Question

I want to monitor packets on specific ports in Mac OS X, being able to read their contents and sometimes change their contents (if possible). I was wondering if it's possible by writing a KEXT, or whether I can do this in an application and show the results instantly. I would appreciate any information on libraries and approaches I can use to achieve this.

Solution

"Monitor packets" in what sense?

If you mean "watch what packets to or from specific TCP or UDP ports are sent" or "what packets are sent or received on particular network interfaces", you would use the pcap library, just as on other UN*Xes. libpcap/WinPcap is the library that Wireshark - and tcpdump - use; on OS X, the underlying kernel mechanism it uses is BPF (the Berkeley Packet Filter), which is built into XNU (it is open-source - see the bsd/net/bpf.c and bsd/net/bpf_filter.c files, and the header files they include, in the XNU source) and doesn't require a kext. (Wireshark does not have its own kext; it uses libpcap/WinPcap so that it can work on Linux and OS X and *BSD and Solaris and HP-UX and AIX and Tru64 UNIX and IRIX and so on, as well as on Windows if WinPcap is installed, so, on OS X and *BSD, it ultimately uses BPF.)

Libpcap/WinPcap doesn't, except on Linux, allow you to capture on all interfaces with one "handle"; you would have to use pcap_findalldevs() to find all the currently-available interfaces, and then open separate handles for each of them. If by "ports" you mean "network ports", so that one "port" is your Ethernet port and another is your Wi-Fi adapter, you'd have to individually open all the "ports" on which you want to capture.

If by "ports" you mean TCP or UDP ports, and you only want to watch traffic to or from particular ports, you'd have to specify a "filter" expression, translate it to "BPF code" with pcap_compile(), and then make it the filter for a particular libpcap/WinPcap handle with pcap_setfilter().

If you want to use a Cocoa wrapper for pcap, a Google search I did a while ago found packetsniffer and CapKit; I have not used either of those, so I can't recommend one or the other.

OTHER TIPS

Have you seen Apple's overview documentation on Network Kernel Extensions? That should get you started.

The downloadable source code for this book also contains a few packet filtering example NKEs at various levels of the network stack. (The book of course also explains this stuff in some detail in chapter 13.)

You also may be able to re-use an existing open source kext for pure monitoring: The Wireshark application already does this, and you should be able to hook into its kext. For actually modifying the packet stream, you will probably have to do that purely in the kernel.

Because OS X and iOS are Unix and Objective-C is C, the answer is, "the same way you do it on Unix in C" - Cocoa is high-level and what you want to do is low level. I can't find the question on SO but someone suggested looking at the source for MenuMeters as an example of network monitoring.

Licensed under: CC-BY-SA with attribution