Question

I am writing the callout driver for Hyper-V 2012 where I need to filter the packets sent from virtual machines.

I added a filter at the FWPM_LAYER_EGRESS_VSWITCH_TRANSPORT_V4 layer in WFP. The callout function receives a packet buffer, which I typecast to NET_BUFFER_LIST. I am doing the following to get the data pointer:

    pNetBuffer = NET_BUFFER_LIST_FIRST_NB((NET_BUFFER_LIST*)pClassifyData->pPacket);
    pContiguousData = NdisGetDataBuffer(pNetBuffer, NET_BUFFER_DATA_LENGTH(pNetBuffer), 0, 1, 0);

I have a simple client-server application to test the packet data. The client is on a VM and the server is on another machine. As I observed, data sent from the client to the server is truncated and some garbage is added at the end. There is no issue sending messages from the server to the client. If I don't add this layer filter, the client-server application works without any issue.

The callback function receives metadata that includes ipHeaderSize and transportHeaderSize. Both of these values are zero. Are these the correct values, or should they be non-zero? Can somebody help me extract the data from the packet in the callout function and forward it safely to further layers?

Thank You.

No correct solution

OTHER TIPS

These are TCP packets. I looked into the size and offset information. It seems the problem is consistent across packets. I checked the values below in (NET_BUFFER_LIST*)pClassifyData->pPacket.

NET_BUFFER_LIST->NetBufferListHeader->NetBufferListData->FirstNetBuffer->NetBufferHeader->NetBufferData->CurrentMdl->MappedSystemVa

Only the first 24 bytes are sent correctly; the remaining bytes are garbage.

For example, the total size of the packet is 0x36 + 0x18 = 0x4E. I don't know what is in the first 0x36 bytes, which is constant for all the packets. Is it a TCP/IP header? The second part, 0x18, is the actual data which I sent.

I even tried the NdisQueryMdl() API to retrieve the data from the MDL list.

So on the receiver side I get only 24 bytes correct and the rest is garbage. How do I read the full buffer from NET_BUFFER_LIST?
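
Added example, not part of the original posts: a user-space C model of why reading DataLength bytes from CurrentMdl->MappedSystemVa yields correct bytes followed by garbage when a NET_BUFFER's data spans more than one MDL, and how walking the chain recovers all of it. The struct layouts are simplified stand-ins, the function names are hypothetical, and the split of the 0x4E bytes across two MDLs is an assumption about the packets described above.

```c
#include <stddef.h>
#include <string.h>
/* Simplified user-space stand-ins for MDL and NET_BUFFER (assumed model). */
typedef struct mdl {
    struct mdl *Next;
    unsigned char *MappedSystemVa;
    size_t ByteCount;
} mdl_t;
typedef struct {
    mdl_t *CurrentMdl;
    size_t CurrentMdlOffset; /* start of used data inside CurrentMdl */
    size_t DataLength;       /* used bytes across the whole chain */
} net_buffer_t;

/* Bytes readable in one piece from CurrentMdl->MappedSystemVa; reading
   DataLength bytes from that pointer runs past the first MDL when smaller. */
size_t nb_contiguous_len(const net_buffer_t *nb)
{
    size_t avail = nb->CurrentMdl->ByteCount - nb->CurrentMdlOffset;
    return avail < nb->DataLength ? avail : nb->DataLength;
}

/* Copy up to cap bytes of packet data into out, following Next. */
size_t nb_copy_data(const net_buffer_t *nb, unsigned char *out, size_t cap)
{
    size_t want = nb->DataLength < cap ? nb->DataLength : cap;
    size_t off = nb->CurrentMdlOffset, done = 0, n;
    const mdl_t *m = nb->CurrentMdl;
    if (m == NULL || off > m->ByteCount) return 0;
    for (; m != NULL && done < want; m = m->Next, off = 0) {
        n = m->ByteCount - off;
        if (n > want - done) n = want - done;
        memcpy(out + done, m->MappedSystemVa + off, n);
        done += n;
    }
    return done;
}

/* Constructed sample with the post's sizes: 0x36 + 0x18 = 0x4E bytes. */
static unsigned char hdr[0x36], payload[0x18];
static mdl_t m2 = { NULL, payload, sizeof payload };
static mdl_t m1 = { &m2, hdr, sizeof hdr };
net_buffer_t sample_nb = { &m1, 0, 0x4E };
unsigned char sample_out[0x4E];
size_t sample_copy(void)
{
    memset(hdr, 0xAA, sizeof hdr);
    memset(payload, 0x55, sizeof payload);
    return nb_copy_data(&sample_nb, sample_out, sizeof sample_out);
}
```

In the driver itself, NdisGetDataBuffer performs the equivalent copy when it is given a non-NULL Storage buffer of at least BytesNeeded bytes; with Storage set to NULL it returns NULL when the requested data is not contiguous.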

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow