How to filter HTTP GET packets from TCP packets

  • Question

  • My current code is here:


        filterConditions[conditionIndex].fieldKey  = FWPM_CONDITION_IP_REMOTE_ADDRESS;
        // matchType was changed to FWP_MATCH_NOT_EQUAL from FWP_MATCH_EQUAL
        filterConditions[conditionIndex].matchType = FWP_MATCH_NOT_EQUAL;

        if (IsEqualGUID(layerKey, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4))
        {
            // braces added: both the value type and the value belong inside the if
            filterConditions[conditionIndex].conditionValue.type   = FWP_UINT32;
            filterConditions[conditionIndex].conditionValue.uint32 = *(UINT32*)remoteAddr;
        }
        conditionIndex++;   // advance, otherwise the next condition overwrites this one

        // condition added to match TCP packets only (IP protocol number 6)
        filterConditions[conditionIndex].fieldKey  = FWPM_CONDITION_IP_PROTOCOL;
        filterConditions[conditionIndex].matchType = FWP_MATCH_EQUAL;
        filterConditions[conditionIndex].conditionValue.type  = FWP_UINT8;
        filterConditions[conditionIndex].conditionValue.uint8 = 6;   // IPPROTO_TCP
        conditionIndex++;

        // condition matching the HTTP port
        filterConditions[conditionIndex].fieldKey  = FWPM_CONDITION_IP_LOCAL_PORT;
        filterConditions[conditionIndex].matchType = FWP_MATCH_EQUAL;
        filterConditions[conditionIndex].conditionValue.type   = FWP_UINT16;
        filterConditions[conditionIndex].conditionValue.uint16 = 80;
        conditionIndex++;   // conditionIndex now holds the number of conditions in the filter

        DbgPrint("Filter Added ...!!");
        // code ends


    This code shows the TCP/HTTP packets at port 80,

    but I need to filter the HTTP GET packets.



    Tuesday, January 31, 2012 11:55 AM

All replies

  • In order to filter only the HTTP GET packets, it is advised to implement a callout driver and place your filter at FWPM_LAYER_STREAM_V{4 / 6}. You can use the same filtering conditions you specify in the code above, but that will trigger classification for all HTTP packets. Within your callout, you will need to parse the data and block the HTTP GET portions.


    Optionally you can keep your filter at OUTBOUND_TRANSPORT, but you still need to have the callout parse the data of the packet.  The main issue with this approach is you will need to know how to determine when the GET portion is finished if it gets spread over multiple packets.


    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    This posting is provided "AS IS", with NO warranties and confers NO rights

    Tuesday, January 31, 2012 4:27 PM
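The hard part the reply points at, deciding where a GET request ends when it arrives in several stream segments, is a small per-flow state machine. The following is an added example, not code from the thread or from Microsoft's WFP samples, written as plain user-mode C so it can be compiled and tested outside a driver; in a STREAM-layer callout the classifyFn would feed each segment's bytes from the FWPS_STREAM_DATA into http_get_scanner_feed and keep the scanner in the flow context. All type and function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Per-flow scanner state; a STREAM-layer callout would keep this in the flow
 * context so it survives between classify calls for the same connection. */
typedef enum { HS_START, HS_HEADERS, HS_DONE, HS_NOT_GET } http_state_t;
typedef struct { http_state_t state; size_t pos; } http_get_scanner_t;   /* pos: progress in the pattern being matched */

static const char GET_PREFIX[] = "GET ";
static const char HDR_END[]    = "\r\n\r\n";

/* Feed one stream segment. Returns how many bytes of this segment belong to the
 * GET request (request line and headers, through the terminating blank line);
 * 0 once the flow is known not to start with "GET " or the request is complete. */
size_t http_get_scanner_feed(http_get_scanner_t *s, const unsigned char *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        switch (s->state) {
        case HS_START:      /* match "GET " one byte at a time, so a split prefix still works */
            if (data[i] != (unsigned char)GET_PREFIX[s->pos]) { s->state = HS_NOT_GET; return 0; }
            if (++s->pos == sizeof GET_PREFIX - 1) { s->state = HS_HEADERS; s->pos = 0; }
            break;
        case HS_HEADERS:    /* look for "\r\n\r\n", which may also straddle segments */
            if (data[i] == (unsigned char)HDR_END[s->pos]) {
                if (++s->pos == sizeof HDR_END - 1) { s->state = HS_DONE; return i + 1; }
            } else {
                s->pos = (data[i] == '\r') ? 1 : 0;   /* a lone '\r' can begin a new terminator */
            }
            break;
        default:            /* HS_DONE / HS_NOT_GET: nothing further is part of this GET */
            return 0;
        }
    }
    return len;             /* still collecting: the whole segment belongs to the request */
}

/* Constructed sample: one GET split across three segments, then the start of a second
 * request. Returns the bytes attributed to the first GET (43) and whether it completed. */
size_t demo_split_get(bool *complete)
{
    static const char *segs[] = { "GE", "T /index.html HTTP/1.1\r\nHost: ex", "ample\r\n\r\n", "GET /next HTTP/1.1\r\n" };
    http_get_scanner_t s = { HS_START, 0 };
    size_t total = 0;
    for (size_t k = 0; k < sizeof segs / sizeof segs[0]; k++)
        total += http_get_scanner_feed(&s, (const unsigned char *)segs[k], strlen(segs[k]));
    *complete = (s.state == HS_DONE);
    return total;
}
```

Because the scanner only tracks the request line and header block, a GET whose headers never terminate keeps the flow in HS_HEADERS; a callout should bound how long it waits before giving up on the flow.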