ProtocolFilters is a library that classifies data packets provided on input, detects high-level protocols and allows filtering the classified objects. It is designed to work with NetFilter SDK API, but also can be used for parsing and filtering the network packets obtained from other sources. The library has a simple API, which can be used from C/C++/.NET/Delphi code.

Key features:
  • The library supports filtering outgoing HTTP, POP3, SMTP, SSL, FTP, NNTP, ICQ, XMPP and raw data.
  • The protocol is detected automatically by analyzing the first packets. Unsupported protocols are bypassed automatically. It is possible to allow the library to classify all outgoing network traffic and filter only classified protocols.
  • Proxy filter detects HTTPS, SOCKS v4/4a/5 proxies, including chained requests.
  • HTTP filter decodes the transmitted requests and responses, and allows filtering plain de-chunked and uncompressed HTTP data. It is possible to bypass the filtering or block some request or response by analyzing the initial bytes of transmitted content.
  • SSL filter decodes SSL v2/3 and TLS by generating a local certificate for each domain.
  • The filters for POP3, SMTP and NNTP protocols allow filtering the incoming and outgoing mail and news messages.
  • FTP protocol filter allows monitoring and modifying FTP commands, responses and transmitted data.
  • ICQ filter classifies OSCAR protocol, allows monitoring/modifying/blocking chat messages, file transfers and other data.
  • XMPP filter classifies Jabber protocol, allows monitoring/modifying/blocking chat messages, file transfers and other data.
  • It is possible to filter the unclassified content as raw buffers.
  • The filtering chain with protocol filters is created dynamically for each new connection. It is possible to apply different chains of filters with different filtering flags for the connections, after analyzing connection properties: process identifier, name and owner, local and remote addresses/ports.
Included samples:
  • Delphi\PFNetFilter - Delphi application that uses ProtocolFilters for filtering supported protocols.
  • CSharp\PFNetFilterCS - C# application that uses managed API for filtering supported protocols.
  • PFDump - filters outgoing TCP connections and saves classified objects to *.bin files.
  • PFHttpBlocker - Filters TCP connections and blocks HTTP content by URL and text body.
  • PFHttpContentFilter - Filters outgoing TCP connections and adds a prefix to the titles of HTML pages downloaded via HTTP.
  • PFMailFilter - Adds a prefix to the subjects of incoming messages, and blocks outgoing messages having the specified prefix in subject.