Packet Capture
WFPRing 0Windows Filtering Platform (WFP) based packet capture with per-process filtering, real-time monitoring, and packet injection capabilities.
Kernel Component Required
Overview
The packet capture system provides comprehensive network monitoring capabilities through Windows Filtering Platform integration. It captures TCP/UDP packets for specific processes, applies filtering rules, and enables packet analysis and manipulation.
Architecture
System Components
Kernel Layer (WFP)
WFP callouts intercept packets at the network stack. Implements filtering logic and manages a 10,000 packet ring buffer for high-performance capture.
Usermode Layer (Rust)
IOCTL interface communicates with the driver. Provides packet storage, PCAP export, and packet injection capabilities.
UI Layer (Dioxus)
Real-time packet display with filtering, editing, and management features. Includes packet library with search and tagging.
WFP Callout Registration
The kernel driver registers WFP callouts for inbound and outbound traffic at the FWPM_LAYER_ALE_AUTH_CONNECT_V4 and FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 layers.
// WFP Callout Functions
void NTAPI WfpClassifyOutbound(
_In_ const FWPS_INCOMING_VALUES0* inFixedValues,
_In_ const FWPS_INCOMING_METADATA_VALUES0* inMetaValues,
_Inout_opt_ void* layerData,
_In_opt_ const void* classifyContext,
_In_ const FWPS_FILTER0* filter,
_In_ UINT64 flowContext,
_Inout_ FWPS_CLASSIFY_OUT0* classifyOut
);
void NTAPI WfpClassifyInbound(
// Same parameters as outbound
);Packet Processing Pipeline
1. Packet intercepted by WFP callout
2. Process ID verification against target PID
3. Filter rule evaluation (allow/block)
4. Packet metadata extraction
5. Storage in ring buffer (FIFO, 10K capacity)
6. Drop counting when buffer overflow occurs
Data Structures
// Captured Packet Structure
#pragma pack(push, 1)
struct CapturedPacket
{
UINT64 Id; // Unique packet identifier
UINT64 Timestamp; // Windows FILETIME
UINT32 ProcessId; // Target process ID
PacketDirection Direction; // Inbound/Outbound
PacketProtocol Protocol; // TCP/UDP
UINT32 LocalAddr; // Local IP address
UINT16 LocalPort; // Local port
UINT32 RemoteAddr; // Remote IP address
UINT16 RemotePort; // Remote port
UINT16 PayloadSize; // Payload data size
UINT8 Payload[MAX_PACKET_PAYLOAD_SIZE]; // Packet data (1500 bytes)
};
#pragma pack(pop)
// Filter Rule Structure
struct PacketFilterRule
{
BOOLEAN Enabled;
PacketFilterAction Action; // Allow/Block
UINT16 Port; // 0 = any port
UINT32 IpAddress; // 0 = any IP
PacketProtocol Protocol; // TCP/UDP
};IOCTL Interface
// Packet Capture IOCTLs
#define IOCTL_DIOPROCESS_PACKET_START_CAPTURE 0x00222400
#define IOCTL_DIOPROCESS_PACKET_STOP_CAPTURE 0x00222404
#define IOCTL_DIOPROCESS_PACKET_GET_PACKETS 0x00222408
#define IOCTL_DIOPROCESS_PACKET_INJECT 0x0022240C
#define IOCTL_DIOPROCESS_PACKET_ADD_FILTER 0x00222410
#define IOCTL_DIOPROCESS_PACKET_REMOVE_FILTER 0x00222414
#define IOCTL_DIOPROCESS_PACKET_CLEAR_FILTERS 0x00222418
#define IOCTL_DIOPROCESS_PACKET_CLEAR_BUFFER 0x0022241C
#define IOCTL_DIOPROCESS_PACKET_GET_STATE 0x00222420UI Features
Capture Controls
- • Start/stop capture by PID
- • Real-time packet counter
- • Auto-scroll toggle
- • Clear buffer option
Filter Management
- • Add port-based filters
- • Allow/block actions
- • Visual filter tags
- • Clear all filters
Packet Operations
- • Hex/ASCII editing
- • Single/loop resend
- • Configurable intervals
- • Send status feedback
Packet Library
- • Save with metadata
- • Tag-based organization
- • Full-text search
- • .dpp import/export
Security Considerations
Network Interception
Privacy: Captured packets contain unencrypted network data.
Permissions: Requires administrator privileges for kernel driver access.
Storage: Packet data is stored in plaintext in SQLite database.
Network: Packet injection can generate network traffic from the host.