Windows Packet Filter Basic Samples

Windows Packet Filter includes several basic sample applications to help you get started:

ListAdapters

This sample demonstrates the basic usage of the CNdisApi object, CNdisApi::GetTcpipBoundAdaptersInfo, the adapter name conversion functions and CNdisApi::GetMTUDecrement. It dumps all information requested from the helper driver to the console. The network interface indexes it prints can be passed to PacketSniffer and PassThru.

Source Code: Visual C++, Visual C#, Delphi

Notes:

  • The displayed MTU value is the real network interface MTU (maximum IP packet size) without the system-wide MTU decrement applied.
  • On Windows NT/2000/XP, the MTU is not defined for Device\NDISWANIP (the dial-up interface) before a connection has been established.
  • When multiple NDISWAN connections are established (Windows 2000/XP supports more than one active NDISWAN device), the utility also displays the available information on the WAN links.

PassThru (PackThru)

This sample demonstrates the basic usage of the active filtering modes. It puts the chosen network interface into filtering mode (sent and received packets are queued), registers a Win32 event (CNdisApi::SetPacketEvent) and waits for new packets. Its functionality is close to the Windows DDK PassThru intermediate driver sample. PackThru is the same as PassThru, but it sends and receives packets in bulk.

Source Code: Visual C++, Visual C#, Delphi

Notes:

  • If you put an adapter into filtering mode, remember that the internal helper driver packet queue is limited in size (500 packets in the current version). If you neither read packets from the queue (with CNdisApi::ReadPacket) nor release the queued packets directly by calling CNdisApi::FlushAdapterPacketQueue, network activity will be frozen once the queue reaches its limit. Be careful to release the network interface when you have finished reading packets from it (see the ReleaseInterface function in PassThru.cpp).
  • Use ListAdapters to get information about the MSTCP network interfaces and the network interface index to pass to PassThru.
  • Because network interfaces can be enabled and disabled dynamically on Windows 2000/XP, the adapter list also changes when these operations are performed.

PacketSniffer

This sample demonstrates the basic usage of the listening modes. It puts the chosen network interface into listening mode (sent and received packets are queued) and polls the helper driver for new packets. Starting with WinpkFilter 2.0, this sample also demonstrates the usage of promiscuous mode.

Source Code: Visual C++, Visual C#, Delphi

Notes:

  • If you put an adapter into listening mode, remember that the internal helper driver packet queue is limited in size (500 packets in the current version). If you neither read packets from the queue (with CNdisApi::ReadPacket) nor release the queued packets directly by calling CNdisApi::FlushAdapterPacketQueue, network activity will be frozen once the queue reaches its limit. Be careful to release the network interface when you have finished reading packets from it (see the ReleaseInterface function in PacketSniffer.cpp).
  • Use ListAdapters to get information about the MSTCP network interfaces and the network interface index to pass to PacketSniffer.
  • Because network interfaces can be enabled and disabled dynamically on Windows 2000/XP, the adapter list also changes when these operations are performed.
  • PacketSniffer polls the helper driver for packets. This is inefficient and has a serious performance impact; see the more advanced PassThru sample for the event-driven approach (Win32 event).

NdisRequest

This sample demonstrates the basic usage of the NdisrdRequest function. It queries every locally installed network interface for its current MAC address and for the counts of frames transmitted without errors, frames received without errors, frames not transmitted or transmitted with errors, and frames received with errors.

Source Code: Visual C++, Visual C#, Delphi

Filter

This sample demonstrates the basic usage of the SetPacketFilterTable API. It builds a filter table for each of the following scenarios:

  1. Redirect only DNS packets for processing in user mode.
  2. Redirect only HTTP (TCP port 80) packets for processing in user mode.
  3. Drop all ICMP packets. Redirect all other packets to user mode (default behavior).
  4. Block access to http://www.ntkernel.com. Pass all other packets without processing in user mode.
  5. Redirect only ARP/RARP packets to user mode. Pass all others.

Source Code: Visual C++, Visual C#
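The following is an added example, not code from the Filter sample or from the WinpkFilter API: a stand-alone user-mode model of the five scenarios above, run over constructed Ethernet frames. It parses the fields a static filter matches on (Ethertype, IP protocol, destination address, TCP/UDP ports) and returns the action each scenario would take, with unmatched or malformed frames falling through to the scenario's default. Scenario 4 is modelled as dropping TCP traffic to port 80 of an IPv4 address the caller supplies (the address the hostname resolves to). All function names, the placeholder addresses and ports, and the treatment of DNS over both UDP and TCP are this example's own assumptions.

```cpp
// Added example (not the WinpkFilter Filter sample or its SetPacketFilterTable API):
// a user-mode model of the five static-filter scenarios, run over constructed frames.
#include <cstdint>
#include <cstddef>
#include <iostream>
#include <vector>

using Frame = std::vector<uint8_t>;
enum class Action { Pass, Drop, Redirect };
enum class Scenario { DnsOnly = 1, HttpOnly, DropIcmp, BlockHost, ArpOnly };

static uint16_t be16(const uint8_t* p) { return uint16_t((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t* p) { return (uint32_t(be16(p)) << 16) | be16(p + 2); }

// Header fields a static filter can match on. `ok` is false for a frame that is too
// short or has a malformed IPv4 header; such frames match nothing and take the default.
struct Fields {
    bool ok = false;
    uint16_t ethertype = 0;
    uint8_t ipProto = 0;
    uint32_t dstIp = 0;
    uint16_t srcPort = 0, dstPort = 0;   // TCP/UDP only
};

Fields parse(const Frame& f) {
    Fields r;
    if (f.size() < 14) return r;
    r.ethertype = be16(&f[12]);
    r.ok = true;
    if (r.ethertype != 0x0800) return r;                    // ARP/RARP/other: L2 fields only
    if (f.size() < 14 + 20) { r.ok = false; return r; }
    const uint8_t* ip = &f[14];
    size_t ihl = size_t(ip[0] & 0x0f) * 4;                  // options allowed, ports follow the header
    if ((ip[0] >> 4) != 4 || ihl < 20 || f.size() < 14 + ihl) { r.ok = false; return r; }
    r.ipProto = ip[9];
    r.dstIp = be32(ip + 16);
    if ((r.ipProto == 6 || r.ipProto == 17) && f.size() >= 14 + ihl + 4) {
        r.srcPort = be16(ip + ihl);
        r.dstPort = be16(ip + ihl + 2);
    }
    return r;
}

// blockedHost: IPv4 address the "block www.ntkernel.com" scenario resolves to (assumption:
// the caller resolves the name; tests pass a placeholder address).
Action decide(Scenario s, const Frame& f, uint32_t blockedHost) {
    Fields p = parse(f);
    bool ip = p.ok && p.ethertype == 0x0800;
    bool udp = ip && p.ipProto == 17, tcp = ip && p.ipProto == 6, icmp = ip && p.ipProto == 1;
    bool port53 = p.srcPort == 53 || p.dstPort == 53;
    bool port80 = p.srcPort == 80 || p.dstPort == 80;
    switch (s) {
    case Scenario::DnsOnly:   return ((udp || tcp) && port53) ? Action::Redirect : Action::Pass;
    case Scenario::HttpOnly:  return (tcp && port80) ? Action::Redirect : Action::Pass;
    case Scenario::DropIcmp:  return icmp ? Action::Drop : Action::Redirect;   // default here is redirect
    case Scenario::BlockHost: return (tcp && p.dstPort == 80 && p.dstIp == blockedHost) ? Action::Drop : Action::Pass;
    case Scenario::ArpOnly:   return (p.ok && (p.ethertype == 0x0806 || p.ethertype == 0x8035)) ? Action::Redirect : Action::Pass;
    }
    return Action::Pass;
}

// Constructed frames for testing (addresses and ports are placeholders).
Frame ipv4Frame(uint8_t proto, uint32_t dst, uint16_t sport, uint16_t dport) {
    Frame f(14 + 20 + 8, 0);
    f[12] = 0x08; f[13] = 0x00;                             // Ethertype IPv4
    f[14] = 0x45; f[17] = 28; f[23] = proto;                // IHL 5, total length 28, protocol
    for (int i = 0; i < 4; ++i) f[30 + i] = uint8_t(dst >> (24 - 8 * i));
    if (proto == 6 || proto == 17) {                        // transport header starts with the two ports
        f[34] = uint8_t(sport >> 8); f[35] = uint8_t(sport);
        f[36] = uint8_t(dport >> 8); f[37] = uint8_t(dport);
    }
    return f;
}
Frame l2Frame(uint16_t ethertype) {
    Frame f(42, 0);
    f[12] = uint8_t(ethertype >> 8); f[13] = uint8_t(ethertype);
    return f;
}

int main() {
    const uint32_t blocked = 0xC0A80064;                    // placeholder for the resolved web-server address
    const char* names[] = {"Pass", "Drop", "Redirect"};
    std::cout << "scenario 1, DNS query:           "
              << names[int(decide(Scenario::DnsOnly, ipv4Frame(17, blocked, 40000, 53), blocked))] << "\n";
    std::cout << "scenario 4, HTTP to blocked host: "
              << names[int(decide(Scenario::BlockHost, ipv4Frame(6, blocked, 40000, 80), blocked))] << "\n";
    return 0;
}
```

The point to take from it is that the table entries operate on header fields only: the hostname in scenario 4 has to be resolved to an address before the filter is installed, and a server that changes address or is reached over a port other than 80 is no longer matched. Frames too short to parse match no rule and take the scenario's default action.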

FilterStats

This sample demonstrates the basic usage of GetPacketFilterTable and GetPacketFilterTableResetStats. It can be used together with the Filter sample application.

Source Code: Visual C++, Visual C#

WWWCensor

This is a simple packet content filtering sample. It accepts a single word or phrase as input and drops every HTTP packet in which it finds the specified pattern. For example, if you start “wwwcensor.exe porn”, the application blocks access to any website whose URL contains “porn”, and no page containing the word is displayed in the browser.

Source Code: Visual C++

GRETunnel

This sample demonstrates IP over GRE tunneling. For each outgoing IP packet, the application inserts a GRE header before the IP header. For each incoming packet, the application checks whether it carries a GRE header and, if so, removes it. To test the application, run it on two systems connected over a network. While both instances are active, the two systems can communicate with each other over the GRE tunnel but cannot communicate with any other system.

Source Code: Visual C++
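Added example, not the GRETunnel sample's code: a stand-alone implementation of the two operations described above, standard GRE (RFC 2784) encapsulation of an IPv4 packet behind an outer IPv4 header with protocol 47, and the reverse check-and-strip, run over a constructed frame. The function names, the placeholder tunnel endpoint addresses, setting DF on the outer header, and rejecting any GRE header that carries optional fields are this example's own assumptions.

```cpp
// Added example (not part of the WinpkFilter GRETunnel sample): user-mode GRE (RFC 2784)
// encapsulation and decapsulation of IPv4 packets carried in Ethernet frames.
#include <cstdint>
#include <cstddef>
#include <iostream>
#include <vector>

using Frame = std::vector<uint8_t>;          // Ethernet header + payload
constexpr size_t kEth = 14, kIp = 20, kGre = 4;
constexpr uint8_t kProtoGre = 47;

static uint16_t be16(const uint8_t* p) { return uint16_t((p[0] << 8) | p[1]); }
static void put16(uint8_t* p, uint16_t v) { p[0] = uint8_t(v >> 8); p[1] = uint8_t(v); }
static void put32(uint8_t* p, uint32_t v) { put16(p, uint16_t(v >> 16)); put16(p + 2, uint16_t(v)); }

// RFC 1071 one's-complement checksum over an IPv4 header; returns 0 for a header
// whose checksum field is already correct.
static uint16_t ipChecksum(const uint8_t* h, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += be16(h + i);
    if (len & 1) sum += uint32_t(h[len - 1]) << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return uint16_t(~sum);
}

// Outgoing: Eth + inner IPv4  ->  Eth + outer IPv4 (proto 47) + GRE + inner IPv4.
// Returns an empty Frame if the input is not a plain IPv4 frame or would not fit.
Frame greEncap(const Frame& f, uint32_t tunnelSrc, uint32_t tunnelDst) {
    if (f.size() < kEth + kIp || be16(&f[12]) != 0x0800 || (f[kEth] >> 4) != 4) return {};
    size_t innerLen = be16(&f[kEth + 2]);            // use the IP total length, not the frame size (Ethernet padding)
    if (innerLen < kIp || innerLen > f.size() - kEth || innerLen + kIp + kGre > 0xffff) return {};
    Frame out(f.begin(), f.begin() + kEth);          // Ethernet header unchanged
    uint8_t outer[kIp] = {0};
    outer[0] = 0x45;                                 // IPv4, IHL 5
    outer[1] = f[kEth + 1];                          // copy TOS/DSCP from the inner header
    put16(outer + 2, uint16_t(kIp + kGre + innerLen));
    put16(outer + 4, be16(&f[kEth + 4]));            // reuse the inner identification
    put16(outer + 6, 0x4000);                        // DF: tunnel packets are not fragmented (design choice)
    outer[8] = f[kEth + 8];                          // copy the inner TTL
    outer[9] = kProtoGre;
    put32(outer + 12, tunnelSrc);
    put32(outer + 16, tunnelDst);
    put16(outer + 10, ipChecksum(outer, kIp));
    out.insert(out.end(), outer, outer + kIp);
    const uint8_t gre[kGre] = {0x00, 0x00, 0x08, 0x00};  // C=0, version 0, protocol type IPv4
    out.insert(out.end(), gre, gre + kGre);
    out.insert(out.end(), f.begin() + kEth, f.begin() + kEth + innerLen);
    return out;
}

// Incoming: strips outer IPv4 + GRE if present and well formed; otherwise returns empty.
Frame greDecap(const Frame& f) {
    if (f.size() < kEth + kIp + kGre + kIp || be16(&f[12]) != 0x0800) return {};
    const uint8_t* ip = &f[kEth];
    if (ip[0] != 0x45 || ip[9] != kProtoGre || ipChecksum(ip, kIp) != 0) return {};  // not GRE, or corrupt outer header
    size_t total = be16(ip + 2);
    if (total > f.size() - kEth || total < kIp + kGre + kIp) return {};            // length field must fit the buffer
    const uint8_t* gre = ip + kIp;
    // Only the 4-byte base header is accepted: any flag (checksum/key/sequence) or non-zero version is rejected.
    if (gre[0] != 0 || (gre[1] & 0x07) != 0 || be16(gre + 2) != 0x0800) return {};
    Frame out(f.begin(), f.begin() + kEth);
    out.insert(out.end(), gre + kGre, ip + total);
    return out;
}

// Constructed test input: Eth + IPv4 (UDP, 8 payload bytes); addresses are placeholders.
Frame sampleFrame() {
    Frame f(kEth + kIp + 8, 0);
    f[12] = 0x08; f[13] = 0x00;
    uint8_t* ip = &f[kEth];
    ip[0] = 0x45; ip[8] = 64; ip[9] = 17;
    put16(ip + 2, uint16_t(kIp + 8));
    put16(ip + 4, 0x1234);
    put32(ip + 12, 0xC0A80001); put32(ip + 16, 0xC0A80002);
    put16(ip + 10, ipChecksum(ip, kIp));
    for (size_t i = 0; i < 8; ++i) f[kEth + kIp + i] = uint8_t('A' + i);
    return f;
}

bool roundTrips(const Frame& f, uint32_t s, uint32_t d) { return greDecap(greEncap(f, s, d)) == f; }

bool rejectsTamperedOuter(const Frame& f) {
    Frame t = greEncap(f, 0x0A000001, 0x0A000002);
    t[kEth + 8] ^= 0x01;                              // flip a TTL bit without fixing the checksum
    return greDecap(t).empty();
}

int main() {
    Frame enc = greEncap(sampleFrame(), 0x0A000001, 0x0A000002);
    std::cout << "inner " << sampleFrame().size() << " bytes -> tunnelled " << enc.size() << " bytes, round trip "
              << (roundTrips(sampleFrame(), 0x0A000001, 0x0A000002) ? "ok" : "FAILED") << "\n";
    return 0;
}
```

Each tunnelled packet grows by 24 bytes (20-byte outer IPv4 header plus 4-byte GRE header), so a full-size inner packet no longer fits the link MTU once encapsulated; the system-wide MTU decrement mentioned under ListAdapters is what leaves room for such added headers. The decapsulator validates the outer header checksum and total length before trusting them, so a corrupt or truncated tunnel packet is rejected rather than read past the end of the buffer.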