xref: /386bsd/usr/share/man/cat4/bpf.0 (revision a2142627) 
1
2
3
4BPF(4)                         1991                        BPF(4)
5
6
7NNAAMMEE
8       bpf - Berkeley Packet Filter
9
10SSYYNNOOPPSSIISS
11       ppsseeuuddoo--ddeevviiccee bbppffiilltteerr 1166
12
13DDEESSCCRRIIPPTTIIOONN
14       The  Berkeley  Packet  Filter  provides a raw interface to
15       data link layers in a protocol independent  fashion.   All
16       packets  on  the  network,  even  those destined for other
17       hosts, are accessible through this mechanism.
18
19       The packet filter appears as a character  special  device,
20       /_d_e_v/_b_p_f_0,  /_d_e_v/_b_p_f_1, etc.  After opening the device, the
21       file descriptor  must  be  bound  to  a  specific  network
22       interface  with the BIOSETIF ioctl.  A given interface can
23       be shared be multiple listeners, and the filter underlying
24       each  descriptor will see an identical packet stream.  The
25       total number of open files is limited to the  value  given
26       in  the  kernel  configuration;  the  example given in the
27       SYNOPSIS above sets the limit to 16.
28
29       A separate device file is required for each minor  device.
30       If  a file is in use, the open will fail and _e_r_r_n_o will be
31       set to EBUSY.
32
33       Associated with each open instance of  a  _b_p_f  file  is  a
34       user-settable   packet   filter.   Whenever  a  packet  is
35       received by an interface, all file  descriptors  listening
36       on  that  interface  apply  their filter.  Each descriptor
37       that accepts the packet receives its own copy.
38
39       Reads from these files return the next  group  of  packets
40       that have matched the filter.  To improve performance, the
41       buffer passed to read must be the same size as the buffers
42       used  internally  by  _b_p_f.   This  size is returned by the
43       BIOCGBLEN ioctl (see below), and under  BSD,  can  be  set
44       with  BIOCSBLEN.   Note  that  an individual packet larger
45       than this size is necessarily truncated.
46
47       The packet filter will support  any  link  level  protocol
48       that  has fixed length headers.  Currently, only Ethernet,
49       SLIP and PPP drivers have been modified to  interact  with
50       _b_p_f.
51
52       Since  packet  data is in network byte order, applications
53       should use the _b_y_t_e_o_r_d_e_r(_3_n) macros to extract  multi-byte
54       values.
55
56       A  packet  can  be sent out on the network by writing to a
57       _b_p_f file descriptor.  The writes are  unbuffered,  meaning
58       only  one  packet  can be processed per write.  Currently,
59       only writes to Ethernets and SLIP links are supported.
60
61
62
63
64May                             23                              1
65
66
67
68
69
70BPF(4)                         1991                        BPF(4)
71
72
73IIOOCCTTLLSS
74       The _i_o_c_t_l command codes below are defined in  <net/bpf.h>.
75       All commands require these includes:
76
77            ##iinncclluuddee <<ssyyss//ttyyppeess..hh>>
78            ##iinncclluuddee <<ssyyss//ttiimmee..hh>>
79            ##iinncclluuddee <<ssyyss//iiooccttll..hh>>
80            ##iinncclluuddee <<nneett//bbppff..hh>>
81
82       Additionally,  BIOCGETIF and BIOCSETIF require <<nneett//iiff..hh>>.
83
84       In addition to FIONREAD  and  SIOCGIFADDR,  the  following
85       commands may be applied to any open _b_p_f file.  The (third)
86       argument to the _i_o_c_t_l should be  a  pointer  to  the  type
87       indicated.
88
89       BBIIOOCCGGBBLLEENN ((uu__iinntt))
90                 Returns  the required buffer length for reads on
91                 _b_p_f files.
92
93       BBIIOOCCSSBBLLEENN ((uu__iinntt))
94                 Sets the buffer length for reads on  _b_p_f  files.
95                 The  buffer  must  be  set  before  the  file is
96                 attached to an interface with BIOCSETIF.  If the
97                 requested buffer size cannot be accomodated, the
98                 closest allowable size will be set and  returned
99                 in the argument.  A read call will result in EIO
100                 if it is passed a buffer that is not this  size.
