Differences between the SockFilter driver and WFP
SockFilter works at the highest possible kernel mode level, between user mode processes and the sockets layer (AFD).
It doesn’t support binding rules.
It doesn’t support IP packet level filtering.
It filters only the traffic of user mode processes. Traffic generated by kernel mode modules such as SMB bypasses the driver.
It filters the traffic of all user mode processes, including Metro applications and AppContainers.
The tcpConnectRequest event is also raised for inbound TCP connections, which allows filtering of such a connection to be skipped by assigning pConnInfo->filteringFlag = NF_ALLOW.
It is possible to inject TCP packets in both directions immediately after the connection is established, for example from the tcpConnected event. The WFP driver allows injection only after at least one packet in the appropriate direction has been seen in a callout.
Supported versions of Windows: 8/10/11 and appropriate server versions.
The advantages of the SockFilter driver
It has better compatibility with other network filters, for both UDP and TCP protocols.
It has better performance than other kinds of network filtering drivers.
It has access to unencrypted traffic before VPN clients and other packet level filters.
It is possible to run any number of SockFilter driver instances simultaneously under different names. There is no need for additional compatibility layers, unlike with the WFP driver.
There are no limitations on injecting TCP packets after the connection is established. This allows proxy clients to be implemented by redirecting the original connections to the required servers, without needing to redirect TCP connections to a local proxy.
The SockFilter user mode API (nfapi) is binary compatible with the nfapi component of the WFP drivers. Applications built with previous versions of nfapi can be used with the current nfapi.dll binaries without rebuilding them.
The disadvantages of the SockFilter driver
It doesn’t filter the system traffic generated by most kernel mode drivers.
It cannot support IP filtering.
It doesn’t support binding rules.
It doesn’t call udpConnectRequest.
The following filtering flags are not supported in rules:
NF_SUSPENDED = 4
NF_OFFLINE = 8
NF_FILTER_AS_IP_PACKETS = 128
NF_READONLY = 256
NF_BYPASS_IP_PACKETS = 2048
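Because nfapi is binary compatible, a rule set written for the WFP driver loads unchanged under SockFilter, and rules carrying the five flags above simply lose that behaviour. The following pre-flight check is an added example, not code from the SockFilter documentation or from nfapi: the flag values come from the list above, while the function names, the table and the sample rule value are this example's own.

```c
/* Added example: detect WFP-era rule flags that the SockFilter driver
 * does not honour. Flag values are those listed in the documentation;
 * the sockfilter_* helpers are hypothetical, not part of nfapi. */
#include <stdio.h>
#include <string.h>

/* Filtering flags documented as not supported in SockFilter rules. */
#define NF_SUSPENDED            4u
#define NF_OFFLINE              8u
#define NF_FILTER_AS_IP_PACKETS 128u
#define NF_READONLY             256u
#define NF_BYPASS_IP_PACKETS    2048u

#define SOCKFILTER_UNSUPPORTED_FLAGS \
    (NF_SUSPENDED | NF_OFFLINE | NF_FILTER_AS_IP_PACKETS | NF_READONLY | NF_BYPASS_IP_PACKETS)

static const struct { unsigned value; const char *name; } unsupported[] = {
    { NF_SUSPENDED,            "NF_SUSPENDED" },
    { NF_OFFLINE,              "NF_OFFLINE" },
    { NF_FILTER_AS_IP_PACKETS, "NF_FILTER_AS_IP_PACKETS" },
    { NF_READONLY,             "NF_READONLY" },
    { NF_BYPASS_IP_PACKETS,    "NF_BYPASS_IP_PACKETS" },
};

/* Subset of `flags` that SockFilter silently ignores; 0 means the rule is portable. */
unsigned sockfilter_unsupported_bits(unsigned flags) {
    return flags & SOCKFILTER_UNSUPPORTED_FLAGS;
}

/* Rule flags with the unsupported bits cleared, i.e. what SockFilter will actually apply. */
unsigned sockfilter_effective_flags(unsigned flags) {
    return flags & ~SOCKFILTER_UNSUPPORTED_FLAGS;
}

/* Writes the names of the ignored bits into buf (comma separated) and returns their count. */
int sockfilter_describe(unsigned flags, char *buf, size_t len) {
    unsigned bad = sockfilter_unsupported_bits(flags);
    int n = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof unsupported / sizeof unsupported[0]; i++) {
        if (bad & unsupported[i].value) {
            if (n++) strncat(buf, ",", len - strlen(buf) - 1);
            strncat(buf, unsupported[i].name, len - strlen(buf) - 1);
        }
    }
    return n;
}

int main(void) {
    /* Constructed sample rule: a filtering rule that also asks for IP-packet bypass. */
    unsigned flags = 2u | NF_BYPASS_IP_PACKETS;   /* 2 = NF_FILTER in nfapi (assumed) */
    char names[160];
    int n = sockfilter_describe(flags, names, sizeof names);
    printf("%d flag(s) ignored by SockFilter: %s\n", n, n ? names : "none");
    return n ? 1 : 0;
}
```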