Process ID from NEFilterPacketHandler?

Does anyone know if it is possible to identify the Process ID associated with a packet in the NEFilterPacketHandler closure for macOS?


I've been looking around for what I might be able to squeeze out of the NEFilterPacketContext, but I haven't found anything yet.


Thanks.

Replies

If you delay the packet then you’ll get back an NEPacket object. That has a metadata property and you may be able to get info from that (I’ve never actually tried this myself).

However, you have to be careful here. A filter packet provider is extremely performance sensitive, so it’s unwise to delay every packet. You’ll need some mechanism to ensure that most packets go via the fast path (that is, your NEFilterPacketHandler returning .allow or .drop). For example:
  • You might choose to only delay packets that meet specific criteria.

  • You might maintain a flow cache, and only delay the first packet, or first few packets, of any given flow.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

ps DTS is closed 21 Dec through 1 Jan.
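
The flow-cache approach from the reply above, as an added example (not code from the thread or from Apple): only the first packet of each flow is marked for the delay path, and later packets take the fast path. `FlowKey`, `FlowCache` and `Decision` are hypothetical names, and the parser assumes the buffer starts at an IPv4 header, which is an assumption about the bytes the handler receives.

```swift
import Foundation

// Hypothetical types for illustration; not part of NetworkExtension.
struct FlowKey: Hashable {
    let proto: UInt8
    let src: UInt32, dst: UInt32
    let srcPort: UInt16, dstPort: UInt16
}

enum Decision { case fastPath, delay }

/// Extracts an IPv4 TCP/UDP 5-tuple. Assumes `bytes` begins at the IPv4 header.
func flowKey(from bytes: UnsafeRawBufferPointer) -> FlowKey? {
    guard bytes.count >= 20, bytes[0] >> 4 == 4 else { return nil }
    let ihl = Int(bytes[0] & 0x0F) * 4          // header length in bytes
    let proto = bytes[9]
    guard ihl >= 20, proto == 6 || proto == 17, bytes.count >= ihl + 4 else { return nil }
    func be16(_ o: Int) -> UInt16 { UInt16(bytes[o]) << 8 | UInt16(bytes[o + 1]) }
    func be32(_ o: Int) -> UInt32 { UInt32(be16(o)) << 16 | UInt32(be16(o + 2)) }
    return FlowKey(proto: proto, src: be32(12), dst: be32(16),
                   srcPort: be16(ihl), dstPort: be16(ihl + 2))
}

final class FlowCache {
    private var seen: [FlowKey: Int] = [:]
    private let lock = NSLock()                 // handler may run on several threads
    private let inspectCount: Int, capacity: Int

    init(inspectCount: Int = 1, capacity: Int = 4096) {
        self.inspectCount = inspectCount
        self.capacity = capacity
    }

    /// Returns .delay for the first `inspectCount` packets of a flow, else .fastPath.
    func decide(_ key: FlowKey) -> Decision {
        lock.lock(); defer { lock.unlock() }
        let n = seen[key, default: 0]
        if n >= inspectCount { return .fastPath }
        // Bound memory: crude whole-cache reset when full (flows get re-inspected once).
        if n == 0 && seen.count >= capacity { seen.removeAll(keepingCapacity: true) }
        seen[key] = n + 1
        return .delay
    }
}

// Constructed sample packet: IPv4/TCP 192.0.2.1:49152 -> 198.51.100.7:443
let sample: [UInt8] = [0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0,
                       192, 0, 2, 1, 198, 51, 100, 7, 0xC0, 0x00, 0x01, 0xBB]
let cache = FlowCache()
sample.withUnsafeBytes { (raw: UnsafeRawBufferPointer) -> Void in
    guard let key = flowKey(from: raw) else { return }
    print(cache.decide(key), cache.decide(key))
}
```

In a packet handler, a `.delay` decision would correspond to delaying the packet to read its metadata, and `.fastPath` to returning `.allow` or `.drop` immediately; packets the parser cannot key (a `nil` result) need their own policy.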