I was wondering if there was any trace when a packet flow is modified by WinpkFilter. I am currently playing around with a GPN that seems to leverage WinpkFilter to actually intercept and redirect flows that are related to games.
I would be curious to understand a bit more how it’s structured and the selection logic between flows it ignores and flows that are hijacked.
Yes, you are right about ExitLag, it does indeed use WinpkFilter to intercept and process network traffic. However, I’m afraid the only way I can suggest for researching how it affects traffic flow is to create two winpkfilter-derived drivers and set one above and one below ExitLag in the stack. Thus, you can capture and record the traffic from these two drivers, save it to a PCAP file, and analyze the difference in Wireshark.
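A first pass over the two captures described in the answer can be scripted before opening them in Wireshark. The following is an added example, not code from the thread or from the WinpkFilter project: it assumes both captures are classic little-endian pcap files with Ethernet framing, and all function names and sample packets are hypothetical. It compares the IPv4 TCP/UDP 5-tuples seen above and below the intermediate driver, so flows present on both sides can be separated from flows that appear on only one side.

```python
import socket
import struct

def build_pcap(packets):
    """Build a classic pcap (Ethernet) from (proto, src, sport, dst, dport) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for proto, src, sport, dst, dport in packets:
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16  # ports + padding
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto,
                         0, socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + l4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def flows(pcap):
    """Return the set of IPv4 TCP/UDP 5-tuples found in a classic pcap byte string."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    seen, off = set(), 24  # 24-byte global header
    while off + 16 <= len(pcap):
        incl, = struct.unpack_from("<I", pcap, off + 8)  # captured length
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated or not IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
            continue  # only TCP and UDP carry ports
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        seen.add((proto, src, sport, dst, dport))
    return seen

def classify(above, below):
    """Split flows by where they were observed relative to the middle driver."""
    a, b = flows(above), flows(below)
    return {"both": a & b, "only_above": a - b, "only_below": b - a}

# Constructed sample captures (documentation-range addresses, not real traffic).
ABOVE = build_pcap([(6, "192.0.2.10", 50000, "198.51.100.5", 443),
                    (17, "192.0.2.10", 50001, "203.0.113.7", 27015)])
BELOW = build_pcap([(6, "192.0.2.10", 50000, "198.51.100.5", 443),
                    (17, "192.0.2.10", 50002, "203.0.113.99", 9000)])
RESULT = classify(ABOVE, BELOW)
```

For real captures, pass the bytes of each file (`open(path, "rb").read()`) to `classify`; flows listed under `only_above` and `only_below` are the ones worth inspecting by hand in Wireshark.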