There is certainly a performance penalty for filtering packets in user-mode on Windows. However, the penalty may be totally acceptable in some cases. For example, for WAN optimization over relatively slow links (satellite, DSL, Wi-Fi, etc.). On these links there is measurable but inconsequential performance degradation.
On the high end of 100 Mbps, Gbps and higher links, per-packet user-mode filtering is currently unacceptable. On server adapters that implement RSS and Chimney offload, user-mode per-packet filtering or packet filtering in kernel mode will probably degrade performance unacceptably.
I don’t think it is “unsafe” to marshal packets to user mode. I think this one is pretty safe and works on Windows XP through Windows 7 for the lower-performance links:
http://pcausa.com/filters/ipredir.htm
Good luck,
Thomas F. Divine
http://www.pcausa.com
From: Nathan Zaugg
Sent: Tuesday, January 05, 2010 12:47 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Need packet filtering SDK for Windows
If you must support Operating Systems that are out of the support cycles (Win 2000 mostly) and you do not want to be involved in Kernel mode programming then yes, you need some 3rd party kernel driver to proxy the requests to User Mode. However, according to the WinPkFilter website there is a 30-40% performance penalty! The Windows 2000 requirement just seems odd to me.
For the real-deal packet filters / IDS they put as much logic as possible in the Kernel (i.e. close to the network stack) and only visit User Land for exceptional cases. It’s not that user land is slow, it’s that it’s expensive to safely marshal between kernel and user. Of course the ones I am most familiar with are Linux-based high-end solutions. I always thought that the Windows Kernel would make a great platform for appliances like this but things like this are almost always more popular on Linux.
So I leave it to someone else…Is there anything better than WinPkFilter that anyone knows of?
–Nate
On Mon, Jan 4, 2010 at 10:01 PM, wrote:
Hi Nathan,
Thank you for the quick reply. Windows Filtering Platform is available from Windows Vista onwards and I want to support all Windows OSs starting from Windows 2000.
I want to do the packet filtering in user mode. I don’t want to write a filter driver myself.
I want an SDK that will provide a set of APIs to communicate with an Intermediate NDIS driver of its own and get the work done for me. I should get notifications when a new packet has arrived at the network adapter so that I can read that packet, examine its contents and then decide whether to block it.
I want to be able to read ethernet packets as I’ll then retrieve the IP packet, TCP packet etc. from it and examine it.
The SDK should provide me an API that will let me decide whether or not to let this examined packet be forwarded to the network adapter or should be blocked from going ahead.
This is all being done for an IDS which I’m planning to develop but I want to save time on writing the NDIS level driver.
Here are the links of such SDKs I’ve found:
1. WinPkFilter
http://www.ntkernel.com/w&p.php?id=7
2. MicroOLAP’s Packet Sniffer SDK
http://www.microolap.com/products/network/pssdk/
I’ve found WinPkFilter to be pretty good for my requirement but I want to know if any of the experienced members here could recommend anything better than that.
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
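The user-mode half of what the original question asks for (receive a raw Ethernet frame from the SDK's intermediate driver, pull out the IP and TCP headers, return pass or block) can be written independently of whichever SDK delivers the frame. The following is an added example in C, not code from any of the posts above and not WinPkFilter's or MicroOLAP's API: the `verdict_t` callback shape, the sample policy (block TCP connection attempts to port 23), the constructed frame bytes and all helper names are assumptions for illustration. It shows the length checks a filter must do on every layer before trusting a header field, and it fails closed on malformed frames. This is also the per-packet work that Thomas Divine's reply says is paid for on every frame marshalled to user mode.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Pass/block decision returned for one frame. Assumed callback shape for this
 * example; a real SDK defines its own verdict type. */
typedef enum { VERDICT_PASS = 0, VERDICT_BLOCK = 1 } verdict_t;

#define ETH_HDR_LEN     14      /* dst(6) src(6) ethertype(2) */
#define ETHERTYPE_IPV4  0x0800
#define IPPROTO_TCP_NUM 6

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Fields extracted from a frame; a layer that is absent stays zeroed. */
typedef struct {
    int      is_ipv4, is_tcp;
    uint8_t  proto, tcp_flags;
    uint32_t src_ip, dst_ip;       /* host byte order */
    uint16_t src_port, dst_port;
    size_t   payload_len;
} parsed_frame_t;

/* Parse Ethernet -> IPv4 -> TCP from a raw frame (no FCS). Returns 0 on
 * success and -1 if any layer is truncated or its length fields do not fit
 * the bytes actually present. Checksums are not validated here. */
int parse_frame(const uint8_t *frame, size_t len, parsed_frame_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < ETH_HDR_LEN) return -1;
    if (be16(frame + 12) != ETHERTYPE_IPV4) return 0;   /* not IPv4: nothing more to inspect */

    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t ip_avail = len - ETH_HDR_LEN;
    if (ip_avail < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > ip_avail) return -1;          /* IHL must cover the fixed header and fit */
    size_t total_len = be16(ip + 2);
    if (total_len < ihl || total_len > ip_avail) return -1;  /* total length must not exceed the buffer */
    out->is_ipv4 = 1;
    out->proto   = ip[9];
    out->src_ip  = be32(ip + 12);
    out->dst_ip  = be32(ip + 16);
    if (out->proto != IPPROTO_TCP_NUM) return 0;

    const uint8_t *tcp = ip + ihl;
    size_t tcp_avail = total_len - ihl;
    if (tcp_avail < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > tcp_avail) return -1;       /* data offset must cover the fixed header and fit */
    out->is_tcp      = 1;
    out->src_port    = be16(tcp);
    out->dst_port    = be16(tcp + 2);
    out->tcp_flags   = tcp[13];
    out->payload_len = tcp_avail - doff;
    return 0;
}

/* Example policy: block TCP connection attempts (SYN set, ACK clear) to
 * port 23; pass everything else. Malformed frames are blocked (fail closed). */
verdict_t filter_frame(const uint8_t *frame, size_t len)
{
    parsed_frame_t pf;
    if (parse_frame(frame, len, &pf) != 0) return VERDICT_BLOCK;
    if (pf.is_tcp && pf.dst_port == 23 && (pf.tcp_flags & 0x12) == 0x02) return VERDICT_BLOCK;
    return VERDICT_PASS;
}

/* Constructed 54-byte Ethernet/IPv4/TCP frame, 192.168.1.10:40000 -> 10.0.0.5,
 * with the TCP destination port and flags patched in. Checksums left zero. */
size_t build_tcp_frame(uint8_t *buf, size_t cap, uint16_t dport, uint8_t tcp_flags)
{
    static const uint8_t tmpl[54] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,   /* Ethernet */
        0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,             /* IPv4, total len 40 */
        0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x05,
        0x9c,0x40, 0x00,0x00, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,             /* TCP, sport 40000 */
        0x50,0x00, 0x20,0x00, 0x00,0x00, 0x00,0x00
    };
    if (cap < sizeof tmpl) return 0;
    memcpy(buf, tmpl, sizeof tmpl);
    buf[ETH_HDR_LEN + 20 + 2]  = (uint8_t)(dport >> 8);
    buf[ETH_HDR_LEN + 20 + 3]  = (uint8_t)dport;
    buf[ETH_HDR_LEN + 20 + 13] = tcp_flags;
    return sizeof tmpl;
}

/* Build a frame, optionally deliver only its first truncate_to bytes (0 = all),
 * and return the verdict. */
verdict_t verdict_for(uint16_t dport, uint8_t tcp_flags, size_t truncate_to)
{
    uint8_t buf[64];
    size_t n = build_tcp_frame(buf, sizeof buf, dport, tcp_flags);
    if (truncate_to && truncate_to < n) n = truncate_to;
    return filter_frame(buf, n);
}

int main(void)
{
    printf("SYN to :23     -> %s\n", verdict_for(23, 0x02, 0)  == VERDICT_BLOCK ? "BLOCK" : "PASS");
    printf("SYN to :80     -> %s\n", verdict_for(80, 0x02, 0)  == VERDICT_BLOCK ? "BLOCK" : "PASS");
    printf("SYN/ACK to :23 -> %s\n", verdict_for(23, 0x12, 0)  == VERDICT_BLOCK ? "BLOCK" : "PASS");
    printf("truncated      -> %s\n", verdict_for(23, 0x02, 30) == VERDICT_BLOCK ? "BLOCK" : "PASS");
    return 0;
}
```

In a real deployment `filter_frame` would be the body of the SDK's receive/send callback and `build_tcp_frame` exists only to produce test input. The important part is the order of checks in `parse_frame`: each header length (Ethernet fixed, IPv4 IHL and total length, TCP data offset) is compared against the bytes actually delivered before the next layer is dereferenced, so a short or lying frame cannot make the filter read past the buffer; and because a frame that fails to parse is blocked rather than passed, an attacker cannot bypass the rule by sending a frame the parser refuses.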