Windows Filtering Platform user mode or kernel mode?
I am using the Windows Filtering Platform. I want to create a traffic filter (a security manager) which monitors packets and network events or blocks URLs... I know most of the WFP functions can be called from either user mode or kernel mode. I am wondering whether to write my filter by using kernel-mode functions or user-mode ones? Is there any kind of network action that can only be captured by using a kernel-mode driver? Please help me in this regard.

Thanks in advance for any help on the matter

Marilyn asked 31/8, 2012 at 8:46

Alexandre is correct, some things can only be done with kernel mode WFP callout drivers.

However, you might also want to look at my project WinDivert (LGPL) which lifts some WFP kernel-mode functionality (i.e. intercepting and modifying packets) into a user-mode API. WinDivert provides the callout driver for you.

Nitrite answered 24/10, 2012 at 15:42
Hey @basil, I tried WinDivert. I want to thank you for the great job you've done, but I'm afraid it doesn't support HTTPS! The webfilter demo app can't block URLs starting with https. - Crinose
Answered here: #23151635 - Nitrite

WFP Callouts can only be deployed using kernel mode drivers. As far as I know modifying packets (NAT, port forwarding, etc) can only be done using callouts on kernel mode drivers.

UPDATE:

  • A user-mode application may be used to do shallow packet inspection and some simple stream operations, as well as to control kernel-mode drivers.

  • Kernel-mode drivers may do deep and shallow packet inspection and all kinds of stream manipulation, but cannot interact with common applications without the use of user-mode applications implementing the WFP API.

Rack answered 4/10, 2012 at 16:35
I have read the introduction of WFP and Converting Components to Use WFP. I understand that a user-mode application or service can perform advanced TCP connection management, such as proxying, duplicating, or cloning connections. So, what is the difference between user mode and kernel mode? - Marilyn
A user-mode application may interact with and control kernel-mode drivers, but there are situations, such as deep packet inspection and modification, that can only be done through kernel-mode drivers implementing WFP callouts. - Rack
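An added example (not code from the thread or from either answerer) that makes the user-mode/kernel-mode split visible on a running host: it exports the installed WFP filters with `netsh wfp show filters` and sorts them by whether their action is a plain permit/block that the filter engine evaluates itself (installable from a user-mode application through the WFP management API) or an FWP_ACTION_CALLOUT_* action, which can only be satisfied by a kernel-mode callout driver registered for that layer. It assumes an elevated PowerShell prompt, and that netsh writes XML in which each `<item>` under `<filters>` carries `displayData/name`, `layerKey` and `action/type` (plus `action/calloutKey` for callout actions); the element names are taken from typical netsh output and are an assumption, not from the thread.

```powershell
# Added example, not from the thread: list WFP filters and flag the ones that
# depend on a kernel-mode callout. Run from an elevated prompt.
param(
    [string]$XmlPath = (Join-Path $env:TEMP 'wfp-filters.xml')
)

# Export the current filter set to XML (netsh needs administrator rights here).
& netsh.exe wfp show filters file="$XmlPath" | Out-Null
if (-not (Test-Path $XmlPath)) {
    throw "netsh did not write $XmlPath (run from an elevated prompt)"
}

# Assumed layout: <wfpdiag><filters><item>...</item></filters></wfpdiag>
[xml]$doc = Get-Content -Path $XmlPath -Raw

$rows = foreach ($item in $doc.wfpdiag.filters.item) {
    $actionType = [string]$item.action.type

    # FWP_ACTION_CALLOUT_* actions hand the decision to a callout, and callouts
    # exist only in kernel-mode drivers. FWP_ACTION_PERMIT / FWP_ACTION_BLOCK are
    # decided by the filter engine itself and need no driver from the installer.
    $needsKernel = $actionType -like 'FWP_ACTION_CALLOUT_*'

    [pscustomobject]@{
        Name        = [string]$item.displayData.name
        Layer       = [string]$item.layerKey
        Action      = $actionType
        CalloutKey  = if ($needsKernel) { [string]$item.action.calloutKey } else { '' }
        NeedsKernel = $needsKernel
    }
}

# Summary: engine-only filters vs callout-backed filters.
$rows | Group-Object NeedsKernel | ForEach-Object {
    $label = if ($_.Name -eq 'True') { 'callout-backed:' } else { 'engine-only:' }
    '{0,-16} {1}' -f $label, $_.Count
}

# Detail: every filter that cannot be served without a kernel-mode callout,
# grouped by the callout it references so third-party drivers stand out.
$rows | Where-Object NeedsKernel |
    Sort-Object CalloutKey, Layer |
    Format-Table Name, Layer, Action, CalloutKey -AutoSize
```

Reading the output alongside the answer above: anything in the callout-backed list is functionality that had to be shipped as a kernel-mode driver (deep inspection, packet modification), while the engine-only filters are the kind a user-mode service can add and remove on its own. An unfamiliar callout key in that list is also a reasonable thing for a defender to check, since it means a driver is sitting in the packet path.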