Introducing… WinTAP

As part of my GCIA Gold project & paper that was recently published, Defensive Depth, in collaboration with New Tribes Mission USA, funded the development of WinTAP, a Daemonlogger clone for Windows.

The first iteration of WinTAP was a proof of concept that was essentially a .NET wrapper around WinPcap.  This worked well, but performance was not as well as could be hoped for.  The next iteration took the proof of concept, and instead of using WinPcap, implemented WinTAP as a kernel mode driver, using NDIS 6.0.  This allowed for much better performance and stability.

From the official description:

WinTap is a packet sniffer and soft-tap developed to mirror packets flowing through an Ethernet interface. It is purely based on the NDIS which allows us to sniff packets and rewrite them to a second interface acting as a soft-tap. WinTap consists of two components,

1. NDIS 6.0 based protocol driver.
2. User mode soft-tap.

These two act in tandem to create a soft-tap, where the protocol driver sniffs the traffic and delivers to the user mode application. User mode application does the redirection logic and returns the packets to be rewritten to second interface.

WinTAP is licensed under GPL 2; source can be found on Github.

 

Tagged , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s