Windows Packet Filter

Windows Packet Filter (WinpkFilter) is a high performance packet filtering framework for Windows that allows developers to transparently filter (view and modify) raw network packets at the NDIS level of the network stack with minimal impact on network activity and without having to write any low level driver code.

Windows Packet Filter includes NDIS 3.1/4 hooking VxD driver (Windows 95/ME), NDIS 4 hooking filter driver (Windows NT/2000/XP), NDIS 5 Intermediate (Windows XP/2003) and NDIS 6 Lightweight Filter (LWF) drivers as well as companion user-mode API DLL and samples.

Key advantage of Windows Packet Filter in comparison to other packet filtering frameworks for Windows (based on Windows Filtering Platform (WFP) callout drivers, Layered Service Poviders (LSP), TDI filters and etc..) is the ability to manipulate raw Ethernet frames achieved by installing driver below all network protocol drivers and just above network interface driver. Thus WinpkFilter driver has an ultimate control over all network traffic flow destined to or originated from your system and allows you modify any packet, drop it or even forge and insert a completely new one. Using Windows Packet Filter requires no experience in kernel mode programming on your behalf since it provides you with a powerful user level API. However, if you need to implement your solution (to achieve better performance) in kernel mode, you can do that as well by adding your functional code directly to Windows Packet Filter driver’s code.

System Requirements

Windows 95/98/Millennium Windows Vista Widows Server 2012
Windows NT 4.0 Windows Server 2008 Windows 8.1
Windows 2000 Windows 7 Windows Server 2012 R2
Windows XP Windows Server 2008 R2 Windows 10
Windows Server 2003 Windows 8 Windows Server 2016

The following connections types are supported for the operating systems above:

  • Wired Ethernet (802.3)
  • Wi-Fi (802.11)
  • WAN (Analog/ISDN modems, PPPoE, 3G/4G mobile modems)
  • Mobile Broadband (PPIP)

Product features

  • Reliability and stability confirmed by hundreds of satisfied customers since product launch in 2002 ranged from small shareware companies to world known corporations.
  • High performance. WinpkFilter allows handling Gigabit network bandwidth in user mode application without noticeable performance degradation.
  • Complete and easy portability across all Windows desktop platforms.
  • Operates on RAS/PPP adapters and supports Windows 7 Mobile Broadband stack(PPIP)
  • Passive network listening (collecting network packets) and active filtering (with capability to edit/drop network packets) modes
  • Interface for injecting raw Ethernet frames into the network stack (either destined from the TCP/IP to the network and in reversed direction)
  • Support for MTU decrement (allows setting system-wide MTU decrement). This option is useful if you plan to add additional headers to IP packets (implement IP in IP packet tunneling, IPSEC based VPN and so on).
  • Powerful built-in network filters engine allows setting rules to pass, block or redirect network packet to Windows Packet Filter based application for further processing.
Windows Packet Filter architecture

Windows Packet Filter architecture

Applicability/Usage Scope

Windows Packet Filter can be used as a base for the following kinds of network applications (including but not limited to):

  • User-mode firewall and content filtering solutions. No more need to write kernel mode drivers to implement the firewall!
  • Kernel-mode firewall and content filtering solutions. This requires kernel-mode programming skills and Source Code license (to integrate your network packet processing code directly into the drivers) but provides the maximum possible performance.
  • Internet Connection Sharing (Network Address Translation) that can be implemented either in user or kernel depending on performance requirements.
  • Virtual Private Network solution (IPSEC, SSL VPN and etc.) that can also be implemented both in user and kernel depending on performance requirements.
  • Network packets tunneling solution. An example, packets captured from the network can be tunneled from the client to the remote system inside the SSL, SSH, HTTP, ICMP and etc., extracted by the remote host and injected into the real network (after required packet headers modifications). Response packets can be returned back to the client in the same manner. This may allow to bypass certain network access limitations.
  • Packet sniffer. You can capture and inspect all packets sent to (received from) TCP/IP.
  • IP shaping solutions (when you need to limit bandwidth for Internet users).
  • Network traffic counting and bandwidth management solutions.
  • Wireless Firewall Gateways even with HTTP authorization.
  • Transparent proxy solution based on NDIS level packet redirection. This can be used, an example, to decrypt SSL(Man-In-The-Middle), parent content control, e-mail SPAM filtering and etc…
  • Transparent filtering bridge

Windows Packet Filter run-time libraries

You can download Windows Packet Filter run-time libraries package (free for private or educational use) in order to test and evaluate the reliability and performance of our software. The package below includes three simple console applications with complete source code implemented in Visual C++, C++ Builder, Delphi and Visual C# to demonstrate how Windows Packet Filter can be used for rapid development of network packets filtering/modifying modules. Several more advanced network tools are implemented in Visual C++ and complete source code is also included.

