
How to get Packet's payload or data in WFP sampler code while examining the packet.

Nishant_Varshney Member Posts: 14
Hello,

I have a filter driver based on the Windows Filtering Platform (WFPSampler) which examines or captures all the UDP packets received by the system. I am able to capture or extract the header from the UDP packet (NET_BUFFER). Now I want to get the packet's actual data or payload (which contains the information) and write that to a .txt file. But I am not able to get the packet's actual data or payload (NET_BUFFER) from the received UDP packet. I am capturing packets on the FWPM_LAYER_INBOUND_TRANSPORT_V4 layer.

Reply as soon as possible.

Thank you.

Comments

  • OSR_Community_User Member Posts: 110,217
    Try to do it at the stream layer and check the streamedit sample. There is a function named something like CopyDataToFlatBuffer where it copies the data payload from a NET_BUFFER to a PVOID allocated buffer.

    --------------------------------------------------------

    Gabriel Bercea

    Windows Kernel Driver Consulting

    www.kasardia.com


    On Tue, Apr 26, 2016 at 11:08 PM -0700, wrote:

    > Hello,
    >
    > I have a filter driver based on the Windows Filtering Platform (WFPSampler) which examines or captures all the UDP packets received by the system. I am able to capture or extract the header from the UDP packet (NET_BUFFER). Now I want to get the packet's actual data or payload (which contains the information) and write that to a .txt file. But I am not able to get the packet's actual data or payload (NET_BUFFER) from the received UDP packet. I am capturing packets on the FWPM_LAYER_INBOUND_TRANSPORT_V4 layer.
    >
    > Reply as soon as possible.
    >
    > Thank you.
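The copy-to-flat-buffer routine Gabriel points at is the core of payload extraction, so here is an added user-mode C model of that walk; it is not code from WFPSampler or the streamedit sample. The structs are constructed mocks that mirror only the NET_BUFFER/MDL fields the walk needs (current MDL, current MDL offset, data length, MDL byte count and mapped VA); in a real callout the mapped VA comes from NdisQueryMdl, or the whole job is done by NdisGetDataBuffer. The sample bytes are constructed, and positioning the buffer just past an 8-byte UDP header is an assumption for the demo (where the data offset sits depends on the WFP layer).

```c
/* Constructed model of flattening a NET_BUFFER's data. Not NDIS code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct MockMdl {
    struct MockMdl *Next;
    const uint8_t  *MappedVa;   /* what NdisQueryMdl would hand back */
    size_t          ByteCount;
} MockMdl;

typedef struct MockNetBuffer {
    MockMdl *CurrentMdl;        /* NET_BUFFER_CURRENT_MDL */
    size_t   CurrentMdlOffset;  /* NET_BUFFER_CURRENT_MDL_OFFSET: first MDL only */
    size_t   DataLength;        /* NET_BUFFER_DATA_LENGTH */
} MockNetBuffer;

/* Copy DataLength bytes, starting at the current offset, into a flat buffer.
 * Returns bytes copied, or 0 if the buffer is too small or the MDL chain
 * ends before DataLength is satisfied (treat that as a malformed packet). */
size_t CopyDataToFlatBuffer(const MockNetBuffer *nb, uint8_t *out, size_t outSize)
{
    if (nb->DataLength > outSize) return 0;
    size_t remaining = nb->DataLength, copied = 0;
    size_t skip = nb->CurrentMdlOffset;   /* only consumed on the first MDL(s) */
    for (const MockMdl *mdl = nb->CurrentMdl; mdl && remaining; mdl = mdl->Next) {
        if (skip >= mdl->ByteCount) { skip -= mdl->ByteCount; continue; }
        size_t avail = mdl->ByteCount - skip;
        size_t n = avail < remaining ? avail : remaining;
        memcpy(out + copied, mdl->MappedVa + skip, n);
        copied += n; remaining -= n; skip = 0;
    }
    return remaining ? 0 : copied;
}

/* Constructed sample: an 8-byte UDP header followed by a 10-byte payload that
 * straddles two MDLs; the NET_BUFFER is positioned just past the header. */
size_t DemoPayloadCopy(uint8_t *out, size_t outSize)
{
    static const uint8_t frag1[] = { 0x30,0x39, 0x00,0x35, 0x00,0x12, 0xAB,0xCD,
                                     'h','e','l','l' };      /* hdr + "hell" */
    static const uint8_t frag2[] = { 'o',',',' ','W','F','P' }; /* "o, WFP" */
    MockMdl m2 = { NULL, frag2, sizeof frag2 };
    MockMdl m1 = { &m2, frag1, sizeof frag1 };
    MockNetBuffer nb = { &m1, 8, 10 };   /* skip the 8-byte header, 10 payload bytes */
    return CopyDataToFlatBuffer(&nb, out, outSize);
}
```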
  • Nishant_Varshney Member Posts: 14
    Hello Gabriel Bercea,

    I am using the Basic Packet Examination scenario in the WFPSampler example. I tried to do it at the stream layer, but I am not getting any packets at that layer. I am trying to do it at the FWPM_LAYER_INBOUND_IPPACKET_V4 layer and I am able to get the value of the header for the UDP protocol. But I don't know how to get the data payload from the packet.

    Thanks
  • Sap_Gr Member Posts: 9
    Hi,
    As far as I know you cannot inspect UDP packets at the stream layer. You should register at the datagram data layer and get the data from the net buffers.
    On Apr 27, 2016 3:25 PM, wrote:

    > Hello Gabriel Bercea,
    >
    > I am using the Basic Packet Examination scenario in the WFPSampler example. I tried to do it at the stream layer, but I am not getting any packets at that layer. I am trying to do it at the FWPM_LAYER_INBOUND_IPPACKET_V4 layer and I am able to get the value of the header for the UDP protocol. But I don't know how to get the data payload from the packet.
    >
    > Thanks
  • Nishant_Varshney Member Posts: 14
    Hello Sap Gr,

    Thanks for your reply. But you didn't tell me how to extract or get the payload from the NET_BUFFER structure. I am able to get the packet and the header from the packet. But I want to write the actual data from the packet (the payload) to a file.
  • xusysh Member Posts: 2

    Same problem here :'(
    Did you solve it, bro?

  • xusysh Member Posts: 2

    @Nishant_Varshney said:
    Hello Sap Gr,

    Thanks for your reply. But you didn't tell me how to extract or get the payload from the NET_BUFFER structure. I am able to get the packet and the header from the packet. But I want to write the actual data from the packet (the payload) to a file.

    Same problem here :'(
    Did you solve it, bro?

  • Peter_Viscarola_(OSR) Administrator Posts: 7,380

    Dude... you seriously think somebody from 2016 is still following this thread?

    Which is, by the way, posted to the wrong forum.

    SERIOUSLY?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers
