Version 2.2 Available

WinDivert Windows Packet Interception Library

WinDivert is a powerful user mode library that allows capturing filtering modifying and re injecting network packets on Windows systems.

10M+

Downloads

5,000+

GitHub Stars

100+

Contributors

1.2 Gbps

Throughput

Zero Copy

Architecture

About WinDivert

What is WinDivert ?

WinDivert is a powerful Windows-based packet-capture and network-filtering driver that enables applications to intercept, inspect, modify, and control network traffic in real time. It works at a low level within the Windows networking stack, giving developers and security tools deep visibility and precise control over both incoming and outgoing data packets.

Unlike traditional packet capture tools that only monitor traffic, WinDivert actively interacts with network packets. This means it can block unwanted connections, redirect traffic, alter packet headers, or reinject modified packets back into the network flow. Because of this capability, WinDivert is widely used in advanced networking, security, and traffic management solutions.

LGPL

Open Source License

x86/x64

Architecture Support

Packet Capture

Intercept network packets at the Windows kernel level

Protocol Analysis

Deep packet inspection for any network protocol

Real time Processing

Process millions of packets per second with minimal latency

Security Tools

Build firewalls, VPNs, and intrusion detection systems

Core Features

Powerful WinDivert Features

WinDivert provides a comprehensive set of features for capturing, filtering, and manipulating Windows network traffic

Packet Capture

Capture network packets at the kernel level with zero-copy architecture. Monitor all inbound and outbound traffic including TCP, UDP, ICMP, and raw IP packets. Perfect for building network analyzers, traffic monitors, and debugging tools.

Key Benefits:

Network Filtering

Filter packets using powerful expression syntax. Block, allow, or redirect traffic based on source, destination, protocol, ports, and more. Build firewalls and security tools with ease.

Key Benefits:

High Performance

Engineered for maximum throughput with minimal CPU overhead. Handle gigabit-speed traffic in user-mode without dropping packets. Batched operations and zero-copy transfers ensure optimal performance.

Key Benefits:

Packet Injection

Inject packets directly into the Windows network stack. Modify existing packets or create entirely new ones. Essential for building VPNs, tunneling applications, and network testing tools.

Key Benefits:

NAT Support

Implement Network Address Translation with full control over address and port mapping. Build load balancers, proxy servers, and network gateways with transparent NAT capabilities.

Key Benefits:

Easy Integration

Simple and intuitive C API with bindings for Python, C#, Go, Rust, and more. Comprehensive documentation and examples to get you started quickly. No kernel development experience required.

Key Benefits:

Smart Functionality

How WinDivert Works & Why It Stands Out

WinDivert intercepts, filters, and controls network packets in real time at the Windows network stack level. Its high-performance driver architecture delivers deep traffic visibility, precise control, and extensive customization, making it an ideal choice for advanced networking and security applications.

How WinDivert Works

WinDivert operates as a low-level Windows packet interception driver that sits directly between user-mode applications and the Windows network stack. This position allows it to observe, control, and manipulate network traffic in real time before packets reach their final destination.

Packet Interception at the Network Layer

WinDivert hooks into the Windows networking stack at the network layer.
Every incoming and outgoing packet that matches a defined filter rule is intercepted before it is processed by the operating system or sent over the network. This interception happens at a very early stage, ensuring maximum control and visibility over traffic.

Filter Rules and Traffic Selection

WinDivert uses powerful filtering expressions to decide which packets should be captured.
These filters can target:

Specific IP addresses
Ports and protocols (TCP, UDP, ICMP)
Direction of traffic (inbound or outbound)
Loopback and localhost traffic

Only packets that match the filter criteria are diverted, keeping performance overhead minimal.

User-Mode Packet Processing

Once intercepted, packets are delivered to a user-mode application.
Here, developers can:

Inspect packet headers and payloads.
Log or analyze traffic.
Modify packet contents.
Decide whether a packet should be forwarded or dropped.

This design provides flexibility without requiring custom kernel-mode development.

Packet Modification and Decision Making

After inspection, the application can take one of several actions:

Allow the packet to continue unchanged.
Modify packet data (headers or payload)
Drop the packet to block traffic.
Redirect traffic to a different destination.

This makes WinDivert suitable for advanced networking tools such as firewalls, traffic shapers, and security analyzers.

Packet Reinjection into the Network Stack

Approved or modified packets are then re-injected back into the Windows network stack.
From this point onward, the packet behaves as if it were never intercepted, ensuring compatibility with existing applications and network services.

