Computer networks
slinkinone, 2018-12-09 18:38:30

Windows Filter Driver (Network) - is it possible to filter only on capturing mode?

Hello!
I'm learning driver development for Windows. There was a question concerning the network filtering driver. As far as I understand, it is possible to intercept packets in kernel mode and make a decision about their future - drop or send/receive in accordance with the specified filter.
Applications can send/receive packets themselves, but they can also monitor the interface (capturing mode).
Capture is done by "writing to disk" as opposed to "talk mode" where packets are stored in virtual memory. You can look at the second illustration here, or just run the same Wireshark in debug mode and look at the pcap_t structure and where it dumps data when it is captured.
The question is whether it is possible to set a filter ONLY for capturing packets at the driver level (let's say dumpcap.exe started capturing, and the driver filter does not dump all packets into the file, but only selective ones).
