WFP Stream data results

  • Question

  • Hello,

    I'm comparing stream data from my inspect driver [1] (WFP) and Wireshark at session close. I can see that the Wireshark results are different from Inspect's:

    Inspect:   IN: 15277 B, OUT: 6115 B
    Wireshark: IN: 15360 B (15KB), OUT: 6115 B

    or

    Inspect: IN: 12621213 B, OUT: 6115 B
    Wireshark: IN: 12582912 B (12MB), OUT: 6115 B


    [1] Below is the portion of my code that counts the data:

    if (eventType == INSPECT_EVENT_STREAM)
    {
        KLOCK_QUEUE_HANDLE lockHandle;
        PFLOW_CONTEXT flowData = (PFLOW_CONTEXT)flowContext;

        if (flowData != NULL)
        {
            FWPS_STREAM_CALLOUT_IO_PACKET* ioPacket;
            FWPS_STREAM_DATA* streamData;

            ioPacket = (FWPS_STREAM_CALLOUT_IO_PACKET*)layerData;
            NT_ASSERT(ioPacket != NULL);

            streamData = ioPacket->streamData;
            NT_ASSERT(streamData != NULL);

            // Serialize updates to the per-flow counters.
            KeAcquireInStackQueuedSpinLock(&dataLenghtGuard, &lockHandle);

            // Number of bytes indicated in this classify call.
            flowData->DataLength = streamData->dataLength;

            if (streamData->flags & FWPS_STREAM_FLAG_SEND)
            {
                flowData->DataTotalLengthOut += streamData->dataLength;
            }
            else if (streamData->flags & FWPS_STREAM_FLAG_RECEIVE)
            {
                flowData->DataTotalLengthIn += streamData->dataLength;
            }

            // The lock must be released before leaving the classify callback.
            KeReleaseInStackQueuedSpinLock(&lockHandle);
        }
    }


    Can someone explain to me why there is a difference?

    Krzysiek
    Wednesday, October 31, 2018 9:35 PM
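The snippet in the question sums streamData->dataLength on every indication. At the stream layer that field covers every byte currently indicated, including bytes that were presented in an earlier indication and that the callout did not enforce an action on (for example after asking for more data through countBytesRequired), so a running sum of dataLength counts such bytes more than once and can exceed what the wire carried. The Wireshark figures quoted in the question are also rounded (15360 = 15 × 1024, 12582912 = 12 × 1024²), so they cannot confirm the difference byte for byte. The user-mode C program below is an added example, not code from the question or from the WFP inspect sample: it models the engine's re-indication using trimmed stand-ins for the fwpsk.h types (same member names; the flag values are placeholders, not the real header values) and runs the question's accounting beside one that counts countBytesEnforced, on a constructed sequence of indications.

```c
/*
 * Added example (not the poster's driver code): a user-mode model of
 * stream-layer byte accounting. FWPS_STREAM_DATA0 and
 * FWPS_STREAM_CALLOUT_IO_PACKET0 below are trimmed stand-ins for the
 * fwpsk.h types so the file builds without the WDK; the flag values are
 * placeholders, use the fwpsk.h definitions in a real driver.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FWPS_STREAM_FLAG_RECEIVE            0x1u  /* placeholder value */
#define FWPS_STREAM_FLAG_SEND               0x2u  /* placeholder value */
#define FWPS_STREAM_FLAG_RECEIVE_DISCONNECT 0x4u  /* placeholder value */
#define FWPS_STREAM_FLAG_SEND_DISCONNECT    0x8u  /* placeholder value */

typedef struct {
    uint32_t flags;       /* direction and disconnect bits */
    size_t   dataLength;  /* bytes indicated now, including re-indicated ones */
} FWPS_STREAM_DATA0;

typedef struct {
    FWPS_STREAM_DATA0 *streamData;
    size_t countBytesRequired;  /* callout: indicate again once this many bytes are buffered */
    size_t countBytesEnforced;  /* callout: the action was enforced on this many bytes */
} FWPS_STREAM_CALLOUT_IO_PACKET0;

/* Per-flow counters: the question's approach beside counting enforced bytes. */
typedef struct {
    uint64_t inSumOfDataLength, outSumOfDataLength;
    uint64_t inEnforced, outEnforced;
} FLOW_CONTEXT;

/* Engine-side buffer per direction: bytes indicated but not enforced on stay
 * here and are presented again together with newly arrived bytes. */
typedef struct { size_t pendingIn, pendingOut; } ENGINE_STATE;

/*
 * Callout body. needBytes stands in for the inspection logic: if fewer than
 * needBytes are indicated (and this is not a disconnect), ask for more and
 * enforce on nothing; otherwise permit everything that is indicated.
 */
static void classify(FLOW_CONTEXT *flow, FWPS_STREAM_CALLOUT_IO_PACKET0 *io, size_t needBytes)
{
    FWPS_STREAM_DATA0 *sd = io->streamData;
    uint32_t disconnect = FWPS_STREAM_FLAG_RECEIVE_DISCONNECT | FWPS_STREAM_FLAG_SEND_DISCONNECT;

    if (sd->dataLength < needBytes && !(sd->flags & disconnect)) {
        io->countBytesRequired = needBytes;
        io->countBytesEnforced = 0;
    } else {
        io->countBytesRequired = 0;
        io->countBytesEnforced = sd->dataLength;
    }

    if (sd->flags & FWPS_STREAM_FLAG_SEND) {
        flow->outSumOfDataLength += sd->dataLength;        /* what the question's code does */
        flow->outEnforced        += io->countBytesEnforced; /* bytes actually acted on */
    } else if (sd->flags & FWPS_STREAM_FLAG_RECEIVE) {
        flow->inSumOfDataLength  += sd->dataLength;
        flow->inEnforced         += io->countBytesEnforced;
    }
    /* A disconnect-only indication carries dataLength 0 and adds nothing. */
}

/* Model of the engine delivering newBytes in one direction to the callout. */
static void indicate(ENGINE_STATE *eng, FLOW_CONTEXT *flow, uint32_t flags, size_t newBytes, size_t needBytes)
{
    size_t *pending = (flags & FWPS_STREAM_FLAG_SEND) ? &eng->pendingOut : &eng->pendingIn;
    FWPS_STREAM_DATA0 sd = { flags, *pending + newBytes };
    FWPS_STREAM_CALLOUT_IO_PACKET0 io = { &sd, 0, 0 };

    classify(flow, &io, needBytes);
    *pending = sd.dataLength - io.countBytesEnforced;  /* unenforced bytes come back next time */
}

/*
 * Constructed scenario: the peer sends 1000 bytes, the callout wants 1500
 * before deciding, 500 more arrive, a 200-byte reply goes out, then the
 * receive side disconnects. On the wire that is 1500 bytes in, 200 out.
 */
FLOW_CONTEXT run_scenario(void)
{
    ENGINE_STATE eng = { 0, 0 };
    FLOW_CONTEXT flow = { 0, 0, 0, 0 };

    indicate(&eng, &flow, FWPS_STREAM_FLAG_RECEIVE, 1000, 1500);  /* indicated 1000, enforced 0 */
    indicate(&eng, &flow, FWPS_STREAM_FLAG_RECEIVE,  500, 1500);  /* indicated 1500, enforced 1500 */
    indicate(&eng, &flow, FWPS_STREAM_FLAG_SEND,     200,    1);  /* indicated 200, enforced 200 */
    indicate(&eng, &flow, FWPS_STREAM_FLAG_RECEIVE | FWPS_STREAM_FLAG_RECEIVE_DISCONNECT, 0, 1);
    return flow;
}

int main(void)
{
    FLOW_CONTEXT f = run_scenario();
    printf("sum of dataLength: IN %llu OUT %llu\n",
           (unsigned long long)f.inSumOfDataLength, (unsigned long long)f.outSumOfDataLength);
    printf("enforced bytes:    IN %llu OUT %llu\n",
           (unsigned long long)f.inEnforced, (unsigned long long)f.outEnforced);
    return 0;
}
```

Summing dataLength reports 2500 bytes in for a flow that carried 1500, because the first 1000 bytes were indicated twice; summing countBytesEnforced gives the wire figure. This only matches the wire when the callout permits data in order and nothing else writes into the stream: a callout that absorbs data and later re-injects it with FwpsStreamInjectAsync0 should count at the injection point instead.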