Skip to content
This repository has been archived by the owner. It is now read-only.
A userland network manager with monitoring and limiting capabilities for macOS. #nsacyber
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
src initial commit Nov 28, 2016


Network Management, Monitoring, and Limiting

netman is a userland network manager, with monitoring and limiting capabilities for macOS. See below for example use-cases.

Installation and Usage

  1. make
  2. make install
  3. netman --help

Note: some of netman's functionality requires elevated privileges

Use Cases

Command Data Limiting

 sudo netman --command="wget | sh" --limit=25 -H monitor

The above command will limit the wget | sh command to 25MB system wide. After that, the command will be terminated.

Command Chaining

Example One

 sudo netman --command="wget | sh" --limit=25 -H monitor && sudo netman down

The above command is similiar to the ''Command Data Limiting'' example, but afterwards it will shutdown all network interfaces.

Example Two

 netman down && netman up en0 && sudo netman --command="wget | sh" --limit=25 -H monitor && sudo netman down

The above command is similiar to example one except the command will only use the en0 network interface.

Example Three

 netman --limit=100 -H && kill -9 6543

The above command is similiar to using the --command flag except after 100MB the process with the id 6543 is terminated.

Technical Details

Network Interfaces

Interfaces are retrieved from getifaddrs (3). Interfaces are stored in a custom interface struct.

 struct interface {
 	char *name;
 	struct sockaddr *if_addr;
 	u_long obytes;
 	u_long ibytes;
 typedef struct interface interface;

The alternative method is to use ioctl with the SIOCGIFCONF flag.


Using a modified version of MinUnit -- a minimal unit testing framework for C.

For debug mode, make with DEBUG=1. To run tests, make with TEST=1

BFP - Berkley Packet Filter

The logging of used bytes is done using Berkley Packet Filters (bfp) with no filters applied.

Basic examples of bfps:


macOS does not have eBPFs yet so netman cannot monitor specific sockets for specific applications, only interfaces. What does this mean? Well if multiple applications are the network then your byte limit may be reached much faster. Socket filters would be a logical next step.





You can’t perform that action at this time.