Why does Windows Filtering Platform apply ALE reauthorization for EVERY single incoming multicast UDP packet from same source?
I am using iperf network testing tool and observe the following: if, on box A (Windows Server 2019), I have a single sender that posts to some multicast address/port, and 5 multicast receivers, joining same multicast group, on box B (also Windows Server 2019), there will be packet loss at certain packet rate, which does NOT happen in case of single receiver, so it is NOT sender or wire level loss
Exploring with xperf (stackwalk with DPC details) shows that there is some relevant activity in ntoskrnl.exy, but in netio.sys, it points to tcpip.sys!WfpAleReauthorizeConnection , which is called from tcpip.sys!TlShimOptionalReauthorizeConnection. The part "optional" feels like it's not something that HAS TO happen. Is there a way to control it and make it to not take that option?
Looking at the WFP performance counters, I see that counter "Reason:NewInboundMCastBCastPacket" (WFP Reauthorization counter group) value is exactly equal to the number of UDP datagram processed (input stream packet rate multiplied by 5, because 5 receivers). That tells me Reauthorization is indeed applied to every single packet. There has to be a way to control this. The issue is not limited to testing tool - we have an actual application, which is also "5 copies of multicast receivers" that is running into same exact issue.
Windows Defender Firewall is off, so, it is not something that it is doing. Switching network profile from "public" to "private". Adding a filter to explicitly permit all UDP traffic at FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 layer did not change anything - I am guessing I need to somehow adjust filtering engine to not even try to apply filtering, but WFP documentation is extremely vague , and there is NO mentioning of NewInboundMCastBCastPacket as a possible cause of WFP ALE reauthorization
Tried the following: Completely uninstalled Symantec Endpoint Protection Tried to add FWP_ACTION_PERMIT at FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 layer to allow ALL inbound UDP traffic (but I think I need a way to force FWP engine to not even apply the checking) Switched network profile from "Public" to "Private"
Turns out there is a way to exempt multicast traffic from inspection by UDP port:
You can create a
REG_MULTI_SZtype registry key namedUdpExemptPortRangeto configure the port ranges that are exempted from the base filtering engine. To do this, create the registry key in the following path:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Tcpip\ParametersFor example, you can configure the following value in the registry key:
34001000-10302000-2050The smallest port number to use is
1and the highest is65535.Notes
- Each exempted port range should be in a new line.
- You must restart the computer after you changed the registry key.
- Multicast works on WSL1, but not WSL2
- How to distinguish the incoming packets group when joining multiple multicast feeds in UdpSocket
- How can I enable IGMP Snooping in OpenWRT?
- Do I need a PORT when joining a multicast group or just the IP?
- Wireshark: Filter by Multicast in GUI
- Send data to all sockets at exact time
- Confused about Linux multicast
- How can I translate this TCP/IP MULTICAST code from Python to Go
- Why does Windows Filtering Platform apply ALE reauthorization for EVERY single incoming multicast UDP packet from same source?
- Question to multicast concept with BSD Socket APIs
- Multiple Netty clients listening on the same multicast group
- Why UDP socket subscribed to a multicast group is picking up a non-multicast message?
- Understand the received packet length from a multicast group address
- C++ Multicasting while connected through Mobile Hotspot device
- IP Multicast + UDP: Should I receive data for all groups?
- No IGMP report packets on multicast stream
- Python socket transmitting on correct interface but with wrong source address
- How to set IP_MULTICAST_LOOP on multicast UDPConn in Golang
- Multicast-Message within VLAN using IPv6 has no 802.1Q-field (VLAN) within Ethernet frame
- Mdns packets not received by avahi
- How to avoid multicast timeout due to IGMP snooping
- OpenSUSE multicast not working?
- vsomeip - how to discover service in QEMU-QNX guest from Ubuntu host?
- How can chrome.socket be used for broadcasting or multicasting?
- What is the difference between "receive" and "deliver" in a distributed multicast?
- how to list rooms on socket.io nodejs server
- When subscribing to a multicast group, what is the best way to filter traffic from other hosts in the group?
- Swift multicast multiple connection to the same port
- Multicast doesn't work on Linux in golang
- Boost Asio async_send_to multicast with use_future does not work