Alternatively you can download driver only installations to build and run Windows Packet Filter samples available on GitHub:

  • Windows Packet Filter x64.msi can be installed on 64 bit editions of Windows Vista/7/8/10 and Windows Server 2008/2012/2016.
  • Windows Packet Filter x86.msi can be installed on 32 bit editions of Windows Vista/7/8/10 and Windows Server 2008/2012/2016.
  • Windows Packet Filter can be installed on Windows 95/98/ME and Windows NT4/2000/XP/2003. Both x64 and x86 platforms of Windows XP and Windows Server 2003 are supported.
WinpkFilter Runtime & Tools 3.2.18 24.02.2019 8.2 MB Download
Windows Packet Filter x64.msi 3.2.18 24.02.2019 580 KB Download
Windows Packet Filter x86.msi 3.2.18 24.02.2019 576 KB Download
Windows Packet Filter 3.2.18 24.02.2019 475 KB Download

Important notes:

  • Installed third-party firewall software may limit samples functionality.
  • Standard driver builds above limit the network MTU to 1500 bytes. It may cause performance degradation of 10 Gbps networks with Jumbo frames. Builds supporting Ethernet Jumbo frames (up to 9000 bytes) are available to licensed customers.

Windows Packet Filter Advanced Samples

Since some of of Windows Packet Filter customers are interested in the more functional samples than the basic ones we had started development of Advanced WinpkFilter Samples series. All these sample binaries are released as freeware. Currently available samples are:

  • Internet Gateway is a simple MFC Internet Connection sharing application based on Windows Packet Filter. It implements a simple TCP and UDP dynamic NAT and allows sharing single Internet connection over your home network providing the major Internet services (e-mail, WWW, FTP and etc…).
  • LAN HTTP Monitor is a simple MFC application based on Windows Packet Filter. It allows interception of all HTTP connections from Local Area Network to Internet. It is supposed that application runs on the software Internet gateway (an example, system system sharing WAN connection over WiFi/LAN or even WiFi over Virtual WiFi). It redirects all HTTP page queries through the local proxy, so you can inspect the network traffic for these connections. This proxy functionality is completely transparent for clients. LAN HTTP Monitor parses all GET queries and shows it in the list control. It can be easily extended to monitor and to change traffic for popular messengers, FTP, SMTP, POP3 and etc. Also, it can be used to cache internet pages or to filter internet traffic content.
  • WAN Emulator is a simple console application for Windows based on Windows Packet Filter. It is also known as Long Fat Network (LFN) Emulator which primary task is simulating Long Fat Network behavior over normal Local Area Network by adding packets delays and drops.
  • Ethernet Bridge – implements MAC level bridging of TCP/IP bound network interfaces. It can be used, an example, with OpenVPN in its bridging mode, especially with the server-end running on a Windows 2000 machine (which misses native bridging available since Windows XP).

How to install

Unzip and run winpkflt_rtl.exe.

Price & licensing

We offer two types of licenses. Each license includes one year of free updates & support and custom driver’s build*.

License type Complete Source Code Price (USD) Online Order
Developer NO 1995.00 Secure Online Payments and Credit Card Processing by BlueSnap
Source Code YES 4995.00 Secure Online Payments and Credit Card Processing by BlueSnap
Developer to Source Upgrade YES 3000.00 Secure Online Payments and Credit Card Processing by BlueSnap

Please be very careful when choosing the license type:

  • Developer license can be used for creating royalty free Windows Packet Filter based software. NT Kernel Resources strongly recommends you to request custom software build* from us to use for production.
  • Source Code license is similar to Developer license, but it also includes complete source code of Windows Packet Filter.

* – You may need custom build of WinpkFilter drivers if you are going to redistribute helper drivers as a part of your software. Custom builds allow avoiding any possible conflicts with other WinpkFilter based applications. If you have purchased Developer license you can request custom build by sending e-mail to One custom build per license is included in Developer and Source Code subscriptions. Additional custom builds are subject of extra charge 100 USD per build.

Subscription Renewal

If you are already WinpkFilter customer, but your support plan is out-of-date, then you can renew it using the links below (please note that NT Kernel Resources may request your previous order ID and date for confirmation):

License type Complete Source Code Price (USD) Online Order
Developer Subscription Renew NO 1495.00 Secure Online Payments and Credit Card Processing by BlueSnap
Source Code Subscription Renew YES 3995.00 Secure Online Payments and Credit Card Processing by BlueSnap


Windows Packet Filter software is supplied AS-IS, without warranties of any kind.