Nmap Development mailing list archives
Re: NDIS Filter driver in Npcap
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 14 Jul 2020 15:44:32 -0500
Lisa,

Thanks for inquiring. I was not involved in Npcap design from the beginning, but I currently maintain it. The advantages of the filter driver implementation over protocol driver are primarily related to performance. As a protocol driver, WinPcap sits next to TCPIP and other protocol drivers and does not naturally see any of the traffic they generate. Instead, it has to instruct NDIS to loop back all traffic from other protocols when it reaches the miniport (network adapter), and this loopback path is less optimized than the standard path. A filter driver, on the other hand, processes all send and receive indications as they traverse the stack normally.

There's a better description of this difference, complete with diagrams, in an old answer on StackOverflow here: https://stackoverflow.com/a/18478725/1183387

You probably already have most of this info, but here are a few places to go for research on this topic:

* WinPcap's driver internals documentation: https://www.winpcap.org/docs/docs_412/html/group__NPF.html
* Npcap's version of the above documentation: https://nmap.org/npcap/guide/npcap-internals.html
* NDIS 6 driver types: https://docs.microsoft.com/en-us/windows-hardware/drivers/network/ndis-drivers

Best of luck to you!

Dan

On Fri, Jul 10, 2020 at 6:10 AM Lisa Hofmann <lisa1.hofmann () st oth-regensburg de> wrote:
> Hello,
>
> for my master's thesis I am currently working on a similar tool as Npcap which will also be based on NDIS 6.x. Therefore I wanted to ask you why Npcap is using an NDIS filter driver while WinPcap uses a protocol driver?
>
> With kind regards,
> Lisa
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/