Please note I have already seen the answers pointing to the audit_token.
From what I'm observing, the audit_token does not return the pid from a NEFilterFlow but actually returns the epid.
For instance, if Safari is sending a HTTP GET request and the server name of the URL needs to be resolved, mDNSResponder will resolve the URL on behalf of Safari.
In this case, the debug info for the NEFilterFlow shows that:
- the procPID for the flow representing the UDP communication to port 53 is the one of mDNSResponder.
- the eprocPID for this flow is the one of Safari.
If you use the audit_token of the sourceApp, you will end up with the eprocPID: the Safari one. Which makes sense since it's the audit_token for the sourceApp. But, IMO, it's not the pid of the network flow.
There is obviously a non official API to retrieve the eprocPID value since Objective-C is the nice language that lets you retrieve that kind of info easily.
The issue is that this is quite probably not considered as safe/secure as the way you get the eprocPID through the audit_token.
So:
[Q] How are we supposed to get the real pid from a NEFilterFlow?