Joya Systems

Call Us: 1-877-DEV-KERNEL

NDIS Lightweight Filters

About NDIS Lightweight Filters, Windows Filtering Platform, TDI Filter Drivers

An NDIS Lightweight Filter offers reduced complexity and increased scalability and control over legacy NDIS intermediate (IM) drivers. Rather than requiring both miniport and protocol NDIS interfaces to be implemented, NDIS lightweight filters (LWF) allow developers access to packets as they are processed up and down the Windows networking stack.

Windows Filtering Platform is an alternative filtering platform which allows hooking into the stream and packet processing for the Windows networking stack.

There are no good books on windows networking drivers, or windows filtering platform drivers. However, the Windows® Internals Fifth Edition offers a solid section on the windows networking stack.

Need help with an NDIS LWF driver? See our Windows driver development services or contact us to discuss your project.

Frequently Asked Questions

What is an NDIS Lightweight Filter (LWF) driver?
An NDIS Lightweight Filter is a kernel-mode driver model introduced in Windows Vista that intercepts the Windows networking stack without requiring both miniport and protocol NDIS interfaces to be implemented. LWF drivers insert between the NDIS miniport (network adapter driver) and protocol drivers such as TCP/IP, receiving send and receive indications flowing in both directions. The LWF model replaced the older NDIS Intermediate Driver model for most filtering use cases and offers better scalability, simpler registration, and cleaner lifecycle management.
What is the difference between an NDIS filter driver and a miniport driver?
An NDIS miniport driver represents a network adapter to the operating system — it owns the hardware and services send requests and receive completions at the physical layer. An NDIS Lightweight Filter driver sits above one or more miniport drivers and intercepts the data path between the miniport and protocol drivers; it does not own hardware. A filter driver can inspect, modify, drop, or inject packets but does not need to implement the full miniport interface, which makes it significantly easier to write and maintain.
What are common uses for NDIS LWF drivers?
Common uses include network traffic monitoring and logging, packet filtering for firewall and intrusion detection products, traffic shaping and QoS enforcement, VPN encapsulation below the protocol layer, and bandwidth metering. LWF drivers are well suited for use cases that require examining or modifying packets close to the wire, before the full TCP/IP stack has processed them.
How do NDIS LWF drivers interact with the Windows network stack?
LWF drivers register with NDIS and attach to specific adapters or all adapters on the system. NDIS invokes the filter's send and receive handlers as packets move through the stack, and the filter can complete them early, pass them through, modify them, or inject new packets. Drivers must handle both the send path — from protocol drivers down to the adapter — and the receive path — from the adapter up to the protocol drivers — and must correctly manage NET_BUFFER_LIST chains and NDIS buffer ownership.

Technologies

Developer Tools

  • What our customers say about us?

    Read our customer testimonials to find out why our clients keep returning for their projects.

    View Testimonials