Network monitor with WFP callout driver questions

tanda996 Member Posts: 12

Hello everyone.
I'm developing a network monitor (without modifying) driver based on the WFP callout model. It prints simple TCP/UDP info: pid, data send/recv length, any time send() is called.

On a TCP connection, I can get this info by using the flow context from FWPM_LAYER_ALE_FLOW_ESTABLISHED_V* to FWPM_LAYER_STREAM_V*.
Then I get the data length by parsing FWPS_STREAM_CALLOUT_IO_PACKET at the stream layer.
On a UDP connection, I also use the flow context, from FWPM_LAYER_ALE_FLOW_ESTABLISHED_V* to FWPM_LAYER_DATAGRAM_DATA_V*.

But at FWPM_LAYER_DATAGRAM_DATA_V*, I can only parse a NET_BUFFER_LIST instead of FWPS_STREAM_CALLOUT_IO_PACKET as on a TCP connection.
My question (for UDP connections):
Can I get the exact data length (send/recv) by summing the DataLength member value of all NET_BUFFER structs in the NET_BUFFER_LIST?
Thank you.


  • Scott_Noone_(OSR) Administrator Posts: 3,300

    For inbound FWPM_LAYER_DATAGRAM_DATA_V4/FWPM_LAYER_DATAGRAM_DATA_V6 packets you'll only get one net buffer list with one net buffer.

    On outbound, you'll still only get one net buffer list but it can have multiple net buffers. Each of these will have their own UDP header (i.e. each is one packet as opposed to a single packet broken up).

    See the docs on Packet Indication Format here. You can also see the comments in the ddproxy sample's handling of inbound (DDProxyCloneModifyReinjectInbound) and outbound (DDProxyCloneModifyReinjectOutbound) datagram packet buffers.
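A worked version of the walk the question and reply discuss, added here as an example (not code from the thread, from OSR, or from the ddproxy sample): it sums NET_BUFFER_DATA_LENGTH over every NET_BUFFER in the list, strips one header per datagram, and checks the "single NET_BUFFER" property rather than assuming it. The user-mode stand-in structs and the per-direction header-offset convention are assumptions, marked in the code.

```c
/* Added example, not from the thread: walk a NET_BUFFER_LIST as a datagram-data classifyFn would. */
#include <stddef.h>
#include <stdint.h>
#ifdef _KERNEL_MODE
#include <ndis.h>
#else
/* Constructed user-mode stand-ins carrying the NDIS names; the real structures are NDIS-owned. */
typedef struct _NET_BUFFER { struct _NET_BUFFER *Next; uint32_t DataLength; } NET_BUFFER;
typedef struct _NET_BUFFER_LIST { NET_BUFFER *FirstNetBuffer; } NET_BUFFER_LIST;
#define NET_BUFFER_LIST_FIRST_NB(nbl) ((nbl)->FirstNetBuffer)
#define NET_BUFFER_NEXT_NB(nb)        ((nb)->Next)
#define NET_BUFFER_DATA_LENGTH(nb)    ((nb)->DataLength)
#endif
#define UDP_HEADER_BYTES 8u

typedef struct {
    uint32_t packets; uint64_t totalBytes, payloadBytes; /* datagrams (one per NET_BUFFER); raw and header-stripped byte sums */
} DatagramStats;

/* headerBytes is the header length sitting at each NET_BUFFER's data start. Assumption: pass
 * UDP_HEADER_BYTES when the data start is at the UDP header (outbound, per the reply above)
 * and 0 when it is already past it; confirm against the Packet Indication Format docs. */
static DatagramStats CountDatagramBytes(NET_BUFFER_LIST *nbl, uint32_t headerBytes)
{
    DatagramStats s = { 0, 0, 0 };
    for (NET_BUFFER *nb = NET_BUFFER_LIST_FIRST_NB(nbl); nb != NULL; nb = NET_BUFFER_NEXT_NB(nb)) {
        uint32_t len = NET_BUFFER_DATA_LENGTH(nb);
        s.packets++;
        s.totalBytes += len;
        /* a datagram shorter than its header means the offset assumption is wrong: count 0, never underflow */
        s.payloadBytes += (len > headerBytes) ? (len - headerBytes) : 0;
    }
    return s;
}

/* Inbound is described above as exactly one NET_BUFFER; a monitor should check that rather than assume it. */
static int IsSingleDatagramList(NET_BUFFER_LIST *nbl)
{
    NET_BUFFER *nb = NET_BUFFER_LIST_FIRST_NB(nbl);
    return nb != NULL && NET_BUFFER_NEXT_NB(nb) == NULL;
}
#ifndef _KERNEL_MODE
/* Constructed outbound-style list: three datagrams as three NET_BUFFERs, each with its own 8-byte UDP header. */
static NET_BUFFER g_nb3 = { NULL,   8 + 100 };
static NET_BUFFER g_nb2 = { &g_nb3, 8 + 0 };
static NET_BUFFER g_nb1 = { &g_nb2, 8 + 512 };
static NET_BUFFER_LIST g_outboundNbl = { &g_nb1 };
/* Constructed inbound-style list: one NET_BUFFER whose data start is already past the UDP header. */
static NET_BUFFER g_inNb = { NULL, 64 };
static NET_BUFFER_LIST g_inboundNbl = { &g_inNb };
#endif
```

In a real classifyFn the list comes from the layerData parameter of the datagram-data callout; the constructed lists only stand in for that input so the arithmetic can be checked in user mode.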


  • tanda996 Member Posts: 12

    Thank you Scott_Noone. I have a problem from the start: FlowStreamClassifyFn is never called after FwpsFlowAssociateContext succeeds.
    I register 2 callout classify functions with the system:
    1. flowEstClassifyFn, by the sequence FwpsCalloutRegister, FwpmCalloutAdd, FwpmFilterAdd (with a filter for TCP only).
    2. streamClassifyfn, by the sequence FwpsCalloutRegister, FwpmCalloutAdd (with/without).
    But after these lines (in flowEstClassifyFn):

        // associate our flow context with the stream layer callout; returns STATUS_SUCCESS
        status = FwpsFlowAssociateContext(flowHandle, FWPS_LAYER_STREAM_V4, calloutId, (UINT64)flowData);
        if (NT_SUCCESS(status))
            classifyOut->actionType = FWP_ACTION_PERMIT;
        if (filter->flags & FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT)
            classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
        classifyOut->actionType = FWP_ACTION_CONTINUE;

    => the streamClassifyfn is never called (???). I don't know why, please give me some advice.

  • tanda996 Member Posts: 12

    Ah, I found the solution myself. streamClassifyfn also needs FwpsCalloutRegister, FwpmCalloutAdd, FwpmFilterAdd (except that numFilterConditions = 0).
    I'm trying to parse the data size for send/recv on the UDP protocol following your comment; I will update here later. :smile:
