How does the NPF driver (WinPcap) work?
Good day!
After reading the "WinPcap internals: NPF driver internals" manual several times and doing some research (I looked at what Wireshark sends via DeviceIoControl when setting the packet-capture filter; according to the documentation, WinPcap sends an IOCTL with a BPF structure to the NPF driver to set the filter), I have some questions. For clarity, below are the main diagrams from the WinPcap documentation.
1. Do I understand correctly that NPF only filters traffic that is "captured"?
2. If you implement your own NDIS filter (as in the official Microsoft example from GitHub) and implement packet dropping, will the packets be dropped for the entire system (i.e. applications will not be able to work with the network) or only for applications that dump traffic?