none
Connection closing notification in WFP RRS feed

Answers

  • Hi,

     

    To get flow-delete notifications you would first supply a flowDeleteFn function into FWPS_CALLOUT0 when registering your callout using FwpsCalloutRegister0.

     

    Second, during FLOW_ESTABLISHED invocation, call FwpsFlowAssociateContext0 to assocaite a non-0 context with the flow.

     

    After that whenever a flow is torn down, your flowDeleteFn will be invoked (from which you could also free your context).

     

    There is a "MSN Monitor" sample in the WDK demonstrating such usage.

     

    Hope this helps,

    Biao.W.

    Tuesday, March 18, 2008 11:38 PM

All replies

  • Hi,

     

    To get flow-delete notifications you would first supply a flowDeleteFn function into FWPS_CALLOUT0 when registering your callout using FwpsCalloutRegister0.

     

    Second, during FLOW_ESTABLISHED invocation, call FwpsFlowAssociateContext0 to assocaite a non-0 context with the flow.

     

    After that whenever a flow is torn down, your flowDeleteFn will be invoked (from which you could also free your context).

     

    There is a "MSN Monitor" sample in the WDK demonstrating such usage.

     

    Hope this helps,

    Biao.W.

    Tuesday, March 18, 2008 11:38 PM
  • Does it hold true if an user closes a WinSock application? e.g. An IE is running and WFP is monitoring every connection made by IE to open some website. Now if user closes IE then this "flow-delete" notification will be catched?

    Tuesday, July 1, 2008 4:55 PM
  • Yes. Closing IE would cause all sockets created within the IE process be closed, which should then cause flow-deletet be invoked on all of them.

     

    Biao.W.

    Wednesday, July 2, 2008 6:00 AM
  • What about if IE is not getting closed but it close its one of the socket? The flow delete will get called or not?

     

    Thursday, July 3, 2008 12:54 PM
  • Yes it should.

     

    Note that IE uses keep-alive connections quite agressively, so it can take 2-3 minutes before it closes an idle connections.

     

    Biao.W.

    Wednesday, July 9, 2008 5:07 AM