Data offset positions
When the filter engine calls a callout driver's classifyFn callout function, it passes a pointer to a structure in the layerData parameter. For the layers that filter packet data, the pointer references a NET_BUFFER_LIST structure. Depending on the filtering layer at which the classifyFn callout function is called, the filter engine passes a pointer in the layerData* parameter to one of the following structures:
For the stream layer, the layerData parameter contains a pointer to an FWPS_STREAM_CALLOUT_IO_PACKET0 structure. The streamData member of this structure contains a pointer to an FWPS_STREAM_DATA0 structure.
The netBufferListChain member of the FWPS_STREAM_DATA0 structure contains a pointer to a NET_BUFFER_LIST structure.
For all the other layers, the layerData parameter contains a pointer to a NET_BUFFER_LIST structure.
Note
The layerData parameter might be NULL, depending on the layer being filtered and the conditions under which the driver's classifyFn callout function is called.
The NET_BUFFER_LIST structure contains a linked list of NET_BUFFER structures. Within the NET_BUFFER_DATA structure of each NET_BUFFER structure, the DataOffset member points to a specific position in the packet data. The position that the DataOffset member points to depends on the filtering layer at which the filter engine calls the callout driver's classifyFn callout function.
For each filtering layer, the position in the packet data as specified by the DataOffset member is defined as follows:
| Run-time filtering layer identifier (starting with Windows Vista) | Position in the packet data |
|---|---|
|
FWPS_LAYER_INBOUND_IPPACKET_V4 FWPS_LAYER_INBOUND_IPPACKET_V6 |
The beginning of the transport header. |
|
FWPS_LAYER_INBOUND_IPPACKET_V4_DISCARD FWPS_LAYER_INBOUND_IPPACKET_V6_DISCARD |
The offset where the TCP/IP stack stopped processing. |
|
FWPS_LAYER_OUTBOUND_IPPACKET_V4 FWPS_LAYER_OUTBOUND_IPPACKET_V6 |
The beginning of the IP header. |
|
FWPS_LAYER_OUTBOUND_IPPACKET_V4_DISCARD FWPS_LAYER_OUTBOUND_IPPACKET_V6_DISCARD |
The offset where the TCP/IP stack stopped processing. |
|
FWPS_LAYER_IPFORWARD_V4 FWPS_LAYER_IPFORWARD_V6 |
The beginning of the IP header. |
|
FWPS_LAYER_IPFORWARD_V4_DISCARD FWPS_LAYER_IPFORWARD_V6_DISCARD |
The beginning of the IP header. |
|
FWPS_LAYER_INBOUND_TRANSPORT_V4 FWPS_LAYER_INBOUND_TRANSPORT_V6 |
The beginning of the data. Note For inbound packets received on the ICMP socket of the TCP/IP stack, the offset is the beginning of the ICMP header.
|
|
FWPS_LAYER_INBOUND_TRANSPORT_V4_DISCARD FWPS_LAYER_INBOUND_TRANSPORT_V6_DISCARD |
The beginning of the data. Note For inbound packets received on the ICMP socket of the TCP/IP stack, the offset is the beginning of the ICMP header.
|
|
FWPS_LAYER_OUTBOUND_TRANSPORT_V4 FWPS_LAYER_OUTBOUND_TRANSPORT_V6 |
The beginning of the transport header. |
|
FWPS_LAYER_OUTBOUND_TRANSPORT_V4_DISCARD FWPS_LAYER_OUTBOUND_TRANSPORT_V6_DISCARD |
The beginning of the transport header. |
|
FWPS_LAYER_STREAM_V4 FWPS_LAYER_STREAM_V6 |
The beginning of the data. Note The position in the packet data contains no IP, IPv6, and transport headers.
|
|
FWPS_LAYER_STREAM_V4_DISCARD FWPS_LAYER_STREAM_V6_DISCARD |
The beginning of the data. Note The position in the packet data contains no IP, IPv6, or transport headers.
|
|
FWPS_LAYER_DATAGRAM_DATA_V4 FWPS_LAYER_DATAGRAM_DATA_V6 |
For inbound datagrams: The beginning of the data. Note For inbound packets received on the ICMP socket of the TCP/IP stack, the offset is the beginning of the ICMP header.
