Thanks again for your clarifications @DTS Engineer! Here is the flow I am thinking to follow with my existing app so far: Network Traffic │ NETransparentProxyProvider │ ├─ Detect Protocol (first bytes) │ ├─ HTTP ─────> HTTPFlowLogger (existing) │ └─-------- HTTPS │ TLS Interceptor (NEW) │ ┌─────---───────────────┐ │ │ Client TLS Server TLS (terminate) (re-initiate) │ │ └──── Decrypted Bytes ─----┘ │ HTTPFlowLogger (reuse) To start with, I am thinking of something basic: Supporting all HTTP/1.1 traffic so that I can reuse my existing HTTP parser. Is it possible to downgrade(at least a part of) HTTPS traffic without loosing anything while doing so? What can I expect in terms of complexity and performance here? Now, As you've mentioned: Keep in mind that the world has moved on from HTTP/1. A good TLS inspection product should support HTTP/2 + TLS + TCP and HTTP/3 + QUIC + DTLS + UDP To support at least HTTP/2 + TLS + TCP(as I think most of the traffic these days), What's the best approach in this scenario? Once I get the flow from override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool { ..... I just branch to the specific handler based on ALPN extraction. Something like: private func classifyTLS(_ info: TLSClientHelloInfo) -> String { if info.alpnProtocols.contains("h2") { return "HTTP_2" } if info.alpnProtocols.contains("http/1.1") { return "HTTP_1_1" } return "UNKNOWN" } Where TLSClientHelloInfo is a struct: struct TLSClientHelloInfo { let serverName: String? let version: UInt16 let alpnProtocols: [String] } Now, for parsing HTTPS traffic of the kind HTTP/2 + TCP: Is it a good idea to use the SwiftNIO SSL library: NIO HTTP2 or NIO HTTP? What kind of issues I need to be prepared if I follow this approach in my System Extension Xcode target? Also, I can see multiple protocols when I just printed in some cases. Once I extracted, it has h2 and http/1.1. Now, Is it possible to downgrade the HTTPS traffic to just http/1.1 without loosing anything or we are going to face compatibility/anyother issues? I need to handle up to HTTP/2, at the very least, to cover majority of HTTPS traffic, right? And overall, how practical and achievable, the approach I am thinking? Thanks a lot for continuous support here.

Hi @DTS Engineer I’m referring to a MITM proxy in the generic sense, not the mitmproxy project. I’m also unsure whether mitmproxy can be cleanly integrated into an existing all-Swift codebase. Additionally, would this approach require bringing in external libraries such as SwiftNIO SSL? Overall, I’m looking for guidance on choosing the right approach to start with. And if possible, some more detailed steps and resources that'll help me here as it's my first time working with this kind of task. Thanks a lot

Hi @DTS Engineer , Thanks a lot for your clarifications again!! I’m working with the NETransparentProxyProvider class for a network extension app in my macOS. However, I’ve encountered an issue where the Transparent Proxy extension does not activate when the system is offline (network disabled). Here are the details: Content Filter extension is active and functioning properly(offline as well) Both the Transparent Proxy and Content Filter extensions are under the same Xcode target. I can see the Transparent Proxy extension listed in Settings → Network → Filters & Proxies, but it shows as "Disabled."(offline) My question: Is an active network connection required for the NETransparentProxyProvider extension to be enabled/activated, even temporarily, during installation? Background: The environment where I’m installing the system extension doesn’t have network access (e.g., in sandboxed VMs). Once installed, the extensions are always running, but the main app process (Xcode target 1) is started and stopped externally as needed. Any clarification on the network requirements for the NETransparentProxyProvider class would be greatly appreciated. Additionally, does the same apply to the NEDNSProxyProvider class(If I am able to integrate three extensions in same xcode target)? Please let me know if there are any more clarifications/inputs needed to understand my current issue better. Thanks a lot

Hi @DTS Engineer , Thank you very much for your responses, really helpful. For the past two weeks, I've been experimenting with a macOS System Extension application that manages three different Network Extension providers (NEFilterDataProvider, NETransparentProxyProvider, and NEDNSProxyProvider) housed within a single systemext bundle (Xcode target2), all managed and activated by a single main application(Xcode target1). My goal is to reliably capture comprehensive network activity logs from all three extensions simultaneously, particularly under high-traffic conditions. I've run into a few architectural questions regarding prioritization, concurrency, and logging reliability. Part 1: Extension Activation Order and Execution Predictability When multiple Network Extensions are active, how does the system process traffic, and is there a guaranteed order of execution? Q1: Given that all three extensions are active, is there a predictable order in which the network traffic will hit the providers? For example, should I assume the NEFilterDataProvider processes the socket/flow before the NETransparentProxyProvider or NEDNSProxyProvider handles the connection attempt? Q2: Is there a recommended or "safe" sequence for activating these three specific managers (NEFilterManager, NETransparentProxyManager, NEDNSProxyManager) from the main application to ensure the system applies them correctly and avoids conflicts? Q3: When the network is under high load, is there a risk that one provider (e.g., the DNS Proxy) might experience delays or resource starvation, potentially causing it to miss network events or logs while the others continue to process traffic? Part 2: Bidirectional Inter-Process Communication (IPC/XPC) I am using a single, bidirectional NSXPCConnection channel (IPCConnection) to send logs from all three providers back to the main application for processing. My Current IPC Setup (Simplified): /// App --> Provider IPC (Implemented by Provider) @objc protocol ProviderCommunication { func register(_ completionHandler: @escaping (Bool) -> Void) } /// Provider --> App IPC (Implemented by Main App) @objc protocol AppCommunication { func handleLogs(logData: Data) } And then in IPCConnection, I call the above function after receiving the logs from extension: func sendLogs(logData: Data) { if let logString = String(data: logData, encoding: .utf8) { os_log("IPCConnection: Log entry received: %{public}@", logString) } // Use remoteAppConnection (captured from app via register()) instead of currentConnection guard let appProxy = remoteAppConnection else { os_log("IPCConnection: No remote app proxy") return } appProxy.handleLogs(logData: logData) } Each extension sends the log to IPCConnection class/file by calling sendLogs function like: private let ipcConnection: IPCConnection ....... ipcConnection.sendLogs(logData: logEntry) or IPCConnection.shared.sendLogs(logData: logEntry) Q4: Since all three extensions (which run in the same Xcode target) will be asynchronously calling sendLogs(logData:) simultaneously during high network traffic, is it safe to use a single XPC connection? Any guidance on the interaction between these three types of network extensions and best practices for robust, concurrent XPC communication would be greatly appreciated. Please let me know if more clarifications needed from my end. Thank you

