2 conditions at 2 different layerKey

  • Question

  • Hi everyone,

    As the title says, I want to filter packets based on 2 conditions at 2 different layerKeys.

    Such as FWPM_CONDITION_IP_REMOTE_ADDRESS at FWPM_LAYER_INBOUND_TRANSPORT_V4

    and

    FWPM_CONDITION_MAC_REMOTE_ADDRESS at FWPM_LAYER_INBOUND_MAC_FRAME_ETHERNET

    How do I add these conditions to the same filter?

    Thanks!


    Sunday, June 29, 2014 10:19 AM

All replies

  • You can't.  A filter can apply to only 1 layer.  In this case you add 2 filters.

    If you need to combine the logic, then you would create your filter at FWPM_LAYER_INBOUND_MAC_FRAME_ETHERNET.  This filter would need a kernel callout which would parse the NBL for the source IP address.  Note that this parsing would occur for every frame that came from that remote MAC address.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Monday, June 30, 2014 5:41 PM
    Moderator
  • Thanks for your reply,

    But what code do I use to find out the MAC address that was matched by my filter, and how do I "parse the NBL for the source IP address"? Could you show me some code?

    Sorry if this is any trouble. Have a nice day!

    Wednesday, July 2, 2014 10:17 AM
  • You can look at the WFPSampler.
    http://code.msdn.microsoft.com/windowshardware/Windows-Filtering-Platform-27553baa/sourcecode?fileId=51338&pathId=430772664

    The link provided does basic packet examination.  At the Ethernet MAC layers, you will have the MAC addresses in the classifiable data, as well as in the Ethernet header itself.  You can parse the IP address in the NBL by advancing the NBL offset by the size of the MAC header, and then parsing the IP header.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation

    Thursday, July 10, 2014 10:49 PM
    Moderator
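
The header walk described in the last reply, as an added example that is not from the thread or from WFPSampler: plain C over a contiguous byte buffer that is assumed to start at the Ethernet header (in a callout those bytes would come from the NET_BUFFER, for example via NdisGetDataBuffer). The function names and the sample frame are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN    14u     /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define ETHERTYPE_IP4  0x0800u
#define ETHERTYPE_VLAN 0x8100u /* 802.1Q tag: 4 extra bytes before the real EtherType */

/* Read a big-endian 16-bit field without assuming alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Extract the source MAC and source IPv4 address (host byte order) from a
 * frame that starts at the Ethernet header. Returns 0 on success, -1 if the
 * frame is truncated, is not IPv4, or carries a malformed IPv4 header. */
int parse_frame_src(const uint8_t *frame, size_t len,
                    uint8_t src_mac[6], uint32_t *src_ip)
{
    size_t off = ETH_HDR_LEN;
    if (len < off) return -1;
    memcpy(src_mac, frame + 6, 6);              /* source MAC follows destination MAC */
    uint16_t type = rd16(frame + 12);
    if (type == ETHERTYPE_VLAN) {               /* skip one VLAN tag if present */
        if (len < off + 4) return -1;
        type = rd16(frame + 16);
        off += 4;
    }
    if (type != ETHERTYPE_IP4 || len < off + 20) return -1;
    const uint8_t *ip = frame + off;            /* "advance" past the MAC header */
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;    /* IPv4 header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < off + ihl) return -1;
    *src_ip = ((uint32_t)ip[12] << 24) | ((uint32_t)ip[13] << 16) |
              ((uint32_t)ip[14] << 8)  |  (uint32_t)ip[15];
    return 0;
}

/* Both conditions from the question in one check: returns 1 only when the
 * frame's source MAC and source IPv4 address both match, otherwise 0. */
int frame_matches(const uint8_t *frame, size_t len,
                  const uint8_t want_mac[6], uint32_t want_ip)
{
    uint8_t mac[6];
    uint32_t ip;
    if (parse_frame_src(frame, len, mac, &ip) != 0) return 0;
    return memcmp(mac, want_mac, 6) == 0 && ip == want_ip;
}

/* Constructed sample: 02:00:00:00:00:02 -> 02:00:00:00:00:01, IPv4 192.0.2.10 -> 192.0.2.1 */
static const uint8_t sample_mac[6] = { 0x02, 0, 0, 0, 0, 0x02 };
static const uint8_t sample_frame[] = {
    0x02, 0, 0, 0, 0, 0x01,  0x02, 0, 0, 0, 0, 0x02,  0x08, 0x00,
    0x45, 0, 0, 0x14, 0, 0, 0, 0, 0x40, 0x11, 0, 0,
    0xC0, 0x00, 0x02, 0x0A,  0xC0, 0x00, 0x02, 0x01 };
```

Frames that are truncated or not IPv4 are treated as non-matching rather than parsed on a best-effort basis, so a short or odd frame can never satisfy the combined condition.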