For outbound datagrams: The beginning of the transport header. |
|
FWPS_LAYER_DATAGRAM_DATA_V4_DISCARD FWPS_LAYER_DATAGRAM_DATA_V6_DISCARD |
For inbound datagrams: The beginning of the data. Note For inbound packets received on the ICMP socket of the TCP/IP stack, the offset is the beginning of the ICMP header.
For outbound datagrams: The beginning of the transport header. |
|
FWPS_LAYER_INBOUND_ICMP_ERROR_V4 FWPS_LAYER_INBOUND_ICMP_ERROR_V6 |
The beginning of the inner IP header. |
|
FWPS_LAYER_INBOUND_ICMP_ERROR_V4_DISCARD FWPS_LAYER_INBOUND_ICMP_ERROR_V6_DISCARD |
The beginning of the inner IP header. |
|
FWPS_LAYER_OUTBOUND_ICMP_ERROR_V4 FWPS_LAYER_OUTBOUND_ICMP_ERROR_V6 |
The beginning of the ICMP header. |
|
FWPS_LAYER_OUTBOUND_ICMP_ERROR_V4_DISCARD FWPS_LAYER_OUTBOUND_ICMP_ERROR_V6_DISCARD |
The beginning of the ICMP header. |
|
FWPS_LAYER_ALE_RESOURCE_ASSIGNMENT_V4 FWPS_LAYER_ALE_RESOURCE_ASSIGNMENT_V6 |
Not applicable. |
|
FWPS_LAYER_ALE_RESOURCE_ASSIGNMENT_V4_DISCARD FWPS_LAYER_ALE_RESOURCE_ASSIGNMENT_V6_DISCARD |
Not applicable. |
|
FWPS_LAYER_ALE_AUTH_LISTEN_V4 FWPS_LAYER_ALE_AUTH_LISTEN_V6 |
Not applicable. |
|
FWPS_LAYER_ALE_AUTH_LISTEN_V4_DISCARD FWPS_LAYER_ALE_AUTH_LISTEN_V6_DISCARD |
Not applicable. |
|
FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V4 FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V6 |
For inbound packet direction: The beginning of the data. Note For inbound packets received on the ICMP socket of the TCP/IP stack, the offset is the beginning of the ICMP header.
For outbound packet direction: The beginning of the transport header. |
|
FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V4_DISCARD FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V6_DISCARD |
For inbound packet direction: The beginning of the data. Note For inbound packets received on the ICMP socket of the TCP/IP stack, the offset is the beginning of the ICMP header.
For outbound packet direction: The beginning of the transport header. |
|
FWPS_LAYER_ALE_AUTH_CONNECT_V4 FWPS_LAYER_ALE_AUTH_CONNECT_V6 |
For non-TCP traffic: The beginning of the transport header. For TCP traffic: Not applicable. |
|
FWPS_LAYER_ALE_AUTH_CONNECT_V4_DISCARD FWPS_LAYER_ALE_AUTH_CONNECT_V6_DISCARD |
For non-TCP traffic: The beginning of the transport header. For TCP traffic: Not applicable. |
|
FWPS_LAYER_ALE_FLOW_ESTABLISHED_V4 FWPS_LAYER_ALE_FLOW_ESTABLISHED_V6 |
For inbound packet direction: The beginning of the data. Note For inbound packets received on the ICMP socket of the TCP/IP stack, the offset is the beginning of the ICMP header.
For outbound packet direction: The beginning of the transport header. |
|
FWPS_LAYER_ALE_FLOW_ESTABLISHED_V4_DISCARD FWPS_LAYER_ALE_FLOW_ESTABLISHED_V6_DISCARD |
For inbound packet direction: The beginning of the data. Note For inbound packets received on the ICMP socket of the TCP/IP stack, the offset is the beginning of the ICMP header.
