FWPM_NET_EVENT_HEADER3 structure (fwpmtypes.h)

The FWPM_NET_EVENT_HEADER3 structure contains information common to all events. FWPM_NET_EVENT_HEADER0 is available.

Syntax

typedef struct FWPM_NET_EVENT_HEADER3_ {
  FILETIME       timeStamp;
  UINT32         flags;
  FWP_IP_VERSION ipVersion;
  UINT8          ipProtocol;
  union {
    UINT32           localAddrV4;
    FWP_BYTE_ARRAY16 localAddrV6;
  };
  union {
    UINT32           remoteAddrV4;
    FWP_BYTE_ARRAY16 remoteAddrV6;
  };
  UINT16         localPort;
  UINT16         remotePort;
  UINT32         scopeId;
  FWP_BYTE_BLOB  appId;
  SID            *userId;
  FWP_AF         addressFamily;
  SID            *packageSid;
  wchar_t        *enterpriseId;
  UINT64         policyFlags;
  FWP_BYTE_BLOB  effectiveName;
} FWPM_NET_EVENT_HEADER3;

Members

timeStamp

Time that the event occurred.

flags

Flags indicating which of the following members are set. Unused fields must be zero-initialized.

Net event flag Meaning
FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET The ipProtocol member is set.
FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET Either the localAddrV4 member or the localAddrV6 member is set. If this flag is present, FWPM_NET_EVENT_FLAG_IP_VERSION_SET must also be present.
FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET Either the remoteAddrV4 member or the remoteAddrV6 member is set. If this flag is present, FWPM_NET_EVENT_FLAG_IP_VERSION_SET must also be present.
FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET The localPort member is set.
FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET The remotePort member is set.
FWPM_NET_EVENT_FLAG_APP_ID_SET The appId member is set.
FWPM_NET_EVENT_FLAG_USER_ID_SET The userId member is set.
FWPM_NET_EVENT_FLAG_SCOPE_ID_SET The scopeId member is set.
FWPM_NET_EVENT_FLAG_IP_VERSION_SET The ipVersion member is set.
FWPM_NET_EVENT_FLAG_REAUTH_REASON_SET Indicates an existing connection was reauthorized.
FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET The packageSid member is set.

ipVersion

The IP version being used.

ipProtocol

The IP protocol specified as an IPPROTO value. See the socket reference topic for more information on possible protocol values.

localAddrV4

The IPv4 local address.

Available when ipVersion is FWP_IP_VERSION_V4.

localAddrV6

The IPv6 local address.

Available when ipVersion is FWP_IP_VERSION_V6.

remoteAddrV4

The IPv4 remote address.

Available when ipVersion is FWP_IP_VERSION_V4.

remoteAddrV6

The IPv6 remote address.

Available when ipVersion is FWP_IP_VERSION_V6.

localPort

The local port.

remotePort

The remote port.

scopeId

The IPv6 scope ID.

appId

The application ID of the local application associated with the event.

userId

The user ID corresponding to the traffic.

addressFamily

A superset of non-Internet protocols.

Available when ipVersion is FWP_IP_VERSION_NONE.

packageSid

The security identifier (SID) representing the package identifier (also referred to as the app container SID) intending to send or receive the network traffic.

enterpriseId

The enterprise identifier for use with enterprise data protection (EDP).

policyFlags

The policy flags for EDP.

effectiveName

The EDP remote server used for name-based policy.
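
An added example, not part of the original reference page or the Windows SDK: a C formatter for event logging that reads each address and port member only when its flag is set, and rejects a header whose address flags are present without FWPM_NET_EVENT_FLAG_IP_VERSION_SET. The `hdr_t` struct, the `F()` macro, the function names and the numeric flag values are stand-ins so the block builds without the SDK, and host byte order for the IPv4 members is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins (assumption) so this builds without the SDK's <fwpmtypes.h>. */
#define FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET 0x001
#define FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET  0x002
#define FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET 0x004
#define FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET  0x008
#define FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET 0x010
#define FWPM_NET_EVENT_FLAG_IP_VERSION_SET  0x100
#define F(x) FWPM_NET_EVENT_FLAG_##x##_SET
typedef enum { FWP_IP_VERSION_V4, FWP_IP_VERSION_V6, FWP_IP_VERSION_NONE } FWP_IP_VERSION;
typedef struct {        /* hypothetical reduced mirror of FWPM_NET_EVENT_HEADER3 */
    uint32_t flags; FWP_IP_VERSION ipVersion; uint8_t ipProtocol;
    union { uint32_t localAddrV4;  uint8_t localAddrV6[16];  };
    union { uint32_t remoteAddrV4; uint8_t remoteAddrV6[16]; };
    uint16_t localPort, remotePort;
} hdr_t;

/* Append "addr:port"; a NULL pointer means that member's flag is clear. */
static void put_ep(char *o, size_t n, int v4, const void *addr, const uint16_t *port) {
    size_t k = strlen(o);
    const uint8_t *b = addr;
    if (!addr) k += snprintf(o + k, n - k, "-");
    else if (v4) {
        uint32_t a; memcpy(&a, addr, sizeof a);  /* assumption: host byte order */
        k += snprintf(o + k, n - k, "%u.%u.%u.%u", (unsigned)(a >> 24),
                      (unsigned)(a >> 16 & 255), (unsigned)(a >> 8 & 255), (unsigned)(a & 255));
    } else for (int i = 0; i < 16; i += 2)       /* IPv6, printed uncompressed */
        k += snprintf(o + k, n - k, "%s%x", i ? ":" : "", (unsigned)(b[i] << 8 | b[i + 1]));
    if (port) snprintf(o + k, n - k, ":%u", (unsigned)*port); else strcpy(o + k, ":-");
}

/* Returns 0, or -1 when n < 128 or the flags break the rule in the flags table. */
int hdr_format(const hdr_t *h, char *out, size_t n) {
    uint32_t f = h->flags;
    int v4 = h->ipVersion == FWP_IP_VERSION_V4, v6 = h->ipVersion == FWP_IP_VERSION_V6;
    if (n < 128) return -1;
    if ((f & (F(LOCAL_ADDR) | F(REMOTE_ADDR))) && !((f & F(IP_VERSION)) && (v4 || v6)))
        return -1;                      /* address flagged without a usable ipVersion */
    if (f & F(IP_PROTOCOL)) snprintf(out, n, "proto=%u local=", (unsigned)h->ipProtocol);
    else snprintf(out, n, "proto=- local=");
    put_ep(out, n, v4, (f & F(LOCAL_ADDR)) ? &h->localAddrV4 : NULL,
           (f & F(LOCAL_PORT)) ? &h->localPort : NULL);
    strcat(out, " remote=");
    put_ep(out, n, v4, (f & F(REMOTE_ADDR)) ? &h->remoteAddrV4 : NULL,
           (f & F(REMOTE_PORT)) ? &h->remotePort : NULL);
    return 0;
}
```

A member whose flag is clear is printed as `-` rather than as its zero-initialized value, so a log consumer can tell "not reported" apart from address 0.0.0.0 or port 0.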

Requirements

Requirement Value
Minimum supported client Windows 10, version 1607 [desktop apps only]
Minimum supported server Windows Server 2016 [desktop apps only]
Header fwpmtypes.h

See also

FWP_AF

FWP_BYTE_ARRAY16

FWP_BYTE_BLOB

FWP_IP_VERSION