Retail Products:

Winsock LSP vs TDI

Before we start, you can read: What is LSP and What is TDI.

The similarity between LSP and TDI is that they both operate on the Winsock functions and process the traffic as streams and not as packets. The main difference between LSP and TDI is that LSP is running at user level and in the workspace of the process it intercepts while TDI runs in Kernel mode, this main difference has number of effects:

• Crashes: If the LSP crashes then the application crashes with the send, don’t send dialog, if the TDI crashes then you get a BSOD.
• Debugging: LSP is easier to debug because it’s a user mode DLL, which TDI requires skills in driver debugging which is never easy.
• Documentation: LSP is far more documented from TDI
• Interception level: LSP intercepts all applications that uses Winsock DLL, TDI on the other hand also intercepts NetBIOS communication.
• Ease of removal: LSP can be removed using: “netsh reset”, but TDI can also be removed easily. In order to protect either LSP or TDI you need a Kernel level driver to protect it, similar to what Komodia’s watchdog is doing.
• Compatability: Both technologies have the same problem that when having two products using the same technology (two LSPs or two TDIs) problems may arise due to various reasons.
• End of life: According to Microsoft: TDI will be phased out in the next OS.

At Komodia we use Winsock LSP because on almost all of the targets the SDK is going to be installed on there will already by an Antivirus or Firewall that uses TDI, and we don’t want to have a conflict, also because Winsock LSP is at user mode it allows us to do extra manipulation which is not possible with TDI such as: DNS interception, SSL interception. And last but not least, TDI is not going to be supported soon.