
WFP flow monitoring about the stream layer

yantafeizei Registered member
2023-01-25 12:03

Happy New Year! In the WFP framework, FWPM_LAYER_STREAM_V4 and FWPM_LAYER_DATAGRAM_DATA_V4 can be used to implement traffic monitoring functions.

The FWPM_LAYER_STREAM_V4 layer is about TCP streams and provides control and detection of TCP connections. Therefore, if you want to monitor TCP traffic, you usually bind filters at this layer.

The FWPM_LAYER_DATAGRAM_DATA_V4 layer is about UDP and provides control and detection of UDP datagrams. Therefore, if you want to monitor UDP traffic, you usually bind filters at this layer.

In actual applications, sometimes only the traffic of one protocol needs to be monitored, and the traffic of the other protocol does not. Therefore, if you only need to monitor TCP traffic, binding to the FWPM_LAYER_STREAM_V4 layer is fine; if you only need to monitor UDP traffic, binding to the FWPM_LAYER_DATAGRAM_DATA_V4 layer is fine. If you need to monitor traffic for both protocols, you need to bind filters on both layers.