Known limitations to traffic visibility in NEFilterDataProvider

I am in the process of transitioning from using Network Kernel Extensions to Network Extensions for socket-level filtering, the 10.15.4 API additions having removed the showstoppers for our app (verdict change on open flows and data volume accounting), but I'm seeing some other limitations while testing and comparing against the existing KEXT-based solution.

Namely, no FaceTime traffic (AV streams from identityservicesd) seems to ever be seen, likely due to the specific networking setup FaceTime uses. The NEFilterDataProvider is set up to grab all traffic / all directions / all protocols and sees all other TCP and UDP networking just fine.


According to FB7665551, not seeing FT traffic is as designed. This is disappointing compared to KEXTs, because they saw that traffic just as normal and enabled accounting for the data volume used by FaceTime. From my limited testing it seems that Transparent Proxy does not catch that traffic either.

Note that nettop and other similar tools do account for that traffic.


Has anyone encountered similar limitations?
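For reference, this is what the "all traffic / all directions / all protocols" filter configuration and the 10.15.4 byte accounting described in the post look like in a filter data provider. It is an added example, not the poster's code: it uses a single catch-all NENetworkRule, lets every flow through while requesting periodic statistics reports, and keeps the latest reported byte counts per flow in an in-memory dictionary (the `volume` store and the `AllTrafficFilterProvider` class name are assumptions for illustration). Whether a given flow is ever presented to the provider at all, which is the question the post raises for FaceTime, is decided by the system before any of this code runs.

```swift
import NetworkExtension
import os.log

// Added example (not from the original post): a NEFilterDataProvider that asks
// the system for every flow and accounts byte volume via NEFilterReport.
class AllTrafficFilterProvider: NEFilterDataProvider {

    // Assumed accounting store: latest inbound/outbound byte counts per flow.
    private var volume: [UUID: (inbound: UInt64, outbound: UInt64)] = [:]

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // One rule that matches everything: any remote, any local, any protocol,
        // both directions. nil network plus prefix 0 means "all addresses".
        let anyNetwork = NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                                       localNetwork: nil, localPrefix: 0,
                                       protocol: .any, direction: .any)
        let rule = NEFilterRule(networkRule: anyNetwork, action: .filterData)

        // defaultAction only covers traffic no rule matches; with the catch-all
        // rule above it is effectively unused, but .allow is the safe fallback.
        let settings = NEFilterSettings(rules: [rule], defaultAction: .allow)

        apply(settings) { error in
            if let error = error {
                os_log("failed to apply filter settings: %{public}@",
                       error.localizedDescription)
            }
            completionHandler(error)
        }
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        volume.removeAll()
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // Let the flow pass without inspecting payload, but ask the system to
        // deliver periodic byte statistics for it (macOS 10.15.4 and later).
        let verdict = NEFilterNewFlowVerdict.allow()
        verdict.statisticsReportFrequency = .medium
        return verdict
    }

    // macOS 10.15.4 and later: statistics and lifecycle reports for flows that
    // requested them. Only flows the system actually hands to the provider
    // ever show up here; traffic it withholds by design never does.
    override func handle(_ report: NEFilterReport) {
        guard let flow = report.flow else { return }
        switch report.event {
        case .statistics:
            // Store the counts as reported for this flow.
            volume[flow.identifier] = (inbound: report.bytesInboundCount,
                                       outbound: report.bytesOutboundCount)
        case .flowClosed:
            if let totals = volume.removeValue(forKey: flow.identifier) {
                os_log("flow %{public}@ closed: in=%llu out=%llu",
                       flow.identifier.uuidString, totals.inbound, totals.outbound)
            }
        default:
            break
        }
    }
}
```

The provider is loaded only after the app has called `NEFilterManager` to install the content filter configuration and the user has approved the system extension, so the class above is the extension side of the setup only. Comparing its totals against nettop for a single process is a quick way to confirm which of that process's flows the provider is actually being shown.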