An Architecture for High Performance Network Analysis
WinPcap includes a set of innovative features
(such as packet monitoring and packet injection) that are not available in previous systems. This paper presents the details of the architecture and it shows its excellent performance.
Packet filtering is made up of a kernel-mode component (to select packets) and a user-mode library (to deliver them to the applications). Last component
provides a standard interface for low-level network access and allows programmers to avoid kernel-level programming. WinPcap includes an optimized kernelmode driver, called Netgroup Packet Filter (NPF), and a
set of user-level libraries that are libpcap-compatible. Libpcap  API compatibility was a primary objective in order to create a cross-platform set of functions for packet capture. WinPcap makes the porting of Unix
applications to Win32 easier and it enables a large set of programs to be used on Win32 at once, just after a simple recompilation. Moreover, since the importance of traffic monitoring, WinPcap provides highly specific system
calls for that.BPF has been widely recognized having the best
implementation compared to other similar components available on Unix and it can be seen as a device driver that interacts with the network interface through the
interface’s driver.The Network Tap  is a function dedicated to snoop all packets flowing through the network. It is followed by the Filter, which analyzes
incoming packets in order to detect whether a packet is interesting for the user (the user can set capture filters to receive only a subset of the network traffic). A packet satisfying the filter is copied to the kernel buffer, which
is subdivided in two small buffers (store and hold) that are used to keep the captured packets for a while. These blocks of memory (whose size is usually 32Kbytes in recent BSD kernels) are allocated at run time at the
beginning of the capture process. The first buffer (store) is used to keep the data coming from the network adapter and the second one (hold) is used to copy the packets to the user buffer. When the store buffer is full and the hold
buffer is empty, BPF swaps them. In this way the userlevel application does not interfere with the adapter’s device driver because the former clears out the hold
buffer while the latter fills in the store one. WinPcap kernel buffer is larger (default 1MB) than BPF one. A small buffer penalizes the capturing process
especially in case the application is not able to read as fast as the driver captures for a limited time interval. Such situation is common when data has to be transferred to disk or when the network has bursty traffic. Vice versa,
user buffer is smaller and its default value is 256KB. Both kernel and user buffer can be changed at runtime2.Both BPF and NPF provide writing capabilities that allow the user sending raw packets to the network.
However libpcap does not use these calls, thus BPF is never used for this purpose; Unix applications often use raw sockets for that. On the other side, Win32 provides raw sockets only in Windows 2000 and they are quite
limited; therefore WinPcap is the first library that provides a standard and consistent set of functions for packet injection for all the Win32 flavors. Besides, NPF adds some new functions that allow sending a packet
several times using a single context switch between user and kernel mode. Data is copied to the kernel and then sent to the network by means of a single NDIS call. While WinPcap provides a new set of functions to
exploit these features, it does not provide a powerful abstraction for creating packets that need to be generated by hand or by means of other existing tools.
Tests confirm the excellent performance of WinPcap. The packet generation process, even in presence of a strange behavior (maximum number of packets per
second is reached with 88-bytes packets) is highly optimized and it is quite easy to reach the maximum load allowed by a Fast Ethernet LAN. The capturing process also has an excellent implementation and it outperforms
the original BPF / libpcap implementations. Tests with Windows 2000 show usually better results than the Windows 98 ones because of the larger number of
optimizations present in that driver (for example the delayed write capability).