Need packet filtering SDK for Windows

Hi,

I’m looking for a Windows packet filter SDK with which I can write code to filter packets based on my own custom rules.
I’ve found WinPkFilter, MicroOLAP, Snort.
WinPkFilter seems to be good and suffices for my requirements.

I want to know whether there are any other popular Packet Filter SDKs
available.
It should be compatible with VC++.

Any help will be greatly appreciated.
Thanks.

I guess the question is at what level do you plan to inspect packets? If
you are filtering based on basic port / executable rules (much like Windows
Firewall) there is an SDK for that called Windows Filtering Platform (
http://msdn.microsoft.com/en-us/library/aa366510(VS.85).aspx). If you’re
posting here because you want to make a Filter Driver that exists on the
network controller device stack then perhaps the WDF is appropriate.

–Nate Zaugg

On Mon, Jan 4, 2010 at 6:57 AM, wrote:

> Hi,
>
> I’m looking for a Windows packet filter SDK with which I can write code to
> filter packets based on my own custom rules.
> I’ve found WinPkFilter, MicroOLAP, Snort.
> WinPkFilter seems to be good and suffices for my requirements.
>
> I want to know whether there are any other popular Packet Filter SDKs
> available.
> It should be compatible with VC++.
>
> Any help will be greatly appreciated.
> Thanks.
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Hi Nathan,

Thank you for the quick reply. Windows Filtering Platform is available from Windows Vista onwards and I want to support all Windows OSs starting from Windows 2000.

I want to do the packet filtering in user mode. I don’t want to write a filter driver myself.
I want an SDK that will provide a set of APIs to communicate with an Intermediate NDIS driver of its own and get the work done for me. I should get notifications when a new packet has arrived at the network adapter so that I can read that packet, examine its contents and then decide whether to block it.
I want to be able to read ethernet packets as I’ll then retrieve the IP packet, TCP packet etc. from it and examine it.
The SDK should provide me an API that will let me decide whether or not to let this examined packet be forwarded to the network adapter or should be blocked from going ahead.

This is all being done for an IDS which I’m planning to develop but I want to save time on writing the NDIS level driver.

Here are the links of such SDKs I’ve found:

  1. WinPkFilter
    http://www.ntkernel.com/w&p.php?id=7

  2. MicroOLAP’s Packet Sniffer SDK
    http://www.microolap.com/products/network/pssdk/

I’ve found WinPkFilter to be pretty good for my requirement but I want to know if any of the experienced members here could recommend me anything better than that.
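The decision loop described above (the SDK hands over a raw Ethernet frame, the application pulls out the IP and TCP headers, examines them and decides pass or block), written out as an added example in C. It is not code from this thread or from WinPkFilter, PSSDK or IP Packet Redirector; the delivery mechanism from the vendor driver is left out, and `parse_frame`, `pkt_filter`, the rule layout, and the frames built by `make_tcp_frame` (constructed sample input) are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from this thread or from WinPkFilter, PSSDK or IP Packet
 * Redirector: the user-mode callback the poster describes. We parse Ethernet -> IPv4
 * -> TCP, run a rule table and return a verdict. All names and the rule layout are
 * this example's own assumptions. */

typedef enum { VERDICT_PASS = 0, VERDICT_DROP = 1 } pkt_verdict;
enum { ETH_HLEN = 14, ETHTYPE_IPV4 = 0x0800, PROTO_TCP = 6, TCP_SYN = 0x02, TCP_ACK = 0x10 };
typedef struct {                   /* one rule; a zero field means "any" */
    uint8_t     proto;             /* IP protocol number, 0 = any */
    uint16_t    dst_port;          /* host order, 0 = any */
    uint8_t     tcp_mask, tcp_val; /* if mask != 0: match when (flags & mask) == val */
    pkt_verdict verdict;
} filter_rule;

typedef struct {                   /* fields recovered from the frame */
    uint8_t  proto, tcp_flags; uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port; size_t payload_len;
} pkt_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }
/* 0 = parsed, 1 = not IPv4 (ARP, IPv6: caller decides), -1 = truncated or malformed.
 * Every length field is checked against `len` before it is trusted: a filter that
 * reads past its buffer on a crafted frame is itself the vulnerability. */
int parse_frame(const uint8_t *f, size_t len, pkt_info *out)
{
    if (len < ETH_HLEN) return -1;
    if (rd16(f + 12) != ETHTYPE_IPV4) return 1;
    if (len < ETH_HLEN + 20) return -1;
    const uint8_t *ip = f + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, tot = rd16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20 || tot < ihl || len < ETH_HLEN + tot) return -1;
    memset(out, 0, sizeof *out);
    out->proto = ip[9]; out->src_ip = rd32(ip + 12); out->dst_ip = rd32(ip + 16);
    /* Non-first fragment: no L4 header, ports stay 0 and port rules will not match.
     * A real IDS reassembles first, otherwise fragmenting evades it. */
    if ((rd16(ip + 6) & 0x1fff) != 0) return 0;
    if (out->proto == PROTO_TCP) {
        const uint8_t *tcp = ip + ihl;
        size_t l4len = tot - ihl, doff = l4len < 20 ? 0 : (size_t)(tcp[12] >> 4) * 4;
        if (doff < 20 || doff > l4len) return -1;
        out->src_port = rd16(tcp); out->dst_port = rd16(tcp + 2);
        out->tcp_flags = tcp[13]; out->payload_len = l4len - doff;
    }
    return 0;
}

/* The pass/block decision: first matching rule wins. Non-IPv4 frames pass so ARP
 * keeps working; IPv4 that does not parse is dropped (fail closed). */
pkt_verdict pkt_filter(const uint8_t *f, size_t len, const filter_rule *r, size_t n)
{
    pkt_info pi;
    int rc = parse_frame(f, len, &pi);
    if (rc != 0) return rc > 0 ? VERDICT_PASS : VERDICT_DROP;
    for (size_t i = 0; i < n; i++) {
        if (r[i].proto && r[i].proto != pi.proto) continue;
        if (r[i].dst_port && r[i].dst_port != pi.dst_port) continue;
        if (r[i].tcp_mask && (pi.proto != PROTO_TCP ||
                              (pi.tcp_flags & r[i].tcp_mask) != r[i].tcp_val)) continue;
        return r[i].verdict;
    }
    return VERDICT_PASS;
}
/* Constructed sample input: a minimal Ethernet + IPv4 + TCP frame with no payload. */
size_t make_tcp_frame(uint8_t *buf, uint16_t dst_port, uint8_t flags)
{
    static const uint8_t hdr[ETH_HLEN + 20] = {
        0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x00,      /* dst MAC, src MAC, IPv4 */
        0x45,0,0,40, 0,0,0,0, 64,PROTO_TCP,0,0,   /* ihl 5, total 40, ttl 64, TCP */
        10,0,0,1, 10,0,0,2 };                     /* 10.0.0.1 -> 10.0.0.2 */
    uint8_t *tcp = buf + sizeof hdr;
    memcpy(buf, hdr, sizeof hdr);
    memset(tcp, 0, 20);
    tcp[0] = 0xc0;                                /* src port 49152 */
    tcp[2] = (uint8_t)(dst_port >> 8); tcp[3] = (uint8_t)dst_port;
    tcp[12] = 0x50; tcp[13] = flags;              /* data offset 5, flags */
    return sizeof hdr + 20;
}
static const filter_rule rules[] = {
    { PROTO_TCP, 23,  0, 0, VERDICT_DROP },                      /* no telnet */
    { PROTO_TCP, 445, TCP_SYN | TCP_ACK, TCP_SYN, VERDICT_DROP }, /* no new SMB sessions */
};
/* Build a frame, optionally truncate it, and run it through the rule table. */
pkt_verdict check(uint16_t dst_port, uint8_t flags, size_t truncate_to)
{
    uint8_t buf[64];
    size_t n = make_tcp_frame(buf, dst_port, flags);
    return pkt_filter(buf, truncate_to ? truncate_to : n, rules, sizeof rules / sizeof rules[0]);
}

int main(void)
{
    printf("telnet SYN=%d SMB ACK=%d truncated=%d (1 = DROP)\n",
           check(23, TCP_SYN, 0), check(445, TCP_ACK, 0), check(80, TCP_SYN, 30));
    return 0;
}
```

Two design points matter for an IDS built this way: the parser validates every length it reads (a truncated or lying IHL/total-length field returns -1 and the frame is dropped rather than read past the buffer), and non-first IP fragments carry no TCP header, so port rules silently miss them unless you reassemble first. Whatever SDK delivers the frames, this callback runs once per packet in user mode, which is the per-packet cost discussed in the replies below.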

If you must support Operating Systems that are out of the support cycles
(Win 2000 mostly) and you do not want to be involved in Kernel mode
programming then yes, you need some 3rd party kernel driver to proxy the
requests to User Mode. However, according to the WinPkFilter website there
is a 30-40% performance penalty! The Windows 2000 requirement just seems
odd to me.

For the real-deal packet filters / IDS they put as much logic as possible
in the Kernel (i.e. close to the network stack) and only visit User Land
for exceptional cases. It’s not that user land is slow, it’s that it’s
expensive to safely marshal between kernel and user. Of course the ones I
am most familiar with are Linux-based high-end solutions. I always thought
that the Windows Kernel would make a great platform for appliances like this
but things like this are almost always more popular on Linux.

*So I leave it to someone else…Is there anything better than WinPkFilter
that anyone knows of?*

–Nate

On Mon, Jan 4, 2010 at 10:01 PM, wrote:

> Hi Nathan,
>
> Thank you for the quick reply. Windows Filtering Platform is available
> from Windows Vista onwards and I want to support all Windows OSs starting
> from Windows 2000.
>
> I want to do the packet filtering in user mode. I don’t want to write a
> filter driver myself.
> I want an SDK that will provide a set of APIs to communicate with an
> Intermediate NDIS driver of its own and get the work done for me. I should
> get notifications when a new packet has arrived at the network adapter so
> that I can read that packet, examine its contents and then decide whether to
> block it.
> I want to be able to read ethernet packets as I’ll then retrieve the IP
> packet, TCP packet etc. from it and examine it.
> The SDK should provide me an API that will let me decide whether or not to
> let this examined packet be forwarded to the network adapter or should be
> blocked from going ahead.
>
> This is all being done for an IDS which I’m planning to develop but I want
> to save time on writing the NDIS level driver.
>
> Here are the links of such SDKs I’ve found:
>
> 1. WinPkFilter
> http://www.ntkernel.com/w&p.php?id=7
>
> 2. MicroOLAP’s Packet Sniffer SDK
> http://www.microolap.com/products/network/pssdk/
>
> I’ve found WinPkFilter to be pretty good for my requirement but I want to
> know if any of the experienced members here could recommend me anything
> better than that.

There is certainly a performance penalty for filtering packets in user-mode on Windows. However, the penalty may be totally acceptable in some cases. For example, for WAN optimization over relatively slow links (satellite, DSL, Wi-Fi, etc.). On these links there is measurable but inconsequential performance degradation.

On the high-end of 100 Mbps, Gbps and higher links per-packet user-mode filtering is currently unacceptable. On server adapters that implement RSS and Chimney offload user-mode per-packet filtering or packet filtering in kernel mode will probably degrade performance unacceptably.

I don’t think it is “unsafe” to marshal packets to user mode. I think this one is pretty safe and works on Windows XP through Windows 7 for the lower-performance links:

http://pcausa.com/filters/ipredir.htm

Good luck,

Thomas F. Divine
http://www.pcausa.com

From: Nathan Zaugg
Sent: Tuesday, January 05, 2010 12:47 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Need packet filtering SDK for Windows

Hi Thomas,

Thank you for replying. The IP Packet Redirector looks perfectly suitable for my needs, but I want to try using it. I found the information guide PDF and the binaries of the samples, but no source code for the samples.
Can you provide me with the source code of the user mode applications?
I’d like to try using it, would like to check how much programmer friendly it is, write different applications and get more accustomed to it.
Presently I have tried, as said earlier, WinPkFilter and MicroOLAP’s PSSDK,
and I need to try IP Packet Redir in the same way as well so as to decide which one to purchase.

Waiting for your reply