Call this function to initialize an attachment with the hooking driver and set the event handler object. The library calls NF_EventHandler methods from a separate thread.
NF_STATUS nf_init(const char * driverName, NF_EventHandler * pHandler)


The name of network hooking driver, without ".sys" extension.
Pointer to NF_EventHandler object.

Return Values

NF_STATUS_SUCCESS on success, or other NF_STATUS error code on fail.


By default the driver uses NF_ALLOW filtering flag and doesn't filter the transmitted data. In this mode the library notifies API about creating and closing TCP connections (for TDI driver) and UDP sockets. To filter the transmitted packets add the filtering rules with necessary flags using the function nf_addRule.

The function returns NF_STATUS_FAIL in case if some other process is already attached to hooking driver. The driver doesn't allow multiple attachments. If additional process must filter the network data on the same system, it is possible to rename and register another copy of the driver, then use the new name in nf_init call from another process.

It is possible to call nf_setOptions before nf_init to specify additional parameters.


Driver type WFP, TDI
Header nfapi.h
Library nfapi.lib