
I'm working on an application that should collect in/out traffic stats for every connection on the system. My idea is to use the WFP 'FwpmConnectionSubscribe0' function in order to register a callback function and start receiving the 'FWPM_CONNECTION_EVENT_TYPE' and 'FWPM_CONNECTION0' objects.

The 'FWPM_CONNECTION_EVENT_TYPE' would allow detecting connection opening and closing events (FWPM_CONNECTION_EVENT_ADD, FWPM_CONNECTION_EVENT_DELETE). The 'FWPM_CONNECTION0' allows getting the connection details such as IP addresses and in/out transferred bytes.

But when the test app was ready, it appeared that I didn't receive any connection events. There are no runtime errors or anything like that. It just does not receive any events. I thought the problem could be in access rights, but the app is running as Administrator and it has the required access rights. Another idea was about the WFP policies. I thought that the required policy was disabled, so I enabled the following one: 'Filtering Platform Connection {0CCE9226-69AE-11D9-BED3-505054503030}', but this did not work out either.

So the questions are:

  • Is it possible to get in/out traffic stats for every connection on the OS using the user-mode WFP methods, without implementing a kernel-mode callout driver?
  • What is the reason for the non-working connection events subscription?

Here is the source code.

#include <winsock2.h>
#include <windows.h>
#include <fwpmu.h>
#include <cstring>
#pragma comment(lib, "fwpuclnt.lib")

// Callback invoked by BFE for every connection event. Declaring it with the
// documented FWPM_CONNECTION_CALLBACK0 signature removes the need for the cast
// when passing it to FwpmConnectionSubscribe.
static void CALLBACK ConnectionsCallback(
    void* context,
    FWPM_CONNECTION_EVENT_TYPE eventType,
    const FWPM_CONNECTION0* connection);

// BFE session initialization.
{
    FWPM_SESSION session;
    std::memset(&session, 0, sizeof(session));

    session.sessionKey = <Key>;                   // session GUID (placeholder as in the original)
    session.flags |= FWPM_SESSION_FLAG_DYNAMIC;   // objects added in this session are removed when it closes
    session.displayData.name = BFE_SESSION_NAME;
    session.displayData.description = BFE_SESSION_DESC;

    // Opens a session to the filter engine; handle_ receives the engine handle.
    const auto error = FwpmEngineOpen(
        NULL, RPC_C_AUTHN_WINNT, NULL, &session, &handle_
    );
    if (error != ERROR_SUCCESS) {
        // 'error' is a Win32 error code (e.g. FWP_E_* or ERROR_ACCESS_DENIED).
        return;
    }
}

// Connection events subscription initialization.
{
    FWPM_CONNECTION_SUBSCRIPTION subscription;
    std::memset(&subscription, 0, sizeof(subscription));   // zero any fields not set below
    subscription.enumTemplate = NULL;                       // NULL template: subscribe to all connection events
    subscription.flags = 0;
    subscription.sessionKey = BfeSession::Key();

    // Registers the callback; handle_ receives the subscription handle, which
    // must later be passed to FwpmConnectionUnsubscribe to stop receiving events.
    const auto error = FwpmConnectionSubscribe(
        session.Handle(),
        &subscription,
        ConnectionsCallback,
        NULL,
        &handle_
    );
    if (error != ERROR_SUCCESS) {
        // Subscription failed; 'error' is a Win32 error code.
        return;
    }
}

Any ideas are appreciated! Thank you!

  • You can't receive the non-DROP event by using WFP User-Mode API. – Michael Kim Jul 26 '20 at 04:27
  • Thank you for the response! Could you provide any doc or guide where it's said that there is no way to get new connection events? The thing that worries me is that I do not receive any events at all. – Richard Roe Jul 27 '20 at 09:38
  • I found https://social.msdn.microsoft.com/Forums/en-US/45490831-3eb9-4c2e-8ea3-1ace88a5c940/wfp-logging and tried logging the non-drop event, but could not receive it with FwpmNetEventSubscribe. – Michael Kim Aug 03 '20 at 04:28
