Writing firewall using TDI Filters, but no one sends TDI_LISTEN

I'm writing a firewall using TDI Filter drivers for windows XP.
I've currently filter TDI_CONNECT requests correctly. Now I want to be able to control what application tries to listen on a port. The problem is no one sends TDI_LISTEN request irp to me, and applications successfully start listening. I'm logging all minor functions sent to me, and I'm sure TDI_LISTEN is never received by me.
I've read somewhere that no MS driver use TDI_LISTEN function. If this is so, how can I filter listen requests, and if not, what's wrong in my filter?
Who is Participating?

It appears that applications are not using TDI_LISTEN to listen for incoming connections.
Instead of that try to wait for TDI_SET_EVENT_HANDLER request. In this minor function there is an event, named TDI_EVENT_CONNECT. You can use this one to find out if an application is trying to listen.
you can find more information here: http://msdn.microsoft.com/en-us/library/ff565576(VS.85).aspx

And as you mentioned that you are currently monitoring the TDI_CONNECT, I assume that you know how to get the source port. :D

Good Luck
ShayanOHAuthor Commented:
Thanks, that solved it! Why the hell TDI_LISTEN is there if no-one is using it???
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.