3 простых шага по исправлению ошибок WINDIVERT.DLL
В вашей системе запущено много процессов, которые потребляют ресурсы процессора и памяти. Некоторые из этих процессов, кажется, являются вредоносными файлами, атакующими ваш компьютер.
Чтобы исправить критические ошибки windivert.dll,скачайте программу Asmwsoft PC Optimizer и установите ее на своем компьютере
1- Очистите мусорные файлы, чтобы исправить windivert.dll, которое перестало работать из-за ошибки.
2- Очистите реестр, чтобы исправить windivert.dll, которое перестало работать из-за ошибки.
3- Настройка Windows для исправления критических ошибок windivert.dll:
Всего голосов ( 182 ), 116 говорят, что не будут удалять, а 66 говорят, что удалят его с компьютера.
Как вы поступите с файлом windivert.dll?
Некоторые сообщения об ошибках, которые вы можете получить в связи с windivert.dll файлом
(windivert.dll) столкнулся с проблемой и должен быть закрыт. Просим прощения за неудобство.
(windivert.dll) перестал работать.
windivert.dll. Эта программа не отвечает.
(windivert.dll) — Ошибка приложения: the instruction at 0xXXXXXX referenced memory error, the memory could not be read. Нажмитие OK, чтобы завершить программу.
(windivert.dll) не является ошибкой действительного windows-приложения.
(windivert.dll) отсутствует или не обнаружен.
WINDIVERT.DLL
Проверьте процессы, запущенные на вашем ПК, используя базу данных онлайн-безопасности. Можно использовать любой тип сканирования для проверки вашего ПК на вирусы, трояны, шпионские и другие вредоносные программы.
процессов:
Cookies help us deliver our services. By using our services, you agree to our use of cookies.
Как удалить WinDrv (рекламное ПО)
Информация об угрозе 
Название угрозы: WinDrv
Исполяемый файл: gspotbot.exe
Затронутые ОС: Win32/Win64 (Windows XP, Vista/7, 8/8.1, Windows 10)
Затронутые браузеры: Google Chrome, Mozilla Firefox, Internet Explorer, Safari
Способ заражения WinDrv
Скачайте утилиту для удаления
Скачайте эту продвинутую утилиту для удаления WinDrv и gspotbot.exe (загрузка начнется немедленно):
* Утилита для удаления был разработан компанией EnigmaSoftware и может удалить WinDrv автоматически. Протестирован нами на Windows XP, Windows Vista, Windows 7, Windows 8 и Windows 10. Триальная версия Wipersoft предоставляет функцию обнаружения угрозы WinDrv бесплатно.
Функции утилиты для удаления
Скачайте Spyhunter Remediation Tool от Enigma Software
Скачайте антивирусные сканер способный удалить WinDrv и gspotbot.exe (загрузка начнется немедленно):
Функции Spyhunter Remediation Tool
We noticed that you are on smartphone or tablet now, but you need this solution on your PC. Enter your email below and we’ll automatically send you an email with the downloading link for WinDrv Removal Tool, so you can use it when you are back to your PC.
Наша служба тех. поддержки удалит WinDrv прямо сейчас!
Здесь вы можете перейти к:
Как удалить WinDrv вручную
Проблема может быть решена вручную путем удаления файлов, папок и ключей реестра принадлежащих угрозе WinDrv. Поврежденные WinDrv системные файлы и компоненты могут быть восстановлены при наличии установочного пакета вашей операционной системы.
Чтобы избавиться от WinDrv, необходимо:
1. Остановить следующие процессы и удалить соответствующие файлы:
Предупреждение: нужно удалить только файлы с именами и путями указанными здесь. В системе могут находится полезные файлы с такими же именами. Мы рекомендуем использовать утилиту для удаления WinDrv для безопасного решения проблемы.
2. Удалить следующие вредоносные папки:
3. Удалить следующие вредоносные ключи реестра и значения:
Предупреждение: если указано значение ключа реестра, значит необходимо удалить только значение и не трогать сам ключ. Мы рекомендуем использовать для этих целей утилиту для удаления WinDrv.
