As noted below, the flow_established callout will not be invoked if your
driver is loaded after the fact. But you can still inspect streams that
are already established by setting the
FWP_CALLOUT_FLAG_ALLOW_MID_STREAM_INSPECTION flag in the registration
for the FWPM_LAYER_STREAM_V4 callout.
Pete
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
------ Original Message ------
From: “Gurzou Alexandru”
To: “Windows System Software Devs Interest List”
Sent: 8/27/2015 5:29:07 AM
Subject: Re: [ntdev] WFP callouts are not getting called sometimes
>From what I’ve seen and according to the MSDN documentation regarding
>data flows (TCP -
>https://msdn.microsoft.com/en-us/library/windows/desktop/bb451830(v=vs.85).aspx
>and UDP -
>https://msdn.microsoft.com/en-us/library/windows/desktop/bb451831(v=vs.85).aspx
>) the only time the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer is
>traversed is when the connection is actually established.
>
>This means, if an application (JMeter in this case) has already
>established a connection before you loaded your WFP driver your
>FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 callout will not be called for that
>connection.
>
>If you find a workaround for this - besides starting your driver at
>boot - I would be interested to find out your solution.
>
>On 27 August 2015 at 13:49, wrote:
>>Hi,
>>
>>Recently I have created a WFP driver, which is used for deep packet
>>inspection. My driver registers following callouts
>>
>>FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 - To identify new TCP connections
>>FWPM_LAYER_STREAM_V4 - To get the actual packet data
>>FWPM_LAYER_ALE_ENDPOINT_CLOSURE_V4 - To identify the connection
>>closure for internal cleanup.
>>
>>My driver works for most of the cases, but with one test application
>>JMeter, which is used by our QA to stress test new driver, I am
>>observing this issue.
>>What I am observing that on some test machines when JMeter does some
>>network activity my FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 callout is not
>>called, and I am not able to inspect data transfer activity happening
>>from JMeter. While data transfer from other applications like browser
>>IE,FF intercepted in my callouts.
>>
>>So I want to understand whether Is it possible for an application to
>>bypass a callout driver?
>>How can I find out why my callout driver is not getting invoked in
>>some cases ?
>>
>>Thanks,
>>Bishnu
>>
>>—
>>NTDEV is sponsored by OSR
>>
>>Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>>
>>OSR is HIRING!! See http://www.osr.com/careers
>>
>>For our schedule of WDF, WDM, debugging and other seminars visit:
>>http://www.osr.com/seminars
>>
>>To unsubscribe, visit the List Server section of OSR Online at
>>http://www.osronline.com/page.cfm?name=ListServer
>
>— NTDEV is sponsored by OSR Visit the list at:
>http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See
>http://www.osr.com/careers For our schedule of WDF, WDM, debugging and
>other seminars visit: http://www.osr.com/seminars To unsubscribe, visit
>the List Server section of OSR Online at
>http://www.osronline.com/page.cfm?name=ListServer