This chapter provides an overview of the TCPLogger sample, which is included in the NKE documentation package.
Important: The information provided in this document is relevant for Mac OS X 10.1 through 10.3. Items that apply to newer releases of the OS are specifically noted.
For all shipping releases of Mac OS X prior to 10.4, the Network Kernel Extensions (NKE) APIs have not been officially supported. The legacy NKE architecture was implemented as an interim solution. The legacy API was never designed to be officially supported. Other aspects of the OS X networking implementation have received a higher priority, and so the interim solution has remained in effect to OS X 10.3.x.
The NKE mechanism for Mac OS X version 10.4 and later is described in the document Network Kernel Extensions Programming Guide.
tcplognke is a socket NKE which is invoked for each TCP connection. It records detailed information about each connection, including the number of bytes sent to and from the system, the time the connection was up, and the remote IP address. The tcplog command line utility demonstrates control of the tcplognke NKE to enable/disable logging, dump log information, and specify different logging criteria.
When tcplognke is loaded and initialized, it installs itself in the TCP protocol structure, ready for use, and registers a Kernel Controller structure. The tcplog utility demonstrates the use of the PF_SYSTEM socket to enable/disable logging in tcplognke and to have the NKE send its saved log information to the tool, which displays it in the terminal window. The tool implements other command options to control the operations of the NKE.
The tcplognke NKE keeps a buffer of connection records. If no control program attaches to it, the buffer is continually overwritten as connections are established and terminated. To retain or view the information that the tcplognke NKE gathers, use the enclosed tcplog command line utility. The tool configures the tcplognke NKE to send log records to the tcplog program. The tcplog tool then loops, displaying and writing log records as the tcplognke NKE creates them.
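The buffer behavior described above, as an added userspace model in C (not Apple's code and not part of the TCPLogger sample): records are overwritten while no control program is attached, then flushed and streamed once one attaches. Every name, the four-slot capacity, and the sample connections are assumptions made for illustration.

```c
/* Userspace model only. Every name here is hypothetical, not from the tcplognke source. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define LOG_SLOTS 4  /* constructed capacity; the page does not give the real size */

struct conn_record {             /* the fields the chapter says are recorded */
    uint32_t remote_ip;          /* remote IPv4 address */
    uint64_t bytes_out, bytes_in;
    uint32_t seconds_up;
};
typedef void (*deliver_fn)(const struct conn_record *, void *ctx);
struct conn_log {
    struct conn_record slot[LOG_SLOTS];
    size_t head, count;          /* next write index; number of saved records */
    uint64_t dropped;            /* records overwritten before anyone read them */
    deliver_fn deliver;          /* non-NULL once a control program is attached */
    void *ctx;
};

/* Record a finished connection: stream it if a client is attached, else save it. */
void log_connection(struct conn_log *l, const struct conn_record *r) {
    if (l->deliver) { l->deliver(r, l->ctx); return; }
    if (l->count == LOG_SLOTS) l->dropped++; else l->count++;
    l->slot[l->head] = *r;       /* when full, this overwrites the oldest record */
    l->head = (l->head + 1) % LOG_SLOTS;
}
/* Attach a client: flush saved records oldest first, then stream. Returns flushed count. */
size_t attach_client(struct conn_log *l, deliver_fn fn, void *ctx) {
    size_t n = l->count, start = (l->head + LOG_SLOTS - l->count) % LOG_SLOTS;
    for (size_t i = 0; i < n; i++) fn(&l->slot[(start + i) % LOG_SLOTS], ctx);
    l->count = l->head = 0;
    l->deliver = fn; l->ctx = ctx;
    return n;
}
struct sink { uint32_t ips[16]; size_t n; };   /* stand-in for the tool's display loop */
void collect(const struct conn_record *r, void *ctx) {
    struct sink *s = ctx;
    if (s->n < 16) s->ips[s->n++] = r->remote_ip;
}

int main(void) {
    struct conn_log l = {0}; struct sink s = {0};
    for (uint32_t i = 1; i <= 6; i++) {          /* constructed sample connections */
        struct conn_record r = { i, 100u * i, 200u * i, i };
        log_connection(&l, &r);
    }
    size_t flushed = attach_client(&l, collect, &s);
    printf("flushed=%zu dropped=%llu\n", flushed, (unsigned long long)l.dropped);
    return 0;
}
```

In this model the `dropped` counter makes the loss visible: any connection that closed while no client was attached and the buffer was full leaves no record.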
The source code for the tcplognke NKE and for the tcplog command line utility is available for the current (10.4 and later) version of the NKE architecture as the tcplognke sample code project. See the Read Me file with the TCPLogger sample code for more instructions on the design and use of the sample NKE.
The legacy tcplognke NKE (for 10.3 and earlier) is not published and is not supported. You must contact Apple developer technical support to obtain this sample code.
© 2003, 2006 Apple Computer, Inc. All Rights Reserved. (Last updated: 2006-10-03)