Удалить программу WinDrv и связанные с ней через Панель управления
Мы рекомендуем вам изучить список установленных программ и найти WinDrv а также любые другие подозрительные и незнакомы программы. Ниже приведены инструкции для различных версий Windows. В некоторых случаях WinDrv защищается с помощью вредоносного процесса или сервиса и не позволяет вам деинсталлировать себя. Если WinDrv не удаляется или выдает ошибку что у вас недостаточно прав для удаления, произведите нижеперечисленные действия в Безопасном режиме или Безопасном режиме с загрузкой сетевых драйверов или используйте утилиту для удаления WinDrv.
Windows 10
Windows 8/8.1
Windows 7/Vista
Windows XP
Удалите дополнения WinDrv из ваших браузеров
WinDrv в некоторых случаях устанавливает дополнения в браузеры. Мы рекомендуем использовать бесплатную функцию «Удалить тулбары» в разделе «Инструменты» в программе Spyhunter Remediation Tool для удаления WinDrv и свяанных дополнений. Мы также рекомендуем вам провести полное сканирование компьютера программами Wipersoft и Spyhunter Remediation Tool. Для того чтобы удалить дополнения из ваших браузеров вручную сделайте следующее:
Internet Explorer
Предупреждение: Эта инструкция лишь деактивирует дополнение. Для полного удаления WinDrv используйте утилиту для удаления WinDrv.
Google Chrome
Mozilla Firefox
Защитить компьютер и браузеры от заражения
Рекламное программное обеспечение по типу WinDrv очень широко распространено, и, к сожалению, большинство антивирусов плохо обнаруживают подобные угрозы. Чтобы защитится от этих угроз мы рекомендуем использовать SpyHunter, он имеет активные модули защиты компьютера и браузерных настроек. Он не конфликтует с установленными антивирусами и обеспечивает дополнительный эшелон защиты от угроз типа WinDrv.
Windivert64 sys что это
WinDivertTool.exe is a simple program for:
WinDivertTool.exe is designed to work for any version of WinDivert.
WinDivert is an open source (LGPL) software package for capturing and modifying network packets for Windows. WinDivert was originally developed as part of the ReQrypt project for tunneling HTTP(S) traffic. Since then, WinDivert has used by many applications such as packet filtering, packet sniffing, firewalls, NATs, VPNs, tunneling applications, etc. Some projects that use WinDivert include:
Why is WinDivert on my system?
In this example, the WinDivertTool.exe output indicates that a program called tallow.exe (see the Tallow project) is using WinDivert. The WinDivertTool.exe also prints some additional technical information, including the process ID and hash, as well as the WinDivert version, filter string, layer, priority and flags.
How do I uninstall WinDivert?
The recommended method for uninstalling WinDivert is to uninstall whatever application is using it. In the example above, this can be achieved by uninstalling Tallow.
WinDivertTool.exe can also forcibly terminate all programs/applications using WinDivert and uninstall the WinDivert driver(s) from your system. This approach is not recommended and should only be used as a last resort. To forcibly uninstall WinDivert, run WinDivertTool.exe with the uninstall argument:
Note that this will not prevent the program/application from reinstalling WinDivert after WinDivertTool.exe has completed.
For security reasons, a program using WinDivert must have Administrator access rights, else the WinDivert driver will refuse to load/work. This policy mirrors similar policies for related tools on other platforms, such as divert sockets for MacOSX and netfilterqueue for Linux. Programs do not run as Administrator by default, and a program requesting Administrator rights will trigger a comfirmation via the UAC prompt.
WinDivert 2.2: Windows Packet Divert
Table of Contents
1. Introduction
WinDivert is a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows 7, Windows 8 and Windows 10. WinDivert can be used to implement user-mode packet filters, packet sniffers, firewalls, NAT, VPNs, tunneling applications, etc., without the need to write kernel-mode code.
The main features of the WinDivert are:
WinDivert provides similar functionality to divert sockets from FreeBSD/MacOS, NETLINK sockets from Linux.
2. Building
Note that pre-built WinDivert binary distributions are available from the WinDivert website. Most users do not need to build their own version of WinDivert from source.
The source code for WinDivert is available for download at:
To build the WinDivert drivers from source:
To build the WinDivert user-mode library ( WinDivert.dll ) and sample programs:
The generated WinDivert.dll / WinDivert.lib files should be compatible with all major compilers, including both MinGW and Visual Studio.
2.1 Driver Signing
If you built your own WinDivert32.sys / WinDivert64.sys drivers, they must be digitally signed before they can be used. See Driver Signing Requirements for Windows for more information.
