TCP data was sent to FWPS_LAYER_DATAGRAM_DATA_V4 callout?

  • Question

  • This is the call stack:

     

    97e72184 81ad7875 00000040 84273000 8451d348 nt!KeBugCheck+0x14
    97e7219c 856cfc6f 066e13cb 9badd000 00000034 nt!IoBuildPartialMdl+0x85
    97e721dc 85923d6f 83f01d90 00000000 8403ffcd ndis!NdisAllocateCloneNetBufferList+0x156
    97e72208 85924570 00000000 00000000 00000000 fwpkclnt!FwpsAllocateCloneNetBufferList0+0x59
    97e72240 918efabf 83f01d08 00000000 00000000 fwpkclnt!FwpsCloneStreamData0+0x74
    97e7228c 918f003e 00000119 00000000 83f01d08 eeyetv!Flow_OnFlowData+0x193
    97e722c0 8580263d 97e725cc 97e72484 83f01d08 eeyetv!ClassifyFn_Datagram+0x9a
    97e72308 85802107 00000018 97e725cc 97e72484 NETIO!ProcessCallout+0x10e
    97e72378 85802282 00000018 97e725cc 97e72484 NETIO!ArbitrateAndEnforce+0xaa
    97e7245c 85897a9f 00000018 97e725cc 97e72484 NETIO!KfdClassify+0x16f
    97e725ec 8589354e 00000006 2319640a 0000bd01 tcpip!WFPDatagramDataShimV4+0x2c5
    97e72648 858b2fd8 841af5b8 83fa0b48 00000000 tcpip!WfpDatagramDataIndicate+0x67
    97e726b4 8589348a 00e728c0 00000006 97e70002 tcpip!ProcessALEForTransportPacket+0x32a
    97e72734 858a158b 97e728c0 00000006 97e70002 tcpip!ProcessAleForNonTcpOut+0x5b
    97e72884 858a194f 00000006 83fa0c18 000068c0 tcpip!WfpProcessOutTransportStackIndication+0x1ff
    97e72908 858a129f 00000000 83b8c08c 97e72a6c tcpip!IppInspectLocalDatagramsOut+0xbf
    97e72aac 858d5399 00000000 00000000 858feca0 tcpip!IppSendDatagramsCommon+0x522
    97e72b8c 85925046 00000000 00000001 841af5b8 tcpip!IppInspectInjectRawSend+0xc3
    97e72bc8 918bb34e 841860b0 00000000 00000000 fwpkclnt!FwpsInjectNetworkSendAsync0+0x134
    97e72bf8 918bb7be 987ec660 83fcba20 97e72c2c eeyenv!W32_SendPacketToNdis+0xdc
    97e72c08 918bba96 83fcba20 00000000 83e2a418 eeyenv!W32API_IoCtrl_SendPacket+0x52
    97e72c2c 81ac8aef 83e63a60 00000060 83fcba20 eeyenv!W32_Dispatch+0xda

    eeyenv is my callout on the FWPS_LAYER_OUTBOUND_IPPACKET_V4 layer, and eeyetv is my other callout on the FWPS_LAYER_STREAM_V4 and FWPS_LAYER_DATAGRAM_DATA_V4 layers.

     

    The eeyenv driver injects one outgoing TCP packet:

    987ec67e 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00  ..............E.
    987ec68e 00 34 0d 35 40 00 80 06 00 00 0a 64 19 2d 0a 64  .4.5@......d.-.d
    987ec69e 19 23 c0 68 01 bd 91 d4 4b 5d ab e0 39 f9 80 10  .#.h....K]..9...
    987ec6ae 40 0b a1 b6 00 00 01 01 05 0a ab e0 39 f8 ab e0  @...........9...
    987ec6be 39 f9 00 00 00 00 00 00 00 00 00 00 00 00 00 00  9...............

    but it goes back to the upper layers and to the FWPS_LAYER_DATAGRAM_DATA_V4 layer.

     

    As I understand it, only UDP, ICMP and raw IP data will be indicated to an FWPS_LAYER_DATAGRAM_DATA layer callout, right?

     

    And another question: will all outgoing packets injected at the IPPACKET layer be reprocessed by the upper layer?

    Friday, December 21, 2007 11:09 PM

Answers

  • This is expected -- TCP packets sent over RAW sockets are treated just like UDP packets and are classified against the DATAGRAM_DATA layer. The FWP_CONDITION_FLAG_IS_RAW_ENDPOINT flag should be set in your case.

     

    We need to call this out more explicitly in MSDN/DDK.

     

    Thanks,

    Biao.W.

    Saturday, December 22, 2007 8:55 AM
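
Added example (not part of the original thread or of the poster's drivers): a user-mode C model of the check the answer implies for a DATAGRAM_DATA callout, run over the IPv4 packet from the question's dump. `datagram_route`, `tcp_info` and `MODEL_FLAG_RAW_ENDPOINT` are hypothetical names; in a real callout the protocol and condition flags come from the classify's fixed values (`FWPS_FIELD_DATAGRAM_DATA_V4_IP_PROTOCOL`, `FWPS_FIELD_DATAGRAM_DATA_V4_FLAGS`) rather than from parsing bytes.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for FWP_CONDITION_FLAG_IS_RAW_ENDPOINT; this bit value is a
 * placeholder chosen for the model, not the WDK definition. */
#define MODEL_FLAG_RAW_ENDPOINT 0x1u

enum route {
    ROUTE_MALFORMED,            /* fails length/version checks */
    ROUTE_DATAGRAM,             /* UDP, ICMP, other non-TCP IP */
    ROUTE_RAW_TCP_AS_DATAGRAM,  /* TCP from a raw endpoint: datagram path */
    ROUTE_UNEXPECTED_TCP        /* TCP without the raw flag: log, do not parse */
};

struct tcp_info { uint16_t src_port, dst_port; uint8_t flags; size_t payload_len; };

/* Constructed input: the IPv4 packet from the dump in the question,
 * with the 14-byte link-layer header stripped. */
static const uint8_t sample_packet[52] = {
    0x45,0x00,0x00,0x34,0x0d,0x35,0x40,0x00,0x80,0x06,0x00,0x00,0x0a,0x64,0x19,0x2d,
    0x0a,0x64,0x19,0x23,0xc0,0x68,0x01,0xbd,0x91,0xd4,0x4b,0x5d,0xab,0xe0,0x39,0xf9,
    0x80,0x10,0x40,0x0b,0xa1,0xb6,0x00,0x00,0x01,0x01,0x05,0x0a,0xab,0xe0,0x39,0xf8,
    0xab,0xe0,0x39,0xf9
};

/* Decide how a datagram-layer handler should treat one IPv4 packet.
 * TCP is never routed to stream-oriented code from here. */
enum route datagram_route(const uint8_t *p, size_t len, uint32_t cond_flags,
                          struct tcp_info *out)
{
    if (p == NULL || out == NULL || len < 20 || (p[0] >> 4) != 4)
        return ROUTE_MALFORMED;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;       /* IPv4 header length */
    size_t total = ((size_t)p[2] << 8) | p[3];    /* IPv4 total length */
    if (ihl < 20 || total < ihl || total > len)
        return ROUTE_MALFORMED;
    if (p[9] != 6)                                /* IP protocol 6 = TCP */
        return ROUTE_DATAGRAM;
    if (total - ihl < 20)
        return ROUTE_MALFORMED;
    const uint8_t *t = p + ihl;
    size_t thl = (size_t)(t[12] >> 4) * 4;        /* TCP data offset in bytes */
    if (thl < 20 || thl > total - ihl)
        return ROUTE_MALFORMED;
    out->src_port = (uint16_t)((t[0] << 8) | t[1]);
    out->dst_port = (uint16_t)((t[2] << 8) | t[3]);
    out->flags = t[13];
    out->payload_len = total - ihl - thl;
    return (cond_flags & MODEL_FLAG_RAW_ENDPOINT) ? ROUTE_RAW_TCP_AS_DATAGRAM
                                                  : ROUTE_UNEXPECTED_TCP;
}
```

On the packet from the question this reports a bare TCP ACK (no payload) from port 49256 to port 445, which a datagram-layer handler sees only because it was sent through the raw path.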