Windows Blocking Network Traffic Capture

  • Need to identify blocked traffic, both outbound and inbound.
  • WFP reports blocks at two granularities: per connection and per packet. Packet drops are frequent and each has to be audited and attributed to a reason; connection-level blocks map far more directly to what operators actually monitor.
  • Packets that would normally be processed can also be dropped for reasons unrelated to policy, so drops must be separated from deliberate blocks. This page focuses on blocks.

Setting Up a Test Project

WFP has a user-mode management API (fwpuclnt.dll, backed by the Base Filtering Engine service) and a kernel-mode API used by callout drivers; anything that touches the kernel side has to be built and tested as a driver, which makes the test setup complex.
Recommended: use a separate physical machine as the test target, compile on the development box, then copy the binaries over and debug the test machine remotely.
With limited resources, local debugging on the same machine is also possible, accepting that a kernel fault takes the development box down with it.

Build Issues:

Other Issues:

Capturing Block Events via Auditing

By default, auditing for WFP is off.

  • Auditing can be enabled per category (Group Policy Object Editor MMC, Local Security Policy MMC, or auditpol.exe).
  • It can also be enabled per subcategory with auditpol.exe.
  • Always address categories and subcategories by GUID: display names are localized, so a script built on them breaks on systems with a different UI language.
  • Audit writes to a circular log of 128 KB, so the resource impact is low.

Categories (https://docs.microsoft.com/en-us/windows/win32/secauthz/auditing-constants):

  Category           GUID
  Object Access      {6997984A-797A-11D9-BED3-505054503030}
  Policy Change      {6997984D-797A-11D9-BED3-505054503030}

Object Access subcategories and their GUIDs (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d):

  Object Access Subcategory           Subcategory GUID                          Inclusion Setting (default)
  Filtering Platform Packet Drop      {0CCE9225-69AE-11D9-BED3-505054503030}    No Auditing
  Filtering Platform Connection       {0CCE9226-69AE-11D9-BED3-505054503030}    No Auditing
  Other Object Access Events          {0CCE9227-69AE-11D9-BED3-505054503030}    No Auditing

Policy Change subcategories and GUIDs:

  Policy Change Subcategory           Subcategory GUID
  Audit Policy Change                 {0CCE922F-69AE-11D9-BED3-505054503030}
  Authentication Policy Change        {0CCE9230-69AE-11D9-BED3-505054503030}
  Authorization Policy Change         {0CCE9231-69AE-11D9-BED3-505054503030}
  MPSSVC Rule-Level Policy Change     {0CCE9232-69AE-11D9-BED3-505054503030}
  Filtering Platform Policy Change    {0CCE9233-69AE-11D9-BED3-505054503030}
  Other Policy Change Events          {0CCE9234-69AE-11D9-BED3-505054503030}

# auditpol reference: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol
# This section focuses on the 'Object Access' category.
# /v shows GUIDs, /r produces a CSV report.
# List categories and subcategories with their GUIDs
auditpol /list /category /v
auditpol /list /subcategory:* /v
# Show which fields the CSV report carries
auditpol /get /category:"Object Access" /r | ConvertFrom-Csv | Get-Member
# Show subcategory GUIDs and current settings for a category
auditpol /get /category:"Object Access" /r | ConvertFrom-Csv | Format-Table Subcategory,'Subcategory GUID','Inclusion Setting'
# Look up the subcategories of several categories at once
auditpol /list /subcategory:"Object Access","Policy Change" /v
# Back up the current policy before changing it
auditpol /backup /file:d:\audit.bak
# Restore it afterwards
auditpol /restore /file:d:\audit.bak
# Modify policy (always by GUID, so the commands work regardless of UI language)
# Policy Change                     | {6997984D-797A-11D9-BED3-505054503030}
auditpol /set /category:"{6997984D-797A-11D9-BED3-505054503030}" /success:disable /failure:disable
# Filtering Platform Policy Change  | {0CCE9233-69AE-11D9-BED3-505054503030}
auditpol /set /subcategory:"{0CCE9233-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

# Object Access                     | {6997984A-797A-11D9-BED3-505054503030}
auditpol /get /category:"{6997984A-797A-11D9-BED3-505054503030}"
auditpol /set /category:"{6997984A-797A-11D9-BED3-505054503030}" /success:disable /failure:disable
# Filtering Platform Packet Drop    | {0CCE9225-69AE-11D9-BED3-505054503030}
auditpol /set /subcategory:"{0CCE9225-69AE-11D9-BED3-505054503030}" /success:disable /failure:enable
# Filtering Platform Connection     | {0CCE9226-69AE-11D9-BED3-505054503030}
auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:disable /failure:enable
# Read the audit log: query the three WFP block IDs instead of pulling the whole Security log
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5155, 5157, 5159 } -MaxEvents 50
foreach ($event in $Events) {
    # The rendered Message is multi-line; its first line is the one-sentence summary
    $Line = ($event.Message -split "`r`n")[0]
    Write-Host $event.RecordId ':' $Line
}

Event Details ((S) = success audit, (F) = failure audit, as marked in the Microsoft reference; 5150 and 5151 carry no marker there):

  Event ID   Explanation
  5031(F)    The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  5150(-)    The Windows Filtering Platform blocked a packet.
  5151(-)    A more restrictive Windows Filtering Platform filter has blocked a packet.
  5152(F)    The Windows Filtering Platform blocked a packet.
  5153(S)    A more restrictive Windows Filtering Platform filter has blocked a packet.
  5154(S)    The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  5155(F)    The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  5156(S)    The Windows Filtering Platform has permitted a connection.
  5157(F)    The Windows Filtering Platform has blocked a connection.
  5158(S)    The Windows Filtering Platform has permitted a bind to a local port.
  5159(F)    The Windows Filtering Platform has blocked a bind to a local port.

Events to Focus On:

  • Audit Filtering Platform Packet Drop (5152, 5153)
    • This subcategory produces a very high failure volume and is mainly useful for troubleshooting. For monitoring blocked traffic, 5157(F) "The Windows Filtering Platform has blocked a connection" is the better choice: it carries nearly the same fields but is written once per connection rather than once per packet.

  • Audit Filtering Platform Connection (5031, 5150, 5151, 5155, 5157, 5159)
    • Monitor only the failure events (blocked listens, binds and connections); track the permitted-connection events (5154, 5156, 5158) only when there is a specific need, since they are high-volume.
    • 5031: if Windows Firewall has no rule (Allow or Deny) for an application, inbound traffic to it is dropped at the WFP layer, because the firewall's default inbound policy is to block.

Obtaining Provider Information

# List security-related providers and their GUIDs
Get-WinEvent -ListProvider "*Security*" | Select-Object ProviderName,Id
# The audit events above come from this provider:
# Microsoft-Windows-Security-Auditing   54849625-5478-4994-a5ba-3e3b0328c30d
# Show the tasks (event categories) a provider defines; the WFP subcategories appear here, e.g.
# SE_ADT_OBJECTACCESS_FIREWALLCONNECTION   12810   Filtering Platform Connection   00000000-0000-0000-0000-000000000000
Get-WinEvent -ListProvider "Microsoft-Windows-Security-Auditing" | Select-Object -ExpandProperty Tasks

Output of the first command on the test machine:

  ProviderName                                                      Id
  Security Account Manager                                          00000000-0000-0000-0000-000000000000
  Security                                                          00000000-0000-0000-0000-000000000000
  SecurityCenter                                                    00000000-0000-0000-0000-000000000000
  Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging           fb829150-cd7d-44c3-af5b-711a3c31cedc
  Microsoft-Windows-Security-Mitigations                            fae10392-f0af-4ac0-b8ff-9f4d920c3cdf
  Microsoft-Windows-VerifyHardwareSecurity                          f3f53c76-b06d-4f15-b412-61164a0d2b73
  Microsoft-Windows-SecurityMitigationsBroker                       ea8cd8a5-78ff-4418-b292-aadc6a7181df
  Microsoft-Windows-Security-Adminless                              ea216962-877b-5b73-f7c5-8aef5375959e
  Microsoft-Windows-Security-Vault                                  e6c92fb8-89d7-4d1f-be46-d56e59804783
  Microsoft-Windows-Security-Netlogon                               e5ba83f6-07d0-46b1-8bc7-7e669a1d31dc
  Microsoft-Windows-Security-SPP                                    e23b33b0-c8c9-472c-a5f9-f2bdfea0f156
  Microsoft-Windows-Windows Firewall With Advanced Security         d1bc9aff-2abf-4d71-9146-ecb2a986eb85
  Microsoft-Windows-Security-SPP-UX-Notifications                   c4efc9bb-2570-4821-8923-1bad317d2d4b
  Microsoft-Windows-Security-SPP-UX-GC                              bbbdd6a3-f35e-449b-a471-4d830c8eda1f
  Microsoft-Windows-Security-Kerberos                               98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1
  Microsoft-Windows-Security-ExchangeActiveSyncProvisioning         9249d0d0-f034-402f-a29b-92fa8853d9f3
  Microsoft-Windows-NetworkSecurity                                 7b702970-90bc-4584-8b20-c0799086ee5a
  Microsoft-Windows-Security-SPP-UX                                 6bdadc96-673e-468c-9f5b-f382f95b2832
  Microsoft-Windows-Security-Auditing                               54849625-5478-4994-a5ba-3e3b0328c30d
  Microsoft-Windows-Security-LessPrivilegedAppContainer             45eec9e5-4a1b-5446-7ad8-a4ab1313c437
  Microsoft-Windows-Security-UserConsentVerifier                    40783728-8921-45d0-b231-919037b4b4fd
  Microsoft-Windows-Security-IdentityListener                       3c6c422b-019b-4f48-b67b-f79a3fa8b4ed
  Microsoft-Windows-Security-EnterpriseData-FileRevocationManager   2cd58181-0bb6-463e-828a-056ff837f966
  Microsoft-Windows-Security-Audit-Configuration-Client             08466062-aed4-4834-8b04-cddb414504e5
  Microsoft-Windows-Security-IdentityStore                          00b7e1df-b469-4c69-9c41-53a6576e3dad

Triggering a Block Event

Warning: creating block filters affects other software on the host!
Everything WFPSampler added can be removed immediately with .\WFPSampler.exe -clean.

Steps:

  1. Enable auditing for Filtering Platform Connection:
    auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

  2. In Event Viewer, create a Custom View that filters the Security log on event IDs 5155, 5157 and 5159. (figure: filter example)

  3. Add a WFP filter with WFPSampler.exe that blocks listening on local port 80:
    .\WFPSampler.exe -s BASIC_ACTION_BLOCK -l FWPM_LAYER_ALE_AUTH_LISTEN_V4 -iplp 80

  4. Start a third-party (non-IIS) HTTP server on port 80, here nginx. Its listen call is blocked and event 5155 is written. (figure: audit event demo)

  5. Clean up the filter:
    .\WFPSampler.exe -clean

  6. Disable auditing (note /subcategory, not /category: the GUID is a subcategory GUID):
    auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:disable /failure:disable

# 5155: an application or service was blocked from listening on a port
.\WFPSampler.exe -s BASIC_ACTION_BLOCK -l FWPM_LAYER_ALE_AUTH_LISTEN_V4
# 5157: a connection was blocked (inbound accept, outbound connect)
.\WFPSampler.exe -s BASIC_ACTION_BLOCK -l FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
.\WFPSampler.exe -s BASIC_ACTION_BLOCK -l FWPM_LAYER_ALE_AUTH_CONNECT_V4
# 5159: binding to a local port was blocked
.\WFPSampler.exe -s BASIC_ACTION_BLOCK -l FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4

# Other: the discard layers, where traffic already rejected at the corresponding ALE layer is classified
.\WFPSampler.exe -s BASIC_ACTION_BLOCK -l FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4_DISCARD
.\WFPSampler.exe -s BASIC_ACTION_BLOCK -l FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4_DISCARD
.\WFPSampler.exe -s BASIC_ACTION_BLOCK -l FWPM_LAYER_ALE_AUTH_CONNECT_V4_DISCARD

# Dump all WFP filters (written to filters.xml in the current directory); the filterId of each
# entry is the Filter Run-Time ID that the audit events report
netsh wfp show filters
# Dump engine state, including the layer IDs (written to wfpstate.xml)
netsh wfp show state
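The procedure above carried through as one script, as an added example that is not part of the original page: it enables the Filtering Platform Connection failure audit, dumps the live WFP filter set with netsh, reads events 5155/5157/5159 from the Security log, takes the fields from the event XML instead of the localized message text, and maps each event's Filter Run-Time ID to the name of the filter that blocked it. It assumes an elevated PowerShell 5.1+ session, that a block filter has already been added with one of the WFPSampler commands above (the script adds none itself), and that the netsh XML uses the item/filterId/displayData/name element names (an assumption; check the generated file if the name lookup stays empty). The %%14592/%%14593 direction codes and the EventData field names are those of the 5155/5157/5159 events.

```powershell
# Added example, not from the original page. Run elevated; the WFPSampler block filter
# must already be in place (see the -s BASIC_ACTION_BLOCK commands above).

# 1. Failure auditing for 'Filtering Platform Connection', addressed by GUID so the
#    command does not depend on the UI language.
auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:disable /failure:enable | Out-Null

# 2. Dump the live filter set. netsh writes XML to the named file; each filter entry is
#    assumed to carry <filterId> (the Filter Run-Time ID the audit event reports) and
#    <displayData><name>.
$dumpPath = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters file="$dumpPath" | Out-Null
[xml]$dump = Get-Content -Path $dumpPath -Raw
$filterNames = @{}
foreach ($item in $dump.SelectNodes('//item[filterId]')) {
    $filterNames[[uint64]$item.filterId] = [string]$item.displayData.name
}

# 3. Read the block events and parse their EventData. The XML field names are stable
#    and language-neutral; the rendered Message is not.
function Get-WfpBlockEvent {
    param([int]$MaxEvents = 50)
    $q = @{ LogName = 'Security'; Id = 5155, 5157, 5159 }
    Get-WinEvent -FilterHashtable $q -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $ev = $_
        $x  = [xml]$ev.ToXml()
        $d  = @{}                                   # PowerShell hashtables are case-insensitive,
        foreach ($n in $x.Event.EventData.Data) {   # so ProcessId and ProcessID both resolve
            $d[$n.Name] = $n.'#text'
        }
        # Direction exists only on 5157 and is a resource reference, not a word.
        $dir = switch ([string]$d['Direction']) {
            '%%14592' { 'Inbound' }
            '%%14593' { 'Outbound' }
            default   { 'n/a' }
        }
        $kind = switch ($ev.Id) {
            5155 { 'listen blocked' }
            5157 { 'connection blocked' }
            5159 { 'bind blocked' }
        }
        $rtid   = [uint64]$d['FilterRTID']
        $remote = if ($d['DestAddress']) { '{0}:{1}' -f $d['DestAddress'], $d['DestPort'] } else { 'n/a' }
        $name   = if ($filterNames.ContainsKey($rtid)) { $filterNames[$rtid] } else { '(not in dump; filter removed since?)' }
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            EventId     = $ev.Id
            Kind        = $kind
            Pid         = [int]$d['ProcessId']
            Application = $d['Application']          # NT device path, e.g. \device\harddiskvolume3\...\nginx.exe
            Direction   = $dir
            Local       = '{0}:{1}' -f $d['SourceAddress'], $d['SourcePort']
            Remote      = $remote
            Protocol    = [int]$d['Protocol']        # IANA number: 6 = TCP, 17 = UDP
            LayerRTID   = [int]$d['LayerRTID']       # numeric layer ID; resolve it in wfpstate.xml
            FilterRTID  = $rtid
            FilterName  = $name
        }
    }
}

# 4. Show the most recent blocks, then switch the audit off again.
Get-WfpBlockEvent -MaxEvents 20 |
    Format-Table Time, EventId, Kind, Pid, Direction, Local, Remote, Protocol, FilterName -AutoSize
auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:disable /failure:disable | Out-Null
```

Parsing the XML rather than splitting Message matters in practice: the Message layout changes with the OS language, while the Data Name attributes do not, and the filter dump taken before the events are read is what makes the Filter Run-Time ID meaningful, since a filter that has since been removed (WFPSampler -clean) can no longer be resolved.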

Monitoring Network Events (NET_EVENT)

  • Net events can be both enumerated and subscribed to.
  • Enumeration (FwpmNetEventEnum0) takes filter criteria and a time window, so historical events can be queried.
  • Subscription (FwpmNetEventSubscribe0) registers a callback that delivers events as they occur.

Supported event types:

typedef enum FWPM_NET_EVENT_TYPE_ {
  FWPM_NET_EVENT_TYPE_IKEEXT_MM_FAILURE = 0,
  FWPM_NET_EVENT_TYPE_IKEEXT_QM_FAILURE,
  FWPM_NET_EVENT_TYPE_IKEEXT_EM_FAILURE,
  FWPM_NET_EVENT_TYPE_CLASSIFY_DROP,
  FWPM_NET_EVENT_TYPE_IPSEC_KERNEL_DROP,
  FWPM_NET_EVENT_TYPE_IPSEC_DOSP_DROP,
  FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW,
  FWPM_NET_EVENT_TYPE_CAPABILITY_DROP,
  FWPM_NET_EVENT_TYPE_CAPABILITY_ALLOW,
  FWPM_NET_EVENT_TYPE_CLASSIFY_DROP_MAC,
  FWPM_NET_EVENT_TYPE_LPM_PACKET_ARRIVAL,
  FWPM_NET_EVENT_TYPE_MAX
} FWPM_NET_EVENT_TYPE;

Enumeration filter fields (FWPM_NET_EVENT_ENUM_TEMPLATE):

  Value                             Meaning
  FWPM_CONDITION_IP_PROTOCOL        The IP protocol number, as specified in RFC 1700.
  FWPM_CONDITION_IP_LOCAL_ADDRESS   The local IP address.
  FWPM_CONDITION_IP_REMOTE_ADDRESS  The remote IP address.
  FWPM_CONDITION_IP_LOCAL_PORT      The local transport protocol port number. For ICMP, the message type.
  FWPM_CONDITION_IP_REMOTE_PORT     The remote transport protocol port number. For ICMP, the message code.
  FWPM_CONDITION_SCOPE_ID           The interface IPv6 scope identifier. Reserved for internal use.
  FWPM_CONDITION_ALE_APP_ID         The full path of the application.
  FWPM_CONDITION_ALE_USER_ID        The identification of the local user.

Outside of a callout driver, only drop events are returned by default, and only while the engine is collecting net events, which it does when the Filtering Platform audit subcategories above are enabled or when FWPM_ENGINE_COLLECT_NET_EVENTS is set with FwpmEngineSetOption0. Allow events (FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW) are reported only when FWPM_ENGINE_NET_EVENT_MATCH_ANY_KEYWORDS includes FWPM_NET_EVENT_KEYWORD_CLASSIFY_ALLOW, and they describe permitted traffic, not the blocks this page is after.

Monitoring Network Connections (NetConnection)

Compared to monitoring network events, monitoring connections (FwpmConnectionEnum0 and FwpmConnectionSubscribe0) requires higher privileges.
(figure: callback approach)

The caller needs FWPM_ACTRL_ENUM access to the connection objects’ containers and FWPM_ACTRL_READ access to the connection objects. See Access Control for more information.

Monitoring network connections has not succeeded yet.

I found a similar issue, Receiving in/out traffic stats using WFP user-mode API, which matches the behavior I observed: none of the subscribing functions receive any notifications, with no events and no errors. Neither enabling auditing nor elevating privileges helped. Some commenters noted that user mode can only receive drop events, which is insufficient for obtaining block events.

Example of adding a security descriptor: https://docs.microsoft.com/en-us/windows/win32/fwp/reserving-ports

Application Layer Enforcement (ALE) Introduction

  • ALE comprises a set of kernel-mode filters that support stateful filtering.
  • Filters at the ALE layer can authorize connection creation, port allocation, socket management, raw socket creation, and promiscuous-mode reception.
  • Classification of ALE-layer filters is based on the connection or socket; filters in other layers can only classify based on individual packets.
  • ALE filter reference: ale-layers

Coding Notes

Most WFP management functions exist in both user mode and kernel mode under the same names and with the same semantics, but their signatures differ: the user-mode versions return a DWORD Win32 error code, the kernel-mode versions an NTSTATUS.
Separate headers are therefore required. User-mode header names end in "u" (fwpmu.h, fwpsu.h) and kernel-mode ones in "k" (fwpmk.h, fwpsk.h); a user-mode program links against fwpuclnt.lib, a kernel driver against fwpkclnt.lib.

Conclusion

The requirement here is only to know that a block happened; real-time handling is unnecessary, and shipping a kernel driver adds risk and maintenance burden. We therefore rely on event auditing and watch the Security log for new records to obtain block events.
A dedicated thread will use NotifyChangeEventLog to wait for new log records and then read the ones with IDs 5155, 5157 and 5159.
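What the conclusion describes, as an added example that is not part of the original page: a watcher that waits for new Security-log records and handles only the three WFP block IDs. It uses System.Diagnostics.Eventing.Reader.EventLogWatcher, the .NET successor to the Win32 NotifyChangeEventLog API named above, so the page's native design is swapped for its PowerShell equivalent: the watcher raises EventRecordWritten on a background thread and Register-ObjectEvent hands it to this session, which is the dedicated-thread pattern in practice. It assumes an elevated PowerShell 5.1+ session with the Filtering Platform Connection failure audit enabled; the field names are those of the 5155/5157/5159 event XML and the 'WfpBlock' source identifier is an arbitrary label chosen here.

```powershell
# Added example, not from the original page. Run elevated with the
# 'Filtering Platform Connection' failure audit enabled (see auditpol above).

# Server-side XPath filter: only the three WFP block IDs are delivered to this process.
$xpath = '*[System[(EventID=5155 or EventID=5157 or EventID=5159)]]'
$query = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery(
    'Security', [System.Diagnostics.Eventing.Reader.PathType]::LogName, $xpath)
$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)

# Direction is only present on 5157 and is stored as a resource reference.
$dirMap = @{ '%%14592' = 'in'; '%%14593' = 'out' }

# EventRecordWritten fires on a .NET worker thread; Register-ObjectEvent queues it and
# runs the -Action block in this session whenever the main loop below yields (Wait-Event).
$null = Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
    -SourceIdentifier 'WfpBlock' -Action {
    $rec = $EventArgs.EventRecord
    if ($null -eq $rec) {                       # delivered with a null record on a read error
        Write-Warning "watcher error: $($EventArgs.EventException)"
        return
    }
    # Fields by name from the event XML; positional indexing is unsafe because the
    # layouts of 5155, 5157 and 5159 differ.
    $x = [xml]$rec.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $dir = $dirMap[[string]$d['Direction']]
    Write-Host ('[{0:HH:mm:ss}] {1} pid={2} dir={3} {4}:{5} -> {6}:{7} proto={8} filterRTID={9} app={10}' -f `
        $rec.TimeCreated, $rec.Id, $d['ProcessId'], $dir,
        $d['SourceAddress'], $d['SourcePort'], $d['DestAddress'], $d['DestPort'],
        $d['Protocol'], $d['FilterRTID'], $d['Application'])
}
$watcher.Enabled = $true

try {
    Write-Host 'Watching the Security log for WFP block events; Ctrl+C to stop.'
    while ($true) { Wait-Event -Timeout 5 | Out-Null }   # idle here so queued actions can run
}
finally {
    $watcher.Enabled = $false
    Unregister-Event -SourceIdentifier 'WfpBlock'
    $watcher.Dispose()
}
```

With the WFPSampler listen block from the previous section in place, starting nginx on port 80 produces one 5155 line within a second of the listen call; the XPath filter keeps the subscription from waking up for the far noisier permitted-connection events if success auditing is ever switched on.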

Appendix

WFP Architecture

(figure: basic architecture of the Windows Filtering Platform)

Data Flow

  1. A packet enters the network stack.
  2. The network stack finds and invokes a shim.
  3. The shim initiates classification at a particular layer.
  4. During classification, filters are matched, and the resulting action is applied. (See Filter Arbitration.)
  5. If any callout filters match, their corresponding callouts are invoked.
  6. The shim enforces the final filtering decision (e.g., drop the packet).