Microsoft developed TDI (Transport Driver Interface)Â for the purpose of giving additional functionalityÂ combined withÂ flexibility (compared to the existing interfaces). Windows 2000 (and later versions) has the transport providers directly interface with the TDI (Transport Driver Interface).Â This allows the TDI (Transport Driver Interface) to offer a more consistent interface with the (NTP)Â network transport protocols.
Komodia offers a free TDI guide for all your TDI modify packets questions.
Hook Winsock API, can be done in various ways including: Winsock LSP, TDI, NDIS, Hooks, WFP. Which one is correct for you? it depends on what you plan to do, so it’s recommended you read about the technologies.
How to intercept data on Internet? This can be done using number of technologies:
- Winsock LSP – Is good when you want to operate at user level and inspect streams and not packets.
- TDI – Soon to be phased out, it’s a driver like technology that can be used either in packet or stream level.
- NDIS – Kernel driver that inspects packets and has total control over the network.
- WFP – Microsoft new filterting platform, but until Windows XP is phased out, I forsee it will not gain momentum.
TDI DriverÂ is mostly used today for personal AV products. I know there are number of parental control, spam filters products that use it as well.
I’m not a fan of TDI, although it has its place in doing networking filtering, it’s time is up and in one and a half year it will be phased out, so I don’t see any reason to start a project using TDI.
You can read this nice article about the difference between LSP and TDI.
NDIS FilterÂ is used to perform packet filtering, modification and inspection, unlike other technologies like LSP and TDI which operate on streams.
NDIS Filter is actually a NDIS IM driver which receives packets (to send or receive), can perform processing on them and then send them to the next layer or drop them, that’s why NDIS IM drivers are used for: Firewalls, corporate firewalls, custom network solutions and more.
When stream operations is requires, NDIS IM is sometimes a bad choice because it imposes additional work to convert packets to streams, which can be avoided if using TDI or LSP.
There are several ways to implement a firewall:
- Winsock LSPÂ – Can be used for an application layer firewall, but it’s mostly not used for various reasons.
- TDI Driver – Mostly used for personal firewalls, according to Microsoft it will be phased out in the next OS.
- Ndis IM – Mostly used for gateway firewalls.
- WFP – The new plaform Microsoft is promoting, in my opinion that until XP is retired this will not gain momentum.
We have wrote a bit on what is TDI. Basically most personal firewall are using TDI for various reasons:
- It’s a driver so it has the false sense it’s hard to remove.
- It’s been with us since 1995 on Win95.
- It has the ability to view traffic as stream or packets.
TDI is being phased out by Microsoft, and according to their documentation the next Windows version might not support it anymore so investing in TDI can be quite risky.