WFP - listen callout misses few ports

Hi,
the scenario is:

  1. (when BFE ran) I created a permanent sublayer, a permanent FWPM_LAYER_ALE_AUTH_LISTEN_V4+6 layers’ callouts and two filters in each - boot and permanent (both with empty condition)
  2. my test WFP driver is set to start before TCPIP
  3. the WFP driver registers the callouts and the classify function is receiving listen “events”

However it misses 0.0.0.0:445 (Windows 7 SP1 x86), even though I see a resource assignment event for it (using another callout). The :::445 listen event is notified correctly. Netstat shows the 0.0.0.0:445 port as listening :(.
The situation in 8220 is even worse - it also misses other ports (like :80).

Can anyone give me a hint, please?

What did you mean by “with empty condition”? In particular, did you call
FwpmFilterAdd0 or not?

If you did not call FwpmFilterAdd0 then consider doing so.

Thomas F. Divine
http://www.pcausa.com


From:
Sent: Thursday, February 09, 2012 5:34 PM
To: “Windows System Software Devs Interest List”
Subject: [ntdev] WFP - listen callout misses few ports


Hi Thomas,
I did call FwpmFilterAdd0, I see listen requests for other ports. The empty condition means numFilterConditions = 0.

The netstat output is:
Proto  Local Address     Foreign Address  State      PID
TCP    0.0.0.0:135       0.0.0.0:0        LISTENING  736
TCP    0.0.0.0:445       0.0.0.0:0        LISTENING  4
TCP    0.0.0.0:49152     0.0.0.0:0        LISTENING  404
TCP    0.0.0.0:49153     0.0.0.0:0        LISTENING  780
TCP    0.0.0.0:49154     0.0.0.0:0        LISTENING  936
TCP    0.0.0.0:49155     0.0.0.0:0        LISTENING  520
TCP    0.0.0.0:49156     0.0.0.0:0        LISTENING  1876
TCP    0.0.0.0:49158     0.0.0.0:0        LISTENING  536
TCP    10.6.135.68:139   0.0.0.0:0        LISTENING  4
TCP    [::]:135          [::]:0           LISTENING  736
TCP    [::]:445          [::]:0           LISTENING  4
TCP    [::]:49152        [::]:0           LISTENING  404
TCP    [::]:49153        [::]:0           LISTENING  780
TCP    [::]:49154        [::]:0           LISTENING  936
TCP    [::]:49155        [::]:0           LISTENING  520
TCP    [::]:49156        [::]:0           LISTENING  1876
TCP    [::]:49158        [::]:0           LISTENING  536

while the events from classify fn were:
(ASSIGN = FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V*, LISTEN = FWPM_LAYER_ALE_AUTH_LISTEN_V*)
TCP IPv4 ASSIGN 135
TCP IPv4 LISTEN 135
TCP IPv6 ASSIGN 135
TCP IPv6 LISTEN 135
TCP IPv4 ASSIGN 49152
TCP IPv4 LISTEN 49152
TCP IPv6 ASSIGN 49152
TCP IPv6 LISTEN 49152
TCP IPv4 ASSIGN 49153
TCP IPv4 LISTEN 49153
TCP IPv6 ASSIGN 49153
TCP IPv6 LISTEN 49153
TCP IPv4 ASSIGN 139
TCP IPv4 LISTEN 139
TCP IPv4 ASSIGN 49154
TCP IPv4 LISTEN 49154
TCP IPv6 ASSIGN 49154
TCP IPv6 LISTEN 49154
TCP IPv4 ASSIGN 445
TCP IPv6 ASSIGN 445
TCP IPv6 LISTEN 445
TCP IPv4 ASSIGN 49155
TCP IPv4 LISTEN 49155
TCP IPv6 ASSIGN 49155
TCP IPv6 LISTEN 49155
TCP IPv4 ASSIGN 49156
TCP IPv4 LISTEN 49156
TCP IPv6 ASSIGN 49156
TCP IPv6 LISTEN 49156

I didn’t get TCP IPv4 LISTEN 445 :(.
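The comparison the poster did by hand above (netstat listeners vs. the ASSIGN/LISTEN events delivered to the classify function) is the kind of coverage check a WFP driver author wants to automate when validating that a callout at FWPM_LAYER_ALE_AUTH_LISTEN_V4/V6 sees every listening socket. The script below is an added example, not code from the thread or from any WFP sample: it parses the netstat table and the event list exactly as posted, and reports every LISTENING socket for which no LISTEN event arrived, distinguishing sockets that produced only a RESOURCE_ASSIGNMENT event from sockets that produced no event at all. The "family" is inferred from the bracketed IPv6 local-address form, and the event line format (`TCP <family> <layer> <port>`) is the one the poster used.

```python
from collections import defaultdict

# Netstat output and classify-callout events exactly as posted in the thread.
NETSTAT = """\
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 736
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 404
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 780
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 936
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 520
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 1876
TCP 0.0.0.0:49158 0.0.0.0:0 LISTENING 536
TCP 10.6.135.68:139 0.0.0.0:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 736
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 404
TCP [::]:49153 [::]:0 LISTENING 780
TCP [::]:49154 [::]:0 LISTENING 936
TCP [::]:49155 [::]:0 LISTENING 520
TCP [::]:49156 [::]:0 LISTENING 1876
TCP [::]:49158 [::]:0 LISTENING 536
"""

EVENTS = """\
TCP IPv4 ASSIGN 135
TCP IPv4 LISTEN 135
TCP IPv6 ASSIGN 135
TCP IPv6 LISTEN 135
TCP IPv4 ASSIGN 49152
TCP IPv4 LISTEN 49152
TCP IPv6 ASSIGN 49152
TCP IPv6 LISTEN 49152
TCP IPv4 ASSIGN 49153
TCP IPv4 LISTEN 49153
TCP IPv6 ASSIGN 49153
TCP IPv6 LISTEN 49153
TCP IPv4 ASSIGN 139
TCP IPv4 LISTEN 139
TCP IPv4 ASSIGN 49154
TCP IPv4 LISTEN 49154
TCP IPv6 ASSIGN 49154
TCP IPv6 LISTEN 49154
TCP IPv4 ASSIGN 445
TCP IPv6 ASSIGN 445
TCP IPv6 LISTEN 445
TCP IPv4 ASSIGN 49155
TCP IPv4 LISTEN 49155
TCP IPv6 ASSIGN 49155
TCP IPv6 LISTEN 49155
TCP IPv4 ASSIGN 49156
TCP IPv4 LISTEN 49156
TCP IPv6 ASSIGN 49156
TCP IPv6 LISTEN 49156
"""


def parse_netstat(text):
    """Return [(family, port, pid)] for every TCP row in LISTENING state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # The header has six tokens; data rows have exactly five.
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        local = parts[1]
        family = "IPv6" if local.startswith("[") else "IPv4"
        port = int(local.rsplit(":", 1)[1])   # works for 0.0.0.0:445 and [::]:445
        rows.append((family, port, int(parts[4])))
    return rows


def parse_events(text):
    """Map (family, port) -> set of layers ('ASSIGN'/'LISTEN') seen in classify."""
    seen = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        _proto, family, layer, port = parts
        seen[(family, int(port))].add(layer)
    return seen


def find_gaps(netstat_text, events_text):
    """Listening sockets with no LISTEN event: [(family, port, pid, kind)]."""
    seen = parse_events(events_text)
    gaps = []
    for family, port, pid in parse_netstat(netstat_text):
        layers = seen.get((family, port), set())
        if "LISTEN" in layers:
            continue
        kind = "ASSIGN-only" if "ASSIGN" in layers else "no events"
        gaps.append((family, port, pid, kind))
    return gaps


if __name__ == "__main__":
    for family, port, pid, kind in find_gaps(NETSTAT, EVENTS):
        print(f"{family} port {port} (PID {pid}): {kind}")
```

Run against the posted data it reports IPv4 port 445 (PID 4) as ASSIGN-only, which is the gap the poster describes; it also flags port 49158 on both families, which the posted event list does not mention at all, so a full capture of both layers for every socket is the first thing to confirm before looking at filter or sublayer ordering.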