101
102       BBIIOOCCGGDDLLTT ((uu__iinntt))
103                 Returns   the   type  of  the  data  link  layer
104                 underyling the attached  interface.   EINVAL  is
105                 returned  if  no  interface  has been specified.
106                 The device types, prefixed  with  ``DLT_'',  are
107                 defined in <net/bpf.h>.
108
109       BBIIOOCCPPRROOMMIISSCC
110                 Forces the interface into promiscuous mode.  All
111                 packets, not just those destined for  the  local
112                 host,  are  processed.  Since more than one file
113                 can  be  listening  on  a  given  interface,   a
114                 listener   that   opened   its   interface  non-
115                 promiscuously may receive packets promiscuously.
116                 This problem can be remedied with an appropriate
117                 filter.
118
119                 The interface remains in promiscuous mode  until
120                 all files listening promiscuously are closed.
121
122       BBIIOOCCFFLLUUSSHH Flushes  the  buffer  of  incoming  packets, and
123                 resets  the  statistics  that  are  returned  by
124                 BIOCGSTATS.
125
126
127
128
129
130May                             23                              2
131
132
133
134
135
136BPF(4)                         1991                        BPF(4)
137
138
139       BBIIOOCCGGEETTIIFF ((ssttrruucctt iiffrreeqq))
140                 Returns  the name of the hardware interface that
141                 the file is listening on.  The name is  returned
142                 in  the  if_name field of _i_f_r.  All other fields
143                 are undefined.
144
145       BBIIOOCCSSEETTIIFF ((ssttrruucctt iiffrreeqq))
146                 Sets the hardware interface associate  with  the
147                 file.  This command must be performed before any
148                 packets can be read.  The device is indicated by
149                 name  using  the  _i_f__n_a_m_e  field  of  the _i_f_r_e_q.
150                 Additionally, performs the actions of BIOCFLUSH.
151
152       BBIIOOCCSSRRTTIIMMEEOOUUTT,, BBIIOOCCGGRRTTIIMMEEOOUUTT ((ssttrruucctt ttiimmeevvaall))
153                 Set  or  get  the  read  timeout parameter.  The
154                 _t_i_m_e_v_a_l specifies the length  of  time  to  wait
155                 before  timing  out  on  a  read  request.  This
156                 parameter is initialized  to  zero  by  _o_p_e_n(_2),
157                 indicating no timeout.
158
159       BBIIOOCCGGSSTTAATTSS ((ssttrruucctt bbppff__ssttaatt))
160                 Returns   the   following  structure  of  packet
161                 statistics:
162
163                 ssttrruucctt bbppff__ssttaatt {{
164                      uu__iinntt bbss__rreeccvv;;
165                      uu__iinntt bbss__ddrroopp;;
166                 }};;
167
168                 The fields are:
169
170                 _b_s__r_e_c_v        the number of packets received by
171                                the  descriptor  since  opened or
172                                reset  (including  any   buffered
173                                since the last read call); and
174
175                 _b_s__d_r_o_p        the  number of packets which were
176                                accepted  by   the   filter   but
177                                dropped  by the kernel because of
178                                buffer   overflows   (i.e.,   the
179                                application's     reads    aren't
180                                keeping  up   with   the   packet
181                                traffic).
182
183       BBIIOOCCIIMMMMEEDDIIAATTEE ((uu__iinntt))
184                 Enable  or  disable ``immediate mode'', based on
185                 the truth value of the argument.  When immediate
186                 mode  is  enabled, reads return immediately upon
187                 packet reception.  Otherwise, a read will  block
188                 until either the kernel buffer becomes full or a
189                 timeout occurs.  This  is  useful  for  programs
190                 like  _r_a_r_p_d(_8_c),  which must respond to messages
191                 in real time.  The default for  a  new  file  is
192                 off.
