1.\" Copyright (c) 1990 The Regents of the University of California. 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that: (1) source code distributions 6.\" retain the above copyright notice and this paragraph in its entirety, (2) 7.\" distributions including binary code include the above copyright notice and 8.\" this paragraph in its entirety in the documentation or other materials 9.\" provided with the distribution, and (3) all advertising materials mentioning 10.\" features or use of this software display the following acknowledgement: 11.\" ``This product includes software developed by the University of California, 12.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 13.\" the University nor the names of its contributors may be used to endorse 14.\" or promote products derived from this software without specific prior 15.\" written permission. 16.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 17.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 18.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 19.\" 20.\" This document is derived in part from the enet man page (enet.4) 21.\" distributed with 4.3BSD Unix. 22.\" 23.\" $FreeBSD: src/share/man/man4/bpf.4,v 1.21.2.11 2002/04/07 04:57:13 dd Exp $ 24.\" 25.Dd March 14, 2008 26.Dt BPF 4 27.Os 28.Sh NAME 29.Nm bpf 30.Nd Berkeley Packet Filter 31.Sh SYNOPSIS 32.Cd pseudo-device bpf 33.Sh DESCRIPTION 34The Berkeley Packet Filter 35provides a raw interface to data link layers in a protocol 36independent fashion. 37All packets on the network, even those destined for other hosts, 38are accessible through this mechanism. 39.Pp 40The packet filter appears as a character special device, 41.Pa /dev/bpf0 , 42.Pa /dev/bpf1 , 43etc. 44After opening the device, the file descriptor must be bound to a 45specific network interface with the 46.Dv BIOCSETIF 47ioctl. 48A given interface can be shared by multiple listeners, and the filter 49underlying each descriptor will see an identical packet stream. 50.Pp 51A separate device file is required for each minor device. 52If a file is in use, the open will fail and 53.Va errno 54will be set to 55.Er EBUSY . 56.Pp 57Associated with each open instance of a 58.Nm 59file is a user-settable packet filter. 60Whenever a packet is received by an interface, 61all file descriptors listening on that interface apply their filter. 62Each descriptor that accepts the packet receives its own copy. 63.Pp 64Reads from these files return the next group of packets 65that have matched the filter. 66To improve performance, the buffer passed to read must be 67the same size as the buffers used internally by 68.Nm . 69This size is returned by the 70.Dv BIOCGBLEN 71ioctl (see below), and 72can be set with 73.Dv BIOCSBLEN . 74Note that an individual packet larger than this size is necessarily 75truncated. 76.Pp 77The packet filter will support any link level protocol that has fixed length 78headers. Currently, only Ethernet, 79.Tn SLIP , 80and 81.Tn PPP 82drivers have been modified to interact with 83.Nm . 84.Pp 85Since packet data is in network byte order, applications should use the 86.Xr byteorder 3 87macros to extract multi-byte values. 88.Pp 89A packet can be sent out on the network by writing to a 90.Nm 91file descriptor. The writes are unbuffered, meaning only one 92packet can be processed per write. 93Currently, only writes to Ethernets and 94.Tn SLIP 95links are supported. 96.Sh IOCTLS 97The 98.Xr ioctl 2 99command codes below are defined in 100.In net/bpf.h . 