Network Filtering Performance

I am looking for network filtering capabilities and I am unable to find performance numbers for the possible technologies. Has anybody tested it?

I am looking for this:

  • Is the MS Passthru sample for NDIS 5.1 the fastest solution for an NDIS 5.1 Intermediate, or can it be sped up somehow?
  • How does the performance of an NDIS 5.1 intermediate compare with the Windows Filtering Platform?

PASSTHRU is not designed for maximum performance. PASSTHRU is designed to be easy to read, understand, and modify. There are certainly “tricks” you can use to get more performance out of PASSTHRU. But first make sure that that is the right thing to do.

On Windows Vista and later, WFP is significantly faster than any IM driver. Off the top of my head:

  • A WFP callout only touches the packets you care about (e.g., if you only care about incoming TCP port 80, you’ll only see those packets). On the other hand, an IM driver sits in the path of EVERY packet.
  • NDIS 5.1 IM drivers use the legacy NDIS_PACKET datapath. This means NDIS has to convert its native NBLs to NDIS_PACKETs for the IM driver, then convert the NDIS_PACKETs back to NBLs when the IM driver is done. WFP natively uses NBLs directly, so there’s no conversion overhead.
  • Because NDIS 5 IM drivers use the legacy NDIS_PACKET format, they can’t take advantage of the scalability of NBLs: it’s harder to manipulate many packets at a time.
  • If there are multiple IM drivers in the stack (more than 2, and Windows XP comes with 1 already), you may end up having to allocate a new packet for each receive indication. In contrast, you can have a large number of WFP callouts without needing to allocate extra packet bookkeeping on the datapath.
  • We (Microsoft) stopped trying to improve NDIS 5 a decade ago. However, we’ve relentlessly pursued performance improvements for WFP and NDIS 6.x. Our internal performance benchmarks all use WFP and NDIS 6.x, and that’s where we spend all our time. The operating system doesn’t use NDIS 5.1 IM drivers anymore, because the perf overhead would be so bad.

Additionally, WFP is significantly easier for you to write. That means that you’ll spend less time debugging strange deadlocks, and you’ll have more time to spend tuning your own performance (or more time to go home early ;) ).

If you are targeting Windows XP, then you have no choice: WFP is not supported on that platform, and you must use an NDIS 5.x IM driver or TDI.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@xacti.com
Sent: Tuesday, January 17, 2012 7:35 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Network Filtering Performance

I am looking for network filtering capabilities and I am unable to find performance numbers for the possible technologies. Has anybody tested it?

I am looking for this:

  • Is the MS Passthru sample for NDIS 5.1 the fastest solution for an NDIS 5.1 Intermediate, or can it be sped up somehow?
  • How does the performance of an NDIS 5.1 intermediate compare with the Windows Filtering Platform?


> - Is the MS Passthru sample for NDIS 5.1 the fastest solution for an NDIS 5.1 Intermediate, or can it be sped up somehow?

Are you concerned about some specific aspect of the performance characteristics of PASSTHRU? In its NDIS5.1 (with packet stacking enabled) form, it is about as efficient as it can be in terms of ‘doing nothing’ given the nature of NDIS5.

Comparing it to WFP is an apples to oranges comparison. If you have the option of using WFP (or even an NDIS6 LWF driver) then you should not even look at PASSTHRU. If you have to target NT5 then you do not need to compare the solution to WFP since it is not a choice on NT5. If you have to target *both* platforms then seriously consider doing whatever you are doing in two separate driver implementations. If the problem is inherently a ‘layer 2’ (Ethernet) problem, then an NDIS IM and NDIS LWF are appropriate. If the problem is inherently ‘layer 3’ (IP) then WFP on NT6 and, well, good luck on NT5. Again, the IM driver is a choice. With careful planning you can often build the ‘core’ of your processing with largely shared code that is agnostic with respect to how it gets access to the packet data.

Good luck,
Dave Cattley