Receiving in/out traffic stats using WFP user-mode API

I'm working on an application that should collect in/out traffic stats for every connection on the system. My idea is to use the WFP 'FwpmConnectionSubscribe0' function to register a callback function and start receiving the 'FWPM_CONNECTION_EVENT_TYPE' and the 'FWPM_CONNECTION0' object.

The 'FWPM_CONNECTION_EVENT_TYPE' would allow detecting connection opening and closing events (FWPM_CONNECTION_EVENT_ADD, FWPM_CONNECTION_EVENT_DELETE). The 'FWPM_CONNECTION0' allows getting the connection details such as IP addresses and bytes transferred in/out.

But when the test app was ready it turned out that I don't receive any connection events. There are no runtime errors or anything like that. It just does not receive any events. I thought the problem could be in access rights, but the app is running as Administrator and it has the required access rights. Another idea was about the WFP policies. I thought that the required policy was disabled. So I enabled the following one: 'Filtering Platform Connection {0CCE9226-69AE-11D9-BED3-505054503030}', but this did not work out either.

So the questions are:

  • Is it possible to get in/out traffic stats for every connection on the OS using the user-mode WFP methods without kernel-mode callout driver implementation?
  • What is the reason for the non-working connection events subscription?

Here is the source code.

// Headers and import library needed for the user-mode WFP API.
#include <windows.h>
#include <fwpmu.h>
#include <cstring>
#pragma comment(lib, "fwpuclnt.lib")

// Prototype that FwpmConnectionSubscribe0 expects for its callback. Declaring it
// with the exact signature lets the compiler check it instead of hiding a
// mismatch behind a cast.
static void CALLBACK ConnectionsCallback(
    void* context,
    FWPM_CONNECTION_EVENT_TYPE eventType,
    const FWPM_CONNECTION0* connection
);

// BFE session initialization.
{
    FWPM_SESSION session;
    std::memset(&session, 0, sizeof(session));

    session.sessionKey = <Key>;
    session.flags |= FWPM_SESSION_FLAG_DYNAMIC;   // objects added in this session go away when it closes
    session.displayData.name = BFE_SESSION_NAME;
    session.displayData.description = BFE_SESSION_DESC;

    // Fwpm* functions return ERROR_SUCCESS or a Win32/FWP_E_* code directly;
    // they do not set GetLastError(), so the return value must be checked.
    const DWORD error = FwpmEngineOpen(
        NULL, RPC_C_AUTHN_WINNT, NULL, &session, &handle_
    );
    if (error != ERROR_SUCCESS) {
        // handle_ is not valid here; report the error and stop.
    }
}

// Connection events subscription initialization.
{
    FWPM_CONNECTION_SUBSCRIPTION subscription;
    std::memset(&subscription, 0, sizeof(subscription));
    subscription.enumTemplate = NULL;   // NULL template: receive events for all connections
    subscription.flags = 0;
    subscription.sessionKey = BfeSession::Key();

    const DWORD error = FwpmConnectionSubscribe(
        session.Handle(),
        &subscription,
        ConnectionsCallback,   // no cast needed once the prototype matches
        NULL,                  // context passed back to the callback
        &handle_               // events handle; release with FwpmConnectionUnsubscribe0
    );
    if (error != ERROR_SUCCESS) {
        // Typical failures are ERROR_ACCESS_DENIED or an FWP_E_* code; a
        // successful call that never fires is not reported here.
    }
}

Any ideas are appreciated! Thank you!
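Editor's note on the audit policy mentioned above, with an added example that is not part of the question. FWPM_CONNECTION0 is defined with IPsec fields (ipsecTrafficModeType, keyModuleType, mmCrypto and the main-mode/quick-mode peer identities) next to its byte counters, so the connection objects FwpmConnectionSubscribe0 delivers describe IPsec-protected connections rather than arbitrary TCP/UDP flows; a host with no IPsec traffic gets no callbacks, which matches the silence described in the question. The 'Filtering Platform Connection' audit subcategory the question enabled does not feed that callback at all; it writes events 5156 (permitted connection) and 5157 (blocked connection) to the Security event log, which any elevated user-mode process can read without a callout driver. Those events carry endpoints, protocol, direction, process id and the filter that decided, but no byte counts, so they answer the "which connections" part of the question and not the traffic-stats part. The PowerShell below checks that the subcategory is enabled by its GUID and parses the resulting events into one record per connection. It assumes an elevated session and that some events have already been logged; the variable names are my own.

```powershell
# Added example, not code from the question. Run elevated: reading the Security
# log and changing audit policy both require it.

# 1. Check (and optionally enable) the audit subcategory from the question by GUID,
#    which is stable across Windows locales.
$subcategory = '{0CCE9226-69AE-11D9-BED3-505054503030}'   # Filtering Platform Connection
auditpol /get /subcategory:$subcategory
# auditpol /set /subcategory:$subcategory /success:enable /failure:enable

# 2. Pull the connection events that subcategory writes to the Security log.
#    5156 = WFP permitted a connection, 5157 = WFP blocked a connection.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156, 5157 } `
                       -MaxEvents 500 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No 5156/5157 events found; confirm the subcategory is enabled and generate some traffic."
    return
}

# 3. Flatten each event's EventData into a record. Direction is stored as a
#    message-table reference: %%14592 = Inbound, %%14593 = Outbound.
$directionNames = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }

$connections = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}                                   # hashtable keys are case-insensitive
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    $dir = $d['Direction']
    if ($directionNames.ContainsKey($dir)) { $dir = $directionNames[$dir] }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Verdict     = if ($e.Id -eq 5156) { 'Permit' } else { 'Block' }
        Direction   = $dir
        Protocol    = [int]$d['Protocol']      # 6 = TCP, 17 = UDP
        Source      = "$($d['SourceAddress']):$($d['SourcePort'])"   # packet origin, so the remote side for Inbound
        Destination = "$($d['DestAddress']):$($d['DestPort'])"
        ProcessId   = [int]$d['ProcessId']
        Application = $d['Application']
        FilterRTID  = [uint64]$d['FilterRTID']  # runtime id of the WFP filter that made the decision
    }
}

$connections | Sort-Object Time | Format-Table -AutoSize

# 4. Per-application connection counts; a cheap sanity check that the log is
#    actually covering the processes you care about.
$connections | Group-Object Application | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Two caveats from experience: this subcategory is noisy (every socket connect and accept on the machine becomes an event), so raise the Security log size before leaving it on, and the FilterRTID in each event can be matched against FwpmFilterEnum0 output from the same user-mode API to see which filter permitted or blocked the connection.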