193
194
195
196May                             23                              3
197
198
199
200
201
202BPF(4)                         1991                        BPF(4)
203
204
205       BBIIOOCCSSEETTFF ((ssttrruucctt bbppff__pprrooggrraamm))
206                 Sets  the  filter  program used by the kernel to
207                 discard  uninteresting  packets.   An  array  of
208                 instructions  and  its length is passed in using
209                 the following structure:
210
211                 ssttrruucctt bbppff__pprrooggrraamm {{
212                      iinntt bbff__lleenn;;
213                      ssttrruucctt bbppff__iinnssnn **bbff__iinnssnnss;;
214                 }};;
215
216                 The filter program is pointed to by the _b_f__i_n_s_n_s
217                 field  while  its  length  in  units  of `struct
218                 bpf_insn' is given by the _b_f__l_e_n  field.   Also,
219                 the actions of BIOCFLUSH are performed.
220
221                 See section FFIILLTTEERR MMAACCHHIINNEE for an explanation of
222                 the filter language.
223
224       BBIIOOCCVVEERRSSIIOONN ((ssttrruucctt bbppff__vveerrssiioonn))
225                 Returns the major and minor version  numbers  of
226                 the filter languange currently recognized by the
227                 kernel.     Before    installing    a    filter,
228                 applications must check that the current version
229                 is compatible with the running kernel.   Version
230                 numbers  are  compatible  if  the  major numbers
231                 match and the application minor is less than  or
232                 equal  to  the kernel minor.  The kernel version
233                 number is returned in the following structure:
234
235                 ssttrruucctt bbppff__vveerrssiioonn {{
236                      uu__sshhoorrtt bbvv__mmaajjoorr;;
237                      uu__sshhoorrtt bbvv__mmiinnoorr;;
238                 }};;
239
240                 The  current  version  numbers  are   given   by
241                 BBPPFF__MMAAJJOORR__VVEERRSSIIOONN   and  BBPPFF__MMIINNOORR__VVEERRSSIIOONN  from
242                 <net/bpf.h>.  An incompatible filter may  result
243                 in  undefined  behavior  (most  likely, an error
244                 returned  by   _i_o_c_t_l()   or   haphazard   packet
245                 matching).
246
247BBPPFF HHEEAADDEERR
248       The  following  structure  is  prepended  to  each  packet
249       returned by _r_e_a_d(_2):
250
251               ssttrruucctt bbppff__hhddrr {{
252                    ssttrruucctt ttiimmeevvaall bbhh__ttssttaammpp;;
253                    uu__lloonngg bbhh__ccaapplleenn;;
254                    uu__lloonngg bbhh__ddaattaalleenn;;
255                    uu__sshhoorrtt bbhh__hhddrrlleenn;;
256               }};;
257
258       The fields, whose values are stored  in  host  order,  and
259
260
261
262May                             23                              4
263
264
265
266
267
268BPF(4)                         1991                        BPF(4)
269
270
271       are:
272
273       _b_h__t_s_t_a_m_p      The  time at which the packet was processed
274                      by the packet filter.
275
276       _b_h__c_a_p_l_e_n      The length of the captured portion  of  the
277                      packet.    This   is  the  minimum  of  the
278                      truncation amount specified by  the  filter
279                      and the length of the packet.
280
281       _b_h__d_a_t_a_l_e_n     The  length  of  the  packet  off the wire.
282                      This value is independent of the truncation
283                      amount specified by the filter.
284
285       _b_h__h_d_r_l_e_n      The length of the BPF header, which may not
286                      be equal to _s_i_z_e_o_f(_s_t_r_u_c_t _b_p_f__h_d_r).
287
288       The _b_h__h_d_r_l_e_n field exists to account for padding  between
289       the  header and the link level protocol.  The purpose here
290       is to  guarantee  proper  alignment  of  the  packet  data
291       structures,  which  is  required  on  alignment  sensitive
292       architectures and and improves performance on  many  other
293       architectures.  The packet filter insures that the _b_p_f__h_d_r
294       and  the  _n_e_t_w_o_r_k  _l_a_y_e_r  header  will  be  word  aligned.
295       Suitable precautions must be taken when accessing the link
296       layer protocol fields on  alignment  restricted  machines.
297       (This isn't a problem on an Ethernet, since the type field
298       is a short falling on an even offset,  and  the  addresses
299       are probably accessed in a bytewise fashion).
