How to filter HTTP GET packets from TCP packets

  • Question

  • My current code is here,


    // Condition 1: remote address (only the IPv4 layer is handled in this fragment)
    filterConditions[conditionIndex].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
    // changed from FWP_MATCH_EQUAL to FWP_MATCH_NOT_EQUAL
    filterConditions[conditionIndex].matchType = FWP_MATCH_NOT_EQUAL;

    if (IsEqualGUID(layerKey, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4))
    {
        filterConditions[conditionIndex].conditionValue.type = FWP_UINT32;
        filterConditions[conditionIndex].conditionValue.uint32 = *(UINT32*)remoteAddr;
    }
    // (the V6 layer needs a FWP_BYTE_ARRAY16_TYPE value here; not shown in this fragment)
    conditionIndex++;

    // Condition 2: added so that only TCP is matched (IP protocol number 6 == IPPROTO_TCP)
    filterConditions[conditionIndex].fieldKey = FWPM_CONDITION_IP_PROTOCOL;
    filterConditions[conditionIndex].matchType = FWP_MATCH_EQUAL;
    filterConditions[conditionIndex].conditionValue.type = FWP_UINT8;
    filterConditions[conditionIndex].conditionValue.uint8 = 6;
    conditionIndex++;

    // Condition 3: HTTP port 80. Note that IP_LOCAL_PORT == 80 at the outbound
    // transport layer matches traffic sent by a local HTTP server; outbound
    // client requests (where a GET lives) have REMOTE port 80 instead
    // (FWPM_CONDITION_IP_REMOTE_PORT).
    filterConditions[conditionIndex].fieldKey = FWPM_CONDITION_IP_LOCAL_PORT;
    filterConditions[conditionIndex].matchType = FWP_MATCH_EQUAL;
    filterConditions[conditionIndex].conditionValue.type = FWP_UINT16;
    filterConditions[conditionIndex].conditionValue.uint16 = 80;
    conditionIndex++;

    DbgPrint("Filter Added ...!!");
    ====================

    This code is showing the packets from TCP (HTTP) at port 80,

    but I need to filter the HTTP GET packets.


    Tuesday, January 31, 2012 11:55 AM

All replies

  • In order to filter only the HTTP GET packets, it is advised to implement a callout driver and place your filter at FWPM_LAYER_STREAM_V{4 / 6}. You can use the same filtering conditions you specify in the code above, but that will trigger classification for all HTTP packets. Within your callout, you will need to parse the data and block the HTTP GET portions.

    http://msdn.microsoft.com/en-us/library/windows/hardware/ff570891(v=vs.85).aspx

     

    Optionally you can keep your filter at OUTBOUND_TRANSPORT, but you still need to have the callout parse the data of the packet.  The main issue with this approach is you will need to know how to determine when the GET portion is finished if it gets spread over multiple packets.

     

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Tuesday, January 31, 2012 4:27 PM
    Moderator
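The parsing the reply above asks for, as an added example that is not part of the original thread or the WFP samples: a user-mode C model of the per-flow logic a FWPM_LAYER_STREAM_V4/V6 callout would run. It buffers outbound stream data for one flow, decides as early as possible that the data is not a GET, and otherwise keeps asking for more until it has seen the whole request head (through the blank line), which is exactly the "when is the GET portion finished if it is spread over multiple packets" problem the reply raises. The names `http_flow`, `http_flow_feed` and `run_pieces`, the 8 KiB cap, and the sample request chunks are all assumptions made for this example; in a real callout the flow state would live in per-flow context, HTTP_NEED_MORE would become FWPS_STREAM_ACTION_NEED_MORE_DATA in the stream callout packet, and HTTP_IS_GET would become an FWP_ACTION_BLOCK verdict on the buffered bytes.

```c
/* User-mode model of the parsing a stream-layer WFP callout would do to
 * recognise an HTTP GET request arriving split across several indications.
 * Added example, not the thread's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HTTP_HEAD_MAX 8192   /* assumption: cap on bytes buffered per flow */

typedef enum {
    HTTP_NEED_MORE = 0,   /* callout would request more stream data */
    HTTP_IS_GET    = 1,   /* complete GET head seen: callout would block it */
    HTTP_NOT_GET   = 2,   /* not a GET: callout would permit and stop inspecting */
    HTTP_OVERFLOW  = 3    /* head exceeds the cap: a policy decision for the driver */
} http_verdict;

typedef struct {
    unsigned char head[HTTP_HEAD_MAX];
    size_t len;            /* bytes buffered so far */
    size_t scan;           /* offset up to which CRLFCRLF has been searched */
    size_t head_len;       /* length of the GET head incl. CRLFCRLF, once found */
    http_verdict verdict;  /* sticky once it leaves HTTP_NEED_MORE */
} http_flow;

void http_flow_init(http_flow *f)
{
    memset(f, 0, sizeof *f);
    f->verdict = HTTP_NEED_MORE;
}

/* Feed one chunk of outbound data for this flow and return the verdict so far. */
http_verdict http_flow_feed(http_flow *f, const unsigned char *data, size_t n)
{
    static const unsigned char method[] = "GET ";

    if (f->verdict != HTTP_NEED_MORE)
        return f->verdict;

    if (n > HTTP_HEAD_MAX - f->len) {
        f->verdict = HTTP_OVERFLOW;
        return f->verdict;
    }
    memcpy(f->head + f->len, data, n);
    f->len += n;

    /* Compare whatever prefix of "GET " we have; a mismatch is decided early
     * even when the method token itself is split across chunks. */
    size_t k = f->len < 4 ? f->len : 4;
    if (memcmp(f->head, method, k) != 0) {
        f->verdict = HTTP_NOT_GET;
        return f->verdict;
    }
    if (f->len < 4)
        return HTTP_NEED_MORE;

    /* Search for CRLF CRLF, backing up 3 bytes from the previous scan point so
     * a terminator straddling two chunks is still found. */
    size_t start = f->scan > 3 ? f->scan - 3 : 0;
    for (size_t i = start; i + 4 <= f->len; i++) {
        if (memcmp(f->head + i, "\r\n\r\n", 4) == 0) {
            f->head_len = i + 4;
            f->verdict = HTTP_IS_GET;
            return f->verdict;
        }
    }
    f->scan = f->len;
    return HTTP_NEED_MORE;
}

/* Drive a fresh flow through a sequence of chunks; returns the final verdict. */
http_verdict run_pieces(const char *const *pieces, size_t count, size_t *head_len)
{
    http_flow f;
    http_verdict v = HTTP_NEED_MORE;
    http_flow_init(&f);
    for (size_t i = 0; i < count; i++)
        v = http_flow_feed(&f, (const unsigned char *)pieces[i], strlen(pieces[i]));
    if (head_len)
        *head_len = f.head_len;
    return v;
}

int main(void)
{
    /* Constructed sample: one GET request delivered in three pieces, with the
     * method token and the terminating blank line both split across chunks. */
    const char *const pieces[] = {
        "GE", "T /index.html HTTP/1.1\r\nHost: exa", "mple.com\r\n\r"
    };
    const char *const tail[] = { "\n" };
    http_flow f;
    http_flow_init(&f);
    for (size_t i = 0; i < 3; i++)
        printf("chunk %zu -> verdict %d\n", i,
               (int)http_flow_feed(&f, (const unsigned char *)pieces[i], strlen(pieces[i])));
    printf("final chunk -> verdict %d, head length %zu\n",
           (int)http_flow_feed(&f, (const unsigned char *)tail[0], 1), f.head_len);
    return 0;
}
```

Two points carry over to the driver: the verdict is sticky per flow, so once a flow has been classified as not-a-GET the callout can stop buffering it, and the cap on buffered bytes is what keeps a peer that never sends the blank line from pinning memory in the kernel.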