Monitoring traffic using WFP RRS feed

  • Question

  • Hi,

    I want to monitor all the network traffic going out of my laptop and also figure out the application involved. My question is: for this purpose, do I need to write a kernel mode callout and then capture all the outgoing packets, or can we do it through a user mode API?

    From the Inspect code, I am confused about how to define my own GUIDs, and also, if I want to capture all the IP, what needs to be changed?

    Another follow-up question is: all my traffic is directed to a proxy server, but ideally I would like to capture the final destination. Can this be done?

    Thanks,

    Ashwin

    Tuesday, August 17, 2010 1:43 AM

All replies

  • A GUID in a layer or callout is just a global flag; you can use guidgen.exe to generate your own GUID.

    You can use the layer FWPM_LAYER_OUTBOUND_TRANSPORT_VX to capture all the outgoing packets and their IPs.

    Tuesday, August 17, 2010 1:58 AM
  • Hi Taian,

    Thanks for the information.

    I have one question: would the IP in the outgoing packet be the final IP, or would it be the IP of the proxy server?

    Thanks,

    Ashwin Patti

    Tuesday, August 17, 2010 4:26 AM
  • This would require a kernel mode callout.  For outgoing, you would likely want to sit at FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6} as well as FWPM_LAYER_OUTBOUND_TRANSPORT_V{4|6}.  This will allow you to get the process information for the connection (AUTH_CONNECT) and capture all outbound traffic (OUTBOUND_TRANSPORT).

    As stated, you can use GUIDGen.exe or UUIDgen.exe to create a GUID: http://msdn.microsoft.com/en-us/library/aa364086(VS.85).aspx.

    This would depend on how the proxying is performed.  If done via WFP, then sitting in the OUTBOUND layers would allow you to see the proxied packets.  If the proxying is done via TDI, then you would likely need to sit at OUTBOUND_IPPACKET.  If proxied at NDIS, then you would currently need a LWF to see them.

    Depending on how the proxying is done, the outgoing IP could be to a proxy server, or the final destination.  I'd suggest using a sniffer (i.e. NetMon) on your machine to determine what is going on and how the proxying is being done.

    Hope this helps


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Tuesday, August 17, 2010 12:05 PM
    Moderator
  • Hi Dusty,

    Thanks for the information.

    From the Inspect sample code the filter action type is taken as:

    filter.action.type = FWP_ACTION_CALLOUT_TERMINATING;

    Why is it Terminating and not FWP_ACTION_CALLOUT_INSPECTION?

    Thanks,

    Ashwin Patti

    Tuesday, August 17, 2010 10:13 PM
  • Hi Dusty,

    I have one more basic question: for my purpose, i.e. to monitor the network (I don't care about IPSec), do I need to do injection and stuff?

    Thanks,

    Ashwin Patti

    Wednesday, August 18, 2010 12:38 AM
  • For basic packet inspection, no (i.e. log the header information).  If you do any modification to the packet, or if you need to do intensive processing during the inspection, then you would do injection and pending etc., depending on where you are sitting.

    Hope this helps.


    Dusty Harper [MSFT]
    Microsoft Corporation
    Wednesday, August 18, 2010 5:56 PM
    Moderator
  • Hi Dusty,

    I want to print the remote IP, local IP, and local application information. For these, I have:

    FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_LOCAL_ADDRESS --- For local ip.

    FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_REMOTE_ADDRESS --- For remote ip.

    FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_ALE_APP_ID -- For app info.

    FWPS_INCOMING_METADATA_VALUES0 *inMetaValues;

    pid = inMetaValues->processId;   ---> for pid.

    if (FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_PROCESS_PATH))
        DbgPrint("PROTMON::PID %d, PID's PATH %s", pid, inMetaValues->processPath->data);  ---> Again for app.

    But in the application information I am getting only "\" and not the actual path, though the IP and PID information is correct. Can you please suggest what I am missing?

    From one of your earlier postings, I tried using %S instead of %s and this resulted in bluescreen.

    Also I tried doing:

    DbgPrint("PROTMON::App Path: %s\n", inFixedValues->incomingValue[index].value.byteBlob->data);

    DbgPrint("PROTMON::App Path: %s\n", inFixedValues->incomingValue[index].value.unicodeString);

    Both of these didn't work.

    Can you please help me on this?

    Thursday, August 19, 2010 5:29 PM
  • Hi,

    The proxying is done at the application level, so I am wondering which would be the best place to get the correct remote IP? Would ALE_REDIRECT be fine?

    Thursday, August 19, 2010 5:45 PM
  • Any update on this?
    Saturday, August 21, 2010 4:45 AM
  • Because the app path is Unicode, when you use DbgPrint you should pass "%S", not "%s".

    Try using inFixedValues->incomingValue[FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_ALE_APP_ID].value.byteBlob->data instead.

    Tuesday, September 21, 2010 8:33 AM
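    The "\" symptom above and the "%S" advice follow from the same fact: WFP hands the app ID and process path as a UTF-16LE byte blob, so the first code unit of L"\Device\..." is the bytes 5C 00 and a narrow %s stops at the 0x00. The portable C below is an added example (not from this thread or the WFP samples): it mirrors the FWP_BYTE_BLOB layout locally so it compiles without the WDK, shows what %s sees, and converts the blob to a narrow string bounded by size rather than by an assumed terminator, which can then be logged with a plain %s at DISPATCH_LEVEL (the DbgPrint documentation restricts wide specifiers such as %S, %ws and %wZ to PASSIVE_LEVEL). The sample path is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Local mirror of FWP_BYTE_BLOB so this compiles without the WDK;
 * a real callout uses the type from fwpsk.h. */
typedef struct { uint32_t size; uint8_t *data; } byte_blob_t;

/* Constructed sample: WFP delivers the app path (ALE_APP_ID field or
 * FWPS_METADATA_FIELD_PROCESS_PATH) as UTF-16LE, e.g. 5C 00 44 00 ... */
static uint8_t g_raw[128];
static byte_blob_t g_sample;

const byte_blob_t *sample_blob(void) {
    const char *ascii = "\\Device\\HarddiskVolume1\\app.exe";
    size_t n = strlen(ascii), i;
    for (i = 0; i < n; i++) { g_raw[2*i] = (uint8_t)ascii[i]; g_raw[2*i+1] = 0; }
    g_raw[2*n] = g_raw[2*n+1] = 0;              /* UTF-16 terminator, as in a real blob */
    g_sample.size = (uint32_t)((n + 1) * 2);
    g_sample.data = g_raw;
    return &g_sample;
}

/* What a narrow "%s" sees: strlen stops at the 0x00 high byte of the first
 * UTF-16 code unit, so L"\Device\..." is logged as just "\". */
size_t narrow_len_seen_by_percent_s(const byte_blob_t *b) {
    return strlen((const char *)b->data);
}

/* Convert the blob to a NUL-terminated narrow string, bounded by b->size
 * rather than by an assumed terminator; non-ASCII code units become '?'.
 * The result is safe for a plain "%s" DbgPrint at DISPATCH_LEVEL, where the
 * wide specifiers (%S, %ws, %wZ) are not permitted (PASSIVE_LEVEL only).
 * Returns the number of characters written, or -1 if `cap` is too small. */
int blob_to_narrow(const byte_blob_t *b, char *out, size_t cap) {
    size_t units = b->size / 2, i, n = 0;
    if (cap == 0 || b->data == NULL) return -1;
    for (i = 0; i < units; i++) {
        uint16_t cu = (uint16_t)(b->data[2*i] | (b->data[2*i+1] << 8));
        if (cu == 0) break;                     /* embedded terminator: stop here */
        if (n + 1 >= cap) return -1;            /* leave room for the NUL */
        out[n++] = (cu < 0x80) ? (char)cu : '?';
    }
    out[n] = '\0';
    return (int)n;
}
```

    In the callout itself the blob still has to be present before it is read, so the FWPS_IS_METADATA_FIELD_PRESENT check from the question stays in front of any use of processPath.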
  • Hi,

    Thanks, I will try that and check it out.

    BTW, I was wondering if anyone has the answer for this: "The proxying is done at the application level, so I am wondering which would be the best place to get the correct remote IP? Would ALE_REDIRECT be fine?"

    i.e. when I connect through VPN and proxy, the destination address is also the proxy IP; I would like to know the final destination address.

    Also, is there any way to figure out the URL instead of the IP address? I won't be able to read from the DNS cache as the table exists in RAM.

    Thanks,

    Ashwin Patti

    Monday, September 27, 2010 6:34 PM