300
301       Additionally,  individual  packets are padded so that each
302       starts  on  a  word  boundary.   This  requires  that   an
303       application  has  some knowledge of how to get from packet
304       to  packet.   The  macro  BPF_WORDALIGN  is   defined   in
305       <net/bpf.h>  to facilitate this process.  It rounds up its
306       argument to the nearest word aligned value (where  a  word
307       is BPF_ALIGNMENT bytes wide).
308
309       For  example, if `p' points to the start of a packet, this
310       expression will advance it to the next packet:
311
312              p = (char *)p + BPF_WORDALIGN(p->bh_hdrlen + p->bh_caplen)
313
314       For the alignment mechanisms to work properly, the  buffer
315       passed  to _r_e_a_d(_2) must itself be word aligned.  _m_a_l_l_o_c(_3)
316       will always return an aligned buffer.
317
318FFIILLTTEERR MMAACCHHIINNEE
319       A filter program is an array  of  instructions,  with  all
320       branches   forwardly  directed,  terminated  by  a  rreettuurrnn
321       instruction.  Each instruction performs some action on the
322       pseudo-machine  state,  which  consists of an accumulator,
323       index register, scratch memory store, and implicit program
324       counter.
325
326
327
328May                             23                              5
329
330
331
332
333
334BPF(4)                         1991                        BPF(4)
335
336
337       The following structure defines the instruction format:
338
339              ssttrruucctt bbppff__iinnssnn {{
340                   uu__sshhoorrtt   ccooddee;;
341                   uu__cchhaarr    jjtt;;
342                   uu__cchhaarr    jjff;;
343                   lloonngg kk;;
344              }};;
345
346       The  _k  field  is  used  in  differnet  ways  by different
347       insutructions, and the  _j_t  and  _j_f  fields  are  used  as
348       offsets  by  the  branch  intructions.   The  opcodes  are
349       encoded in a semi-hierarchical fashion.  There  are  eight
350       classes  of intructions: BPF_LD, BPF_LDX, BPF_ST, BPF_STX,
351       BPF_ALU, BPF_JMP, BPF_RET, and  BPF_MISC.   Various  other
352       mode and operator bits are or'd into the class to give the
353       actual instructions.  The classes and modes are defined in
354       <net/bpf.h>.
355
356       Below  are the semantics for each defined BPF instruction.
357       We use the convention that A is the accumulator, X is  the
358       index  register,  P[]  packet data, and M[] scratch memory
359       store.  P[i:n] gives the data at byte offset ``i'' in  the
360       packet,  interpreted  as  a  word (n=4), unsigned halfword
361       (n=2), or unsigned byte (n=1).  M[i] gives the  i'th  word
362       in  the  scratch  memory store, which is only addressed in
363       word units.   The  memory  store  is  indexed  from  0  to
364       BPF_MEMWORDS-1.   _k,  _j_t,  and  _j_f  are  the corresponding
365       fields in the instruction definition.  ``len''  refers  to
366       the length of the packet.
367
368
369       BBPPFF__LLDD    These   instructions   copy  a  value  into  the
370                 accumulator.  The type of the source operand  is
371                 specified by an ``addressing mode'' and can be a
372                 constant  (BBPPFF__IIMMMM),  packet  data  at  a  fixed
373                 offset  (BBPPFF__AABBSS),  packet  data  at  a variable
374                 offset (BBPPFF__IINNDD), the packet  length  (BBPPFF__LLEENN),
375                 or a word in the scratch memory store (BBPPFF__MMEEMM).
376                 For BBPPFF__IINNDD and BBPPFF__AABBSS, the data size  must  be
377                 specified  as  a word (BBPPFF__WW), halfword (BBPPFF__HH),
378                 or byte  (BBPPFF__BB).   The  semantics  of  all  the
379                 recognized BPF_LD instructions follow.
