Edit

Share via

TCP Packet Flows

  • Article
  • 08/23/2019

This section describes the order in which the layers of the Windows Filtering Platform (WFP) filter engine are traversed during a typical TCP session.

Note

TCP packet flows for IPv6 follow the same pattern as for IPv4.

 

Note

Non-TCP packet flows follow the same pattern as UDP packet flows.

 

TCP Connection Establishment

Server (receiver) performs Passive Open
  • bind: FWPM_LAYER_ALE_BIND_REDIRECT_V4 (Windows 7 / Windows Server 2008 R2 only)
  • bind: FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4
  • listen: FWPM_LAYER_ALE_AUTH_LISTEN_V4

Client (sender) performs Active Open

  • bind: FWPM_LAYER_ALE_BIND_REDIRECT_V4 (Windows 7 / Windows Server 2008 R2 only)
  • bind: FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4
  • connect: FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 (Windows 7 / Windows Server 2008 R2 only)
  • connect: FWPM_LAYER_ALE_AUTH_CONNECT_V4
  • SYN: FWPM_LAYER_OUTBOUND_TRANSPORT_V4
  • SYN: FWPM_LAYER_OUTBOUND_IPPACKET_V4

Server

  • SYN: FWPM_LAYER_INBOUND_IPPACKET_V4
  • SYN: FWPM_LAYER_INBOUND_TRANSPORT_V4
  • SYN: FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
  • SYN-ACK: FWPM_LAYER_OUTBOUND_TRANSPORT_V4
  • SYN-ACK: FWPM_LAYER_OUTBOUND_IPPACKET_V4

Client

  • SYN-ACK: FWPM_LAYER_INBOUND_IPPACKET_V4
  • SYN-ACK: FWPM_LAYER_INBOUND_TRANSPORT_V4
  • FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4
  • ACK: FWPM_LAYER_OUTBOUND_TRANSPORT_V4
  • ACK: FWPM_LAYER_OUTBOUND_IPPACKET_V4

Server

  • ACK: FWPM_LAYER_INBOUND_IPPACKET_V4
  • ACK: FWPM_LAYER_INBOUND_TRANSPORT_V4
  • FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4
  • Listen completes. Server can perform an accept.

TCP SYN Received with No One Listening on the Port or Protocol

Server (receiver)

  • SYN: FWPM_LAYER_INBOUND_IPPACKET_V4
  • SYN: FWPM_LAYER_INBOUND_TRANSPORT_V4_DISCARD
  • RST: FWPM_LAYER_OUTBOUND_TRANSPORT_V4
  • RST: FWPM_LAYER_OUTBOUND_IPPACKET_V4

Note

TCP SYN with no endpoint is indicated at TRANSPORT discard with a specific error condition. Block this packet at TRANSPORT discard to cause the stack not to send the corresponding event (RST). For an example of stealth-mode filtering, see Preventing Port Scanning.

 

Data Transmitted Over a TCP Connection

Client (sender)
  • send
  • data: FWPM_LAYER_STREAM_V4
  • TCP segments: FWPM_LAYER_OUTBOUND_TRANSPORT_V4
  • IP datagrams: FWPM_LAYER_OUTBOUND_IPPACKET_V4

Server (receiver)

  • IP datagrams: FWPM_LAYER_INBOUND_IPPACKET_V4
  • TCP segments: FWPM_LAYER_INBOUND_TRANSPORT_V4
  • data: FWPM_LAYER_STREAM_V4
  • Data is available to read.

Successful Reauthorization of a TCP Packet

Server (receiver)

  • IP datagrams: FWPM_LAYER_INBOUND_IPPACKET_V4
  • TCP segment: FWPM_LAYER_INBOUND_TRANSPORT_V4
  • TCP segment: FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
  • data: FWPM_LAYER_STREAM_V4(INBOUND)

Failed Reauthorization of a TCP Packet

Server (receiver)

  • IP datagrams: FWPM_LAYER_INBOUND_IPPACKET_V4
  • TCP segment: FWPM_LAYER_INBOUND_TRANSPORT_V4
  • TCP segment: FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
  • TCP segment: FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4_DISCARD

TCP Connection Termination

TCP connection termination is not indicated at any WFP layer.

ALE Reauthorization

Filtering Layer Identifiers