Is it possible to see pre-tunneled traffic in the filter-packet provider

Hi there, I am experimenting with a firewall app via the NEFilterPacketProvider interface. When I have Cisco AnyConnect VPN connected, all I can see seems to be TCP/UDP 443 SSL VPN traffic, not the app traffic that's being tunneled.

From a filter-packet provider, any idea how I can see app traffic before it gets encapsulated (and after it gets decapsulated)?

Thanks, Billy

Replies

From a filter-packet provider, any idea how I can see app traffic before it gets encapsulated (and after it gets decapsulated)?

Essentially you will need to make sure your NEFilterPacketProvider is up and running before the VPN, and that way your Network Configuration will receive the traffic before the VPN provider. This should allow you to see the traffic before it's encapsulated.

Now, this may or may not be an easy thing to do based upon your configuration and the VPN's configuration, but this should work.

up and running before the VPN

Can you please clarify what "up and running" means? I am seeing the behavior (i.e. only seeing VPN-encapsulated traffic) by starting my app (based on the SimpleFirewall sample) before dialing Cisco AnyConnect.

Or, by "up and running", you meant start up of the network extension itself? How can I tell which extension is started up first?

If that's the case, how do I control the NE startup order? Obviously I do not have control over Cisco's configuration.

% systemextensionsctl list | grep "activated enabled"
*	*	69Q4FM6AL9	com.example.apple-samplecode.SimpleFirewall69Q4FM6AL9.SimpleFirewallExtension (1.0/1)	SimpleFirewallExtension	[activated enabled]
*	*	DE8Y96K9QP	com.cisco.anyconnect.macos.acsockext (4.9.04053/4.9.04053)	Cisco AnyConnect Socket Filter Extension	[activated enabled]

Or, by "up and running", you meant start up of the network extension itself?

Starting up the actual Network System Extension and the associated Network Configuration.

Regarding:

If that's the case, how do I control the NE startup order? Obviously I do not have control over Cisco's configuration.

This is a very common issue as there is no way to control the service order. It is based upon which provider was configured first and starts first. If you are working with another vendor's provider then I would reach out to them and discuss working with them in your specific context.

based upon which provider was configured first and starts first

Does this mean that even if we install our NE first (i.e. it enters the "activated enabled" state first), followed by the AnyConnect installation (which enters the "activated enabled" state later), the service startup order would still be non-deterministic (for example after a reboot)?

Does this mean that even if we install our NE first (i.e. it enters the "activated enabled" state first), followed by the AnyConnect installation (which enters the "activated enabled" state later), the service startup order would still be non-deterministic (for example after a reboot)?

Nothing is guaranteed here. However, in my testing I have seen that the first Network System Extension that is installed on the system receives the traffic first. The second Network System Extension installed on the machine would receive the traffic after the first Network System Extension. Now, typically the install order does correlate to the start order when the system is rebooted, but this is not guaranteed. For example, there could be unexpected issues bringing up one provider, etc.

I did a test. I installed and started my app first. I could see inner packets being logged in the console. Then I installed Cisco AnyConnect VPN. As soon as the VPN was connected, I lost visibility of the inner packets and could only see port 443 packets (Cisco uses TCP & UDP port 443 for tunneling).

Actually, for VPN connectivity I am not sure Cisco uses Network Extensions at all - I don't see a packet-tunnel provider registered in their NE's Info.plist file. It looks like they use a utun interface. Perhaps utun traffic is somehow not being sent to the filter-packet provider?
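The utun question above can be answered empirically by logging, for every packet the provider sees, which interface it arrived on and what the IP/L4 header says. The following is an added example written for this thread; it is not code from either participant, from the SimpleFirewall sample, or from Cisco. It assumes a packet-filter system extension already installed and enabled as the poster describes; the class name, the os_log subsystem string and the log format are made up for illustration. The IPv4/TCP/UDP parsing is the usual header layout (version/IHL in byte 0, protocol in byte 9, addresses in bytes 12-19, ports in the first four bytes of the L4 header).

```swift
import Foundation
import Network
import NetworkExtension
import os.log

/// Observe-only NEFilterPacketProvider that logs interface name, direction and
/// a one-line header summary per packet. Hypothetical class for this thread.
class DiagnosticPacketFilter: NEFilterPacketProvider {

    // Subsystem/category are assumptions; filter Console on them.
    private let log = OSLog(subsystem: "com.example.diagfilter", category: "packets")

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // packetHandler runs on the packet path: keep it cheap and never block.
        packetHandler = { [weak self] (context: NEFilterPacketContext,
                                       interface: NWInterface,
                                       direction: NETrafficDirection,
                                       packetBytes: UnsafeRawPointer,
                                       packetLength: Int) -> NEFilterPacketProvider.Verdict in
            guard let self = self else { return .allow }
            let summary = Self.describe(packet: packetBytes, length: packetLength)
            os_log("%{public}@ %{public}@ %{public}@",
                   log: self.log, type: .debug,
                   interface.name,                         // e.g. "en0" vs "utun3"
                   direction == .outbound ? "out" : "in",
                   summary)
            return .allow
        }
        completionHandler(nil)
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        packetHandler = nil
        completionHandler()
    }

    /// Summarises an IPv4 packet down to protocol, addresses and TCP/UDP ports,
    /// so a 443 tunnel packet is distinguishable from an inner app packet.
    /// IPv6 is reported by next-header only; truncated packets are reported as short.
    static func describe(packet: UnsafeRawPointer, length: Int) -> String {
        guard length >= 20 else { return "short(\(length))" }
        let p = packet.assumingMemoryBound(to: UInt8.self)
        let version = p[0] >> 4
        if version == 6 {
            guard length >= 40 else { return "short-v6(\(length))" }
            return "ipv6 next-header=\(p[6]) len=\(length)"
        }
        guard version == 4 else { return "non-ip version=\(version)" }

        let ihl = Int(p[0] & 0x0F) * 4          // IPv4 header length in bytes
        let proto = p[9]
        let src = "\(p[12]).\(p[13]).\(p[14]).\(p[15])"
        let dst = "\(p[16]).\(p[17]).\(p[18]).\(p[19])"
        guard ihl >= 20, length >= ihl + 4 else {
            return "ipv4 proto=\(proto) \(src)->\(dst) (no l4 header)"
        }
        switch proto {
        case 6, 17:                              // TCP / UDP: ports lead the L4 header
            let sport = UInt16(p[ihl]) << 8 | UInt16(p[ihl + 1])
            let dport = UInt16(p[ihl + 2]) << 8 | UInt16(p[ihl + 3])
            let name = proto == 6 ? "tcp" : "udp"
            // Port 443 either way is what the poster sees once AnyConnect is up.
            let tag = (sport == 443 || dport == 443) ? " [443: likely tunnel]" : ""
            return "\(name) \(src):\(sport) -> \(dst):\(dport)\(tag)"
        default:
            return "ipv4 proto=\(proto) \(src)->\(dst)"
        }
    }
}
```

Run it with the VPN down, then connect AnyConnect and compare: if after connecting every logged packet carries a physical interface name and a 443 port, and no packet is ever logged with a utun name, then whatever is on the utun path is not reaching this provider, which is the visibility loss the thread describes. If utun-named packets do appear, the inner traffic is reachable and the ordering discussion above applies instead.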

I am not able to speak about other apps or Development configurations, but the recommended path to create any VPN is through a Network Extension path.

If you are seeing inconsistencies here then you will want to open an enhancement request to control the network configuration service order, thus controlling which provider gets the traffic first. Please respond with your Feedback ID.