WFP Network
Windows Filtering Platform
Network traffic monitoring via Windows Filtering Platform callouts.
Overview
WFP provides kernel-level network filtering with process attribution. Unlike NDIS, which sees raw packets, WFP operates at the transport layer and knows which process owns each connection.
Supported Protocols
| Protocol | Information Captured |
|---|---|
| TCP | Source/Dest IP, Port, Process, Direction |
| UDP | Source/Dest IP, Port, Process, Direction |
| DNS | Query domain, Response IPs, Process |
| ICMP | Type, Code, Source/Dest IP |
WFP Layers
DioIPS registers callouts at the following WFP layers:
- FWPM_LAYER_ALE_AUTH_CONNECT_V4 — Outbound connections
- FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 — Inbound connections
- FWPM_LAYER_OUTBOUND_TRANSPORT_V4 — Outbound packets
- FWPM_LAYER_INBOUND_TRANSPORT_V4 — Inbound packets
Captured Information
- Process — PID and name of the owning process
- Local — Local IP address and port
- Remote — Remote IP address and port
- Protocol — TCP, UDP, ICMP
- Direction — Inbound or outbound
- DNS — Domain name for DNS queries
UI Features
- Network tab — View all network events
- Protocol filter — Filter by TCP, UDP, DNS, ICMP
- IP filter — Focus on specific IP addresses
- Port filter — Filter by port number
- Process filter — See network activity by process
- DNS view — See domain names being resolved
IPS Rule Examples
IP: 192.168.1.* | Action: Log
Port: 4444 | Action: Block
DNS: *.malware.com | Action: Alert
Process: powershell.exe | Port: 443 | Action: Log
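To show how rules in the format above can be evaluated against the captured fields (process, local/remote IP and port, DNS name), here is an added example rule parser and matcher; it is not DioIPS code, and its matching semantics (all fields of a rule AND-ed together, shell-style wildcards for IP and DNS, IP and Port matched against either endpoint) are assumptions.

```python
import fnmatch

# Rule lines from the page; the matching semantics below (AND of all fields,
# shell-style wildcards, either endpoint for IP/Port) are assumptions.
RULES = """\
IP: 192.168.1.* | Action: Log
Port: 4444 | Action: Block
DNS: *.malware.com | Action: Alert
Process: powershell.exe | Port: 443 | Action: Log
"""

def parse_rule(line):
    """Parse 'Field: value | ... | Action: X' into ({field: value}, action)."""
    conds, action = {}, None
    for part in line.split("|"):
        key, _, value = part.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not key or not value:
            raise ValueError(f"malformed rule part: {part!r}")
        if key == "action":
            action = value
        else:
            conds[key] = value
    if action is None or not conds:
        raise ValueError(f"rule needs a condition and an Action: {line!r}")
    return conds, action

def parse_rules(text):
    return [parse_rule(line) for line in text.splitlines() if line.strip()]

def event_matches(conds, event):
    """Every field of the rule must match the captured event (logical AND)."""
    for field, pattern in conds.items():
        if field == "ip":      # wildcard against local or remote address
            hit = any(fnmatch.fnmatchcase(event.get(k, ""), pattern)
                      for k in ("local_ip", "remote_ip"))
        elif field == "port":  # exact match on either endpoint's port
            hit = any(str(event.get(k, "")) == pattern
                      for k in ("local_port", "remote_port"))
        elif field == "dns":   # case-insensitive wildcard on the queried name
            hit = fnmatch.fnmatchcase(event.get("dns", "").lower(), pattern.lower())
        elif field == "process":
            hit = event.get("process", "").lower() == pattern.lower()
        else:
            raise ValueError(f"unknown rule field {field!r}")
        if not hit:
            return False
    return True

def evaluate(rules, event):
    """Actions of every rule the event satisfies, in rule order."""
    return [action for conds, action in rules if event_matches(conds, event)]
```

An event is a dict with the captured fields (`process`, `local_ip`, `local_port`, `remote_ip`, `remote_port`, `protocol`, and `dns` for DNS queries); a non-DNS event never matches a DNS rule because its queried name is empty.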