Re: NDIS Filter driver in Npcap

[Daniel Miller <bonsaiviking () gmail com>]

Lisa,

Thanks for inquiring. I was not involved in Npcap design from the
beginning, but I currently maintain it. The advantages of the filter driver
implementation over protocol driver are primarily related to performance.
As a protocol driver, WinPcap sits next to TCPIP and other protocol drivers
and does not naturally see any of the traffic they generate. Instead, it
has to instruct NDIS to loop back all traffic from other protocols when it
reaches the miniport (network adapter), and this loopback path is less
optimized than the standard path. A filter driver, on the other hand,
processes all send and receive indications as they traverse the stack
normally. There's a better description of this difference, complete with
diagrams, in an old answer on StackOverflow here:
https://stackoverflow.com/a/18478725/1183387

You probably already have most of this info, but here are a few places to
go for research on this topic:

* WinPcap's driver internals documentation:
https://www.winpcap.org/docs/docs_412/html/group__NPF.html
* Npcap's version of the above documentation:
https://nmap.org/npcap/guide/npcap-internals.html
* NDIS 6 driver types:
https://docs.microsoft.com/en-us/windows-hardware/drivers/network/ndis-drivers

Best of luck to you!

Dan

On Fri, Jul 10, 2020 at 6:10 AM Lisa Hofmann <
lisa1.hofmann () st oth-regensburg de> wrote:

> Hello,
>
>
>
> for my master thesis I am currently working on a similar tool as Npcap
> which will also be based on NDIS 6.x. Therefore I wanted to ask you why
> Npcap is using a NDIS filter driver while WinPcap uses a protocol driver?
>
>
>
> With kind regards,
>
> Lisa
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/