Note that the pre-built WinDivert32.sys / WinDivert64.sys drivers from the official WinDivert distribution are already digitally signed.
3. Installing
WinDivert does not require any special installation. Depending on your target configuration, simply place the following files in your application’s home directory:
4. Uninstalling
Alternatively, the WinDivert driver can be removed by using the windivertctl.exe sample program by issuing the following command:
5. Programming API
5.1 WINDIVERT_LAYER
WinDivert supports several layers for diverting or capturing network packets/events. Each layer has its own capabilities, such as the ability to block events or to inject new events, etc. The list of supported WinDivert layers is summarized below:
| Layer | Capability | Description | |||
|---|---|---|---|---|---|
| Block? | Inject? | Data? | PID? | ||
| WINDIVERT_LAYER_NETWORK | ✔ | ✔ | ✔ | Network packets to/from the local machine. | |
| WINDIVERT_LAYER_NETWORK_FORWARD | ✔ | ✔ | ✔ | Network packets passing through the local machine. | |
| WINDIVERT_LAYER_FLOW | ✔ | Network flow established/deleted events. | |||
| WINDIVERT_LAYER_SOCKET | ✔ | ✔ | Socket operation events. | ||
| WINDIVERT_LAYER_REFLECT | ✔ | ✔ | WinDivert handle events. | ||
Here, the layer capabilities are:
The WINDIVERT_LAYER_NETWORK and WINDIVERT_LAYER_NETWORK_FORWARD layers allow the user application to capture/block/inject network packets passing to/from (and through) the local machine. Due to technical limitations, process ID information is not available at these layers.
The WINDIVERT_LAYER_FLOW layer captures information about network flow establishment/deletion events. Here, a flow represents either (1) a TCP connection, or (2) an implicit flow created by the first sent/received packet for non-TCP traffic, e.g., UDP. Old flows are deleted when the corresponding connection is closed (for TCP), or based on an activity timeout (non-TCP). Flow-related events can be captured, but not blocked nor injected. Process ID information is also available at this layer. Due to technical limitations, the WINDIVERT_LAYER_FLOW layer cannot capture flow events that occurred before the handle was opened.
5.2 WINDIVERT_EVENT
Each layer supports one or more events summarized below:
WINDIVERT_LAYER_NETWORK and WINDIVERT_LAYER_NETWORK_FORWARD : Only a single event is supported:
| Event | Description |
|---|---|
| WINDIVERT_EVENT_NETWORK_PACKET | A new network packet. |
WINDIVERT_LAYER_FLOW : Two events are supported:
| Event | Description |
|---|---|
| WINDIVERT_EVENT_FLOW_ESTABLISHED | A new flow is created. |
| WINDIVERT_EVENT_FLOW_DELETED | An old flow is deleted. |
WINDIVERT_LAYER_SOCKET : The following events are supported:
| Event | Description |
|---|---|
| WINDIVERT_EVENT_SOCKET_BIND | A bind() operation. |
| WINDIVERT_EVENT_SOCKET_CONNECT | A connect() operation. |
| WINDIVERT_EVENT_SOCKET_LISTEN | A listen() operation. |
| WINDIVERT_EVENT_SOCKET_ACCEPT | An accept() operation. |
| WINDIVERT_EVENT_SOCKET_CLOSE | A socket endpoint is closed. This corresponds to a previous binding being released, or an established connection being terminated. The event cannot be blocked. |
WINDIVERT_LAYER_REFLECT : Two events are supported:
| Event | Description |
|---|---|
| WINDIVERT_EVENT_REFLECT_OPEN | A new WinDivert handle was opened. |
| WINDIVERT_EVENT_REFLECT_CLOSE | An old WinDivert handle was closed. |
5.3 WINDIVERT_ADDRESS
Remarks
The WINDIVERT_ADDRESS structure represents the «address» of a captured or injected packet. The address includes the packet’s timestamp, layer, event, flags, and layer-specific data. All fields are set by WinDivertRecv() when the packet/event is captured. Only some fields are used by WinDivertSend() when a packet is injected.
The Event indicates the layer-specific event ( WINDIVERT_EVENT_* ) that was captured.
The Outbound flag is set for outbound packets/events, and is cleared for inbound or direction-less packets/events.
The Loopback flag is set for loopback packets. Note that Windows considers any packet originating from, and destined to, the current machine to be a loopback packet, so loopback packets are not limited to localhost addresses. Note that WinDivert considers loopback packets to be outbound only, and will not capture loopback packets on the inbound path.
