WFP NDF Helper Class [Filtering]
The Windows Filtering Platform (WFP) includes a Network Diagnostics Framework (NDF) helper class to aid in identifying the root causes of connectivity issues that are caused by WFP. The Filtering Platform helper class (FPHC) will also attempt to resolve the most common connectivity issues.
FPHC maintains failure events, like paket drops and IPSec negotiation failures, in event logs. Once NDF is invoked to diagnose a network issue, helper classes are contacted to investigate various potential issues. If a higher level helper class determines that a network failure may be caused by WFP, it generates a hypothesis for FPHC based on available information. NDF passes this hypothesis, in the form of several attributes to FPHC. These attributes are used to create an enum handle used to query the WFP event logs for events that match the attributes.
The most recent event to match the attributes is selected as being relevant to the network issue. If no matching events are found and the time the event happened is covered in the WFP log, FPHC indicates to NDF that it is healthy. If no matching events are found and the WFP logs do not include the time the event occurred, FPHC returns an indeterminate status to NDF.
The following table lists the event attributes.
Attribute | Data type | Description |
---|---|---|
Provider GUID | GUID | Filter provider |
Timestamp | FILETIME | Time of the event. |
ipProtocol | UINT8 | TL protocol |
LocalAddr | UINT32 or FWP_BYTE_ARRAY16 | Local IP port |
RemoteAddr | UINT32 or FWP_BYTE_ARRAY16 | Remote IP port |
userId | SID | User security identifier |
appId | FWP_BYTE_BLOB | Path of the application |
WFP primarilly serves as a platform which is mainly configured by other components, such as 3rd party firewalls. Because of this, WFP may be flagged as the source of a network connectivity problem when in actuality, the problem is being caused by a component implementing WFP. FPHC will point to these components when it detects that they may be the source of the problem. FPHC passes the same attributes it received from NDF to WFPClients, which controls the hierarchy of external component helper classes.
WFP uses the Provider GUID to identify the provider of the filter, and passes the parameters back to NDF, along with provider ID. NDF locates the helper class of an external component by matching an attribute set pair of "providerID = GUID" among the registered helper classes. Note that the GUID registered by external helper classes should be the same as the WFP provider GUID.
The interface between the helper classes is defined by the following attributes being passed from WFPClients to the external HCs.
Attribute | Data type | Description |
---|---|---|
Timestamp | FILETIME | Time of the event. |
ipProtocol | UINT8 | TL protocol |
LocalAddr | UINT32 or FWP_BYTE_ARRAY16 | Local IP port |
RemoteAddr | UINT32 or FWP_BYTE_ARRAY16 | Remote IP port |
userId | SID | User security identifier |
appId | FWP_BYTE_BLOB | Path of the application |
Network Diagnostics Framework
WFP NDF Helper Class Functions