Network monitoring and traffic shaping

  • Question

  • Hello. I need to write an application to monitor and shape network traffic. I've found out that WFP might be the right choice for this. I'm new to driver development and WFP, and I would really appreciate it if you'd answer the following 2 questions in a way I could understand.
    1) What is the best way to perform network monitoring with WFP? Monitoring should be done on all of the TCP traffic and provide the following information: application path or PID, local and remote IP addresses, amount of data transferred. Is it possible to do this without writing a kernel-mode driver?
    2) Is it possible to do traffic shaping with WFP? If so, can you please provide me with some information on how it can be done?
    Tuesday, January 19, 2010 1:05 PM

Answers

  • The simplest and most direct method to get the information you are seeking is to use a kernel WFP callout.  You would want to place callouts at FWPM_LAYER_ALE_AUTH_CONNECT, FWPM_LAYER_ALE_AUTH_RECV_ACCEPT, FWPM_LAYER_INBOUND_TRANSPORT, and FWPM_LAYER_OUTBOUND_TRANSPORT.

    At the ALE layers, you can look in the FWPS_INCOMING_VALUES0 and retrieve the app path (ALE_APP_ID) and IP addresses. The FWPS_INCOMING_METADATA_VALUES0 will contain the process ID.

    At the Transport layers you can parse the headers to retrieve how many bytes are in the packet.

    Can you explain more as to what kind of shaping you are wanting to do?  Via callouts, you can modify packets, proxy connections etc.

    Hope this helps


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Thursday, January 21, 2010 7:14 PM
    Moderator

All replies

  • I also have similar requirements.

     Have you developed some application for this?

     If yes, then could you please tell me how and where to start.

    Thanks

    Tuesday, March 1, 2016 6:02 AM
  • Could you please provide some threads on writing such an application?
    Tuesday, March 1, 2016 6:03 AM
  • Hello Sir,

    Can you tell me how to get the actual data in the packet. I am able to get the header from the packet, but I am facing difficulty getting the actual data from the UDP packet which I am receiving on port 53. I am using the WFPSampler example (Basic Packet Examination). I do not understand how to parse the NET_BUFFER structure, get the actual data (the packet's payload) from the structure, and write it to a file.

    Reply as soon as possible. I need it very urgently.

    Thanks

    Friday, April 29, 2016 7:06 AM