Introduction to NDIS

The Network Driver Interface Specification (NDIS) is a Microsoft-defined interface that enables network adapter drivers (also known as miniport drivers) to communicate with the network stack in Windows. NDIS also defines interfaces for protocol drivers and filter drivers, which sit above and between miniport drivers, respectively.

What is NDIS?

NDIS acts as a middleware layer between network adapter hardware and the operating system's networking components. It abstracts the complexities of network hardware, providing a consistent programming interface for developers. This allows different network adapter manufacturers to develop drivers without needing to understand the intricate details of the Windows networking subsystem, and conversely, allows Microsoft to introduce new networking features without requiring significant changes to existing network adapter drivers.

Key benefits of NDIS include:

Hardware Abstraction: Hides the specific details of network interface cards (NICs).
Standardization: Provides a common interface for network drivers.
Modularity: Supports different types of network drivers (miniport, protocol, filter).
Performance: Optimized for efficient data transfer.
Extensibility: Allows for new networking technologies and features.

NDIS Driver Types

NDIS defines three main types of drivers:

Miniport Drivers

Miniport drivers are the most common type and are responsible for controlling a specific network adapter. They perform the following functions:

Initialize and halt the network adapter.
Send data packets to the network.
Receive data packets from the network.
Report the status of the network adapter (e.g., link up/down).
Handle hardware-specific configurations.

Miniport drivers interact directly with the network adapter hardware through I/O ports, memory-mapped I/O, or Direct Memory Access (DMA). They communicate with the NDIS library, which in turn communicates with protocol drivers or the operating system's networking stack.

Protocol Drivers

Protocol drivers implement network protocols (e.g., TCP/IP, IPX/SPX). They are responsible for:

Formatting data according to specific network protocols.
Sending data down to the miniport driver for transmission.
Receiving data from the miniport driver and passing it up to higher-level applications or services.
Managing network connections and addressing.

Protocol drivers can stack on top of each other. For example, TCP sits above IP, and both stack on top of the NDIS library.

Filter Drivers

Filter drivers act as intermediate drivers between protocol drivers and miniport drivers. They can intercept, inspect, modify, or drop network packets. This capability is useful for:

Network monitoring and analysis.
Implementing firewalls or intrusion detection systems.
Packet shaping and QoS (Quality of Service).
Network virtualization.

Filter drivers can be chained together, forming a sophisticated packet processing pipeline.

NDIS Packet Flow

Data flows through the NDIS architecture in a well-defined manner:

Send Path: A protocol driver initiates a send request. NDIS passes the packet down to a filter driver (if present), which may modify it, and then passes it to the appropriate miniport driver. The miniport driver then sends the packet out over the network interface.
Receive Path: The miniport driver receives a packet from the network. It passes the packet up to NDIS. NDIS then passes it to any filter drivers (in reverse order of their binding), which can inspect or modify it. Finally, NDIS delivers the packet to the protocol driver that requested it or to the operating system's network stack.

Note: NDIS has evolved significantly over the years. Modern NDIS versions (NDIS 6.0 and later) introduced substantial changes, including support for the Windows Driver Frameworks (WDF), packet coalescing, and improved power management features. Understanding the specific NDIS version is crucial for driver development.

NDIS Structures and Functions

NDIS provides a rich set of structures, functions, and OIDs (Object Identifiers) for driver development. Some key concepts include:

NDIS_PACKET: Represents a network packet.
NDIS_BUFFER: Describes a contiguous block of memory for packet data.
NdisAllocatePacket / NdisFreePacket: Functions for managing packet structures.
NdisOpenAdapterEx / NdisCloseAdapterEx: Functions for opening and closing a connection to a network adapter.
OIDs: Standardized identifiers used to query and set adapter properties and statistics. For example, OID_GEN_MEDIA_CONNECT_STATUS reports the link status.

Developing NDIS drivers requires a deep understanding of kernel-mode programming, memory management, interrupt handling, and the specific network hardware being targeted.