101All commands require 102these includes: 103.Bd -literal 104 #include <sys/types.h> 105 #include <sys/time.h> 106 #include <sys/ioctl.h> 107 #include <net/bpf.h> 108.Ed 109.Pp 110Additionally, 111.Dv BIOCGETIF 112and 113.Dv BIOCSETIF 114require 115.In sys/socket.h 116and 117.In net/if.h . 118.Pp 119In addition to 120.Dv FIONREAD 121and 122.Dv SIOCGIFADDR , 123the following commands may be applied to any open 124.Nm 125file. 126The (third) argument to 127.Xr ioctl 2 128should be a pointer to the type indicated. 129.Bl -tag -width ".Dv BIOCGRTIMEOUT" 130.It Dv BIOCGBLEN 131.Pq Li u_int 132Returns the required buffer length for reads on 133.Nm 134files. 135.It Dv BIOCSBLEN 136.Pq Li u_int 137Sets the buffer length for reads on 138.Nm 139files. The buffer must be set before the file is attached to an interface 140with 141.Dv BIOCSETIF . 142If the requested buffer size cannot be accommodated, the closest 143allowable size will be set and returned in the argument. 144A read call will result in 145.Er EIO 146if it is passed a buffer that is not this size. 147.It Dv BIOCGDLT 148.Pq Li u_int 149Returns the type of the data link layer underlying the attached interface. 150.Er EINVAL 151is returned if no interface has been specified. 152The device types, prefixed with 153.Dq Li DLT_ , 154are defined in 155.In net/bpf.h . 156.It Dv BIOCPROMISC 157Forces the interface into promiscuous mode. 158All packets, not just those destined for the local host, are processed. 159Since more than one file can be listening on a given interface, 160a listener that opened its interface non-promiscuously may receive 161packets promiscuously. This problem can be remedied with an 162appropriate filter. 163.It Dv BIOCFLUSH 164Flushes the buffer of incoming packets, 165and resets the statistics that are returned by 166.Dv BIOCGSTATS . 167.It Dv BIOCGETIF 168.Pq Li "struct ifreq" 169Returns the name of the hardware interface that the file is listening on. 170The name is returned in the ifr_name field of 171the 172.Li ifreq 173structure. 174All other fields are undefined. 175.It Dv BIOCLOCK 176This ioctl is designed to prevent the security issues associated 177with an open 178.Nm 179descriptor in unprivileged programs. 180Even with dropped privileges, an open 181.Nm 182descriptor can be abused by a rogue program to listen on any interface 183on the system, send packets on these interfaces if the descriptor was 184opened read-write and send signals to arbitrary processes using the 185signaling mechanism of 186.Nm . 187By allowing only 188.Dq known safe 189ioctls, the 190.Dv BIOCLOCK 191ioctl prevents this abuse. 192The allowable ioctls are 193.Dv BIOCGBLEN , 194.Dv BIOCFLUSH , 195.Dv BIOCGDLT , 196.Dv BIOCGDLTLIST , 197.Dv BIOCGETIF , 198.Dv BIOCGRTIMEOUT , 199.Dv BIOCGSTATS , 200.Dv BIOCVERSION , 201.Dv BIOCGRSIG , 202.Dv BIOCGHDRCMPLT , 203.Dv FIONREAD , 204.Dv BIOCLOCK , 205.Dv BIOCSRTIMEOUT , 206.Dv BIOCIMMEDIATE 207and 208.Dv TIOCGPGRP . 209Use of any other ioctl is denied with error 210.Er EPERM . 211Once a descriptor is locked, it is not possible to unlock it. 212A process with root privileges is not affected by the lock. 213.Pp 214A privileged program can open a 215.Nm 216device, drop privileges, set the interface, filters and modes on the 217descriptor, and lock it. 218Once the descriptor is locked, the system is safe 219from further abuse through the descriptor. 220Locking a descriptor does not prevent writes. 221If the application does not need to send packets through 222.Nm , 223it can open the device read-only to prevent writing. 