Windows Packet Filter

Windows Packet Filter (WinpkFilter) is a high-performance packet filtering framework designed for Windows that enables developers to efficiently filter (inspect and modify) raw network packets at the NDIS level of the network stack with minimal impact on network activity. This is achieved without the need for writing any low-level driver code.

Windows Packet Filter framework includes NDIS 3.1/4 hooking VxD driver for Windows 95/ME, NDIS 4 hooking filter driver for Windows NT/2000/XP, NDIS 5 Intermediate for Windows XP/2003, and NDIS 6 Lightweight Filter (LWF) drivers for Windows Vista and later. Additionally, it comes with a companion user-mode API DLL and sample code.

One of the key benefits of using Windows Packet Filter in comparison to other packet filtering frameworks for Windows, such as those based on the Windows Filtering Platform (WFP) callout drivers, Layered Service Providers (LSP), TDI filters, etc., is its ability to manipulate raw Ethernet frames by installing the driver below all network protocol drivers and just above the network interface driver. This gives the WinpkFilter driver ultimate control over all network traffic flow entering and leaving the system, allowing you to modify any packet, drop it, or even forge and insert a new one. With Windows Packet Filter, there’s no need to have experience in kernel-mode programming, as it provides a powerful user-level API. However, if you need to improve performance by implementing your solution in kernel mode, you can do so by directly adding your functional code to the Windows Packet Filter driver’s code.

System Requirements

Windows 95/98/MillenniumWindows Server 2008*Windows Server 2012 R2
Windows NT 4.0Windows 7Windows 10
Windows 2000Windows Server 2008 R2Windows Server 2016
Windows XPWindows 8Windows Server 2019
Windows Server 2003Widows Server 2012Windows 11
Windows Vista*Windows 8.1Windows Server 2022

The following connections types are supported for the operating systems above:

  • Wired Ethernet (802.3)
  • Wi-Fi (802.11)
  • WAN (Analog/ISDN modems, PPPoE, 3G/4G mobile modems)
  • Mobile Broadband (PPIP)
  • VPN network interfaces (WinTun, WireGuard etc.)

Product features

  • Windows Packet Filter has been confirmed for its reliability and stability by hundreds of satisfied customers, ranging from small shareware companies to well-known corporations, since its launch in 2002.
  • It boasts high performance, allowing for seamless handling of Gigabit network bandwidth in user-mode applications without any noticeable degradation in performance.
  • It is completely portable across all Windows desktop platforms and operates on RAS/PPP adapters, as well as supporting Windows 7 Mobile Broadband stack (PPIP).
  • It offers both passive network listening (packet collection) and active filtering (with the ability to edit or drop packets) modes.
  • There is also an interface for injecting raw Ethernet frames into the network stack, in both directions from TCP/IP to the network and vice versa.
  • The support for MTU decrement (setting system-wide MTU decrement) is useful for adding additional headers to IP packets, such as for IP in IP packet tunneling, IPSEC-based VPN, and so on.
  • The powerful built-in network filters engine allows you to set rules to pass, block, or redirect network packets to a Windows Packet Filter-based application for further processing.
Windows Packet Filter architecture
Windows Packet Filter architecture

Applicability/Usage Scope

Windows Packet Filter can be used as a foundation for various types of network applications, including but not limited to:

  • User-mode firewall and content filtering solutions, eliminating the need to write kernel-mode drivers.
  • Kernel-mode firewall and content filtering solutions, which require kernel-mode programming skills and a Source Code license, but offer the maximum possible performance.
  • Internet Connection Sharing (Network Address Translation) that can be implemented in either user or kernel mode, depending on performance requirements.
  • Virtual Private Network solutions (IPSEC, SSL VPN, WireGuard, etc.) that can also be implemented in either user or kernel mode, depending on performance requirements.
  • Network packet tunneling solutions, where packets captured from the network can be tunneled from the client to the remote system using SSL, SSH, HTTP, ICMP, etc. The remote host can extract the packets and inject them into the real network after modifying the required packet headers. Response packets can be returned to the client in the same manner, potentially bypassing certain network access limitations.
  • Packet sniffer, allowing you to capture and inspect all packets sent and received by TCP/IP.
  • IP shaping solutions, to limit bandwidth for Internet users.
  • Network traffic counting and bandwidth management solutions.
  • Wireless Firewall Gateways, even with HTTP authorization.
  • Transparent proxy solutions based on NDIS level packet redirection, which can be used for tasks such as decrypting SSL (Man-In-The-Middle), parental content control, and e-mail SPAM filtering.
  • Transparent filtering network bridges.

Downloads

You can download the Windows Packet Filter driver installer, which is free for personal or educational use, including non-profit organizations. This will give you the opportunity to test and evaluate the reliability and performance of the software.

The source code for Windows Packet Filter samples, along with the latest NDISAPI library, is available on GitHub for those who want to explore the software further.