The IPv6 flag is set for IPv6 packets/events, and cleared for IPv4 packets/events.
The *Checksum flags indicate whether the packet has valid checksums or not. When IP/TCP/UDP checksum offloading is enabled, it is possible that captured packets do not have valid checksums. Invalid checksums may be arbitrary values.
The Network.* fields are only valid at the WINDIVERT_LAYER_NETWORK and WINDIVERT_LAYER_NETWORK_FORWARD layers. The Network.IfIdx / Network.SubIfIdx indicate the packet’s network adapter (a.k.a. interface) index. These values are ignored for outbound packets.
5.4 WinDivertOpen
Return Value
A valid WinDivert handle on success, or INVALID_HANDLE_VALUE if an error occurred. Use GetLastError() to get the reason for the error. Common errors include:
A typical application is only interested in a subset of all network traffic or events. In this case the filter should match as closely as possible to the subset of interest. This avoids unnecessary overheads introduced by diverting packets to the user-mode application. See the filter language section for more information.
The layer of the WinDivert handle is determined by the layer parameter. See WINDIVERT_LAYER for more information. Currently the following layers are supported:
| Layer | Description |
|---|---|
| WINDIVERT_LAYER_NETWORK = 0 | Network packets to/from the local machine. This is the default layer. |
| WINDIVERT_LAYER_NETWORK_FORWARD | Network packets passing through the local machine. |
| WINDIVERT_LAYER_FLOW | Network flow established/deleted events. |
| WINDIVERT_LAYER_SOCKET | Socket operation events. |
| WINDIVERT_LAYER_REFLECT | WinDivert handle events. |
Different WinDivert handles can be assigned different priorities by the priority parameter. Packets are diverted to higher priority handles before lower priority handles. Packets injected by a handle are then diverted to the next priority handle, and so on, provided the packet matches the handle’s filter. A packet is only diverted once per priority level, so handles should not share priority levels unless they use mutually exclusive filters. Otherwise it is not defined which handle will receive the packet first. Higher priority values represent higher priorities, with WINDIVERT_PRIORITY_HIGHEST being the highest priority, 0 the middle (and a good default) priority, and WINDIVERT_PRIORITY_LOWEST the lowest priority.
Different flags affect how the opened handle behaves. The following flags are supported:
Note that any combination of (WINDIVERT_FLAG_SNIFF | WINDIVERT_FLAG_DROP) or (WINDIVERT_FLAG_RECV_ONLY | WINDIVERT_FLAG_SEND_ONLY) are considered invalid.
Some layers have mandatory flags, as listed below:
| Layer | Required Flags |
|---|---|
| WINDIVERT_LAYER_FLOW | WINDIVERT_FLAG_SNIFF | WINDIVERT_FLAG_RECV_ONLY |
| WINDIVERT_LAYER_SOCKET | WINDIVERT_FLAG_RECV_ONLY |
| WINDIVERT_LAYER_REFLECT | WINDIVERT_FLAG_SNIFF | WINDIVERT_FLAG_RECV_ONLY |
5.5 WinDivertRecv
Return Value
TRUE if a packet/event was successfully received, or FALSE if an error occurred. Use GetLastError() to get the reason for the error.
Common errors include:
| Name | Code | Description |
|---|---|---|
| ERROR_INSUFFICIENT_BUFFER | 122 | The captured packet is larger than the pPacket buffer. |
| ERROR_NO_DATA | 232 | The handle has been shutdown using WinDivertShutdown() and the packet queue is empty. |
Only some layers can capture packets/data, as summarized below:
| Layer | Data? | Description |
|---|---|---|
| WINDIVERT_LAYER_NETWORK | ✔ | Network packet. |
| WINDIVERT_LAYER_NETWORK_FORWARD | ✔ | Network packet. |
| WINDIVERT_LAYER_FLOW | — | |
| WINDIVERT_LAYER_SOCKET | — | |
| WINDIVERT_LAYER_REFLECT | ✔ | Filter object. |
Captured packets are guaranteed to have correct checksums or have the corresponding *Checksum flag unset (see WINDIVERT_ADDRESS ).
WinDivertRecv() should not be used on any WinDivert handle created with the WINDIVERT_FLAG_DROP set.
