Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

WFP performance vs NDIS

john-7john-7 Member Posts: 13


I came across the following link which shows WFP to be significantly slower as compared to WinPCAP or NDIS.
I wanted to know if this observation is true in general or this seems to be an odd case.



  • Igor_SharovarIgor_Sharovar Member Posts: 618

    Yes, it is true because WinPCAP works as a NDIS driver. It means that WinPCAP gets network packets faster. It happened because NDIS provides Layer 2 packets( for example Ethernet) but WFP works on Layer 4(transport layer, TCP/IP) and gets network packets later after some processing.
    A simple flow of network data is
    network->miniport NDIS driver -> NDIS intermedia or protocol driver(WinPCAP works here)->Windows network kernel part->Any WFP installed drivers

    Igor Sharovar

  • john-7john-7 Member Posts: 13

    Thanks. The source code analysis for this blog suggested that the sample driver being used for benchmarking had only one consumer thread to process the blocked packets. So the sample blocks all incoming packets and puts in a queue. A single thread takes it out from the queue one by one. This is the reason why it is slow.

  • Igor_SharovarIgor_Sharovar Member Posts: 618

    Yes, it makes sence. In real, moder enviroment(multicore) the difference would be less visible.
    Igor Sharovar

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 20 Apr 2020 OSR Seminar Space & ONLINE
Writing WDF Drivers 11 May 2020 OSR Seminar Space & ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA