
Why can't I capture any TCP traffic of PacketSender at FWPM_LAYER_ALE_CONNECT_REDIRECT_V4?

iFengHuang Member Posts: 15

I'm developing a WFP callout driver for redirecting traffic to local proxy (user-mode).

  1. My user-mode app calls FwpmGetAppIdFromFileName0, then sends the app id blob data (byte array) to my WFP callout driver.
  2. Add filters with conditions:

/* Two conditions: IP protocol == TCP and ALE app id == the blob received from user mode.
   'filter' is the FWPM_FILTER being built for the callout (declared elsewhere);
   'appIdFromUserMode' is the FWP_BYTE_BLOB received in step 1. */
FWPM_FILTER_CONDITION conditions[2] = { 0 };
int conditionIndex = 0;

/* Only classify TCP. */
conditions[conditionIndex].fieldKey = FWPM_CONDITION_IP_PROTOCOL;
conditions[conditionIndex].matchType = FWP_MATCH_EQUAL;
conditions[conditionIndex].conditionValue.type = FWP_UINT8;
conditions[conditionIndex++].conditionValue.uint8 = IPPROTO_TCP;

/* Only classify the target application, matched by its app id blob. */
conditions[conditionIndex].fieldKey = FWPM_CONDITION_ALE_APP_ID;
conditions[conditionIndex].matchType = FWP_MATCH_EQUAL;
conditions[conditionIndex].conditionValue.type = FWP_BYTE_BLOB_TYPE;
conditions[conditionIndex++].conditionValue.byteBlob = appIdFromUserMode;

/* Attach both conditions to the filter. */
filter.filterCondition = conditions;
filter.numFilterConditions = sizeof(conditions) / sizeof(conditions[0]);

  3. Redirect to local proxy.

My question is:

When my target appId is "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe", it works well; all traffic is redirected through my local proxy.

But when the target appId is "C:\Program Files (x86)\PacketSender\PacketSender.exe", the ClassifyFn callback of my callout driver is never called, so no traffic is redirected to my local proxy.

And when I try it with "C:\Program Files\internet explorer\iexplore.exe", a small part of the traffic is redirected, but most of it is not.

Comments

  • ashish_kohli Member - All Emails Posts: 58

    Do you always observe appid equal to process id? Better filter all TCP traffic. You can make further checks in the classify function. Make sure you log each TCP packet. Is any TCP packet missed then?

  • ashish_kohli Member - All Emails Posts: 58

    Also specify, do you want TCP traffic or only connect packets?

  • iFengHuang Member Posts: 15

    @ashish_kohli said:
    Do you always observe appid equal to process id? Better filter all TCP traffic. You can make further checks in the classify function. Make sure you log each TCP packet. Is any TCP packet missed then?

    This is a part of my ClassifyFn; I think it logs all? But it never logs anything when the target is PacketSender.

  • iFengHuang Member Posts: 15

    @ashish_kohli said:
    Also specify, do you want TCP traffic or only connect packets?

    What is the difference between TCP traffic and only connect packets? I want to redirect all application-layer traffic, but not the TCP handshakes.

    But my solution works fine if the target is Chrome, so I think the problem arises from the filters.

  • iFengHuang Member Posts: 15

    I found the reason: PacketSender works over IPv6 even if I specify IPv4 mode. :s
    It's a confusing design. :s :s
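The resolution above has a general lesson: a filter added only at the IPv4 connect-redirect layer is never consulted for an IPv6 connect, whatever its conditions say, so an IPv6-speaking process looks as if ClassifyFn were never registered. The following is an added example, not code from this thread, from PacketSender or from the WFP API: a small offline model in C that takes a constructed connection log (address family, IP protocol, image path; the log format, the sample lines and the paths used as match keys are all constructed) and counts how many of the target app's connects no filter would classify, first with the thread's TCP + app-id filter at the V4 layer only, then with the same filter mirrored at the V6 layer. The layer enum stands in for FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 and _V6, and the two struct fields stand in for the FWPM_CONDITION_IP_PROTOCOL and FWPM_CONDITION_ALE_APP_ID conditions of the original post.

```c
/* Added example (not from the thread): models which observed connects reach
 * a callout's ClassifyFn through a TCP + app-id filter, depending on whether
 * the filter exists only at the V4 redirect layer or at V4 and V6. Log format,
 * sample lines and paths are constructed for illustration. */
#include <stdio.h>
#include <string.h>

enum family { FAM_V4 = 4, FAM_V6 = 6 };

/* Stand-ins for FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 / _V6; each layer
 * only ever sees connects of its own address family. */
enum layer { LAYER_REDIRECT_V4 = FAM_V4, LAYER_REDIRECT_V6 = FAM_V6 };

struct conn_event { enum family fam; int proto; char app[160]; };

struct filter {
    enum layer layer;   /* layer the filter is added at */
    int proto;          /* FWPM_CONDITION_IP_PROTOCOL (6 = TCP) */
    const char *app;    /* FWPM_CONDITION_ALE_APP_ID, modelled as the image path */
};

/* App paths from the thread, used here only as match keys. */
static const char *const CHROME = "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe";
static const char *const PACKETSENDER = "C:\\Program Files (x86)\\PacketSender\\PacketSender.exe";
static const char *const IEXPLORE = "C:\\Program Files\\internet explorer\\iexplore.exe";

/* Constructed connection log: "family=v<4|6> proto=<n> app=<path>". */
static const char *const SAMPLE_LOG[] = {
    "family=v4 proto=6 app=C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
    "family=v6 proto=6 app=C:\\Program Files (x86)\\PacketSender\\PacketSender.exe",
    "family=v6 proto=6 app=C:\\Program Files (x86)\\PacketSender\\PacketSender.exe",
    "family=v6 proto=17 app=C:\\Program Files (x86)\\PacketSender\\PacketSender.exe",
    "family=v4 proto=6 app=C:\\Program Files\\internet explorer\\iexplore.exe",
    "family=v6 proto=6 app=C:\\Program Files\\internet explorer\\iexplore.exe",
    "deliberately malformed line that the parser must skip",
};
#define SAMPLE_LOG_LEN (sizeof(SAMPLE_LOG) / sizeof(SAMPLE_LOG[0]))

/* Returns 1 and fills *ev on success, 0 on a malformed line. */
static int parse_event(const char *line, struct conn_event *ev)
{
    int fam = 0;
    if (sscanf(line, "family=v%d proto=%d app=%159[^\n]", &fam, &ev->proto, ev->app) != 3)
        return 0;
    if (fam != FAM_V4 && fam != FAM_V6)
        return 0;
    ev->fam = (enum family)fam;
    return 1;
}

/* The layer is the first gate: a V4-layer filter is never consulted for an
 * IPv6 connect, whatever its conditions say. Then the two conditions apply. */
static int filter_matches(const struct filter *f, const struct conn_event *ev)
{
    if ((int)f->layer != (int)ev->fam) return 0;
    if (f->proto != ev->proto) return 0;
    return strcmp(f->app, ev->app) == 0;
}

/* The thread's TCP + app-id filter at the V4 layer, optionally mirrored at V6.
 * Returns how many filters were written to out[]. */
static size_t build_filters(const char *app, int include_v6, struct filter out[2])
{
    out[0].layer = LAYER_REDIRECT_V4;
    out[0].proto = 6;
    out[0].app = app;
    if (!include_v6) return 1;
    out[1] = out[0];
    out[1].layer = LAYER_REDIRECT_V6;
    return 2;
}

/* Count connects by `app` in SAMPLE_LOG that no filter would classify. */
static int coverage_gap(const char *app, int include_v6)
{
    struct filter filters[2];
    size_t nfilters = build_filters(app, include_v6, filters);
    int missed = 0;

    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++) {
        struct conn_event ev;
        int hit = 0;
        if (!parse_event(SAMPLE_LOG[i], &ev) || strcmp(ev.app, app) != 0)
            continue;
        for (size_t j = 0; j < nfilters && !hit; j++)
            hit = filter_matches(&filters[j], &ev);
        if (!hit) missed++;
    }
    return missed;
}

int main(void)
{
    const char *const apps[] = { CHROME, PACKETSENDER, IEXPLORE };
    for (size_t i = 0; i < 3; i++)
        printf("%s\n  missed, V4 layer only: %d\n  missed, V4 + V6 layers: %d\n",
               apps[i], coverage_gap(apps[i], 0), coverage_gap(apps[i], 1));
    return 0;
}
```

With the filter at the V4 layer only, every PacketSender connect in the constructed log is missed (3 of 3); mirroring the filter at the V6 layer leaves only the UDP line unmatched, because the protocol condition still applies. The constructed iexplore.exe lines show the "partial redirect" pattern: its IPv4 connect is classified and its IPv6 connect is not. The check a practitioner wants on a real system is the same one this model performs: compare the connections the process actually opens, by address family, against the layers at which the callout and its filters are registered.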
