Click here to Skip to main content
15,072,134 members
Articles / Programming Languages / C++/CLI
Posted 19 Jul 2003


109 bookmarked

Packet Filtering in .NET

Rate me:
Please Sign up or sign in to vote.
4.85/5 (34 votes)
19 Jul 20034 min read
Class library to implement packet filtering funcionality in your .NET applications


Recently, I have been searching on how I can make filter applications using Packet Filtering API included in Windows 2000 and above. First, I decided to make a C++ class in order to encapsulate all and make easy next applications. But I thought... why don't write a .NET C++ class? Because I haven't seen any other class to do it for this platform, I answered "yes".

The problem is that I am a beginner with .NET. I know C++ and I have used C# a few times, but I haven't written mix managed/unmanaged C++ code ever. Anyway, I didn't change my answer, I decided to write this class and I'll write it :P (and in this way, I can learn more about .NET). For this reason, you may see bugs in my code or probably you might think you would write code better. Feel free to tell me all you think and we will learn together. You will learn something about packet filtering ( I hope it...) and I learn something about .NET mixing managed/unmanaged code (I hope it, too).

Packet Filtering API

With Windows 2000, Microsoft included one API in order to implement packet filtering functionality in our programs. This API is included in Windows XP and Windows 2003, too. Packet Filtering API allow us to associate filters to IP adapter interfaces. We can implement a functionality similar that included in TCP/IP filter options in TCP/IP properties of a network adapter. Now I will comment the basic functions for this API, used to write this class:

  • PfCreateInterface(...)

    Used to create an interface. In this function, we pass the default action for incoming and outgoing packets. Then, we associate filters to interfaces.

  • PfBindInterfaceToIPAddress(...)

    We created a interface, but we have to bind it with a IP address. To do it, we use this function.

  • PfAddFiltersToInterface(...)

    We have created the interface and bind it with a local IP. Now, we can associate filters in order to filter IP traffic. When we created the interface, we indicated the default action for incoming and outgoing packets. The filters reverse the default actions for the interface.

  • PfAddGlobalFilterToInterface(...)

    Add a global filter to all filters of an interface. We have three predefined global filters: check packets fragments, check fragments from the cache, check destination for incoming packets (check IP spoofing attacks).

  • PfRemoveGlobalFilterToInterface(...)

    Remove a global filter from an interface.

  • PfRemoveFiltersFromInterface(...)

    Remove an added filter from an interface.

  • PfUnBindInterface(...)

    Unbind an IP address and an interface.

  • PfDeleteInterface(...)

    Delete an interface created.

If you want more information about this functions parameters, you can find it in MSDN. One reason to write this article is the few documentation (I love documentation with samples!!!). Important: You can only use this functions if you have administrative privileges.

Installing our IP Filters

We know the functions we have to use. Now we have to know the process to install filters:

  1. We must know the IP address of the local interface where we want to apply packet filtering. The initial process is easy: create the interface and bind the known local IP address with it.
  2. Second, we add the filter rules as we want. We can add filter rules or global filters.
  3. When we finish, we must unbind interfaces and local IP address and delete interfaces created.

In C words:

// Creating the interface and associating it with 
// a local ip address INTERFACE_HANDLE hInterface;

// look this byte order for ip address!!
BYTE localIp[]    = {172,29,16,2};
PfBindInterfaceToIPAddress(hInterface, PF_IPV4, localIp);

// We go to add a filter. Forbid outgoing http traffic, for example.

// Fill the filter rule data
inFilter.dwFilterFlags       = FD_FLAGS_NOSYN;    //always this value
inFilter.dwRule              = 0;        //always this value
inFilter.pfatType            = PF_IPV4;    //using ipV4 addresses
inFilter.SrcAddr             = localIp;    //set local ip
inFilter.SrcMask             = "\xff\xff\xff\xff";   //mask for local ip
inFilter.wSrcPort            = FILTER_TCPUDP_PORT_ANY;  //any source port
inFilter.wSrcPortHighRange   = FILTER_TCPUDP_PORT_ANY;
inFilter.DstAddr             = 0;            //any destination
inFilter.DstMask             = 0;
inFilter.wDstPort            = 80;    //destination port 80(http service)
inFilter.wDstPortHighRange   = 80;
inFilter.dwProtocol          = FILTER_PROTO_TCP;    // Tcp protocol

// Add the filter
PfAddFiltersToInterface(hInterface, 1, &inFilter, 0, NULL, &fHandle);


// Remove the filter
PfRemoveFilterHandles(hInterface, 1, &fHandle);

// Unbind and delete interface

The .NET Classes

My packet filtering API for .NET implements two public classes:

  • TxFilterController.

    The basic class. Used to add filters or remove filters to an interface. You can implement filtering only with this class. This class create only the interfaces needed, without requiring the user to do it.

    Its methods are as follows:

    • int AddFilter(IPAddress *ip, TxIpFilter *filter)

      Add a filter to a local IP address. If no error, return 0. This method is overloaded in order to pass the filter rules without creating a TxIpFilter object. Packets that matches a filter rule will be dropped.

    • int AddGlobalFilter(IPAddress *ip, int globalFilter)

      Add a global filter to a local IP address. If no error return 0.

    • int RevomeFilter(IPAddress *ip, TxIpFilter *filter)

      Remove a filter from an interface. If no error, return 0. This method is overloaded in order to pass the filter rules without creating a TxIpFilter object.

    • int RevomeGlobalFilter(IPAddress *ip, int globalFilter)

      Remove a global filter from an interface. If no error, return 0.

    • CloseController()

      Remove and unbind all interfaces created.

  • TxIpFilter.

