Network monitor with WFP callout driver questions

Hello everyone.
I'm developing a network monitor (without modifying) driver based on the WFP callout model. It prints simple TCP/UDP info: pid, and the data send/recv length any time send() is called.

On a TCP connection, I can get that info by using a flow context from FWPM_LAYER_ALE_FLOW_ESTABLISHED_V* to FWPM_LAYER_STREAM_V*.
Then I get the data length by parsing the FWPS_STREAM_CALLOUT_IO_PACKET at the stream layer.
On a UDP connection, I also use a flow context, from FWPM_LAYER_ALE_FLOW_ESTABLISHED_V* to FWPM_LAYER_DATAGRAM_DATA_V*.

But at FWPM_LAYER_DATAGRAM_DATA_V*, I can only parse a NET_BUFFER_LIST instead of a FWPS_STREAM_CALLOUT_IO_PACKET like on a TCP connection.
My question (for UDP connections):
Can I get the exact data length (send/recv) as the sum of the DataLength member values of all NET_BUFFER structs in the NET_BUFFER_LIST?
Thank you.

For inbound FWPM_LAYER_DATAGRAM_DATA_V4/FWPM_LAYER_DATAGRAM_DATA_V6 packets you’ll only get one net buffer list with one net buffer.

On outbound, you’ll still only get one net buffer list but it can have multiple net buffers. Each of these will have their own UDP header (i.e. each is one packet as opposed to a single packet broken up).

See the docs on Packet Indication Format here. You can also see the comments in the ddproxy sample’s handling of inbound (DDProxyCloneModifyReinjectInbound) and outbound (DDProxyCloneModifyReinjectOutbound) datagram packet buffers.

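To make the shape of the reply above concrete, here is an added example (my own code, not from the thread, the WDK docs or the ddproxy sample) that walks the NET_BUFFER_LIST a datagram-data callout receives and totals the UDP payload bytes. The chain walk uses the real NDIS accessor macros (NET_BUFFER_LIST_FIRST_NB, NET_BUFFER_LIST_NEXT_NBL, NET_BUFFER_NEXT_NB, NET_BUFFER_DATA_LENGTH); so that it can be compiled and run in user mode, a minimal stand-in for those types and macros is defined under DATAGRAM_WALK_USER_MODE_MODEL, which a real callout replaces with ndis.h/fwpsk.h. Two things are assumptions taken from the reply and the Packet Indication Format docs rather than from this thread's own text: on outbound each NET_BUFFER starts with its own 8-byte UDP header, and on inbound the single NET_BUFFER's data offset already sits at the UDP payload (verify both against the docs for your layer). The direction enum mirrors the FWP_DIRECTION_OUTBOUND/INBOUND values; the sample chains are constructed in code, not captured traffic.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-mode stand-in for the NDIS types and accessor macros the walk needs.
 * Remove this block in a real callout driver and include ndis.h / fwpsk.h. */
#define DATAGRAM_WALK_USER_MODE_MODEL 1
#if DATAGRAM_WALK_USER_MODE_MODEL
typedef struct _NET_BUFFER {
    struct _NET_BUFFER *Next;
    unsigned long DataLength;          /* bytes from the current data offset */
} NET_BUFFER;

typedef struct _NET_BUFFER_LIST {
    struct _NET_BUFFER_LIST *Next;
    NET_BUFFER *FirstNetBuffer;
} NET_BUFFER_LIST;

#define NET_BUFFER_LIST_FIRST_NB(nbl) ((nbl)->FirstNetBuffer)
#define NET_BUFFER_LIST_NEXT_NBL(nbl) ((nbl)->Next)
#define NET_BUFFER_NEXT_NB(nb)        ((nb)->Next)
#define NET_BUFFER_DATA_LENGTH(nb)    ((nb)->DataLength)
#endif

#define UDP_HEADER_SIZE 8u

/* Same numeric values as FWP_DIRECTION_OUTBOUND / FWP_DIRECTION_INBOUND. */
typedef enum { DIR_OUTBOUND = 0, DIR_INBOUND = 1 } DATAGRAM_DIRECTION;

typedef struct {
    unsigned long packets;       /* UDP datagrams seen (one per NET_BUFFER) */
    unsigned long payloadBytes;  /* UDP payload bytes, headers excluded */
    bool ok;                     /* false if the chain did not match the expected layout */
} DATAGRAM_STATS;

/* Total the UDP payload carried by the NBL handed to a FWPM_LAYER_DATAGRAM_DATA_V* callout. */
DATAGRAM_STATS SumDatagramPayload(NET_BUFFER_LIST *nbl, DATAGRAM_DIRECTION dir)
{
    DATAGRAM_STATS s = {0, 0, true};
    if (nbl == NULL) {
        return s;
    }
    /* Per the reply above, the datagram layer hands over exactly one NBL. */
    if (NET_BUFFER_LIST_NEXT_NBL(nbl) != NULL) {
        s.ok = false;
    }
    for (NET_BUFFER *nb = NET_BUFFER_LIST_FIRST_NB(nbl); nb != NULL; nb = NET_BUFFER_NEXT_NB(nb)) {
        unsigned long len = NET_BUFFER_DATA_LENGTH(nb);
        s.packets++;
        if (dir == DIR_INBOUND) {
            /* Inbound: one NB, data offset already at the payload (assumption, see docs). */
            if (s.packets > 1) {
                s.ok = false;
            }
            s.payloadBytes += len;
        } else {
            /* Outbound: every NB is a whole datagram that begins with its own UDP header. */
            if (len < UDP_HEADER_SIZE) {
                s.ok = false;        /* runt NB: shorter than a UDP header, skip it */
                continue;
            }
            s.payloadBytes += len - UDP_HEADER_SIZE;
        }
    }
    return s;
}

/* Constructed sample chains (not captured traffic) so the walk can be exercised. */
static NET_BUFFER g_outNb[3];
static NET_BUFFER_LIST g_outNbl;
static NET_BUFFER g_inNb;
static NET_BUFFER_LIST g_inNbl;

NET_BUFFER_LIST *BuildOutboundSample(void)
{
    /* Three datagrams in one NBL; payload sizes 100, 0 and 1472 bytes. */
    unsigned long payloads[3] = {100, 0, 1472};
    for (int i = 0; i < 3; i++) {
        g_outNb[i].DataLength = UDP_HEADER_SIZE + payloads[i];
        g_outNb[i].Next = (i < 2) ? &g_outNb[i + 1] : NULL;
    }
    g_outNbl.Next = NULL;
    g_outNbl.FirstNetBuffer = &g_outNb[0];
    return &g_outNbl;
}

NET_BUFFER_LIST *BuildInboundSample(void)
{
    g_inNb.Next = NULL;
    g_inNb.DataLength = 512;     /* one NB, already positioned at the 512-byte payload */
    g_inNbl.Next = NULL;
    g_inNbl.FirstNetBuffer = &g_inNb;
    return &g_inNbl;
}

int main(void)
{
    DATAGRAM_STATS o = SumDatagramPayload(BuildOutboundSample(), DIR_OUTBOUND);
    DATAGRAM_STATS i = SumDatagramPayload(BuildInboundSample(), DIR_INBOUND);
    printf("outbound: %lu datagrams, %lu payload bytes, ok=%d\n", o.packets, o.payloadBytes, o.ok);
    printf("inbound:  %lu datagrams, %lu payload bytes, ok=%d\n", i.packets, i.payloadBytes, i.ok);
    return 0;
}
```

The answer to the question as posed is therefore "sum of DataLength" only for inbound; for outbound the sum includes one UDP header per NET_BUFFER, so the walk subtracts it per buffer and counts buffers to get the datagram count. The ok flag is there so a monitor logs (rather than silently miscounts) any chain that does not look the way the layer is documented to deliver it.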

Thank you Scott_Noone. I got a problem from the start: FlowStreamClassifyFn is never called after FwpsFlowAssociateContext succeeds.
I register 2 callout classify functions with the system:

  1. flowEstClassifyFn, in this sequence: FwpsCalloutRegister, FwpmCalloutAdd, FwpmFilterAdd (with a filter for TCP only).
  2. streamClassifyFn, in this sequence: FwpsCalloutRegister, FwpmCalloutAdd (w/wo).
     But after these lines (in flowEstClassifyFn):

        // Attach flowData to the flow so the stream-layer callout receives it as its flow context.
        status = FwpsFlowAssociateContext(flowHandle, FWPS_LAYER_STREAM_V4, calloutId, (UINT64)flowData); // returns STATUS_SUCCESS
        if (NT_SUCCESS(status))
        {
            classifyOut->actionType = FWP_ACTION_PERMIT;
            if (filter->flags & FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT)
            {
                // The filter asked us to make this decision final for lower-weight filters.
                classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
            }
        }
        else
        {
            // Could not attach the context; let the next filter decide.
            classifyOut->actionType = FWP_ACTION_CONTINUE;
        }

     => streamClassifyFn is never called (???). I don't know why; please give me some advice.

Ah, I found the solution myself. streamClassifyFn also needs FwpsCalloutRegister, FwpmCalloutAdd, FwpmFilterAdd (except that numFilterConditions = 0).
I'm trying to parse the data size for send/recv on the UDP protocol following your comment; I will update here later. :smile: