How to pass data from kernel driver (WFP) to user space app.

  • Question

  • Hello,

    I would like to use the dataLength (transport layer in/out) of a packet in my user-space app. In my dispatch_request function I have:

    sprintf_s(info, sizeof(info), "TDI;%s;%s;%u;%d.%d.%d.%d:%d;%d.%d.%d.%lu:%lu:%lu;\"%S\";%u;\"%s\"",
    GetEventName(request->EventType),
    GetDirection(request->Direction),
    request->IpProtocol,
    (request->SourceIP & 0xFF),
    ((request->SourceIP >> 8) & 0xFF),
    ((request->SourceIP >> 16) & 0xFF),
    ((request->SourceIP >> 24) & 0xFF),
    request->SourcePort,
    (request->DestinationIP & 0xFF),
    ((request->DestinationIP >> 8) & 0xFF),
    ((request->DestinationIP >> 16) & 0xFF),
    ((request->DestinationIP >> 24) & 0xFF),
    request->DestinationPort,
    request->DataTotalLengthOut,
    request->dataLength,
    request->ProcessPath,
    request->Pid,
    sidName
    );

    After calling sprintf I can see the above values (src IP, dst IP, port, etc.) except dataLength and DataTotalLengthOut.

    In my kernel driver, in TLInspectUniversalClassify, I'm displaying the data as:

    DbgPrint("[Inspect] TLInspectUniversalClassify: %s, SRC:%d.%d.%d.%d:%d -> DEST:%d.%d.%d.%d:%d, Protocol: %d,     dataLength: %d (totalIn: %d, totalOut: %d), pid: %d (pid2: %d), path: %S\n",
    GetEventName(flowData->EventType),
    (flowData->SourceIP & 0xFF),
    ((flowData->SourceIP >> 8) & 0xFF),
    ((flowData->SourceIP >> 16) & 0xFF),
    ((flowData->SourceIP >> 24) & 0xFF),
    flowData->SourcePort,
    (flowData->DestinationIP & 0xFF),
    ((flowData->DestinationIP >> 8) & 0xFF),
    ((flowData->DestinationIP >> 16) & 0xFF),
    ((flowData->DestinationIP >> 24) & 0xFF),
    flowData->DestinationPort,
    flowData->IpProtocol,
    streamData->dataLength,
    flowData->DataTotalLengthIn,
    flowData->DataTotalLengthOut,
    flowData->Pid,
    flowData->PidAlternative,
    flowData->ProcessPath);

    and here (DbgPrint) I see the above values, including DataTotalLengthOut/DataTotalLengthIn and dataLength.

    How do I correctly pass this data (DataTotalLengthOut/DataTotalLengthIn and dataLength) to user space?

    Why can't I see these values when using request->DataTotalLengthOut in the dispatch_request function?

    Krzysztof

    Monday, October 8, 2018 6:49 PM
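
Added example (not part of the original post): a small C helper that counts how many arguments a printf-style format string consumes, run over the two format strings quoted above. As posted, the sprintf_s format has 17 conversion specifiers followed by 18 arguments, while the DbgPrint format has 18 specifiers for its 18 arguments. The names count_format_args, SPRINTF_FMT and DBGPRINT_FMT are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Format strings copied from the post, embedded here as sample input. */
static const char SPRINTF_FMT[] =
    "TDI;%s;%s;%u;%d.%d.%d.%d:%d;%d.%d.%d.%lu:%lu:%lu;\"%S\";%u;\"%s\"";
static const char DBGPRINT_FMT[] =
    "[Inspect] TLInspectUniversalClassify: %s, SRC:%d.%d.%d.%d:%d -> "
    "DEST:%d.%d.%d.%d:%d, Protocol: %d,     dataLength: %d "
    "(totalIn: %d, totalOut: %d), pid: %d (pid2: %d), path: %S\n";

/* Count the variadic arguments a printf-style format consumes.
 * "%%" consumes none; each '*' width or precision consumes one extra int. */
int count_format_args(const char *fmt)
{
    int n = 0;
    const char *p = fmt;
    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') { p++; continue; }          /* literal "%%" */
        while (*p && strchr("-+ #0", *p)) p++;     /* flags */
        for (; *p == '*' || (*p >= '0' && *p <= '9'); p++)
            if (*p == '*') n++;                    /* width */
        if (*p == '.')
            for (p++; *p == '*' || (*p >= '0' && *p <= '9'); p++)
                if (*p == '*') n++;                /* precision */
        while (*p && strchr("hlLjztwI", *p)) p++;  /* length modifiers */
        while (*p >= '0' && *p <= '9') p++;        /* digits of MSVC I32/I64 */
        if (*p == '\0')
            break;                                 /* truncated specifier */
        n++;                                       /* the conversion itself */
        p++;
    }
    return n;
}

int main(void)
{
    /* Both calls in the post pass 18 arguments after the format string. */
    const int args_passed = 18;
    printf("sprintf_s format: %d specifiers, %d arguments\n",
           count_format_args(SPRINTF_FMT), args_passed);
    printf("DbgPrint format:  %d specifiers, %d arguments\n",
           count_format_args(DBGPRINT_FMT), args_passed);
    return 0;
}
```

When the specifier count and the argument count differ, every argument after the gap is read with the wrong conversion, so compiler format checking (for example the `_Printf_format_string_` SAL annotation with /analyze on MSVC) is worth enabling for such calls.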