380
381
382                 BBPPFF__LLDD++BBPPFF__WW++BBPPFF__AABBSS          A <- P[k:4]
383
384                 BBPPFF__LLDD++BBPPFF__HH++BBPPFF__AABBSS          A <- P[k:2]
385
386                 BBPPFF__LLDD++BBPPFF__BB++BBPPFF__AABBSS          A <- P[k:1]
387
388                 BBPPFF__LLDD++BBPPFF__WW++BBPPFF__IINNDD          A <- P[X+k:4]
389
390                 BBPPFF__LLDD++BBPPFF__HH++BBPPFF__IINNDD          A <- P[X+k:2]
391
392
393
394May                             23                              6
395
396
397
398
399
400BPF(4)                         1991                        BPF(4)
401
402
403                 BBPPFF__LLDD++BBPPFF__BB++BBPPFF__IINNDD          A <- P[X+k:1]
404
405                 BBPPFF__LLDD++BBPPFF__WW++BBPPFF__LLEENN          A <- len
406
407                 BBPPFF__LLDD++BBPPFF__IIMMMM                A <- k
408
409                 BBPPFF__LLDD++BBPPFF__MMEEMM                A <- M[k]
410
411
412       BBPPFF__LLDDXX   These  instructions  load a value into the index
413                 register.  Note that the  addressing  modes  are
414                 more  retricted  than  those  of the accumulator
415                 loads, but they  include  BBPPFF__MMSSHH,,  a  hack  for
416                 efficiently loading the IP header length.
417
418                 BBPPFF__LLDDXX++BBPPFF__WW++BBPPFF__IIMMMM         X <- k
419
420                 BBPPFF__LLDDXX++BBPPFF__WW++BBPPFF__MMEEMM         X <- M[k]
421
422                 BBPPFF__LLDDXX++BBPPFF__WW++BBPPFF__LLEENN         X <- len
423
424                 BBPPFF__LLDDXX++BBPPFF__BB++BBPPFF__MMSSHH         X               <-
425                                               4*(P[k:1]&0xf)
426
427
428       BBPPFF__SSTT    This instruction stores the accumulator into the
429                 scratch  memory.   We  do not need an addressing
430                 mode since there is only one possibility for the
431                 destination.
432
433                 BBPPFF__SSTT                        M[k] <- A
434
435
436       BBPPFF__SSTTXX   This  instruction  stores  the index register in
437                 the scratch memory store.
438
439                 BBPPFF__SSTTXX                       M[k] <- X
440
441
442       BBPPFF__AALLUU   The alu instructions perform operations  between
443                 the  accumulator and index register or constant,
444                 and store the result back  in  the  accumulator.
445                 For binary operations, a source mode is required
446                 (BBPPFF__KK or BBPPFF__XX).
447
448                 BBPPFF__AALLUU++BBPPFF__AADDDD++BBPPFF__KK         A <- A + k
449
450                 BBPPFF__AALLUU++BBPPFF__SSUUBB++BBPPFF__KK         A <- A - k
451
452                 BBPPFF__AALLUU++BBPPFF__MMUULL++BBPPFF__KK         A <- A * k
453
454                 BBPPFF__AALLUU++BBPPFF__DDIIVV++BBPPFF__KK         A <- A / k
455
456                 BBPPFF__AALLUU++BBPPFF__AANNDD++BBPPFF__KK         A <- A & k
457
458
459
460May                             23                              7
461
462
463
464
465
466BPF(4)                         1991                        BPF(4)
467
468
469                 BBPPFF__AALLUU++BBPPFF__OORR++BBPPFF__KK          A <- A | k
470
471                 BBPPFF__AALLUU++BBPPFF__LLSSHH++BBPPFF__KK         A <- A << k
472
473                 BBPPFF__AALLUU++BBPPFF__RRSSHH++BBPPFF__KK         A <- A >> k
474
475                 BBPPFF__AALLUU++BBPPFF__AADDDD++BBPPFF__XX         A <- A + X
476
477                 BBPPFF__AALLUU++BBPPFF__SSUUBB++BBPPFF__XX         A <- A - X
478
479                 BBPPFF__AALLUU++BBPPFF__MMUULL++BBPPFF__XX         A <- A * X
480
481                 BBPPFF__AALLUU++BBPPFF__DDIIVV++BBPPFF__XX         A <- A / X
482
483                 BBPPFF__AALLUU++BBPPFF__AANNDD++BBPPFF__XX         A <- A & X
484
485                 BBPPFF__AALLUU++BBPPFF__OORR++BBPPFF__XX          A <- A | X
486
487                 BBPPFF__AALLUU++BBPPFF__LLSSHH++BBPPFF__XX         A <- A << X
488
489                 BBPPFF__AALLUU++BBPPFF__RRSSHH++BBPPFF__XX         A <- A >> X
490
491                 BBPPFF__AALLUU++BBPPFF__NNEEGG               A <- -A
492
493
494       BBPPFF__JJMMPP   The jump instructions  alter  flow  of  control.
495                 Conditional   jumps   compare   the  accumulator
496                 against a constant (BBPPFF__KK) or the index register
497                 (BBPPFF__XX).   If  the result is true (or non-zero),
498                 the true branch is taken,  otherwise  the  false
499                 branch  is taken.  Jump offsets are encoded in 8
500                 bits so the longest jump  is  256  instructions.
