Data size in UDP-datagram.

Hello.

I’m writing a network monitor driver for Vista based on WFP. Now I have a problem: I don’t know how to get the data size from a UDP datagram.
I’ve registered a callout for the UDP protocol on the FWPM_LAYER_STREAM_V4 layer, and I receive those datagrams. My classifyFn is

void CoutUdpClassifyStream(
    IN const FWPS_INCOMING_VALUES0* inFixedValues,
    IN const FWPS_INCOMING_METADATA_VALUES0* inMetaValues,
    IN OUT void* layerData,
    IN const FWPS_FILTER0* filter,
    IN UINT64 flowContext,
    OUT FWPS_CLASSIFY_OUT0* classifyOut
    );

The field I need is neither in inFixedValues nor in inMetaValues, so I suppose that it should be in layerData. According to the WDK, layerData points to a NET_BUFFER_LIST structure.

The UDP header has the following format:

typedef struct _UDPHeader
{
    USHORT sourcePort;      // Source Port
    USHORT destinationPort; // Destination Port
    USHORT len;             // Total length
    USHORT checksum;        // Total checksum
} UDPHeader;

So my questions:

  1. Where should I look for the UDPHeader in the parameters of my classifyFn?
  2. Maybe there is another way to get the size of the data in a datagram?

Thanks in advance,
Barabash Alexey.

The problem is that the MSDN documentation on the subject is, softly speaking, "not-so-precise" (in fact, it is just completely useless, at least the part that ships with the WDK, although MSFT later provided some updates on their site). I had exactly the same problem. What I actually did in order to solve it was filtering at the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer instead of the FWPM_LAYER_STREAM_V4 one - at this filtering level I managed to get all the info that I needed…

Try to experiment with different layers…

Anton Bassov
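
An added example, not part of either post and not WFP code: given raw bytes that start at the UDP header, the data size is the `len` field of the UDPHeader above, converted from network byte order, minus the 8-byte header, and it should be checked against the bytes actually available. The function and status names are hypothetical, and the sample datagram is constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define UDP_HEADER_SIZE 8u

/* Status codes for udp_payload_size() (hypothetical names). */
enum udp_parse_status {
    UDP_OK = 0,
    UDP_TRUNCATED_HEADER,   /* fewer than 8 readable bytes */
    UDP_BAD_LENGTH,         /* len field smaller than the header itself */
    UDP_TRUNCATED_PAYLOAD   /* len field claims more bytes than are readable */
};

/* Constructed sample: ports 53 -> 49153, len = 12, checksum 0, data "ping". */
static const uint8_t sample_datagram[] = {
    0x00, 0x35, 0xC0, 0x01, 0x00, 0x0C, 0x00, 0x00, 'p', 'i', 'n', 'g'
};

/* Read a 16-bit network-order value without assuming alignment. */
static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * buf/avail: bytes starting at the UDP header and how many are readable.
 * On UDP_OK, *payload_size receives the data size in bytes.
 */
enum udp_parse_status udp_payload_size(const uint8_t *buf, size_t avail,
                                       uint16_t *payload_size)
{
    uint16_t len;

    if (buf == NULL || payload_size == NULL || avail < UDP_HEADER_SIZE)
        return UDP_TRUNCATED_HEADER;

    len = read_be16(buf + 4);           /* offset of UDPHeader.len */
    if (len < UDP_HEADER_SIZE)          /* would underflow the subtraction */
        return UDP_BAD_LENGTH;
    if ((size_t)len > avail)            /* never trust len beyond the buffer */
        return UDP_TRUNCATED_PAYLOAD;

    *payload_size = (uint16_t)(len - UDP_HEADER_SIZE);
    return UDP_OK;
}

int main(void)
{
    uint16_t n = 0;
    return udp_payload_size(sample_datagram, sizeof sample_datagram, &n);
}
```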