gustav

I am currently filtering on FWPM_LAYER_INBOUND_TRANSPORT_V4 and FWPM_LAYER_OUTBOUND_TRANSPORT_V4. According to the documentation, if a fragmented TCP/IP packet is received it should be fully rebuilt before it hits the transport layer. I am however only seeing the first fragment of the original packet.

Looking at the IP header of the inbound packet there is no indication of MF or a fragment offset let alone 2 consecutive packets that have the same ID.

Is there something I have missed here?



Re: Windows Filtering Platform (WFP) Fragmented TCP packets not being seen on Transport layer

Anupama Vasanth[MSFT]

Hi Gustav,

You will only see fragments indicated to you at the FWPM_LAYER_INBOUND_IPPACKETV4/6 layers. What you are seeing at the inbound transport layer should be the fully reassembled packet.

Please let us know if you have any more questions.

thanks.






Re: Windows Filtering Platform (WFP) Fragmented TCP packets not being seen on Transport layer

gustav

Correct, I 'should' be seeing a reassembled packet on the transport layer but I am not; I am seeing a packet with a 576 byte size according to the header. The size should be updated to reflect the size of the reassembled packet. I assume that if I intercept and re-inject this packet with the header that is not correct it will be discarded by WFP.



Re: Windows Filtering Platform (WFP) Fragmented TCP packets not being seen on Transport layer

Biao Wang [MSFT]

I assume you had retreated the ipHeaderSize and transportHeaderSize to get to the IP header.

Can you dump out the complete IP packet here?

Also, what's the value of NET_BUFFER_DATA_LENGTH(NET_BUFFER_LIST_FIRST_NB(NetBufferList))?

Biao.W.





Re: Windows Filtering Platform (WFP) Fragmented TCP packets not being seen on Transport layer

gustav

I have determined the error and can confirm it as well.

It appears that the checksum in the IP header is not calculated correctly when the packet is reassembled and passed on to the transport layer. To confirm this I added code to reset and recalculate the IP header checksum. In all reassembled packets the new checksum that I calculated does not match the checksum in the IP header I received.

89ebb18c: 45 00 05 dc f8 2c 00 00 6e 06 a9 d8 41 36 98 7e 3a a5 73 9d

From this you can see the checksum is 0xd8a9 (a9 d8 in network order).

The correct checksum is: 0xf8c6 (c6 f8)

On correcting this checksum I re-inject the packet and I have no more issues.





Re: Windows Filtering Platform (WFP) Fragmented TCP packets not being seen on Transport layer

gustav

And about the other fragmentation issue: my customer changed the MTU on their servers without informing me of the change, so I can confirm that WFP is re-assembling the packets correctly. As mentioned in my previous post, however, the IP header checksum IS NOT being recalculated correctly by WFP.



Re: Windows Filtering Platform (WFP) Fragmented TCP packets not being seen on Transport layer

Biao Wang [MSFT]

Thanks for the update.

The incorrect checksum for a reassembled packet is a known bug and will be corrected in Vista SP1. As you suggested, the workaround is to re-calculate the IP checksum in the cloned NBL prior to re-injection.

Thanks,

Biao.W.
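
The checksum recalculation discussed in this thread, as an added example that is not code from any of the posters: it runs the RFC 1071 header checksum over the 20 header bytes gustav posted and rewrites the stale value in place. The function names are hypothetical, and the header is assumed to sit in a contiguous buffer; obtaining those bytes from the cloned NBL is outside the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv4 header exactly as posted in the thread (reassembled packet). */
static const uint8_t posted_hdr[20] = {
    0x45, 0x00, 0x05, 0xdc, 0xf8, 0x2c, 0x00, 0x00, 0x6e, 0x06,
    0xa9, 0xd8, 0x41, 0x36, 0x98, 0x7e, 0x3a, 0xa5, 0x73, 0x9d };

/* Header length from the IHL field; 0 if the buffer is not a usable IPv4 header. */
static size_t ipv4_hdr_len(const uint8_t *pkt, size_t avail)
{
    if (avail < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t len = (size_t)(pkt[0] & 0x0f) * 4;
    return (len >= 20 && len <= avail) ? len : 0;
}

/* RFC 1071 sum over big-endian 16-bit words, complemented; 0 means the stored checksum is valid. */
static uint16_t ipv4_hdr_sum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns 1 if the checksum was stale and has been rewritten, 0 if already valid, -1 if malformed. */
int ipv4_fix_checksum(uint8_t *pkt, size_t avail)
{
    size_t len = ipv4_hdr_len(pkt, avail);
    if (!len) return -1;
    if (ipv4_hdr_sum(pkt, len) == 0) return 0;   /* nothing to do */
    pkt[10] = pkt[11] = 0;                       /* checksum field counts as zero */
    uint16_t c = ipv4_hdr_sum(pkt, len);
    pkt[10] = (uint8_t)(c >> 8);                 /* store in network byte order */
    pkt[11] = (uint8_t)(c & 0xff);
    return 1;
}

int main(void)
{
    uint8_t h[20];
    memcpy(h, posted_hdr, sizeof h);
    int r = ipv4_fix_checksum(h, sizeof h);
    printf("rewritten=%d checksum bytes=%02x %02x\n", r, h[10], h[11]);
    return 0;
}
```

The rewritten bytes are c6 f8, the value gustav reports as correct; a header that already validates is left untouched.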