WFP - Capturing TCP SYN packets

Hi,

I have been trying to capture SYN packets for TCP inbound connections to detect port scanning. Have used and modified the sample driver provided by Microsoft (WFPSampler) to capture source IP and destination port for SYN requests for TCP connections on FWPS_LAYER_INBOUND_TRANSPORT_V4. I am able to capture values if connection is attempted on a port that is listening, but if a connection attempt is made to any random port which is not listening then information is not getting captured.

I went through this link (mentioned below) which states to use FWPS_LAYER_INBOUND_V4_IPPACKET or FWPS_LAYER_INBOUND_IPPACKET_V4_DISCARD, but I want to avoid parsing IP packets and would like to know if there is any way to capture the source IP and destination port for SYN requests on transport layer itself.

https://social.msdn.microsoft.com/Forums/sqlserver/en-US/5d45a4dc-91ce-4710-ac23-4a8f48dd1ed3/cant-capture-tcp-syn-packet-first-handshake-packet-at-transport-layer?forum=wfp