Windows WFP driver for packet policy and traffic collection
An established network-security vendor needed Windows endpoint support for a product that controlled how far data could travel. Joya Systems built the WFP driver, agent integration, installation tooling, and certification support that made it ship.
Platforms
- Windows client x64
- Windows Server x64
Services
- WFP driver development
- Packet capture
- Service integration
- Certification support
The challenge
The existing product model depended on controlling outbound packet behavior and collecting raw traffic data. The Windows implementation had to support IPv4 and IPv6, match policy by flow, coexist with security software, run on client and server SKUs, and pass Microsoft certification.
What we built
We implemented a Windows Filtering Platform callout driver that matched outbound traffic by policy and rewrote TTL values before the packets left the machine. The policy path supported practical 5-tuple matching rather than a narrow prototype case.
We added asynchronous packet capture for inbound and outbound traffic and connected that data path to a user-mode agent. The collector integration reused the product team's existing model while accounting for Windows-specific packet delivery and buffering rules.
The engagement also covered a user service, configuration utility, PowerShell install flow, coexistence testing with Windows Defender, EC2 logging validation, and Microsoft HCT certification work.
Project outcome
- Passed Microsoft HCT certification and shipped the product on both Windows and Windows Server x64 endpoints.
- Shipped packet-policy enforcement and raw IPv4/IPv6 capture in a single driver-backed data path instead of two components.
- Delivered the full production surface — user service, config app, PowerShell installer, and Defender coexistence testing — not just a kernel proof of concept.
Technical takeaway
For network security products, Windows support is rarely just a port. The packet path, service boundary, installer, and certification plan all need to be designed together.
Working on something similar?
If your team is building in this area — a driver, kernel module, packet path, file system filter, security sensor, or certification plan — start with a technical conversation, not a sales call. Contact Joya Systems and describe the product, platform, and current state of the code.
Related case studies
- Kernel network monitoring for an endpoint security sensor
- FreeBSD TCP acceleration ported to Windows NDIS
Frequently asked questions
Can a WFP callout driver rewrite packet fields like TTL before traffic leaves the machine?
Yes. A WFP callout registered at an outbound layer is handed each matching packet in its classify function, where it can modify fields such as TTL and then reinject the packet, for both IPv4 and IPv6. The work that makes this production-grade is policy matching by flow, coexistence with other security software, and passing Microsoft certification — not the rewrite itself.
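As an added illustration, not code from Joya Systems' driver or from this case study: the header edit the classify function performs, written as plain C over a raw IP header buffer so it runs in user mode. The WFP registration, classify callback signature and reinjection call are left out; the sample header is constructed, and the RFC 1624 incremental checksum update is the standard fix-up for an IPv4 TTL change.

```c
#include <stdint.h>
#include <string.h>
/* Constructed sample (not captured traffic): IPv4 header, TTL 0x40, TCP, checksum 0xb1e6. */
static const uint8_t SAMPLE_IPV4[20] = {
    0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06, 0xb1, 0xe6,
    0xac, 0x10, 0x0a, 0x63, 0xac, 0x10, 0x0a, 0x0c };
/* Fold a 32-bit ones' complement running sum back into 16 bits. */
static uint32_t fold16(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return s; }
/* RFC 1624 incremental update HC' = ~(~HC + ~m + m') for the one 16-bit word that
 * changed, so a per-packet callout does not re-sum the whole header. */
static uint16_t csum_update16(uint16_t hc, uint16_t m, uint16_t m_new)
{
    return (uint16_t)~fold16((uint16_t)~hc + (uint16_t)~m + (uint32_t)m_new);
}
/* Full recomputation, used to verify the incremental result: a valid IPv4 header
 * (checksum field included) sums to 0xffff in ones' complement. */
int ipv4_header_checksum_ok(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    size_t ihl = len < 20 ? 0 : (size_t)(hdr[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return 0;
    for (size_t i = 0; i < ihl; i += 2) sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    return fold16(sum) == 0xffff;
}
/* The edit a classify callout applies before reinjecting: set TTL (IPv4, fixing the
 * header checksum) or hop limit (IPv6, which has no header checksum). Returns 1 on
 * success, 0 for a short buffer or a non-IP header, in which case nothing is modified. */
int rewrite_ttl(uint8_t *pkt, size_t len, uint8_t new_ttl)
{
    if (len >= 20 && (pkt[0] >> 4) == 4) {
        uint16_t old_word = (uint16_t)((pkt[8] << 8) | pkt[9]);   /* TTL | protocol */
        uint16_t new_word = (uint16_t)((new_ttl << 8) | pkt[9]);
        uint16_t hc = csum_update16((uint16_t)((pkt[10] << 8) | pkt[11]), old_word, new_word);
        pkt[8] = new_ttl; pkt[10] = (uint8_t)(hc >> 8); pkt[11] = (uint8_t)hc;
        return 1;
    }
    if (len >= 40 && (pkt[0] >> 4) == 6) { pkt[7] = new_ttl; return 1; }
    return 0;
}
struct rewrite_result { int ok; uint8_t ttl; uint16_t csum; int csum_valid; };
/* Applies rewrite_ttl to a copy of SAMPLE_IPV4 and reports the outcome. */
struct rewrite_result demo_ipv4(uint8_t new_ttl)
{
    uint8_t pkt[20]; struct rewrite_result r;
    memcpy(pkt, SAMPLE_IPV4, sizeof pkt);
    r.ok = rewrite_ttl(pkt, sizeof pkt, new_ttl); r.ttl = pkt[8];
    r.csum = (uint16_t)((pkt[10] << 8) | pkt[11]);
    r.csum_valid = ipv4_header_checksum_ok(pkt, sizeof pkt);
    return r;
}
```

The full recomputation is the check worth keeping in a test harness: a TTL change without the checksum fix-up leaves a header that any receiver validating it will discard, which looks like a policy failure rather than a checksum bug.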
What does it actually take to ship a Windows packet-filtering driver to production?
Beyond the callout driver you need a user-mode service to own policy, a configuration utility, a reliable installer, coexistence testing against products like Windows Defender, and a certification path (HCT/HLK). Joya Systems delivered all of these together so the vendor could ship on client and server SKUs.