WFP Stream data results.

Hello,

I’m comparing stream data from my inspect driver [1] (WFP) and Wireshark at session close. I can see that the Wireshark results are different from the Inspect results:

Inspect: IN: 15277 B, OUT: 6115 B
Wireshark: IN: 15360 B (15KB), OUT: 6115 B

or

Inspect: IN: 12621213 B, OUT: 6115 B
Wireshark: IN: 12582912 B (12MB), OUT: 6115 B

[1] Below is the portion of my code which counts the data:

if (eventType == INSPECT_EVENT_STREAM)
{
	KLOCK_QUEUE_HANDLE lockHandle;

	PFLOW_CONTEXT flowData = (PFLOW_CONTEXT)flowContext;

	if (flowData != NULL)
	{
		FWPS_STREAM_CALLOUT_IO_PACKET* ioPacket;
		FWPS_STREAM_DATA* streamData;

		ioPacket = (FWPS_STREAM_CALLOUT_IO_PACKET*)layerData;
		NT_ASSERT(ioPacket != NULL);

		streamData = ioPacket->streamData;
		NT_ASSERT(streamData != NULL);

		// Serialize updates to the per-flow byte counters.
		KeAcquireInStackQueuedSpinLock(&dataLenghtGuard, &lockHandle);

		// Length of the stream data in this callout invocation.
		flowData->DataLength = streamData->dataLength;

		// Accumulate the running total for the direction of this segment.
		if (streamData->flags & FWPS_STREAM_FLAG_SEND)
		{
			flowData->DataTotalLengthOut += streamData->dataLength;
		}
		else if (streamData->flags & FWPS_STREAM_FLAG_RECEIVE)
		{
			flowData->DataTotalLengthIn += streamData->dataLength;
		}

		// Release the lock acquired above.
		KeReleaseInStackQueuedSpinLock(&lockHandle);
	}
}

Can someone explain to me why there is a difference?

Krzysiek