Thanks a lot for your detailed explanation of the relevant concepts @DTS Engineer. It's very helpful and I really appreciate your time and support here. I am using Content Filter Extension to capture/log some basic details. As you've mentioned, it's the simplest one. I wanted to have a working network extension app for MacOS to begin with. However, my intention is to capture real network traffic with HTTP/HTTPS logs, actual urls, and actual endpoints along with DNS Record details by using all the relevant extensions together. Right now, My app is working with Content Filter extension. As you suggested, I am building with two Xcode targets, one with Main app and other with the System Extension(which contains multiple network extensions). To start with, I am only focusing on HTTP logs capture using NETransparentProxyProvider for now(Capturing/logging HTTPS requires more work dealing with TLS and Certificates, will look into this later). I am able to build, and run this binary with these added new files for AppProxy class(inherited from NETransparentProxyProvider), after updating extension's Info.plist and entitlement files with two extension types. However, Only Content Filter extension is active but not the Proxy extension. At General-> Login Items & Extensions tab, Under Extensions section, I can see "Network Extensions" with com.company.MyNetworkExtension.SystemExtensions(this is the name I have given to my system extension). Here are the Disk structure and other relevant details for the app with multiple network extensions under the single system extension target for your understanding: /Library/SystemExtensions/79F14D4A-D6E0-4CFA-972C-9B18E467D9FF/com.company.MyNetworkExtension.SystemExtensions.systemextension/Contents/MacOS Has com.company.MyNetworkExtension.SystemExtensions And file com.company.MyNetworkExtension.SystemExtensions command gives: com.company.MyNetworkExtension.SystemExtensions: Mach-O 64-bit executable x86_64 Also after placing my binary in /Applications directory: cd /Applications/MyNetworkExtension.app/Contents/MacOS has the following: __preview.dylib, MyNetworkExtension, MyNetworkExtension.debug.dylib /Applications/MyNetworkExtension.app/Contents/Library/SystemExtensions/ com.company.MyNetworkExtension.SystemExtensions.systemextension/ Contents/MacOS Has com.company.MyNetworkExtension.SystemExtensions And file com.company.MyNetworkExtension.SystemExtensions command gives: com.company.MyNetworkExtension.SystemExtensions: Mach-O 64-bit executable x86_64 How to Enable multiple extensions(like, Content Filter, Transparent Proxy, etc)? Are there any other missing things leading to inactivation of my Transparent Proxy? It would be very helpful if you can help me on all the relevant details regarding these and keeping multiple network extensions active for MacOS. Thank you once again for your continued support here.

Hi @DTS Engineer, Thank you for clarifying. I confirm that I am referring to Network Extensions within the context of System Extensions. Regarding the first approach I mentioned earlier, I am using separate NEMachServiceNames in the Info.plist files for two different extensions, while using the same App Groups name for all extensions in their respective targets. For the Second approach you suggested, I understand that in the configuration, we can place multiple extensions under the NEProviderClasses dictionary in the extension's entitlement file, and maintain a single NEMachServiceName in the Info.plist file of the Extension's target (Xcode Target2). Given that I am new to this framework, I would greatly appreciate it if you could provide more detailed guidance on how to: Utilize multiple NE Providers with a single system extension. Activate these providers one after another. Handle IPC (Inter-Process Communication) connections between the Main App and the single System Extension(apart from Info.plist config with service name) Any detailed examples or documentation would be extremely helpful. I am thinking of the following kind of project/folder structure(for Second approach), Correct me if I am wrong in understanding: MyNetworkExtensionProject/ ├── MyNetworkExtensionApp/ (Xcode Target1) │ ├── AppDelegate.swift │ ├── ViewController.swift │ ├── Resources/ │ │ ├── Assets.xcassets │ │ ├── Info.plist │ │ └── Main.storyboard │ └── MyNetworkExtensionApp.entitlements │ ├── MyNetworkSystemExtension/ (Xcode Target2) │ ├── Providers/ │ │ ├── AppProxyProvider.swift │ │ ├── DNSProxyProvider.swift │ │ ├── ContentFilterProvider.swift │ │ |── IPCConnection.swift |. |. |--- OtherFiles for parsing etc │ ├── Resources/ │ │ ├── Info.plist │ │ └── main.swift │ └── MyNetworkSystemExtension.entitlements │ └── Frameworks/ ├── NetworkExtension.framework └── libbsm.tbd Also, To capture HTTP(and HTTPS logs) of all kinds of network traffic, I am confused on which among 3 of the APIs/Classes best suites for this purpose for MacOS: NEAppProxyProvider/ NETransparentProxyProvider/ Packet Tunnel Provider And to capture/log DNS Records(all kinds possible), Is the NEDNSProxyProvider right one? Kindly help me choose the best suitable one for my usecase Your responses/clarifications are very helpful as I am starting with this project. Thanks a lot for your time and support