Transport Layer vs. Stream Layer - How to get all sent data

  • Question

  • Hi,

    I'm new to WFP and have the task of inspecting and maybe modifying all plain, readable data which is sent over the network with WFP on Windows Vista RTM. After my research in the DDK, the following layers

    FWPM_LAYER_OUTBOUND_TRANSPORT_V*
    FWPM_LAYER_STREAM_V*

    were possible. On this board there is a topic where Biao Wang said to use FWPM_LAYER_STREAM_V* to inspect this data.

    Biao Wang [MSFT] said:

    At INBOUND_TRANSPORT_V4 layer you will be indicated one IP packet at a time.

    We indicate NET_BUFFER_LIST (which contains one NET_BUFFER, or packet) to INBOUND_TRANSPORT callouts which is a NDIS construct -- you should review NDIS documentation on how to operate on NBLs.

    The best place to inspect TCP content is the STREAM layers. Over there there is a helper function, FwpsCopyStreamDataToBuffer0, which converts NBL data to a flat buffer.

    I have just now tried the MSDN Messenger example again, which uses the FWPM_LAYER_STREAM_V* layer to inspect the data. In this example I removed the conditions to get all data and not only data from MSN Messenger. If I send a message to a friend who is online, the message appears in the tracing tool. Otherwise (and the same for HTTP requests) only the message "Creating flow for traffic" appears, and not the message I sent, although Wireshark displayed the transfer of this message to a server.

    Now my question is:
    Can I really get all plain and readable data with the FWPM_LAYER_STREAM_V* layers, or must I use another one? (FWPM_LAYER_OUTBOUND_TRANSPORT_V*?)

    If I must use the FWPM_LAYER_OUTBOUND_TRANSPORT_V* layer, what is the easiest way to get only the payload?

    Thanks
    Novan
    Monday, March 23, 2009 1:43 PM

All replies

  • All of TCP's data payload will be indicated to you at FWPM_LAYER_STREAM_V* for that flow.

    For *_TRANSPORT_V*, you can use the NBL functions from http://msdn.microsoft.com/en-us/library/bb259887.aspx, mainly NdisAdvanceNetBufferDataStart() and NdisRetreatNetBufferDataStart(). The offsets of the headers are provided as the FWPS_INCOMING_METADATA_VALUES0* value provided to the ClassifyFn.

    At OutboundTransport, you will not have an IP Header yet, so do not retreat past the layerData pointer provided. At InboundTransport, you can advance or retreat based on the header size metadata values.

    For your sample modifications, did you make modifications to only how Stream operates, or did you make changes to the FlowEstablished logic too?

    This link may help assist in debugging your issue http://msdn.microsoft.com/en-us/library/dd163342.aspx.

    If you still need assistance, please provide us with the code changes made.

    Hope this helps
    Dusty Harper [MSFT]
    Monday, March 23, 2009 7:19 PM
    Moderator
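As an added illustration of the offset contract Dusty describes (not code from this thread, from WFP or from NDIS): a user-mode C model in which ModelNetBuffer stands in for a single-MDL NET_BUFFER, ModelMetadata for the transportHeaderSize field of FWPS_INCOMING_METADATA_VALUES0, and the retreat/advance helpers mirror the checks of the real NDIS calls. It shows an inbound-transport classify that retreats to the TCP header and restores the offset, and why a retreat at outbound transport must be refused.

```c
/* Added example (user-mode model, not WFP/NDIS code) of the data-offset contract
 * the reply describes for transport callouts. ModelNetBuffer stands in for a
 * single-MDL NET_BUFFER, ModelMetadata for FWPS_INCOMING_METADATA_VALUES0. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
typedef struct { const uint8_t *buf; size_t len; size_t dataOffset; } ModelNetBuffer;
typedef struct { bool haveTransportHeaderSize; size_t transportHeaderSize; } ModelMetadata;
/* Same contract as NdisRetreat/NdisAdvanceNetBufferDataStart: the data start
 * never leaves the buffer; an impossible move is reported instead. */
static bool model_retreat(ModelNetBuffer *nb, size_t n) {
    if (n > nb->dataOffset) return false;
    nb->dataOffset -= n; return true;
}
static bool model_advance(ModelNetBuffer *nb, size_t n) {
    if (n > nb->len - nb->dataOffset) return false;
    nb->dataOffset += n; return true;
}

/* Inbound transport: data start is at the payload. Retreat by the metadata's
 * transport header size to read the TCP ports, then advance back so the offset
 * is what the stack handed in. Returns payload length, -1 if metadata is absent
 * or the retreat is impossible. */
int model_inbound_transport_classify(ModelNetBuffer *nb, const ModelMetadata *md,
                                     uint16_t *srcPort, uint16_t *dstPort) {
    if (!md->haveTransportHeaderSize) return -1;
    size_t payloadOffset = nb->dataOffset;
    if (!model_retreat(nb, md->transportHeaderSize)) return -1;
    const uint8_t *tcp = nb->buf + nb->dataOffset;
    *srcPort = (uint16_t)((tcp[0] << 8) | tcp[1]);   /* ports are big-endian */
    *dstPort = (uint16_t)((tcp[2] << 8) | tcp[3]);
    model_advance(nb, md->transportHeaderSize);      /* restore before returning */
    return (int)(nb->len - payloadOffset);
}
/* Constructed packet: 20-byte IPv4 header, 20-byte TCP header (443 -> 50000,
 * PSH|ACK), 5-byte payload "GET /". */
static const uint8_t SAMPLE_PACKET[45] = {
    0x45,0,0,45, 0,0,0x40,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,
    0x01,0xBB, 0xC3,0x50, 0,0,0,1, 0,0,0,1, 0x50,0x18, 0xFF,0xFF, 0,0, 0,0,
    'G','E','T',' ','/' };
/* Inbound: the stack has already advanced past both headers (offset 40). */
ModelNetBuffer model_inbound_packet(void) {
    ModelNetBuffer nb = { SAMPLE_PACKET, sizeof SAMPLE_PACKET, 40 }; return nb;
}
/* Outbound: data start is the transport header and there is no IP header yet,
 * so retreating by an IP header size must be refused, as the reply warns. */
bool model_outbound_retreat_is_possible(size_t ipHeaderSize) {
    ModelNetBuffer nb = { SAMPLE_PACKET + 20, sizeof SAMPLE_PACKET - 20, 0 };
    return model_retreat(&nb, ipHeaderSize);
}
```

In a real callout the same pattern applies to the NET_BUFFER from the NBL in layerData, with the retreat amount taken from the metadata only after checking its FWPS_METADATA_FIELD_* flag.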
  • As mentioned by Dusty, you can inspect all TCP data segments from STREAM layers. This is the preferred layer if your goal is content inspection. From the TRANSPORT layer you can inspect TCP control packets as well (e.g. 3-way handshake, ACKs, retransmits, etc.).

    Please read http://msdn.microsoft.com/en-us/library/aa938501.aspx for additional details on STREAM inspection.

    Thanks,
    Biao.W.
    Thursday, March 26, 2009 4:26 AM
  • Thank you for the answer.
    I've now modified the MSDN Messenger example to get the complete payload which is sent over the Stream layer from any application.

    At the moment I've only one question left:

    What about UDP traffic? Does this kind of traffic also go across the Stream layer, or must I use other layers there?

    Thanks
    Novan
    Thursday, March 26, 2009 3:01 PM
  • Stream is for TCP only. Non-TCP packets will be seen at FWPM_LAYER_DATAGRAM_DATA_V* as well as the typical layers like TRANSPORT and IPPACKET.

    Hope this helps.
    Dusty Harper [MSFT]
    Thursday, March 26, 2009 9:41 PM
    Moderator