I am trying to write an application that does the following: A) URL logging (i.e. HTTP GET) B) HTTP GET blocking (URLs will be logged to a separate server; if the URLs can not be logged, then any GETs should be blocked immediately) C) The application needs to be as resistant as possible to the user disabling or killing the application. So I would much prefer if the user/administrator could not simply kill -9 the application. I have chosen the NKE (Network Kernel Extension) DLIL (Data Link Interface Layer) Protocol Filter as the way to implement this logging and blocking in conjunction with a user level process. I have two questions: 1. I have been able to log/block the HTTP GET packets successfully using dlil_attach_protocol_filter() by first calling dlil_find_dltag() to get the dltag for the network interface. However, I discovered that dlil_find_dltag() fails for APPLE_IF_FAM_PPP if the modem is not yet connected. How can I be notified/called whenever a new network interface is connected or disconnected (e.g. when modem makes an internet connection) so I can set up or cleanup the dlil protocol filter? 2. Is there a way to meet my application goals (above) entirely in user-space? It would be great to avoid the pitfalls of kernel programming and the possible instability in OS X that this application could introduce. -Nate Lim mailto:nathanlim@mac.com _______________________________________________ darwin-kernel mailing list | darwin-kernel@lists.apple.com Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-kernel Do not post admin requests to the list. They will be ignored.