Is it possible with WFP or LWF driver to filter decrypted SMB traffic?

Stanislav Malkin 0 Reputation points
2023-06-27T19:09:01.7833333+00:00

Is it possible with WFP or NDIS driver to filter decrypted SMB traffic if SMB encryption is activated?


1 answer

  1. Limitless Technology 44,776 Reputation points
    2023-06-28T12:16:39.8466667+00:00

    Hello Stanislav,

    Thank you for your question and for reaching out with your question today.

    As of my knowledge, it is not possible to directly filter decrypted SMB (Server Message Block) traffic using Windows Filtering Platform (WFP) or NDIS (Network Driver Interface Specification) drivers if SMB encryption is activated.

    When SMB encryption is enabled, the communication between the SMB client and server is encrypted at the transport layer. This encryption occurs before the data is sent over the network and is decrypted at the receiving end. The encryption and decryption processes happen within the SMB protocol stack, which is typically handled by the operating system's networking stack.

    WFP and NDIS drivers operate at a lower network layer and are primarily designed to intercept and filter network traffic before it reaches the transport layer. They can inspect and filter network packets based on various criteria, such as source and destination IP addresses, ports, protocols, and packet contents.

    However, since SMB encryption is applied at the transport layer, the WFP and NDIS drivers would not have access to the decrypted contents of the SMB traffic. They would only see the encrypted packets, making it impossible to perform deep packet inspection or filtering based on the decrypted SMB payload.

    If you have specific requirements for filtering or inspecting decrypted SMB traffic, you may need to explore alternative solutions, such as using specialized security appliances or software that are specifically designed for intercepting and analyzing encrypted network traffic. These solutions often employ techniques like TLS interception or decryption to access the decrypted contents of encrypted protocols. It's important to note that such interception should be done in accordance with applicable laws and regulations, and with proper authorization and consent from the involved parties.

    It's recommended to consult with security professionals or network specialists who can provide more detailed guidance based on your specific requirements and environment.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    If the reply was helpful, please don’t forget to upvote or accept as answer.

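One defender-side check that follows from the answer above (an added PowerShell example, not part of the original thread): before relying on a WFP or NDIS filter for SMB payload inspection, enumerate which connections and sessions on the host are actually encrypted, because only the unencrypted ones expose SMB payload to a network-layer filter. It assumes a Windows 8.1 / Server 2012 R2 or later host where Get-SmbConnection and Get-SmbSession expose an Encrypted property, and an elevated session for the server-side data.

```powershell
# Added example (not from the original thread): audit which SMB traffic on this host
# is encrypted, since a WFP/NDIS filter only sees plaintext SMB payload for
# unencrypted sessions. Assumes Windows 8.1 / Server 2012 R2 or later, where the
# Get-Smb* cmdlets expose EncryptData / Encrypted; run elevated for server-side data.
function Get-SmbFilterVisibility {
    [CmdletBinding()]
    param()

    # Server-side policy: is encryption required globally, and are unencrypted clients rejected?
    $cfg = Get-SmbServerConfiguration
    $policy = [pscustomobject]@{
        EncryptData             = $cfg.EncryptData
        RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess
    }

    # Per-share override: a share with EncryptData=$true encrypts even if the global flag is off.
    $encryptedShares = Get-SmbShare |
        Where-Object { $_.EncryptData } |
        Select-Object -ExpandProperty Name

    # Outbound connections (this host acting as SMB client).
    $client = Get-SmbConnection -ErrorAction SilentlyContinue |
        Select-Object ServerName, ShareName, Dialect, Encrypted

    # Inbound sessions (this host acting as SMB server); needs administrator rights.
    $server = Get-SmbSession -ErrorAction SilentlyContinue |
        Select-Object ClientComputerName, Dialect, Encrypted

    $all     = @($client) + @($server)
    $opaque  = @($all | Where-Object { $_.Encrypted }).Count
    $visible = @($all | Where-Object { -not $_.Encrypted }).Count

    [pscustomobject]@{
        ServerPolicy            = $policy
        SharesForcingEncryption = $encryptedShares
        ClientConnections       = $client
        ServerSessions          = $server
        # Sessions whose SMB payload a WFP/NDIS filter can still inspect.
        PayloadVisibleToFilter  = $visible
        # Sessions where the filter sees only ciphertext after the SMB2 transform header.
        PayloadOpaqueToFilter   = $opaque
    }
}

Get-SmbFilterVisibility
```

If PayloadOpaqueToFilter is non-zero, or EncryptData / per-share EncryptData is set, any payload-level SMB filtering must be done at an endpoint that sees plaintext (for example, as a file-system minifilter on the server) rather than in a network-layer driver.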
