A driver that listens to traffic

A network 5 tuple uniquely identifies a TCP connection.

Could you please explain more? What are the members of the tuple?
On 20 Aug 2016 21:11, wrote:

> A network 5 tuple uniquely identifies a TCP connection.
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: http: showlists.cfm?list=ntdev
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

local address, remote address, local port, remote port and protocol

@Don

What do you mean by most cases?

So transportEndpointHandle will have a unique value in both ALE and
transport callouts for the same TCP connection? Also, I noticed that the
value of transportEndpointHandle is sometimes equal to zero; what does that
mean?

On Sat, Aug 20, 2016 at 12:36 AM, Don Burn wrote:

> At least for most cases check out FWPS_METADATA_FIELD_TRANSPORT_ENDPOINT_HANDLE
>
>
> Don Burn
> Windows Driver Consulting
> Website: http://www.windrvr.com
>
>
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com [mailto:bounce-614816-122747@lists.osr.com] On Behalf Of zaid ALYAFEY
> Sent: Friday, August 19, 2016 5:22 PM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] A driver that listens to traffic
>
> How do I know that two packets in the transport layer belong to the same
> TCP connection?
>
> On 18 Aug 2016 13:01, xxxxx@hotmail.com wrote:
>
> As far as I know, ALE connect and ALE recv accept flow context cannot be
> got in transport layers.
>
> We need to maintain our own context; for example, the search key will be
> the 5 tuple.

The transportEndpointHandle (when it is not zero) will allow you to match a unique value for the duration of the bind/connect to unbind. See https://social.msdn.microsoft.com/Forums/en-US/6280b002-f93d-4dab-b892-1e138ceabfcd/fwpsmetadatafieldtransportendpointhandle-bit-is-set-but-meta-data-field-0?forum=wfp for some instances where you get zero. I don’t have a good solution for the zero value case.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

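As an added example (not code from the thread or from any WFP sample), here is a plain-C model of the per-connection context table the thread describes: the 5-tuple listed above is the primary key, and the transport endpoint handle is used as a secondary key only when it is non-zero, which covers the zero-value case Don mentions. The WFP metadata types and the FWPS_IS_METADATA_FIELD_PRESENT check are replaced by plain C parameters so the file builds without the WDK; the table, names and sample values are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define MAX_FLOWS 64   /* fixed table standing in for a kernel hash map */
/* The 5-tuple from the thread, with local/remote as the WFP layer reports them. */
typedef struct {
    uint32_t local_addr, remote_addr;   /* IPv4, host byte order */
    uint16_t local_port, remote_port;
    uint8_t  protocol;                  /* 6 = TCP */
} flow_key_t;
typedef struct {
    bool       in_use;
    flow_key_t key;
    uint64_t   endpoint_handle;   /* transportEndpointHandle; 0 = not (yet) known */
    uint32_t   packets;           /* whatever per-connection state the callout keeps */
} flow_ctx_t;
static flow_ctx_t g_flows[MAX_FLOWS];
static bool key_equal(const flow_key_t *a, const flow_key_t *b) {
    return a->local_addr == b->local_addr && a->remote_addr == b->remote_addr &&
           a->local_port == b->local_port && a->remote_port == b->remote_port &&
           a->protocol == b->protocol;
}
/* Resolve the context for one classify event.  Pass the endpoint handle when the
 * metadata reports it, and 0 otherwise (including the "bit set but value is 0"
 * case from the thread): 0 means "match on the 5-tuple only". */
flow_ctx_t *flow_lookup_or_create(const flow_key_t *key, uint64_t handle) {
    flow_ctx_t *free_slot = NULL;
    for (int i = 0; i < MAX_FLOWS; i++) {
        flow_ctx_t *f = &g_flows[i];
        if (!f->in_use) { if (!free_slot) free_slot = f; continue; }
        if (handle != 0 && f->endpoint_handle == handle) return f; /* unique bind..unbind */
        if (key_equal(&f->key, key)) {
            if (f->endpoint_handle == 0) f->endpoint_handle = handle; /* learn it from a later event */
            return f;
        }
    }
    if (!free_slot) return NULL;   /* table full: the callout decides whether to fail closed */
    free_slot->in_use = true;
    free_slot->key = *key;
    free_slot->endpoint_handle = handle;
    free_slot->packets = 0;
    return free_slot;
}

/* Drop the context when the endpoint unbinds, so a reused 5-tuple starts fresh. */
void flow_remove(const flow_key_t *key) {
    for (int i = 0; i < MAX_FLOWS; i++)
        if (g_flows[i].in_use && key_equal(&g_flows[i].key, key)) g_flows[i].in_use = false;
}
```

A real callout would fill `flow_key_t` from the layer's local/remote address and port fields and pass `inMetaValues->transportEndpointHandle` only after checking the metadata field is present.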

So this is just a bug?

On Mon, Aug 22, 2016 at 2:13 AM, Don Burn wrote:

> The transportEndpointHandle (when it is not zero) will allow you to match a
> unique value for the duration of the bind/connect to unbind. See
> https://social.msdn.microsoft.com/Forums/en-US/6280b002-f93d-4dab-b892-1e138ceabfcd/fwpsmetadatafieldtransportendpointhandle-bit-is-set-but-meta-data-field-0?forum=wfp
> for some instances where you get zero. I don’t have a good solution for the zero value case.