Eric T.

Reputation: 11

Windows Filtering Platform - finding byte count of TCP sessions

I am using a Windows Filtering Platform callout on Windows to track TCP connections. Filters on the ALE established and endpoint closure layers work great for detecting the start and end of a connection. However, I also need to know the size of traffic in each direction, and preferably the packet count, but I have not been able to find that in the closure information.

It is possible to monitor each packet using the stream layer(s) but maintaining a session table in kernel space and constantly updating sessions for each packet is not appealing as this is going to add a lot of overhead and complexity.

Anyone know how to efficiently get byte-count for TCP sessions using WFP on Windows? Alternative suggestions would also be welcome.

Upvotes: 1

Views: 581

Answers (1)

Niyaz Ivanov

Reputation: 667

I also tried to solve this issue once but ended up with the following. It is valid for IPv4 only!

On the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer you can create your own context using the FwpsFlowAssociateContext0 function and later, at the DITNO_FIREWALL_STREAM_CALLOUT_V4 and DITNO_FIREWALL_DATAGRAM_DATA_CALLOUT_V4 layers, increment byte counters and save any metadata in your context structure.

Once flowDeleteFn is called, it means the flow is at an end and you've got your counters ready. Memory used for the context must be released.

Any luck with in-kernel features to approach it by the way?

Upvotes: 1
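The per-flow accounting lifecycle described in the answer (context attached when the flow is established, counters bumped in the stream callout, counters harvested and the context freed in flowDeleteFn), as an added user-mode model that is not the answerer's driver code. It cannot call the kernel WFP API, so FwpsFlowAssociateContext0, the flowContext handed to classifyFn, and the FWPS_STREAM_FLAG_SEND / FWPS_STREAM_FLAG_RECEIVE direction flags are replaced by a plain linked list and constructed DIR_* bits; the real WFP names appear only in comments. The counter fields are called "segments" rather than "packets" because a stream-layer callout sees data indications, which need not correspond one-to-one to packets on the wire.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Direction bits modelled on streamData->flags. These values are constructed
 * for this model and are not the real FWPS_STREAM_FLAG_* constants. */
enum { DIR_SEND = 1u, DIR_RECEIVE = 2u };

/* The context structure a driver would attach to the flow at
 * FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 with FwpsFlowAssociateContext0. */
typedef struct FlowCtx {
    uint64_t flowId;                 /* flowHandle from the incoming metadata */
    uint32_t localAddr, remoteAddr;  /* IPv4 4-tuple captured at establish time */
    uint16_t localPort, remotePort;
    uint64_t bytesOut, bytesIn;      /* per-direction byte counters */
    uint64_t segsOut, segsIn;        /* stream indications per direction */
    struct FlowCtx *next;
} FlowCtx;

/* In a driver WFP owns the flowHandle -> context mapping and passes the context
 * to classifyFn as flowContext; this list stands in for that mapping. */
static FlowCtx *g_flows = NULL;

static FlowCtx *flow_lookup(uint64_t flowId) {
    for (FlowCtx *c = g_flows; c; c = c->next)
        if (c->flowId == flowId) return c;
    return NULL;
}

/* Model of the ALE_FLOW_ESTABLISHED_V4 classifyFn: allocate the context and
 * "associate" it with the flow. Returns 0 on success, -1 on failure. */
int on_flow_established(uint64_t flowId, uint32_t localAddr, uint16_t localPort,
                        uint32_t remoteAddr, uint16_t remotePort) {
    if (flow_lookup(flowId)) return -1;      /* already tracked */
    FlowCtx *c = calloc(1, sizeof *c);       /* a pool allocation in the driver */
    if (!c) return -1;
    c->flowId = flowId;
    c->localAddr = localAddr;   c->localPort = localPort;
    c->remoteAddr = remoteAddr; c->remotePort = remotePort;
    c->next = g_flows;
    g_flows = c;
    return 0;
}

/* Model of the stream-layer classifyFn: dataLength and the direction flag come
 * from the FWPS_STREAM_CALLOUT_IO_PACKET0 the layer hands the callout. Only the
 * counters are touched, so the per-indication cost is a lookup plus two adds. */
int on_stream_data(uint64_t flowId, unsigned flags, uint64_t dataLength) {
    FlowCtx *c = flow_lookup(flowId);
    if (!c) return -1;                       /* no context: not a tracked flow */
    if (flags & DIR_RECEIVE)   { c->bytesIn  += dataLength; c->segsIn++;  }
    else if (flags & DIR_SEND) { c->bytesOut += dataLength; c->segsOut++; }
    else return -1;                          /* unknown direction */
    return 0;
}

/* Model of flowDeleteFn: the flow is over, so copy the final counters to the
 * caller (a driver would log or queue them) and release the context. */
int on_flow_deleted(uint64_t flowId, FlowCtx *out) {
    for (FlowCtx **pp = &g_flows; *pp; pp = &(*pp)->next) {
        if ((*pp)->flowId == flowId) {
            FlowCtx *c = *pp;
            *pp = c->next;                   /* unlink */
            *out = *c;
            out->next = NULL;
            free(c);                         /* ExFreePool in the driver */
            return 0;
        }
    }
    return -1;                               /* flow was never tracked */
}

int main(void) {
    /* Constructed event sequence standing in for one TCP session's callouts. */
    FlowCtx done;
    on_flow_established(42, 0x0A000001u, 50000, 0xC0A80001u, 443);
    on_stream_data(42, DIR_SEND, 517);
    on_stream_data(42, DIR_RECEIVE, 4096);
    on_stream_data(42, DIR_RECEIVE, 1200);
    if (on_flow_deleted(42, &done) == 0)
        printf("flow %llu: out %llu bytes/%llu segs, in %llu bytes/%llu segs\n",
               (unsigned long long)done.flowId,
               (unsigned long long)done.bytesOut, (unsigned long long)done.segsOut,
               (unsigned long long)done.bytesIn, (unsigned long long)done.segsIn);
    return 0;
}
```

The point of the design is that the stream callout never searches a session table of its own: the kernel already resolves the flow to its context, so the hot path is just the counter update, and the only bookkeeping left to the driver is allocating the context at establish time and freeing it in flowDeleteFn.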
