Why can't I capture any TCP traffic of PacketSender at FWPM_LAYER_ALE_CONNECT_REDIRECT_V4?

I'm developing a WFP callout driver for redirecting traffic to a local (user-mode) proxy.

  1. My user-mode app calls FwpmGetAppIdFromFileName0, then sends the app ID blob data (byte array) to my WFP callout driver.
  2. Add filters with conditions:
/* Filter at the IPv4 connect-redirect layer (the layer named in the title) */
FWPM_FILTER filter = { 0 };
filter.layerKey = FWPM_LAYER_ALE_CONNECT_REDIRECT_V4;

FWPM_FILTER_CONDITION conditions[2] = { 0 };
int conditionIndex = 0;

/* Condition 1: match only TCP */
conditions[conditionIndex].fieldKey = FWPM_CONDITION_IP_PROTOCOL;
conditions[conditionIndex].matchType = FWP_MATCH_EQUAL;
conditions[conditionIndex].conditionValue.type = FWP_UINT8;
conditions[conditionIndex++].conditionValue.uint8 = IPPROTO_TCP;

/* Condition 2: match only the target application
 * (app ID blob produced by FwpmGetAppIdFromFileName0 in user mode) */
conditions[conditionIndex].fieldKey = FWPM_CONDITION_ALE_APP_ID;
conditions[conditionIndex].matchType = FWP_MATCH_EQUAL;
conditions[conditionIndex].conditionValue.type = FWP_BYTE_BLOB_TYPE;
conditions[conditionIndex++].conditionValue.byteBlob = appIdFromUserMode;

filter.filterCondition = conditions;
filter.numFilterConditions = sizeof(conditions) / sizeof(conditions[0]);
  3. Redirect to local proxy.

My question is:

When my target appId is "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe", it works well; all traffic is redirected through my local proxy.

But when the target appId is "C:\Program Files (x86)\PacketSender\PacketSender.exe", the ClassifyFn callback of my callout driver is never called, so no traffic is redirected to my local proxy.

I also tried it with "C:\Program Files\internet explorer\iexplore.exe": a small part of the traffic is redirected, but most of it is not.

About PacketSender: https://packetsender.com/ https://github.com/dannagle/PacketSender

Do you always observe appid equal to process id? Better filter all TCP traffic. You can make further checks in classify function. Make sure you log each TCP packet. Is any TCP packet missed then?

Also specify, do you want TCP traffic or only connect packets?

@ashish_kohli said:
Do you always observe appid equal to process id? Better filter all TCP traffic. You can make further checks in classify function. Make sure you log each TCP packet. Is any TCP packet missed then?

This is a part of my ClassifyFn; I think it logs everything? But it never logs anything when the target is PacketSender.

@ashish_kohli said:
Also specify, do you want TCP traffic or only connect packets?

What is the difference between TCP traffic and only connect packets? I want to redirect all application-layer traffic, but not the TCP handshakes.

But my solution works fine if the target is Chrome, so I think the problem comes from the filters.

I found the reason: PacketSender works over IPv6 even if I specify IPv4 mode. :s
It's a confusing design. :s :s
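The root cause above (an IPv6 flow that a filter at FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 can never classify) is cheap to rule out before touching the driver. The following PowerShell script is an added diagnostic, not code from the thread or from PacketSender: it lists every TCP endpoint owned by a named process, groups them by address family, and warns when any of them is IPv6. It assumes Windows 8 / Server 2012 or later (the NetTCPIP module that provides Get-NetTCPConnection) and that the target process is already running with at least one socket open; the parameter name `ProcessName` is my own choice.

```powershell
# Added diagnostic (not from the thread): show which address families a process uses,
# so you know whether a V4-only WFP layer filter can see its traffic at all.
# Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection) and a running target process.
param(
    [Parameter(Mandatory)] [string] $ProcessName   # e.g. "PacketSender" (no .exe)
)

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Error "No running process named '$ProcessName'"
    exit 1
}

# The image path is what FwpmGetAppIdFromFileName0 must be given for FWPM_CONDITION_ALE_APP_ID;
# print it so it can be cross-checked against the path passed to the driver.
$procs | Select-Object Id, Path | Format-Table -AutoSize

$ownerIds = $procs.Id

# Get-NetTCPConnection reports listeners and flows for both IPv4 and IPv6 sockets.
$conns = Get-NetTCPConnection | Where-Object { $ownerIds -contains $_.OwningProcess }

function Get-AddressFamily([string] $addr) {
    # IPv6 literals always contain ':' ("::", "::1", "fe80::..."); IPv4 never does.
    if ($addr -match ':') { 'IPv6' } else { 'IPv4' }
}

$rows = $conns | ForEach-Object {
    [pscustomobject]@{
        PID    = $_.OwningProcess
        Family = Get-AddressFamily $_.LocalAddress
        Local  = "$($_.LocalAddress):$($_.LocalPort)"
        Remote = "$($_.RemoteAddress):$($_.RemotePort)"
        State  = $_.State
    }
}

if (-not $rows) {
    Write-Warning "Process is running but owns no TCP endpoints right now; start a transfer and re-run."
    exit 0
}

$rows | Sort-Object Family, State | Format-Table -AutoSize

$v6 = @($rows | Where-Object Family -eq 'IPv6')
if ($v6.Count -gt 0) {
    Write-Warning ("{0} endpoint(s) use IPv6. A filter added only at FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 " +
                   "will never classify them; add the same conditions at FWPM_LAYER_ALE_CONNECT_REDIRECT_V6." -f $v6.Count)
}
```

Run it while PacketSender has a connection open, for example `.\Show-ProcessFamilies.ps1 -ProcessName PacketSender`. Any row in the IPv6 group is traffic the IPv4 layer will not deliver to ClassifyFn, which matches the thread's conclusion; the fix on the driver side is to register the callout and add the same two-condition filter at the V6 layer as well. If you also want to confirm which layer actually saw a given flow, `netsh wfp capture start` / `netsh wfp capture stop` records WFP classification events into wfpdiag.cab for offline inspection.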