Below we compare different ways of intercepting network packets and of filtering and analyzing their content, to see whether kernel drivers built on the NDIS and WFP frameworks perform better than WinPcap.

We tested the performance of each method; the results are in the table under Test Results.

Testing

We measured network bandwidth after applying a basic filter which:

- Intercepts all packets
- Verifies whether they are TCP/IP packets, and whether their source or destination is a given IP address
- Copies the packet data to a buffer
- Calls an empty callout function to process the packet payloads
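The filter described above, written out as an added example in portable C (this is not the article's code or the linked driver sources). It performs the same per-packet work the benchmark measured: reject anything that is not IPv4/TCP to or from one watched address, copy the frame into a buffer, and hand the TCP payload to an empty callout. In a WinPcap program the address/protocol selection would normally be pushed into the kernel as a compiled BPF expression (pcap_compile / pcap_setfilter with "ip and tcp and host 10.0.0.1") and the copy plus callout would live in the pcap_loop callback; in an NDIS or WFP driver the same checks sit in the receive path. The function names, the callout, the watched address 10.0.0.1 and the client address 192.168.1.5 are this example's own assumptions, and all frames are constructed test data.

```c
/* Added example, not code from the article or its linked sources: the benchmark's
 * "basic filter" as a portable C function. Names, the callout and the addresses
 * are this example's own assumptions; every frame below is constructed test data. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define ETH_HLEN       14
#define ETHERTYPE_IPV4 0x0800
#define PROTO_TCP      6
#define PROTO_UDP      17

/* NOBUF: buffer too small; TRUNCATED: frame shorter than its headers claim; PASS: not IPv4/TCP or address not watched. */
enum filter_result { FILTER_DROP_NOBUF = -2, FILTER_DROP_TRUNCATED = -1, FILTER_PASS = 0, FILTER_MATCH = 1 };
typedef void (*payload_callout_t)(const uint8_t *payload, size_t len);
static size_t g_callout_calls = 0;
/* The benchmark's "empty callout": gets the TCP payload and does nothing with it. */
static void empty_callout(const uint8_t *p, size_t n) { (void)p; (void)n; g_callout_calls++; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Apply the filter to one Ethernet frame (watch_ip in host byte order). On MATCH the frame,
 * up to the IP total length, is in buf, *copied holds its size and the callout has run. */
int filter_packet(const uint8_t *frame, size_t len, uint32_t watch_ip,
                  uint8_t *buf, size_t bufcap, size_t *copied, payload_callout_t callout)
{
    *copied = 0;
    if (len < ETH_HLEN) return FILTER_DROP_TRUNCATED;
    if (rd16(frame + 12) != ETHERTYPE_IPV4) return FILTER_PASS;          /* ARP, IPv6, ... */
    if (len < ETH_HLEN + 20) return FILTER_DROP_TRUNCATED;
    const uint8_t *ip = frame + ETH_HLEN;
    if ((ip[0] >> 4) != 4) return FILTER_PASS;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                             /* > 20 with IP options */
    if (ihl < 20 || len < ETH_HLEN + ihl) return FILTER_DROP_TRUNCATED;
    if (ip[9] != PROTO_TCP) return FILTER_PASS;
    if (rd32(ip + 12) != watch_ip && rd32(ip + 16) != watch_ip) return FILTER_PASS;
    /* Trust captured bytes over the length field; Ethernet padding past the IP total length is not copied. */
    size_t ip_total = rd16(ip + 2);
    if (ip_total > len - ETH_HLEN) ip_total = len - ETH_HLEN;
    if (ip_total < ihl + 20) return FILTER_DROP_TRUNCATED;
    const uint8_t *tcp = ip + ihl;
    size_t thl = (size_t)(tcp[12] >> 4) * 4;                             /* TCP data offset */
    if (thl < 20 || ihl + thl > ip_total) return FILTER_DROP_TRUNCATED;
    size_t frame_len = ETH_HLEN + ip_total;
    if (frame_len > bufcap) return FILTER_DROP_NOBUF;
    memcpy(buf, frame, frame_len);                                       /* the per-packet copy */
    *copied = frame_len;
    size_t off = ETH_HLEN + ihl + thl;                                   /* start of TCP payload */
    callout(buf + off, frame_len - off);
    return FILTER_MATCH;
}

/* Constructed frame: Ethernet + IPv4 (no options) + TCP (20 B) or UDP (8 B) + payload; checksums stay zero. */
size_t build_frame(uint8_t *out, size_t cap, uint8_t proto, uint32_t src, uint32_t dst,
                   const uint8_t *payload, size_t plen)
{
    size_t l4len = (proto == PROTO_TCP) ? 20 : 8, iplen = 20 + l4len + plen;
    if (ETH_HLEN + iplen > cap) return 0;
    memset(out, 0, ETH_HLEN + iplen);
    memset(out, 0xaa, 6); memset(out + 6, 0xbb, 6);                      /* dummy MACs */
    out[12] = 0x08; out[13] = 0x00;                                      /* EtherType IPv4 */
    uint8_t *ip = out + ETH_HLEN;
    ip[0] = 0x45; ip[2] = (uint8_t)(iplen >> 8); ip[3] = (uint8_t)iplen; /* v4, IHL 5, total length */
    ip[8] = 64; ip[9] = proto;                                           /* TTL, protocol */
    wr32(ip + 12, src); wr32(ip + 16, dst);
    uint8_t *l4 = ip + 20;
    l4[0] = 0xc0; l4[1] = 0x00; l4[2] = 0x14; l4[3] = 0x51;              /* ports 49152 -> 5201 (iperf3) */
    if (proto == PROTO_TCP) { l4[12] = 0x50; l4[13] = 0x18; }            /* data offset 5, PSH|ACK */
    else { l4[4] = (uint8_t)((8 + plen) >> 8); l4[5] = (uint8_t)(8 + plen); }  /* UDP length */
    memcpy(l4 + l4len, payload, plen);
    return ETH_HLEN + iplen;
}

/* Run the filter over four constructed frames; only the first (IPv4/TCP to 10.0.0.1) matches, so 1. */
int run_demo(void)
{
    static const uint8_t data[] = "iperf3 payload";
    const uint32_t watch = 0x0A000001, client = 0xC0A80105;             /* 10.0.0.1, 192.168.1.5 */
    struct { uint8_t proto; uint32_t dst; size_t cut; } cases[] = {
        { PROTO_TCP, 0x0A000001, 0  },    /* TCP to watched host: FILTER_MATCH */
        { PROTO_UDP, 0x0A000001, 0  },    /* UDP to watched host: FILTER_PASS */
        { PROTO_TCP, 0x0A000002, 0  },    /* TCP to 10.0.0.2: FILTER_PASS */
        { PROTO_TCP, 0x0A000001, 40 },    /* as case 1 but cut inside the TCP header: DROP_TRUNCATED */
    };
    uint8_t frame[256], buf[256];
    size_t len, copied;
    int matches = 0;
    g_callout_calls = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        len = build_frame(frame, sizeof frame, cases[i].proto, client, cases[i].dst, data, sizeof data - 1);
        if (cases[i].cut) len = cases[i].cut;                            /* simulate a short capture */
        if (filter_packet(frame, len, watch, buf, sizeof buf, &copied, empty_callout) == FILTER_MATCH)
            matches++;
    }
    return matches;
}

int main(void) { int m = run_demo(); printf("matched %d, callout ran %zu time(s)\n", m, g_callout_calls); return 0; }
```

Build with any C99 compiler (for example cc -std=c99 -Wall filter.c). The two length clamps are the part worth copying into real driver code: the IP total length and the TCP data offset come from the wire and must be checked against the bytes actually received before anything is copied or handed to a callout.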

We applied the filter in each of the methods (the source code is linked under Source Code below). To measure the maximum achievable bandwidth we used iperf3, a tool that generates network traffic and reports IP network statistics; it is highly configurable and worked well for our purposes.

Both the client and the server ran Windows Server 2008 R2 x64, each with an HP NC552SFP 10GbE 2-port network card. We followed the same steps for each method:

1. Set up the testing environment on the server.
2. Start iperf3 on the server in server mode: iperf3 -s
3. Start iperf3 on the client in client mode: iperf3 -c <server-ip> -P 16
4. Configure the server IP and the number of parallel streams (-P) so that the client generates the maximum achievable traffic.
5. Measure how fast the server receives the packets.

Test Results

(in Gbit/s)       Native   WinPcap   NDIS 6.0   WFP
Average           9.33     9.15      8.01       2.11
Min               9.25     9.09      7.02       1.25
Max               9.54     9.39      9.30       2.44
Std. Deviation    0.25     0.33      0.95       1.10

Test Conclusion

Native (no packet interception at all) sets the ceiling at 9.33 Gbit/s. WinPcap comes closest to it, losing about 2% of that bandwidth, while the NDIS 6.0 filter loses about 14% and varies far more between runs. WFP is significantly slower, delivering less than a quarter of the native throughput. These figures are for this particular filter, driver stack and hardware, so treat them as indicative rather than absolute.

Suggestions

If you can do it with WinPcap, do it with WinPcap. Given the ease of use of WinPcap’s API, and the test results, we strongly recommend WinPcap for traffic inspection, packet payload analysis, basic filtering, raw packet transmitting, and basic network statistics.

However, WinPcap only captures copies of frames and cannot block or modify traffic, so it cannot be used for firewalling, and it sees raw frames only, so it cannot analyze application-level connections. In addition, the pcap filtering language (BPF) matches header fields and is not designed to classify packets by application protocol, so if this is a priority you will have to add a deep packet inspection library.

Both NDIS and WFP can be used for firewalling, but only NDIS works on XP and older operating systems, and there it means an NDIS 5.x intermediate driver rather than the NDIS 6.0 filter driver model tested here, which, like WFP, requires Vista or later. WFP is your only option when you need to peer into the plaintext of an IPsec-protected packet, query the identity of the user or application that originally sent a packet, authorize the creation of a socket, or monitor loopback traffic. Microsoft also positions WFP as the replacement for NDIS filter drivers, TDI filters and Winsock LSPs for this kind of filtering, so it is the path Microsoft actively supports for new firewall code.

Source Code

Notes

The original version of WinPcap does not support Windows 10. You should use Win10Pcap instead.

Credits

This article and code would not have been possible without the support of our Windows driver development team and custom development software engineers.
