HTTP traffic and WFP

Hey!

My goal is to be able to log outbound HTTP requests including the requested URL and method.

Ideally, with process attribution (so also log the process making the outbound request)

And as a bonus, log responses too.

What would be your go to approach?

Saw there are ETW providers (WinInet / WinHTTP) but I guess they won’t cover everything.

WFP surely comes to mind, would I have to manually parse data myself?

Is it possible (assuming there’s a layer that provides the metadata I’m interested in) to do it entirely from UM?

A proxy. No kernel mode work is required.
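To make the proxy suggestion concrete, here is an added example (not code from anyone in this thread): a minimal logging forward proxy in Python that parses what a client sends to an HTTP proxy, records method and URL, and does best-effort process attribution by mapping the loopback source port back to a PID. It assumes the listener on 127.0.0.1:8080, uses the third-party psutil package only if it is installed (otherwise the PID is logged as "-"), and the sample request bytes in the test are constructed. It also shows the HTTPS limitation the follow-up question touches on: for CONNECT the proxy sees only host:port, because the request inside the tunnel is encrypted unless you terminate TLS yourself.

```python
"""Minimal logging forward proxy: parse proxy-form HTTP requests (absolute-form
URL for plain HTTP, CONNECT for TLS), log method + URL + owning PID, relay bytes."""
import socket
import socketserver
import threading
from datetime import datetime, timezone
from urllib.parse import urlsplit


def parse_proxy_request(raw: bytes) -> dict:
    """Parse the first request a client sends to the proxy.

    Returns method, url, host, port, tls (True for CONNECT) and headers.
    Raises ValueError for anything that is not a proxy-form request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    try:
        method, target, version = lines[0].split(" ", 2)
    except ValueError:
        raise ValueError("malformed request line")
    if not version.startswith("HTTP/"):
        raise ValueError("missing HTTP version")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if method.upper() == "CONNECT":
        # CONNECT host:port -- only the endpoint is visible; the HTTP inside
        # the tunnel is TLS-encrypted unless the proxy terminates TLS itself.
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return {"method": "CONNECT", "url": f"https://{host}:{port}", "host": host,
                "port": int(port), "tls": True, "headers": headers}
    parts = urlsplit(target)
    if parts.scheme != "http" or not parts.hostname:
        # Clients configured for a proxy send absolute-form targets; an
        # origin-form path means the client is not actually proxying via us.
        raise ValueError("expected absolute-form http:// request target")
    return {"method": method.upper(), "url": target, "host": parts.hostname,
            "port": parts.port or 80, "tls": False, "headers": headers}


def owning_pid(client_port: int):
    """Best-effort process attribution: the proxy only sees the loopback source
    port, so look it up in the OS connection table. Uses psutil (third-party,
    assumed optional); returns None when unavailable or not found."""
    try:
        import psutil
    except ImportError:
        return None
    for conn in psutil.net_connections(kind="tcp"):
        if conn.laddr and conn.laddr.port == client_port and conn.raddr:
            return conn.pid
    return None


def log_record(req: dict, client_port: int, pid=None) -> str:
    """One log line: UTC timestamp, pid (or '-'), source port, method, URL."""
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    pid_s = str(pid) if pid is not None else "-"
    return f"{ts} pid={pid_s} src_port={client_port} {req['method']} {req['url']}"


def _pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF or error, then tear down both sides."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


class ProxyHandler(socketserver.BaseRequestHandler):
    """Log the request, then relay. CONNECT tunnels pass through opaquely."""

    def handle(self):
        raw = self.request.recv(65536)
        try:
            req = parse_proxy_request(raw)
        except ValueError:
            self.request.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
            return
        client_port = self.client_address[1]
        print(log_record(req, client_port, owning_pid(client_port)))
        upstream = socket.create_connection((req["host"], req["port"]))
        if req["tls"]:
            self.request.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
        else:
            upstream.sendall(raw)  # forward the already-read request bytes
        threading.Thread(target=_pipe, args=(upstream, self.request), daemon=True).start()
        _pipe(self.request, upstream)


if __name__ == "__main__":
    # Assumed listener; point a client's HTTP proxy setting at 127.0.0.1:8080.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 8080), ProxyHandler) as srv:
        print("logging proxy on 127.0.0.1:8080")
        srv.serve_forever()
```

Responses are not logged here; for plain HTTP you could parse the status line in the upstream-to-client direction of `_pipe`, while for HTTPS you would have to terminate TLS with a locally trusted CA to see anything beyond the CONNECT host and port.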

So no need for WFP either? What requests would you proxy? I can decrypt HTTPS if I have a proxy; the question is what requests do I forward to the proxy.

Without intending to be cruel, if you’re not familiar with HTTP proxies, then I’m not sure you’re ready to do that kind of filtering.