Arthur E.

I'd like to capture the IP header portion of the specified TCP packets (e.g., packets to the localhost) with WFP.

To achieve the goal, I think a callout is required to access the IP header data, but I don't know whether a built-in callout can be used for this purpose or not. Do I have to make some new callouts to access it?



Re: Windows Filtering Platform (WFP) How to capture IP header of the specified TCP packet with WFP

Biao Wang [MSFT]

If you just need to be able to permit or block TCP packets based on the network 4-tuple, then you don't need a callout driver.

Otherwise you need to register a callout driver at the IPPACKET or TRANSPORT layer. At IPPACKET, you will need to parse out the protocol field to know whether a packet is TCP. At the TRANSPORT layers, the protocol (and ports) are readily available; however, at OUTBOUND_TRANSPORT the IP packet has not yet been built (in SP1 we will be providing a function to construct a full IP packet at OUTBOUND_TRANSPORT).

But no, I don't think there is a built-in callout that does what you need.

Hope this helps,

Biao.W.
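Parsing out the protocol field at the IPPACKET layer, as Biao describes above: this is an added user-mode C example, not code from the thread or from the WDK samples. It assumes the callout has already copied the packet into a contiguous buffer (in a real driver via NdisGetDataBuffer on the NET_BUFFER) and shows the IPv4 header checks a classify routine needs before it can trust the Protocol byte; the IPv6 branch reads Next Header without walking extension headers.

```c
#include <stddef.h>
#include <stdint.h>

#define PROTO_TCP 6u  /* IPv4 Protocol / IPv6 Next Header value for TCP */

/* Parse the IP header at the front of a contiguous packet buffer, as a callout at
 * the IPPACKET layer would (a real callout first gets such a buffer from the
 * NET_BUFFER, e.g. with NdisGetDataBuffer). Returns 1 and sets *proto/*hdr_len
 * on success; returns 0 for a truncated or bogus header. */
int parse_ip_header(const uint8_t *pkt, size_t len, uint8_t *proto, size_t *hdr_len)
{
    if (len < 20) return 0;                         /* too short for any IP header */
    if ((pkt[0] >> 4) == 4) {
        size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* IHL counts 32-bit words */
        size_t total = ((size_t)pkt[2] << 8) | pkt[3];
        /* reject a bogus IHL and a Total Length that overruns the buffer */
        if (ihl < 20 || total < ihl || total > len) return 0;
        *proto = pkt[9];
        *hdr_len = ihl;
        return 1;
    }
    if ((pkt[0] >> 4) == 6 && len >= 40) {
        *proto = pkt[6];      /* Next Header; extension headers are not walked */
        *hdr_len = 40;
        return 1;
    }
    return 0;
}

/* The check a callout makes before reading TCP ports: returns the offset of
 * the TCP header, or 0 if the packet is not TCP or its header is truncated. */
size_t tcp_header_offset(const uint8_t *pkt, size_t len)
{
    uint8_t proto;
    size_t hdr_len;
    if (!parse_ip_header(pkt, len, &proto, &hdr_len)) return 0;
    if (proto != PROTO_TCP || len < hdr_len + 20) return 0;
    return hdr_len;
}

/* Constructed sample: a 40-byte IPv4 packet 127.0.0.1 -> 127.0.0.1:80 carrying a
 * 20-byte TCP SYN. 'proto' overrides the Protocol byte, 'len' the buffer length. */
size_t demo_localhost(uint8_t proto, size_t len)
{
    uint8_t pkt[40] = {
        0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
        127, 0, 0, 1, 127, 0, 0, 1,                       /* src, dst */
        0xc0, 0x00, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,   /* ports, seq, ack */
        0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00 }; /* SYN, window 65535 */
    pkt[9] = proto;
    return tcp_header_offset(pkt, len > sizeof pkt ? sizeof pkt : len);
}
```

Passing a non-TCP Protocol value or a buffer shorter than the IPv4 Total Length makes the check return 0, which is the case a callout must handle before it touches the transport header.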





Re: Windows Filtering Platform (WFP) How to capture IP header of the specified TCP packet with WFP

Arthur E.

Thank you for your reply. I'm trying to build a callout driver for myself with the WDK, but when I included the file fwpsk.h in my callout device source file, the preprocessor generated many errors. Is anything wrong with my configuration?





Re: Windows Filtering Platform (WFP) How to capture IP header of the specified TCP packet with WFP

Charlie Hu [MSFT]

The best way to start WFP callout driver development is to refer to the WDK samples. This forum is more about WFP-specific questions. For general driver development, the WDK documentation or other driver newsgroups will be a better resource.

Charlie