recognize when TCP connection terminated

  • Question

  • Hi, it's me again...

    The layer FWPM_LAYER_STREAM_V4 is bidirectional. Is it possible to recognize the termination of the TCP connection at this layer? Not the termination of one data flow, but the whole connection. I am more and more confused about this...

    Wednesday, August 4, 2010 2:25 PM

All replies

  • At Stream, you will be indicated the FIN(s) for TCP.  This may not be sufficient as you would need to maintain some sort of state to distinguish a connection in a half-closed state vs. a fully closed state.

    Additionally, you may try putting a callout filter at FWPM_LAYER_ALE_ENDPOINT_CLOSURE to send when the socket closes.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Thursday, August 5, 2010 2:52 AM
    Moderator
  • Thank you, that helped me very much. I now check for TCP connection termination by looking for two FIN packets: one for send and one for receive. This says to me that the connection was terminated (or is going to be terminated).

    Is there another possibility when a TCP connection will terminate and which cannot be detected by this? Maybe some kind of network interruption or failure. If yes (and I think this is so), can I recognize this at the layer FWPM_LAYER_ALE_ENDPOINT_CLOSURE? At the moment I am having trouble reaching the MSDN library. Could you tell me if the layer FWPM_LAYER_ALE_ENDPOINT_CLOSURE is available starting with Windows Vista/Server 2008?

    Jojo

    Thursday, August 5, 2010 9:10 AM
  • FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V* is available starting with Win7 / Server 2008R2. ENDPOINT_CLOSURE assumes graceful termination (closesocket). Additionally, the FWPM_LAYER_ALE_RESOURCE_RELEASE_V* layers were added. This coincides with when the endpoint goes away.


    Hope this helps,



    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Friday, August 6, 2010 3:16 AM
    Moderator
  • So on Win Vista /Server 2008 there is no reliable layer to identify a closed session?
    Friday, August 6, 2010 5:00 AM
  • What about the flag FWPS_CLASSIFY_OUT_FLAG_NO_MORE_DATA of the structure FWPS_CLASSIFY_OUT0 in the classifyFn? Could I say that if this flag is set, the connection is closed, in any case?

    Jojo

    Friday, August 6, 2010 2:08 PM
  • No, this just means that there is no data left in the queue. It's not to say more data won't come in, just that currently the queue is empty.


    Hope this helps


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Saturday, August 7, 2010 2:08 AM
    Moderator
  • So, how can I reliably say that a connection is closed? Does detecting the FIN packets of the two endpoints do it? Or isn't this possible? What is the "best" way?

    Jojo

    Monday, August 9, 2010 5:52 AM
  • Found another interesting thing, which might solve my problem.

    I have context associated with a data flow. The documentation for FwpsFlowAssociateContext0 says: "The filter engine calls that flowDeleteFn callout function when the flow is terminated so that the callout driver can clean up the context associated with the flow." So the connection is terminated when flowDeleteFn is called???

    Could someone confirm this? Does it work??? Are there other possibilities (see my previous post, too)?

    Thanks

    Monday, August 9, 2010 8:15 AM
  • Yes, you can use the flowDeleteFn as well. Again though, this will not solve the issue of non-graceful TCP termination.

    For this to work, you should associate your context at FWPM_LAYER_ALE_FLOW_ESTABLISHED.


    Hope this helps


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Tuesday, August 10, 2010 6:01 PM
    Moderator
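A constructed per-flow state model of the approach worked out in this thread: the two disconnect indications at the stream layer (one per direction) decide half-closed vs. fully closed, flowDeleteFn marks the flow going away, and FWPS_CLASSIFY_OUT_FLAG_NO_MORE_DATA is not treated as a close signal. This is an added example, not code from any poster; it is plain user-mode C with its own event and state names rather than fwpsk.h calls, so it compiles outside a driver.

```c
#include <stdbool.h>
#include <string.h>
/* Events a callout can observe for one TCP flow (names are this example's own;
 * a real callout maps them from the stream-layer disconnects and flowDeleteFn). */
typedef enum {
    EV_SEND_DISCONNECT,   /* local FIN: our side finished sending            */
    EV_RECV_DISCONNECT,   /* remote FIN: peer finished sending               */
    EV_NO_MORE_DATA,      /* FWPS_CLASSIFY_OUT_FLAG_NO_MORE_DATA: queue empty */
    EV_FLOW_DELETE        /* flowDeleteFn: the flow context is going away     */
} flow_event_t;

typedef enum {
    FLOW_OPEN,
    FLOW_HALF_CLOSED_LOCAL,   /* we sent FIN, peer may still send */
    FLOW_HALF_CLOSED_REMOTE,  /* peer sent FIN, we may still send */
    FLOW_CLOSED
} flow_state_t;

typedef struct {
    flow_state_t state;
    bool sent_fin, recv_fin;
    bool graceful;            /* both FINs seen before the flow ended */
} flow_ctx_t;

void flow_init(flow_ctx_t *f) { memset(f, 0, sizeof *f); f->state = FLOW_OPEN; }

/* Feed one event; returns true once the flow is known to be finished. */
bool flow_on_event(flow_ctx_t *f, flow_event_t ev)
{
    if (f->state == FLOW_CLOSED) return true;   /* ignore stragglers after close */
    switch (ev) {
    case EV_NO_MORE_DATA:
        return false;                /* an empty queue says nothing about closure */
    case EV_SEND_DISCONNECT: f->sent_fin = true; break;
    case EV_RECV_DISCONNECT: f->recv_fin = true; break;
    case EV_FLOW_DELETE:
        /* Flow went away; without both FINs the close was not graceful. */
        f->graceful = f->sent_fin && f->recv_fin;
        f->state = FLOW_CLOSED;
        return true;
    }
    if (f->sent_fin && f->recv_fin) { /* both directions finished: fully closed */
        f->graceful = true;
        f->state = FLOW_CLOSED;
        return true;
    }
    f->state = f->sent_fin ? FLOW_HALF_CLOSED_LOCAL : FLOW_HALF_CLOSED_REMOTE;
    return false;
}
```

A flow that reaches FLOW_CLOSED with graceful == false is the case the thread calls non-graceful termination, which the stream-layer FINs alone never reveal.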
  • FWPM_LAYER_ALE_FLOW_ESTABLISHED is already in use :)

    I only want to add here (for people with the same or similar problem) that I was wondering why my TCP connections did not close gracefully (by sending the FIN packet). Then I used Wireshark to find the problem, and it was my browser. I thought it would close a TCP connection when a requested web page was fully loaded. But this is not the case; the connections close when the browser (for me: Firefox) is terminated. Maybe there is a timeout or other circumstances in which the browser closes a TCP connection, but I think that closing the browser closing the connections is the default behavior.

    So thanks for the replies; they helped very much in understanding the mechanisms.

    Wednesday, August 11, 2010 5:07 AM