WFP performance vs NDIS

Hello,

I came across the following link, which shows WFP to be significantly slower compared to WinPCAP or NDIS.
https://blog.nektra.com/main/2016/01/12/benchmarking-windows-packet-capture-methods/
I wanted to know if this observation is true in general or if this seems to be an odd case.

Thanks.

Yes, it is true because WinPCAP works as an NDIS driver. It means that WinPCAP gets network packets faster. This happens because NDIS provides Layer 2 packets (for example, Ethernet), but WFP works on Layer 4 (transport layer, TCP/IP) and gets network packets later, after some processing.
A simple flow of network data is:
network -> miniport NDIS driver -> NDIS intermediate or protocol driver (WinPCAP works here) -> Windows network kernel part -> any WFP installed drivers

Igor Sharovar

Thanks. The source code analysis for this blog suggested that the sample driver being used for benchmarking had only one consumer thread to process the blocked packets. So the sample blocks all incoming packets and puts them in a queue. A single thread takes them out of the queue one by one. This is the reason why it is slow.

Yes, it makes sense. In a real, modern environment (multicore) the difference would be less visible.
Igor Sharovar