High-Performance and Stability

WinDivert is designed for high-throughput environments.
Its lightweight driver architecture minimizes latency while maintaining system stability, even under heavy network load.

Why Choose WinDivert?

WinDivert is a trusted solution for developers, security professionals, and network engineers who need precise control over network traffic on Windows systems. Its design focuses on performance, flexibility, and reliability, making it a preferred choice for low-level packet handling.

High-Performance Packet Interception

WinDivert operates at the kernel level, allowing it to intercept network packets in real time with minimal latency. This ensures high performance even under heavy network loads, which is essential for security tools and traffic-intensive applications.

Complete Control Over Network Traffic

Unlike traditional packet sniffers that only observe traffic, WinDivert enables active control over traffic. Users can capture, modify, drop, or reinject packets, giving full authority over how data flows through the Windows network stack.

Developer-Friendly and Flexible

WinDivert provides a simple yet powerful API that allows developers to implement custom filtering rules and traffic logic with ease. It supports a wide range of use cases, from lightweight testing tools to complex enterprise-level networking solutions.

Broad Compatibility and Protocol Support

WinDivert supports modern Windows versions and works seamlessly with both IPv4 and IPv6 traffic. This wide compatibility ensures it can be integrated into current and future networking environments without limitations.

Ideal for Security and Networking Applications

Due to its low-level access and precise packet handling, WinDivert is widely used in firewalls, VPNs, intrusion detection systems, ad-blocking software, and network monitoring tools. Its reliability makes it suitable for both research and production environments.

Lightweight, Reliable, and Proven

WinDivert is lightweight and does not introduce unnecessary system overhead. It has been extensively tested and adopted by numerous professional tools, demonstrating its stability and effectiveness in real-world scenarios.

Applications

Built for Any Use Case

From security tools to network optimization, WinDivert powers a wide range of applications

Firewalls

Build software firewalls with custom rules, application awareness, and real-time traffic control.

VPN Clients

Create VPN clients that tunnel traffic through encrypted connections without modifying system network configuration.

Network Analyzers

Develop packet sniffers and network analyzers for debugging, monitoring, and security auditing.

Load Balancers

Implement load balancers and traffic distributors for high-availability applications.

IDS/IPS Systems

Build intrusion detection and prevention systems that monitor and protect network traffic.

Traffic Shaping

Control bandwidth allocation and prioritize traffic for quality of service management.

Common Use Cases

WinDivert is designed for scenarios where traditional networking tools fall short. It enables software to interact directly with network traffic, making it suitable for environments that demand precision, flexibility, and real-time control. Its use cases extend beyond basic monitoring, supporting complex networking workflows across security, performance, and system-level traffic management.

Advanced Network Control

WinDivert is commonly used in applications that require fine-grained control over how data flows through a system. By intercepting packets before they are processed by the operating system, software can apply intelligent logic to allow, modify, delay, or discard traffic based on custom conditions.

Real-Time Packet Processing

Many modern networking solutions rely on immediate packet inspection and handling. WinDivert supports real-time processing, allowing applications to react instantly to network events such as abnormal traffic patterns, unexpected connections, or protocol-level changes.

System-Wide Traffic Management

Unlike application-level tools, WinDivert operates across the entire system. This makes it ideal for solutions that need visibility into all network activity, regardless of which application generates the traffic, ensuring consistent enforcement of rules and policies.

Secure Communication Handling

WinDivert is often used where secure data handling is critical. By examining packet headers and payload behavior, applications can enforce security checks, detect anomalies, and ensure data integrity during transmission without altering core system configurations.

High-Performance Networking Solutions

Performance-sensitive applications benefit from WinDivert’s lightweight and efficient design. It enables high-throughput traffic handling with minimal overhead, making it suitable for demanding environments such as enterprise networks and development testbeds.

Custom Network Logic Implementation

Developers use WinDivert to implement unique networking logic that cannot be achieved through standard APIs. This includes experimental networking features, protocol research, and specialized traffic workflows tailored to specific operational needs.

Scalable & Flexible Use

WinDivert adapts well to both small-scale tools and enterprise-grade solutions. Its flexibility allows it to support evolving requirements, making it a reliable choice for long-term networking projects.

