receiving fragments twice

  • Question

  • Hi,

    I have installed the latest version of the WDK (6001) + Vista SP1 RC in
    order to have access to the FWP_CONDITION_FLAG_IS_REASSEMBLED
    condition flag.
    It actually works, and the flag is correctly set for reassembled packets. Thanks
    to the WFP team for the fix.
    My problem is that I see fragments twice, i.e. my inbound IP callout is called
    twice for a given fragment, and does so for every fragment, but is not called twice
    for non-fragmented data.
    Are you aware of this issue?

    Thanks for helping,

    Fabien.
    Wednesday, January 2, 2008 4:51 PM

Answers

  • Hi,

     

    The multiple indications of the same packet are documented here: http://msdn2.microsoft.com/en-us/library/aa938498.aspx

     

    Network Layer
     
    IP packet fragments, which are indicated only for inbound paths, are indicated three times at this layer—first as an IP packet, a second time as an IP fragment, and a third time as part of a reassembled IP packet. WFP sets the FWP_CONDITION_FLAG_IS_FRAGMENT flag when it indicates fragments to network layer callouts.

    When adding filtering conditions, FWP_MATCH_FLAGS_NONE_SET can be used along with the FWP_CONDITION_FLAG_IS_FRAGMENT flag to avoid the second indication. If the callout needs to inspect only full packets (those that have not been fragmented and re-assembled), it needs to parse the IP header to avoid processing fragments that are indicated as IP packets. Alternately the callout can inspect packets at the transport layer.

    Our recommendation is that you inspect only fragments at IPPACKET and inspect full packets (stand-alone or reassembled) at TRANSPORT.

     

    Thanks,

    Biao.W.

    Wednesday, January 2, 2008 9:31 PM
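
The answer above says a callout that wants only full packets has to parse the IP header itself, because the first indication of a fragment arrives as an ordinary IP packet. The following is an added example, not code from this thread or from Microsoft: `ip4_classify` and the sample headers are hypothetical names, and it assumes the caller already has the IPv4 header bytes in one contiguous buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ip4_kind { IP4_INVALID = -1, IP4_FULL_PACKET = 0, IP4_FRAGMENT = 1 };

/* Hypothetical helper, not a WFP API: classify the IPv4 header at buf. */
enum ip4_kind ip4_classify(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 20 || (buf[0] >> 4) != 4)
        return IP4_INVALID;                 /* too short, or not IPv4 */
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4;
    size_t total = ((size_t)buf[2] << 8) | buf[3];
    if (ihl < 20 || ihl > len || total < ihl)
        return IP4_INVALID;                 /* bad or truncated header */
    /* Bytes 6-7: flags (reserved, DF, MF) then 13-bit fragment offset. */
    uint16_t ff = (uint16_t)((buf[6] << 8) | buf[7]);
    /* First fragment: MF=1, offset 0. Middle: MF=1, offset>0.
       Last fragment: MF=0, offset>0. Unfragmented: MF=0, offset 0. */
    if ((ff & 0x2000) != 0 || (ff & 0x1FFF) != 0)
        return IP4_FRAGMENT;
    return IP4_FULL_PACKET;
}

/* Constructed sample headers (20 bytes, checksum left as zero). */
#define HDR(b6, b7) { 0x45, 0, 0x05, 0xDC, 0x12, 0x34, (b6), (b7), 64, 17, \
                      0, 0, 192, 0, 2, 1, 192, 0, 2, 2 }
const uint8_t sample_full[20]  = HDR(0x40, 0x00); /* DF set, not fragmented */
const uint8_t sample_first[20] = HDR(0x20, 0x00); /* MF=1, offset 0 */
const uint8_t sample_last[20]  = HDR(0x00, 0xB9); /* MF=0, offset 185*8 */

int main(void)
{
    printf("full=%d first=%d last=%d\n",
           ip4_classify(sample_full, sizeof sample_full),
           ip4_classify(sample_first, sizeof sample_first),
           ip4_classify(sample_last, sizeof sample_last));
    return 0;
}
```

Checking only the MF bit would miss the last fragment of a datagram, which has MF clear and a non-zero offset; that is why both fields are tested.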

All replies

  • Thank you very much for your answer, it was very
    useful.
    Thursday, January 3, 2008 12:18 PM
  • Hi,

     

    For completeness, please note that during the 1st indication, all the TCP/IP stack knows is that the packet has a valid IP header; it does not yet know whether the IP packet is a valid fragment or not. Once it determines that it is, the 2nd indication will follow. If the fragment is invalid/malformed, there won't be a 2nd indication.

     

    Biao.W.

     

    Thursday, January 3, 2008 8:38 PM
  • Thanks for your clarifications.
    Wednesday, January 9, 2008 7:47 AM