Nmap Development mailing list archives

Re: NDIS Filter driver in Npcap


From: Lisa Hofmann <lisa1.hofmann () st oth-regensburg de>
Date: Sun, 19 Jul 2020 14:54:43 +0000

Hello Daniel,


thank you for your answer. It really helped me with my problem.


Best regards,

Lisa

________________________________
From: Daniel Miller <bonsaiviking () gmail com>
Sent: Tuesday, July 14, 2020 22:44:32
To: Lisa Hofmann
Cc: dev () nmap org
Subject: Re: NDIS Filter driver in Npcap

Lisa,

Thanks for inquiring. I was not involved in Npcap design from the beginning, but I currently maintain it. The 
advantages of the filter driver implementation over a protocol driver are primarily related to performance. As a protocol 
driver, WinPcap sits next to TCPIP and other protocol drivers and does not naturally see any of the traffic they 
generate. Instead, it has to instruct NDIS to loop back all traffic from other protocols when it reaches the miniport 
(network adapter), and this loopback path is less optimized than the standard path. A filter driver, on the other hand, 
processes all send and receive indications as they traverse the stack normally. There's a better description of this 
difference, complete with diagrams, in an old answer on StackOverflow here: https://stackoverflow.com/a/18478725/1183387

You probably already have most of this info, but here are a few places to go for research on this topic:

* WinPcap's driver internals documentation: https://www.winpcap.org/docs/docs_412/html/group__NPF.html
* Npcap's version of the above documentation: https://nmap.org/npcap/guide/npcap-internals.html
* NDIS 6 driver types: https://docs.microsoft.com/en-us/windows-hardware/drivers/network/ndis-drivers

Best of luck to you!

Dan

On Fri, Jul 10, 2020 at 6:10 AM Lisa Hofmann <lisa1.hofmann () st oth-regensburg de> wrote:

Hello,



for my master's thesis I am currently working on a tool similar to Npcap which will also be based on NDIS 6.x. Therefore 
I wanted to ask you why Npcap is using an NDIS filter driver while WinPcap uses a protocol driver?



With kind regards,

Lisa

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/