Problems with the Windows Filtering Platform Sample

  • Question

  • I've recently installed the Windows Filtering Platform Sample.  I am unable to get either of the two suggested experiments included at the end of the description.html document to work.

    Typing "WFPSampler.exe -s BASIC_PACKET_EXAMINATION -l FWPM_LAYER_INBOUND_IPPACKET_V4 -v" in the command prompt window does return a message indicating possible success, but I don't know how to trace through any of the modules to see what is going on.  Being able to do this would be the beginning of my understanding what these modules are doing.

    Should Visual Studio be installed on the test computer as well so that tracing through the (non-driver) modules could be done directly on the test computer?  If this is a common practice, I don't see it mentioned anywhere in the general instructions on deployment of test computers for the purpose of driver development.

    We beginners at driver development need help with the basics.  We need the ABC's.

    When I start a logging session in traceview, and type net stop WFPSamplerCallouts followed by net start WFPSamplerCallouts (both are reported as successful in the command prompt window) nothing is added to the traceview window.  I have followed the author's (of description.html) instructions very carefully.

    This is confusing as there is no service called WFPSamplerCallouts and yet the SCM returns success!  The pdb file that I've opened in traceview.exe is WFPSamplerCalloutDriver.pdb.  So I have no idea what's going on here.  Certainly nothing is getting picked up by traceview.exe.

    The "Creating a Trace Session with a PDB File" link sheds absolutely no additional light on this topic.

    The signing script in the WFPSamplerInstall.bat file does not work, however I was able to sign WFPSampler.exe and WFPSamplerService.exe with my own self-created certificate thereby getting past this problem.

    Every time I try to enter debug mode for the driver (in the latest Visual Studio 2013 Pro), I am told that the project is out of date and a rebuild is needed.

    Of course this makes working with the project in any kind of debug mode next to impossible.  I've seen this before in simple Visual Studio 2010 projects.  It has always been caused by either a bad time stamp on a file which is always fixed by a complete rebuild, or a missing file that is included in the project, which, once removed, fixes the problem.  I don't know how to fix this one either, in the case of the Windows Filtering Platform Sample.

    Although I've debugged many normal (non-driver) applications in the Visual Studio environment, I don't know how to even start tackling the debugging of any of the several modules in this project.  About all I can do with debugging the driver on the test computer is select break all and watch the second hand of the clock on the test computer's desktop stop, and then in the development computer press F5 and then go to the test computer and watch the second hand of the desktop gadget clock ticking away again!  I admit this is lots of fun and imbues me with a great sense of power (I am joking), but it is absolutely inadequate in terms of shedding any light on writing a Windows callout driver, which I very much need to do!

    At the beginning of description.html the following appears:

    "WFPSamplerProxyService.Exe is the service which listens for connections to proxy."

    Where is WFPSamplerProxyService.Exe?????  It is certainly not generated by this solution.

    If your goal in issuing this sample project was to confuse and frustrate some of the developers who are interested in developing a filtering platform callout driver, you have succeeded.  I am not alone in this experience.  I've gone to your website dedicated to this topic.  The number of questions posted with no response is frightening.

    Anything worth doing is worth doing right.  Would it be possible for someone to clean this up and reissue this sample project?  I am confident that I would not be the only one who would appreciate it.

    Thank you!

    Charles S. Cotton

    Saturday, April 4, 2015 9:17 PM
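One way to check which name the sample's driver is actually registered under with the SCM, and whether an ETW trace session is really active, as an added PowerShell diagnostic that is not part of this thread or the WFP sample; the 'WFPSampler*' pattern is an assumption, and the two candidate names are the ones mentioned in the post:

```powershell
# Added diagnostic (not from the thread or the WFP sample): list every service and
# kernel driver whose name matches a pattern, test the SCM names from the post, and
# show the active ETW sessions. The 'WFPSampler*' pattern is an assumption.
param(
    [string]$NamePattern = 'WFPSampler*'
)

function Get-MatchingServiceEntries {
    param([string]$Pattern)
    # Win32 (user-mode) services, the class behind Get-Service
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like $Pattern -or $_.DisplayName -like $Pattern } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; State = $_.State; Start = $_.StartMode; Path = $_.PathName }
        }
    # Kernel drivers are NOT returned by Get-Service / Win32_Service; they live in Win32_SystemDriver
    $drivers = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.Name -like $Pattern -or $_.DisplayName -like $Pattern } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Driver'; Name = $_.Name; State = $_.State; Start = $_.StartMode; Path = $_.PathName }
        }
    @($services) + @($drivers)
}

function Test-ScmName {
    param([string]$Name)
    # sc.exe exits non-zero (1060) when no service or driver is installed under this name;
    # 'sc' alone is the PowerShell alias for Set-Content, so the .exe suffix is required
    $null = & sc.exe query $Name 2>$null
    return ($LASTEXITCODE -eq 0)
}

$entries = Get-MatchingServiceEntries -Pattern $NamePattern
if (-not $entries) {
    Write-Warning "No service or driver matches '$NamePattern'; check the name the install script registered."
} else {
    $entries | Format-Table Kind, Name, State, Start, Path -AutoSize
}

# Names quoted in the post: the one passed to 'net start' and the one on the PDB
foreach ($candidate in 'WFPSamplerCallouts', 'WFPSamplerCalloutDriver') {
    $exists = Test-ScmName -Name $candidate
    Write-Host ("{0,-26} registered with SCM: {1}" -f $candidate, $exists)
}

# If the TraceView session is not listed here, no events will be collected
Write-Host "`nActive ETW trace sessions (logman query -ets):"
& logman.exe query -ets
```

Run it from an elevated prompt on the test computer; a driver whose Kind is 'Driver' with State 'Stopped' will never emit trace events no matter what TraceView is configured to capture.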

All replies

  • Hello Charles

    1) My first advice would be to keep it short. Try to prioritize what you really want to ask and what can wait!

    2) WFP Sampler can be overwhelming for newbies, particularly for those who aren't even familiar with driver dev in the first place. Clear your driver development concepts first, then go for WFP. (Assuming you are interested in modification of network constructs via kernel mode.)

    3) No, you don't need VS on the target computer. For identifying the modules other than yours you will need the symbols of that particular build of Windows.

    4) Since you have already gone ahead and tackled the breakpoint feat (which is a big one for every newbie), I would recommend you start with trying to write a hello world driver, then try to do something with symbolic link names, then try to tell the driver something from user mode, some more... write some much more and write a little... until you're comfortable with the whole dev paradigm :)

    However, a word of caution: it's OK if you are trying to learn this for fun or to add a skill to your resume. Commercial dev is a complex setup and would take a lot of experience to do something significant (not already done by MS).

    Hope this helps

    ___________ Regards Umar Yaqoob ___________

    Wednesday, April 8, 2015 8:00 PM

  • Hi Umar,

    What are you talking about? I thought I did keep it short (Just kidding).

    Seriously though, it would be nice to know why:

    (1) The traceview.exe example produces no activity.

    (2) What is the reference to "WFPSamplerProxyService.Exe" all about?

    (3) Why does net start/stop WFPSamplerCallouts report success (in the Admin command prompt) when there is no WFPSamplerCallouts service?

    I hope that this is sufficiently short and sweet.

    Thank you for responding.

    Charles S. Cotton

    Wednesday, April 8, 2015 9:31 PM