FWPS_INCOMING_VALUES ports different from TCP/UDP header ports

  • Question

  • Hi, I noticed something a little weird and I was wondering if anyone knew why this happens.

    Inside of the ALE Connect layer whenever I receive a connection I display the source address/port and the destination address/port as shown:
    ALE - 167772687::59501 -> 1249764026::80

    Inside of the Inbound Transport layer I receive a packet and display the same information in the same format. To do this I gather the source address and destination address from the FWPS_INCOMING_VALUES0 parameter in the callout and I gather the ports from the transport header with the first two bytes being the source port and the next two bytes being the destination port. When I do this I noticed that what the ports were supposed to be were switched. Here is an example:

    Format: Layer - source address::source port -> destination address::destination port

    ALE - 167772687::59501 -> 1249764026::80
    ALE - 167772687::59502 -> 1116195539::80
    INBOUND - 167772687::80 -> 1249764026::59501
    INBOUND - 167772687::80 -> 1116195539::59502

    These values should be the same in the inbound layer as they are in the ALE layer. When I gather the source and destination ports from the FWPS_INCOMING_VALUES0 parameter in the callout the source and destination ports are correct and match the ALE layer ports.

    So my question is does anyone know as to why the source and destination ports are switched in the TCP/UDP header of the Inbound Transport layer? Is this something with the header itself that I'm not understanding for inbound traffic? I make sure to get the source port as the 1st 2 bytes from the header and the destination as the next 2 bytes. I also tried this in the Outbound layer and the source and destination ports out of the TCP/UDP header matched the ALE layer.

    Tuesday, July 5, 2011 4:45 PM

Answers

  • SOURCE_PORT and DESTINATION_PORT are only at IPFORWARD.  At other layers they are LOCAL_PORT and REMOTE_PORT.  At CONNECT, the LOCAL_PORT indicated is 59501(source) and the REMOTE_PORT indicated is 80 (destination).  At INBOUND_TRANSPORT, you are being indicated the same: REMOTE_PORT 80 (source) LOCAL_PORT 59501 (destination).

    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Tuesday, July 5, 2011 5:21 PM
    Moderator
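
The local/remote mapping described in the answer, as an added example that is not part of the original thread: plain user-mode C that reads the two port fields from a transport header and expresses them as local/remote according to packet direction, so log lines from different layers can be correlated. The types and function names (`direction_t`, `port_pair_t`, `wire_flow_t`, `ports_from_header`, `wire_view`) are hypothetical and not WFP definitions; the header bytes are constructed, and the addresses are the values printed in the question's log lines.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical types for this example; they are not WFP definitions. */
typedef enum { DIR_OUTBOUND, DIR_INBOUND } direction_t;
typedef struct { int ok; uint16_t local_port, remote_port; } port_pair_t;
typedef struct { uint32_t src_addr, dst_addr; uint16_t src_port, dst_port; } wire_flow_t;

/* Constructed sample: first 4 bytes of the TCP header of a reply segment
   from port 80 to port 59501, as seen on the wire (network byte order). */
static const uint8_t SAMPLE_INBOUND_HDR[4] = { 0x00, 0x50, 0xE8, 0x6D };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Header bytes 0-1 are the sender's port and 2-3 the receiver's port.
   For an inbound packet the sender is the remote peer, so the header's
   source port is the remote port; for outbound it is the local port. */
port_pair_t ports_from_header(const uint8_t *hdr, size_t len, direction_t dir)
{
    port_pair_t r = { 0, 0, 0 };
    if (hdr == NULL || len < 4) return r;      /* truncated header: ok stays 0 */
    uint16_t src = be16(hdr), dst = be16(hdr + 2);
    r.local_port  = (dir == DIR_INBOUND) ? dst : src;
    r.remote_port = (dir == DIR_INBOUND) ? src : dst;
    r.ok = 1;
    return r;
}

/* Pair each address with its own port to get the on-wire src -> dst view. */
wire_flow_t wire_view(uint32_t local_addr, uint32_t remote_addr,
                      port_pair_t p, direction_t dir)
{
    wire_flow_t in  = { remote_addr, local_addr, p.remote_port, p.local_port };
    wire_flow_t out = { local_addr, remote_addr, p.local_port, p.remote_port };
    return (dir == DIR_INBOUND) ? in : out;
}

int main(void)
{
    /* Addresses are the host-order values printed in the post's log lines. */
    port_pair_t p = ports_from_header(SAMPLE_INBOUND_HDR, 4, DIR_INBOUND);
    wire_flow_t w = wire_view(167772687u, 1249764026u, p, DIR_INBOUND);
    printf("local %u remote %u\n", (unsigned)p.local_port, (unsigned)p.remote_port);
    printf("wire %u::%u -> %u::%u\n", (unsigned)w.src_addr, (unsigned)w.src_port,
           (unsigned)w.dst_addr, (unsigned)w.dst_port);
    return 0;
}
```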