Retail Products

WFP practical guide

Make sure to read the WFP high level overview guide before reading this guide.

Why is WFP so complex?

Main implementation of WFP is driver based and driver development has always been hard and with shortage of documentation, also (not an official statement by Microsoft), at the past you could take an inexperienced developer, take the LSP samples, compile it, and show something that “worked” for interception, but the real problems came in the field and the developer could not solve them, giving users bad experience and crashes. With WFP the same inexperienced developer would not get far, he would not be able to produce the “working” scenario even on VMWare, so Microsoft had increased the bar of requirements from developers in order to write a WFP.

How do I get started?

There are number of prerequisites before starting to develop WFP:


If you find WFP complex, and you want to develop a solution that requires network redirection, you should consider purchasing our Network Redirection SDK, it works using LSP for Windows XP/Vista/2003/7/2008 and WFP for Windows 8/2012 and will save you great amount of time, trial and error, and frustration.

WFP Sample

Microsoft provides a sample that encompasses all of WFP functionality, the sample is quite big and can be confusing, never the less, you can take code snippets from it, and save time, you can get the sample here.

Callout selection

First step would be to select the right callout, a callout will get us the traffic to inspect/modify and the callout will depend on what we plan to do, for transparent proxy redirection we will use the callout: FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 this callout will let us change every outgoing TCPv4 connection and redirect it to a proxy (local or remote). There are other type of callouts that will allow you to intercept: Packets, streams, discraded packets, incoming connections, but they will not be covered in this short guide.

Callout registration

A callout is registered via the method FwpsCalloutRegister0 (for Windows Vista/7/2008) or FwpsCalloutRegister1 (for Windows 8/2012) it expects the current driver device, the callout structure: FWPS_CALLOUT0 or FWPS_CALLOUT1 (both contain the classification and notification functions) and the ID of the callout (the one we selected the paragraph before).

Acquiring the filtering engine handle

The handle is required for many WFP operations and you can get it using the function FwpmEngineOpen0.

Adding the callout

Once we registered our driver with the specific callout, we need to add it to the filtering engine using the method FwpmCalloutAdd0, it expects the handle to the filtering engine, FWPM_CALLOUT0 structure, security descriptor (optional), and an unique ID (optional).

Adding the filter

Last but not least we need to add the filter which describes on top of the callout type, which traffic we want to intercept (Protocol, flags, etc), we do that using the method: FwpmFilterAdd0, which expects the handle to the filtering engine, FWPM_FILTER0 structure, security descriptor (optional), and an unique ID (optional).