501                 However,  the  jump  always (BBPPFF__JJAA) opcode uses
502                 the 32 bit  _k  field  as  the  offset,  allowing
503                 arbitrarily     distant    destinations.     All
504                 conditionals     use     unsigned     comparison
505                 conventions.
506
507                 BBPPFF__JJMMPP++BBPPFF__JJAA                pc += k
508
509                 BBPPFF__JJMMPP++BBPPFF__JJGGTT++BBPPFF__KK         pc += (A > k) ? jt
510                                               : jf
511
512                 BBPPFF__JJMMPP++BBPPFF__JJGGEE++BBPPFF__KK         pc += (A >=  k)  ?
513                                               jt : jf
514
515                 BBPPFF__JJMMPP++BBPPFF__JJEEQQ++BBPPFF__KK         pc  +=  (A == k) ?
516                                               jt : jf
517
518                 BBPPFF__JJMMPP++BBPPFF__JJSSEETT++BBPPFF__KK        pc += (A & k) ? jt
519                                               : jf
520
521                 BBPPFF__JJMMPP++BBPPFF__JJGGTT++BBPPFF__XX         pc += (A > X) ? jt
522                                               : jf
523
524
525
526May                             23                              8
527
528
529
530
531
532BPF(4)                         1991                        BPF(4)
533
534
535                 BBPPFF__JJMMPP++BBPPFF__JJGGEE++BBPPFF__XX         pc += (A >=  X)  ?
536                                               jt : jf
537
538                 BBPPFF__JJMMPP++BBPPFF__JJEEQQ++BBPPFF__XX         pc  +=  (A == X) ?
539                                               jt : jf
540
541                 BBPPFF__JJMMPP++BBPPFF__JJSSEETT++BBPPFF__XX        pc += (A & X) ? jt
542                                               : jf
543
544       BBPPFF__RREETT   The  return  instructions  terminate  the filter
545                 program and specify  the  amount  of  packet  to
546                 accept   (i.e.,   they   return  the  truncation
547                 amount).  A return value of zero indicates  that
548                 the  packet should be ignored.  The return value
549                 is either a constant (BBPPFF__KK) or the  accumulator
550                 (BBPPFF__AA).
551
552                 BBPPFF__RREETT++BBPPFF__AA                 accept A bytes
553
554                 BBPPFF__RREETT++BBPPFF__KK                 accept k bytes
555
556       BBPPFF__MMIISSCC  The   miscellaneous  category  was  created  for
557                 anything  that  doesn't  fit  into   the   above
558                 classes, and for any new instructions that might
559                 need to be  added.   Currently,  these  are  the
560                 register  transfer  intructions  that  copy  the
561                 index register to the accumulator or vice versa.
562
563                 BBPPFF__MMIISSCC++BBPPFF__TTAAXX              X <- A
564
565                 BBPPFF__MMIISSCC++BBPPFF__TTXXAA              A <- X
566
567       The   BPF  interface  provides  the  following  macros  to
568       facilitate array initializers:
569              BBPPFF__SSTTMMTT(_o_p_c_o_d_e, _o_p_e_r_a_n_d)
570              and
571              BBPPFF__JJUUMMPP(_o_p_c_o_d_e,       _o_p_e_r_a_n_d,        _t_r_u_e__o_f_f_s_e_t,
572              _f_a_l_s_e__o_f_f_s_e_t)
573
574
575EEXXAAMMPPLLEESS
576       The following filter is taken from the Reverse ARP Daemon.
577       It accepts only Reverse ARP requests.
578
579              struct bpf_insn insns[] = {
580                   BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),
581                   BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_REVARP, 0, 3),
582                   BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20),
583                   BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, REVARP_REQUEST, 0, 1),
584                   BPF_STMT(BPF_RET+BPF_K, sizeof(struct ether_arp) +
585                         sizeof(struct ether_header)),
586                   BPF_STMT(BPF_RET+BPF_K, 0),
587              };
588
589
590
591
592May                             23                              9
593
594
595
596
597
598BPF(4)                         1991                        BPF(4)
599
600
601       This  filter  accepts  only  IP   packets   between   host
602       128.3.112.15 and 128.3.112.35.
