How to get Packet's payload or data in WFP sampler code while examining the packet.

Hello,

I have a filter driver based on the Windows Filtering Platform (WFPSampler) which examines or captures all the UDP packets received by the system. I am able to capture or extract the header from the UDP packet (NET_BUFFER). Now I want to get the packet’s actual data or packet’s payload (which contains the information) and write that to a .txt file. But I am not able to get the packet’s actual data or packet’s payload (NET_BUFFER) from the received UDP packet. I am capturing packets on the FWPM_LAYER_INBOUND_TRANSPORT_V4 layer.

Reply as soon as possible.

Thank you.

Try to do it at the stream layer and check the streamedit sample. There, there is a function something like CopyDataToFlatBuffer where it copies the data payload from a netbuffer to a PVOID allocated buffer.


Gabriel Bercea

Windows Kernel Driver Consulting

www.kasardia.com

On Tue, Apr 26, 2016 at 11:08 PM -0700, wrote:



NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at

To unsubscribe, visit the List Server section of OSR Online at

Hello Gabriel Bercea,

I am using the Basic Packet Examination scenario in the WFPSampler example. I tried to do it at the stream layer, but I am not getting any packets at that layer. I am trying to do it at the FWPM_LAYER_INBOUND_IPPACKET_V4 layer and I am able to get the header values for the UDP protocol. But I don’t know how to get the data payload from the packet.

Thanks

Hi,

As far as I know you cannot inspect UDP packets at the stream layer. You should register to the datagram data layer and get the data from the net buffers.

On 27 Apr 2016 3:25 PM, wrote:

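Both replies above point at the same step: copying the payload out of the NET_BUFFER's MDL chain into one flat buffer (streamedit's CopyDataToFlatBuffer, or NdisGetDataBuffer at the datagram data layer). The block below is an added example, not WFPSampler or streamedit code: a user-mode model of that gather loop, with constructed stand-ins for the MDL and NET_BUFFER types so it builds without the WDK; the stand-in type and field names are assumptions that mirror the kernel macros named in the comments.

```c
#include <stdint.h>
#include <string.h>
/* Stand-in for one MDL: what MmGetSystemAddressForMdlSafe, MmGetMdlByteCount
 * and Mdl->Next expose in the kernel (constructed for this example). */
typedef struct Fragment {
    const uint8_t   *base;       /* mapped address of this fragment */
    size_t           byteCount;  /* bytes this fragment describes */
    struct Fragment *next;       /* NULL at the end of the chain */
} Fragment;

/* Stand-in for NET_BUFFER_CURRENT_MDL, NET_BUFFER_CURRENT_MDL_OFFSET and
 * NET_BUFFER_DATA_LENGTH, the three fields the copy needs. */
typedef struct {
    Fragment *currentMdl;
    size_t    currentMdlOffset;  /* bytes of the current MDL already consumed */
    size_t    dataLength;        /* payload bytes from the data start onward */
} NetBuffer;

/* Copies dataLength bytes from the data start into a caller-owned flat buffer.
 * Returns bytes copied, or 0 if out is too small or the chain ends early:
 * the advertised length is never trusted over what the chain really holds. */
size_t copy_data_to_flat_buffer(const NetBuffer *nb, uint8_t *out, size_t capacity)
{
    if (nb->dataLength > capacity) return 0;
    const Fragment *f = nb->currentMdl;
    size_t offset = nb->currentMdlOffset, copied = 0;
    while (copied < nb->dataLength) {
        if (f == NULL || offset > f->byteCount) return 0;
        size_t avail = f->byteCount - offset, want = nb->dataLength - copied;
        size_t n = avail < want ? avail : want;
        memcpy(out + copied, f->base + offset, n);
        copied += n;
        offset = 0;              /* later fragments are read from their start */
        f = f->next;
    }
    return copied;
}

/* Constructed sample: 28 zeroed bytes standing in for IPv4 + UDP headers, then
 * a 27-byte payload split over three fragments, with the data start already
 * advanced past the headers as the inbound transport layer presents it. */
size_t demo_inbound_udp_payload(uint8_t *out, size_t capacity)
{
    static uint8_t frag1[28 + 3];
    memcpy(frag1 + 28, "pay", 3);
    static const uint8_t frag2[] = "load of the", frag3[] = " UDP datagram";
    Fragment f3 = { frag3, 13, NULL }, f2 = { frag2, 11, &f3 }, f1 = { frag1, 31, &f2 };
    NetBuffer nb = { &f1, 28, 27 };
    return copy_data_to_flat_buffer(&nb, out, capacity);
}
```

Per the WFP data-offset documentation, at the inbound transport and datagram data layers the NET_BUFFER data start already sits past the IP and UDP headers, which is why the sample begins copying at offset 28; in the driver, each stand-in fragment corresponds to one MDL from NET_BUFFER_CURRENT_MDL mapped with MmGetSystemAddressForMdlSafe, and NdisGetDataBuffer performs this same gather into your scratch buffer when the payload is not contiguous.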

Hello Sap Gr,

Thanks for your reply. But you didn’t tell me how to extract or get the payload from the NET_BUFFER structure. I am able to get the packet and the header from the packet. But I want to write the actual data from the packet (payload of the packet) to a file.

@Nishant_Varshney said:
Hello Sap Gr,

Thanks for your reply. But you didn’t tell me how to extract or get the payload from the NET_BUFFER structure. I am able to get the packet and the header from the packet. But I want to write the actual data from the packet (payload of the packet) to a file.

same problem here :cry:
did you solve it bro?

Dude… you seriously think somebody from 2016 is still following this thread?

Which is, by the way, posted to the wrong forum.

SERIOUSLY?

Peter