Process ID from NEFilterPacketHandler?

App & System Services Drivers
THeberlein OP
Created Dec ’19
Replies 1
Boosts 0
Views 857
Participants 2

Does anyone know if it is possible to identify the Process ID associated with a packet in the NEFilterPacketHandler closure for macOS?


I've been looking around for what I might be able to squeeze out of the NEFilterPacketContext, but I haven't found anything yet.


Thanks.

Replies  1
Boosts  0
Views  857
Participants  2
DTS Engineer OP
Apple
Dec ’19

If you delay the packet then you’ll get back an 

NEPacket
object. That has a 
metadata
property and you may be able to get info from that (I’ve never actually tried this myself).

However, you have to be careful here. A filter packet provider is extremely performance sensitive, so it’s unwise to delay every packet. You’ll need some mechanism to ensure that most packets go via the fast path (that is, your 

NEFilterPacketHandler
returning 
.allow
or 
.drop
). For example:

  • You might choose to only delay packets that meet specific criteria.

  • You might maintain a flow cache, and only delay the first packet, or first few packets, of any given flow.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"

ps DTS is closed 21 Dec through 1 Jan.

0
Process ID from NEFilterPacketHandler?
First post date Last post date
 
 
Q