Modifying the 'inspect' sample - where's the payload?

  • Question

  • I've been modifying the 'inspect' WFP example with the aim of being able to parse the payload of all incoming TCP packets (from a specified IP address) for certain strings. (I've already modified 'inspect' such that only TCP packets are caught by the filter.)

    So far my modifications have been on the 'TLInspectTransportClassify' classifyFn, as shown below. My aim is to have access to the payload of each TCP packet that is caught.

    FWPS_STREAM_CALLOUT_IO_PACKET* ioPacket = (FWPS_STREAM_CALLOUT_IO_PACKET*)layerData;
    FWPS_STREAM_DATA* streamData;
    SIZE_T streamLength;
    BYTE* stream = NULL;
    SIZE_T bytesCopied = 0;

    [...]

    if (ioPacket == NULL) {
        DbgPrint("ioPacket == NULL\n");
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    streamData = ioPacket->streamData;

    if (!streamData) {     // why is this always NULL?  shouldn't our payload be here?
        DbgPrint("streamData == NULL: no data\n");
        classifyOut->actionType = FWP_ACTION_PERMIT;
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
        goto Exit;
    }

    DbgPrint("tcp packet has some data\n");

    streamLength = streamData->dataLength;

    stream = ExAllocatePoolWithTag(NonPagedPool,
                                   streamLength,
                                   'yftN');

    if (!stream)
        return STATUS_INSUFFICIENT_RESOURCES;

    RtlZeroMemory(stream, streamLength);
    FwpsCopyStreamDataToBuffer0(
        streamData,
        stream,
        streamLength,
        &bytesCopied);

    // should now have our tcp payload in 'stream' buffer(?)

    DbgPrint("reached parsing code\n");

    [...]

    From my understanding, after declaring ioPacket as above, ioPacket->streamData should contain the packet's payload. However, ioPacket->streamData is ALWAYS NULL for me. How do I get the packet's payload? Am I doing something wrong?

    Thanks in advance.

    Tuesday, February 22, 2011 10:25 AM

All replies

  • Hey Dave,

    Did you find a solution for your problem yet? What is your e-mail address?

    Regards,

    Ellay K.

    Tuesday, May 10, 2011 11:00 PM
  • This classify function was for the TRANSPORT layers. FWPS_STREAM_CALLOUT_IO_PACKET is only for the STREAM layers. At TRANSPORT the layerData is a NET_BUFFER_LIST*.

    If you are wanting only the TCP packet's payload, then you should be filtering at stream, and using the stream_edit sample as your reference point.
    http://msdn.microsoft.com/en-us/library/ff571071

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Wednesday, May 11, 2011 2:51 PM
    Moderator
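Added example, not code from this thread, the WDK inspect/stream_edit samples, or any Microsoft API: at the stream layer, once FwpsCopyStreamDataToBuffer0 has copied an indication into a buffer, the string search is the remaining work, and because stream data is indicated in chunks a pattern can straddle two indications. The portable C below (scan_state, scan_init, scan_indication and demo are hypothetical names; the two indications are constructed test data) keeps the last pattern-length-minus-one bytes between calls so straddling matches are still counted.

```c
#include <string.h>
#define MAX_PATTERN 32

/* Per-flow carry-over between indications (flow context in a real callout). */
typedef struct {
    const char *pattern; size_t plen; unsigned long matches;
    unsigned char tail[MAX_PATTERN - 1]; size_t tail_len;   /* last plen-1 bytes seen */
} scan_state;

int scan_init(scan_state *st, const char *pattern)   /* 0 if pattern unusable */
{
    memset(st, 0, sizeof *st); st->pattern = pattern; st->plen = strlen(pattern);
    return st->plen > 0 && st->plen <= MAX_PATTERN;
}

/* Count matches of st->pattern starting at offsets below limit in buf. */
static size_t count_at(const scan_state *st, const unsigned char *buf, size_t len, size_t limit)
{
    size_t n = 0;
    for (size_t i = 0; i < limit && i + st->plen <= len; i++)
        if (memcmp(buf + i, st->pattern, st->plen) == 0) n++;
    return n;
}

/* Feed one indication (the bytes FwpsCopyStreamDataToBuffer0 copied out at the
 * stream layer); returns the number of new matches, including straddling ones. */
unsigned long scan_indication(scan_state *st, const unsigned char *data, size_t len)
{
    unsigned char joint[2 * MAX_PATTERN];
    size_t keep = st->plen - 1, head = len < keep ? len : keep, total, start;
    unsigned long found;
    memcpy(joint, st->tail, st->tail_len);              /* tail + head of data */
    memcpy(joint + st->tail_len, data, head);
    found = count_at(st, joint, st->tail_len + head, st->tail_len); /* straddling */
    found += count_at(st, data, len, len);              /* wholly inside data */
    if (len >= keep) {                                  /* new tail: last keep bytes */
        memcpy(st->tail, data + len - keep, keep); st->tail_len = keep;
    } else {                                            /* joint = tail + all data */
        total = st->tail_len + len; start = total > keep ? total - keep : 0;
        memmove(st->tail, joint + start, total - start); st->tail_len = total - start;
    }
    st->matches += found;
    return found;
}

/* Constructed demo: "SECRET" straddles the two indications, then appears whole. */
unsigned long demo(void)
{
    scan_state st;
    if (!scan_init(&st, "SECRET")) return 0;
    scan_indication(&st, (const unsigned char *)"hello SEC", 9);
    scan_indication(&st, (const unsigned char *)"RET SECRET", 10);
    return st.matches;                                  /* 2 */
}
```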