Brian, Actually I am using a NKE with protocol filters, using proc *p = current_proc() Actually gets me who is doing it, the only reason I bring up this question, Is I am trying to find a way to distinguish Classic apps, That is very hard since they share the same pid, which is TruBlueEnvironment, well they all go through that pid, and that is what current_proc returns, My program runs fine if I care less about Classic traffic, I started out patching the syscall table, but was informed this was bad practice and I switched along time ago. I just figure now that I am going to give up on trying to intercept classic traffic, too hard to distinguish which app (Within Classic) made the call. Thanks, Matt On Mar 3, 2004, at 10:29 AM, Brian Bergstrand wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I think Matt, wants something similar if functionality to ObDev's Little Snitch. And to do that you have to do what they are doing, and patch the kernel syscall table. There is no reliable way to get a PID from a NKE filter. The way little snitch does this, is by patching the kernel syscalls for socket opens (sosend, socreate, others?). Since these calls exist in the context of the BSD kernel the PID of the calling process is readily available and Little Snitch can pull the PID (and check the dest addr at the same time). If the check fails, it calls out to it's userland daemon to handle the failure. Once in userland, you can find the process name (or something close to it) from the process table. Of course none of this is guaranteed to work, it just happens to at the moment. In fact, Little Snitch ran into some panic problems with the upgrade to 10.3 because it does patch the syscall table. Patching is a very evil thing (as any 0S 9 developer and/or user can attest to). Little Snitch panic (that was eventually fixed) : <http://forums.macnn.com/showthread.php? s=&threadid=195232&highlight=little+snitch> HTH. On Mar 3, 2004, at 1:14 AM, Justin Walker wrote: On Tuesday, March 2, 2004, at 10:45 PM, Matt Jaffa wrote: Hi, Is there a way to determine which app that is running has control over a certain port. This is dealing with sockets, I have intercepted a raw_packet going out, and using the src_port I would like to know which app is listening, or owns it. Is there a way to do this within the Kernel, and /or within a daemon inside user space? The concept of "control" over a port does not exist. Ports in certain ranges are "allocated" by IANA to certain functions/services, but that is convention, and is locally dictated by things like "/etc/services" (if you decide to change that usage, of course, you end up breaking a lot of functionality, but that's a separate issue). In addition, an open socket can be handed to another process, and another UID, in a couple of ways: - parent forks, child and parent both have 'control' of an open socket - application execs a new executable (same process, different code) - process A can establish a local socket communication with process B, and then pass another open socket (say, INET4) to B - the UID of a process can change through system calls and the SETUID bit in the executable. Any number of processes, each running different code, can have the same socket open and be actively using it. Remember that a socket is a kernel structure that is treated like a file structure and shared among processes. Each proc table has an array of 'descriptors' that point to such things as socket structures, so the socket structure itself can't be "owned" by any one process. This has been discussed before, and you might benefit from trying to search the archives. For this kind of question, the ones to look at are darwin-kernel, darwin-development, and possibly the opendarwin lists. Depending on where your extension lives, you may be able to determine the identity of one of the users of the socket at the time it is accessed for read or write. That's the best you can hope for. Regards, Justin -- Justin C. Walker, Curmudgeon-At-Large * Institute for General Semantics | Some people have a mental | horizon of radius zero, and | call it their point of view. | -- David Hilbert *-------------------------------------- *-------------------------------* _______________________________________________ darwin-kernel mailing list | darwin-kernel@lists.apple.com Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-kernel Do not post admin requests to the list. They will be ignored. Brian Bergstrand <http://www.bergstrand.org/brian/>, AIM: triryche206 PGP Key: <http://www.bergstrand.org/brian/misc/public_key.txt> Conscience is the inner voice that warns us that someone might be looking. - H. L. Mencken As of 11:16:51 AM, iTunes is playing "The Shortest Straw" from "...And Justice For All" by "Metallica" -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.3 iQA/AwUBQEYH3nnR2Fu2x7aiEQIaPQCgvX4NLw4iXGw44weSHTEWBXnIwrgAnA8k G0KUbNgGbs5QShJwYgfyB52M =ESqs -----END PGP SIGNATURE----- _______________________________________________ darwin-kernel mailing list | darwin-kernel@lists.apple.com Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-kernel Do not post admin requests to the list. They will be ignored.