224If sending packets is necessary, a write-filter can be set before locking the 225descriptor to prevent arbitrary packets from being sent out. 226.It Dv BIOCSETIF 227.Pq Li "struct ifreq" 228Sets the hardware interface associated with the file. 229This command must be performed before any packets can be read. 230The device is indicated by name using the 231.Li ifr_name 232field of the 233.Li ifreq 234structure. 235Additionally, performs the actions of 236.Dv BIOCFLUSH . 237.It Dv BIOCSETWF 238.Pq Li "struct bpf_program *" 239Sets the write filter program used by the kernel to filter the packets 240written to the descriptor before the packets are sent out on the 241network. 242.It Dv BIOCSRTIMEOUT 243.It Dv BIOCGRTIMEOUT 244.Pq Li "struct timeval" 245Set or get the read timeout parameter. 246The argument 247specifies the length of time to wait before timing 248out on a read request. 249This parameter is initialized to zero by 250.Xr open 2 , 251indicating no timeout. 252.It Dv BIOCGSTATS 253.Pq Li "struct bpf_stat" 254Returns the following structure of packet statistics: 255.Bd -literal 256struct bpf_stat { 257 u_int bs_recv; /* number of packets received */ 258 u_int bs_drop; /* number of packets dropped */ 259}; 260.Ed 261.Pp 262The fields are: 263.Bl -hang -offset indent 264.It Li bs_recv 265the number of packets received by the descriptor since opened or reset 266(including any buffered since the last read call); 267and 268.It Li bs_drop 269the number of packets which were accepted by the filter but dropped by the 270kernel because of buffer overflows 271(i.e., the application's reads aren't keeping up with the packet traffic). 272.El 273.It Dv BIOCIMMEDIATE 274.Pq Li u_int 275Enable or disable 276.Dq immediate mode , 277based on the truth value of the argument. 278When immediate mode is enabled, reads return immediately upon packet 279reception. Otherwise, a read will block until either the kernel buffer 280becomes full or a timeout occurs. 281This is useful for programs like 282.Xr rarpd 8 283which must respond to messages in real time. 284The default for a new file is off. 285.It Dv BIOCSETF 286.Pq Li "struct bpf_program" 287Sets the read filter program used by the kernel to discard uninteresting 288packets. An array of instructions and its length is passed in using 289the following structure: 290.Bd -literal 291struct bpf_program { 292 int bf_len; 293 struct bpf_insn *bf_insns; 294}; 295.Ed 296.Pp 297The filter program is pointed to by the 298.Li bf_insns 299field while its length in units of 300.Sq Li struct bpf_insn 301is given by the 302.Li bf_len 303field. 304Also, the actions of 305.Dv BIOCFLUSH 306are performed. 307See section 308.Sx "FILTER MACHINE" 309for an explanation of the filter language. 310.It Dv BIOCVERSION 311.Pq Li "struct bpf_version" 312Returns the major and minor version numbers of the filter language currently 313recognized by the kernel. Before installing a filter, applications must check 314that the current version is compatible with the running kernel. Version 315numbers are compatible if the major numbers match and the application minor 316is less than or equal to the kernel minor. The kernel version number is 317returned in the following structure: 318.Bd -literal 319struct bpf_version { 320 u_short bv_major; 321 u_short bv_minor; 322}; 323.Ed 324.Pp 325The current version numbers are given by 326.Dv BPF_MAJOR_VERSION 327and 328.Dv BPF_MINOR_VERSION 329from 330.In net/bpf.h . 331An incompatible filter 332may result in undefined behavior (most likely, an error returned by 333.Fn ioctl 334or haphazard packet matching). 