Re: How to get a socket's PID ?
- Subject: Re: How to get a socket's PID ?
- From: "Stephen J. Butler" <email@hidden>
- Date: Tue, 12 Jan 2010 11:58:29 -0600
On Tue, Jan 12, 2010 at 11:18 AM, Matthew Mashyna <email@hidden> wrote:
> I'm working on a project that attempts to monitor some net activity. I'm
> using libpcap to watch http packets on port 80, for instance. When we see a
> particular type of http header we want to see what application made the
> request. pcap will give me the packet, socket, to and from addresses and
> more.
>
> I know I can use lsof but that might not be fast enough. I'm looking for a
> way to do it in C or ObjC.

I submitted a patch long ago to oidentd that pulled the user id out of
the kernel based on matching the foreign/local port/address, if the
oidentd license is acceptable to your project (check out
src/kernel/darwin.c). It works by using kvm_nlist to read the list of
inpcb structures (netinet/in_pcb.h) from the kernel. From the inpcb it
gets the socket structure (sys/socketvar.h). In the socket structure I
returned so_uid, but there's also a so_pgid (process group ID). Maybe
that's sufficient for you?

Frankly I don't remember how I figured this all out. I probably copied
from the src/kernel/freebsd5.c source.

You might be able to get the socket structure from sysctl, although I
had to use the inpcb because I was matching by addresses and ports.
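
Added example, not part of the original post and not oidentd's code: the local/foreign address and port matching step described above, applied to a packet seen by a capture tool, where either end of the packet may be the local socket. `struct pcb_entry`, `entry`, `matches`, `owner_of`, and the addresses and uids are hypothetical stand-ins over a constructed table; real code would fill the entries from the kernel's inpcb and socket structures.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical stand-in for the fields read from inpcb and socket; NOT the
 * kernel's layout. Ports are in network byte order, as the BSD PCB stores them. */
struct pcb_entry {
    struct in_addr laddr, faddr;  /* local / foreign IPv4 address */
    uint16_t lport, fport;        /* network byte order */
    uid_t so_uid;                 /* owner recorded on the socket */
};

static struct pcb_entry entry(const char *l, uint16_t lp, const char *f, uint16_t fp, uid_t uid)
{
    struct pcb_entry e = {0};
    inet_pton(AF_INET, l, &e.laddr);
    inet_pton(AF_INET, f, &e.faddr);
    e.lport = htons(lp); e.fport = htons(fp); e.so_uid = uid;
    return e;
}

static int matches(const struct pcb_entry *p, struct in_addr la, uint16_t lp,
                   struct in_addr fa, uint16_t fp)
{   /* lp/fp arrive in host order from the parsed packet, so convert first */
    return p->laddr.s_addr == la.s_addr && p->faddr.s_addr == fa.s_addr &&
           p->lport == htons(lp) && p->fport == htons(fp);
}

/* Owner uid for a captured src:sport -> dst:dport packet, or -1 if unknown. */
long owner_of(const char *src, uint16_t sport, const char *dst, uint16_t dport)
{
    /* Constructed snapshot: two client sockets to the same server, two users. */
    struct pcb_entry tab[2] = {
        entry("192.0.2.10", 49152, "198.51.100.7", 80, 501),
        entry("192.0.2.10", 49153, "198.51.100.7", 80, 502),
    };
    struct in_addr s, d;
    if (inet_pton(AF_INET, src, &s) != 1 || inet_pton(AF_INET, dst, &d) != 1)
        return -1;
    for (size_t i = 0; i < 2; i++)
        /* outbound packet: src is the local end; inbound: dst is the local end */
        if (matches(&tab[i], s, sport, d, dport) || matches(&tab[i], d, dport, s, sport))
            return (long)tab[i].so_uid;
    return -1;
}

int main(void)
{ printf("%ld\n", owner_of("198.51.100.7", 80, "192.0.2.10", 49153)); return 0; }
```

Both sockets share the same foreign address and port, so only the full four-tuple distinguishes the two owners.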