TCP Packet Flows
This section describes the order in which the layers of the Windows Filtering Platform (WFP) filter engine are traversed during a typical TCP session.
Note
TCP packet flows for IPv6 follow the same pattern as for IPv4.
Note
Non-TCP packet flows follow the same pattern as UDP packet flows.
TCP Connection Establishment
- Server (receiver) performs Passive Open
- bind: FWPM_LAYER_ALE_BIND_REDIRECT_V4 (Windows 7 / Windows Server 2008 R2 only)
- bind: FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4
- listen: FWPM_LAYER_ALE_AUTH_LISTEN_V4
- bind: FWPM_LAYER_ALE_BIND_REDIRECT_V4 (Windows 7 / Windows Server 2008 R2 only)
- bind: FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4
- connect: FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 (Windows 7 / Windows Server 2008 R2 only)
- connect: FWPM_LAYER_ALE_AUTH_CONNECT_V4
- SYN: FWPM_LAYER_OUTBOUND_TRANSPORT_V4
- SYN: FWPM_LAYER_OUTBOUND_IPPACKET_V4
- SYN: FWPM_LAYER_INBOUND_IPPACKET_V4
- SYN: FWPM_LAYER_INBOUND_TRANSPORT_V4
- SYN: FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
- SYN-ACK: FWPM_LAYER_OUTBOUND_TRANSPORT_V4
- SYN-ACK: FWPM_LAYER_OUTBOUND_IPPACKET_V4
- SYN-ACK: FWPM_LAYER_INBOUND_IPPACKET_V4
- SYN-ACK: FWPM_LAYER_INBOUND_TRANSPORT_V4
- FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4
- ACK: FWPM_LAYER_OUTBOUND_TRANSPORT_V4
- ACK: FWPM_LAYER_OUTBOUND_IPPACKET_V4
- ACK: FWPM_LAYER_INBOUND_IPPACKET_V4
- ACK: FWPM_LAYER_INBOUND_TRANSPORT_V4
- FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4
- Listen completes. Server can perform an accept.
Client (sender) performs Active Open
Server
Client
Server
TCP SYN Received with No One Listening on the Port or Protocol
Server (receiver)
- SYN: FWPM_LAYER_INBOUND_IPPACKET_V4
- SYN: FWPM_LAYER_INBOUND_TRANSPORT_V4_DISCARD
- RST: FWPM_LAYER_OUTBOUND_TRANSPORT_V4
- RST: FWPM_LAYER_OUTBOUND_IPPACKET_V4
Note
TCP SYN with no endpoint is indicated at TRANSPORT discard with a specific error condition. Block this packet at TRANSPORT discard to cause the stack not to send the corresponding event (RST). For an example of stealth-mode filtering, see Preventing Port Scanning.
Data Transmitted Over a TCP Connection
- Client (sender)
- send
- data: FWPM_LAYER_STREAM_V4
- TCP segments: FWPM_LAYER_OUTBOUND_TRANSPORT_V4
- IP datagrams: FWPM_LAYER_OUTBOUND_IPPACKET_V4
- IP datagrams: FWPM_LAYER_INBOUND_IPPACKET_V4
- TCP segments: FWPM_LAYER_INBOUND_TRANSPORT_V4
- data: FWPM_LAYER_STREAM_V4
- Data is available to read.
Server (receiver)
Successful Reauthorization of a TCP Packet
Server (receiver)
- IP datagrams: FWPM_LAYER_INBOUND_IPPACKET_V4
- TCP segment: FWPM_LAYER_INBOUND_TRANSPORT_V4
- TCP segment: FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
- data: FWPM_LAYER_STREAM_V4(INBOUND)
Failed Reauthorization of a TCP Packet
Server (receiver)
- IP datagrams: FWPM_LAYER_INBOUND_IPPACKET_V4
- TCP segment: FWPM_LAYER_INBOUND_TRANSPORT_V4
- TCP segment: FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
- TCP segment: FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4_DISCARD
TCP Connection Termination
TCP connection termination is not indicated at any WFP layer.
Related topics
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for