What's the IRP handler that transfers received packets to the user process in Windows?
As we know, the Windows kernel is driven by IRPs (I/O request packets);
when we request a webpage (or anything else), an IRP is received by the NIC. What's that IRP exactly?
See the Windows TCP/IP Stack Components page for a list of the components which are involved in such a request.
The NDIS driver model does hide the IRP which gets passed around and exposes 'callback' functions for the components to inspect/forward/change the contents of send/receive requests.
The NIC driver is an NDIS framework driver, which does not receive IRPs from the protocol driver (Tcpip.sys); instead, it exports function pointers for the protocol driver to call.
Please refer to MSDN Initializing a Miniport Driver and NDIS Driver Stack.
On XP/2k3/2000: IRPs occur at a higher network layer using the TDI framework; namely, AFD.SYS sends TDI IoControl to Tcpip.sys. AFD is a TDI client which implements Winsock by sending IRPs to Tcpip.sys.
On Vista and later: TDI is deprecated, and if I am guessing right, AFD.SYS uses WinSock Kernel to communicate with Tcpip.sys. No IRPs.
Although TDI is deprecated on Vista, if you install a TDI client or filter, TDX.SYS will be loaded and will emulate the TDI framework for you (also via WinSock Kernel). In this case, we still see TDI IRPs from TDI-client ---(TDI)---> TDX ---(WSK)---> TCPIP.