How to ideally track open sockets on macOS

Hello,

We would like to track the open sockets on the machine. we don't want to use a constantly running thread that polls the open sockets (such as by using sysctlbyname) since it sometimes will miss short-lived sockets.

After some research we decided to implement a content filter (NEFilterDataProvider) that pass-through every socket flow.

However, as we see and read in the forum, all previously opened sockets are disconnected once the filter is applied, which is an undesired thing for users using a VPN that will disconnect as well.

We would like to know if there is a better way to track all sockets, preferably in an event-driven way, or, to prevent the existing sockets from disconnecting if we use the filter or other network extension.

Up vote post of BoazH Down vote post of BoazH
369 views
Posted by
BoazH
Reply
Add a Comment

Replies

or, to prevent the existing sockets from disconnecting if we use the filter or other network extension.

I think you should open an enhancement request for this for NEFilterProviderConfiguration to add a capability to preserve any existing connections that may be opened by NEFilterDataProvider starts. Please post your feedback ID here.

Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Add a Comment

Hi,

Here is the enhancement request ID: FB13696531

Thanks

Posted by
BoazH
Up vote reply of BoazH Down vote reply of BoazH
Add a Comment

Besides the capability enhancement, Is there another way besides content Filter to get events on new sockets?

Posted by
BoazH
Up vote reply of BoazH Down vote reply of BoazH
Add a Comment

FB13696531

Thanks for that.

Is there another way besides content Filter to get events on new sockets?

I’m not sure you need that. Rather, at the time you product starts up, combine the approaches you’ve already described:

  • Use libproc to learn about connections.

  • Use an NE filter to learn about new ones.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Thanks,

we just want to make sure if this is the recommended way by Apple to track the opened socket (using filter network extension), so we proceed with our implementation.

Posted by
BoazH
Up vote reply of BoazH Down vote reply of BoazH
Add a Comment