I am writing an NKE filter, and I'm wondering if I could get a process name (ideally - a full path to the process) that my filter has been attached to. When my "attach" function has been called, I have a pointer to the socket_t structure. Is there any way to trace the way to the process (a process' PID identifier) that has opened this socket, and find out its name?
You know, this question has been asked (and answered) in the mailing list archives :-) But, in short:

- You can't necessarily turn a socket_t into a process (because multiple processes could have that descriptor).
- But you can find out the context that invoked you at NKE attach time, which at least in some cases will be the userspace process. See the Apple sample code for tcplognke, specifically the use of proc_selfpid(). Note that in some cases (see the mailing list archives) this won't be useful to you.
- You can use proc_selfname() to get at p_comm, which is probably the closest thing to what you want. But you should read this first: http://lists.apple.com/archives/darwin-kernel/2008/Mar/msg00086.html

Although ... I'm sure Michael Smith has forgotten more about the Darwin kernel than I will ever know, but I don't see how you can change p_comm from userspace.

But all of the usual caveats apply here - using this is almost certainly the Wrong Thing to do.

--Ken
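The approach described in the reply above, as an added example that is not from the original thread or from Apple's tcplognke sample: a socket filter attach callback that records proc_selfpid() and proc_selfname() in the per-socket cookie. The names my_attach, my_detach, attach_ctx and g_tag are hypothetical, allocating through OSMalloc is this example's choice, and the non-KERNEL branch holds constructed stand-ins so the logic also compiles outside a kext.

```c
#include <string.h>
#ifdef KERNEL                      /* kext build: the real KPIs */
#include <sys/kpi_socketfilter.h>
#include <sys/proc.h>
#include <sys/param.h>
#include <sys/errno.h>
#include <libkern/OSMalloc.h>
extern OSMallocTag g_tag;          /* assumption: allocated in the kext start routine */
#define ctx_alloc(n)   OSMalloc((uint32_t)(n), g_tag)
#define ctx_free(p, n) OSFree((p), (uint32_t)(n), g_tag)
#else                              /* userspace stand-ins, constructed for this example */
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
typedef int errno_t;
typedef struct socket *socket_t;
#define MAXCOMLEN 16
#define ctx_alloc(n)   malloc(n)
#define ctx_free(p, n) free(p)
static int proc_selfpid(void) { return (int)getpid(); }
static void proc_selfname(char *buf, int size) {  /* truncates like the KPI */
    strncpy(buf, "constructed-process-name", (size_t)size - 1);
    buf[size - 1] = '\0';
}
#endif

struct attach_ctx {
    int  pid;                      /* context that triggered the attach */
    char comm[MAXCOMLEN + 1];      /* p_comm: short name, never a full path */
};

/* sf_attach_func: runs in whatever context caused the attach, which is
 * not necessarily the only process holding this socket. */
static errno_t my_attach(void **cookie, socket_t so)
{
    struct attach_ctx *ctx = ctx_alloc(sizeof(*ctx));
    if (ctx == NULL)
        return ENOMEM;
    ctx->pid = proc_selfpid();
    proc_selfname(ctx->comm, (int)sizeof(ctx->comm));
    *cookie = ctx;                 /* passed back to later filter callbacks */
    return 0;
}

/* sf_detach_func: free the per-socket record. */
static void my_detach(void *cookie, socket_t so)
{
    if (cookie != NULL)
        ctx_free(cookie, sizeof(struct attach_ctx));
}
```

The recorded pid and name describe only the context that triggered the attach, and the name is at most MAXCOMLEN characters of p_comm, so both are logging hints rather than an identity.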