Delivered-To: Darwin-dev@lists.apple.com

On Tue, Jan 12, 2010 at 11:18 AM, Matthew Mashyna <adc@frodis.com> wrote:
> I'm working on a project that attempts to monitor some net activity. I'm using libpcap to watch HTTP packets on port 80, for instance. When we see a particular type of HTTP header we want to see what application made the request. pcap will give me the packet, socket, to and from addresses and more.
>
> I know I can use lsof but that might not be fast enough. I'm looking for a way to do it in C or ObjC.
I submitted a patch long ago to oidentd that pulled the user ID out of the kernel based on matching the foreign/local port/address, if the oidentd license is acceptable to your project (check out src/kernel/darwin.c).

It works by using kvm_nlist to read the list of inpcb structures (netinet/in_pcb.h) from the kernel. From the inpcb it gets the socket structure (sys/socketvar.h). In the socket structure I returned so_uid, but there's also a so_pgid (process group ID). Maybe that's sufficient for you?

Frankly I don't remember how I figured this all out. I probably copied from the src/kernel/freebsd5.c source. You might be able to get the socket structure from sysctl, although I had to use the inpcb because I was matching by addresses and ports.