Why all these difficulties, if you can simply install and configure fail2ban or an intrusion detection system if you need heavy artillery. The headache is to write your own solution in the presence of ready-made and time-tested ones.

Do you have an organization's website on Winserver? who looks in the Internet? I sympathize then))
In general, only the required port is opened for entry, the rest is closed. and don't care, let them break.
Usually this is done at the gateway...

You will need to configure WinPCAP, which is an NDIS driver built into the Windows networking stack.
Alternatively, you can try to inject a self-made ws2_32.dll into the process
. Both require extensive system programming experience in C/C++ under the window, as well as reading a ton of MSDN pages in English.

suggestions about WinPCAP, NDIS driver, ws2_32.dll, etc.

It's OK. Difficulties force development.

you were given twice a hint that this direction of the solution is inadequately difficult compared to the goal.
The correct solution is to put a firewall (adequacy here should suggest * nix * OS or ready-made pieces of iron with the necessary functionality) between the Internet and the target server with the application, this firewall will listen to connections and make a decision.
Any version of this solution will be cheaper in terms of cost and time than research in the field of 'how to deal with the fact that microsoft nagovnokodili messed up the network subsystem and standards'
ps microsoft has tools for logging access via rdp, can start with them?

requested type of software - traffic analyzer.
One of the main options for Windows wireshark
is to set up filtering by port and write the stream of packets to disk, then take your time to parse, identify left-handedness and find the conditions for cutting them through the firewall.
I hope the firewall in Windows is able to filter streams according to protocols.