I have always wondered how software firewalls work under the covers, and would like to be able to write my own custom tools to analyze or intercept packets before they are sent or received by the OS. I'm fairly acquainted with core networking principles; I just have no clue where to start if I want to write software that fits inside the networking stack similar to the way firewalls do. Could anyone give me some pointers?

I would be especially interested if this can be accomplished using C#, but I can do other languages too. I am mainly focusing on Windows, but would like to know if there were any cross-platform libraries out there as well.

EDIT Using an NDIS driver (as Wireshark does) sounds like a good option, and Vista's packet filtering capabilities sound neat, but how do firewalls do it, say, on Windows XP? They don't have to install a special driver that I know of.

+1  A: 

On Windows Vista and up, you might want to look at the Windows Filtering Platform. In earlier versions of Windows you need to use filter drivers (the linked-to MSDN page mentions what technologies WFP replaces).

Michael
+1  A: 

As I recall it involves writing an NDIS driver. This sits practically on top of the NIC (Network Interface Card) and you have absolute control of what goes in or comes out of the NIC before anything else - right down to the ethernet packet level.

This cannot be accomplished with C#. You really need to use C or C++ for this task.

UPDATE: I last did this in Windows XP days. I see from another response there is a new, and by the looks of it, simpler API if you are using Windows Vista onwards.

Colin Mackay
+1  A: 

Not sure if it's "before the O/S", but have a look at WireShark and the library it uses, libpcap.

Tim Sylvester
I do not think libpcap can choose to discard or modify packets before they are sent.
jnylen
A: 

Take a look at WinPcap - it uses an NDIS driver to implement its packet filtering capabilities. This library can probably provide an excellent base for any packet inspection / firewall program you'd want to write, and it's open-source. From http://www.winpcap.org/docs/docs_40_2/html/group__internals.html:

First, a capture system needs to bypass the operating system's protocol stack in order to access the raw data transiting on the network. This requires a portion running inside the kernel of the OS, interacting directly with the network interface drivers. This portion is very system dependent, and in our solution it is realized as a device driver, called Netgroup Packet Filter (NPF); we provide different versions of the driver for Windows 95, Windows 98, Windows ME, Windows NT 4, Windows 2000 and Windows XP. These drivers offer both basic features like packet capture and injection, as well as more advanced ones like a programmable filtering system and a monitoring engine. The first one can be used to restrict a capture session to a subset of the network traffic (e.g. it is possible to capture only the ftp traffic generated by a particular host), the second one provides a powerful but simple to use mechanism to obtain statistics on the traffic (e.g. it is possible to obtain the network load or the amount of data exchanged between two hosts).

jnylen
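As an added illustration (not code from this thread or from WinPcap), here is the packet test that the NPF driver's programmable filter evaluates in the kernel for the quoted "only the ftp traffic generated by a particular host" case, written out in plain C against a constructed Ethernet/IPv4/TCP frame. The frame builder and the 10.0.0.5 / 192.0.2.10 addresses are assumptions for the demo; a real filter is compiled from a BPF expression such as `src host 10.0.0.5 and tcp dst port 21` and runs before the packet ever reaches the OS protocol stack.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Return 1 if the frame is an unfragmented IPv4/TCP segment sent by src_host to dst_port,
   i.e. the check a BPF program compiled from "src host X and tcp dst port N" performs. */
int match_tcp_from_host(const uint8_t *frame, size_t len, uint32_t src_host, uint16_t dst_port)
{
    if (len < 14 + 20 + 4) return 0;                            /* Ethernet + min IPv4 + TCP ports */
    if (frame[12] != 0x08 || frame[13] != 0x00) return 0;       /* EtherType 0x0800 = IPv4 */
    const uint8_t *ip = frame + 14;
    if ((ip[0] >> 4) != 4) return 0;                            /* IP version field */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                    /* header length incl. options */
    if (ihl < 20 || 14 + ihl + 4 > len) return 0;               /* truncated header: reject */
    if (ip[9] != 6) return 0;                                   /* protocol 6 = TCP */
    if ((((ip[6] & 0x1f) << 8) | ip[7]) != 0) return 0;         /* later fragment carries no TCP header */
    if (IP4(ip[12], ip[13], ip[14], ip[15]) != src_host) return 0;
    const uint8_t *tcp = ip + ihl;
    return (uint16_t)((tcp[2] << 8) | tcp[3]) == dst_port;      /* TCP destination port */
}

/* Constructed frame for the demo (not captured traffic): Ethernet/IPv4/TCP, no options. */
size_t build_frame(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                             /* IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45; ip[3] = 40; ip[8] = 64; ip[9] = 6;            /* IHL 5, total length 40, TTL, TCP */
    for (int i = 0; i < 4; i++) {
        ip[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        ip[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    uint8_t *tcp = ip + 20;
    tcp[0] = (uint8_t)(sport >> 8); tcp[1] = (uint8_t)sport;
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50;                                             /* TCP data offset 5 */
    return 54;
}

int main(void)
{
    uint8_t frame[64];
    size_t n = build_frame(frame, IP4(10, 0, 0, 5), IP4(192, 0, 2, 10), 40000, 21);
    printf("ftp from 10.0.0.5 matches: %d\n", match_tcp_from_host(frame, n, IP4(10, 0, 0, 5), 21));
    n = build_frame(frame, IP4(10, 0, 0, 6), IP4(192, 0, 2, 10), 40000, 21);
    printf("ftp from 10.0.0.6 matches: %d\n", match_tcp_from_host(frame, n, IP4(10, 0, 0, 5), 21));
    return 0;
}
```

Note the length and fragment-offset checks: a kernel filter that reads TCP ports out of a short or non-first fragment would be matching on bytes that are not a TCP header, which is exactly the kind of misparse a bypass relies on.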