These samples illustrate filtering of network traffic in kernel-space. The samples two types of filters:
A NDIS filter driver is layered between
an NDIS transport driver (such as the Microsoft Tcpip driver) and
the underlying NIC miniport drivers. In this logical position a NDIS
filter driver can monitor and influence the interaction between NDIS
transports and the lower-level NDIS miniports that they are bound
The sample drivers illustrate current Windows NDIS filtering technologies including:
A transport-level filter driver is located
above (or integrated within...) the Windows kernel-mode TCP/IP
transport driver. In this location the transport filter operates on
IP datagrams instead of individual network packets.
One key benefit of filtering at the transport layer is that the filter can observe unfragmented data exchanged between an IP client and server located on the same Windows host. NDIS does not see any packets in this situation.
The Microsoft Windows Filtering Platform (WFP ) is used for transport-level filtering on Vista and later platforms. However, WFP is not available on Windows XP since XP uses the older Transport Data Interface (TDI) as the kernel-mode IP API. Theses samples include a TDI filter for Windows XP and a WFP filter for Vista and later platforms. The filtering capability presented to the monitoring application is very similar across all platforms.
Although the TDI technology used in Windows XP is now deprecated, the TDI driver is built using the most current WDK and is implemented using the Windows Driver Framework (WDF/KMDF).
The collection currently includes the three sample drivers described on this page plus additional samples as they are provided. The sample drivers are intended to be used by developers as a starting point for their own development or simply for educational purposes.
Conceptually the IP Packet Redirector is simple. It provides a
way to insert a user-mode application into the Windows network
“stack” in a way that allows it to examine and modify each IP packet
being sent or received by the Windows host. This sort of driver can
ne described as a "NDIS tap".
Using the IP Packet redirector all IPv4 and ARP filtering is performed in the comfort and safety of a user-mode application. Network packets are represented as simple "flat" byte arrays that include each packet's Ethernet header and payload. Packet I/O is performed using normal Win32 ReadFile and WriteFile APIs.
The primary limitation of the IP Redirector is bandwidth. The process of looping incoming and outgoing packets through user-mode consumes processor resources. What has been found is that the IP Redirector can be very effectively used to filter lower-bandwidth interfaces. For example, on 10Mbps links the process of looping all inbound and all outbound IPv4 and ARP packets through a user-mode application imposes only small additions to processor loads and no noticeable degradation in throughput.
This means that the IP Redirection approach may be appropriate for use in filtering/optimizing on WAN links such as satellite links, 4G and DSL.
Use of the user-mode IP Redirection technique on server platform high-performance interfaces (RSS, Chimney Offload, etc.) would not be appropriate.
An obvious question is: Why would anyone want to impair a network
interface? The primary reason is to test network software
performance under "bad" conditions.
The Impairment Generator is a NDIS filter installed as low as possible in the layer of filters above each Ethernet adapter miniport. In this position the NDIS filter can manipulate packets being sent or received to simulate various impairments. The generator currently supports these impairments:
In addition the generator is capable of editing the IP header TTL (IPv4) or hop limit (IPv6) fields on outgoing packets:
This tool may be useful to some as-is. In addition, it may be a
point of departure for developing custom products.
Use of the impairment generator on server platform high-performance interfaces (RSS, Chimney Offload, etc.) would not be appropriate.
The transport-level sample included in this collection includes both a TDI filter and a WFP filter that allow monitoring of TCP streams and UDP datagrams. They include the ability to monitor IP data when both endpoints are on the same host - as well as when one endpoint is remote.
PCAUSA products are provided with a simple
turn-key license that includes the ability to redistribute your
application and the renamed product runtime components in executable
form with no recurring royalties. You can
view the PCAUSA License here.
Product pricing does vary based on the length of time that technical support and product updates will be provided. The "Basic" editions include 90 days of technical support and updates, while the "Professional" editions include complete source code and one year of support and updates.
|235||Kernel-Mode Filter Driver Collection - Basic Edition (90 Days Support)||US$495.00|
|235||Kernel-Mode Filter Driver Collection - Subscription Edition (One Year Support)||US$695.00|
|237||Kernel-Mode Filter Driver Collection - Subscription Renewal||US$400.00|
PCAUSA offers a 30-day money-back satisfaction guarantee on these products.
Press the button below for Online Ordering and other Purchase Information.