For .NET developers, there is a C++/CLI class library included in the NDISAPI library, as well as an alternative p/Invoke C# library, NDISAPI.NET, for those who prefer to work in C#.

Driver packages:

Windows Packet Filter 3.4.0.1 ARM64.msiWindows 10/11Download
Windows Packet Filter 3.4.0.1 x64.msiWindows Vista* and laterDownload
Windows Packet Filter 3.4.0.1 x86.msiWindows Vista* and laterDownload
Windows Packet Filter 3.4.0.1.exeWindows 95/98/ME/NT/2000/XP/2003Download

Samples:

Advanced native C++ samples binariesARM64 buildsDownload
Basic and advanced native C++ samples binariesx64 buildsDownload
Basic and advanced native C++ samples binariesx86 buildsDownload
Basic native C++ samples binariesx86 VC++ 6.0 buildsDownload

Important notes:

Please note that the functionality of the samples may be limited by installed third-party firewall software. Additionally, the standard driver builds have a network MTU limit of 1500 bytes, which may result in a performance degradation for 10 Gbps networks with Jumbo frames. However, builds supporting Ethernet Jumbo frames up to 9000 bytes are available to licensed customers for a better network experience.

Windows Packet Filter Advanced Samples

The available sample applications provided with Windows Packet Filter include:

  1. Internet Gateway (snat.exe) – a simple MFC application for Internet connection sharing.
  2. WAN Emulator (lfnemu.exe) – a console application that simulates Long Fat Network behavior.
  3. capture – a native C++ sample that intercepts and saves packets to a PCAP file.
  4. dns_proxy – a native C++ sample that redirects DNS protocol through a transparent UDP proxy.
  5. dnstrace – a native C++ sample that intercepts and decodes DNS responses.
  6. ethernet_bridge – a native C++ sample that implements bridging wired and wireless networks.
  7. ipv6_parser – a native C++ sample that intercepts IPv6 packets and matches to the originating process.
  8. sni_inspector – a native C++ sample that intercepts network packets and extracts SNI from HTTPS and Host from HTTP packets.
  9. socksify – a native C++ sample that redirects selected TCP connections through a SOCKS5 proxy.
  10. udp2tcp – a native C++ sample that demonstrates how to convert UDP packets to TCP and vice versa.
  11. TestDotNet – a C# sample that demonstrates the usage of the NDISAPI library in filtering scenarios.

These sample applications offer a great starting point for exploring the capabilities of Windows Packet Filter and can be used as a foundation for building your own custom network applications.

License

Windows Packet Filter is free for personal or educational use, including non-profit organizations.

For the software publishers who wish to use Windows Packet Filter in their products, we offer two types of licenses. Each license includes one year of free updates & support and custom driver build*.

The first type of license is a Binary License, which allows the use of our pre-compiled Windows Packet Filter driver in your product. This license is ideal for software publishers who do not need to modify the driver or its behavior.

The second type of license is a Source Code License, which provides access to the source code of Windows Packet Filter driver and allows you to modify it to fit your specific needs. This license is ideal for software publishers who require customization of the driver or its behavior.

License typeComplete Source CodePrice (USD)Online Order
DeveloperNO3000.00Buy Now!
Source CodeYES9000.00Buy Now!
Developer to Source UpgradeYES6000.00Buy Now!

Notes:
* – For those who need to redistribute the WinpkFilter drivers as part of their software, it is advisable to create or request a custom build. This can help prevent potential conflicts with other applications that are based on WinpkFilter. As a licensed Developer, you can request a custom build by contacting support@ntkernel.com. A single custom build per license is included with both the Developer and Source Code subscriptions, and any additional custom-builds will incur an additional charge of 100 USD each.

Subscription Renewal

To renew your support plan, simply select the desired option and follow the checkout process. If you have any questions or need assistance, please do not hesitate to contact us at support@ntkernel.com. Our team is always ready to help and ensure that you get the most out of your investment in Windows Packet Filter.

  • Renew Support & Updates for 1 year: This option allows you to receive software updates and technical support for a period of 1 year.
  • Renew Support & Updates for 2 years: This option provides you with two years of software updates and technical support.
  • Renew Support & Updates for 3 years: This option offers you a three-year period of software updates and technical support.
License typePrice (USD)Online Order
Developer Renew Support & Updates for 1 year2000.00Buy Now!
Developer Renew Support & Updates for 2 years3000.00Buy Now!
Developer Renew Support & Updates for 3 years4000.00Buy Now!
Source Code Renew Support & Updates for 1 year6000.00Buy Now!
Source Code Renew Support & Updates for 2 years9000.00Buy Now!
Source Code Renew Support & Updates for 3 years12000.00Buy Now!

Support

Please ask questions in our support forum.

* – due to EOL of SHA-1 code signing on December 1, 2020, it is no longer possible to sign drivers for Windows Vista/2008. To run Windows Packet Filter on these operating systems, you will need to use the Disable Driver Signing Enforcement option.