335.It Dv BIOCSHDRCMPLT 336.It Dv BIOCGHDRCMPLT 337.Pq Li u_int 338Set or get the status of the 339.Dq header complete 340flag. 341Set to zero if the link level source address should be filled in automatically 342by the interface output routine. Set to one if the link level source 343address will be written, as provided, to the wire. This flag is initialized 344to zero by default. 345.It Dv BIOCSSEESENT 346.It Dv BIOCGSEESENT 347.Pq Li u_int 348Set or get the flag determining whether locally generated packets on the 349interface should be returned by BPF. Set to zero to see only incoming 350packets on the interface. Set to one to see packets originating 351locally and remotely on the interface. This flag is initialized to one by 352default. 353.El 354.Sh BPF HEADER 355The following structure is prepended to each packet returned by 356.Xr read 2 : 357.Bd -literal 358struct bpf_hdr { 359 struct timeval bh_tstamp; /* time stamp */ 360 u_long bh_caplen; /* length of captured portion */ 361 u_long bh_datalen; /* original length of packet */ 362 u_short bh_hdrlen; /* length of bpf header (this struct 363 plus alignment padding */ 364}; 365.Ed 366.Pp 367The fields, whose values are stored in host order, and are: 368.Pp 369.Bl -tag -compact -width bh_datalen 370.It Li bh_tstamp 371The time at which the packet was processed by the packet filter. 372.It Li bh_caplen 373The length of the captured portion of the packet. This is the minimum of 374the truncation amount specified by the filter and the length of the packet. 375.It Li bh_datalen 376The length of the packet off the wire. 377This value is independent of the truncation amount specified by the filter. 378.It Li bh_hdrlen 379The length of the 380.Nm 381header, which may not be equal to 382.\" XXX - not really a function call 383.Fn sizeof "struct bpf_hdr" . 384.El 385.Pp 386The 387.Li bh_hdrlen 388field exists to account for 389padding between the header and the link level protocol. 390The purpose here is to guarantee proper alignment of the packet 391data structures, which is required on alignment sensitive 392architectures and improves performance on many other architectures. 393The packet filter insures that the 394.Li bpf_hdr 395and the network layer 396header will be word aligned. Suitable precautions 397must be taken when accessing the link layer protocol fields on alignment 398restricted machines. (This isn't a problem on an Ethernet, since 399the type field is a short falling on an even offset, 400and the addresses are probably accessed in a bytewise fashion). 401.Pp 402Additionally, individual packets are padded so that each starts 403on a word boundary. This requires that an application 404has some knowledge of how to get from packet to packet. 405The macro 406.Dv BPF_WORDALIGN 407is defined in 408.In net/bpf.h 409to facilitate 410this process. It rounds up its argument 411to the nearest word aligned value (where a word is 412.Dv BPF_ALIGNMENT 413bytes wide). 414.Pp 415For example, if 416.Sq Li p 417points to the start of a packet, this expression 418will advance it to the next packet: 419.Dl p = (char *)p + BPF_WORDALIGN(p->bh_hdrlen + p->bh_caplen) 420.Pp 421For the alignment mechanisms to work properly, the 422buffer passed to 423.Xr read 2 424must itself be word aligned. 425The 426.Xr malloc 3 427function 428will always return an aligned buffer. 429.Sh FILTER MACHINE 430A filter program is an array of instructions, with all branches forwardly 431directed, terminated by a 432.Em return 433instruction. 434Each instruction performs some action on the pseudo-machine state, 435which consists of an accumulator, index register, scratch memory store, 436and implicit program counter. 