Netgroup Packet Filter driver: what it is
This section documents the internals of the Netgroup Packet Filter (NPF), the kernel portion of WinPcap. Normal users are probably interested in how to use WinPcap and not in its internal structure. Therefore the information in this module is intended mainly for WinPcap developers and maintainers, or for people interested in how the driver works. In particular, a good knowledge of operating systems, networking, Win32 kernel programming and device driver development is required to profitably read this section.
NPF is the WinPcap component that does the hard work, processing the packets that transit on the network and exporting capture, injection and analysis capabilities to user-level.
The following paragraphs will describe the interaction of NPF with the OS and its basic structure.
NPF and NDIS
NDIS (Network Driver Interface Specification) is a standard that defines the communication between a network adapter (or, better, the driver that manages it) and the protocol drivers (which implement, for example, TCP/IP). The main purpose of NDIS is to act as a wrapper that allows protocol drivers to send and receive packets on a network (LAN or WAN) without depending on either the particular adapter or the particular Win32 operating system.
NDIS supports three types of network drivers:
- Network interface card or NIC drivers. NIC drivers directly manage network interface cards, referred to as NICs. The NIC drivers interface directly to the hardware at their lower edge and at their upper edge present an interface to allow upper layers to send packets on the network, to handle interrupts, to reset the NIC, to halt the NIC and to query and set the operational characteristics of the driver. NIC drivers can be either miniports or legacy full NIC drivers.
  - Miniport drivers implement only the hardware-specific operations necessary to manage a NIC, including sending and receiving data on the NIC. Operations common to all lowest-level NIC drivers, such as synchronization, are provided by NDIS. Miniports do not call operating system routines directly; their interface to the operating system is NDIS. A miniport does not keep track of bindings. It merely passes packets up to NDIS, and NDIS makes sure that these packets are passed to the correct protocols.
  - Full NIC drivers have been written to perform both hardware-specific operations and all the synchronization and queuing operations usually done by NDIS. Full NIC drivers, for instance, maintain their own binding information for indicating received data.
- Intermediate drivers. Intermediate drivers interface between an upper-level driver such as a protocol driver and a miniport. To the upper-level driver, an intermediate driver looks like a miniport. To a miniport, the intermediate driver looks like a protocol driver. An intermediate driver can layer on top of another intermediate driver, although such layering could have a negative effect on system performance. A typical reason for developing an intermediate driver is to perform media translation between an existing legacy protocol driver and a miniport that manages a NIC for a new media type unknown to the protocol driver. For instance, an intermediate driver could translate from a LAN protocol to the ATM protocol. An intermediate driver cannot communicate with user-mode applications, but only with other NDIS drivers.
- Transport drivers or protocol drivers. A protocol driver implements a network protocol stack such as IPX/SPX or TCP/IP, offering its services over one or more network interface cards. A protocol driver services application-layer clients at its upper edge and connects to one or more NIC drivers or intermediate NDIS drivers at its lower edge.
NPF is implemented as a protocol driver. This is not the best possible choice from the performance point of view, but it allows reasonable independence from the MAC layer as well as complete access to the raw traffic.
Notice that the various Win32 operating systems have different versions of NDIS: NPF is NDIS 5 compliant under Windows 2000 and its derivatives (like Windows XP), and NDIS 3 compliant on the other Win32 platforms.
The next figure shows the position of NPF inside the NDIS stack:
Figure 1: NPF inside NDIS.
The interaction with the OS is normally asynchronous. This means that the driver provides a set of callback functions that are invoked by the system when some operation is required of NPF. NPF exports callback functions for all the I/O operations of the applications: open, close, read, write, ioctl, etc.
The interaction with NDIS is asynchronous as well: events like the arrival of a new packet are signalled to NPF through a callback function (Packet_tap() in this case). Furthermore, the interaction with NDIS and the NIC driver always takes place by means of non-blocking functions: when NPF invokes an NDIS function, the call returns immediately; when the processing ends, NDIS invokes a specific NPF callback to report that the function has finished. The driver exports a callback for every low-level operation, like sending packets, setting or requesting parameters on the NIC, etc.
NPF structure basics
The next figure shows the structure of WinPcap, with particular reference to the NPF driver.
Figure 2: NPF device driver.
NPF is able to perform a number of different operations: capture, monitoring, dump to disk and packet injection. The following paragraphs briefly describe each of these operations.
Packet Capture
The most important operation of NPF is packet capture. During a capture, the driver sniffs the packets using a network interface and delivers them intact to the user-level applications.
The capture process relies on two main components:
The size of the user buffer is very important because it determines the maximum amount of data that can be copied from kernel space to user space within a single system call. On the other hand, the minimum amount of data that can be copied in a single call is also extremely important. With a large value for this parameter, the kernel waits for the arrival of several packets before copying the data to the user. This guarantees a low number of system calls, i.e. low processor usage, which is a good setting for applications like sniffers. Conversely, a small value means that the kernel will copy the packets as soon as the application is ready to receive them. This is excellent for real-time applications (like, for example, ARP redirectors or bridges) that need the best responsiveness from the kernel. From this point of view, the behavior of NPF is configurable, allowing users to choose between best efficiency and best responsiveness (or any intermediate setting).
The wpcap library includes a couple of calls that can be used to set both the timeout after which a read expires and the minimum amount of data copied to the application in a single call. By default, the read timeout is 1 second, and the minimum amount of data copied between the kernel and the application is 16K.
Packet injection
NPF allows an application to write raw packets to the network. To send data, a user-level application performs a WriteFile() system call on the NPF device file. The data is sent to the network as is, without encapsulating it in any protocol, so the application has to build the various headers for each packet. The application usually does not need to generate the FCS because it is calculated by the network adapter hardware and attached automatically at the end of the packet before it is sent to the network.
In normal situations, the rate at which packets are sent to the network is not very high because each packet requires a system call. For this reason, the possibility of sending a single packet more than once with a single write system call has been added. The user-level application can set, with an IOCTL call (code pBIOCSWRITEREP), the number of times a single packet will be repeated: for example, if this value is set to 1000, every raw packet written by the application to the driver's device file will be sent 1000 times. This feature can be used to generate high-speed traffic for testing purposes: the context-switch overhead is no longer present, so performance is remarkably better.
Network monitoring
WinPcap offers a kernel-level programmable monitoring module, able to calculate simple statistics on the network traffic. The idea behind this module is shown in Figure 2: the statistics can be gathered without the need to copy the packets to the application, which simply receives and displays the results obtained from the monitoring engine. This avoids a large part of the capture overhead in terms of memory and CPU cycles.
The monitoring engine is made of a classifier followed by a counter. The packets are classified using the filtering engine of NPF, which provides a configurable way to select a subset of the traffic. The data that pass the filter go to the counter, which keeps some variables like the number of packets and the amount of bytes accepted by the filter and updates them with the data of the incoming packets. These variables are passed to the user-level application at regular intervals whose period can be configured by the user. No buffers are allocated at kernel or user level.
Dump to disk
The dump to disk capability can be used to save the network data to disk directly from kernel mode.
Figure 3: packet capture versus kernel-level dump.
In traditional systems, the path covered by the packets that are saved to disk is the one followed by the black arrows in Figure 3: every packet is copied several times, and normally 4 buffers are allocated: that of the capture driver, the one in the application that keeps the captured data, that of the stdio functions (or similar) used by the application to write to the file, and finally that of the file system.
When the kernel-level traffic logging feature of NPF is enabled, the capture driver addresses the file system directly, hence the path covered by the packets is the one of the red dotted arrow: only two buffers and a single copy are necessary, the number of system calls is drastically reduced, and therefore the performance is considerably better.
The current implementation dumps to disk in the widely used libpcap format. It also allows the traffic to be filtered before the dump, so as to select the packets that will be written to disk.
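As an added example (not WinPcap/NPF code), the following reads a libpcap-format dump such as the one the kernel-level dump writes, then runs a classifier-plus-counter pass over it in the spirit of the monitoring engine described above: packets that pass the filter are only counted per interval, never copied out. The capture it parses is constructed inline; the filter and interval are assumptions chosen for the demonstration.

```python
"""libpcap-format reader (the format NPF's kernel dump writes) plus a
classifier-and-counter pass like the NPF monitoring engine: packets that
pass the filter are only counted, never copied out. Added example, not
WinPcap/NPF code; the capture is constructed inline."""
import struct
from collections import namedtuple
from typing import Callable, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap magic (microsecond stamps)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
LINKTYPE_ETHERNET = 1

# incl_len: bytes stored (capped by snaplen); orig_len: bytes on the wire
Record = namedtuple("Record", "ts_sec ts_usec incl_len orig_len data")


def parse_pcap(blob: bytes) -> Tuple[dict, List[Record]]:
    """Return (global header fields, records). Byte order comes from the
    magic; truncated or inconsistent records raise instead of misparsing."""
    if len(blob) < 24:
        raise ValueError("too short for a pcap global header")
    if struct.unpack("<I", blob[:4])[0] == PCAP_MAGIC:
        end = "<"
    elif struct.unpack(">I", blob[:4])[0] == PCAP_MAGIC:
        end = ">"
    else:
        raise ValueError("not a libpcap file (unknown magic)")
    fields = struct.unpack(end + "HHiIII", blob[4:24])
    header = dict(zip(("version_major", "version_minor", "thiszone",
                       "sigfigs", "snaplen", "linktype"), fields))
    records: List[Record] = []
    off = 24
    while off < len(blob):
        if len(blob) - off < 16:
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            end + "IIII", blob[off:off + 16])
        off += 16
        if incl_len > header["snaplen"] or incl_len > orig_len:
            raise ValueError(f"inconsistent lengths at offset {off - 16}")
        if len(blob) - off < incl_len:
            raise ValueError(f"truncated packet data at offset {off}")
        records.append(Record(ts_sec, ts_usec, incl_len, orig_len,
                              blob[off:off + incl_len]))
        off += incl_len
    return header, records


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_pcap(blob)
        return True
    except ValueError:
        return False


def ethertype(frame: bytes) -> int:
    """EtherType of an Ethernet II frame, or -1 if the header is missing."""
    return struct.unpack("!H", frame[12:14])[0] if len(frame) >= 14 else -1


def is_ipv4(frame: bytes) -> bool:
    return ethertype(frame) == ETHERTYPE_IPV4


def monitor(records: List[Record], accept: Callable[[bytes], bool],
            interval_s: int) -> List[Tuple[int, int, int]]:
    """Classifier followed by a counter. Returns one (interval_start,
    packets, bytes) triple per interval from the first to the last record;
    bytes are wire lengths (orig_len), so snaplen truncation of the stored
    copy does not distort the statistic."""
    if not records:
        return []
    counts: dict = {}
    for r in records:
        if accept(r.data):
            bucket = (r.ts_sec // interval_s) * interval_s
            pkts, nbytes = counts.get(bucket, (0, 0))
            counts[bucket] = (pkts + 1, nbytes + r.orig_len)
    first = (records[0].ts_sec // interval_s) * interval_s
    last = (records[-1].ts_sec // interval_s) * interval_s
    return [(b, *counts.get(b, (0, 0)))
            for b in range(first, last + 1, interval_s)]


def eth_frame(etype: int, payload_len: int) -> bytes:
    """Constructed Ethernet frame: broadcast dst, locally administered src."""
    return (b"\xff" * 6 + bytes.fromhex("020000000001")
            + struct.pack("!H", etype) + bytes(payload_len))


def build_sample_pcap(snaplen: int = 96, end: str = "<") -> bytes:
    """Constructed 4-packet capture; the last frame exceeds snaplen, so its
    stored copy is shorter than its wire length, as in a real dump."""
    out = [struct.pack(end + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen,
                       LINKTYPE_ETHERNET)]
    for sec, usec, frame in [(0, 0, eth_frame(ETHERTYPE_IPV4, 46)),
                             (0, 500000, eth_frame(ETHERTYPE_ARP, 28)),
                             (1, 100000, eth_frame(ETHERTYPE_IPV4, 100)),
                             (2, 0, eth_frame(ETHERTYPE_IPV4, 1486))]:
        stored = frame[:snaplen]
        out.append(struct.pack(end + "IIII", sec, usec, len(stored), len(frame)))
        out.append(stored)
    return b"".join(out)
```

Running `monitor(parse_pcap(build_sample_pcap())[1], is_ipv4, 1)` yields one (second, packets, bytes) triple per second, which is the kind of result the kernel counter hands to the application instead of the packets themselves.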
Further reading
The structure of NPF and its filtering engine derive directly from those of the BSD Packet Filter (BPF), so if you are interested in the subject you can read the following papers:
- S. McCanne and V. Jacobson, "The BSD Packet Filter: A New Architecture for User-level Packet Capture", Proceedings of the 1993 Winter USENIX Technical Conference (San Diego, CA, Jan. 1993), USENIX.
- A. Begel, S. McCanne and S. L. Graham, "BPF+: Exploiting Global Data-flow Optimization in a Generalized Packet Filter Architecture", Proceedings of ACM SIGCOMM '99 (Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications), pages 123-134, August 30 - September 3, 1999, Cambridge, USA.
The code documented in this manual is the one of the Windows NTx version of NPF. The Windows 9x code is very similar, but it is less efficient and lacks advanced features like kernel-mode dump.
The genuine file is one of the components of the WinPcap software developed by Riverbed.
Npf.sys is a driver in Windows. A driver is a small program that lets the computer interact with hardware and devices. This means that the driver has direct access to the internals of the operating system, to the hardware, and so on.
The free file-information forum can help you work out whether npf.sys is a virus, trojan, spyware or adware that you can remove, or whether the file belongs to the Windows system or to an application that can be trusted.
- Use the Windows Tweaker program (Настройщик Windows) to find the cause of problems, including slow computer performance.
- Update the npf.sys Kernel Driver program. The update can be found on the manufacturer's website (link given below).
- The following items describe how npf.sys works.
File information for npf.sys
Description: npf.sys is not essential for Windows and often causes problems. Npf.sys is located in the folder C:\Windows\System32\drivers. The following file sizes are known for Windows 10/8/7/XP: 35,088 bytes (60% of all cases), 36,600 bytes, 42,000 bytes, 34,064 bytes or 30,336 bytes.
The driver can be enabled and disabled from Control Panel - Services or by other programs. The process has no visible window. The process has no detailed description. It is not a Windows file. It is a file signed by Verisign. It carries a digital signature. npf.sys appears to be a compressed file. The technical trust rating is therefore 22% dangerous.
Important: Some malware disguises itself as npf.sys. You should therefore check the npf.sys file on your PC to determine whether it is a threat. We recommend Security Task Manager for checking the security of your computer.
User comment
Most of the nicest hacker gadgets don't work without WinPcap. So the presence of WINDOWS\System32\drivers\npf.sys together with the absence of the files wpcap.dll, Packet.dll and pthreadVC.dll in WINDOWS\system32\ is a sign that you've been hacked. In that case it is better to kill the npf.sys file and clean the registry of "NetGroup Packet Filter Driver". (additional information) hotabych |
Summary: Average rating by the site's users for the npf.sys file: - based on 2 votes with 2 reviews.
59 users have asked about this file. 2 users rated it as seemingly dangerous.
Best practices for fixing problems with npf
A clean and tidy computer is the main requirement for avoiding problems with npf. This means regularly scanning the computer for viruses, cleaning the hard disk using cleanmgr and sfc /scannow, uninstalling programs that are no longer needed, checking the programs that run at Windows startup (using msconfig), and enabling Windows Automatic Updates. Always remember to make periodic backups, or at the very least to create restore points.
If you have a current problem, try to recall what you did most recently, or the last program you installed before the problem first appeared. Use the resmon command to identify the process that is causing the problem. Even if you have serious problems with the computer, before reinstalling Windows it is better to try to repair the integrity of the OS installation or, for Windows 8 and later versions of Windows, to run the command DISM.exe /Online /Cleanup-image /Restorehealth. This restores the operating system without data loss.
The following programs can help you analyze the npf.sys process on your computer: Security Task Manager displays all running Windows tasks, including built-in hidden processes such as keyboard and browser monitoring or autostart entries. A unique security risk rating indicates the likelihood that a process is potentially dangerous spyware, a virus or a trojan. Malwarebytes Anti-Malware detects and removes dormant spyware, adware, trojans, keyloggers, malware and trackers from your hard disk.
npf scanner
Security Task Manager shows all running Windows services, including embedded hidden applications (for example, keyboard or browser monitoring, auto-login). A unique trust rating indicates the likelihood that the process is potentially malicious spyware, a keylogger or a trojan.
The free antivirus finds and removes inactive spyware, adware, trojans, keyloggers, malware and tracking programs from your hard disk. An ideal complement to Security Task Manager.
Reimage: free scanning, cleaning, repair and optimization of your system.
Npf.sys uses the SYS file extension, which is more specifically known as an npf.sys (NT5/6 AMD64) Kernel Driver file. It is classified as a Win64 EXE (Driver) file, created for WinPcap by Xi Software.
The first version of npf.sys for Easy WiFi Radar 1.05 was seen on 10/01/2007 in Windows 10. The latest version update [v4.1.0.2980] for Net Transport was 2.96L released on 07/21/2017. Npf.sys is packaged with Net Transport 2.96L, Streaming Video Recorder 6.2.4, and VSO Downloader 5.0.1.61.
Continue reading below to discover detailed file information, SYS file troubleshooting, and free downloads of several versions of npf.sys.
File Analysis Provided by Jason Geater (Author)
Compatible with Windows 10, 8, 7, Vista, XP and 2000
Developer and Software Information | |
---|---|
Software Developer: | Riverbed Technology, Inc. |
Software Program: | WinPcap |
Legal Copyright: | Copyright © 2010-2013 Riverbed Technology, Inc. Copyright © 2005-2010 CACE Technologies. Copyright © 1999-2005 NetGroup, Politecnico di Torino. |
File Details | |
---|---|
Character Set: | Unicode |
Language Code: | Neutral |
File Flags: | (none) |
File Flags Mask: | 0x003f |
Entry Point: | 0x9008 |
Code Size: | 22016 |
File Info | Description |
---|---|
File Size: | 36 kB |
File Modification Date/Time: | 2020:02:21 09:40:19+00:00 |
File Type: | Win64 EXE |
MIME Type: | application/octet-stream |
Machine Type: | AMD AMD64 |
Time Stamp: | 2013:03:01 01:31:24+00:00 |
PE Type: | PE32+ |
Linker Version: | 8.0 |
Code Size: | 22016 |
Initialized Data Size: | 6144 |
Uninitialized Data Size: | 0 |
Entry Point: | 0x9008 |
OS Version: | 6.0 |
Image Version: | 6.0 |
Subsystem Version: | 6.0 |
Subsystem: | Native |
File Version Number: | 4.1.0.2980 |
Product Version Number: | 4.1.0.2980 |
File Flags Mask: | 0x003f |
File Flags: | (none) |
File OS: | Windows NT 32-bit |
Object File Type: | Driver |
File Subtype: | 7 |
Language Code: | Neutral |
Character Set: | Unicode |
Company Name: | Riverbed Technology, Inc. |
File Description: | npf.sys (NT5/6 AMD64) Kernel Driver |
File Version: | 4.1.0.2980 |
Internal Name: | NPF + TME |
Legal Copyright: | Copyright © 2010-2013 Riverbed Technology, Inc. Copyright © 2005-2010 CACE Technologies. Copyright © 1999-2005 NetGroup, Politecnico di Torino. |
Product Name: | WinPcap |
Product Version: | 4.1.0.2980 |
Legal Trademarks: | |
✻ Portions of file data provided by Exiftool (Phil Harvey) distributed under the Perl Artistic License.
Npf.sys Blue Screen of Death (BSOD) Errors
There are a number of reasons why you could be encountering issues with npf.sys. Most of the issues concerning SYS files involve Blue Screen of Death (BSOD) errors. These types of npf.sys errors can be caused by hardware problems, outdated firmware, corrupt drivers, or other software-related issues (e.g. a Net Transport update). Some of these errors include:
- npf.sys could not be found.
- npf.sys failed to load.
- The file npf.sys is missing or corrupt.
- Windows failed to start - npf.sys.
A problem has been detected and Windows has been shut down to prevent damage to your computer. The problem seems to be caused by the following file: npf.sys.
:( Your PC ran into a problem that it couldn't handle, and now needs to restart. You can search for the error online: [BSOD] (npf.sys).
STOP 0x0000007E: SYSTEM THREAD EXCEPTION NOT HANDLED (npf.sys)
STOP 0x0000007A: KERNEL DATA INPAGE (npf.sys)
STOP 0x00000050: PAGE FAULT IN A NONPAGED AREA (npf.sys)
STOP 0x0000000A: IRQL NOT LESS EQUAL (npf.sys)
STOP 0x0000003B: SYSTEM SERVICE EXCEPTION (npf.sys)
STOP 0x0000001E: KMODE EXCEPTION NOT HANDLED (npf.sys)
It's Critical to Resolve Blue Screen of Death Errors
In the majority of cases, you will encounter npf.sys BSOD errors after you've installed new hardware, software (Net Transport), or performed a failed Windows Update. In other cases, software corruption caused by a malware infection can lead to npf.sys Blue Screen of Death errors. Therefore, it's critical to make sure your anti-virus is kept up-to-date and scanning regularly.
GEEK TIP : As a rule of thumb, it's always a good idea to create a Windows "Snapshot" backup / System Restore Point before making any hardware or software changes to your computer. That way, it's very easy to restore your system in the unfortunate event you encounter a npf.sys Blue Screen of Death error after recent changes.
If you're encountering one of the error messages above, follow these troubleshooting steps to resolve your npf.sys issue. These troubleshooting steps are listed in the recommended order of execution.
Step 1: Restore your PC back to the latest restore point, "snapshot", or backup image before error occurred.
To begin System Restore (Windows XP, Vista, 7, 8, and 10):
- Hit the Windows Start button
- When you see the search box, type "System Restore" and press "ENTER".
- In the search results, find and click System Restore.
- Please enter the administrator password (if applicable / prompted).
- Follow the steps in the System Restore Wizard to choose a relevant restore point.
- Restore your computer to that backup image.
If Step 1 fails to resolve the npf.sys error, please proceed to Step 2 below.
Step 2: If you recently installed Net Transport (or related software), uninstall it and then try reinstalling the Net Transport software.
You can uninstall Net Transport software by following these instructions (Windows XP, Vista, 7, 8, and 10):
- Hit the Windows Start button
- In the search box, type "Uninstall" and press "ENTER".
- In the search results, find and click "Add or Remove Programs"
- Find the entry for Net Transport 2.96L and click "Uninstall"
- Follow the prompts for uninstallation.
After the software has been fully uninstalled, restart your PC and reinstall Net Transport software.
If Step 2 fails as well, please proceed to Step 3 below.
Step 3: Perform a Windows Update.
When the first two steps haven't solved your issue, it might be a good idea to run Windows Update. Many npf.sys error messages that are encountered can be attributed to an outdated Windows operating system. To run Windows Update, please follow these easy steps:
- Hit the Windows Start button
- In the search box, type "Update" and press "ENTER".
- In the Windows Update dialog box, click "Check for Updates" (or similar button depending on your Windows version)
- If updates are available for download, click "Install Updates".
- After the update is completed, restart your PC.
If Windows Update failed to resolve the npf.sys error message, please proceed to next step. Please note that this final step is recommended for advanced PC users only.
If none of the previous three troubleshooting steps has resolved your issue, you can try a more aggressive approach (Note: not recommended for amateur PC users) by downloading and replacing the appropriate version of your npf.sys file. We maintain a comprehensive database of 100% malware-free npf.sys files for every applicable version of Net Transport. Please follow the steps below to download and properly replace your file:
- Locate your Windows operating system version in the "Download npf.sys Files" list below.
- Click the appropriate "Download Now" button and download your Windows file version.
- Copy this file to the appropriate Net Transport folder location:
Windows 10: C:\Windows\System32\drivers\
Windows 10: C:\Windows\SysWOW64\drivers\
If this final step has failed and you're still encountering the error, your only remaining option is to do a clean installation of Windows 10.
GEEK TIP : We must emphasize that reinstalling Windows will be a very time-consuming and advanced task to resolve npf.sys problems. To avoid data loss, you must be sure that you have backed-up all of your important documents, pictures, software installers, and other personal data before beginning the process. If you are not currently backing up your data, you need to do so immediately.
The development of the Microsoft® Windows® Operating System by Microsoft prompted the creation of the latest version of the WdFilter.sys file. It is also known as the Microsoft antimalware file system filter driver file (SYS extension), which is classified as a Win32 EXE (Driver) file.
The WdFilter.sys file was first released for Windows 8 on 08/01/2012 with Windows 8. On 07/29/2015 version 4.11.15063.0 (WinBuild.160101.0800) was released for Windows 10. The WdFilter.sys file ships with Windows 10, Windows 8.1 and Windows 8.
Below you will find comprehensive file details, instructions for simple troubleshooting of SYS file problems, and a list of free WdFilter.sys downloads for each available version of the file.
Compatible with Windows 10, 8, 7, Vista, XP and 2000
Developer and Software Information | |
---|---|
Software Developer: | Microsoft Corporation |
Software Program: | Microsoft® Windows® Operating System |
Legal Copyright: | © Microsoft Corporation. All rights reserved. |
File Details | |
---|---|
Character Set: | Unicode |
Language Code: | English (U.S.) |
File Flags: | (none) |
File Flags Mask: | 0x003f |
Entry Point: | 0x31000 |
Code Size: | 203264 |
File Info | Description |
---|---|
File Size: | 237 kB |
File Modification Date/Time: | 2017:03:18 18:18:26+00:00 |
File Inode Change Date/Time: | 2017:11:05 07:07:54+00:00 |
File Type: | Win32 EXE |
MIME Type: | application/octet-stream |
Machine Type: | Intel 386 or later, and compatibles |
Time Stamp: | 1970:07:17 23:18:10+00:00 |
PE Type: | PE32 |
Linker Version: | 14.10 |
Code Size: | 203264 |
Initialized Data Size: | 30720 |
Uninitialized Data Size: | 0 |
Entry Point: | 0x31000 |
OS Version: | 10.0 |
Image Version: | 10.0 |
Subsystem Version: | 6.2 |
Subsystem: | Native |
File Version Number: | 4.11.15063.0 |
Product Version Number: | 4.11.15063.0 |
File Flags Mask: | 0x003f |
File Flags: | (none) |
File OS: | Windows NT 32-bit |
Object File Type: | Driver |
File Subtype: | 0 |
Language Code: | English (U.S.) |
Character Set: | Unicode |
Company Name: | Microsoft Corporation |
File Description: | Microsoft antimalware file system filter driver |
File Version: | 4.11.15063.0 (WinBuild.160101.0800) |
Internal Name: | WdFilter |
Legal Copyright: | © Microsoft Corporation. All rights reserved. |
Original File Name: | WdFilter.sys |
Product Name: | Microsoft® Windows® Operating System |
Product Version: | 4.11.15063.0 |
✻ Portions of file data provided by Exiftool (Phil Harvey) distributed under the Perl Artistic License.
WdFilter.sys Blue Screen of Death (BSOD) Errors
There are a number of reasons why you may encounter problems with WdFilter.sys. Most problems with SYS files involve Blue Screen of Death (BSOD) errors. These types of WdFilter.sys errors can be caused by hardware problems, outdated firmware, corrupt drivers, or other software-related issues (e.g. a Windows update). These errors include:
- WdFilter.sys could not be found.
- WdFilter.sys failed to load.
- The file WdFilter.sys is missing or corrupt.
- Windows failed to start - WdFilter.sys.
A problem has been detected and Windows has been shut down to prevent damage to your computer. The problem seems to be caused by the following file: WdFilter.sys.
:( Your PC ran into a problem that it couldn't handle, and now needs to restart. You can search for the error online: [BSOD] (WdFilter.sys).
STOP 0x0000001E: KMODE EXCEPTION NOT HANDLED (WdFilter.sys)
STOP 0x0000007E: SYSTEM THREAD EXCEPTION NOT HANDLED (WdFilter.sys)
STOP 0x00000050: PAGE FAULT IN A NONPAGED AREA (WdFilter.sys)
STOP 0x0000003B: SYSTEM SERVICE EXCEPTION (WdFilter.sys)
STOP 0x0000000A: IRQL NOT LESS EQUAL (WdFilter.sys)
STOP 0x0000007A: KERNEL DATA INPAGE (WdFilter.sys)
It's Critical to Resolve Blue Screen of Death Errors
In the majority of cases, WdFilter.sys BSOD errors occur after installing new hardware or software (Windows), or after a failed Windows Update. In other cases, software corruption caused by a malware infection can lead to WdFilter.sys Blue Screen of Death errors. It is therefore critical to keep your anti-virus up to date and scanning regularly.
GEEK TIP: As a rule of thumb, it is always a good idea to create a Windows backup and/or System Restore Point before making any hardware or software changes to your computer. That way, in the unfortunate event that a WdFilter.sys Blue Screen of Death error appears after recent changes, the system can be restored to its previous state.
Step 1: Restore your PC to the latest restore point, "snapshot", or backup image that precedes the appearance of the error.
To begin System Restore (Windows XP, Vista, 7, 8 and 10):
If Step 1 fails to resolve the WdFilter.sys error, proceed to Step 2 below.
Step 2: Run System File Checker to restore the corrupt or missing WdFilter.sys file.
System File Checker is a utility included with every version of Windows that lets you scan for and restore corrupt system files. Use SFC to fix missing or corrupt WdFilter.sys files (Windows XP, Vista, 7, 8 and 10):
Be aware that this scan may take some time, so be patient while it runs.
If Step 2 also fails to resolve the WdFilter.sys error, proceed to Step 3 below.
Step 3: Perform a Windows Update.
If none of the previous three troubleshooting steps has resolved the problem, you can try a more aggressive approach (note: not recommended for novice PC users) by downloading and replacing the appropriate version of the WdFilter.sys file. We maintain a comprehensive database of 100% malware-free WdFilter.sys files for every applicable version of Windows. To download and properly replace the file, follow these steps:
Windows 10: C:\Windows\System32\drivers\
Windows 8.1: C:\Windows\System32\drivers\
Windows 8: C:\Windows\System32\drivers\
If this final step has failed and the error is still not resolved, your only remaining option is to perform a clean installation of Windows 10.
GEEK TIP: We must emphasize that reinstalling Windows is a very time-consuming and advanced task for resolving WdFilter.sys problems. To avoid data loss, make sure that you have backed up all of your important documents, pictures, software installers and other personal data before starting the process. If you are not currently backing up your data, you need to do so immediately.
A miniport does not keep track of bindings. It merely passes packets up to NDIS, and NDIS makes sure that these packets are passed to the correct protocols.
- Full NIC drivers have been written to perform both hardware-specific operations and all the synchronization and queuing operations usually done by NDIS. Full NIC drivers, for instance, maintain their own binding information for indicating received data.
- Intermediate drivers. Intermediate drivers interface between an upper-level driver such as a protocol driver and a miniport. To the upper-level driver, an intermediate driver looks like a miniport. To a miniport, the intermediate driver looks like a protocol driver. An intermediate protocol driver can layer on top of another intermediate driver although such layering could have a negative effect on system performance. A typical reason for developing an intermediate driver is to perform media translation between an existing legacy protocol driver and a miniport that manages a NIC for a new media type unknown to the protocol driver. For instance, an intermediate driver could translate from LAN protocol to ATM protocol. An intermediate driver cannot communicate with user-mode applications, but only with other NDIS drivers.
- Transport drivers or protocol drivers. A protocol driver implements a network protocol stack such as IPX/SPX or TCP/IP, offering its services over one or more network interface cards. A protocol driver services application-layer clients at its upper edge and connects to one or more NIC driver(s) or intermediate NDIS driver(s) at its lower edge.
NPF is implemented as a protocol driver. This is not the best possible choice from the performance point of view, but it allows reasonable independence from the MAC layer as well as complete access to the raw traffic.
Notice that the various Win32 operating systems have different versions of NDIS: NPF is NDIS 5 compliant under Windows 2000 and its derivations (like Windows XP), and NDIS 3 compliant on the other Win32 platforms.
The next figure shows the position of NPF inside the NDIS stack:
Figure 1: NPF inside NDIS.
The interaction with the OS is normally asynchronous. This means that the driver provides a set of callback functions that are invoked by the system when some operation is requested of NPF. NPF exports callback functions for all the I/O operations of the applications: open, close, read, write, ioctl, etc.
The interaction with NDIS is asynchronous as well: events like the arrival of a new packet are notified to NPF through a callback function (Packet_tap() in this case). Furthermore, the interaction with NDIS and the NIC driver always takes place by means of non-blocking functions: when NPF invokes an NDIS function, the call returns immediately; when the processing ends, NDIS invokes a specific NPF callback to signal that the operation has finished. The driver exports a callback for every low-level operation, like sending packets, setting or requesting parameters on the NIC, etc.
NPF structure basics
The next figure shows the structure of WinPcap, with particular reference to the NPF driver.
Figure 2: NPF device driver.
NPF is able to perform a number of different operations: capture, monitoring, dump to disk, packet injection. The following paragraphs briefly describe each of these operations.
Packet Capture
The most important operation of NPF is packet capture. During a capture, the driver sniffs the packets using a network interface and delivers them intact to the user-level applications.
The capture process relies on two main components:
The size of the user buffer is very important because it determines the maximum amount of data that can be copied from kernel space to user space within a single system call. The minimum amount of data that can be copied in a single call is also extremely important. With a large value for this parameter, the kernel waits for the arrival of several packets before copying the data to the user. This guarantees a low number of system calls, i.e. low processor usage, which is a good setting for applications like sniffers. Conversely, a small value means that the kernel will copy the packets as soon as the application is ready to receive them. This is excellent for real-time applications (like, for example, ARP redirectors or bridges) that need the best responsiveness from the kernel. From this point of view, NPF has a configurable behavior that allows users to choose between best efficiency and best responsiveness (or any intermediate situation).
The wpcap library includes two calls that can be used to set the timeout after which a read expires and the minimum amount of data that is transferred to the application. By default, the read timeout is 1 second, and the minimum amount of data copied between the kernel and the application is 16K.
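To make the trade-off concrete, here is an added model (not WinPcap code) of the delivery rule described above: a read returns when at least the minimum amount of data is buffered or when the read timeout expires. It assumes an application that reissues its read immediately, a timeout greater than zero, and that a read expiring with nothing buffered is simply reissued; the packet trace is constructed.

```c
#include <stddef.h>
#include <stdio.h>
/* A captured packet: arrival time in ms and captured length (sample data is constructed). */
typedef struct { unsigned t_ms; unsigned len; } pkt_t;
/* Reads that returned data, and the longest time a packet waited in the kernel buffer. */
typedef struct { unsigned reads; unsigned max_delay_ms; } result_t;

static void deliver(result_t *r, unsigned d) { r->reads++; if (d > r->max_delay_ms) r->max_delay_ms = d; }

/* Model of the NPF delivery policy (added model, not WinPcap code): a pending read()
 * returns as soon as min_to_copy bytes are buffered, or when timeout_ms (> 0) elapses
 * since the read was issued. The application is assumed to reissue read() at once, and
 * a read that expires with nothing buffered is simply reissued. */
result_t simulate_reads(const pkt_t *pkts, size_t n, unsigned min_to_copy, unsigned timeout_ms)
{
    result_t r = {0, 0};
    unsigned buffered = 0, first_ts = 0, read_issued = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned now = pkts[i].t_ms;
        if (buffered > 0 && read_issued + timeout_ms <= now) {
            read_issued += timeout_ms;          /* the read holding data timed out first */
            deliver(&r, read_issued - first_ts);
            buffered = 0;
        }
        while (read_issued + timeout_ms <= now) /* empty reads expired and were reissued */
            read_issued += timeout_ms;
        if (buffered == 0) first_ts = now;
        buffered += pkts[i].len;
        if (buffered >= min_to_copy) {          /* enough data: the read returns at once */
            deliver(&r, now - first_ts);
            buffered = 0;
            read_issued = now;
        }
    }
    if (buffered > 0)                           /* capture ends: the last read times out */
        deliver(&r, read_issued + timeout_ms - first_ts);
    return r;
}

int main(void)
{
    pkt_t burst[10];                            /* constructed: 10 x 1500 B, 10 ms apart */
    for (unsigned i = 0; i < 10; i++) { burst[i].t_ms = 10 * i; burst[i].len = 1500; }
    result_t a = simulate_reads(burst, 10, 16384, 1000);  /* WinPcap defaults: 16K, 1 s */
    result_t b = simulate_reads(burst, 10, 1, 1000);      /* most responsive setting */
    printf("16K/1s: %u read(s), max delay %u ms\n1B/1s:  %u read(s), max delay %u ms\n",
           a.reads, a.max_delay_ms, b.reads, b.max_delay_ms);
    return 0;
}
```

With the defaults the whole 15 KB burst reaches the application in one read after the 1 s timeout; with a 1-byte minimum it takes ten reads but no packet waits at all.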
Packet injection
NPF allows raw packets to be written to the network. To send data, a user-level application performs a WriteFile() system call on the NPF device file. The data is sent to the network as is, without being encapsulated in any protocol, so the application has to build the various headers of each packet itself. The application usually does not need to generate the FCS, because it is calculated by the network adapter hardware and appended automatically to the end of the packet before it is sent to the network.
In normal situations, the rate at which packets can be sent to the network is not very high, because a system call is needed for each packet. For this reason, the possibility to send a single packet more than once with a single write system call has been added. The user-level application can set, with an IOCTL call (code pBIOCSWRITEREP), the number of times a single packet will be repeated: for example, if this value is set to 1000, every raw packet written by the application to the driver's device file will be sent 1000 times. This feature can be used to generate high-speed traffic for testing purposes: the overhead of the context switches is no longer present, so performance is remarkably better.
Network monitoring
WinPcap offers a kernel-level programmable monitoring module, able to calculate simple statistics on the network traffic. The idea behind this module is shown in Figure 2: the statistics can be gathered without copying the packets to the application, which simply receives and displays the results obtained from the monitoring engine. This avoids a great part of the capture overhead in terms of memory and CPU cycles.
The monitoring engine is made of a classifier followed by a counter. The packets are classified using the filtering engine of NPF, which provides a configurable way to select a subset of the traffic. The data that pass the filter go to the counter, which keeps some variables, like the number of packets and the amount of bytes accepted by the filter, and updates them with the data of the incoming packets. These variables are passed to the user-level application at regular intervals, whose period can be configured by the user. No buffers are allocated at kernel or user level.
Dump to disk
The dump to disk capability can be used to save the network data to disk directly from kernel mode.
Figure 3: packet capture versus kernel-level dump.
In traditional systems, the path followed by the packets that are saved to disk is the one marked by the black arrows in Figure 3: every packet is copied several times, and normally 4 buffers are allocated: the one of the capture driver, the one in the application that keeps the captured data, the one of the stdio functions (or similar) that the application uses to write to the file, and finally the one of the file system.
When the kernel-level traffic logging feature of NPF is enabled, the capture driver addresses the file system directly, hence the path followed by the packets is the one of the red dotted arrow: only two buffers and a single copy are necessary, and the number of system calls is drastically reduced, so performance is considerably better.
The current implementation dumps the traffic to disk in the widely used libpcap format. It also offers the possibility to filter the traffic before the dump process, in order to select the packets that will go to disk.
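As an added example (not NPF's own code), here is the libpcap file layout that a kernel-level dump produces: the 24-byte global header, and the 16-byte record header that precedes each saved packet, serialized into a caller-supplied buffer. The snaplen truncation shows why a record carries both the saved length and the original on-wire length.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* libpcap file layout as produced by a kernel dump: a 24-byte global header, then a
 * 16-byte record header before each packet. Fields are in the writer's byte order;
 * readers detect it from the magic number. */
#define PCAP_MAGIC_USEC   0xa1b2c3d4u   /* microsecond timestamps */
#define PCAP_VER_MAJOR    2
#define PCAP_VER_MINOR    4
#define LINKTYPE_ETHERNET 1

static size_t put_u32(uint8_t *out, uint32_t v) { memcpy(out, &v, 4); return 4; }
static size_t put_u16(uint8_t *out, uint16_t v) { memcpy(out, &v, 2); return 2; }

/* Write the global header into 'out' (at least 24 bytes); returns bytes written. */
size_t pcap_global_header(uint8_t *out, uint32_t snaplen, uint32_t linktype)
{
    size_t n = 0;
    n += put_u32(out + n, PCAP_MAGIC_USEC);
    n += put_u16(out + n, PCAP_VER_MAJOR);
    n += put_u16(out + n, PCAP_VER_MINOR);
    n += put_u32(out + n, 0);            /* thiszone: GMT offset, 0 in practice */
    n += put_u32(out + n, 0);            /* sigfigs: timestamp accuracy, 0 in practice */
    n += put_u32(out + n, snaplen);      /* max bytes stored per packet */
    n += put_u32(out + n, linktype);     /* link type of the capturing adapter */
    return n;
}

/* Append one packet record. Only the first 'snaplen' bytes are stored, but the
 * original on-wire length is recorded so readers can tell the packet was cut.
 * Returns bytes written, or 0 if the output buffer of size 'cap' is too small. */
size_t pcap_record(uint8_t *out, size_t cap, uint32_t ts_sec, uint32_t ts_usec,
                   const uint8_t *pkt, uint32_t orig_len, uint32_t snaplen)
{
    uint32_t incl = orig_len < snaplen ? orig_len : snaplen;
    if (cap < 16 + (size_t)incl) return 0;
    size_t n = 0;
    n += put_u32(out + n, ts_sec);
    n += put_u32(out + n, ts_usec);
    n += put_u32(out + n, incl);         /* incl_len: bytes actually saved */
    n += put_u32(out + n, orig_len);     /* orig_len: length on the wire */
    memcpy(out + n, pkt, incl);
    return n + incl;
}
```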
Further reading
The structure of NPF and its filtering engine derive directly from those of the BSD Packet Filter (BPF), so if you are interested in the subject you can read the following papers:
- S. McCanne and V. Jacobson, The BSD Packet Filter: A New Architecture for User-level Packet Capture. Proceedings of the 1993 Winter USENIX Technical Conference (San Diego, CA, Jan. 1993), USENIX.
- A. Begel, S. McCanne and S. L. Graham, BPF+: Exploiting Global Data-flow Optimization in a Generalized Packet Filter Architecture. Proceedings of ACM SIGCOMM '99 (Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, Cambridge, USA, August 30 - September 3, 1999), pages 123-134.
The code documented in this manual is the one of the Windows NTx version of NPF. The Windows 9x code is very similar, but it is less efficient and lacks advanced features like kernel-mode dump.