5.6 WinDivertRecvEx
Return Value
TRUE if a packet was successfully received, or FALSE otherwise. Use GetLastError() to get the reason. The error code ERROR_IO_PENDING indicates that the overlapped operation has been successfully initiated and that completion will be indicated at a later time. All other codes indicate an error.
Remarks
This function is equivalent to WinDivertRecv() except:
Batched I/O makes it possible to receive up to WINDIVERT_BATCH_MAX packets at once using a single operation, reducing the number of kernel/user-mode context switches and improving performance. To enable batched I/O:
5.7 WinDivertSend
Return Value
TRUE if a packet was successfully injected, or FALSE if an error occurred. Use GetLastError() to get the reason for the error.
Common errors include:
| Name | Code | Description |
|---|---|---|
| ERROR_HOST_UNREACHABLE | 1232 | This error occurs when an impostor packet (with pAddr->Impostor set to 1 ) is injected and the ip.TTL or ipv6.HopLimit field goes to zero. This is a defense of last resort against infinite loops caused by impostor packets. |
Only the WINDIVERT_LAYER_NETWORK and WINDIVERT_LAYER_NETWORK_FORWARD layers support packet injection, as summarized below:
| Layer | Inject? |
|---|---|
| WINDIVERT_LAYER_NETWORK | ✔ |
| WINDIVERT_LAYER_NETWORK_FORWARD | ✔ |
| WINDIVERT_LAYER_FLOW | |
| WINDIVERT_LAYER_SOCKET | |
| WINDIVERT_LAYER_REFLECT |
For packets injected into the inbound path, the pAddr->Network.IfIdx and pAddr->Network.SubIfIdx fields are assumed to contain valid interface numbers. These may be retrieved from WinDivertRecv() (for packet modification), or from the IP Helper API.
For outbound injected packets, the IfIdx and SubIfIdx fields are currently ignored and may be arbitrary values. Injecting an inbound packet on the outbound path may work (for some types of packets), however this should be considered «undocumented» behavior, and may be changed in the future.
Injected packets must have the correct checksums or have the corresponding pAddr->*Checksum flag unset. A packet/address pair captured by WinDivertRecv() is guaranteed to satisfy this condition, so can be reinjected unmodified without recalculating checksums. Otherwise, if a modification is necessary, checksums can be recalculated using the WinDivertHelperCalcChecksums() function.
5.8 WinDivertSendEx
Return Value
TRUE if a packet was successfully injected, or FALSE otherwise. Use GetLastError() to get the reason. The error code ERROR_IO_PENDING indicates that the overlapped operation has been successfully initiated and that completion will be indicated at a later time. All other codes indicate an error.
Remarks
This function is equivalent to WinDivertSend() except:
Batched I/O makes it possible to send up to WINDIVERT_BATCH_MAX packets at once using a single operation, reducing the number of kernel/user-mode context switches and improving performance. To use batched I/O:
5.9 WinDivertShutdown
Return Value
TRUE if successful, FALSE if an error occurred. Use GetLastError() to get the reason for the error.
Remarks
This operation causes all or part of a WinDivert handle to be shut down. The possible values for how are:
5.10 WinDivertClose
Return Value
TRUE if successful, FALSE if an error occurred. Use GetLastError() to get the reason for the error.
5.11 WinDivertSetParam
Return Value
TRUE if successful, FALSE if an error occurred. Use GetLastError() to get the reason for the error.
Remarks
Sets a WinDivert parameter. Currently, the following WinDivert parameters are defined.
5.12 WinDivertGetParam
Return Value
TRUE if successful, FALSE if an error occurred. Use GetLastError() to get the reason for the error.
| Parameter | Description |
|---|---|
| WINDIVERT_PARAM_VERSION_MAJOR | Returns the major version of the driver. |
| WINDIVERT_PARAM_VERSION_MINOR | Returns the minor version of the driver. |
6. Helper Programming API
6.1 WINDIVERT_IPHDR
Fields
See here for more information.
Remarks
IPv4 header definition.
The following fields can only be get/set using the following macro definitions:
6.2 WINDIVERT_IPV6HDR
Fields
See here for more information.
Remarks
IPv6 header definition.
The following fields can only be get/set using the following macro definitions:
6.3 WINDIVERT_ICMPHDR
Fields
See here for more information.
Remarks
ICMP header definition.
6.4 WINDIVERT_ICMPV6HDR
Fields
See here for more information.