For outbound packet direction: The beginning of the transport header. |
|
FWPS_LAYER_IPSEC_KM_DEMUX_V4 FWPS_LAYER_IPSEC_KM_DEMUX_V6 |
Not applicable. |
|
FWPS_LAYER_IPSEC_V4 FWPS_LAYER_IPSEC_V6 |
Not applicable. |
|
FWPS_LAYER_IKEEXT_V4 FWPS_LAYER_IKEEXT_V6 |
Not applicable. |
|
FWPS_LAYER_RPC_UM |
Not applicable. |
|
FWPS_LAYER_RPC_EPMAP |
Not applicable. |
|
FWPS_LAYER_RPC_EP_ADD |
Not applicable. |
|
FWPS_LAYER_RPC_PROXY_CONN |
Not applicable. |
|
FWPS_LAYER_RPC_PROXY_IF |
Not applicable. |
| Run-time filtering layer identifier (starting with Windows 7) | Position in the packet data |
|
FWPS_LAYER_NAME_RESOLUTION_CACHE_V4 FWPS_LAYER_NAME_RESOLUTION_CACHE_V6 |
Not applicable. |
|
FWPS_LAYER_ALE_RESOURCE_RELEASE_V4 FWPS_LAYER_ALE_RESOURCE_RELEASE_V6 |
Not applicable. |
|
FWPS_LAYER_ALE_ENDPOINT_CLOSURE_V4 FWPS_LAYER_ALE_ENDPOINT_CLOSURE_V6 |
Not applicable. |
|
FWPS_LAYER_ALE_CONNECT_REDIRECT_V4 FWPS_LAYER_ALE_CONNECT_REDIRECT_V6 |
Not applicable. Note For these filtering layers, the layerData parameter contains a pointer to an FWPS_CONNECT_REQUEST0 structure. This structure does not reference a NET_BUFFER_LIST structure that describes packet data.
|
|
FWPS_LAYER_ALE_BIND_REDIRECT_V4 FWPS_LAYER_ALE_BIND_REDIRECT_V6 |
Not applicable. Note For these filtering layers, the layerData parameter contains a pointer to an FWPS_BIND_REQUEST0 structure. This structure does not reference a NET_BUFFER_LIST structure that describes packet data.
|
|
FWPS_LAYER_STREAM_PACKET_V4 FWPS_LAYER_STREAM_PACKET_V6 |
For inbound packet direction: The beginning of the data. For outbound packet direction: The beginning of the transport header. |
|
FWPS_LAYER_KM_AUTHORIZATION |
Not applicable. |
| Run-time filtering layer identifier (starting with Windows 8) | Position in the packet data |
|
FWPS_LAYER_INBOUND_MAC_FRAME_ETHERNET |
The beginning of the IP header. |
|
FWPS_LAYER_OUTBOUND_MAC_FRAME_ETHERNET |
The beginning of the MAC header. |
|
FWPS_LAYER_INBOUND_MAC_FRAME_NATIVE |
The beginning of the MAC header. |
|
FWPS_LAYER_OUTBOUND_MAC_FRAME_NATIVE |
The beginning of the MAC header. |
|
FWPS_LAYER_INGRESS_VSWITCH_ETHERNET |
The beginning of the ethernet header. |
|
FWPS_LAYER_EGRESS_VSWITCH_ETHERNET |
The beginning of the ethernet header. |
|
FWPS_LAYER_INGRESS_VSWITCH_TRANSPORT_V4 |
The beginning of the IP header. |
|
FWPS_LAYER_INGRESS_VSWITCH_TRANSPORT_V6 |
The beginning of the IP header. |
|
FWPS_LAYER_EGRESS_VSWITCH_TRANSPORT_V4 |
The beginning of the IP header. |
|
FWPS_LAYER_EGRESS_VSWITCH_TRANSPORT_V6 |
The beginning of the IP header. |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for