WFP Driver Issue

  • Question

  • Background:
    We have a WFP network driver whose main function is to encrypt SMB2 protocol network packets. The client network driver encrypts the SMB2 network packets, and the server network driver decrypts them. TCP data filtering is done mainly at the FWPS_LAYER_STREAM_V4 and FWPS_LAYER_STREAM_V6 layers. On a Windows Server 2016 + Windows 7 system we found a problem: for example, when the Windows 7 client opens the file share, the client WFP driver filters 300 bytes and then encrypts the data, but on the Windows Server 2016 server side, FWPS_LAYER_STREAM_V4 / FWPS_LAYER_STREAM_V6 does not receive the corresponding network packet size. I also tried filtering network packets at the FWPS_LAYER_INBOUND_TRANSPORT_V4 / FWPS_LAYER_INBOUND_TRANSPORT_V6 layers and debugged it. I see that Wireshark can filter the client request and the packet size is correct, but the size of the FWPS_LAYER_INBOUND_TRANSPORT_V4 packet is zero (calculated from the NET_BUFFER_LIST).

    My questions:
    1. Why does the server FWPS_LAYER_STREAM_V4 / FWPS_LAYER_STREAM_V6 not filter network packets from the client?

    2. Why is the length of the network packets filtered at the server FWPS_LAYER_INBOUND_TRANSPORT_V4 / FWPS_LAYER_INBOUND_TRANSPORT_V6 0?

    3. According to my own understanding, the WFP driver mechanism should be: however much of a network packet the client WFP driver filters, the server WFP driver can filter just as much. I don't know whether my understanding is wrong?

    Monday, March 13, 2017 6:52 AM

All replies