FWPM_LAYER_DATAGRAM_DATA_V4 and data length

  • Question

  • I want to count traffic at FWPM_LAYER_DATAGRAM_DATA_V4 ( only data length ).

    This is a part of the code:

        dataLength = NET_BUFFER_DATA_LENGTH( NET_BUFFER_LIST_FIRST_NB( nbl ) );

        if ( GetDirection( inFixedValues ) == FWP_DIRECTION_OUTBOUND )
        {
            flow->sendBytes += dataLength;
        }
        else
        {
            flow->recvBytes += dataLength;
        }
    


    Then I run a test: send "hello" to the echo server and check my counts:
    flow->recvBytes = 5 ( length of "hello" )
    flow->sendBytes = 0xD ( length of "hello" + length of the UDP header )

    OS: 7600.16841.x86fre.win7_gdr.110622-150
    tcpip: Tue Jun 21 07:25:01 2011 (4E000F0D)

    Tuesday, November 8, 2011 12:10 PM

Answers

  • For OUTBOUND traffic at any transport layer (OUTBOUND_TRANSPORT, DATAGRAM_DATA, STREAM_PACKET, etc) the initial packet offset is at the transport header.  For your data only counts you will need to subtract the size of the transport header (indicated in FWPS_METADATA_FIELD_TRANSPORT_HEADER_SIZE).
    For INBOUND traffic at any transport layer, the transport header has already been parsed and the offset adjusted to the data portion.   No extra steps need be taken for your data only counts.

     

    UINT32 transportHeaderSize = 0;

    // transportHeaderSize is only valid when its own metadata field is present.
    if(FWPS_METADATA_FIELD_IS_PRESENT(inMetaValues,
                                      FWPS_METADATA_FIELD_TRANSPORT_HEADER_SIZE))
       transportHeaderSize = inMetaValues->transportHeaderSize;

    dataLength = NET_BUFFER_DATA_LENGTH(NET_BUFFER_LIST_FIRST_NB( nbl ) );
    if(GetDirection( inFixedValues ) == FWP_DIRECTION_OUTBOUND)
    {
       // Outbound: the offset is at the transport header, so exclude it.
       dataLength -= transportHeaderSize;

       flow->sendBytes += dataLength;
    }
    else
       // Inbound: the offset is already at the data portion.
       flow->recvBytes += dataLength;
    

     


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------


    Tuesday, November 8, 2011 4:51 PM
    Moderator
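
The accounting rule from the answer above, as an added user-mode model (not code from the original posts and not driver code). The `mock_` types, flag values, the `skipped` counter and the function names are hypothetical stand-ins for the WFP structures; the model also refuses to count an outbound indication when the header-size field is absent or larger than the buffer, which is an assumption of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for the WFP flags; values are constructed, not those in fwpsk.h. */
enum direction { DIR_OUTBOUND, DIR_INBOUND };
#define MOCK_FIELD_TRANSPORT_HEADER_SIZE     0x1u
#define MOCK_FIELD_TRANSPORT_ENDPOINT_HANDLE 0x2u

struct mock_meta {
    uint32_t present;               /* bitmask of fields that are valid */
    uint32_t transport_header_size; /* valid only if the HEADER_SIZE bit is set */
};

struct flow_stats {
    uint64_t send_bytes, recv_bytes; /* payload bytes only */
    uint64_t skipped;                /* indications that could not be sized safely */
};

/* Account one indication. nb_len models NET_BUFFER_DATA_LENGTH of the first
 * NET_BUFFER. Returns true if payload bytes were added to a counter. */
static bool account(struct flow_stats *f, enum direction dir,
                    size_t nb_len, const struct mock_meta *m)
{
    if (dir == DIR_INBOUND) {        /* offset is already past the transport header */
        f->recv_bytes += nb_len;
        return true;
    }
    /* Outbound: the offset is at the transport header, so its size must be known
     * and must not exceed the buffer length (the subtraction would wrap). */
    if (!(m->present & MOCK_FIELD_TRANSPORT_HEADER_SIZE) ||
        m->transport_header_size > nb_len) {
        f->skipped++;
        return false;
    }
    f->send_bytes += nb_len - m->transport_header_size;
    return true;
}

/* The "hello" echo test from the question: 5 payload bytes, 8-byte UDP header. */
static struct flow_stats hello_echo(void)
{
    struct flow_stats f = {0};
    struct mock_meta m = { MOCK_FIELD_TRANSPORT_HEADER_SIZE, 8 };
    account(&f, DIR_OUTBOUND, 13, &m); /* 0xD bytes seen outbound */
    account(&f, DIR_INBOUND, 5, &m);
    return f;
}
```
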

All replies

  • Thank you! It works fine.
    Wednesday, November 9, 2011 3:16 PM