WFP driver callout, get domain name

  • Question

  • I implemented a WFP driver with a callout on FWPM_LAYER_ALE_AUTH_CONNECT_V4 that extracts the datagram payload using 

    NdisAdvanceNetBufferDataStart(...)

    payload = (PBYTE)NdisGetDataBuffer(...);

    The payload buffer memory dump does include the domain. For example, when connecting to www.google.com, the payload includes an ASCII string www\0google\0com. 

    Could you help me figure out the actual payload format?

    Monday, April 25, 2011 5:36 AM

Answers

  • The payload format is different for each application protocol. Most of the well-known protocols (HTTP, DNS, SMTP, etc.) have RFCs which give details on the specific layout of the packet.

    http://www.faqs.org/faqs/

    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Saturday, April 30, 2011 3:22 PM
    Moderator
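The thread never names the protocol, but a name stored as label text separated by non-printable bytes is how DNS encodes a QNAME (each label is prefixed by its length), so the added example below, which is not from the thread or from Microsoft, assumes the datagram is a DNS query and shows how a parser on the callout side would recover the name while rejecting truncated or malformed questions. It is plain user-mode C for illustration rather than kernel code, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the start of a DNS query datagram for www.google.com.
 * 12-byte header (ID 0x1234, RD set, QDCOUNT 1), then the question section:
 * QNAME as length-prefixed labels, QTYPE A (1), QCLASS IN (1). */
static const uint8_t sample_dns_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 6, 'g', 'o', 'o', 'g', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

/* Decode the QNAME of the first question in a DNS datagram into a dotted
 * name. Returns the number of characters written, or -1 if the payload is
 * not a plausible DNS query: too short, QDCOUNT of zero, a label that
 * overruns the datagram, a compression pointer (not valid in a query sent
 * by a resolver), or a name that does not fit in the output buffer. */
int dns_extract_qname(const uint8_t *payload, size_t len, char *out, size_t outlen)
{
    size_t pos = 12;          /* question section starts after the header */
    size_t written = 0;
    if (len < 12 || outlen == 0) return -1;
    if ((payload[4] | payload[5]) == 0) return -1;   /* QDCOUNT == 0 */
    for (;;) {
        if (pos >= len) return -1;              /* ran off the end of the datagram */
        uint8_t lablen = payload[pos++];
        if (lablen == 0) break;                 /* root label terminates the name */
        if (lablen & 0xC0) return -1;           /* pointer or reserved label type */
        if (pos + lablen > len) return -1;      /* label would overrun the payload */
        /* Reserve room for a separating dot (if not the first label) and the NUL. */
        if (written + lablen + (written ? 1 : 0) + 1 > outlen) return -1;
        if (written) out[written++] = '.';
        memcpy(out + written, payload + pos, lablen);
        written += lablen;
        pos += lablen;
    }
    out[written] = '\0';
    return (int)written;
}

int main(void)
{
    char name[256];
    int n = dns_extract_qname(sample_dns_query, sizeof sample_dns_query, name, sizeof name);
    printf("%d %s\n", n, n < 0 ? "(not a DNS query)" : name);
    return 0;
}
```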