Driver for logging network events for all needed target PIDs

What API/framework can I use for logging all net events (like sending a packet, connect, receive events) from some process list?
I have a TDI driver for that now, but it has poor docs and I can't find the solution for some kinds of troubles; can you please suggest some other variants?
Can I use WSK for it? I found examples of a client, but I don't see any examples of how I can intercept or log net events of all active processes in the system.

WFP - Windows Filtering Platform will be able to do this.

@Jason_Stephenson said:
WFP - Windows Filtering Platform will be able to do this.

Jason, I found this driver sample (https://github.com/JaredWright/WFPStarterKit/tree/master/Tutorial), and it works well for me, but I can't find any example of how I can get the operation result after I pass it through.
For example, I see logs of connections, but how can I get the result for them: was this connection attempt successful? Does WFP have some PostCallback or CompletionRoutine (as in legacy filter drivers) for it?
Can you please help me with it?

That link doesn’t work for me. In general for anything WFP related you should start with https://docs.microsoft.com/en-us/windows-hardware/drivers/network/windows-filtering-platform-callout-drivers2 and https://github.com/microsoft/Windows-driver-samples/tree/master/network/trans/WFPSampler

Read and understand the core concepts before you worry about how to build anything with it.
Jason

@Jason_Stephenson said:
That link doesn’t work for me. In general for anything WFP related you should start with https://docs.microsoft.com/en-us/windows-hardware/drivers/network/windows-filtering-platform-callout-drivers2 and https://github.com/microsoft/Windows-driver-samples/tree/master/network/trans/WFPSampler

Read and understand the core concepts before you worry about how to build anything with it.
Jason

Jason, okay. I read some docs on WFP; as far as I understand, it uses some filters where I can receive notification events for the TCP/UDP packet flow.
So I need to catch a few events in this flow, for TCP as an example (https://docs.microsoft.com/en-us/windows/win32/fwp/tcp-packet-flows).

But… how can I understand that the connect request timed out and the connection failed? I don't receive the event on FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4, but… how can I sync it, because I need to wait for this event for some time, and… how can I determine the connection timeout?

Or do I need to use packet tagging?

If you wanted to do this at the ALE layers then I think you would track the flow through its lifetime. https://docs.microsoft.com/en-us/windows/win32/fwp/ale-layers. I would guess that a flow that has its delete handler called before FLOW_ESTABLISHED would be a flow whose "connection" failed. It might also be possible to use the DISCARD layers for this, but I'm not too sure.
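To make the flow-lifetime tracking described in that answer concrete, here is an added example in plain user-mode C. It is my own illustration, not code from this thread, from the WFPStarterKit or WFPSampler projects, or from the WDK, and it calls no WFP API: it models the per-flow state a callout would keep and decides the connect outcome at the moment the flow is deleted, which is what makes the "how do I detect a timeout" question go away. The flow key, the process id and the three entry points (on_auth_connect, on_flow_established, on_flow_delete) are assumptions standing in for the real classifyFn calls at the ALE_AUTH_CONNECT and ALE_FLOW_ESTABLISHED layers and the flowDeleteFn notification.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Per-flow bookkeeping, modelled on what a callout would store in its flow
 * context. Constructed example: plain C, no WDK headers, no WFP calls. */
typedef enum { FLOW_PENDING = 0, FLOW_ESTABLISHED } flow_state_t;

typedef struct {
    bool         in_use;
    uint64_t     key;    /* assumed: any stable per-flow key (e.g. a 5-tuple hash) */
    uint32_t     pid;    /* owning process; a real callout reads it from classify metadata */
    flow_state_t state;
} flow_entry_t;

#define MAX_FLOWS 64
static flow_entry_t g_flows[MAX_FLOWS];
static int g_succeeded = 0;   /* established, then deleted */
static int g_failed    = 0;   /* deleted without ever being established */

static flow_entry_t *find_flow(uint64_t key)
{
    for (int i = 0; i < MAX_FLOWS; i++)
        if (g_flows[i].in_use && g_flows[i].key == key)
            return &g_flows[i];
    return NULL;
}

static flow_entry_t *alloc_flow(uint64_t key, uint32_t pid)
{
    for (int i = 0; i < MAX_FLOWS; i++) {
        if (!g_flows[i].in_use) {
            g_flows[i].in_use = true;
            g_flows[i].key    = key;
            g_flows[i].pid    = pid;
            g_flows[i].state  = FLOW_PENDING;
            return &g_flows[i];
        }
    }
    return NULL;  /* table full: the caller should log that this flow goes untracked */
}

/* Stand-in for the ALE_AUTH_CONNECT classify: an outbound connect attempt was
 * seen. Returns false when the table is full, so the gap is visible in logs. */
bool on_auth_connect(uint64_t key, uint32_t pid)
{
    flow_entry_t *f = find_flow(key);
    if (f == NULL)
        f = alloc_flow(key, pid);
    return f != NULL;
}

/* Stand-in for the ALE_FLOW_ESTABLISHED classify: the handshake completed.
 * A flow not seen at AUTH_CONNECT (e.g. an accepted inbound one) is still
 * recorded rather than dropped. */
bool on_flow_established(uint64_t key, uint32_t pid)
{
    flow_entry_t *f = find_flow(key);
    if (f == NULL)
        f = alloc_flow(key, pid);
    if (f == NULL)
        return false;
    f->state = FLOW_ESTABLISHED;
    return true;
}

typedef enum { OUTCOME_UNKNOWN = -1, OUTCOME_SUCCEEDED = 0, OUTCOME_FAILED = 1 } outcome_t;

/* Stand-in for flowDeleteFn: the flow is being torn down. The result of the
 * connect is decided here, from the state the flow reached, with no timer
 * and no post-callback needed. */
outcome_t on_flow_delete(uint64_t key)
{
    flow_entry_t *f = find_flow(key);
    if (f == NULL)
        return OUTCOME_UNKNOWN;        /* never tracked, e.g. table was full */
    outcome_t out = (f->state == FLOW_ESTABLISHED) ? OUTCOME_SUCCEEDED : OUTCOME_FAILED;
    if (out == OUTCOME_SUCCEEDED) g_succeeded++; else g_failed++;
    printf("pid %u flow %llx: %s\n", f->pid, (unsigned long long)f->key,
           out == OUTCOME_SUCCEEDED ? "closed after successful connect" : "connect failed");
    memset(f, 0, sizeof *f);           /* release the slot */
    return out;
}

int succeeded_count(void) { return g_succeeded; }
int failed_count(void)    { return g_failed; }

int main(void)
{
    /* Constructed event sequence for two flows owned by pid 1234. */
    on_auth_connect(0xA1, 1234); on_flow_established(0xA1, 1234); on_flow_delete(0xA1);
    on_auth_connect(0xB2, 1234); on_flow_delete(0xB2);   /* timed out: no ESTABLISHED seen */
    printf("succeeded=%d failed=%d\n", succeeded_count(), failed_count());
    return 0;
}
```

The point of the model is that a flow which is deleted while still pending is the failed connect, so the driver never has to wait for an event that may not come. If a flow is never deleted at all it simply stays pending; a periodic sweep over stale pending entries is where a timeout of your own choosing would be applied, and the table-full path is the place to count untracked flows so that gaps in the log are explicit rather than silent.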