437.Pp 438The following structure defines the instruction format: 439.Bd -literal 440struct bpf_insn { 441 u_short code; 442 u_char jt; 443 u_char jf; 444 u_long k; 445}; 446.Ed 447.Pp 448The 449.Li k 450field is used in different ways by different instructions, 451and the 452.Li jt 453and 454.Li jf 455fields are used as offsets 456by the branch instructions. 457The opcodes are encoded in a semi-hierarchical fashion. 458There are eight classes of instructions: 459.Dv BPF_LD , 460.Dv BPF_LDX , 461.Dv BPF_ST , 462.Dv BPF_STX , 463.Dv BPF_ALU , 464.Dv BPF_JMP , 465.Dv BPF_RET , 466and 467.Dv BPF_MISC . 468Various other mode and 469operator bits are or'd into the class to give the actual instructions. 470The classes and modes are defined in 471.In net/bpf.h . 472.Pp 473Below are the semantics for each defined 474.Nm 475instruction. 476We use the convention that A is the accumulator, X is the index register, 477P[] packet data, and M[] scratch memory store. 478P[i:n] gives the data at byte offset 479.Dq i 480in the packet, 481interpreted as a word (n=4), 482unsigned halfword (n=2), or unsigned byte (n=1). 483M[i] gives the i'th word in the scratch memory store, which is only 484addressed in word units. The memory store is indexed from 0 to 485.Dv BPF_MEMWORDS 486- 1. 487.Li k , 488.Li jt , 489and 490.Li jf 491are the corresponding fields in the 492instruction definition. 493.Dq len 494refers to the length of the packet. 495.Bl -tag -width BPF_STXx 496.It Dv BPF_LD 497These instructions copy a value into the accumulator. The type of the 498source operand is specified by an 499.Dq addressing mode 500and can be a constant 501.Pq Dv BPF_IMM , 502packet data at a fixed offset 503.Pq Dv BPF_ABS , 504packet data at a variable offset 505.Pq Dv BPF_IND , 506the packet length 507.Pq Dv BPF_LEN , 508or a word in the scratch memory store 509.Pq Dv BPF_MEM . 510For 511.Dv BPF_IND 512and 513.Dv BPF_ABS , 514the data size must be specified as a word 515.Pq Dv BPF_W , 516halfword 517.Pq Dv BPF_H , 518or byte 519.Pq Dv BPF_B . 520The semantics of all the recognized 521.Dv BPF_LD 522instructions follow. 523.Pp 524.Bl -tag -width "BPF_LD+BPF_W+BPF_IND" -compact 525.It Li BPF_LD+BPF_W+BPF_ABS 526A <- P[k:4] 527.It Li BPF_LD+BPF_H+BPF_ABS 528A <- P[k:2] 529.It Li BPF_LD+BPF_B+BPF_ABS 530A <- P[k:1] 531.It Li BPF_LD+BPF_W+BPF_IND 532A <- P[X+k:4] 533.It Li BPF_LD+BPF_H+BPF_IND 534A <- P[X+k:2] 535.It Li BPF_LD+BPF_B+BPF_IND 536A <- P[X+k:1] 537.It Li BPF_LD+BPF_W+BPF_LEN 538A <- len 539.It Li BPF_LD+BPF_IMM 540A <- k 541.It Li BPF_LD+BPF_MEM 542A <- M[k] 543.El 544.It Dv BPF_LDX 545These instructions load a value into the index register. Note that 546the addressing modes are more restrictive than those of the accumulator loads, 547but they include 548.Dv BPF_MSH , 549a hack for efficiently loading the IP header length. 550.Pp 551.Bl -tag -width "BPF_LDX+BPF_W+BPF_MEM" -compact 552.It Li BPF_LDX+BPF_W+BPF_IMM 553X <- k 554.It Li BPF_LDX+BPF_W+BPF_MEM 555X <- M[k] 556.It Li BPF_LDX+BPF_W+BPF_LEN 557X <- len 558.It Li BPF_LDX+BPF_B+BPF_MSH 559X <- 4*(P[k:1]&0xf) 560.El 561.It Dv BPF_ST 562This instruction stores the accumulator into the scratch memory. 563We do not need an addressing mode since there is only one possibility 564for the destination. 565.Pp 566.Bl -tag -width "BPF_ST" -compact 567.It Li BPF_ST 568M[k] <- A 569.El 570.It Dv BPF_STX 571This instruction stores the index register in the scratch memory store. 572.Pp 573.Bl -tag -width "BPF_STX" -compact 574.It Li BPF_STX 575M[k] <- X 576.El 577.It Dv BPF_ALU 578The alu instructions perform operations between the accumulator and 579index register or constant, and store the result back in the accumulator. 