Hi, Matt, On Wednesday, March 10, 2004, at 10:16 PM, Matt Jaffa wrote: I am interested in the send function(sosend), that is the function that i am filtering within my app. I am using this to extract information out of the mbuf: [snip] but when It prints out the information to the syslog, it is all wrong, am i getting the ip header and the tcp header correctly out of the mbuf structure? I mean this only in the nicest way :-} - you *really* need to take time and learn about the environment that you are coding for. Either read the kernel code, or get Stevens's TCP/IP Illustrated Volume 2. Spend time with it. The reason everything appears all wrong is that you are looking for something that is not there: there are no protocol headers in the mbuf chain when you get to look at it. If you look at the code in sosend(), you will see that, stripped to its essentials, the sequence is roughly this: while not done do get the data from the user, if necessary. check if it's ok to send. call the NKEs linked to the socket. call the protocol send code (pru_send) etc. od Given this, you should be able to determine that your NKE will see the mbufs before the protocol code sees them, so all that is in the mbufs is the data that is being passed in, either to TCP, UDP, or raw IP. The information you seem to want is in the control blocks that dangle off the socket. For TCP, this information (source and destination port/address) never changes, once the session is ESTABLISHED. For UDP or raw IP, these can change for each 'send'. Regards, Justin -- Justin C. Walker, Curmudgeon-At-Large * Institute for General Semantics | If you're not confused, | You're not paying attention *--------------------------------------*-------------------------------* _______________________________________________ darwin-kernel mailing list | darwin-kernel@lists.apple.com Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-kernel Do not post admin requests to the list. They will be ignored.