Cause
A Windows Filtering Platform (WFP) block filter configured inside the Windows system can cause network failures.
Symptom
The instance cannot ping external addresses, the gateway, or 127.0.0.1.
C:\Users\Administrator\Desktop>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
General failure.
General failure.
General failure.
General failure.
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Solution
The following uses the failure to ping an external address as an example.
- Collect diagnostic data
  From an elevated command prompt, run netsh wfp show netevents to collect the data into netevents.xml, then run netsh wfp show filters to collect the data into filters.xml. Both files are written to the current directory.
- Analyze the NetEvents log
  In netevents.xml, look for the events related to the ping operation. Focus on the following fields:
  - timestamp: the time at which the event occurred.
  - localAddrV4: the local IP address.
  - actionType: whether the action is a DROP (in the XML this appears as <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>).
  - filterId: the ID of the filter rule that matched.
  - ipProtocol: the protocol number; 1 is ICMP.
  The following is an example of an event in netevents.xml related to the ping operation. Its remoteAddrV4 is 8.8.8.8 and its event type is FWPM_NET_EVENT_TYPE_CLASSIFY_DROP, which shows that the outbound traffic was dropped. Note that for ICMP, WFP reports the ICMP type in localPort (8 is Echo Request) and the ICMP code in remotePort:
  <netEvents numItems="3">
    <item>
      <header>
        <timeStamp>2025-09-15T09:06:35.432Z</timeStamp>
        <flags numItems="5">
          <item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
          <item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
          <item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
          <item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
          <item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
        </flags>
        <ipVersion>FWP_IP_VERSION_V4</ipVersion>
        <ipProtocol>1</ipProtocol>
        <localAddrV4>172.20.89.209</localAddrV4>
        <remoteAddrV4>8.8.8.8</remoteAddrV4>
        <localPort>8</localPort>
        <remotePort>0</remotePort>
        <scopeId>0</scopeId>
        <appId/>
        <userId/>
        <addressFamily>FWP_AF_INET</addressFamily>
        <packageSid/>
        <enterpriseId/>
        <policyFlags>0</policyFlags>
        <effectiveName/>
      </header>
      <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
      <classifyDrop>
        <filterId>67346</filterId>
        <layerId>16</layerId>
        <reauthReason>0</reauthReason>
        <originalProfile>0</originalProfile>
        <currentProfile>0</currentProfile>
        <msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
        <isLoopback>false</isLoopback>
      </classifyDrop>
    </item>
  </netEvents>
- Locate the source of the filter
  Search filters.xml for filterId 67346 to find the corresponding filter definition. The full definition of the matched filter is shown below. It is a blocking filter (FWP_ACTION_BLOCK) in the FWPM_LAYER_OUTBOUND_TRANSPORT_V4 layer whose only condition is local port greater than or equal to 0, so it matches every outbound IPv4 transport-layer packet, including the ICMP echo requests sent by ping:
  <item>
    <filterKey>{66567a32-a7a4-4029-b7db-dbf0e7fcee71}</filterKey>
    <displayData>
      <name>block-outbound-v4-port</name>
      <description>rule injected by scarlet</description>
    </displayData>
    <flags/>
    <providerKey>{c87bd7f1-28fc-4fc9-b2a9-a1ef377258cd}</providerKey>
    <providerData/>
    <layerKey>FWPM_LAYER_OUTBOUND_TRANSPORT_V4</layerKey>
    <subLayerKey>FWPM_SUBLAYER_UNIVERSAL</subLayerKey>
    <weight>
      <type>FWP_UINT64</type>
      <uint64>0</uint64>
    </weight>
    <filterCondition numItems="1">
      <item>
        <fieldKey>FWPM_CONDITION_IP_LOCAL_PORT</fieldKey>
        <matchType>FWP_MATCH_GREATER_OR_EQUAL</matchType>
        <conditionValue>
          <type>FWP_UINT16</type>
          <uint16>0</uint16>
        </conditionValue>
      </item>
    </filterCondition>
    <action>
      <type>FWP_ACTION_BLOCK</type>
      <filterType/>
    </action>
    <rawContext>0</rawContext>
    <reserved/>
    <filterId>67346</filterId>
    <effectiveWeight>
      <type>FWP_UINT64</type>
      <uint64>0</uint64>
    </effectiveWeight>
  </item>
- Locate the program that provided the filter
  The rule is named block-outbound-v4-port. Use its <providerKey>{c87bd7f1-28fc-4fc9-b2a9-a1ef377258cd}</providerKey> to locate the application that registered it. The provider found is named scarlet and is described as alibaba ecsgo faults injection tool:
  <item>
    <providerKey>{c87bd7f1-28fc-4fc9-b2a9-a1ef377258cd}</providerKey>
    <displayData>
      <name>scarlet</name>
      <description>alibaba ecsgo faults injection tool</description>
    </displayData>
    <flags numItems="1">
      <item>FWPM_PROVIDER_FLAG_PERSISTENT</item>
    </flags>
    <providerData/>
    <serviceName/>
  </item>
  Note: Rules of this kind are also commonly associated with security drivers or protection software. They can be left behind in the following situations:
  - A driver was not completely uninstalled and left WFP rules behind.
  - Third-party security software (such as a firewall or antivirus product) was uninstalled without cleaning up its filters.
  - A service is still running and is applying the rule.
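The three lookups above (DROP event, filterId, providerKey) can be chained in a script so that every dropped event for a target address is reported with the filter and provider responsible. This is an added example and not part of the original article or of any Alibaba Cloud tool; the XML strings are constructed from the values shown above, reduced to the elements the script reads, and the provider lookup assumes provider entries appear in the same dump as the filters.

```python
import xml.etree.ElementTree as ET
# Constructed sample data using the values from this article; real files come from netsh wfp show netevents/filters.
NETEVENTS_XML = """<netEvents numItems="1"><item><header>
<timeStamp>2025-09-15T09:06:35.432Z</timeStamp><ipProtocol>1</ipProtocol>
<localAddrV4>172.20.89.209</localAddrV4><remoteAddrV4>8.8.8.8</remoteAddrV4></header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type><classifyDrop><filterId>67346</filterId>
<layerId>16</layerId><msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection></classifyDrop>
</item></netEvents>"""
FILTERS_XML = """<wfpdiag><providers><item><providerKey>{c87bd7f1-28fc-4fc9-b2a9-a1ef377258cd}</providerKey>
<displayData><name>scarlet</name><description>alibaba ecsgo faults injection tool</description>
</displayData><serviceName/></item></providers><filters><item><displayData>
<name>block-outbound-v4-port</name><description>rule injected by scarlet</description></displayData>
<providerKey>{c87bd7f1-28fc-4fc9-b2a9-a1ef377258cd}</providerKey>
<layerKey>FWPM_LAYER_OUTBOUND_TRANSPORT_V4</layerKey><action><type>FWP_ACTION_BLOCK</type></action>
<filterId>67346</filterId></item></filters></wfpdiag>"""

def drop_events(netevents_xml, remote_addr, ip_protocol="1"):
    """CLASSIFY_DROP events to remote_addr for one IP protocol (1 = ICMP) -> [(timeStamp, filterId, direction)]."""
    hits = []
    for item in ET.fromstring(netevents_xml).iter("item"):  # nested <flags><item> carry no <type> and are skipped
        hdr = item.find("header")
        if item.findtext("type") != "FWPM_NET_EVENT_TYPE_CLASSIFY_DROP" or hdr is None:
            continue
        if hdr.findtext("remoteAddrV4") == remote_addr and hdr.findtext("ipProtocol") == ip_protocol:
            hits.append((hdr.findtext("timeStamp"), item.findtext("classifyDrop/filterId"),
                         item.findtext("classifyDrop/msFwpDirection")))
    return hits

def filter_by_id(filters_xml, filter_id):
    """The filter definition whose <filterId> matches, or None if the id is absent from the dump."""
    for item in ET.fromstring(filters_xml).iter("item"):
        if item.findtext("filterId") == filter_id and item.find("action") is not None:
            return {"name": item.findtext("displayData/name"), "providerKey": item.findtext("providerKey"),
                    "layer": item.findtext("layerKey"), "action": item.findtext("action/type")}
    return None

def provider_by_key(xml_text, provider_key):
    for item in ET.fromstring(xml_text).iter("item"):
        # provider items carry <serviceName/>; filter items also have <providerKey> but no <serviceName>
        if item.findtext("providerKey") == provider_key and item.find("serviceName") is not None:
            return {"name": item.findtext("displayData/name"), "description": item.findtext("displayData/description")}
    return None

def explain_drop(netevents_xml, filters_xml, remote_addr):
    rows = []  # one row per dropped event: event -> filterId -> filter -> provider, the walk the article does by hand
    for ts, fid, direction in drop_events(netevents_xml, remote_addr):
        flt = filter_by_id(filters_xml, fid) or {}
        prov = provider_by_key(filters_xml, flt.get("providerKey")) or {}
        rows.append({"time": ts, "filterId": fid, "direction": direction, "filter": flt.get("name"), "provider": prov.get("name")})
    return rows
```

On a real host, replace the two constants with the contents of netevents.xml and filters.xml and call explain_drop with the address that fails to ping.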
- Verify
  Run ping again. If it returns the following, the external address can be reached normally.
  C:\Users\Administrator\Desktop>ping 8.8.8.8
  Pinging 8.8.8.8 with 32 bytes of data:
  Reply from 8.8.8.8: bytes=32 time=44ms TTL=112
  Reply from 8.8.8.8: bytes=32 time=49ms TTL=112
  Reply from 8.8.8.8: bytes=32 time=46ms TTL=112
  Reply from 8.8.8.8: bytes=32 time=38ms TTL=112
  Ping statistics for 8.8.8.8:
  Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
  Minimum = 38ms, Maximum = 49ms, Average = 44ms