Winpkfilter [patched]

```c
// Define the filter function
NTSTATUS FilterPacket(PFILTER_PACKET packet)
{
    // Check if the packet's source IP address matches the filter criteria
    // (0xC0A80001 is 192.168.0.1 in host byte order)
    if (packet->IpHeader->SourceAddress == 0xC0A80001)
    {
        // Drop the packet
        return FILTER_PACKET_DROP;
    }

    // Anything else is passed through unchanged
    return FILTER_PACKET_PASS;
}

int main()
{
    // Initialize the WinPKFilter driver
    WinPKFilter_Init();
    return 0;
}
```

Why it's cool: Most firewalls work at the application layer or at TDI (Transport Driver Interface). WinPkFilter works at the NDIS level – so even ICMP or malformed packets can be blocked before the TCP/IP stack ever sees them.

Features APIs like ReadPackets and SendPacketsToAdapter. These allow applications to batch up to 256 packets in a single context switch (MAX_PACKET_CHUNK), reducing the CPU overhead generated by user-to-kernel mode transitions.

Includes a built-in kernel-level rule processor to pass, block, or redirect packets based on defined network traits. This permits remote debugging or bypassing the user-mode processing loop for critical connections such as Remote Desktop Protocol (RDP), so those sessions are not stalled while the application handles other traffic.

WinPKFilter is a kernel-mode network filter driver that allows developers to capture, filter, and modify network traffic on Windows-based systems. It provides a powerful and flexible way to interact with network packets, enabling tasks such as network traffic filtering, analysis, and redirection.

```c
// Add rule: block all UDP port 53 (DNS) from 192.168.1.100
PF_FILTER_DESCRIPTION desc;
memset(&desc, 0, sizeof(desc));          // leave unused fields zeroed (wildcard)
desc.dwFilterType    = PF_INDISCARD;     // discard matching packets
desc.dwDirection     = PF_DIR_IN;        // inbound only
desc.dwProtocol      = IPPROTO_UDP;
desc.dwLocalPort     = 53;
desc.dwRemoteAddress = inet_addr("192.168.1.100");
DeviceIoControl(hFilter, IOCTL_PF_ADD_FILTER, &desc, ...);
```
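The two snippets above only sketch the rule-processor idea and cannot be built outside the driver. The following is an added example, not WinpkFilter's or NT Kernel Resources' code, that models in portable C what the kernel-level rule processor described on this page does: it parses raw Ethernet/IPv4 frames the way an NDIS-level filter sees them, applies a first-match rule table with pass/drop verdicts (loaded with the page's two rules: drop everything from 192.168.0.1, i.e. 0xC0A80001, and block UDP/53 from 192.168.1.100), fails closed on a malformed or truncated header, and evaluates frames in batches of up to MAX_PACKET_CHUNK (256) per call, mirroring the ReadPackets/SendPacketsToAdapter chunking. The `rule` and `pkt_view` structures, all function names, and the four test frames are constructed for this example and are not part of the WinpkFilter API.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
/* Verdicts mirror the pass/drop outcomes of the rule processor described above. */
enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };
/* One rule (a structure constructed for this example): a zero field is a wildcard; host byte order. */
struct rule {
    uint8_t  proto;     /* IP protocol number: 17 = UDP, 6 = TCP, 1 = ICMP, 0 = any */
    uint32_t src_ip;    /* 0 = any */
    uint16_t dst_port;  /* 0 = any; compared only for UDP/TCP */
    enum verdict action;
};
/* Fields extracted from a raw frame; valid == 0 means the frame was malformed. */
struct pkt_view { int valid; uint8_t proto; uint32_t src_ip; uint16_t dst_port; };
#define ETH_HDR_LEN      14
#define ETH_TYPE_IPV4    0x0800
#define MAX_PACKET_CHUNK 256   /* batch size quoted on the page */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Parse Ethernet + IPv4 (+ UDP/TCP destination port). Every length is checked before
   use, so a truncated or inconsistent header is reported as malformed, not read past. */
struct pkt_view parse_frame(const uint8_t *buf, size_t len) {
    struct pkt_view v; memset(&v, 0, sizeof v);
    if (len < ETH_HDR_LEN + 20 || rd16(buf + 12) != ETH_TYPE_IPV4) return v;
    const uint8_t *ip = buf + ETH_HDR_LEN;
    size_t iplen = len - ETH_HDR_LEN, ihl = (size_t)(ip[0] & 0x0f) * 4;
    uint16_t total = rd16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20 || ihl > iplen || total < ihl || total > iplen) return v;
    v.proto = ip[9];
    v.src_ip = rd32(ip + 12);
    if (v.proto == 17 || v.proto == 6) {        /* UDP/TCP: ports are the first 4 bytes */
        if (total - ihl < 4) return v;
        v.dst_port = rd16(ip + ihl + 2);
    }
    v.valid = 1;
    return v;
}

/* First matching rule wins; unmatched frames pass; malformed frames fail closed. */
enum verdict apply_rules(const struct rule *rules, size_t nrules, const uint8_t *buf, size_t len) {
    struct pkt_view v = parse_frame(buf, len);
    if (!v.valid) return VERDICT_DROP;
    for (size_t i = 0; i < nrules; i++) {
        const struct rule *r = &rules[i];
        if (r->proto && r->proto != v.proto) continue;
        if (r->src_ip && r->src_ip != v.src_ip) continue;
        if (r->dst_port && r->dst_port != v.dst_port) continue;
        return r->action;
    }
    return VERDICT_PASS;
}

/* Evaluate a whole batch (at most MAX_PACKET_CHUNK frames) in one call, the way a
   ReadPackets/SendPacketsToAdapter round trip hands over a chunk. Returns the drop count. */
size_t process_chunk(const struct rule *rules, size_t nrules, const uint8_t *const *frames,
                     const size_t *lens, size_t count, enum verdict *out) {
    size_t dropped = 0;
    if (count > MAX_PACKET_CHUNK) count = MAX_PACKET_CHUNK;
    for (size_t i = 0; i < count; i++) {
        out[i] = apply_rules(rules, nrules, frames[i], lens[i]);
        if (out[i] == VERDICT_DROP) dropped++;
    }
    return dropped;
}

/* Constructed 42-byte frame: Ethernet + IPv4 + 8-byte L4 header (UDP or ICMP echo). */
static size_t build_frame(uint8_t *out, uint32_t src, uint32_t dst, uint8_t proto, uint16_t dport) {
    memset(out, 0, 42);
    out[12] = 0x08; out[13] = 0x00;             /* EtherType IPv4 */
    uint8_t *ip = out + ETH_HDR_LEN, *l4 = ip + 20;
    ip[0] = 0x45; ip[3] = 28; ip[8] = 64; ip[9] = proto;   /* v4/IHL 5, length 28, TTL, proto */
    for (int i = 0; i < 4; i++) {
        ip[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        ip[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    if (proto == 17) { l4[2] = (uint8_t)(dport >> 8); l4[3] = (uint8_t)dport; l4[5] = 8; }
    else if (proto == 1) l4[0] = 8;             /* ICMP echo request */
    return 42;
}

/* Runs the page's two rules over four constructed frames and returns the drop count. */
size_t demo_dropped_count(void) {
    static const struct rule rules[] = {
        { 17, 0xC0A80164u, 53, VERDICT_DROP },  /* block UDP/53 from 192.168.1.100 */
        { 0,  0xC0A80001u, 0,  VERDICT_DROP },  /* drop anything from 192.168.0.1 */
    };
    uint8_t f[4][64]; size_t lens[4]; enum verdict v[4];
    lens[0] = build_frame(f[0], 0xC0A80164u, 0x08080808u, 17, 53); /* DNS from blocked host: drop */
    lens[1] = build_frame(f[1], 0xC0A80001u, 0x0A000005u, 1, 0);   /* ICMP from 192.168.0.1: drop */
    lens[2] = build_frame(f[2], 0x0A000005u, 0x08080808u, 17, 53); /* DNS from another host: pass */
    lens[3] = build_frame(f[3], 0x0A000005u, 0x08080808u, 17, 53) - 12; /* truncated IP header: drop */
    const uint8_t *frames[4] = { f[0], f[1], f[2], f[3] };
    return process_chunk(rules, 2, frames, lens, 4, v);            /* → 3 */
}

int main(void) { printf("dropped %zu of 4 frames\n", demo_dropped_count()); return 0; }
```

The parser deliberately checks the IHL and total-length fields against the bytes actually received before touching the transport header; that is the property that lets a filter at this layer drop malformed packets instead of passing them up or crashing on them. Rule order matters: as in a kernel rule table, the first match decides, so a broad drop for a source address placed first would shadow any narrower pass rule placed after it.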

When building network filtering tools on Windows, developers typically choose between WinpkFilter, the native Windows Filtering Platform (WFP), or packet capture engines like WinPcap/Npcap.