580For binary operations, a source mode is required 581.Dv ( BPF_K 582or 583.Dv BPF_X ) . 584.Pp 585.Bl -tag -width "BPF_ALU+BPF_MUL+BPF_K" -compact 586.It Li BPF_ALU+BPF_ADD+BPF_K 587A <- A + k 588.It Li BPF_ALU+BPF_SUB+BPF_K 589A <- A - k 590.It Li BPF_ALU+BPF_MUL+BPF_K 591A <- A * k 592.It Li BPF_ALU+BPF_DIV+BPF_K 593A <- A / k 594.It Li BPF_ALU+BPF_AND+BPF_K 595A <- A & k 596.It Li BPF_ALU+BPF_OR+BPF_K 597A <- A | k 598.It Li BPF_ALU+BPF_LSH+BPF_K 599A <- A << k 600.It Li BPF_ALU+BPF_RSH+BPF_K 601A <- A >> k 602.It Li BPF_ALU+BPF_ADD+BPF_X 603A <- A + X 604.It Li BPF_ALU+BPF_SUB+BPF_X 605A <- A - X 606.It Li BPF_ALU+BPF_MUL+BPF_X 607A <- A * X 608.It Li BPF_ALU+BPF_DIV+BPF_X 609A <- A / X 610.It Li BPF_ALU+BPF_AND+BPF_X 611A <- A & X 612.It Li BPF_ALU+BPF_OR+BPF_X 613A <- A | X 614.It Li BPF_ALU+BPF_LSH+BPF_X 615A <- A << X 616.It Li BPF_ALU+BPF_RSH+BPF_X 617A <- A >> X 618.It Li BPF_ALU+BPF_NEG 619A <- -A 620.El 621.It Dv BPF_JMP 622The jump instructions alter flow of control. Conditional jumps 623compare the accumulator against a constant 624.Pq Dv BPF_K 625or the index register 626.Pq Dv BPF_X . 627If the result is true (or non-zero), 628the true branch is taken, otherwise the false branch is taken. 629Jump offsets are encoded in 8 bits so the longest jump is 256 instructions. 630However, the jump always 631.Pq Dv BPF_JA 632opcode uses the 32 bit 633.Li k 634field as the offset, allowing arbitrarily distant destinations. 635All conditionals use unsigned comparison conventions. 636.Pp 637.Bl -tag -width "BPF_JMP+BPF_KSET+BPF_X" -compact 638.It Li BPF_JMP+BPF_JA 639pc += k 640.It Li BPF_JMP+BPF_JGT+BPF_K 641pc += (A > k) ? jt : jf 642.It Li BPF_JMP+BPF_JGE+BPF_K 643pc += (A >= k) ? jt : jf 644.It Li BPF_JMP+BPF_JEQ+BPF_K 645pc += (A == k) ? jt : jf 646.It Li BPF_JMP+BPF_JSET+BPF_K 647pc += (A & k) ? jt : jf 648.It Li BPF_JMP+BPF_JGT+BPF_X 649pc += (A > X) ? jt : jf 650.It Li BPF_JMP+BPF_JGE+BPF_X 651pc += (A >= X) ? jt : jf 652.It Li BPF_JMP+BPF_JEQ+BPF_X 653pc += (A == X) ? jt : jf 654.It Li BPF_JMP+BPF_JSET+BPF_X 655pc += (A & X) ? jt : jf 656.El 657.It Dv BPF_RET 658The return instructions terminate the filter program and specify the amount 659of packet to accept (i.e., they return the truncation amount). A return 660value of zero indicates that the packet should be ignored. 661The return value is either a constant 662.Pq Dv BPF_K 663or the accumulator 664.Pq Dv BPF_A . 665.Pp 666.Bl -tag -width "BPF_RET+BPF_K" -compact 667.It Li BPF_RET+BPF_A 668accept A bytes 669.It Li BPF_RET+BPF_K 670accept k bytes 671.El 672.It Dv BPF_MISC 673The miscellaneous category was created for anything that doesn't 674fit into the above classes, and for any new instructions that might need to 675be added. Currently, these are the register transfer instructions 676that copy the index register to the accumulator or vice versa. 677.Pp 678.Bl -tag -width "BPF_MISC+BPF_TAX" -compact 679.It Li BPF_MISC+BPF_TAX 680X <- A 681.It Li BPF_MISC+BPF_TXA 682A <- X 683.El 684.El 685.Pp 686The 687.Nm 688interface provides the following macros to facilitate 689array initializers: 690.Fn BPF_STMT opcode operand 691and 692.Fn BPF_JUMP opcode operand true_offset false_offset . 693.Sh FILES 694.Bl -tag -compact -width /dev/bpfXXX 695.It Pa /dev/bpf Ns Sy n 696the packet filter device 697.El 698.Sh EXAMPLES 699The following filter is taken from the Reverse ARP Daemon. It accepts 700only Reverse ARP requests. 