Packet Inspection
NDIS LWF (lightweight filter): raw Ethernet frame parsing with protocol analysis at the network adapter level.
Overview
The NDIS lightweight filter sits below the TCP/IP stack and captures raw Ethernet frames before the stack processes them. This gives visibility into all traffic on the adapter, including non-IP protocols such as ARP that the WFP (Windows Filtering Platform) layer never sees.
Protocol Parsing
| Layer | Protocol | Fields Parsed |
|---|---|---|
| L2 | Ethernet | Source MAC, Dest MAC, EtherType |
| L2 | ARP | Operation, Sender/Target IP+MAC |
| L3 | IPv4 | Source IP, Dest IP, Protocol, TTL, Flags |
| L4 | TCP | Source Port, Dest Port, Flags, Seq, Ack |
| L4 | UDP | Source Port, Dest Port, Length |
| L3 | ICMP | Type, Code, Checksum |
Flow Deduplication
To reduce event volume, the NDIS filter deduplicates flows with a 1024-bucket hash table: only the first packet of each unique flow is reported, and later packets of the same flow generate no event.
Flow Key
`hash(SrcIP, DstIP, SrcPort, DstPort, Protocol)`
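The following user-mode C is an added illustration, not the project's own driver code, of how the parsing table above and the 1024-bucket flow deduplication fit together: it walks Ethernet, IPv4 and TCP/UDP headers with a length check before every read, derives the five-tuple key, and reports only the first packet of each flow. The hash function (FNV-1a), the overwrite-on-collision policy, the sample frame and the function names are all assumptions of this example; the page specifies only the key fields and the bucket count.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FLOW_BUCKETS 1024          /* matches the 1024-bucket table described above */
#define ETHERTYPE_IPV4 0x0800
#define PROTO_TCP 6
#define PROTO_UDP 17

/* The 5-tuple flow key from the page: hash(SrcIP, DstIP, SrcPort, DstPort, Protocol). */
typedef struct {
    uint32_t src_ip, dst_ip;       /* host byte order */
    uint16_t src_port, dst_port;   /* 0 for protocols without ports (e.g. ICMP) */
    uint8_t  proto;
} flow_key_t;

typedef struct { flow_key_t key; int used; } flow_slot_t;

static flow_slot_t g_flows[FLOW_BUCKETS];

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk Ethernet -> IPv4 -> TCP/UDP and fill the flow key.
 * Returns 0 for non-IPv4 frames (ARP etc.) and for frames too short to hold the fields read:
 * every length check precedes the read, because a malformed frame must never over-read in a filter driver. */
int parse_flow_key(const uint8_t *frame, size_t len, flow_key_t *key)
{
    if (len < 14 || rd16(frame + 12) != ETHERTYPE_IPV4) return 0;
    const uint8_t *ip = frame + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;           /* header length incl. options */
    if (ihl < 20 || iplen < ihl) return 0;
    memset(key, 0, sizeof *key);
    key->proto  = ip[9];
    key->src_ip = rd32(ip + 12);
    key->dst_ip = rd32(ip + 16);
    if (key->proto == PROTO_TCP || key->proto == PROTO_UDP) {
        if (iplen < ihl + 4) return 0;                  /* need both port fields */
        key->src_port = rd16(ip + ihl);
        key->dst_port = rd16(ip + ihl + 2);
    }
    return 1;
}

static void fnv1a(uint32_t *h, const void *data, size_t n)
{
    const uint8_t *p = (const uint8_t *)data;
    for (size_t i = 0; i < n; i++) { *h ^= p[i]; *h *= 16777619u; }
}

/* Bucket index for a flow: FNV-1a over the five fields (assumed hash; the page names none), masked to 1024. */
uint32_t flow_bucket(const flow_key_t *k)
{
    uint32_t h = 2166136261u;
    fnv1a(&h, &k->src_ip, sizeof k->src_ip);
    fnv1a(&h, &k->dst_ip, sizeof k->dst_ip);
    fnv1a(&h, &k->src_port, sizeof k->src_port);
    fnv1a(&h, &k->dst_port, sizeof k->dst_port);
    fnv1a(&h, &k->proto, sizeof k->proto);
    return h & (FLOW_BUCKETS - 1);
}

static int key_equal(const flow_key_t *a, const flow_key_t *b)
{
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port && a->proto == b->proto;
}

void flow_table_reset(void) { memset(g_flows, 0, sizeof g_flows); }

/* Returns 1 if the frame should be reported (first packet of a flow, or a frame that is not IPv4 such as ARP),
 * 0 if its flow has already been seen. Collision policy (assumed): a different flow landing in an occupied
 * bucket overwrites it, so an evicted flow is reported again on its next packet rather than silently lost. */
int should_report(const uint8_t *frame, size_t len)
{
    flow_key_t key;
    if (!parse_flow_key(frame, len, &key)) return 1;
    flow_slot_t *slot = &g_flows[flow_bucket(&key)];
    if (slot->used && key_equal(&slot->key, &key)) return 0;
    slot->key = key;
    slot->used = 1;
    return 1;
}

/* Constructed sample: TCP SYN 10.0.0.5:49152 -> 10.0.0.1:443 (checksums left zero; not validated here). */
const uint8_t SAMPLE_TCP_SYN[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,   /* Ethernet: dst, src, type */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,             /* IPv4, TTL 64, proto 6 */
    0x0a,0x00,0x00,0x05, 0x0a,0x00,0x00,0x01,                                  /* src 10.0.0.5, dst 10.0.0.1 */
    0xc0,0x00, 0x01,0xbb, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,            /* TCP ports, seq, ack */
    0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00 };                               /* data offset 5, SYN */

int main(void)
{
    flow_table_reset();
    printf("first packet reported: %d\n", should_report(SAMPLE_TCP_SYN, sizeof SAMPLE_TCP_SYN));
    printf("repeat reported:       %d\n", should_report(SAMPLE_TCP_SYN, sizeof SAMPLE_TCP_SYN));
    return 0;
}
```

Two properties of this design matter when reading the resulting events: a flow that changes behaviour after its first packet produces no further NDIS events, and with only 1024 buckets a busy host will see collisions, so the collision policy decides whether the cost is a duplicate report (as here) or a missed one.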
Direction Tracking
- Inbound: packets received from the network, heading to the TCP/IP stack
- Outbound: packets sent from the TCP/IP stack, heading to the network
UI Features
- Network tab — NDIS events appear alongside WFP events
- Source filter — Filter by NDIS vs WFP source
- Protocol filter — Filter by protocol type
- MAC address view — See L2 addressing
- Direction filter — Inbound vs outbound
NDIS vs WFP
| Feature | NDIS | WFP |
|---|---|---|
| Layer | L2 (Ethernet) | L3/L4 (IP/Transport) |
| Process info | No | Yes |
| ARP visibility | Yes | No |
| MAC addresses | Yes | No |