DioIPS

NDIS LWF

NDIS Lightweight Filter (LWF) driver for raw packet inspection at the network adapter level. Captures all inbound and outbound traffic before it reaches the TCP/IP stack.

Separate Driver

The NDIS filter is a separate driver from the main kernel driver. It requires its own installation via netcfg.

Overview

The NDIS filter sits between the network adapter and the protocol drivers, allowing inspection of raw Ethernet frames. Events are pushed to the main driver via IOCTL and displayed in the Network tab.

  • Raw frames — Access to complete Ethernet frames
  • Protocol parsing — IP, TCP, UDP, ICMP, ARP
  • Flow deduplication — 1024-bucket hash table
  • Direction tracking — Inbound vs outbound
  • ARP monitoring — IP→MAC mapping table

Supported Protocols

Protocol   Layer   Information Captured
Ethernet   L2      Source/Dest MAC, EtherType
IPv4       L3      Source/Dest IP, Protocol, TTL
TCP        L4      Source/Dest Port, Flags, Seq/Ack
UDP        L4      Source/Dest Port, Length
ICMP       L3      Type, Code
ARP        L2      Operation, Sender/Target IP+MAC
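Added example, not DioIPS code (the real filter runs in the kernel as an NDIS LWF): a user-mode C parser that pulls the fields in the table above out of a raw Ethernet frame, checking every header length before reading so a truncated or malformed inbound frame cannot cause an out-of-bounds read. `parse_frame`, `frame_info_t` and the `sample_syn` frame are assumed names and constructed data, not the project's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Fields the Supported Protocols table lists, decoded from one raw frame. */
typedef struct {
    uint16_t ethertype, arp_op, src_port, dst_port;
    uint32_t src_ip, dst_ip;          /* host byte order; ARP sender/target for ARP frames */
    uint8_t  ip_proto, ttl, tcp_flags, icmp_type, icmp_code;
} frame_info_t;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Returns 0 on success, -1 if any header is truncated. Every bound is checked before the
 * bytes are read: a filter parsing untrusted inbound frames must never read past the frame. */
int parse_frame(const uint8_t *f, size_t len, frame_info_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < 14) return -1;                          /* Ethernet II header */
    out->ethertype = rd16(f + 12);
    const uint8_t *p = f + 14; size_t rem = len - 14;
    if (out->ethertype == 0x0806) {                   /* ARP: 28-byte IPv4-over-Ethernet body */
        if (rem < 28) return -1;
        out->arp_op = rd16(p + 6);
        out->src_ip = rd32(p + 14); out->dst_ip = rd32(p + 24);   /* sender / target IP */
        return 0;
    }
    if (out->ethertype != 0x0800) return 0;           /* not IPv4: report L2 fields only */
    if (rem < 20 || (p[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;           /* IHL covers any IP options */
    if (ihl < 20 || rem < ihl) return -1;
    out->ttl = p[8]; out->ip_proto = p[9];
    out->src_ip = rd32(p + 12); out->dst_ip = rd32(p + 16);
    const uint8_t *l4 = p + ihl; rem -= ihl;
    switch (out->ip_proto) {
    case 6:  if (rem < 20) return -1;                 /* TCP: ports and flag byte */
             out->src_port = rd16(l4); out->dst_port = rd16(l4 + 2); out->tcp_flags = l4[13]; break;
    case 17: if (rem < 8) return -1;                  /* UDP: ports */
             out->src_port = rd16(l4); out->dst_port = rd16(l4 + 2); break;
    case 1:  if (rem < 4) return -1;                  /* ICMP: type, code */
             out->icmp_type = l4[0]; out->icmp_code = l4[1]; break;
    }
    return 0;
}

/* Constructed sample (not a capture): TCP SYN 192.168.1.10:49152 -> 10.0.0.1:80, TTL 64. */
const uint8_t sample_syn[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,            /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00, 0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x01, /* IPv4 */
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00 }; /* TCP */
```

Feeding the same frame with a shortened length (for example 40 bytes) makes `parse_frame` return -1 instead of reading the missing TCP header, which is the behaviour an inline filter needs.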

Architecture

┌─────────────────────────────────────┐
│         User Applications           │
├─────────────────────────────────────┤
│           TCP/IP Stack              │
├─────────────────────────────────────┤
│    DioIPS NDIS Filter (LWF)  ◄──────┼── Packet inspection here
├─────────────────────────────────────┤
│         Network Adapter             │
└─────────────────────────────────────┘

Usage

  1. Install the NDIS filter driver (see Build & Sign)
  2. Start the DioIPS application
  3. Navigate to the Network tab
  4. NDIS events appear alongside WFP events
  5. Use filters to focus on specific protocols or IPs