Netsh FWPM_NET_EVENT_TYPE_CLASSIFY_DROP

Hi

I have a MUX 1:1 driver sitting on top of the real NIC driver.
Setup has 2 machines connected back to back (static IPs). Both have NetMon on them.

I am using Winsock to send a UDP pkt from machine_2 to machine_1 mux_driver.
I see the pkt in Netmon on both sides (i.e. my mux driver doesn't drop it; instead it does a proper NdisMIndicateReceiveNetBufferLists(), the pkt contents are not garbled, etc.)

But the KeWait() (after WskReceiveFrom()) I have on machine_1 for this UDP packet doesn’t get satisfied and eventually returns STATUS_IO_TIMEOUT.

I briefly tried a TCP connection socket. The issue is the same: WskAccept() fails.

I used the below cmd to collect a netsh trace on machine_1:
netsh trace start ndis globallevel=0xff capture=yes capturemultilayer=yes

The following section from netevents.xml seems to be my pkt, and it has the FWPM_NET_EVENT_TYPE_CLASSIFY_DROP identifier on it.
Looks like somebody dropped my pkt, probably NDIS or tcpip.sys?
I even disabled all protocols (except Netmon, ipv4), still I see this pkt drop.

The destination port (i.e. the listening port on machine_1) is a well-known port, if that means anything here. But I used an ephemeral port as well and see the same behavior.

Please let me know

  • Whether that identifier implies NDIS (or who?) dropped the pkt, thereby not having the pkt reach whom: tcpip.sys or afd.sys?

  • Are there any other means/tools to debug this to point to which OS component dropped the pkt?

  • The below capture was for ipv4, so I am not sure what some of the FWPM_NET_EVENT_FLAG_*_SET values below mean.


2015-10-28T00:13:27.475Z

FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET
FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET
FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET
FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET
FWPM_NET_EVENT_FLAG_APP_ID_SET
FWPM_NET_EVENT_FLAG_USER_ID_SET
FWPM_NET_EVENT_FLAG_IP_VERSION_SET
FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET

FWP_IP_VERSION_V4
17
192.168.1.10
192.168.1.20
4791
56465
0
530079007300740065006d000000
S.y.s.t.e.m...
S-1-5-18
FWP_AF_INET
S-1-0-0

FWPM_NET_EVENT_TYPE_CLASSIFY_DROP
67183
44
0
1
1
MS_FWP_DIRECTION_OUT
false
0
0
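As an added example (not part of the original post), here is a small parser for a CLASSIFY_DROP record like the one above: it pulls out the 5-tuple, decodes the hex appId (UTF-16LE image path) and resolves the filter and layer IDs. The XML element names are assumed to follow the FWPM_NET_EVENT_HEADER / FWPM_NET_EVENT_CLASSIFY_DROP field names, and the layer-ID table is a partial one taken from the FWPS_BUILTIN_LAYERS enumeration in fwpsk.h; the sample record is constructed from the values in the post.

```python
# Added example: summarise a FWPM_NET_EVENT_TYPE_CLASSIFY_DROP record from netevents.xml.
import xml.etree.ElementTree as ET

# Constructed sample record (values from the post); element names are an assumption
# based on the FWPM_NET_EVENT_HEADER / FWPM_NET_EVENT_CLASSIFY_DROP field names.
SAMPLE_EVENT = """<item>
  <header>
    <timeStamp>2015-10-28T00:13:27.475Z</timeStamp>
    <ipVersion>FWP_IP_VERSION_V4</ipVersion>
    <ipProtocol>17</ipProtocol>
    <localAddrV4>192.168.1.10</localAddrV4>
    <remoteAddrV4>192.168.1.20</remoteAddrV4>
    <localPort>4791</localPort>
    <remotePort>56465</remotePort>
    <appId><data>530079007300740065006d000000</data></appId>
    <userId>S-1-5-18</userId>
  </header>
  <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
  <classifyDrop>
    <filterId>67183</filterId>
    <layerId>44</layerId>
    <msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
    <isLoopback>false</isLoopback>
  </classifyDrop>
</item>"""

# Partial map of run-time layer IDs (FWPS_BUILTIN_LAYERS, fwpsk.h) for the IPv4 ALE layers.
ALE_V4_LAYERS = {36: "ALE_RESOURCE_ASSIGNMENT_V4", 40: "ALE_AUTH_LISTEN_V4",
                 44: "ALE_AUTH_RECV_ACCEPT_V4", 48: "ALE_AUTH_CONNECT_V4",
                 52: "ALE_FLOW_ESTABLISHED_V4"}
PROTOCOLS = {6: "TCP", 17: "UDP"}

def decode_app_id(hex_data):
    """appId is the image path as hex-encoded UTF-16LE; drop the trailing NUL."""
    return bytes.fromhex(hex_data).decode("utf-16-le").rstrip("\x00")

def summarize_drop(xml_text):
    """Return the who/what/where of a CLASSIFY_DROP event, or None for other event types."""
    item = ET.fromstring(xml_text)
    if item.findtext("type") != "FWPM_NET_EVENT_TYPE_CLASSIFY_DROP":
        return None
    hdr, drop = item.find("header"), item.find("classifyDrop")
    proto, layer = int(hdr.findtext("ipProtocol")), int(drop.findtext("layerId"))
    return {"time": hdr.findtext("timeStamp"),
            "proto": PROTOCOLS.get(proto, str(proto)),
            "local": f'{hdr.findtext("localAddrV4")}:{hdr.findtext("localPort")}',
            "remote": f'{hdr.findtext("remoteAddrV4")}:{hdr.findtext("remotePort")}',
            "app": decode_app_id(hdr.findtext("appId/data")),
            "user": hdr.findtext("userId"),
            "filter_id": int(drop.findtext("filterId")),
            "layer": ALE_V4_LAYERS.get(layer, f"layerId {layer}"),
            "direction": drop.findtext("msFwpDirection")}

if __name__ == "__main__":
    print(summarize_drop(SAMPLE_EVENT))
```

The filter_id can then be matched against the filters listed by `netsh wfp show filters` to see which provider installed the blocking filter.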