Application-specific TCP data: transitioning from LSP model to WFP RRS feed

  • Question

  • I'm rewriting an LSP-based Internet monitoring solution for Windows 8 using WFP. When using an LSP, a separate copy of the code is loaded into each application, so the TCP data is by definition collected for each application discretely. In WFP, at the FWPM_LAYER_STREAM_PACKET_V4 level, if I understand correctly, there is only one copy of the kernel-mode driver and therefore the TCP data from all applications is mixed together.

    With the current solution, my users have the option to not monitor applications that I specify, and it's easy for me to separate web, chat, ftp traffic etc. because I know which application each copy of the LSP is loaded in. How can I recreate this in WFP? Can I tell, at the stream level, which application the data was collected from? What about at the packet level? I know I can say which applications are allowed to access the Internet, but that's actually outside the scope of my application.

    I don't expect there to be a one-to-one correspondence in features between LSP and WFP, but this difference in the conceptual models is making it hard for me to figure out how to keep providing functionality my users are used to.

    Wednesday, July 25, 2012 4:24 PM

All replies

  • You can associate context @ ALE_FLOW_ESTABLISHED (http://msdn.microsoft.com/en-us/library/windows/hardware/ff551165(v=vs.85).aspx). This layer will help you identify what application the stream data is from (ALE_APP_ID). Once you associate the flow with whatever data you need, that data will be passed in to the classifyFn in the flowContext parameter.

    If you associate context, then you can also use the FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW flag so your callout is only invoked @ stream for flows you've associated context with.  This will help prevent your callout from processing the flows you don't care about.

    Additionally, you can break up the flows by using stricter filters (i.e. filtering by the ports).  Doing this will allow your callout to only be invoked for the traffic you care about.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Wednesday, July 25, 2012 5:39 PM
    Moderator
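
The three-callback pattern described in the answer above (attach a context at ALE_FLOW_ESTABLISHED, read it back at STREAM with FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW, free it in flowDeleteFn), as an added example that is not code from this thread or from the MSNMntr sample. It assumes the WDK headers (ntddk.h, fwpsk.h), a driver with a device object, two callout GUIDs of your own (APPMON_FLOW_CALLOUT_KEY and APPMON_STREAM_CALLOUT_KEY, declared extern here), and a hypothetical list of monitored image names; every AppMon/APPMON name is this example's own. The user-mode filter setup is described after the block rather than shown.

```c
/* Per-application TCP stream accounting through a WFP flow context. Added example, not code from
 * this thread or the MSNMntr sample; builds only with the WDK in a kernel-mode driver project.
 * The AppMon/APPMON names, the two GUIDs and the monitored-image list are hypothetical. */
#define NDIS60 1                 /* fwpsk.h pulls in ndis.h, which needs an NDIS 6 version macro */
#include <ntddk.h>
#pragma warning(disable: 4201)   /* nameless struct/union in fwpsk.h */
#include <fwpsk.h>
#define APPMON_POOL_TAG 'nMpA'
extern const GUID APPMON_FLOW_CALLOUT_KEY;    /* assumed: generated with guidgen, defined elsewhere */
extern const GUID APPMON_STREAM_CALLOUT_KEY;
static UINT32 g_StreamCalloutId;              /* set by FwpsCalloutRegister1 in AppMonRegisterCallouts */

/* Attached at ALE_FLOW_ESTABLISHED_V4; WFP hands the same pointer back as flowContext to the
 * STREAM_V4 classifyFn for every segment of that flow, and finally to flowDeleteFn. */
typedef struct _APPMON_FLOW_CONTEXT {
    UINT16 RemotePort;           /* bucket web/chat/ftp by port from here */
    LONG64 BytesSent, BytesReceived;
    SIZE_T AppIdSize;            /* bytes in AppId: UTF-16 NT device path of the image */
    WCHAR  AppId[1];             /* variable length, allocated after the header */
} APPMON_FLOW_CONTEXT, *PAPPMON_FLOW_CONTEXT;

/* User policy: monitor a flow only if the owning image's file name is on the (hypothetical) list.
 * Compares the last path component case-insensitively; the blob is not assumed NUL-terminated. */
static BOOLEAN AppMonShouldMonitor(_In_reads_bytes_(size) const WCHAR* path, SIZE_T size)
{
    static const PCWSTR monitored[] = { L"chrome.exe", L"firefox.exe", L"iexplore.exe" };
    SIZE_T chars = size / sizeof(WCHAR), i, nameBytes;
    const WCHAR* name = path;
    UNICODE_STRING nameStr, want;
    for (i = 0; i < chars && path[i] != L'\0'; i++)
        if (path[i] == L'\\') name = &path[i + 1];
    nameBytes = (SIZE_T)(&path[i] - name) * sizeof(WCHAR);
    if (nameBytes == 0 || nameBytes > MAXUSHORT) return FALSE;
    nameStr.Buffer = (PWCH)name; nameStr.Length = nameStr.MaximumLength = (USHORT)nameBytes;
    for (i = 0; i < RTL_NUMBER_OF(monitored); i++) {
        RtlInitUnicodeString(&want, monitored[i]);
        if (RtlEqualUnicodeString(&nameStr, &want, TRUE)) return TRUE;
    }
    return FALSE;
}

/* classifyFn at FWPS_LAYER_ALE_FLOW_ESTABLISHED_V4: runs once per connection, reads ALE_APP_ID
 * and attaches a context only for the applications the user wants monitored. */
static VOID NTAPI AppMonFlowEstablishedClassify(_In_ const FWPS_INCOMING_VALUES0* inFixedValues,
    _In_ const FWPS_INCOMING_METADATA_VALUES0* inMetaValues, _Inout_opt_ void* layerData, _In_opt_ const void* classifyContext,
    _In_ const FWPS_FILTER1* filter, _In_ UINT64 flowContext, _Inout_ FWPS_CLASSIFY_OUT0* classifyOut)
{
    const FWP_VALUE0* appId = &inFixedValues->incomingValue[FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_ALE_APP_ID].value;
    UINT16 port = inFixedValues->incomingValue[FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_REMOTE_PORT].value.uint16;
    PAPPMON_FLOW_CONTEXT ctx; SIZE_T ctxSize;
    UNREFERENCED_PARAMETER(layerData); UNREFERENCED_PARAMETER(classifyContext); UNREFERENCED_PARAMETER(filter); UNREFERENCED_PARAMETER(flowContext);
    if (classifyOut->rights & FWPS_RIGHT_ACTION_WRITE) classifyOut->actionType = FWP_ACTION_PERMIT; /* never veto */
    if (!FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_FLOW_HANDLE) ||
        appId->type != FWP_BYTE_BLOB_TYPE || appId->byteBlob == NULL ||
        !AppMonShouldMonitor((const WCHAR*)appId->byteBlob->data, appId->byteBlob->size))
        return;   /* no context attached, so the STREAM_V4 callout never sees this flow */
    ctxSize = FIELD_OFFSET(APPMON_FLOW_CONTEXT, AppId) + appId->byteBlob->size;
    ctx = (PAPPMON_FLOW_CONTEXT)ExAllocatePoolWithTag(NonPagedPoolNx, ctxSize, APPMON_POOL_TAG);
    if (ctx == NULL) return;
    RtlZeroMemory(ctx, ctxSize);
    ctx->RemotePort = port; ctx->AppIdSize = appId->byteBlob->size;
    RtlCopyMemory(ctx->AppId, appId->byteBlob->data, ctx->AppIdSize);
    /* The layer and callout ID name the STREAM_V4 callout, not the one running now. */
    if (!NT_SUCCESS(FwpsFlowAssociateContext0(inMetaValues->flowHandle, FWPS_LAYER_STREAM_V4,
                                              g_StreamCalloutId, (UINT64)(ULONG_PTR)ctx)))
        ExFreePoolWithTag(ctx, APPMON_POOL_TAG);   /* e.g. this flow already carries a context */
}

/* classifyFn at FWPS_LAYER_STREAM_V4. Registered with FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW, so it
 * only runs for flows that got a context above; ctx->AppId says which process owns this data. */
static VOID NTAPI AppMonStreamClassify(_In_ const FWPS_INCOMING_VALUES0* inFixedValues,
    _In_ const FWPS_INCOMING_METADATA_VALUES0* inMetaValues, _Inout_opt_ void* layerData, _In_opt_ const void* classifyContext,
    _In_ const FWPS_FILTER1* filter, _In_ UINT64 flowContext, _Inout_ FWPS_CLASSIFY_OUT0* classifyOut)
{
    PAPPMON_FLOW_CONTEXT ctx = (PAPPMON_FLOW_CONTEXT)(ULONG_PTR)flowContext;
    FWPS_STREAM_CALLOUT_IO_PACKET0* io = (FWPS_STREAM_CALLOUT_IO_PACKET0*)layerData;
    UNREFERENCED_PARAMETER(inFixedValues); UNREFERENCED_PARAMETER(inMetaValues); UNREFERENCED_PARAMETER(classifyContext); UNREFERENCED_PARAMETER(filter);
    if (ctx != NULL && io != NULL && io->streamData != NULL) {
        LONG64 n = (LONG64)io->streamData->dataLength;
        if (io->streamData->flags & FWPS_STREAM_FLAG_RECEIVE) InterlockedExchangeAdd64(&ctx->BytesReceived, n);
        else InterlockedExchangeAdd64(&ctx->BytesSent, n);
    }
    if (io != NULL) io->streamAction = FWPS_STREAM_ACTION_NONE;   /* pass the data through untouched */
    if (classifyOut->rights & FWPS_RIGHT_ACTION_WRITE) classifyOut->actionType = FWP_ACTION_PERMIT;
}

/* flowDeleteFn: called once when the flow ends; the only place the context is freed. */
static VOID NTAPI AppMonFlowDelete(_In_ UINT16 layerId, _In_ UINT32 calloutId, _In_ UINT64 flowContext)
{
    UNREFERENCED_PARAMETER(layerId); UNREFERENCED_PARAMETER(calloutId);
    if (flowContext != 0)   /* report BytesSent/BytesReceived per AppId here, then free */
        ExFreePoolWithTag((PVOID)(ULONG_PTR)flowContext, APPMON_POOL_TAG);
}

static NTSTATUS NTAPI AppMonNotify(_In_ FWPS_CALLOUT_NOTIFY_TYPE type, _In_ const GUID* key, _Inout_ FWPS_FILTER1* filter)
{
    UNREFERENCED_PARAMETER(type); UNREFERENCED_PARAMETER(key); UNREFERENCED_PARAMETER(filter);
    return STATUS_SUCCESS;
}

/* Call from DriverEntry. STREAM_V4 is registered first because its callout ID is what the
 * flow-established callout passes to FwpsFlowAssociateContext0. */
NTSTATUS AppMonRegisterCallouts(_In_ PDEVICE_OBJECT deviceObject)
{
    FWPS_CALLOUT1 stream = { APPMON_STREAM_CALLOUT_KEY, FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW,
                             AppMonStreamClassify, AppMonNotify, AppMonFlowDelete };
    FWPS_CALLOUT1 flow = { APPMON_FLOW_CALLOUT_KEY, 0, AppMonFlowEstablishedClassify, AppMonNotify, NULL };
    UINT32 flowCalloutId;
    NTSTATUS status = FwpsCalloutRegister1(deviceObject, &stream, &g_StreamCalloutId);
    if (!NT_SUCCESS(status)) return status;
    status = FwpsCalloutRegister1(deviceObject, &flow, &flowCalloutId);
    if (!NT_SUCCESS(status)) FwpsCalloutUnregisterById0(g_StreamCalloutId);
    return status;
}
```

The filters that invoke these two callouts are added from user mode with FwpmCalloutAdd0 and FwpmFilterAdd0, one at FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 and one at FWPM_LAYER_STREAM_V4, both with action FWP_ACTION_CALLOUT_INSPECTION since nothing here blocks traffic. The answer's third suggestion (stricter filters) is a filter condition on those filters, for example FWPM_CONDITION_IP_REMOTE_PORT, so the engine only classifies the ports you care about; a condition on the flow-established filter alone already narrows the stream callout, because a flow that never received a context is never delivered to it. Two caveats before relying on this: FwpsFlowAssociateContext0 fails if the flow already carries a context for that layer/callout pair, so check its return and free your allocation as above; and because the context is freed only in flowDeleteFn, FwpsCalloutUnregisterById0 reports the callout as busy while flows with contexts are outstanding, so on unload you must call FwpsFlowRemoveContext0 for each flow you still track (keep them in a list) before unregistering.
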
  • Thanks! I don't quite understand all that yet, because I'm still learning WFP, but it sounds like exactly what I want. Do any of the WFP sample projects have architecture like this?
    Thursday, July 26, 2012 3:27 PM
  • The MSNMntr (http://code.msdn.microsoft.com/Windows-Filtering-Platform-ae42c8d7) sample uses the flowContext.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation

    Thursday, July 26, 2012 7:41 PM
    Moderator