Why is filterId in DISCARD_METADATA zero?

  • Question

  • I wrote a program for inspecting packets on the DISCARD layers of WFP. To get the reason and filter id of discards I use the following code:

    if (FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_DISCARD_REASON))
    {
        /* Discard metadata is only valid when the field-present bit is set. */
        FWPS_DISCARD_METADATA0 discardData = inMetaValues->discardMetadata;
        FWPS_DISCARD_MODULE0 discardModule = discardData.discardModule;
        UINT32 discardReason = discardData.discardReason;
        UINT64 discardFilter = discardData.filterId;

        /* discardReason is interpreted relative to the module that dropped the packet. */
        switch (discardModule)
        {
        case FWPS_DISCARD_MODULE_NETWORK:
            PrintNetworkDiscardReason(discardReason);
            break;

        case FWPS_DISCARD_MODULE_TRANSPORT:
            PrintTransportDiscardReason(discardReason);
            break;

        case FWPS_DISCARD_MODULE_GENERAL:
            if (FWPS_DISCARD_FIREWALL_POLICY == discardReason)
            {
                PRINT_MSG("DISCARD_REASON: FWPS_DISCARD_FIREWALL_POLICY");
            }
            else if (FWPS_DISCARD_IPSEC == discardReason)
            {
                PRINT_MSG("DISCARD_REASON: FWPS_DISCARD_IPSEC");
            }
            break;

        default:
            PRINT_MSG("DISCARD_MODULE: unknown (%u)", (UINT32)discardModule);
            break;
        }

        /* filterId is a UINT64; %x only consumes 32 bits, so use a 64-bit format. */
        PRINT_MSG("DISCARD FILTER: %I64x", discardFilter);
    }

    The program writes filterId correctly when a packet is discarded by Windows Firewall (on some ALE layer), but filterId is zero when the antivirus blocks packets (on the FWPS_LAYER_INBOUND_IPPACKET_V4_DISCARD layer).
    Is it possible to get the filterId of the filter that discards those packets?


    • Edited by klimandr Monday, May 6, 2019 9:19 AM typo
    Monday, May 6, 2019 9:11 AM
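Added example, not part of this thread or of the driver code above: once the callout has logged a nonzero filterId, the practical next step on the analysis side is to map that id back to the filter's name, layer and action from a WFP state dump. The script below does that lookup; it assumes that `netsh wfp show filters file=filters.xml` writes the filters as `filters/item` elements carrying `filterId`, `displayData/name`, `layerKey`, `providerKey` and `action/type` (element names taken from that tool's output as I recall it, so treat them as assumptions), and it uses a constructed XML snippet in place of a real dump. A filterId of 0, which is what the question observes on the DISCARD layer, is reported as unattributed rather than looked up.

```powershell
# Added example (not from the thread). Resolves a WFP filterId, as printed in
# hex by a discard-layer callout, to filter name/layer/action using the XML that
# "netsh wfp show filters file=filters.xml" writes. Element names are assumed;
# the sample XML below is constructed for offline use.

function Resolve-WfpFilterId {
    param(
        [Parameter(Mandatory)] [uint64] $FilterId,
        [Parameter(Mandatory)] [xml]    $FilterDump
    )

    # filterId 0 means the discard was not attributed to a filter:
    # there is nothing to look up, so say so explicitly.
    if ($FilterId -eq 0) {
        return [pscustomobject]@{
            FilterId = 0; Attributed = $false; Name = $null
            Layer = $null; Action = $null; Provider = $null
        }
    }

    # XPath is root-agnostic so the dump's outer element name does not matter.
    $node = $FilterDump.SelectSingleNode("//filters/item[filterId='$FilterId']")
    if ($null -eq $node) {
        return [pscustomobject]@{
            FilterId = $FilterId; Attributed = $true; Name = '<not in dump>'
            Layer = $null; Action = $null; Provider = $null
        }
    }

    # SelectSingleNode avoids the PowerShell XML adapter's clash between a child
    # element called <name> and the .NET XmlElement.Name property.
    [pscustomobject]@{
        FilterId   = $FilterId
        Attributed = $true
        Name       = $node.SelectSingleNode('displayData/name').InnerText
        Layer      = $node.SelectSingleNode('layerKey').InnerText
        Action     = $node.SelectSingleNode('action/type').InnerText
        Provider   = $node.SelectSingleNode('providerKey').InnerText
    }
}

# Constructed sample standing in for filters.xml. On a real system use:
#   netsh wfp show filters file=filters.xml
#   $dump = [xml](Get-Content -Raw .\filters.xml)
$sampleDump = [xml]@"
<wfpdiag>
  <filters>
    <item>
      <filterKey>{00000000-0000-0000-0000-000000000001}</filterKey>
      <displayData><name>Sample Block Rule (constructed)</name></displayData>
      <providerKey>{00000000-0000-0000-0000-0000000000aa}</providerKey>
      <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
      <action><type>FWP_ACTION_BLOCK</type></action>
      <filterId>66229</filterId>
    </item>
  </filters>
</wfpdiag>
"@

# The callout prints "DISCARD FILTER: <hex>"; convert that back to the decimal
# id that the netsh dump uses (0x102B5 == 66229, a constructed value).
$loggedHex = '0x102B5'
$id = [Convert]::ToUInt64($loggedHex.Substring(2), 16)

Resolve-WfpFilterId -FilterId $id -FilterDump $sampleDump | Format-List
Resolve-WfpFilterId -FilterId 0   -FilterDump $sampleDump | Format-List
```

Run it from an elevated prompt when using a real dump, since `netsh wfp show filters` needs administrative rights; the constructed sample runs without any privileges.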

All replies

  • Hi,

    How do you know that the antivirus blocks those packets?

    I have a similar problem with a WFP trace that shows blocked packets with filterId as zero.

    This issue is happening to me when I change Windows Firewall rules.

    Thanks,

    Cristian

    Monday, July 22, 2019 1:59 PM