on LAYER_FLOW, could block the ESTABLISHED event a period?

[lysShub]

I need to proxy a process's all network packets (no fixed port):

1. open LAYER_FLOW type divert with pid, waiting for ESTABLISHED event.
2. then, open new LAYER_NETWORK type divert, with TCP/UDP port, on a new thread.

It's has a problem：before open LAYER_NETWORK divert, the process may have sent several packets.

If LAYER_FLOW type Recv have a callback-fn para, the callback-fn will execute before ESTABLISHED event complete. everything will be all greater!

[basil00]

This is already possible with WinDivert:

1. Open a FLOW handle to sniff all ESTABLISHED events.
2. Open a NETWORK handle to divert all TCP SYN packets.
3. The application only re-injects (or rejects) the SYN once BOTH the ESTABLISHED event and SYN have been received.

Note there is no guarantee that the ESTABLISHED event will be received before the SYN, so the application should handle both orderings. So if the SYN arrives first, it must be saved (or "pended") while the application waits for the corresponding ESTABLISHED. Tallow uses this trick, but with the SOCKET layer instead of FLOW.

This trick also works for non-TCP protocols like UDP, but is less efficient, as it requires diverting all packets rather than specifically SYNs.

[lysShub]

thx, i got it