[Winpcap-users] packet redirection
Guy Harris
guy at alum.mit.edu
Wed Sep 14 17:53:34 GMT 2005
Alex Narinsky wrote:
> That is a very interesting discussion. As a user, I am not getting the
> definite conclusion yet.
>
> So far, winpcap cannot work as a firewall. Will it be possible with
> future modifications to use winpcap for building a firewall even with a
> performance drawback? In other words, would it be possible to protect
> sensible applications from undesired packets?
What do you mean by "protect"?

WinPcap currently uses an NDIS transport driver, which means that a
packet that arrives as input is handed to the driver - but it's also
separately handed to the rest of the network stack, and the copy handed
to them does *not* pass through WinPcap, so WinPcap cannot insert itself
into the network stack's input path.

If it were to use an NDIS intermediate driver, it could do so. However,
I don't know whether it could function as a Windows port of libpcap if
it were to use an NDIS intermediate driver; if it could not, then making
it use an NDIS intermediate driver would be a pointless exercise, as the
*raison d'etre* of WinPcap is to be a Windows port of libpcap and to
support applications of the sort that would use libpcap.

Note that "functioning as a Windows port of libpcap" includes allowing
an application to function as a passive tap, without having to pass on
any packets to the rest of the networking stack.

As far as I know, the mechanisms used on various UN*Xes to implement
firewalls, etc. are separate from the mechanisms used to implement
packet capture with libpcap, etc. Perhaps the same should be the case
on Windows, with a library and driver, *separate* from WinPcap's library
and driver. (The various Linux and BSD mechanisms - ipf, pf, and ipfw -
appear to do the filtering in the kernel, with the policies parsed in
userland and entered into the kernel with ioctls. I don't know if
there's a filtering mechanism that does the filtering in userland, and I
didn't check whether any of them support, as one of the packet actions,
"communicate with a userland daemon".)