Dec 29, 2018

Following the previous article, I did some more googling around the Windows raw sockets feature and found this interesting article.

In particular, this part, which weighs the pros and cons of using Windows raw sockets:

Since raw sockets are built into the kernel TCP/IP implementation, there is no need for additional kernel-mode code (such as NDIS filter drivers or WFP callout drivers). There are however a number of drawbacks compared to the first two techniques:

· No filtering in kernel-mode is possible – all packets are delivered to the user-mode application (which has performance implications).

· There is no visibility of how many packets are lost/dropped as a result of insufficient buffering.

· The packets are first time-stamped when processed by a user-mode application, which might be some time after they “could have been” time-stamped by filter/callout driver kernel-mode code running in a DPC (Deferred Procedure Call).

· There is no guarantee of the order in which the kernel adds packets to the raw socket. Monitoring the kernel activity with the “Microsoft-Windows-TCPIP” and “Microsoft-Windows-Winsock-AFD” providers indicates that the outbound response to an inbound packet is often copied to the raw socket before the inbound packet.
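To make the first and third drawbacks concrete, here is an added Python example (not code from this post or from the quoted article) in which every packet reaches user mode, is timestamped there, and only then is filtered. The function names and sample packets are hypothetical and constructed for illustration; `capture()` follows the Windows sniffer pattern from Python's `socket` documentation and is not exercised by the sample data.

```python
import socket
import struct
import time

def parse_ipv4(packet):
    # Return (proto, src, dst, sport, dport), or None if not a usable IPv4 packet.
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    sport = dport = None
    if proto in (socket.IPPROTO_TCP, socket.IPPROTO_UDP) and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return proto, src, dst, sport, dport

def user_mode_filter(packets, port, clock=time.time):
    # Every packet reaches this loop; discarding happens here, not in the kernel.
    kept = []
    for pkt in packets:
        ts = clock()  # stamped at processing time, after the kernel handled it
        info = parse_ipv4(pkt)
        if info and info[0] == socket.IPPROTO_TCP and port in info[3:5]:
            kept.append((ts, info))
    return kept  # order is delivery order, which may not be wire order

def capture(local_ip, count):
    # Windows only, needs Administrator: read `count` packets from a raw socket.
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
    s.bind((local_ip, 0))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
    try:
        return [s.recvfrom(65535)[0] for _ in range(count)]
    finally:
        s.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
        s.close()

def build_packet(proto, src, dst, sport, dport):
    # Constructed sample: 20-byte IPv4 header plus the two port fields.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + struct.pack("!HH", sport, dport)

SAMPLE = [  # constructed packets, not captured traffic
    build_packet(6, "192.0.2.10", "192.0.2.20", 50000, 443),
    build_packet(17, "192.0.2.10", "192.0.2.53", 50001, 53),
    build_packet(6, "192.0.2.20", "192.0.2.10", 443, 50000),
    build_packet(6, "192.0.2.10", "192.0.2.30", 50002, 80),
]
```

On a Windows host, `user_mode_filter(capture(local_ip, 100), 443)` applies the same filter to live traffic, with `local_ip` being the address of the interface to monitor.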
