Windows Kernel Networking

Overview

The Windows kernel provides a robust networking subsystem that supports a wide range of protocols, transports, and hardware interfaces. This documentation covers the core components, extensibility points, and best practices for developing kernel-mode networking features.

Network Stack Architecture

The stack is layered as follows:

• NDIS (Network Driver Interface Specification) – abstracts network adapters.
• Transport Layer – TCP, UDP, RAW, etc.
• Internet Layer – IPv4/IPv6 processing.
• Application Layer – Winsock Kernel (WSK) and other kernel APIs.

Each layer communicates via well-defined interfaces, allowing drivers and services to interoperate seamlessly.

Network Driver Interface Specification (NDIS)

NDIS is the primary API for kernel-mode network drivers. It provides functions for packet transmission, receive handling, and power management.

// Example: Register a Miniport driver
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NDIS_MINIPORT_DRIVER_CHARACTERISTICS drvChars = {0};
    drvChars.Header.Type = NDIS_OBJECT_TYPE_MINIPORT_DRIVER_CHARACTERISTICS;
    drvChars.Header.Size = sizeof(NDIS_MINIPORT_DRIVER_CHARACTERISTICS);
    drvChars.Header.Revision = NDIS_MINIPORT_DRIVER_CHARACTERISTICS_REVISION_1;
    drvChars.MajorNdisVersion = NDIS_MINIPORT_MAJOR_VERSION;
    drvChars.MinorNdisVersion = NDIS_MINIPORT_MINOR_VERSION;
    drvChars.InitializeHandlerEx = MyMiniportInitializeEx;
    // ... other handlers ...
    return NdisMRegisterMiniportDriver(DriverObject, RegistryPath, 
                                      NULL, &drvChars, &gMiniportHandle);
}

TCP/IP Stack

Windows implements a fully integrated TCP/IP stack in kernel mode. Key APIs include:

• TCPIP_DEVICE_OBJECT – for direct socket creation.
• TCPIP_ADDRESS – address management.
• TCPIP_PSEUDO_HEADER – checksum calculations.

Developers can use the WSK API for high-performance socket operations without transitioning to user mode.

Winsock Kernel (WSK)

WSK provides a socket-like interface for kernel drivers and services. It follows the familiar Winsock model with extended capabilities for asynchronous I/O.

// Example: Create a TCP socket with WSK
NTSTATUS status;
PWSK_SOCKET socket = NULL;
status = WskProviderNpi->Dispatch->WskSocket(
    WskProviderNpi->Client,
    AF_INET,
    SOCK_STREAM,
    IPPROTO_TCP,
    WSK_FLAG_CONNECTION_SOCKET,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    &socket);
if (!NT_SUCCESS(status)) {
    // handle error
}

Code Samples

Explore additional samples:

• NDIS Filter Driver Sample
• WSK Echo Server Sample
• Custom TCP/IP Stack Extension

Additional Resources

• Network Drivers on Microsoft Docs
• NDIS Overview
• Winsock Kernel Documentation
• Contact the Documentation Team