Could someone give a hint at which API one would use to intercept incoming and outgoing network traffic like Little Snitch does on Mac OS X?
A Cocoa-based API is favored.
Would one need to write a kext, or could a (somehow authorized) user-land app do the job too?
I don't know how Little Snitch does it (but I'd love to…); I've been using these DTrace probes:
# Socket accepts by process name:
dtrace -n 'syscall::accept*:entry { @[execname] = count(); }'
# Socket connections by process and user stack trace:
dtrace -n 'syscall::connect*:entry { trace(execname); ustack(); }'
# Who is connecting to what:
dtrace -n 'tcp:::accept-established { @[args[3]->tcps_raddr, args[3]->tcps_lport] = count(); }'
(These are from "DTrace: Dynamic Tracing in Oracle Solaris, Mac OS X, and FreeBSD" by Brendan Gregg and Jim Mauro, Prentice Hall 2011; see http://www.dtracebook.com/index.php/Network_Lower_Level_Protocols.)
You should also check out Brendan Gregg's DTraceToolkit: http://www.brendangregg.com/dtrace.html#DTraceToolkit
Specifically tcpsnoop and tcptop.
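A fuller DTrace script in the same spirit, added here as an example; it is not part of the original answer and not one of the DTraceToolkit's own scripts, although it follows the sockaddr-decoding approach used by the toolkit's soconnect_mac.d. The script name, the output columns and the comments are mine. It hooks connect(2) via the syscall provider, copies the user-space sockaddr into the kernel, decodes the IPv4 address and port by hand (the manual byte join avoids relying on inet_ntoa(), which not every DTrace build offers), and on return reports whether the kernel accepted the call:

```d
#!/usr/sbin/dtrace -s
/*
 * soconnect_report.d (added example; not from the original post or the
 * DTraceToolkit). Prints one line per IPv4 connect(2): who connected
 * where, and the errno the call returned.
 *
 * Run as root: sudo dtrace -s soconnect_report.d
 * DTrace only observes these calls; it cannot veto them.
 */
#pragma D option quiet
#pragma D option switchrate=10hz

inline int af_inet = 2;		/* AF_INET */

dtrace:::BEGIN
{
	printf("%-6s %-16s %-16s %5s %s\n",
	    "PID", "PROCESS", "ADDRESS", "PORT", "ERRNO");
}

/* connect(fd, addr, addrlen): arg1 is a user pointer, arg2 its length */
syscall::connect*:entry
{
	this->s = (struct sockaddr_in *)copyin(arg1, arg2);
	this->family = this->s->sin_family;
}

/* Only IPv4 is decoded; AF_INET6 and AF_UNIX calls are ignored */
syscall::connect*:entry
/this->family == af_inet/
{
	/* s_addr is already in network byte order, so the bytes in
	 * memory are the dotted-quad digits in the right order */
	this->a = (uint8_t *)&this->s->sin_addr;
	self->addr = strjoin(lltostr(this->a[0] + 0ULL), strjoin(".",
	    strjoin(lltostr(this->a[1] + 0ULL), strjoin(".",
	    strjoin(lltostr(this->a[2] + 0ULL), strjoin(".",
	    lltostr(this->a[3] + 0ULL)))))));
	self->port = ntohs(this->s->sin_port);
	self->tracing = 1;
}

/* errno 0 = connected; 36 (EINPROGRESS) = non-blocking socket, still
 * in flight; anything else = refused, unreachable, blocked, etc. */
syscall::connect*:return
/self->tracing/
{
	printf("%-6d %-16s %-16s %5d %d\n",
	    pid, execname, self->addr, self->port, errno);
	self->tracing = 0;
	self->addr = 0;
	self->port = 0;
}
```

Two caveats a practitioner will hit. First, this is observation, not enforcement: by the time the entry probe fires the connection attempt is already on its way, and a Little Snitch-style allow/deny decision needs a kernel-side filter (on Mac OS X, a socket-filter kext; on newer macOS releases, a Network Extension content filter). Second, on OS X 10.11 and later, System Integrity Protection stops DTrace from attaching to Apple-signed binaries, so the script will silently miss connections made by protected system processes unless SIP's DTrace restriction is lifted.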