I am receiving packets in callouts in a WFP firewall I am testing. The port values are UINT16, and as they are coming from the networking functions, they are big-endian values.
I have reversed the endianness using RtlUshortByteSwap, and am using DbgPrint with the %hu token to debug the network 5-tuple values so I can start building up a pattern of what is going on. All is well except the port numbers are printing out a little garbled.
Example:
LocalIP,LocalPort,RemoteIP,RemotePort
192.168.1.5,61395,192.168.1.1,13568
192.168.1.5,16832,64.233.183.103,20480
Now I have been running this back to back with Wireshark, and I can tell you that the first entry is a DNS request between host and router, and the second is a SYN to establish a TCP connection on port 80 to the host IP returned by the DNS request in 1.
So, for example, in the second row the remote port is 80 but prints 20480.
Any ideas what I could be doing wrong?