Hello,
I’m comparing stream data from my inspect driver [1] (WFP) and Wireshark at session close. I can see that Wireshark's results are different from Inspect's:
Inspect: IN: 15277 B, OUT: 6115 B
Wireshark: IN: 15360 B (15KB), OUT: 6115 B
or
Inspect: IN: 12621213 B, OUT: 6115 B
Wireshark: IN: 12582912 B (12MB), OUT: 6115 B
[1] Below is the portion of my code that counts the data:
    if (eventType == INSPECT_EVENT_STREAM)
    {
        KLOCK_QUEUE_HANDLE lockHandle;
        PFLOW_CONTEXT flowData = (PFLOW_CONTEXT)flowContext;

        if (flowData != NULL)
        {
            FWPS_STREAM_CALLOUT_IO_PACKET* ioPacket;
            FWPS_STREAM_DATA* streamData;

            ioPacket = (FWPS_STREAM_CALLOUT_IO_PACKET*)layerData;
            NT_ASSERT(ioPacket != NULL);
            streamData = ioPacket->streamData;
            NT_ASSERT(streamData != NULL);

            /* Serialize updates of the per-flow counters. */
            KeAcquireInStackQueuedSpinLock(&dataLenghtGuard, &lockHandle);

            /* Size of the data indicated in this stream event. */
            flowData->DataLength = streamData->dataLength;

            /* Accumulate per direction (send = OUT, receive = IN). */
            if (streamData->flags & FWPS_STREAM_FLAG_SEND)
            {
                flowData->DataTotalLengthOut += streamData->dataLength;
            }
            else if (streamData->flags & FWPS_STREAM_FLAG_RECEIVE)
            {
                flowData->DataTotalLengthIn += streamData->dataLength;
            }

            /* Matching release of the lock acquired above. */
            KeReleaseInStackQueuedSpinLock(&lockHandle);
        }
    }
Can someone explain to me why there is a difference?
Krzysiek