Why filterId in DISCARD_METADATA is zero?

klimandrklimandr Member Posts: 9
edited May 2019 in NTDEV

I wrote a program for inspecting packets on the DISCARD layers of WFP. To get the reason and filter ID of discards I use the following code:

// Runs inside the callout's classifyFn; inMetaValues is the
// const FWPS_INCOMING_METADATA_VALUES0* parameter passed to it.
if (FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_DISCARD_REASON))
{
    FWPS_DISCARD_METADATA0 discardData = inMetaValues->discardMetadata;
    FWPS_DISCARD_MODULE0 discardModule = discardData.discardModule;
    UINT32 discardReason = discardData.discardReason;
    UINT64 discardFilter = discardData.filterId;

    // The reason code is only meaningful relative to the module that
    // discarded the packet, so dispatch on the module first.
    switch (discardModule)
    {
    case FWPS_DISCARD_MODULE_NETWORK:
        PrintNetworkDiscardReason(discardReason);
        break;

    case FWPS_DISCARD_MODULE_TRANSPORT:
        PrintTransportDiscardReason(discardReason);
        break;

    case FWPS_DISCARD_MODULE_GENERAL:
        if (FWPS_DISCARD_FIREWALL_POLICY == discardReason)
        {
            PRINT_MSG("DISCARD_REASON: FWPS_DISCARD_FIREWALL_POLICY");
        }
        else if (FWPS_DISCARD_IPSEC == discardReason)
        {
            PRINT_MSG("DISCARD_REASON: FWPS_DISCARD_IPSEC");
        }
        break;

    default:
        PRINT_MSG("DISCARD_MODULE: unknown (%u)", (UINT32)discardModule);
        break;
    }

    // filterId is a UINT64: %x reads only a 32-bit argument and is undefined
    // for a 64-bit value, so use the 64-bit format specifier.
    PRINT_MSG("DISCARD FILTER: %I64x", discardFilter);
}

The program writes filterId correctly when a packet is discarded by Windows Firewall (on some ALE layer), but filterId is zero when an antivirus blocks packets (on the FWPS_LAYER_INBOUND_IPPACKET_V4_DISCARD layer).
Is it possible to get the filterId of the filter that discards those packets?
