Recent update: 2008-3-21
We need to inspect ARP packets to detect ARP poisoning. Does WFP support this? If not, should I use the new NDIS 6.0 filter driver? And where can I ask questions about the NDIS filter driver?
Is it possible to do cleanup for our driver, as in removing our callouts, filters, etc., from within Safe Mode? It works fine if the user picks Safe Mode with Networking but not if they pick regular Safe Mode, since BFE isn't running. It doesn't seem to be possible to remove the objects without BFE ...
I noticed on a different thread it was said (emphasis added): Biao Wang [MSFT] wrote: You need to use FwpsPendOperation0/FwpsCompleteOperation0 to pend ALE_Xxx invocations as long as FWP_CONDITION_FLAG_IS_REAUTHORIZE is not set. (re-auth can not be pended). Whenever a packet is ...
Hi, I have a driver implementing 2 callouts for both the FWPM_LAYER_INBOUND and OUTBOUND layers, IPv4. I need information about the underlying protocol, let's say Ethernet. Do you know if it is possible without hooking the NDIS layer? Thanks, Fabien.
Hi, I have already written an application some time ago in C# using sockets to do many things, but as you will know they don't expose the functionality or efficiency of the job in hand when creating a firewall, for instance. I recently came across WFP and have been reading any documentation I can ...
Hi, I wrote a WFP callout driver for out-of-band stream data inspection/modification (layer FWPS_LAYER_STREAM_V4/6). The driver blocks all data at the stream layer (for a specific port, e.g. 80 for http), routes the data through a user app and injects all data back to the network stack. This ...
I have just looked over some examples in the DDK and I can't get them to work on WS2K8. I used the example from network\trans. So now I have several questions. 1) Can I filter the TDI layer from WFP? What I want to do is to monitor TDI_CONNECT, TDI_SEND, TDI_RECEIVE and ...
Hi, I want to create a packet filtering and content scanning application to be run under Windows XP SP2, Windows Server 2003 and Windows Vista. Can this be done using WFP? I am a beginner, so any suggestion would be of great help. Regards, Shiraz
Are there any Windows APIs which I could use to read/interpret the active IPSec policy? Actually I need to programmatically know which ports are blocked at the network level by this policy, so that I am not worried about these ports for sure for any kind of vulnerability threats. How can I get the ...
By gustav at 2008-2-15 (709 bytes)
Having moved my filtering code from the transport layer to the IP packet layer due to recommendations found in this newsgroup, I once again ran into new issues. With just intercepting and reinjecting packets I have no issues; however, when the packets are fragmented, traffic seems to stop. On transport ...
I'd like to capture the IP header portion of the specified TCP packets (e.g., packets to the localhost) with WFP. To achieve the goal, I think a callout is required to access the IP header data, but I don't know whether a built-in callout can be used for this purpose or not. Do I have to make ...
What exactly are the differences between a Management Filter Layer and a Runtime Filter Layer, as described in the following MSDN Article: http://msdn2.microsoft.com/en-us/library/aa504935.aspx ? I am familiar with the Management Filter Layers, as I have been using them in (User Mode) ...
I have a callout which is registered on FWPM_LAYER_INBOUND_TRANSPORT_V4 which is looking for SYN packets being received. I have been trying to figure out why I am not seeing as many of them in my callout as I am sending to the machine. I added a KdPrint to output whenever I see one, and what ...
One of the people who is now testing my WFP application/callout is experiencing periodic bluescreens (fairly often, generally within a couple hours) while the machine is idle. The network driver is Rtnicxp.sys, which is a Realtek driver. The crash dumps are always identical, and happen with ...
I have the following situation. I am creating a new simple Filter in the BFE. The session has a Name, Description and is not Dynamic. The custom provider has a defined provider ID, name, description and host service name. The custom sublayer has a sublayer ID, provider ID, name, description ...
I was just testing my code on the Server 2008 beta3, and got a stop error. I attached a kernel debugger and got the following details, but I do not see my kernel code in the call stack. Can you tell if this is due to something I am doing wrong in my code, or is this a bug in beta3? Thanks, ...
Hello, I wrote a user-level program to disable chimney offload. My problem is determining whether the program has any effect. I can run netstat -t to see the connection created when mapping a network drive is offloaded on w2k3 with SNP. However, netstat -t shows the connection created when ...
Hi, In my callout driver, I retrieve the FWPS_FIELD_INBOUND_IPPACKET_V4_LOCAL_INTERFACE field from FWPS_INCOMING_VALUES0, and would like to have information about the interface given its index / luid. Is there any function that does the job? Thanks, Fabien.
Hi, I'm writing a WFP driver with the aim to route all TCP data of a certain port (e.g. 80) through a user app which inspects and/or modifies the data. So I added a filter to the stream layer. As a first step, I'm just cloning the stream data every time my classifyFn is called, block the ...
Thank you for your help. I know how to modify the remote IP of an outgoing UDP packet (http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1950957&SiteID=1), but when I use the same way to modify an incoming UDP package at FWPM_LAYER_INBOUND_TRANSPORT_V4, I use FwpsInjectTransportReceiveAsync0, but ...
I noticed that a couple of things on this forum have been replied to that the feature will be added to the next version of WFP, or in Vista SP1/WS2008. I would like to get a couple of things that bugged me in implementing a firewall using WFP out there for consideration for future releases. ...
By gustav at 2008-2-3 (2773 bytes)
I am currently intercepting ICMP packets on the FWPS_LAYER_OUTBOUND_TRANSPORT_V4 layer. I capture all relevant information for sendArgs, i.e. remote IP address and scope ID, and I also copy the data in inMetaValues->controlData. (simplified code below) ...
What exactly is the definition of the Stream Layer? There is no such layer in the OSI model or TCP/IP. What are some concrete examples of the application of filters placed in this particular layer? What kind of traffic should I expect to capture in this layer. MSDN: FWPM_LAYER_STREAM_V4 ...