]);
DbgPrint("%s",buffer);
//顺序号
memset(buffer,0,256);
sprintf(buffer," 顺序号:0x%02x%02x%02x%02x ",pTCPHeader->sequence_no[0],pTCPHeader->sequence_no[1],pTCPHeader->sequence_no[2],pTCPHeader->sequence_no[3]);
DbgPrint("%s",buffer);
//确认号
memset(buffer,0,256);
sprintf(buffer," 确认号:0x%02x%02x%02x%02x ",pTCPHeader->ack_no[0],pTCPHeader->ack_no[1],pTCPHeader->ack_no[2],pTCPHeader->ack_no[3]);
DbgPrint("%s",buffer);
//报头长
memset(buffer,0,256);
sprintf(buffer,"报头长:%d字节",(pTCPHeader->offset_reser_con[0]>>4)*32/4);
DbgPrint("%s",buffer);
            
TcpHeaderLen=(pTCPHeader->offset_reser_con[0]>>4)*32/4;
DataOffset=(pTCPHeader->offset_reser_con[0])*32/4;
//控制位
memset(buffer,0,256);
control=pTCPHeader->offset_reser_con[1]&63;
sprintf(buffer," 控制位:%d ",control);
DbgPrint("%s",buffer);
if(control&32)
DbgPrint(" URG(紧急数据指针有效) ");
if(control&16)
DbgPrint(" ACK(确认有效) ");
if(control&8)
DbgPrint(" PSH(传输强制功能) ");
if(control&4)
DbgPrint(" RTS(请求连接重新设置) ");
if(control&2)
DbgPrint(" SYN(请求顺序号同步处理) ");
if(control&1)
DbgPrint(" FIN(发送结束) ");
//窗口
memset(buffer,0,256);
sprintf(buffer," 窗口:%d位 ",pTCPHeader->window[0]*0x100+pTCPHeader->window[1]);
DbgPrint("%s",buffer);
//校验码
memset(buffer,0,256);
sprintf(buffer," 校验码:0x%02x%02x ",pTCPHeader->checksum[0],pTCPHeader->checksum[1]);
DbgPrint("%s",buffer);
//紧急数据指针
memset(buffer,0,256);
sprintf(buffer," 紧急数据指针 : 0x%02x%02x ",pTCPHeader->urgen_pointer[0],pTCPHeader->urgen_pointer[1]);
DbgPrint("%s",buffer);
if (iBufSize>40)
{
/* DbgPrint("\n[DATA Length=%d (0x%x)]\n",iBufSize-TcpHeaderLen,iBufSize-TcpHeaderLen);
DbgPrint("\n [DATA START]\n");
KeSetEvent(&signal_event, 1, FALSE);
KeAcquireSpinLock(&ArraySpinLock, &aIrqL);
PrintData(TcpData,(iBufSize-TcpHeaderLen));
KeReleaseSpinLock(&ArraySpinLock, aIrqL);
KeResetEvent(&signal_event);
DbgPrint("\n [DATA END]\n");*/
// if((pTCPHeader->src_port[0]*0x100+pTCPHeader->src_port[1]) == 445 && (pTCPHeader->des_port[0]*0x100+pTCPHeader->des_port[1]) == 1607)
// if((pTCPHeader->des_port[0]*0x100+pTCPHeader->des_port[1]) == 25 || RecvInterfaceIndex == INVALID_PF_IF_INDEX) //SMTP
// {
TcpData=Packet+DataOffset;
TcpUserData=Packet+DataOffset;
TcpUserDataSize=(iBufSize-TcpHeaderLen);
PrintData(Packet,iBufSize);
/* KeSetEvent(&signal_event,1,FALSE);

(VOID)PsCreateSystemThread(
OUT &Handle,
   IN  0L,
   IN  NULL,
   IN  NULL,
   OUT NULL,
   IN  &FilterAnalysePacket,
   IN  0);

   (VOID)KeWaitForSingleObject(
   IN &signal_event,
   IN Executive,
   IN KernelMode,
   IN FALSE,
   IN 0);

if(FilterFlags)
{
DbgPrint("垃圾邮件过滤 OK\n");
return PF_DROP;
}*/
// }
}
}
break;
case PROT_UDP:
DbgPrint("UDP\n");
break;
default:
break;
}
DbgPrint("\n");

return PF_FORWARD;
}



VOID FilterAnalysePacket(IN PVOID Context)
{
/* char *buffer=TcpUserData;
char bufferr[100]={0};
    char* pdest;
int result;
KIRQL aIrqL;
NTSTATUS ntstatus=STATUS_SUCCESS;

KeAcquireSpinLock(&ArraySpinLock, &aIrqL);

// strncpy(buffer,TcpUserData,TcpUserDataSize);

if(strncmp(buffer,"DATA",4)!=0)
{
if(strnstr(buffer,"To:",TcpUserDataSize)!=0)
{
pdest=strstr(buffer,"To:",TcpUserDataSize);
if(strncmp((buffer+6),"From:",5)!=0)
{
result = pdest - buffer;
_snprintf(bufferr,result,buffer);
DbgPrint("发信人邮件地址 %s\n",bufferr);
if(strnstr(buffer,"Subject:",TcpUserDataSize)!=NULL)
{
memset(bufferr,0,100);
pdest=strnstr(buffer,"Subject:",TcpUserDataSize);
result = pdest - buffer;
_snprintf(bufferr,result,buffer);
DbgPrint("收信人邮件地址 %s\n",bufferr);
}
}
}
}
KeResetEvent(&signal_event);
(VOID)PsTerminateSystemThread(ntstatus);
KeReleaseSpinLock(&ArraySpinLock, aIrqL);*/
return ;
}

IPFILTRE只能截获0x80也就是IP协议的报文，其实他就是使用的 \DEVICE\IP设备。

你可以登录 http://www.110i.net，通过 110i@110i.net 和我联系，我们一起来研究和探讨一下。

再见！