603
604              struct bpf_insn insns[] = {
605                   BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),
606                   BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 8),
607                   BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 26),
608                   BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x8003700f, 0, 2),
609                   BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 30),
610                   BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x80037023, 3, 4),
611                   BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x80037023, 0, 3),
612                   BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 30),
613                   BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x8003700f, 0, 1),
614                   BPF_STMT(BPF_RET+BPF_K, (u_int)-1),
615                   BPF_STMT(BPF_RET+BPF_K, 0),
616              };
617
618       Finally,  this filter returns only TCP finger packets.  We
619       must parse the IP header to reach  the  TCP  header.   The
620       BBPPFF__JJSSEETT instruction checks that the IP fragment offset is
621       0 so we are sure that we have a TCP header.
622
623              struct bpf_insn insns[] = {
624                   BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),
625                   BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 10),
626                   BPF_STMT(BPF_LD+BPF_B+BPF_ABS, 23),
627                   BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_TCP, 0, 8),
628                   BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20),
629                   BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, 0x1fff, 6, 0),
630                   BPF_STMT(BPF_LDX+BPF_B+BPF_MSH, 14),
631                   BPF_STMT(BPF_LD+BPF_H+BPF_IND, 14),
632                   BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 79, 2, 0),
633                   BPF_STMT(BPF_LD+BPF_H+BPF_IND, 16),
634                   BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 79, 0, 1),
635                   BPF_STMT(BPF_RET+BPF_K, (u_int)-1),
636                   BPF_STMT(BPF_RET+BPF_K, 0),
637              };
638
639SSEEEE AALLSSOO
640       tcpdump(1)
641
642       McCanne, S., Jacobson V., `_A_n _e_f_f_i_c_i_e_n_t,  _e_x_t_e_n_s_i_b_l_e,  _a_n_d
643       _p_o_r_t_a_b_l_e _n_e_t_w_o_r_k _m_o_n_i_t_o_r'
644
645FFIILLEESS
646       /dev/bpf0, /dev/bpf1, ...
647
648BBUUGGSS
649       The  read  buffer must be of a fixed size (returned by the
650       BIOCGBLEN ioctl).
651
652       A file that does not request promiscuous mode may  receive
653       promiscuously received packets as a side effect of another
654       file requesting this mode on the same hardware  interface.
655
656
657
658May                             23                             10
659
660
661
662
663
664BPF(4)                         1991                        BPF(4)
665
666
667       This   could  be  fixed  in  the  kernel  with  additional
668       processing overhead.  However, we favor  the  model  where
669       all  files  must assume that the interface is promiscuous,
670       and if so desired, must utilize a filter to reject foreign
671       packets.
672
673       Data  link  protocols with variable length headers are not
674       currently supported.
675
676       Under SunOS, if a BPF application  reads  more  than  2^31
677       bytes  of  data, read will fail in EINVAL.  You can either
678       fix the bug in SunOS, or lseek to 0 when  read  fails  for
679       this reason.
680
681HHIISSTTOORRYY
682       The Enet packet filter was created in 1980 by Mike Accetta
683       and Rick Rashid at  Carnegie-Mellon  University.   Jeffrey
684       Mogul,  at  Stanford, ported the code to BSD and continued
685       its development from 1983 on.  Since then, it has  evolved
686       into the Ultrix Packet Filter at DEC, a STREAMS NIT module
687       under SunOS 4.1, and BPF.
688
689AAUUTTHHOORRSS
690       Steven   McCanne,   of   Lawrence   Berkeley   Laboratory,
691       implemented BPF in Summer 1990.  Much of the design is due
692       to Van Jacobson.
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724May                             23                             11
725
726
727