How to get the packet from?

  • Question

  • Like in the FWPS_LAYER_ALE_FLOW_ESTABLISHED_V4 layer, in the classifyFn0 function,

    inMetaValues->processPath->data is the start point of the packet!

    How can I get the path in the FWPM_LAYER_OUT/INBOUND_IPPACKET_V4 layer?

    Wednesday, August 3, 2011 5:56 AM

Answers

  • inMetaValues->processPath is the path of the process associated with the flow (i.e. \device\harddiskvolume2\program files (x86)\internet explorer\iexplore.exe).

    For FWPM_LAYER_OUTBOUND_IPPACKET_V{4 / 6} you would associate a flow context at FWPM_LAYER_ALE_FLOW_ESTABLISHED_V{4 / 6} with the information and retrieve it at the IPPACKET layer. For inbound, you would need to be at TRANSPORT, as INBOUND_IPPACKET is too early for retrieving flow context.

    Hope this helps,

     


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Wednesday, August 3, 2011 6:42 PM
    Moderator

All replies

  • I do this in the IPPACKET layer because I must get the TCP header, and I want to use the flags member of the TCP header struct to determine whether the TCP_FLAG_SYN flag and the TCP_FLAG_ACK flag are set!

    Like this:

    if ((pTcpHeader->flags & TCP_FLAG_SYN) && (pTcpHeader->flags & TCP_FLAG_ACK)){
    
    }
    

    The TRANSPORT layer seems not to be able to get the flags member???



    Thursday, August 4, 2011 3:34 AM
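The SYN/ACK test in the reply above is layer-independent once you hold a pointer to the TCP header; what differs between layers is where that header sits in the NET_BUFFER. The following is an added example, not code from this thread or from Microsoft's WFP samples: it walks a flat buffer that begins at the IPv4 header, validates the IP and TCP header lengths, and applies the poster's SYN+ACK check. The flag constants are the RFC 793 control bits (byte 13 of the TCP header), the three packets are constructed inline rather than captured, and no WDK API is used, so it builds with any C compiler.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TCP control bits: the low six bits of byte 13 of the TCP header (RFC 793). */
#define TCP_FLAG_FIN 0x01
#define TCP_FLAG_SYN 0x02
#define TCP_FLAG_RST 0x04
#define TCP_FLAG_PSH 0x08
#define TCP_FLAG_ACK 0x10
#define TCP_FLAG_URG 0x20

/* Given a pointer to the start of a TCP header and the bytes available from
 * there, return the flags byte, or -1 if the header is truncated or malformed.
 * This part does not depend on the WFP layer: once you have the transport
 * header, this is all the flag check needs. */
int tcp_flags(const uint8_t *tcp, size_t len)
{
    if (len < 20) return -1;                        /* minimum TCP header */
    size_t doff = (size_t)(tcp[12] >> 4) * 4u;      /* data offset, in 32-bit words */
    if (doff < 20 || doff > len) return -1;         /* options claim more than we have */
    return tcp[13];
}

/* Given a buffer that begins at the IPv4 header, find the transport header
 * and return the TCP flags, or -1 for anything that is not a complete,
 * first-fragment IPv4/TCP packet. */
int tcp_flags_from_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;  /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4u;      /* IP header length incl. options */
    if (ihl < 20 || ihl > len) return -1;
    if (pkt[9] != 6) return -1;                     /* protocol field: 6 = TCP */
    uint16_t frag = (uint16_t)((pkt[6] << 8) | pkt[7]);
    if (frag & 0x1FFF) return -1;                   /* non-first fragment: no TCP header here */
    size_t total = (size_t)((pkt[2] << 8) | pkt[3]);
    if (total < ihl || total > len) return -1;      /* trust the IP total length, not the buffer */
    return tcp_flags(pkt + ihl, total - ihl);
}

/* The poster's check: SYN and ACK both set (the server's handshake reply). */
int is_syn_ack(const uint8_t *pkt, size_t len)
{
    int flags = tcp_flags_from_ipv4(pkt, len);
    return flags >= 0 && (flags & TCP_FLAG_SYN) && (flags & TCP_FLAG_ACK);
}

/* Constructed sample packets (not captured traffic): 20-byte IPv4 header,
 * 20-byte TCP header, no payload, checksums left at zero. */
const uint8_t SYN_ACK_PKT[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x40, 0x00,  /* v4, IHL 5, total len 40, DF */
    0x40, 0x06, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01,  /* TTL 64, proto 6 (TCP), src 10.0.0.1 */
    0x0a, 0x00, 0x00, 0x02,                          /* dst 10.0.0.2 */
    0x00, 0x50, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x01,  /* sport 80, dport 49152, seq 1 */
    0x00, 0x00, 0x00, 0x02, 0x50, 0x12, 0xff, 0xff,  /* ack 2, doff 5, flags SYN|ACK, window */
    0x00, 0x00, 0x00, 0x00                           /* checksum 0, urgent 0 */
};

const uint8_t SYN_PKT[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x02, 0x40, 0x00,
    0x40, 0x06, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x02,
    0x0a, 0x00, 0x00, 0x01,
    0xc0, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01,  /* sport 49152, dport 80, seq 1 */
    0x00, 0x00, 0x00, 0x00, 0x50, 0x02, 0xff, 0xff,  /* ack 0, doff 5, flags SYN only */
    0x00, 0x00, 0x00, 0x00
};

const uint8_t UDP_PKT[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x03, 0x40, 0x00,  /* total len 28 */
    0x40, 0x11, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01,  /* proto 17 (UDP) */
    0x0a, 0x00, 0x00, 0x02,
    0x00, 0x35, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00   /* UDP: ports 53/53, len 8, csum 0 */
};

int main(void)
{
    printf("SYN/ACK sample: %s\n", is_syn_ack(SYN_ACK_PKT, sizeof SYN_ACK_PKT) ? "SYN+ACK" : "other");
    printf("SYN sample:     %s\n", is_syn_ack(SYN_PKT, sizeof SYN_PKT) ? "SYN+ACK" : "other");
    printf("UDP sample:     flags=%d (no TCP header)\n", tcp_flags_from_ipv4(UDP_PKT, sizeof UDP_PKT));
    return 0;
}
```

In a callout the bytes come out of the NET_BUFFER (for example via NdisGetDataBuffer with a contiguous-copy fallback), and the buffer does not always begin at the IP header: inbound layers have already been advanced past the headers the stack parsed, so the offset of the TCP header has to be taken from the layer's documented data start and the inMetaValues header-size fields rather than assumed. The length checks matter for the same reason the flow-context answer does: a classify at a packet layer sees every packet, including fragments and options, not just the well-formed handshake.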
  • The whole TCP header is available at Transport. How are you retrieving the header?

     


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Thursday, August 4, 2011 4:49 AM
    Moderator
  • Some questions!

    (1)

    You mean to do it in the INBOUND_TRANSPORT layer instead of FWPM_LAYER_INBOUND_IPPACKET_V{4 / 6}?

    I tried! In the FWPM_LAYER_INBOUND_TRANSPORT_V4 layer, inMetaValues->processPath->data is not available.

     

    (2)

    I use FwpsFlowAssociateContext0 to associate information in the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer:

        status = FwpsFlowAssociateContext0(inMetaValues->flowHandle,
                                           FWPS_LAYER_OUTBOUND_IPPACKET_V4,
                                           g_OBIpPacketId,
                                           pFlowData);

    The association is OK!

    But the classifyFn0 function in the FWPS_LAYER_OUTBOUND_IPPACKET_V4 layer is never entered.

     

     

    (3)

    I want to get all inbound and outbound packets and must get the transport header (TCP header).

    I do this in the IN/OUTBOUND_IPPACKET layers now, but I cannot get the processPath.

    What can I do?

    Thank you, Dusty!

     



    Thursday, August 4, 2011 5:11 AM