
Drawbacks of using ETW for packet capture instead of an NDIS LWF or WFP driver?


Assume we want to capture IPv4 and IPv6 packets and do deep packet scans on them. I came to notice that it is also possible to capture packets using the Microsoft-Windows-NDIS-PacketCapture ETW provider.

Some example projects that are doing this:

https://github.com/packetzero/etwrealtime

https://github.com/egtra/ndiscap-packet

If our goal is to do deep packet inspection on IPv4 and IPv6 packets only, and we are also OK with the deep packet inspection being asynchronous (no need to block the packet while doing the scan), is there any drawback of using this provider to do packet inspection instead of using an NDIS LWF or WFP driver?


Solution

  • In general, we'd prefer that you use the OS's built-in packet capture, instead of writing your own driver. If the built-in capture works for you, go ahead and use it.

    One drawback of the Microsoft-Windows-NDIS-PacketCapture provider is that you don't necessarily control when it starts or stops, and you don't necessarily control the packet filter. There's only a single global capture session, and some other app on the system can mess with your session. (Anything your app can do, their app can do.) But if the system is under your full control, like a lab system, then you can just avoid running anything that conflicts with your use of the built-in capture provider.
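One practical way to live with the single-global-session caveat the answer raises, as an added PowerShell example (not code from the question, the answer, or the linked projects): before creating your own capture session, check whether any existing trace session already has the Microsoft-Windows-NDIS-PacketCapture provider attached, and restrict the new session to IPv4/IPv6 frames only. The session name and output path are placeholders, and the parsing of `logman` text output is a heuristic.

```powershell
# Added example: detect a conflicting NDIS-PacketCapture session, then create our own.
# Run elevated; the NetEventPacketCapture cmdlets need Windows 8.1 / Server 2012 R2 or later.
#Requires -RunAsAdministrator
$SessionName = 'DpiCapture'               # assumption: any unused session name
$OutFile     = 'C:\Temp\dpi-capture.etl'  # assumption: writable output path

# 1. NetEvent sessions that already have the packet-capture provider attached.
$inUse = Get-NetEventSession -ErrorAction SilentlyContinue |
    Where-Object {
        Get-NetEventPacketCaptureProvider -SessionName $_.Name -ErrorAction SilentlyContinue
    }
if ($inUse) {
    Write-Warning ("NDIS-PacketCapture already attached to: " + ($inUse.Name -join ', ') +
                   ". Starting a second capture would conflict with it.")
    return
}

# 2. Raw ETW sessions (netsh trace, logman, third-party tools) that the NetEvent
#    cmdlets do not manage. Heuristic: parse the session names out of 'logman query -ets'
#    and look for the provider name in each session's detail listing.
$rawSessions = (logman query -ets) -split "`n" |
    Where-Object { $_ -match '^\S' -and $_ -notmatch '^(Data Collector Set|-+|The command)' } |
    ForEach-Object { ($_ -split '\s{2,}')[0].Trim() }
foreach ($s in $rawSessions) {
    if ((logman query "$s" -ets 2>$null) -match 'NDIS-PacketCapture') {
        Write-Warning "ETW session '$s' already uses NDIS-PacketCapture; not starting another."
        return
    }
}

# 3. Nothing conflicting: create our own session, limited to IPv4 (0x0800) and IPv6 (0x86DD).
New-NetEventSession -Name $SessionName -CaptureMode SaveToFile -LocalFilePath $OutFile | Out-Null
Add-NetEventPacketCaptureProvider -SessionName $SessionName -CaptureType Physical `
    -EtherType 0x0800, 0x86DD
Start-NetEventSession -Name $SessionName
Write-Host "Capturing IPv4/IPv6 frames to $OutFile; inspect the .etl asynchronously."

# When done (or on exit), release the global capture so other tools can use it:
# Stop-NetEventSession -Name $SessionName; Remove-NetEventSession -Name $SessionName
```

The check is advisory only: another process can still tear down or repurpose the session after you start it, which is exactly the point the answer makes about shared control.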