Windows Filtering Platform
About Windows Filtering Platform, TDI Filter Drivers
The Windows Filtering Platform allows driver developers to filter networking events for both streams and packets as they flow up and down the Windows networking stack. Microsoft TDI device drivers are a legacy mechanism for filtering network traffic above the packet level. TDI filters were once the preferred mechanism for intercepting layer 4 traffic for TCP streams and UDP messages. However, Windows driver developers should now use the Windows Filtering Platform to intercept network connections, transform network streams, and process network packets.
There are no good books on Windows networking drivers or Windows Filtering Platform drivers. However, Windows® Internals, Fifth Edition offers a solid section on the Windows networking stack.
Frequently Asked Questions
- What is the Windows Filtering Platform (WFP)?
- The Windows Filtering Platform is a set of kernel-mode and user-mode APIs introduced in Windows Vista that allows software to intercept and inspect network traffic at multiple well-defined layers of the TCP/IP stack. WFP replaced the legacy TDI filter driver model and provides a layered architecture spanning IP, TCP, UDP, and application-layer streams. Microsoft's own Windows Defender Firewall and most commercial endpoint security products use WFP as their network interception foundation.
- What is a WFP callout driver?
- A WFP callout driver is a kernel-mode driver that registers one or more callout functions with the WFP engine. When traffic reaches a filtering layer where the callout is registered, WFP invokes the callout's classify function with packet metadata and, for stream-level callouts, the stream data itself. The callout can then permit, block, redirect, or modify the traffic. Callout drivers are necessary when filtering logic requires direct access to packet content or must make decisions that WFP's built-in filter conditions cannot express on their own.
- How does WFP differ from NDIS for network filtering?
- NDIS Lightweight Filter drivers operate at the packet level just above the network adapter, before TCP/IP has processed the data. WFP operates inside the TCP/IP stack at multiple layers simultaneously, giving access to connection state, flow context, process identity, and reassembled stream data that are not visible at the NDIS level. For most firewall and security use cases WFP is the better choice because of the richer context it provides per packet or connection.
- What security products use WFP?
- Windows Defender Firewall uses WFP as its core interception mechanism. Most commercial endpoint security products — including antivirus suites, EDR platforms, host intrusion prevention systems, and VPN clients — use WFP callout drivers for their network monitoring and filtering components. The combination of kernel-mode performance, multiple filtering layers, and process-level attribution has made WFP the standard for Windows network security software.
- Can WFP be used for VPN development?
- Yes. WFP is used by many VPN products to intercept and redirect IP traffic before it leaves the host. The platform's redirection capabilities allow a VPN client to capture packets destined for an external address, encapsulate them, and route them through a tunnel interface, all within the kernel. WFP's flow context feature also makes it practical to track session state across large numbers of concurrent connections efficiently.
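
The classify step from the callout driver answer above, as an added user-mode model (not code from the original page and not the WDK's own definitions). The names `verdict`, `flow_meta`, `filter`, `engine_classify` and `tls_only_classify` are hypothetical stand-ins for the metadata and result structures a real stream-layer callout receives. The policy shown (permit port 443 only when the stream opens with a TLS handshake record) is an assumed example of a decision that depends on stream content.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for what WFP hands a stream-layer callout. */
typedef enum { ACT_PERMIT, ACT_BLOCK, ACT_NEED_MORE_DATA } verdict;
typedef struct { uint32_t pid; uint16_t remote_port; } flow_meta;
typedef verdict (*classify_fn)(const flow_meta *m, const uint8_t *data, size_t len);
typedef struct { uint16_t match_port; classify_fn callout; } filter;

/* Callout: on a flow the filter matched, allow only streams that open with a
 * TLS handshake record (type 0x16, major version 0x03). This depends on
 * payload bytes, so a port or address condition alone cannot express it. */
static verdict tls_only_classify(const flow_meta *m, const uint8_t *data, size_t len)
{
    (void)m;                         /* process identity is available but unused here */
    if (len < 2)
        return ACT_NEED_MORE_DATA;   /* do not guess on a short first segment */
    return (data[0] == 0x16 && data[1] == 0x03) ? ACT_PERMIT : ACT_BLOCK;
}

/* Model of the engine at one layer: the built-in condition (remote port)
 * selects the filter, then the registered callout makes the decision. */
verdict engine_classify(const filter *f, size_t n, const flow_meta *m,
                        const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < n; i++)
        if (f[i].match_port == m->remote_port)
            return f[i].callout(m, data, len);
    return ACT_PERMIT;               /* in this model, no matching filter means permit */
}

static const filter FILTERS[] = { { 443, tls_only_classify } };

verdict classify_sample(uint16_t port, const uint8_t *data, size_t len)
{
    flow_meta m = { 4242 /* constructed PID */, port };
    return engine_classify(FILTERS, 1, &m, data, len);
}

int main(void)
{
    const uint8_t hello[] = { 0x16, 0x03, 0x01, 0x02, 0x00 }; /* constructed */
    const uint8_t plain[] = "GET / HTTP/1.1\r\n";             /* constructed */
    printf("tls on 443:   %d\n", classify_sample(443, hello, sizeof hello));
    printf("plain on 443: %d\n", classify_sample(443, plain, sizeof plain - 1));
    printf("plain on 80:  %d\n", classify_sample(80, plain, sizeof plain - 1));
    return 0;
}
```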