Step One:
Because process information is not available in NDIS, that layer can only get information down to the port.
So maintain a table locally in the TDI layer that stores the correspondence between processes and ports. (Getting the process information and the ports is not difficult, I've done it; they just need to be correlated.)
Step Two:
NDIS calls a function to query the TDI layer for this process-and-port table, and then limits the traffic for a given port. (Difficulty: figuring out how TDI and NDIS communicate, because the two need to exchange this information.)
Step Three:
How is the traffic on a port limited, and on what principle? Deferred processing (delaying packets) or packet-drop processing is a good choice.
What if the process network speed limit can be completed on the basis of the original TDI?
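The three steps above modeled in user-mode C, as an added example that is not code from the original design. The names `table_add`, `table_lookup` and `limit_packet`, the sample PID and port, and the token-bucket policy are assumptions; no real TDI or NDIS calls are used.

```c
/* Added example: user-mode model, not driver code; all names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
/* Step One: one row of the process/port table kept on the TDI side. */
struct port_entry { uint16_t port; uint32_t pid; };
static struct port_entry table[64];
static size_t table_len;

/* Per-process limit; credit is kept in bytes * 1000 so no fraction is lost. */
struct limit {
    uint32_t pid;       /* process being throttled */
    uint32_t rate;      /* allowed bytes per second */
    uint32_t burst;     /* largest burst in bytes */
    uint64_t credit;    /* available budget, bytes * 1000 */
    uint64_t last_ms;   /* time of the previous refill */
};

/* TDI side: record that a process owns a local port. */
int table_add(uint16_t port, uint32_t pid) {
    if (table_len == sizeof table / sizeof table[0]) return -1;
    table[table_len++] = (struct port_entry){ port, pid };
    return 0;
}

/* Step Two: the NDIS side asks which process owns a port (0 = unknown). */
uint32_t table_lookup(uint16_t port) {
    for (size_t i = 0; i < table_len; i++)
        if (table[i].port == port) return table[i].pid;
    return 0;
}

/* Step Three: 0 = pass now; otherwise milliseconds to defer the packet (a
 * dropping design discards it instead); UINT64_MAX = larger than the burst. */
uint64_t limit_packet(struct limit *l, uint16_t port, uint32_t len, uint64_t now_ms) {
    if (table_lookup(port) != l->pid) return 0;     /* another process's port */
    if (now_ms < l->last_ms) now_ms = l->last_ms;   /* clock went backwards */
    uint64_t cap = (uint64_t)l->burst * 1000, cost = (uint64_t)len * 1000;
    l->credit += (now_ms - l->last_ms) * l->rate;   /* refill for elapsed time */
    if (l->credit > cap) l->credit = cap;
    l->last_ms = now_ms;
    if (l->credit >= cost) { l->credit -= cost; return 0; }
    if (cost > cap || l->rate == 0) return UINT64_MAX;
    return (cost - l->credit + l->rate - 1) / l->rate;
}

int main(void) {
    struct limit l = { 1234, 1000, 1500, 0, 0 };    /* constructed sample */
    table_add(5000, 1234);
    return limit_packet(&l, 5000, 1000, 0) == 1000 ? 0 : 1;
}
```

A caller that delays re-submits the packet after the returned number of milliseconds; a caller that drops treats any non-zero result as a discard.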
////////////////////////// Overall design scheme for the process network speed limit //////////////////////////
The technical points are summarized as follows:
TDI drops uploads (i.e. sent packets)
NDIS drops downloads (i.e. received packets)
This raises some questions:
What is the difference between dropping packets and delaying them? (Self-test)
What is the difference between dropping packets in TDI and dropping them in NDIS? (Self-test with TDIFW and PassThru respectively)
The conclusion is:
For sent packets:
In the NDIS case the send actually completes successfully (the function returns OK); when the error shows up afterwards, the protocol guarantees retransmission.
For received packets:
At the TDI layer the transmission has already taken place. If you drop a received packet at the TDI layer, the protocol will not retransmit it.
Precautions:
TCP and UDP need to be handled separately; TCP has a heartbeat packet mechanism and a retransmission mechanism.
The IP address and port information, along with the process ID, are passed from the ALE layer to the TCP and UDP layers for parsing.
1. Improve the part that gets the IP connection
2. Parse data in UDP
3. Parse data in TCP
4. Block the code inside the process monitoring function, and add the last time.
The IP address and port can be obtained in TCP.
What is the difference between the IP address and port that each of the two layers obtains? (To be tested.)
Another idea is to use NDIS hook + TDI to achieve the speed limit, which I have also implemented.
Using TDI+NDIS to implement process network traffic throttling under Windows XP (design document)