How to get UDP payload on FWPM_LAYER_DATAGRAM_V*

  • Question

  • Hi all,

        I'm a newbie to WFP. My task is to block outbound DNS requests that query a specific domain. I set a filter on FWPM_LAYER_DATAGRAM_V* with the filter condition remote_port == 53 (the DNS service port). Now I can block all DNS requests by setting the filter action to FWPM_ACTION_BLOCK. I have begun adding a callout driver that inspects the DNS request UDP datagram and checks whether it queries the specific domain, but I am confused about how to get the UDP payload. I have looked at the DDProxy sample; it modifies the UDP header, but I need to inspect the UDP payload, not the header. How can I get it?

        Thanks a lot.

    Wednesday, July 28, 2010 4:54 AM

All replies

  • You need to know the layout of the packet. At DATAGRAM_DATA, you are at the data portion in the NBL (assuming inbound) and at the transport header for outbound traffic. You will need to adjust your view of the data accordingly and parse the DNS header (this is the start of the data). To alter the view of the NBL, you should use the transport header size metadata and NdisRetreatNetBufferDataStart (and NdisAdvanceNetBufferDataStart when finished, to return it to its original position).

     To help ease things, you may want to move your filters to INBOUND / OUTBOUND Transport. This way the direction is relatively a given.

    Hope this helps,

     


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Thursday, July 29, 2010 5:25 AM
    Moderator
  • Thanks Dusty,

           Now I set another filter condition, FWPM_CONDITION_DIRECTION, to FWP_DIRECTION_OUTBOUND. In the classify function, I use the NdisGetDataBuffer function to get the UDP header of each net buffer in the net buffer list (layerData). The length of the UDP datagram can be acquired from the UDP header. Now how can I get the content of the datagram in the NBL, or how do I use the NdisRetreat/Advance functions?

    Thursday, July 29, 2010 5:51 AM
  • For outbound, you need to advance the size of the UDP header (FWPS_METADATA_FIELD_TRANSPORT_HEADER_SIZE) using NdisAdvanceNetBufferListDataStart()
    http://msdn.microsoft.com/en-us/library/ff560704(VS.85).aspx

    You can then get the data (the UDP payload) using NdisGetDataBuffer()
    http://msdn.microsoft.com/en-us/library/ff562631(v=VS.85).aspx

    Parse this data as a DNS header + payload.

    When finished, put the NBL back to the original position using NdisRetreatNetBufferListDataStart()
    http://msdn.microsoft.com/en-us/library/ff564529(v=VS.85).aspx

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    Thursday, July 29, 2010 4:49 PM
    Moderator
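The two answers above give the NDIS sequence (advance past the transport header, NdisGetDataBuffer, parse, retreat) but not the parsing step. The block below is an added example, not code from the thread or from Microsoft: it implements the "parse this data as a DNS header + payload" step in portable C so that it compiles and runs outside the kernel, and it includes the bounds checks a callout needs because the payload is attacker-controlled. It assumes (my assumptions, not from the post) that the caller passes the bytes that begin immediately after the UDP header and that the blocked domain is supplied in lower-case dotted form; the sample payloads are constructed for this example.

```c
/*
 * Added example (not from the thread): DNS query parsing for a WFP callout.
 * Assumes the caller already skipped the UDP header and copied the payload
 * into a flat buffer; the NDIS/WFP calls themselves are not shown here.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_HEADER_LEN 12
#define DNS_MAX_NAME   255

typedef struct {
    uint16_t id, flags, qdcount;
    char     qname[DNS_MAX_NAME + 1];   /* first question name, lower-case, dotted */
    uint16_t qtype, qclass;
} dns_query_t;

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Decode the label sequence at msg[off] into dotted lower-case form.
 * Returns wire bytes consumed, or 0 if the name is malformed or overruns
 * msg_len.  Compression pointers (top two bits set) are rejected: the first
 * question of a query has nothing earlier to point at, and honouring them
 * would let a crafted query steer the parser around the buffer. */
static size_t dns_read_qname(const uint8_t *msg, size_t msg_len, size_t off,
                             char *out, size_t out_len)
{
    size_t pos = off, o = 0;
    for (;;) {
        if (pos >= msg_len)
            return 0;
        uint8_t len = msg[pos++];
        if (len == 0)
            break;                               /* root label ends the name */
        if (len & 0xC0)
            return 0;                            /* pointer or reserved encoding */
        if (pos + len > msg_len)
            return 0;                            /* label runs off the buffer */
        if (o + (o ? 1 : 0) + len >= out_len)
            return 0;                            /* longer than DNS allows */
        if (o)
            out[o++] = '.';
        for (size_t i = 0; i < len; i++)
            out[o++] = (char)tolower(msg[pos + i]);
        pos += len;
    }
    out[o] = '\0';
    return pos - off;
}

/* Returns 1 if msg is a well-formed DNS query carrying at least one question. */
int dns_parse_query(const uint8_t *msg, size_t msg_len, dns_query_t *q)
{
    if (msg_len < DNS_HEADER_LEN)
        return 0;
    q->id      = rd16(msg);
    q->flags   = rd16(msg + 2);
    q->qdcount = rd16(msg + 4);
    if (q->flags & 0x8000)
        return 0;                                /* QR set: response, not query */
    if (q->qdcount == 0)
        return 0;
    size_t n = dns_read_qname(msg, msg_len, DNS_HEADER_LEN, q->qname, sizeof q->qname);
    if (n == 0 || DNS_HEADER_LEN + n + 4 > msg_len)
        return 0;                                /* bad name or QTYPE/QCLASS missing */
    q->qtype  = rd16(msg + DNS_HEADER_LEN + n);
    q->qclass = rd16(msg + DNS_HEADER_LEN + n + 2);
    return 1;
}

/* Suffix match on label boundaries: "evil.example" matches itself and
 * "www.evil.example" but not "notevil.example". */
int dns_name_blocked(const char *name, const char *blocked)
{
    size_t nl = strlen(name), bl = strlen(blocked);
    if (bl == 0 || nl < bl || strcmp(name + (nl - bl), blocked) != 0)
        return 0;
    return nl == bl || name[nl - bl - 1] == '.';
}

/* The verdict the classifyFn would map to FWP_ACTION_BLOCK (1) or
 * FWP_ACTION_PERMIT (0).  Malformed or truncated data is blocked (fail
 * closed): a filter that permits whatever it cannot parse is bypassed by a
 * query the resolver still understands. */
int dns_query_should_block(const uint8_t *payload, size_t len, const char *blocked_domain)
{
    dns_query_t q;
    if (!dns_parse_query(payload, len, &q))
        return 1;
    return dns_name_blocked(q.qname, blocked_domain);
}

/* Constructed sample payloads, i.e. what NdisGetDataBuffer would return once
 * the data start has been advanced past the UDP header. */
static const uint8_t k_query_www_evil_example[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 4, 'e', 'v', 'i', 'l', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0,
    0x00, 0x01, 0x00, 0x01                       /* QTYPE A, QCLASS IN */
};
static const uint8_t k_query_example_com[] = {
    0xAB, 0xCD, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'E', 'X', 'A', 'M', 'P', 'L', 'E', 3, 'c', 'o', 'm', 0,
    0x00, 0x1C, 0x00, 0x01                       /* QTYPE AAAA, QCLASS IN */
};
```

In the kernel, the call order around dns_query_should_block follows the answer above: for a classification whose direction is FWP_DIRECTION_OUTBOUND, check that FWPS_METADATA_FIELD_TRANSPORT_HEADER_SIZE is present in the incoming metadata, call NdisAdvanceNetBufferListDataStart with that transportHeaderSize, obtain a flat copy of the payload with NdisGetDataBuffer (pass a storage buffer of your own, since it returns NULL when the bytes are not contiguous and no storage is given), run the check, and then call NdisRetreatNetBufferListDataStart with the same size before returning, on every path including the error ones, so the NBL leaves the callout exactly as it arrived. For inbound classifications the data start already sits at the DNS header, so no advance is needed. Two caveats worth stating: the filter only sees UDP to remote port 53, so queries over TCP, DNS over TLS or DNS over HTTPS never reach it; and the fail-closed choice above is deliberate, because a name parser that quietly permits what it rejects is the first thing an evasion test will probe.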
  • Thanks Dusty,

    I have another problem.

    What's the difference between NdisAdvanceNetBufferListDataStart() and NdisAdvanceNetBufferDataStart()?

    Saturday, July 31, 2010 4:25 AM
  • http://msdn.microsoft.com/en-us/library/ff560704(v=VS.85).aspx

    Calling this function (NdisAdvanceNetBufferListDataStart) is equivalent to calling NdisAdvanceNetBufferDataStart for every NET_BUFFER structure on the NET_BUFFER_LIST structure. However, calling NdisAdvanceNetBufferListDataStart is more efficient.

     

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    Saturday, July 31, 2010 7:40 PM
    Moderator
  • Thanks a lot.

    It really helps me so much. I have solved the problem.

    Sunday, August 1, 2010 1:46 AM