How to filter HTTP GET packets out of TCP packets...

Problem description:

My current code is here,

===================

/* Condition 1: remote IPv4 address. With FWP_MATCH_NOT_EQUAL every remote
 * address except remoteAddr matches. */
filterConditions[conditionIndex].fieldKey  = FWPM_CONDITION_IP_REMOTE_ADDRESS;
/* code changed: was FWP_MATCH_EQUAL, now FWP_MATCH_NOT_EQUAL */
filterConditions[conditionIndex].matchType = FWP_MATCH_NOT_EQUAL;

if (IsEqualGUID(layerKey, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4))
{
    /* FWP_UINT32 IPv4 addresses in filter conditions are in host byte order,
     * so remoteAddr must already be byte-swapped if it came from a
     * network-order source. */
    filterConditions[conditionIndex].conditionValue.type   = FWP_UINT32;
    filterConditions[conditionIndex].conditionValue.uint32 = *(UINT32*)remoteAddr;
    conditionIndex++;

    /* my code: condition 2, TCP only (IP protocol number 6) */
    filterConditions[conditionIndex].fieldKey              = FWPM_CONDITION_IP_PROTOCOL;
    filterConditions[conditionIndex].matchType             = FWP_MATCH_EQUAL;
    filterConditions[conditionIndex].conditionValue.type   = FWP_UINT8;
    filterConditions[conditionIndex].conditionValue.uint8  = 6;
    conditionIndex++;

    /* Condition 3: HTTP, matched here on local port 80.
     * Caveat: at OUTBOUND_TRANSPORT the local port is the source port of an
     * outbound packet, i.e. this matches a local web server's responses. A
     * client's GET request leaves with remote (destination) port 80, so
     * FWPM_CONDITION_IP_REMOTE_PORT is the field to match for those. */
    filterConditions[conditionIndex].fieldKey              = FWPM_CONDITION_IP_LOCAL_PORT;
    filterConditions[conditionIndex].matchType             = FWP_MATCH_EQUAL;
    filterConditions[conditionIndex].conditionValue.type   = FWP_UINT16;
    filterConditions[conditionIndex].conditionValue.uint16 = 80;

    DbgPrint("Filter Added ...!!");
}

conditionIndex++;   /* accounts for the last condition written above */
}
====================

This code is showing the packets from TCP (HTTP) at port 80,

but I need to filter the HTTP GET packets.

 

 

In order to filter only the HTTP GET packets, it is advised to implement a callout driver and place your filter at FWPM_LAYER_STREAM_V{4/6}. You can use the same filtering conditions you specify in the code above, but that will trigger classification for all HTTP packets. Within your callout, you will need to parse the data and block the HTTP GET portions.

http://msdn.microsoft.com/en-us/library/windows/hardware/ff570891(v=vs.85).aspx

 

Optionally you can keep your filter at OUTBOUND_TRANSPORT, but you still need to have the callout parse the data of the packet. The main issue with this approach is you will need to know how to determine when the GET portion is finished if it gets spread over multiple packets.

 

Hope this helps,
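The parsing problem the answer points at, a GET request line arriving spread over several segments, as an added example that is not part of the original thread and not Microsoft's callout code. It is plain user-mode C so it can be compiled and run on its own: per-flow state accumulates payload bytes until the first CRLF, then decides whether the request line is a GET, and caps how much it will buffer while waiting. In a real FWPM_LAYER_STREAM_V4 callout the bytes would come from the FWPS_STREAM_CALLOUT_IO_PACKET0 stream data (copied out with FwpsCopyStreamDataToBuffer0) and an incomplete line would be answered with FWPS_STREAM_ACTION_NEED_MORE_DATA; the names `http_flow`, `flow_feed`, `classify_chunked`, the `MAX_REQUEST_LINE` value and the sample requests are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on bytes buffered while waiting for the end of the request line.
 * The cap is the security-relevant part: a peer that never sends CRLF must not
 * make the callout grow per-flow state without limit. 2048 is an assumed value. */
#define MAX_REQUEST_LINE 2048

enum verdict {
    VERDICT_NEED_MORE, /* no CRLF yet; a stream callout would return FWPS_STREAM_ACTION_NEED_MORE_DATA */
    VERDICT_PERMIT,    /* request line complete and it is not a GET */
    VERDICT_BLOCK,     /* request line complete and it is a GET */
    VERDICT_OVERFLOW   /* no CRLF within MAX_REQUEST_LINE bytes; treat the flow as hostile */
};

/* Per-flow parser state (in a callout this would hang off the flow context). */
struct http_flow {
    char         buf[MAX_REQUEST_LINE];
    size_t       len;
    bool         decided;
    enum verdict result;
};

static void flow_init(struct http_flow *f)
{
    memset(f, 0, sizeof *f);
    f->result = VERDICT_NEED_MORE;
}

/* True if line[0..line_len) is "GET" SP Request-URI SP "HTTP/"... (RFC 7230 request-line). */
static bool line_is_get(const char *line, size_t line_len)
{
    if (line_len < 4 || memcmp(line, "GET ", 4) != 0)
        return false;
    const char *uri = line + 4;
    const char *end = line + line_len;
    const char *sp  = memchr(uri, ' ', (size_t)(end - uri));
    if (sp == NULL || sp == uri)            /* require a non-empty URI followed by SP */
        return false;
    const char *version = sp + 1;
    return (size_t)(end - version) >= 5 && memcmp(version, "HTTP/", 5) == 0;
}

/* Feed one segment's payload into the flow and return the verdict so far.
 * Once a verdict other than NEED_MORE is reached it is sticky for the flow. */
enum verdict flow_feed(struct http_flow *f, const uint8_t *data, size_t n)
{
    if (f->decided)
        return f->result;
    for (size_t i = 0; i < n; i++) {
        if (f->len == MAX_REQUEST_LINE) {   /* buffer full and still no CRLF */
            f->decided = true;
            f->result  = VERDICT_OVERFLOW;
            return f->result;
        }
        f->buf[f->len++] = (char)data[i];
        if (f->len >= 2 && f->buf[f->len - 2] == '\r' && f->buf[f->len - 1] == '\n') {
            f->decided = true;
            f->result  = line_is_get(f->buf, f->len - 2) ? VERDICT_BLOCK : VERDICT_PERMIT;
            return f->result;
        }
    }
    return VERDICT_NEED_MORE;
}

/* Demo helper: deliver 'request' in pieces of at most 'chunk' bytes, as if TCP
 * had segmented it that way (chunk 0 = one piece), and return the final verdict. */
enum verdict classify_chunked(const char *request, size_t chunk)
{
    struct http_flow f;
    flow_init(&f);
    size_t total = strlen(request);
    enum verdict v = VERDICT_NEED_MORE;
    if (chunk == 0)
        chunk = total ? total : 1;
    for (size_t off = 0; off < total; off += chunk) {
        size_t n = (total - off < chunk) ? total - off : chunk;
        v = flow_feed(&f, (const uint8_t *)request + off, n);
    }
    return v;
}

/* Demo of the cap: a "request line" that never terminates. */
enum verdict demo_overflow(void)
{
    char junk[MAX_REQUEST_LINE + 16];
    memset(junk, 'A', sizeof junk - 1);
    junk[sizeof junk - 1] = '\0';
    return classify_chunked(junk, 100);
}

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    const char *get  = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n";
    const char *post = "POST /submit HTTP/1.1\r\nHost: example.test\r\n\r\n";
    printf("GET split into 3-byte segments: %d (2 = BLOCK)\n", classify_chunked(get, 3));
    printf("POST in one segment:            %d (1 = PERMIT)\n", classify_chunked(post, 0));
    printf("GET with no CRLF yet:           %d (0 = NEED_MORE)\n", classify_chunked("GET /index.html HTTP/1.1", 4));
    printf("endless line:                   %d (3 = OVERFLOW)\n", demo_overflow());
    return 0;
}
```

The decision is made on the request line only, so it holds whether the line arrives in one segment or byte by byte; anything a callout does after NEED_MORE (buffering the segment, asking for more data) must be bounded the same way the buffer here is, since the peer controls when, or whether, the CRLF ever arrives.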