UDP Packet monitoring using Windows Filtering Platform. RRS feed

  • Question

  • Hello,

    I need to write a driver using Windows Filtering Platform to capture UDP packets in Windows 8.1. I need to do following operation:

    1. Capture the packet and then extract the header to get the IP address and port.

    2. To get the packet payload or actual data from the captured packet.

    3. To write the packet payload to a file or to the debugger so that I can view the packet data.

    Tuesday, May 17, 2016 5:27 AM

All replies

  • Very interesting... now, do you have a question?
    Tuesday, May 17, 2016 8:17 AM
  • >Very interesting... now, do you have a question?

    My question is how to do 2 part in the above mentioned point. Can you share any information or piece of code?

    Wednesday, May 18, 2016 6:18 AM
  • This depends on what callouts you've registered and whether you want to access the packet payload from the kernel or usermode.

    You can inspect / manipulate udp packets in the kernel by registering at the ALE_DATAGRAM_DATA layer and manipulating the NBL offsets to reach the part of the packet you're interested in.

    Alternatively, you can also redirect the udp packets at ALE_CONNECT_REDIRECT into a usermode proxy service. The service will be able to inspect/manipulate the udp packet payload before sending it on / dropping it. I'm not entirely sure how to access the udp packets headers with this approach.


    • Proposed as answer by JST86 Wednesday, May 18, 2016 2:39 PM
    Wednesday, May 18, 2016 2:39 PM
  • Can you tell me how to extract or get packet payload from NBL and print that in kernel mode?
    Thursday, May 19, 2016 6:29 AM
  • The exact means of doing this depends on what WFP layer you're registering at. You'll be wanting to manipulate the NBL using the NdisRetreatNetBufferDataStart and NdisAdvanceNetBufferDataStart APIs. Take a look at the WFPSampler driver sample, it has some code paths which end in the LogUDPHeader method which you may find useful.


    Thursday, May 19, 2016 8:50 AM
  • I am able to log the header but not the payload of the packet which i think resides in currentMdl. I am registering it at FWPM_LAYER_INBOUND_TRANSPORT_V4 layer.

    Friday, May 20, 2016 7:29 AM