Quick Start

Easy Installation

Get started with WinDivert in just a few simple steps

				
					curl -LO https://github.com/basil00/Divert/releases/latest/download/WinDivert.zip
unzip WinDivert.zip

				
					#include "windivert.h"

// Open a WinDivert handle
HANDLE handle = WinDivertOpen(
    "tcp.DstPort == 80",
    WINDIVERT_LAYER_NETWORK,
    0, 0
);

				
					WINDIVERT_ADDRESS addr;
UINT packetLen;
char packet[MAXBUF];

// Receive a packet
if (!WinDivertRecv(handle, packet, 
    sizeof(packet), &packetLen, &addr)) {
    // Handle error
}

Security Assessment

Is WinDivert Safe to Use ?

WinDivert is safe to use in controlled and legitimate environments when obtained from an official or trusted source. It is a kernel-level packet interception driver for Windows that provides user-mode applications with direct access to network traffic for inspection, filtering, modification, and reinjection.

Security Characteristics of WinDivert

WinDivert does not contain malicious code and does not perform unauthorized data collection or system manipulation. Its functionality is limited to packet-level operations within the Windows networking stack, making it a neutral infrastructure component rather than an end-user application.

Antivirus Detection and Risk Classification

Security software often classifies WinDivert as Riskware, HackTool, or Potentially Unwanted Application (PUA). This classification is based on its capability, not its intent. Since WinDivert allows deep packet inspection and traffic manipulation, it meets the behavioral criteria used by antivirus engines to flag tools that could be misused by malware.

Potential Security Risks

Security risks arise only when WinDivert is embedded within malicious or untrusted software. In such scenarios, the threat originates from the host application leveraging WinDivert’s packet-handling capabilities, not from WinDivert itself.

Secure Deployment Practices

To maintain system security, WinDivert should be deployed following best practices:

Obtain binaries only from verified and official distributions.
Use digitally signed drivers where available.
Integrate WinDivert only within trusted applications.
Restrict administrative privileges to authorized users.

Examples

Code Examples

Get started quickly with these practical code samples

				
					#include "windivert.h"

int main() {
    HANDLE handle;
    WINDIVERT_ADDRESS addr;
    char packet[MAXBUF];
    UINT packetLen;
    
    // Open handle for all TCP traffic
    handle = WinDivertOpen(
        "tcp", WINDIVERT_LAYER_NETWORK, 0, 0);
    
    while (TRUE) {
        // Capture packet
        if (!WinDivertRecv(handle, packet, 
            sizeof(packet), &packetLen, &addr)) {
            continue;
        }
        
        // Process packet...
        printf("Captured %u bytes\n", packetLen);
        
        // Re-inject packet
        WinDivertSend(handle, packet, 
            packetLen, NULL, &addr);
    }
    
    return 0;
}

				
					// Filter for HTTP traffic only
HANDLE handle = WinDivertOpen(
    "tcp.DstPort == 80 or tcp.SrcPort == 80",
    WINDIVERT_LAYER_NETWORK,
    0, 0);

// Or filter HTTPS
HANDLE https = WinDivertOpen(
    "tcp.DstPort == 443 or tcp.SrcPort == 443",
    WINDIVERT_LAYER_NETWORK,
    0, 0);

				
					// Block traffic to/from specific IP
HANDLE handle = WinDivertOpen(
    "ip.SrcAddr == 192.168.1.100 or "
    "ip.DstAddr == 192.168.1.100",
    WINDIVERT_LAYER_NETWORK,
    0, 0);

// Capture and DROP (don't reinject)
while (WinDivertRecv(handle, packet, 
    sizeof(packet), &packetLen, &addr)) {
    // Packet is dropped by not calling 
    // WinDivertSend()
    printf("Blocked packet!\n");
}

Find more comprehensive examples in our GitHub repository, including:

NAT implementation example
Packet logging and analysis
Custom firewall implementation
Traffic shaping examples
Python and C# bindings usage

Technical Details

Technical Specifications

Everything you need to know about WinDivert’s technical capabilities

System Requirements

Protocol Support

IPv4 and IPv6 support
TCP, UDP, ICMP, and raw IP
Ethernet frame access (WINDIVERT_LAYER_ETHERNET)
Socket-layer filtering (WINDIVERT_LAYER_SOCKET)
Flow-layer tracking (WINDIVERT_LAYER_FLOW)
Reflected packet detection

Performance

Up to 1+ Gbps throughput
Sub-millisecond latency
Minimal CPU overhead
Batched operations for efficiency
Zero-copy packet access
Lock-free internal structures

