How to detect closed event? RRS feed

  • Question

  • I want to implement an application based filtering to my IPPACKET callout driver.

    So I'm going to add ALE layer classify. and directly change conditions by using information of ALE.

    There are conditions for accept. connect. and bind.

    But I need to know closed event and initial list of connections.

    Where do I start?


    Tuesday, August 2, 2011 8:53 AM


  • In Win7+ there are FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V{4 /6} and FWPM_LAYER_ALE_RESOURCE_RELEASE_V{4 / 6}.  These layers require that you have authorized at ALE.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    This posting is provided "AS IS", with NO warranties and confers NO rights
    Tuesday, August 2, 2011 5:23 PM