Intercepting packets before IPHTTPS interface adapter

Hello Folks,

We have a network filter driver (NDIS6) for a miniport adapter which intercepts packets from the application. We have been using this for quite a long time. Now we are trying to make use of our filter driver on a Windows 8 DirectAccess client machine. It appears that our driver is getting the tunneled packets (IPHTTPS packets; we have disabled the Teredo interface) instead of the actual packets from the application. This proves that the IPHTTPS interface is operating above the adapter level in the driver stack.

Also, when we register our filter driver during installation, we do not get any 'Attach' callback from NDIS for the IPHTTPS interface. Can that be the problem?

It would be nice if someone could advise on how we can intercept the packets before the IPHTTPS interface.

Thanks in advance.

April 13th, 2015 6:17am

Hello there,

Can you please let us know why you are looking to capture traffic before the IPHTTPS interface?

IPHTTPS packets are generated as a part of the DirectAccess tunnel (technically IPsec), and these are implemented by WFP.

I guess you might have to develop a filter driver that uses the WFP APIs.

"By providing a simpler development platform, WFP is designed to replace previous packet filtering technologies such as Transport Driver Interface (TDI) filters, Network Driver Interface Specification (NDIS) filters, and Winsock Layered Service Providers (LSP). Starting in Windows Server 2008 and Windows Vista, the firewall hook and the filter hook drivers are not available; applications that were using these drivers should use WFP instead."

https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx

https://msdn.microsoft.com/en-us/library/windows/desktop/aa366509(v=vs.85).aspx

https://msdn.microsoft.com/en-us/library/windows/hardware/dn653358(v=vs.85).aspx

https://msdn.microsoft.com/en-us/library/ff546423.aspx

Please let me know how it goes.

April 17th, 2015 8:59am
  • Proposed as answer by Vasu Deva Monday, April 20, 2015 12:42 PM
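The layering point made in this answer (IPsec for the DirectAccess tunnel is enforced by WFP, and the IPHTTPS interface then wraps the result in an outer TCP/443 stream that a miniport-level NDIS filter sees as opaque bytes) can be checked on the client itself before any driver work is done. The PowerShell diagnostic below is added here as an illustration; it is not code from this thread or from either poster. It assumes an elevated session on a Windows 8 or later DirectAccess client, that `netsh` and the `Get-NetIPHttpsState` cmdlet are available, and that the XML written by `netsh wfp show filters` uses the `wfpdiag/filters/item` element layout with `layerKey` and `displayData/name` children, as observed on such systems (an assumption, not something the thread documents).

```powershell
# Added diagnostic for a DirectAccess client (not code from this thread).
# Assumes: elevated PowerShell on Windows 8+, the NetworkTransition module
# (Get-NetIPHttpsState) present, and the wfpdiag XML layout described in the
# lead-in. Nothing here changes configuration; it only reads state.

function Get-DaTransitionState {
    # Reports whether the IPHTTPS tunnel interface is active. When it is, the
    # physical adapter (where a miniport NDIS filter attaches) carries only the
    # outer HTTPS stream of the tunnel, never the application's own packets.
    $httpsTunnel = & netsh.exe interface httpstunnel show interfaces 2>&1
    $state       = Get-NetIPHttpsState -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        IpHttpsInterfaceActive = [bool]($httpsTunnel -match 'active')
        NetshOutput            = ($httpsTunnel | Out-String).Trim()
        IpHttpsState           = $state
    }
}

function Get-WfpFilterLayerSummary {
    # Dumps the installed WFP filters and groups them by layer, so you can see
    # at which layers the IPsec / IKE / transport processing for the DA tunnel
    # is enforced. That is the layer a WFP callout would register at to observe
    # application traffic before encryption and before IPHTTPS encapsulation.
    param(
        # Layer name fragments of interest; adjust to widen or narrow the view.
        [string[]] $LayerPattern = @('IPSEC', 'IKEEXT', 'TRANSPORT', 'ALE_AUTH')
    )

    $dumpPath = Join-Path $env:TEMP 'wfp-filters.xml'
    # 'netsh wfp show filters' writes every installed filter to the given file.
    & netsh.exe wfp show filters file="$dumpPath" | Out-Null
    if (-not (Test-Path -Path $dumpPath)) {
        throw "netsh did not produce $dumpPath (run elevated?)"
    }

    [xml] $doc = Get-Content -Path $dumpPath -Raw
    $pattern   = $LayerPattern -join '|'

    # Element names below (wfpdiag/filters/item, layerKey, displayData/name)
    # are assumed from the wfpdiag schema, as noted in the lead-in.
    $doc.wfpdiag.filters.item |
        Where-Object { $_.layerKey -match $pattern } |
        Group-Object -Property layerKey |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [PSCustomObject]@{
                Layer       = $_.Name
                FilterCount = $_.Count
                SampleNames = (($_.Group | Select-Object -First 3 |
                                ForEach-Object { $_.displayData.name }) -join '; ')
            }
        }
}

# Usage (elevated):
Get-DaTransitionState | Format-List
Get-WfpFilterLayerSummary | Format-Table -AutoSize
```

If the IPHTTPS interface reports active and the summary lists filters at the IPsec and transport layers, that is the configuration the answer describes: a miniport NDIS filter will only ever see the encapsulated outer stream, and observing the unencrypted application traffic means registering at a WFP layer that runs before those filters.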

Hello Vasu,

Thanks for the reply!

We want to capture the packets before IPHTTPS and before IPsec encryption is done, so as to be able to understand the data being sent by the application. If it is after the IPHTTPS interface, then we cannot read the tunneled data, OR maybe we can if we know a way to decrypt IPsec. But we want to avoid this way as it involves more overhead on us.

So, you are saying WFP is going to replace NDIS in the future? If yes, I would hope that there would be some way we can do similar things using NDIS6 as of now (read: backward compatibility)?

Also, it would be great if you could provide me with some resource that explains the technical details of the IPHTTPS interface. I could not find much by searching.

Meanwhile I will go through the links provided by you.

Thanks a lot !

April 18th, 2015 6:02am

Hello Arun,

Yes you are correct!

WFP is going to be the future. I am not sure if you are looking to understand DirectAccess or IPHTTPS only.

IPHTTPS is one of the transition technologies that DA uses.

https://technet.microsoft.com/en-us/library/gg315307.aspx

https://msdn.microsoft.com/en-us/library/dd358571.aspx

Thanks,

Vasu.

April 20th, 2015 8:57am

Hello Vasu,

For the time being I am trying to understand and hook up the filter before any DA transition technology comes into the picture (Teredo / IPHTTPS). Hopefully with WFP that would be possible (still going through its documentation).

Is it the same technology that Netmon uses? I could see the traffic going through the IPHTTPS interface with Netmon, which was not possible using Wireshark, which uses NDIS/WinPcap.

Thanks

April 21st, 2015 2:38am
