Description
@basil00 Hi Basil,
I hope you are doing well.
I am using WinDivert (latest version) in a C# project via P/Invoke to capture and filter inbound TCP traffic on port 2346.
However, I am facing a critical problem: the WinDivertRecv function is returning completely invalid packet lengths (readLen), typically around 3.5 GB or larger, even though the capture buffer (pkt) is correctly sized at 65535 bytes.
I have already verified the following:
My C# application is explicitly compiled as x64.
I am using the correct WinDivert64.dll from the amd64 folder of the official distribution.
The application is running with administrator privileges.
The WINDIVERT_ADDRESS structure is correctly defined for 64-bit in C#.
The issue occurs even with valid packets, preventing analysis and logging of malicious traffic.
LSO is disabled on Ethernet.
The exact behavior is:
WinDivertRecv returns true.
But readLen contains a huge corrupted value (e.g., 3501566773).
This triggers early packet discarding before parsing or logging.
As a result, we are unable to reliably detect or log attacks.
I am attaching some logs that illustrate this issue.
Could you please help us identify the possible cause?
We are considering whether this could be related to driver issues, a subtle incompatibility in the P/Invoke call, or perhaps something system-specific with the Windows network stack.
Any advice or workaround to reliably capture traffic in C# would be greatly appreciated.
Thank you very much in advance, and congratulations on the excellent work with WinDivert.
Best regards,
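For reference, below is a minimal C# P/Invoke declaration for the calls involved, with a startup size check on WINDIVERT_ADDRESS and a sanity check on the returned length. It is an added example, not code from this issue or from the WinDivert project; it follows the windivert.h 2.x prototypes as I know them, and the DLL name, filter string and buffer size are assumptions to adjust to your setup.

```csharp
using System;
using System.Runtime.InteropServices;

static class WinDivertCapture
{
    const string Dll = "WinDivert.dll";   // assumption: use the DLL name you actually ship
    const uint LayerNetwork = 0;           // WINDIVERT_LAYER_NETWORK
    const ulong FlagSniff = 0x0001;        // WINDIVERT_FLAG_SNIFF: copy packets, do not divert them
    const ulong FlagRecvOnly = 0x0004;     // WINDIVERT_FLAG_RECV_ONLY
    const int MtuMax = 40 + 0xFFFF;        // WINDIVERT_MTU_MAX (2.x)
    // WINDIVERT_ADDRESS: INT64 Timestamp, UINT32 bitfields, UINT32 Reserved2, 64-byte union = 80 bytes.
    [StructLayout(LayoutKind.Sequential, Size = 80)]
    struct WinDivertAddress
    {
        public long Timestamp;
        public uint Bits;        // Layer:8, Event:8, Sniffed:1, Outbound:1, Loopback:1, Impostor:1, IPv6:1, ...
        public uint Reserved2;   // the 64-byte Network/Flow/Socket/Reflect union is covered by Size = 80
    }
    [DllImport(Dll, CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Ansi, SetLastError = true)]
    static extern IntPtr WinDivertOpen(string filter, uint layer, short priority, ulong flags);
    // BOOL WinDivertRecv(HANDLE, PVOID pPacket, UINT packetLen, UINT *pRecvLen, WINDIVERT_ADDRESS *pAddr)
    // pRecvLen is a 32-bit UINT: marshal it as `out uint`, not as ulong, long or IntPtr.
    [DllImport(Dll, CallingConvention = CallingConvention.Cdecl, SetLastError = true)]
    static extern bool WinDivertRecv(IntPtr handle, byte[] pPacket, uint packetLen,
                                     out uint pRecvLen, out WinDivertAddress pAddr);
    [DllImport(Dll, CallingConvention = CallingConvention.Cdecl, SetLastError = true)]
    static extern bool WinDivertClose(IntPtr handle);

    static void Main()
    {
        // Startup check: a wrong managed struct size misreads everything the driver writes after it.
        if (Marshal.SizeOf<WinDivertAddress>() != 80)
            throw new InvalidOperationException("WINDIVERT_ADDRESS must be 80 bytes");

        IntPtr h = WinDivertOpen("inbound and tcp.DstPort == 2346", LayerNetwork, 0, FlagSniff | FlagRecvOnly);
        if (h == IntPtr.Zero || h == new IntPtr(-1))   // INVALID_HANDLE_VALUE on failure
            throw new InvalidOperationException("WinDivertOpen failed: " + Marshal.GetLastWin32Error());

        var pkt = new byte[MtuMax];
        for (int i = 0; i < 5; i++)
        {
            if (!WinDivertRecv(h, pkt, (uint)pkt.Length, out uint recvLen, out WinDivertAddress addr))
            { Console.WriteLine("WinDivertRecv failed: " + Marshal.GetLastWin32Error()); continue; }
            // A correctly marshalled length can never exceed the buffer handed to the driver.
            if (recvLen > pkt.Length) throw new InvalidOperationException("corrupt recvLen " + recvLen);
            Console.WriteLine($"captured {recvLen} bytes, timestamp {addr.Timestamp}");
        }
        WinDivertClose(h);
    }
}
```

If the length check still fires with these declarations, marshalling is unlikely to be the cause; if it stops firing, compare the original pRecvLen and WINDIVERT_ADDRESS declarations against the ones above.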