WFP vs WinPCAP

  • Question

  • Guys,

    Can you tell me what the pros and cons are between WFP and WinPCAP?

    Thanks

    Sunday, March 27, 2011 5:35 PM

All replies

  • WFP has inspection points throughout the TCP/IP stack.  WFP allows 3rd party code to operate on the traffic and has a rich arbitration model for coexistence of multiple vendors.

    WinPCAP looks like it is NDIS only.  This means that you can see that a packet was received on / sent out an interface, but have no clue if the TCP/IP stack dropped it later on  (due to malformed headers, firewall, etc).

    Hope this helps


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Monday, March 28, 2011 9:00 PM
    Moderator
  • I want to implement a TCP proxy between the transport and internet layers that caches all data packets from the TCP layer for local retransmission in case of packet loss. In fact, I don't know what platform or library in C++ to use that can really help me implement such a program. Is WFP more useful than Winsock or WinPCAP for this kind of program?

    What I am looking for now is how to capture and cache all outgoing TCP data packets that come from the transport layer, and also how to hook all incoming ACK packets.

    I am really wondering what to do, especially as I am a beginner in network programming.

    Thanks in advance for your help!


    Rad
    Sunday, May 22, 2011 8:52 AM
  • The suggested method would be to use WFP. You will need to implement a kernel-mode callout filter driver. You would be best served by FWPM_LAYER_OUTBOUND_TRANSPORT_V{4/6} for your outbound packet caching, and FWPM_LAYER_INBOUND_TRANSPORT_V{4/6} for the inbound ACKs. Essentially you will deep copy the NBLs indicated in the callout classify routines for your cache, then inject (or discard) those as needed.

    http://msdn.microsoft.com/en-us/library/ff571067(v=VS.85).aspx

    Hope this helps


    Dusty Harper [MSFT]
    Microsoft Corporation
    Monday, May 23, 2011 5:19 AM
    Moderator
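The two-layer design described above, as an added example that is not from this thread or the DDK samples: a platform-independent C model of the retransmission cache the callout would maintain, with outbound segment parsing and ACK-driven release, covering partial ACKs and 32-bit sequence-number wraparound. The slot count, segment size and the make_tcp helper are assumptions used only to build constructed test input; a real driver would take the bytes from the cloned NBL at the layers named above.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical, platform-independent model of the retransmission cache a WFP callout would feed:
 * the outbound classify copies TCP payload from the cloned NBL, inbound ACKs release it.
 * Constructed for illustration; this is not DDK sample code. */
enum { CACHE_SLOTS = 8, MAX_SEG = 64 };   /* assumed sizes */
typedef struct { int used; uint32_t seq, len; uint8_t data[MAX_SEG]; } seg_t;
static seg_t cache[CACHE_SLOTS];           /* seq = first byte's sequence number, len = payload bytes */
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Test-input helper: minimal 20-byte TCP header (no options) followed by payload; returns total length. */
size_t make_tcp(uint8_t *out, uint32_t seq, uint32_t ack, uint8_t flags, const uint8_t *pl, size_t n) {
    memset(out, 0, 20);
    for (int i = 0; i < 4; i++) { out[4 + i] = (uint8_t)(seq >> (24 - 8 * i)); out[8 + i] = (uint8_t)(ack >> (24 - 8 * i)); }
    out[12] = 5 << 4;                                  /* data offset = 5 words */
    out[13] = flags;
    if (n) memcpy(out + 20, pl, n);
    return 20 + n;
}
/* Outbound path (the callout's job at FWPM_LAYER_OUTBOUND_TRANSPORT_V4): deep-copy payload and seq
 * into a free slot. Returns 0 when cached or nothing to cache, -1 on a bad header or a full cache. */
int cache_outbound(const uint8_t *tcp, size_t tcp_len) {
    if (tcp_len < 20) return -1;
    size_t hdr = (size_t)(tcp[12] >> 4) * 4;
    if (hdr < 20 || hdr > tcp_len) return -1;
    size_t payload = tcp_len - hdr;
    if (payload == 0) return 0;                        /* pure ACK/control segment: nothing to retransmit */
    if (payload > MAX_SEG) return -1;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (cache[i].used) continue;
        cache[i].used = 1; cache[i].seq = be32(tcp + 4); cache[i].len = (uint32_t)payload;
        memcpy(cache[i].data, tcp + hdr, payload);
        return 0;
    }
    return -1;
}

/* Inbound path (FWPM_LAYER_INBOUND_TRANSPORT_V4): on an ACK, free every cached segment fully covered
 * by the ack number. The signed modular compare stays correct across 32-bit sequence wraparound. */
int ack_inbound(const uint8_t *tcp, size_t tcp_len) {
    if (tcp_len < 20 || !(tcp[13] & 0x10)) return 0;  /* 0x10 = ACK flag */
    uint32_t ack = be32(tcp + 8);
    int freed = 0;
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].used && (int32_t)(ack - (cache[i].seq + cache[i].len)) >= 0) { cache[i].used = 0; freed++; }
    return freed;
}
/* Segments still unacknowledged: the candidates for local retransmission after loss. */
int cache_pending(void) { int n = 0; for (int i = 0; i < CACHE_SLOTS; i++) n += cache[i].used; return n; }
```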
  • Do you have a small source code sample that implements a callout driver as a starting point for me, because it seems a bit complicated in the MSDN library!
    Rad
    Monday, May 23, 2011 10:28 AM
  • The samples are provided with the DDK (http://msdn.microsoft.com/en-us/library/ff568374(v=VS.85).aspx).  In particular, you would likely find the following sample most helpful:

    http://msdn.microsoft.com/en-us/library/ff571072(v=VS.85).aspx

    Hope this helps

    Dusty Harper [MSFT]
    Microsoft Corporation
    Monday, May 23, 2011 3:16 PM
    Moderator