WFP driver callout, get domain name

  • Question

  • I implemented a WFP driver with callout on FWPM_LAYER_ALE_AUTH_CONNECT_V4 that extracts the datagram payload using 


    payload = (PBYTE)NdisGetDataBuffer(...);

    The payload buffer memory dump does include the domain. For example, when connecting to www.google.com, the payload includes an ASCII string www\0google\0com.


    Could you help me figure out the actual payload format?

    Monday, April 25, 2011 5:36 AM


  • The payload format is different for each application protocol. Most of the well-known protocols (HTTP, DNS, SMTP, etc.) have RFCs which give details on the specific layout of the packet.


    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    This posting is provided "AS IS", with NO warranties and confers NO rights
    Saturday, April 30, 2011 3:22 PM
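Added example, not code from either poster: if the datagram that showed `www\0google\0com` was a DNS query (an assumption; the thread does not state the destination port), the RFC 1035 layout explains the dump. Each label is preceded by a one-byte length (3, 6, 3), which a hex viewer renders as a non-printable character, and the name ends with a zero-length root label. The parser below extracts the QNAME of the first question from a DNS message with a bounds check on every read, which is what a callout that logs or filters on queried names needs, because the payload comes straight off the wire and must never be trusted to be well-formed. The sample packet is constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original thread. Parses the QNAME of the
 * first question in a DNS message (RFC 1035 section 4.1.2). The caller passes
 * the UDP payload as seen by the callout; every read is bounds-checked so a
 * truncated or malformed datagram cannot run past the buffer. Returns the
 * number of characters written to `out` (excluding the NUL), or -1 on error. */
int dns_extract_qname(const unsigned char *msg, size_t msg_len,
                      char *out, size_t out_len)
{
    const size_t hdr_len = 12;           /* ID, flags, QD/AN/NS/AR counts */
    size_t pos = hdr_len, written = 0;

    if (msg == NULL || out == NULL || out_len == 0 || msg_len < hdr_len)
        return -1;
    /* QDCOUNT (bytes 4-5, big-endian) must be at least 1 */
    if (((msg[4] << 8) | msg[5]) == 0)
        return -1;

    for (;;) {
        if (pos >= msg_len)
            return -1;                   /* ran off the end before the root label */
        unsigned char label_len = msg[pos++];
        if (label_len == 0)
            break;                       /* root label: end of name */
        if ((label_len & 0xC0) != 0)
            return -1;                   /* compression pointers do not appear in a QNAME; 0x40/0x80 are reserved */
        if (label_len > 63 || pos + label_len > msg_len)
            return -1;
        /* need room for the label, a separating dot (if not first), and the NUL */
        size_t need = written + label_len + (written ? 1 : 0) + 1;
        if (need > out_len)
            return -1;
        if (written)
            out[written++] = '.';
        memcpy(out + written, msg + pos, label_len);
        written += label_len;
        pos += label_len;
    }
    /* QTYPE and QCLASS must follow the name */
    if (pos + 4 > msg_len)
        return -1;
    out[written] = '\0';
    return (int)written;
}

/* Constructed sample: a standard query for www.google.com, type A, class IN.
 * The bytes 3 / 6 / 3 in front of each label are the length octets that a
 * memory dump shows as non-printable characters between the labels. */
static const unsigned char sample_query[] = {
    0x12, 0x34,                           /* ID */
    0x01, 0x00,                           /* flags: standard query, recursion desired */
    0x00, 0x01,                           /* QDCOUNT = 1 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* ANCOUNT, NSCOUNT, ARCOUNT */
    3, 'w', 'w', 'w',
    6, 'g', 'o', 'o', 'g', 'l', 'e',
    3, 'c', 'o', 'm',
    0,                                    /* root label */
    0x00, 0x01,                           /* QTYPE = A */
    0x00, 0x01                            /* QCLASS = IN */
};

/* Parses the constructed sample; returns the length of the extracted name, or -1. */
int demo_parse_sample(char *out, size_t out_len)
{
    return dns_extract_qname(sample_query, sizeof sample_query, out, out_len);
}

int main(void)
{
    char name[256];
    int n = demo_parse_sample(name, sizeof name);
    if (n < 0) {
        puts("malformed DNS message");
        return 1;
    }
    printf("QNAME: %s (%d chars)\n", name, n);
    return 0;
}
```

In a real callout the same routine would be fed the buffer returned by NdisGetDataBuffer after the transport header has been skipped; the rejected cases (truncated message, label longer than 63 bytes, output buffer too small) are exactly the ones that turn an unchecked strcpy-style copy in kernel mode into a crash or worse, so the function fails closed rather than returning a partial name.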