    The equivalent of PF_FILTER_DESCRIPTOR in packet filtering API. Define a filter rule. You can add as TxIpFilters as you want to TxFilterController.

Sample application

To test the class, I wrote a simple C# application that installs two rules: forbid all incoming ICMP traffic and forbid all outgoing HTTP traffic. You can see how I use my classes, seeing the code:

static void Main(string[] args) 
    TxFilterController fltCont = new TxFilterController();
    TxIpFilter flt = new TxIpFilter(); 

    // Not icmp traffic 
    // For    icmp traffic: 
    // source port = icmp type 
    // destination port = icmp code 
    flt.direction       = TxIpFilter.IN_DIRECTION; 
    flt.ipSource        = IPAddress.Any; 
    flt.maskSource      = IPAddress.Any; 
    flt.ipDestination   = IPAddress.Any; 
    flt.maskDestination = IPAddress.Any; 
    flt.protocol        = TxIpFilter.ICMP_PROTOCOL; 
    flt.sourcePort      = TxIpFilter.ANY_ICMP_TYPES; 
    flt.destinationPort = TxIpFilter.ANY_ICMP_TYPES; 
    fltCont.AddFilter(IPAddress.Parse(""), flt);

    // Not allow outgoing http traffic



Where can you use this class? You can use in applications where you can add easily, packet filtering functionality. You can use in a complete filtering application because this API is few flexible: you can only filter at IP and transport level (IPs, ports and protocol), don't filter at link level and don't filter at application level.

I don't know if you can use Packet Filtering API with Wan interfaces, because I don't have a modem to test. If you test it, please tell me the result.

And... that's all. I hope this class will be useful for somebody.


This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here


About the Author

Jesus Oliva
Chief Technology Officer
Spain Spain
To summarize: learn, learn, learn... and then try to remember something I.... I don't Know what i have to remember...

Comments and Discussions

QuestionBlock P2P and FTP traffic? Pin
jude_aj5-Nov-17 1:02
Memberjude_aj5-Nov-17 1:02 
QuestionThings have changed from windows vista onwards Pin
Dr Gadgit27-Jul-15 11:41
MemberDr Gadgit27-Jul-15 11:41 
QuestionI can't download the source code,why? Pin
cyl06162-Sep-12 16:43
Membercyl06162-Sep-12 16:43 
GeneralMy vote of 5 Pin
simviews1-Mar-12 19:26
Membersimviews1-Mar-12 19:26 
QuestionHow add multi-port in one rule? Pin
lamhung6-Oct-11 17:18
Memberlamhung6-Oct-11 17:18 
AnswerRe: How add multi-port in one rule? Pin
cyl06162-Sep-12 16:55
Membercyl06162-Sep-12 16:55 
Questionworks on windows? Pin
xsymail9-Jan-11 22:12
Memberxsymail9-Jan-11 22:12 
AnswerRe: works on windows? Pin
AlexandreDrouin19-Apr-11 18:02
MemberAlexandreDrouin19-Apr-11 18:02 
GeneralFilter works but i still get "connected" / "disconnected" on the server on destination IP Pin
qinta18-Nov-09 3:37
Memberqinta18-Nov-09 3:37 
GeneralConfused about code, no documentation Pin
Jordanwb7-Nov-09 12:27
MemberJordanwb7-Nov-09 12:27 
GeneralRe: Confused about code, no documentation Pin
Jordanwb7-Nov-09 12:46
MemberJordanwb7-Nov-09 12:46 
GeneralVery nice article and it helped me alot Pin
Srikanth. Vemulapalli7-May-09 4:36
MemberSrikanth. Vemulapalli7-May-09 4:36 
Generalplease correct this in your source code. the example do not work correctly because of this Pin
Christian Salazar15-Feb-09 6:49
MemberChristian Salazar15-Feb-09 6:49 
GeneralRe: please correct this in your source code. the example do not work correctly because of this Pin
Jordanwb7-Nov-09 12:22
MemberJordanwb7-Nov-09 12:22 
GeneralRe: please correct this in your source code. the example do not work correctly because of this Pin
Christian Salazar7-Nov-09 14:49
MemberChristian Salazar7-Nov-09 14:49 
GeneralDefault firewall rule:Disable everything Pin
gunnarJonsson28-Oct-08 2:05
MembergunnarJonsson28-Oct-08 2:05 
QuestionObtain packets Pin
Radu_2029-Sep-08 4:27
MemberRadu_2029-Sep-08 4:27 
QuestionRestricting web access through code Pin
Chuks Ogbechie12-Jul-07 5:40
MemberChuks Ogbechie12-Jul-07 5:40 
QuestionIs it possible to block a specific IP? Pin
Praveen Nair (NinethSense)21-Jun-07 3:48
MemberPraveen Nair (NinethSense)21-Jun-07 3:48 
AnswerRe: Is it possible to block a specific IP? Pin
pku200930-Dec-08 20:16
Memberpku200930-Dec-08 20:16 
GeneralHints Pin
balazs_hideghety19-Jun-07 19:56
Memberbalazs_hideghety19-Jun-07 19:56 
GeneralOddly not working (Windows XP SP2) Pin
Matt.J15-Apr-07 23:01
MemberMatt.J15-Apr-07 23:01 
GeneralRe: Oddly not working (Windows XP SP2) Pin
eic0906621-Apr-07 5:17
Membereic0906621-Apr-07 5:17 
GeneralRe: Oddly not working (Windows XP SP2) Pin
eic0906624-Apr-07 8:22
Membereic0906624-Apr-07 8:22 
GeneralCrash on Server 2003 Pin
jcarle20-Jan-07 18:50
Memberjcarle20-Jan-07 18:50 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.