Hello Everyone,
I am trying to port my Windows project to Mac OS X and it seems like I am experiencing problems with this task.
The main idea of the project is to show network usage by applications. Therefore, it is essential to know the following information about each connection:
1. IP, Port
2. Pid of the process making connection
3. File path of “Pid”
4. User Id of the process making connection
In Windows this is achievable by using PsSetLoadImageNotifyRoutine (…) in a kernel driver and getting notifications about each process started/stopped. For the networking part one may use TDI, LWF, and/or an NDIS IM filter.
In Mac OS X it seems like I can use a socket-level NKE, which is very well illustrated in the tcplognke example. However, it seems like I cannot get process start/exit notifications. I checked this newsgroup for similar posts and I saw that there is no official way to accomplish this.
I would like to list alternatives I can follow, maybe someone may suggest a better way? So far, I have been thinking about the following directions:
1. Hooking SYS_execve and friends in my kext (a very unstable and unreliable solution; I would like to avoid it)
2. Using the NSWorkspace NSWorkspaceDidLaunchApplicationNotification notification in a user mode application (reports only “visible” applications and only per login session)
3. Using dtrace in a user mode application (can see everything, but libdtrace is undocumented and may change in the future)
At the moment I am playing with solution 3: using libdtrace. It seems like it works, but a lot of research has to be done before actually making a commercial product based on such an unstable approach.
...
Did I miss something else? Any help or feedback is highly appreciated!
P.S. I could also have mentioned that one may use the kauth approach, but the "process" scope has never been implemented by Apple :( It works for the file system scope though, which is good.
--
with best regards, Volodymyr
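As an added example (not code from the original post), the D script below does in the dtrace(1) command line what option 3 describes through libdtrace: it subscribes to the DTrace proc provider's exec-success and exit probes and reports the pid, parent pid, uid and command name for every process start and exit, plus how long each observed process lived. It assumes macOS with DTrace enabled and root privileges; execname is only the short command name, so the full executable path still has to be resolved separately in user space.

```d
#!/usr/sbin/dtrace -s
/* Added example: process start/exit monitor using the DTrace proc provider.
   Run as root:  sudo dtrace -s procmon.d   (constructed script, not from the post) */
#pragma D option quiet

dtrace:::BEGIN
{
    printf("%-6s %-8s %-8s %-6s %s\n", "EVENT", "PID", "PPID", "UID", "COMMAND");
}

/* Fires after a successful exec, in the context of the new image, so pid,
   ppid, uid and execname already describe the freshly started program.
   Remember when we saw it so the exit probe can report its lifetime. */
proc:::exec-success
{
    started[pid] = timestamp;
    printf("%-6s %-8d %-8d %-6d %s\n", "START", pid, ppid, uid, execname);
}

/* Exit of a process whose start we observed: report lifetime and forget it. */
proc:::exit
/started[pid]/
{
    printf("%-6s %-8d %-8d %-6d %s (ran %d ms)\n", "EXIT", pid, ppid, uid,
           execname, (timestamp - started[pid]) / 1000000);
    started[pid] = 0;
}

/* Exit of a process that was already running before the script was started. */
proc:::exit
/!started[pid]/
{
    printf("%-6s %-8d %-8d %-6d %s (started before tracing)\n", "EXIT", pid,
           ppid, uid, execname);
}
```

Because exec-success fires in the new image's context, the pid printed there is the one the socket-level NKE will later see on that process's connections, which is the join key the post needs.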