701.Bd -literal 702struct bpf_insn insns[] = { 703 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12), 704 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_REVARP, 0, 3), 705 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20), 706 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, REVARP_REQUEST, 0, 1), 707 BPF_STMT(BPF_RET+BPF_K, sizeof(struct ether_arp) + 708 sizeof(struct ether_header)), 709 BPF_STMT(BPF_RET+BPF_K, 0), 710}; 711.Ed 712.Pp 713This filter accepts only IP packets between host 128.3.112.15 and 714128.3.112.35. 715.Bd -literal 716struct bpf_insn insns[] = { 717 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12), 718 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 8), 719 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 26), 720 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x8003700f, 0, 2), 721 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 30), 722 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x80037023, 3, 4), 723 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x80037023, 0, 3), 724 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 30), 725 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x8003700f, 0, 1), 726 BPF_STMT(BPF_RET+BPF_K, (u_int)-1), 727 BPF_STMT(BPF_RET+BPF_K, 0), 728}; 729.Ed 730.Pp 731Finally, this filter returns only TCP finger packets. We must parse 732the IP header to reach the TCP header. The 733.Dv BPF_JSET 734instruction 735checks that the IP fragment offset is 0 so we are sure 736that we have a TCP header. 737.Bd -literal 738struct bpf_insn insns[] = { 739 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12), 740 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 10), 741 BPF_STMT(BPF_LD+BPF_B+BPF_ABS, 23), 742 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_TCP, 0, 8), 743 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20), 744 BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, 0x1fff, 6, 0), 745 BPF_STMT(BPF_LDX+BPF_B+BPF_MSH, 14), 746 BPF_STMT(BPF_LD+BPF_H+BPF_IND, 14), 747 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 79, 2, 0), 748 BPF_STMT(BPF_LD+BPF_H+BPF_IND, 16), 749 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 79, 0, 1), 750 BPF_STMT(BPF_RET+BPF_K, (u_int)-1), 751 BPF_STMT(BPF_RET+BPF_K, 0), 752}; 753.Ed 754.Sh SEE ALSO 755.Xr tcpdump 1 , 756.Xr ioctl 2 , 757.Xr byteorder 3 , 758.Xr ng_bpf 4 759.Rs 760.%A McCanne, S. 761.%A Jacobson V. 762.%T "An efficient, extensible, and portable network monitor" 763.Re 764.Sh HISTORY 765The Enet packet filter was created in 1980 by Mike Accetta and 766Rick Rashid at Carnegie-Mellon University. Jeffrey Mogul, at 767Stanford, ported the code to 768.Bx 769and continued its development from 7701983 on. Since then, it has evolved into the Ultrix Packet Filter 771at 772.Tn DEC , 773a 774.Tn STREAMS 775.Tn NIT 776module under 777.Tn SunOS 4.1 , 778and 779.Tn BPF . 780.Sh AUTHORS 781.An -nosplit 782.An Steven McCanne , 783of Lawrence Berkeley Laboratory, implemented BPF in 784Summer 1990. Much of the design is due to 785.An Van Jacobson . 786.Sh BUGS 787The read buffer must be of a fixed size (returned by the 788.Dv BIOCGBLEN 789ioctl). 790.Pp 791A file that does not request promiscuous mode may receive promiscuously 792received packets as a side effect of another file requesting this 793mode on the same hardware interface. This could be fixed in the kernel 794with additional processing overhead. However, we favor the model where 795all files must assume that the interface is promiscuous, and if 796so desired, must utilize a filter to reject foreign packets. 797.Pp 798Data link protocols with variable length headers are not currently supported. 799