Remarks
ICMPv6 header definition.
6.5 WINDIVERT_TCPHDR
Fields
See here for more information.
Remarks
TCP header definition.
6.6 WINDIVERT_UDPHDR
Fields
See here for more information.
Remarks
UDP header definition.
6.7 WinDivertHelperParsePacket
Return Value
TRUE if successful, FALSE if an error occurred.
Remarks
Parses a raw packet or batch of packets (e.g. from WinDivertRecv() ) into the various packet headers and/or payloads that may or may not be present.
This function does not do any verification of the header/payload contents beyond checking the header length and any other minimal information required for parsing. This function will always succeed provided the pPacket buffer contains at least one IPv4 or IPv6 header and the packetLen is correct.
6.8 WinDivertHelperHashPacket
Return Value
A 64bit hash value.
Remarks
Calculates a 64bit hash value of the given packet. Note that the hash function depends on the packet’s IP and transport headers only, and not the payload of the packet. That said, a weak dependency on the payload will exist if the TCP/UDP checksums are valid. The hash function itself is based on the xxHash algorithm and is not cryptographic.
The optional seed value is also incorporated into the hash.
6.9 WinDivertHelperParseIPv4Address
Return Value
TRUE if successful, FALSE if an error occurred. Use GetLastError() to get the reason for the error.
6.10 WinDivertHelperParseIPv6Address
Return Value
TRUE if successful, FALSE if an error occurred. Use GetLastError() to get the reason for the error.
6.11 WinDivertHelperParseIPv4Address
Return Value
TRUE if successful, FALSE if an error occurred. Use GetLastError() to get the reason for the error.
Remarks
Convert an IPv4 address into a string.
6.12 WinDivertHelperParseIPv6Address
Return Value
TRUE if successful, FALSE if an error occurred. Use GetLastError() to get the reason for the error.
Remarks
Convert an IPv6 address into a string.
6.13 WinDivertHelperCalcChecksums
Return Value
TRUE if successful, FALSE if an error occurred.
By default this function will calculate each checksum from scratch, even if the existing checksum is correct. This may be inefficient for some applications. For better performance, incremental checksum calculations should be used instead (not provided by this API).
6.14 WinDivertHelperDecrementTTL
For IPv4, this function will preserve the validity of the IPv4 checksum. That is, if the packet had a valid checksum before the operation, the resulting checksum will also be valid after the operation. This function updates the checksum field incrementally.
6.15 WinDivertHelperCompileFilter
Return Value
TRUE if the packet filter compilation is successful, FALSE otherwise.
The compilation operation will succeed if the given filter string is valid with respect to the filter language. Otherwise, if the filter is invalid, then a human readable description of the error is returned by errorStr (if non- NULL ), and the error’s position is returned by errorPos (if non- NULL ).
Note that all strings returned through errorStr are global static objects, and therefore do not need to be deallocated.
6.16 WinDivertHelperEvalFilter
Return Value
TRUE if the packet matches the filter string, FALSE otherwise.
Remarks
Evaluates the given packet against the given packet filter string. This function returns TRUE if the packet matches, and returns FALSE otherwise.
Note that this function is relatively slow since the packet filter string will be (re)compiled for each call. This overhead can be minimized by pre-compiling the filter string into the object representation using the WinDivertHelperCompileFilter() function.
6.17 WinDivertHelperFormatFilter
Return Value
TRUE if successful, FALSE if an error occurred. Use GetLastError() to get the reason for the error.
6.18 WinDivertHelperNtoh*
Return Value
The output value in host byte order.
Remarks
Converts a value/IPv6-address from network to host byte-order.
6.19 WinDivertHelperHton*
Return Value
The output value in network byte order.
Remarks
Converts a value/IPv6-address from host to network byte-order.
7. Filter Language
The WinDivertOpen() function accepts a string containing a filter. Only packets/events that match the filter will be blocked and/or captured. All other non-matching packets/events will be allowed to continue as normal.
The filter allows an application to select only a subset traffic that is of interest. For example, a HTTP blacklist filter is only interested in packets that might contain URLs. This could be achieved using the following filter.
