हिन्दी flagहिन्दी  
CLOSE

Suggested:

Windows Filtering Platform

HomeLearnWindows Driver Development Windows Filtering Platform
Updated on 02 Aug, 202518 mins read 20 views

Why WFP?

WFP is a powerful API provided by Microsoft that lets developers hook into the Windows networking stack at multiple layers – from application-level protocols like HTTP to transport-level flows like TCP/IP.

With WFP, you can:

  • Intercept, inspect, block or redirect traffic
  • Filter packets by process, user, port, or protocol
  • Build kernel-mode callouts that see every byte of data
  • Create sophisticated rules in user-mode and update them live

What is WFP?

Windows Filtering Platform (WFP) is a set of user-mode and kernel-mode APIs introduced in Windows Vista and later. It allows software to intercept, inspect, filter, block, modify, or monitor traffic at various points in the Windows networking stack.

You can think of it as a modular firewall framework, but one that's extensible and programmable through:

  • User-mode APIs (Fwpm*)
  • Kernel-mode APIs (Fwps*)
  • Custom callout drivers you write

Why Was WFP Introduced?

Before WFP, developers used:

  • TDI filters (Transport Driver Interface) – deprecated
  • Winsock Layered Service Providers (LSPs) – complex, unstable
  • NDIS Intermediate Drivers – low-level, hard to use

There were fragmented, hard to maintain, and limited in functionality.

WFP unified packet filtering, made it modular and secure, and supported per-app, per-user, per-protocol filtering with system integration.

How WFP Works: Conceptual Model

Here's a textual flow:

[ Application (Chrome.exe) ]
       |
[ Winsock - User Mode ]
       ↓
[ WFP: ALE_CONNECT Layer ]   ← Can inspect app info, user SID
       ↓
[ WFP: Transport Layer ]     ← Can inspect TCP/UDP headers
       ↓
[ WFP: Network Layer ]       ← Can inspect IP/ICMP headers
       ↓
[ WFP: Data-link Layer (NDIS) ]
       ↓
[ NIC Driver → Network ]

WFP sits at multiple layers, and you choose where to attach your driver.

WFP Key Concepts

Layers

Imagine traffic in Windows passing through a stack of checkpoints (called layers). WFP lets you attach your logic to one or more of these layers.

Example of layers:

Layer NameWhat It's For
ALE_AUTH_CONNECT_V4App trying to connect to the internet
INBOUND_TRANSPORT_V4A TCP or UDP packet arriving
OUTBOUND_TRANSPORT_V4A packet being sent
INBOUND_IPPACKET_V4A raw IP packet received
RESOURCE_ASSIGNMENTBefore a connection is even assigned

Each layer gives you different types of information and control.

Filters

Filters are rules that say:

“If traffic looks like this; do something about it.”

They are defined in user mode and describe:

  • Which layer to attach to
  • What conditions must match (like port, IP, protocol)
  • What action to take

Example:

If destination port is 80 AND protocol is TCP → run my callout

You define filters with the Fwpm API* in user mode.

Callouts

Callouts are your custom logic that runs when a filter matches. You write this logic in a kernel-mode driver.

You implement a function (like ClassifyFn) that decides:

  • Should this packet be blocked, allowed, modified, or ignored?

Example use:

Your ClassifyFn might check if a packet contains bad content, and then block it.

Callout = “code”

Filter = "rule"

The Filtering Engine

The Filtering Engine is part of Windows that evaluates all the filters and decides:

  • Should it call a driver?
  • What priority does each rule have?
  • What action does the system?

It lives in kernel-mode and works 24/7.

Think of it as:

A smart traffic cop reading your filter signs and deciding who to stop.

The Base Filtering Engine (BFE)

A user-mode service that helps manage:

  • Filters
  • Callouts
  • Sublayers

It's like the manager behind the scenes.

If BFE is stopped, network traffic may fail completely.

Sublayers

Filters are grouped into sublayers.

Why?

  • To organize them
  • To assign priorities within a group
  • To manage them more easily

Each sublayer can contain many filters.

Sublayers are like folders. Filters are like documents inside.

Contexts & Metadata

When a packet hits your callout, WFP gives you extra info called metadata.

You can access:

  • Source & destination IP addresses
  • Ports
  • App path (e.g., chrome.exe)
  • User SID
  • Timestamps
  • Interface info

You can also flow context if you want to remember something between packets in a connection.

Injection

WFP also lets you:

  • Modify a packet and send it forward
  • Drop it entirely
  • Clone a packet and send a copy somewhere else
  • Create your own packet from scratch and inject it

This is done using APIs like:

  • FwpsInjectNetworkSend*
  • FwpsInjectTransportSend*

Be careful: Injection done wrong can crash the system.

ClassifyFn, NotifyFn, FlowDeleteFn

When you write a WFP driver, your core functions are:

FunctionPurpose
ClassifyFnCalled when a packet matches your filter — this is where the logic happens
NotifyFnCalled when a filter is added or removed
FlowDeleteFnCalled when a network flow ends — for cleanup

1 Filtering Layers

WFP integrates deeply into the networking stack and offers hooks at multiple layers:

LayerExample
ALE (Application Layer Enforcement)Bind, Connect, Accept
Transport LayerTCP/UDP send/receive
Network LayerIP packet send/receive
Data-link Layer(NDIS filter drivers)

Each layer has filtering callouts you can register with.

2 Callouts

Callouts are custom functions (in drivers) that WFP calls when a packet reaches a filtering layer. You register these with the Base Filtering Engine (BFE).

Callouts are typically implemented in kernel-mode via a WFP callout driver.

3 Filtering Engine

The Base Filtering Engine (BFE) is a Windows service that manages filters and performs classification and enforcement based on filters and callouts.

You communicate with BFE from user-mode via the Fwpm API*.

 

Leave a comment

Your email address will not be published. Required fields are marked *

Your experience on this site will be improved by allowing cookies Cookie Policy