Compatibility

Windows Compatibility

WinDivert supports a wide range of Windows versions and architectures

Supported Windows Versions

Architectures

Comparison

WinDivert vs Traditional Packet Capture Tools

See how WinDivert compares to other Windows networking tools

WinDivert Comparison Table

Feature	WinDivert	Npcap / WinPcap	Raw Sockets
User-mode API	✓	✓	–
Packet Injection	✓	–	✓
Packet Modification	✓	–	✓
Filter Expressions	✓	✓	–
Zero-copy Capture	✓	✓	–
No Admin Rights Needed	–	–	–
Works on All Windows	✓	✓	–
LGPL License	✓	–	✓

Download

Getting Started with WinDivert

Getting started with WinDivert is straightforward for developers and network professionals who want full control over Windows network traffic. Below is a clear, practical overview to help you begin using WinDivert effectively.

Trusted by Developers Worldwide

WinDivert powers thousands of networking applications across the globe

10M+

Total Downloads

50,000+

Active Projects

500+

Forks

99.9%

Uptime

Testimonials

Loved by Developers

See what developers and companies are saying about WinDivert

WinDivert Testimonials

"WinDivert is the backbone of our VPN client. The ability to capture and inject packets in user-mode is invaluable for our tunneling implementation."

A

Alex Chen

Lead Developer at SecureNet VPN

"We evaluated multiple options for our network security product. WinDivert's performance and ease of integration made it the clear choice."

S

Sarah Mitchell

CTO at CyberShield Inc

"The filter expression syntax is incredibly powerful. We built a complete application-aware firewall using WinDivert in just two weeks."

M

Marcus Weber

Security Engineer at NetGuard Systems

FAQ's

Frequently Asked Questions

Get answers to common questions about WinDivert

What is WinDivert?

WinDivert is a Windows packet interception driver that allows applications to capture, filter, modify, and reinject network packets in real time.

What is WinDivert mainly used for?

WinDivert is commonly used for network monitoring, firewall development, traffic filtering, ad blocking, VPN tools, and security research.

Is WinDivert free to use?

Yes, WinDivert is free to use and is typically distributed as an open-source networking utility for Windows.

Which Windows versions support WinDivert?

WinDivert supports modern Windows operating systems, including Windows 7, Windows 8, Windows 10, and Windows 11.

Does WinDivert support IPv6 traffic?

Yes, WinDivert fully supports both IPv4 and IPv6 network traffic.

Is WinDivert a VPN?

No, WinDivert is not a VPN. It is a packet-level driver that can be used to build VPNs or similar networking tools.

Can WinDivert slow down internet speed?

When properly configured, WinDivert has minimal performance impact. Poorly written filters or heavy traffic processing may affect speed.

Is WinDivert suitable for beginners?

WinDivert is primarily designed for developers and advanced users with networking knowledge, but beginners can learn it with proper documentation.

Does WinDivert require administrator privileges?

Yes, installing and running WinDivert requires administrator-level permissions because it works at the system network level.

Is WinDivert open-source?

Yes, WinDivert is an open-source project, allowing developers to inspect, modify, and integrate it into their own tools.

Is WinDivert safe to use?

Yes, WinDivert itself is safe when downloaded from a trusted source and used for legitimate purposes.

Why do antivirus programs flag WinDivert?

Antivirus software may flag WinDivert because it intercepts network traffic, a behavior also used by some malware.

Is WinDivert a virus or malware?

No, WinDivert is not a virus or malware. It is a legitimate network driver used by many trusted applications.

Can hackers use WinDivert?

Like many powerful tools, WinDivert can be misused. Security depends on how the tool is implemented and who controls it.

Should I allow WinDivert in my firewall?

If you trust the application using WinDivert, allowing it through the firewall is generally safe.

Can WinDivert be used for packet sniffing?

Yes, WinDivert can capture and analyze network packets, making it suitable for packet sniffing and traffic inspection.

Does WinDivert modify system files?

WinDivert installs a driver to handle packet interception but does not modify core Windows system files.

How do I uninstall WinDivert?

WinDivert can be removed by uninstalling the application that installed it or manually removing the driver if needed.

Is WinDivert legal to use?

Yes, WinDivert is legal to use for legitimate purposes such as development, testing, and network management.

Can WinDivert be used in commercial software?

Yes, WinDivert can be integrated into commercial software, subject to its license terms.

WinDivert – Real-Time Network Traffic Control on Windows

WinDivert lets you capture, modify, and inject network packets on Windows. Perfect for firewall testing, network monitoring, and packet analysis.

Price: Free

Price Currency: $

Operating System: Windows

Application Category: Software

Editor's Rating:
4.7