This filter selects only the subset of all traffic that is:
A filter is a Boolean expression of the form:
A test is of the following form:
where op is one of the following:
| Operator | Description |
|---|---|
| == or = | Equal |
| != | Not equal |
| Less-than | |
| > | Greater-than |
| Less-than-or-equal | |
| >= | Greater-than-or-equal |
Finally, a field is some layer-specific property matching the packet or event. The possible fields are:
| Field | Layer | Description | ||||
|---|---|---|---|---|---|---|
| NETWORK | FORWARD | FLOW | SOCKET | REFLECT | ||
| zero | ✔ | ✔ | ✔ | ✔ | ✔ | The value zero |
| timestamp | ✔ | ✔ | ✔ | ✔ | ✔ | The packet/event timestamp |
| event | ✔ | ✔ | ✔ | ✔ | ✔ | The event |
| outbound | ✔ | ✔ | Is outbound? | |||
| inbound | ✔ | ✔ | Is inbound? | |||
| ifIdx | ✔ | ✔ | Interface index | |||
| subIfIdx | ✔ | ✔ | Sub-interface index | |||
| loopback | ✔ | ✔ | ✔ | Is loopback packet? | ||
| impostor | ✔ | ✔ | Is impostor packet? | |||
| fragment | ✔ | ✔ | Is IP fragment packet? | |||
| endpointId | ✔ | ✔ | Endpoint ID | |||
| parentEndpointId | ✔ | ✔ | Parent endpoint ID | |||
| processId | ✔ | ✔ | ✔ | Process ID | ||
| random8 | ✔ | ✔ | 8-bit random number | |||
| random16 | ✔ | ✔ | 16-bit random number | |||
| random32 | ✔ | ✔ | 32-bit random number | |||
| layer | ✔ | The handle’s layer | ||||
| priority | ✔ | The handle’s priority | ||||
| packet[i] | ✔ | ✔ | The i th 8-bit word of the packet | |||
| packet16[i] | ✔ | ✔ | The i th 16-bit word of the packet | |||
| packet32[i] | ✔ | ✔ | The i th 32-bit word of the packet | |||
| length | ✔ | ✔ | The packet length | |||
| ip | ✔ | ✔ | ✔ | ✔ | Is IPv4? | |
| ipv6 | ✔ | ✔ | ✔ | ✔ | Is IPv6? | |
| icmp | ✔ | ✔ | ✔ | ✔ | Is ICMP? | |
| icmpv6 | ✔ | ✔ | ✔ | ✔ | Is ICMPv6? | |
| tcp | ✔ | ✔ | ✔ | ✔ | Is TCP? | |
| udp | ✔ | ✔ | ✔ | ✔ | Is UDP? | |
| protocol | ✔ | ✔ | ✔ | The protocol | ||
| localAddr | ✔ | ✔ | ✔ | The local address | ||
| localPort | ✔ | ✔ | ✔ | The local port | ||
| remoteAddr | ✔ | ✔ | ✔ | The remote address | ||
| remotePort | ✔ | ✔ | ✔ | The remote port | ||
| ip.* | ✔ | ✔ | IPv4 fields (see WINDIVERT_IPHDR ) | |||
| ipv6.* | ✔ | ✔ | IPv6 fields (see WINDIVERT_IPV6HDR ) | |||
| icmp.* | ✔ | ✔ | ICMP fields (see WINDIVERT_ICMPHDR ) | |||
| icmpv6.* | ✔ | ✔ | ICMPV6 fields (see WINDIVERT_ICMPV6HDR ) | |||
| tcp.* | ✔ | ✔ | TCP fields (see WINDIVERT_TCPHDR ) | |||
| tcp.PayloadLength | ✔ | ✔ | The TCP payload length | |||
| tcp.Payload[i] | ✔ | ✔ | The i th 8-bit word of the TCP payload | |||
| tcp.Payload16[i] | ✔ | ✔ | The i th 16-bit word of the TCP payload | |||
| tcp.Payload32[i] | ✔ | ✔ | The i th 32-bit word of the TCP payload | |||
| udp.* | ✔ | ✔ | UDP fields (see WINDIVERT_UDPHDR ) | |||
| udp.PayloadLength | ✔ | ✔ | The UDP payload length | |||
| udp.Payload[i] | ✔ | ✔ | The i th 8-bit word of the UDP payload | |||
| udp.Payload16[i] | ✔ | ✔ | The i th 16-bit word of the UDP payload | |||
| udp.Payload32[i] | ✔ | ✔ | The i th 32-bit word of the UDP payload | |||
A test will also fails if the field is not relevant. For example, the test tcp.DstPort == 80 will fail if the packet does not contain a TCP header.
