Use Network Extension to monitor traffic

Hello. I’m new to kernel programming, and was researching a solution to monitor pid, source and destination. I’ve looked at socket filters with NKE, but saw that NKE is to be deprecated. So, can Network Extension be used to achieve this? Or is NKE still the way to go? I’m not looking to filter traffic, only to monitor TCP and UDP connections, by PID. Thanks in advance.

Replies

Given that you mentioned NKEs, I’m assuming you’re working on the Mac. In that case the answer is “not really”. Network Extension framework supports four different types of providers:

  • Packet tunnel providers, which can operate either in normal mode or as a per-app VPN

  • App proxy providers, which are the standard mechanism for per-app VPN

  • Content filters

  • DNS proxy providers

Of these, only the first two are supported on the Mac. It’s possible to [ab]use these technologies for other purposes, but it’s best if you use them for what they were intended for.

Can you tell me more about your intended product here? Is this something you plan to ship to a wide variety of users? Are you targeting the Mac App Store? Is this a security product? Specifically, if you miss stuff, is that considered a security vulnerability?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for replying 🙂

And yes, this is a security tool for OS X, not targeting the app store.

Basically this tool is a flight recorder, recording process, file and network activity.

And I didn't want to go down a potential, to-be-deprecated way.

So, NKE is still the way to go?

Thanks in advance

So, NKE is still the way to go?

Yes. The Network Extension providers that let you see traffic are either not supported on macOS (like content filters) or require the user to connect (like the VPN providers). The latter is less than ideal in a security product because you want it to be always on.

I should stress that we’re actively discouraging folks from writing new NKEs. This has a couple of consequences:

  • If you rely on this, you should file an enhancement request against Network Extension for a provider that gives you the functionality you need. Please post your bug number, just for the record.

  • You should try to isolate your core code from the details of the NKE interface, so that you can move it over to some new architecture in the future. The nice thing about doing this is that it also makes it easier to build and test your code outside of the kernel.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Oops, did not see the nt audit class :) Think I'll go down the audit trail then. Thanks for pointing that out.

And I accidentally deleted your reply, nice...... BSM audit subsystem it is. Thanks 👍
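As an added illustration (not part of the thread or of any Apple sample), this is how the audit-trail route chosen above maps onto the BSM configuration: the network class `nt` has to be in the `flags:` line of `/etc/security/audit_control` before connect(2)/accept(2) records, which carry the calling pid in the subject token and the remote address and port in the socket-inet token, are written. The standard macOS `audit_control` layout is assumed; the function takes the file path as a parameter so it can be tried on a copy first, and it is idempotent.

```shell
#!/bin/sh
# Add the BSM "nt" (network) audit class to the "flags:" line of an
# audit_control file. Only the attributable-event flags are changed;
# naflags (non-attributable events) and every other line are left alone.
enable_nt_class() {
    file="$1"
    tmp="$file.tmp"
    awk -F: 'BEGIN { OFS = ":" }
        $1 == "flags" {
            # Check the comma-separated class list for an existing nt entry.
            n = split($2, cls, ",")
            found = 0
            for (i = 1; i <= n; i++) if (cls[i] == "nt") found = 1
            if (!found) $2 = ($2 == "" ? "nt" : $2 ",nt")
        }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the class list currently configured for attributable events
# (for example "lo,aa,nt"); used to confirm the edit took effect.
audit_flags() {
    awk -F: '$1 == "flags" { print $2 }' "$1"
}

# Applying this on macOS needs root, so the live steps are shown here
# as comments rather than executed:
#   cp /etc/security/audit_control /tmp/audit_control
#   enable_nt_class /tmp/audit_control
#   sudo cp /tmp/audit_control /etc/security/audit_control
#   sudo audit -s                      # make auditd re-read the config
#   sudo praudit -l /dev/auditpipe     # live records, one per line
```

The `nt` class is verbose on a busy machine, so size `filesz`/`expire-after` in the same file accordingly.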