What layers do I have to use if I control packets without loss and overlapping operations?

  • Question

  • I want to control packets in OS version above windows 8 as following purposes:
    1. IP, Port control of process
    2. shared folder control
    3. MAC address control
    4. Packet redirection
    5. URL Control.

    I think I don't need all layers.
    I want to write logs in callout functions.
    What layers do I have to use if I control packets without loss and overlapping operations?
    Could you suggest layers?

    Thank you in advance.

    Thursday, July 10, 2014 5:07 AM

All replies

  • IP Address, Port and Process is best done at ALE
       FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}
       FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}
       FWPM_LAYER_ALE_FLOW_ESTABLISHED_V{4|6} (to associate extraneous data with the flows)

    MAC Address is best done at MAC_FRAME
       FWPM_LAYER_{IN|OUT}BOUND_MAC_FRAME_ETHERNET

    Packet Redirection is done at ALE
       FWPM_LAYER_ALE_CONNECT_REDIRECT_V{4|6}

    URL and SMB parsing is best done at STREAM
       FWPM_LAYER_STREAM_V{4|6}

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Thursday, July 10, 2014 10:44 PM
    Moderator
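As an added example, not code from this thread or from Microsoft: the PowerShell script below dumps the installed filter table with `netsh wfp show filters`, parses the XML it writes, and groups the filters by the layers named in the reply above, per sublayer, with block/callout counts and the highest explicit weight. That is the check to run before adding your own filters, because "overlapping" results come from filters competing in the same sublayer on weight, or from a block in another sublayer overriding your permit. It assumes Windows 8 or later, an elevated session, and the wfpdiag/filters/item XML layout that netsh writes; `$LayersByPurpose`, `Get-WfpFilterInventory` and `Show-WfpLayerCoverage` are names chosen here, not WFP or netsh names.

```powershell
# Added example, not from the original thread or from Microsoft.
# Inventory the WFP filters already installed at the layers named in the reply,
# grouped by sublayer, so a new filter can pick a sublayer and weight that do
# not collide with what is already there.
# Assumptions: Windows 8 or later, an elevated PowerShell session (netsh wfp
# needs administrator rights), and the wfpdiag/filters/item XML layout that
# "netsh wfp show filters" writes. $LayersByPurpose, Get-WfpFilterInventory
# and Show-WfpLayerCoverage are names chosen here, not WFP or netsh names.

# Layers from the reply above, keyed by the purpose each serves.
$LayersByPurpose = [ordered]@{
    'IP / port / process (ALE)'  = @(
        'FWPM_LAYER_ALE_AUTH_CONNECT_V4',     'FWPM_LAYER_ALE_AUTH_CONNECT_V6',
        'FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4', 'FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6',
        'FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4', 'FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6')
    'MAC address (MAC_FRAME)'    = @(
        'FWPM_LAYER_INBOUND_MAC_FRAME_ETHERNET', 'FWPM_LAYER_OUTBOUND_MAC_FRAME_ETHERNET')
    'Packet redirection (ALE)'   = @(
        'FWPM_LAYER_ALE_CONNECT_REDIRECT_V4', 'FWPM_LAYER_ALE_CONNECT_REDIRECT_V6')
    'URL / SMB parsing (STREAM)' = @(
        'FWPM_LAYER_STREAM_V4', 'FWPM_LAYER_STREAM_V6')
}

function Get-WfpFilterInventory {
    # Dump path must not contain spaces: netsh's file= argument is passed unquoted.
    param([string]$DumpPath = (Join-Path $env:SystemRoot 'Temp\wfp-filters.xml'))

    $null = netsh wfp show filters file=$DumpPath
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $DumpPath)) {
        throw "netsh wfp show filters failed (exit $LASTEXITCODE); run from an elevated prompt."
    }
    [xml]$doc = Get-Content -Path $DumpPath -Raw

    foreach ($item in $doc.wfpdiag.filters.item) {
        # weight is a tagged value: FWP_UINT8 or FWP_UINT64 when set explicitly,
        # FWP_EMPTY when the Base Filtering Engine assigned it automatically.
        $weight = switch ($item.weight.type) {
            'FWP_UINT8'  { [uint64]$item.weight.uint8 }
            'FWP_UINT64' { [uint64]$item.weight.uint64 }
            default      { $null }
        }
        [pscustomobject]@{
            FilterId   = [uint64]$item.filterId
            Name       = $item.displayData.SelectSingleNode('name').InnerText
            Layer      = $item.layerKey
            SubLayer   = $item.subLayerKey
            Weight     = $weight
            Action     = $item.action.type          # FWP_ACTION_PERMIT / BLOCK / CALLOUT_*
            CalloutKey = $item.action.calloutKey    # present only on callout filters
            Conditions = [int]$item.filterCondition.numItems
        }
    }
}

function Show-WfpLayerCoverage {
    $inventory = @(Get-WfpFilterInventory)
    foreach ($purpose in $LayersByPurpose.Keys) {
        Write-Output "== $purpose =="
        foreach ($layer in $LayersByPurpose[$purpose]) {
            $atLayer = @($inventory | Where-Object { $_.Layer -eq $layer })
            Write-Output ('  {0,-40} {1,4} filter(s)' -f $layer, $atLayer.Count)
            # Arbitration: within one sublayer the highest-weight matching filter
            # wins; across sublayers a block overrides a soft permit. The sublayers
            # already present at a layer are therefore what a new filter competes with.
            foreach ($group in ($atLayer | Group-Object SubLayer)) {
                $blocks   = @($group.Group | Where-Object { $_.Action -eq 'FWP_ACTION_BLOCK' }).Count
                $callouts = @($group.Group | Where-Object { $_.Action -like 'FWP_ACTION_CALLOUT_*' }).Count
                $maxW     = ($group.Group | Where-Object { $null -ne $_.Weight } | Measure-Object -Property Weight -Maximum).Maximum
                Write-Output ('    {0}: {1} filter(s), {2} block, {3} callout, max explicit weight {4}' -f $group.Name, $group.Count, $blocks, $callouts, $maxW)
            }
        }
    }
}

Show-WfpLayerCoverage
```

Run it from an elevated prompt. On a stock machine you will see the Windows Firewall's own filters (sublayer FWPM_SUBLAYER_MPSSVC_WF) at the ALE layers; adding your filters in a sublayer of your own (FwpmSubLayerAdd0) keeps ordering among them a question of your weights alone, while a block elsewhere can still override your permits.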
  • Thank you so much.
    Your reply is very helpful to me.
    I would like to ask you a few questions.

    1. There are many callout and sublayer keys in the identifiers.h file of the Windows Filtering Platform Sample.
       Does my company have to request the keys we intend to use if we make a product using the WFP platform?
       Or do we use keys generated by a function like UuidCreate at run time?

    2. I wanted to prevent someone from deleting my filter and found the 'Hindering Filter Deletion' topic in MSDN.
       This document says "The following example code demonstrates how to make a filter difficult to delete by setting a DACL".
       It says not 'impossible' but 'difficult'. In addition, there is 'Forcing Filter Deletion' in the Managing Security topic.
       How could I implement my application so that nobody except me can change its filters?

       
    Tuesday, July 15, 2014 1:15 AM