Updated on 02 Aug, 2025

Why WFP?

WFP is a powerful API provided by Microsoft that lets developers hook into the Windows networking stack at multiple layers – from application-level protocols like HTTP to transport-level flows like TCP/IP.

With WFP, you can:

  • Intercept, inspect, block or redirect traffic
  • Filter packets by process, user, port, or protocol
  • Build kernel-mode callouts that see every byte of data
  • Create sophisticated rules in user-mode and update them live

What is WFP?

Windows Filtering Platform (WFP) is a set of user-mode and kernel-mode APIs introduced in Windows Vista and available in every later version of Windows. It allows software to intercept, inspect, filter, block, modify, or monitor traffic at various points in the Windows networking stack.

You can think of it as a modular firewall framework, but one that's extensible and programmable through:

  • User-mode APIs (Fwpm*)
  • Kernel-mode APIs (Fwps*)
  • Custom callout drivers you write

Why Was WFP Introduced?

Before WFP, developers used:

  • TDI filters (Transport Driver Interface) – deprecated
  • Winsock Layered Service Providers (LSPs) – complex, unstable
  • NDIS Intermediate Drivers – low-level, hard to use

These were fragmented, hard to maintain, and limited in functionality.

WFP unified packet filtering, made it modular and secure, and supported per-app, per-user, per-protocol filtering with system integration.

How WFP Works: Conceptual Model

Here's a textual flow:

[ Application (Chrome.exe) ]
       ↓
[ Winsock - User Mode ]
       ↓
[ WFP: ALE_CONNECT Layer ]   ← Can inspect app info, user SID
       ↓
[ WFP: Transport Layer ]     ← Can inspect TCP/UDP headers
       ↓
[ WFP: Network Layer ]       ← Can inspect IP/ICMP headers
       ↓
[ WFP: Data-link Layer (NDIS) ]
       ↓
[ NIC Driver → Network ]

WFP sits at multiple layers, and you choose where to attach your driver.

WFP Key Concepts

1. Filtering Layers

WFP integrates deeply into the networking stack and offers hooks at multiple layers:

Layer                                  Example
ALE (Application Layer Enforcement)    Bind, Connect, Accept
Transport Layer                        TCP/UDP send/receive
Network Layer                          IP packet send/receive
Data-link Layer                        (NDIS filter drivers)

Each layer has filtering callouts you can register with.

2. Callouts

Callouts are custom functions (in drivers) that WFP calls when a packet reaches a filtering layer. You register these with the Base Filtering Engine (BFE).

Callouts are typically implemented in kernel-mode via a WFP callout driver.

3. Filtering Engine

The Base Filtering Engine (BFE) is a Windows service that manages filters and performs classification and enforcement based on filters and callouts.

You communicate with BFE from user-mode via the Fwpm* API.
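An added example, not from the original post: the script below asks the Base Filtering Engine for its current filter set (through netsh wfp rather than the Fwpm* API directly), groups the filters by the layers described above, and lists the ones that hand classification to a kernel callout, which is what an administrator auditing the BFE state wants to see. It assumes an elevated session and the XML element names that netsh wfp show filters emits (filters/item with layerKey, subLayerKey, displayData/name, action/type, action/calloutKey, providerKey); adjust those if your build's dump differs.

```powershell
# Added example (not from the original post): inventory the filters registered
# with the Base Filtering Engine, grouped by WFP layer, and point out which
# ones delegate classification to a callout driver.
# Assumptions: elevated PowerShell on a Windows build that ships 'netsh wfp',
# and XML element names as emitted by 'netsh wfp show filters'
# (filters/item/layerKey, subLayerKey, action/type, action/calloutKey, providerKey).

#Requires -RunAsAdministrator

$dump = Join-Path $env:TEMP 'wfp-filters.xml'
# BFE only exposes this view to elevated callers; netsh writes the XML to a file.
netsh wfp show filters file="$dump" | Out-Null
if (-not (Test-Path -LiteralPath $dump)) { throw "netsh wfp produced no output at $dump" }

[xml]$doc = Get-Content -LiteralPath $dump -Raw
$filters = $doc.filters.item

$summary = $filters | ForEach-Object {
    [pscustomobject]@{
        Layer    = $_.layerKey                 # e.g. FWPM_LAYER_ALE_AUTH_CONNECT_V4
        SubLayer = $_.subLayerKey
        Name     = $_.displayData.name
        Action   = $_.action.type              # FWP_ACTION_PERMIT / BLOCK / CALLOUT_*
        # Present only for callout actions: the GUID of the kernel (Fwps*)
        # callout that will classify traffic at this layer.
        Callout  = $_.action.calloutKey
        Provider = $_.providerKey
    }
}

# 1. How much filtering is attached at each layer (ALE, transport, network, ...).
$summary | Group-Object Layer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Filters that delegate to a callout driver: the callout sees every byte at
#    that layer, so map each one to the provider that registered it.
$summary | Where-Object { $_.Action -like 'FWP_ACTION_CALLOUT*' } |
    Sort-Object Layer, Name |
    Format-Table Layer, Name, Callout, Provider -AutoSize

# 3. Filters registered without a provider cannot be traced to an installed
#    product; listing them makes the audit of BFE state easier to review.
$summary | Where-Object { [string]::IsNullOrEmpty($_.Provider) } |
    Format-Table Layer, Name, Action -AutoSize

Remove-Item -LiteralPath $dump -ErrorAction SilentlyContinue
```

The same information is what FwpmFilterEnum0 returns to a user-mode Fwpm* client; netsh is used here only so the output can be inspected without writing code against the engine.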