The processId field matches the ID of the process associated to an event. Due to technical limitations, this field is not supported by the WINDIVERT_LAYER_NETWORK* layers. That said, it is usually possible to associate process IDs to network packets matching the same network 5-tuple. Note that a fundamental race condition exists between the processId and the termination of the corresponding process, see the know issues listed below.
These fields can be used to match filters against the contents of packets/payloads in addition to address/header information. Words are assumed to be in network-byte ordering. If the index is out-of-bounds then the corresponding test is deemed to have failed.
The random* fields are not really random but use a deterministic hash value calculated using the WinDivertHelperHashPacket() function.
| Macro | Layer | Value | ||||
|---|---|---|---|---|---|---|
| NETWORK | FORWARD | FLOW | SOCKET | REFLECT | ||
| TRUE | ✔ | ✔ | ✔ | ✔ | ✔ | 1 |
| FALSE | ✔ | ✔ | ✔ | ✔ | ✔ | 0 |
| TCP | ✔ | ✔ | ✔ | ✔ | ✔ | IPPROTO_TCP ( 6 ) |
| UDP | ✔ | ✔ | ✔ | ✔ | ✔ | IPPROTO_UDP ( 17 ) |
| ICMP | ✔ | ✔ | ✔ | ✔ | ✔ | IPPROTO_ICMP ( 1 ) |
| ICMPV6 | ✔ | ✔ | ✔ | ✔ | ✔ | IPPROTO_ICMPV6 ( 58 ) |
| PACKET | ✔ | ✔ | WINDIVERT_EVENT_NETWORK_PACKET | |||
| ESTABLISHED | ✔ | WINDIVERT_EVENT_FLOW_ESTABLISHED | ||||
| DELETED | ✔ | WINDIVERT_EVENT_FLOW_DELETED | ||||
| BIND | ✔ | WINDIVERT_EVENT_SOCKET_BIND | ||||
| CONNECT | ✔ | WINDIVERT_EVENT_SOCKET_CONNECT | ||||
| ACCEPT | ✔ | WINDIVERT_EVENT_SOCKET_ACCEPT | ||||
| LISTEN | ✔ | WINDIVERT_EVENT_SOCKET_LISTEN | ||||
| OPEN | ✔ | WINDIVERT_EVENT_REFLECT_OPEN | ||||
| CLOSE | ✔ | ✔ | WINDIVERT_EVENT_SOCKET_CLOSE for the SOCKET layer, or WINDIVERT_EVENT_REFLECT_CLOSE for the REFLECT layer. | |||
| NETWORK | ✔ | WINDIVERT_LAYER_NETWORK | ||||
| NETWORK_FORWARD | ✔ | WINDIVERT_LAYER_NETWORK_FORWARD | ||||
| FLOW | ✔ | WINDIVERT_LAYER_FLOW | ||||
| SOCKET | ✔ | WINDIVERT_LAYER_SOCKET | ||||
| REFLECT | ✔ | WINDIVERT_LAYER_REFLECT | ||||
7.1 Filter Examples
7.2 Filter Usage
The purpose of the filter is to help applications select the subset of all network traffic that the application is interested in. Ideally the filter should be
For some applications these two objectives can conflict. That is, a selective filter is not short, and a short filter is not selective. For such applications the developer should experiment with different filter configurations and carefully measure the performance impact to find the optimal solution.
8. Performance
Using WinDivert to redirect network traffic to/from a user application incurs performance overheads, such as copying packet data and user/kernel mode context switching. Under heavy load (≥1Gbps) these overheads can be significant. The following techniques can be used to reduce overheads (in order of importance):
The passthru.exe sample program can be used to experiment with different batch sizes and thread counts.
9. Samples
Some samples have been provided to demonstrate the WinDivert API. The sample programs are:
The samples are intended for educational purposes only, and are not fully-featured applications.
The following basic template for a WinDivert application using the WINDIVERT_LAYER_NETWORK layer. The basic idea is to open a WinDivert handle, then enter a capture-modify-reinject loop:
10. Known Issues
WinDivert has some known limitations listed below:
11. License
WinDivert is dual-licensed under your choice of either the GNU Lesser General Public License (LGPL) Version 3 or the GNU General Public License (GPL) Version 2. Please see the notices below: