I'm developing network sniffer, bacically to to monitor complete network traffic - no blocking, no modification, interested in data volume, failing connections. I have it on TDI level now. For Windows 8 I need WFP. I've spent couple of days on several WFP examples. Instead of answers I'm having more and more questions.
Microsoft's example Inspect is cloning net buffers, processes them in worker thread and injects them back. Is it really necessary? The example is tight to single IP, so there is no performance considerations about it. I'm intending to monitor complete traffic and I'd like to do it as fast as possible.
I'm considering also NDIS based on Pass Thru, but WFP seems to be the first choice for me just now.