
Kernel-Mode Filter Driver Sample Collection


Overview

These samples illustrate filtering of network traffic in kernel space. The samples cover two types of filters:

NDIS Filter Samples

An NDIS filter driver is layered between an NDIS transport driver (such as the Microsoft Tcpip driver) and the underlying NIC miniport drivers. In this logical position an NDIS filter driver can monitor and influence the interaction between NDIS transports and the lower-level NDIS miniports that they are bound to.

The sample drivers illustrate current Windows NDIS filtering technologies including:

  • NDIS 5 Intermediate (IM) Filter Drivers (Windows XP)
  • NDIS 6 Lightweight Filter (LWF) Drivers (Windows Vista and higher)
  • Common API transparently supporting NDIS 5 and NDIS 6 drivers.
  • Driver builds using current Windows Driver Kits (WDKs).
  • Application builds using current application development tools (Visual Studio 2008)

Transport-Level Filter Driver Samples

A transport-level filter driver is located above (or integrated within...) the Windows kernel-mode TCP/IP transport driver. In this location the transport filter operates on IP datagrams instead of individual network packets.

One key benefit of filtering at the transport layer is that the filter can observe unfragmented data exchanged between an IP client and server located on the same Windows host. NDIS does not see any packets in this situation.

The Microsoft Windows Filtering Platform (WFP) is used for transport-level filtering on Vista and later platforms. However, WFP is not available on Windows XP since XP uses the older Transport Data Interface (TDI) as the kernel-mode IP API. These samples include a TDI filter for Windows XP and a WFP filter for Vista and later platforms. The filtering capability presented to the monitoring application is very similar across all platforms.

Although the TDI technology used in Windows XP is now deprecated, the TDI driver is built using the most current WDK and is implemented using the Windows Driver Framework (WDF/KMDF).


The collection currently includes the three sample drivers described on this page plus additional samples as they are provided. The sample drivers are intended to be used by developers as a starting point for their own development or simply for educational purposes.

Sample 1: IP Packet Redirector Driver (NDIS)

Conceptually the IP Packet Redirector is simple. It provides a way to insert a user-mode application into the Windows network “stack” in a way that allows it to examine and modify each IP packet being sent or received by the Windows host. This sort of driver can be described as an "NDIS tap".

Using the IP Packet Redirector, all IPv4 and ARP filtering is performed in the comfort and safety of a user-mode application. Network packets are represented as simple "flat" byte arrays that include each packet's Ethernet header and payload. Packet I/O is performed using normal Win32 ReadFile and WriteFile APIs.

The primary limitation of the IP Redirector is bandwidth. The process of looping incoming and outgoing packets through user-mode consumes processor resources. What has been found is that the IP Redirector can be very effectively used to filter lower-bandwidth interfaces. For example, on 10Mbps links the process of looping all inbound and all outbound IPv4 and ARP packets through a user-mode application imposes only small additions to processor loads and no noticeable degradation in throughput.

This means that the IP Redirection approach may be appropriate for use in filtering/optimizing on WAN links such as satellite links, 4G and DSL.

Use of the user-mode IP Redirection technique on server platform high-performance interfaces (RSS, Chimney Offload, etc.) would not be appropriate.


Sample 2: NDIS Interface Impairment Generator (NDIS)

An obvious question is: Why would anyone want to impair a network interface? The primary reason is to test network software performance under "bad" conditions.

The Impairment Generator is an NDIS filter installed as low as possible in the layer of filters above each Ethernet adapter miniport. In this position the NDIS filter can manipulate packets being sent or received to simulate various impairments. The generator currently supports these impairments:

  • Random Packet Drop on Send and Receive Paths
  • Send and Receive Packet Delay in 1 millisecond (approximate...) Increments

In addition the generator is capable of editing the IP header TTL (IPv4) or hop limit (IPv6) fields on outgoing packets:

  • Set TTL to Specified Value
  • Decrement TTL by Specified Value
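
The TTL and hop-limit edits listed above, applied to a flat Ethernet frame of the kind Sample 1 hands to user mode, as an added example that is not PCAUSA's code. It shows the step the list leaves implicit: an IPv4 TTL change must also patch the header checksum (done here incrementally per RFC 1624), while IPv6 has no header checksum to fix. The names edit_ttl, ipv4_checksum and sample_frame, the clamp-at-zero decrement policy and the untagged-frame layout are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#define ETH_HLEN 14u /* dst MAC + src MAC + EtherType; untagged frames assumed */
uint8_t sample_frame[34] = { /* constructed: Ethernet + bare IPv4/UDP header, TTL 64 */
    0x02, 0, 0, 0, 0, 0x01,  0x02, 0, 0, 0, 0, 0x02,  0x08, 0x00,
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0xB8, 0xC0,
    0xC0, 0xA8, 0x00, 0x01, 0xC0, 0xA8, 0x00, 0xC7 };

static uint16_t fold(uint32_t sum) {       /* end-around carry */
    while (sum >> 16) sum = (sum & 0xFFFFu) + (sum >> 16);
    return (uint16_t)sum;
}

/* Checksum over the whole header; 0 means the stored checksum is valid. */
uint16_t ipv4_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    return (uint16_t)~fold(sum);
}

/* set != 0: store value; set == 0: subtract it, clamping at 0 (assumed policy).
 * Returns the new TTL/hop limit, or -1 if the buffer is not well-formed IP. */
int edit_ttl(uint8_t *f, size_t len, int set, uint8_t value) {
    if (f == NULL || len < ETH_HLEN) return -1;
    uint16_t type = (uint16_t)((f[12] << 8) | f[13]);
    uint8_t *ip = f + ETH_HLEN;
    size_t iplen = len - ETH_HLEN;
    if (type == 0x86DD) {                  /* IPv6: no header checksum */
        if (iplen < 40 || (ip[0] >> 4) != 6) return -1;
        ip[7] = set ? value : (uint8_t)(ip[7] > value ? ip[7] - value : 0);
        return ip[7];
    }
    if (type != 0x0800 || iplen < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > iplen) return -1;
    uint8_t ttl = set ? value : (uint8_t)(ip[8] > value ? ip[8] - value : 0);
    /* RFC 1624 incremental update: HC' = ~(~HC + ~m + m'), m = TTL|protocol */
    uint32_t sum = (uint16_t)~((ip[10] << 8) | ip[11]);    /* ~HC */
    sum += (uint16_t)~((ip[8] << 8) | ip[9]);              /* ~m  */
    sum += (uint32_t)((ttl << 8) | ip[9]);                 /* m'  */
    uint16_t hc = (uint16_t)~fold(sum);
    ip[8] = ttl; ip[10] = (uint8_t)(hc >> 8); ip[11] = (uint8_t)hc;
    return ttl;
}

int main(void) {   /* decrement the sample's TTL by 1; exit 0 if result is 63 */
    return edit_ttl(sample_frame, sizeof sample_frame, 0, 1) == 63 ? 0 : 1;
}
```

Running ipv4_checksum over the edited header and getting 0 confirms the patched checksum still verifies; a frame shorter than its claimed header is rejected before any byte is written.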

This tool may be useful to some as-is. In addition, it may be a point of departure for developing custom products.

Use of the impairment generator on server platform high-performance interfaces (RSS, Chimney Offload, etc.) would not be appropriate.


Sample 3: Simple Transport-Level IP Port Data Monitor (Transport)

The transport-level sample included in this collection includes both a TDI filter and a WFP filter that allow monitoring of TCP streams and UDP datagrams. They include the ability to monitor IP data when both endpoints are on the same host - as well as when one endpoint is remote.



Licensing Information

PCAUSA products are provided with a simple turn-key license that includes the ability to redistribute your application and the renamed product runtime components in executable form with no recurring royalties. You can view the PCAUSA License here.

Price List and Ordering Information

Product pricing does vary based on the length of time that technical support and product updates will be provided. The "Basic" editions include 90 days of technical support and updates, while the "Professional" editions include complete source code and one year of support and updates.

SKU   Description                                                                        Price
235   Kernel-Mode Filter Driver Collection - Basic Edition (90 Days Support)             US$495.00
235   Kernel-Mode Filter Driver Collection - Subscription Edition (One Year Support)     US$695.00
237   Kernel-Mode Filter Driver Collection - Subscription Renewal                        US$400.00

PCAUSA offers a 30-day money-back satisfaction guarantee on these products.
