I have been writing my NKE and so far have my userland and NKE talking
back and forth. That works fine.
Now I am trying to do some filtering using a combination of some of the
techniques from SharedIP and TCPlogger.
Basically I just put a bunch of printf statements in all my dispatch
vector calls, struct sockif, and struct sockutil.
I open my terminal window with tail -f /var/log/system.log. Now on other calls, like start/stop, from my NKE I can see all my printf statements that I have inserted into these start/stop functions, but no matter what I do I cannot see any printf statements coming from my sockif/sockutil intercept calls. I am doing some pinging, web searching, etc., so I would think I would see something. Of course there must be something wrong with the way I have the filtering set up.
Following is the basic flow I use to get the filtering started.
In the struct sockif I override the soreceive, solisten, sosend, soconnect and so on. In the sockutil struct I just override the sbappend.
To kick things off I do the pp = pffindproto(PF_NDRV, 0, SOCK_RAW), but I have tried many variations, i.e. (PF_INET, IPPROTO_RAW, SOCK_RAW), (PF_NDRV, 0, SOCK_RAW) and so on.
Then I do my register_sockfilter(&myNFDescriptor, 0, pp, &ctlref), trying both NFF_BEFORE and NFF_AFTER.
Then if all succeeds, I call my ctl_register(KernCtlReg, 0, g_ctlref);
Now everything shows up as loading and unloading fine, using kextload and kextunload, but as I said, I just do not see any of my intercepts being hit.
Any suggestions?
Thanks All.