
A simple demonstration of the macOS Network Extension


SimplePcap

This sample code accompanies my blog post "macOS vs. Windows - What the kernels tell you about security events: Part 2". It demonstrates the use of the NEFilterPacketProvider class of Apple's Content Filter APIs, announced at WWDC 2019. The pcap capture shown in this sample is useful for debugging your own Content Filter. The project only runs on macOS. When the network extension in the sample is correctly built and run, it automatically generates a mySimplePcap.pcap file in the /tmp folder. The pcap file captures all the network packets that go through your NEFilterPacketProvider.
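How raw packet bytes, such as those a packet filter sees, become a .pcap file and how to check that the file is well-formed, as an added example in C that is not this project's own code. The function names, the snap length and the Ethernet link type are assumptions, and the frame written in main is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>
#define PCAP_MAGIC 0xa1b2c3d4u   /* classic pcap, microsecond timestamps */
#define LINKTYPE_ETHERNET 1u     /* assumption: each packet starts with an Ethernet header */
struct pcap_file_hdr { uint32_t magic; uint16_t vmajor, vminor; int32_t thiszone;
                       uint32_t sigfigs, snaplen, linktype; };          /* 24 bytes */
struct pcap_rec_hdr  { uint32_t ts_sec, ts_usec, incl_len, orig_len; }; /* 16 bytes */

/* Create the capture file and write the global header (format version 2.4). */
FILE *pcap_open(const char *path, uint32_t snaplen, uint32_t linktype) {
    struct pcap_file_hdr h = { PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype };
    FILE *f = fopen(path, "wb");
    if (f && fwrite(&h, sizeof h, 1, f) != 1) { fclose(f); f = NULL; }
    return f;
}

/* Append one packet: at most snaplen bytes are stored, orig_len keeps the wire size. */
int pcap_append(FILE *f, uint32_t snaplen, const void *bytes, size_t len) {
    struct timeval tv;
    gettimeofday(&tv, NULL);
    uint32_t incl = len > snaplen ? snaplen : (uint32_t)len;
    struct pcap_rec_hdr r = { (uint32_t)tv.tv_sec, (uint32_t)tv.tv_usec, incl, (uint32_t)len };
    if (fwrite(&r, sizeof r, 1, f) != 1) return -1;
    if (incl && fwrite(bytes, 1, incl, f) != incl) return -1;
    return fflush(f) == 0 ? 0 : -1;  /* flush so the file can be read while capture runs */
}

/* Count the records in a capture; -1 on a bad header or truncated packet data. */
long pcap_count(const char *path) {
    static unsigned char buf[65536];
    struct pcap_file_hdr h; struct pcap_rec_hdr r; long n = 0;
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    if (fread(&h, sizeof h, 1, f) != 1 || h.magic != PCAP_MAGIC) n = -1;
    while (n >= 0 && fread(&r, sizeof r, 1, f) == 1)
        n = (r.incl_len <= sizeof buf && r.incl_len <= r.orig_len &&
             fread(buf, 1, r.incl_len, f) == r.incl_len) ? n + 1 : -1;
    fclose(f);
    return n;
}

int main(void) {
    unsigned char frame[60] = {0};                 /* constructed 60-byte frame */
    FILE *f = pcap_open("constructed_sample.pcap", 32, LINKTYPE_ETHERNET);
    if (!f || pcap_append(f, 32, frame, sizeof frame) || pcap_append(f, 32, frame, 14)) return 1;
    fclose(f);
    printf("%ld records\n", pcap_count("constructed_sample.pcap"));
    return 0;
}
```

The header fields are written in host byte order; pcap readers detect the byte order from the magic number.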

The network extension is implemented as part of the SimplePcap app. The app has a simple UI that lets the user start and stop the pcap and shows some basic information about the pcap file. The UI is written in Swift and the network extension is written in Objective-C. The following picture shows the app UI when the network extension is running:

To clone this repo:

git clone git@github.com:Trinity2019/SimplePcap.git

Build

The main purpose of this project is to demonstrate the usage of the NEFilterPacketProvider class and to enrich the online sample resources for NetworkExtensions. To be able to build, you need to: 1. register as an Apple developer, 2. apply for the content-filter-provider entitlement from Apple, 3. configure the projects correctly with the information obtained from steps 1 and 2.