Berkeley Packet Filter

The Berkeley Packet Filter or BPF provides, on some Unix-like systems, a raw interface to data link layers, permitting raw link-layer packets to be sent and received. In addition, if the driver for the network interface supports promiscuous mode, it allows the interface to be put into that mode, so that all packets on the network, even those destined for other hosts, can be received.

In addition, it supports "filtering" packets, so that only "interesting" packets are supplied to the software using BPF; this avoids copying "uninteresting" packets from the operating system kernel to software running in user mode, reducing both the CPU cost of capturing packets and the buffer space needed to avoid dropping them. BPF's filtering capabilities are implemented as an interpreter for a machine language for the BPF virtual machine; programs in that language can fetch data from the packet, perform arithmetic operations on data from the packet, compare the results against constants or against data in the packet, or test bits in the results, accepting or rejecting the packet based on the results of those tests. On some platforms, including FreeBSD and WinPcap, just-in-time compilation is used to convert virtual machine instructions into native code in order to further avoid overhead.
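As an added illustration (not code from the article or from any BSD or libpcap source), the following is a small interpreter for a subset of the classic BPF machine language described above, using the opcode encoding from `<net/bpf.h>`, run over a constructed Ethernet/IPv4 frame with the same program that `tcpdump -d "ip and tcp"` produces. Like the kernel's `bpf_filter()`, it returns the number of bytes to accept, with 0 meaning reject, and rejects a packet when a load reaches past its end.

```python
import struct
from collections import namedtuple

# Classic BPF opcode encoding (class | size | mode, or class | op | source).
BPF_LD, BPF_JMP, BPF_RET = 0x00, 0x05, 0x06
BPF_H, BPF_B, BPF_ABS = 0x08, 0x10, 0x20
BPF_JEQ, BPF_K = 0x10, 0x00

Insn = namedtuple("Insn", "code jt jf k")  # the four fields of struct bpf_insn

def bpf_filter(prog, pkt):
    """Run a classic BPF program over packet bytes.
    Returns the byte count to accept (0 = reject), as the kernel routine does."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == BPF_LD | BPF_H | BPF_ABS:          # ldh [k]: 16-bit big-endian load
            if k + 2 > len(pkt):
                return 0                               # load past end of packet: reject
            acc = struct.unpack_from("!H", pkt, k)[0]
        elif code == BPF_LD | BPF_B | BPF_ABS:        # ldb [k]: 8-bit load
            if k + 1 > len(pkt):
                return 0
            acc = pkt[k]
        elif code == BPF_JMP | BPF_JEQ | BPF_K:       # jeq #k: jt/jf are offsets from pc+1
            pc += jt if acc == k else jf
        elif code == BPF_RET | BPF_K:                 # ret #k: accept k bytes (0 rejects)
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x} at insn {pc - 1}")
    return 0  # ran off the end without a ret: treat as reject

# Same instructions tcpdump emits for "ip and tcp" on an Ethernet link:
IP_AND_TCP = [
    Insn(BPF_LD | BPF_H | BPF_ABS, 0, 0, 12),       # ldh [12]          EtherType
    Insn(BPF_JMP | BPF_JEQ | BPF_K, 0, 3, 0x0800),  # jeq #0x800  jt 2 jf 5
    Insn(BPF_LD | BPF_B | BPF_ABS, 0, 0, 23),       # ldb [23]          IP protocol
    Insn(BPF_JMP | BPF_JEQ | BPF_K, 0, 1, 6),       # jeq #6      jt 4 jf 5
    Insn(BPF_RET | BPF_K, 0, 0, 65535),             # ret #65535        accept
    Insn(BPF_RET | BPF_K, 0, 0, 0),                 # ret #0            reject
]

def make_frame(ethertype, proto):
    # Constructed sample: zeroed 14-byte Ethernet header + minimal 20-byte IPv4 header.
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, proto]) + b"\x00" * 10
    return eth + ip
```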

Kernel-mode interpreters for that same virtual machine language are used in raw data link layer mechanisms in other operating systems, such as Tru64 Unix, and for socket filters in Linux and in the WinPcap packet capture mechanism.

A user-mode interpreter for it is provided with the libpcap/WinPcap implementation of the pcap application programming interface (API), so that, when capturing packets on systems without kernel-mode support for that filtering mechanism, packets can be filtered in user mode; code using the pcap API will work on both types of systems, although, on systems where the filtering is done in user mode, all packets, including those that will be filtered out, are copied from the kernel to user space. That interpreter can also be used when reading a file containing packets captured using pcap.

BPF is sometimes used to refer just to the filtering mechanism, rather than to the entire interface.

BSD kernels implement routines such as bpf_mtap() and bpf_tap(), with some wrapping them in macros such as BPF_MTAP() and BPF_TAP(), which are called by network interface drivers (and pseudo-drivers) to deliver incoming and outgoing packets to the BPF mechanism.

In 2007, Watson and Peron added zero-copy buffer extensions to the BPF implementation in the FreeBSD operating system, allowing kernel packet capture in the device driver interrupt handler to write directly to user process memory in order to avoid the requirement for two copies for all packet data received via the BPF device. While one copy remains in the receipt path for user processes, this preserves the independence of different BPF device consumers, as well as allowing the packing of headers into the BPF buffer rather than copying complete packet data.

External links

* 1993 USENIX paper that describes BPF (PDF)
* FreeBSD Developer Summit presentation describing Zero-copy BPF (PDF)
* FreeBSD 8.x BPF(4) man page, including description of zero-copy BPF buffers

Wikimedia Foundation. 2010.

