1 2 3 4BPF(4) 1991 BPF(4) 5 6 7NNAAMMEE 8 bpf - Berkeley Packet Filter 9 10SSYYNNOOPPSSIISS 11 ppsseeuuddoo--ddeevviiccee bbppffiilltteerr 1166 12 13DDEESSCCRRIIPPTTIIOONN 14 The Berkeley Packet Filter provides a raw interface to 15 data link layers in a protocol independent fashion. All 16 packets on the network, even those destined for other 17 hosts, are accessible through this mechanism. 18 19 The packet filter appears as a character special device, 20 /_d_e_v/_b_p_f_0, /_d_e_v/_b_p_f_1, etc. After opening the device, the 21 file descriptor must be bound to a specific network 22 interface with the BIOSETIF ioctl. A given interface can 23 be shared be multiple listeners, and the filter underlying 24 each descriptor will see an identical packet stream. The 25 total number of open files is limited to the value given 26 in the kernel configuration; the example given in the 27 SYNOPSIS above sets the limit to 16. 28 29 A separate device file is required for each minor device. 30 If a file is in use, the open will fail and _e_r_r_n_o will be 31 set to EBUSY. 32 33 Associated with each open instance of a _b_p_f file is a 34 user-settable packet filter. Whenever a packet is 35 received by an interface, all file descriptors listening 36 on that interface apply their filter. Each descriptor 37 that accepts the packet receives its own copy. 38 39 Reads from these files return the next group of packets 40 that have matched the filter. To improve performance, the 41 buffer passed to read must be the same size as the buffers 42 used internally by _b_p_f. This size is returned by the 43 BIOCGBLEN ioctl (see below), and under BSD, can be set 44 with BIOCSBLEN. Note that an individual packet larger 45 than this size is necessarily truncated. 46 47 The packet filter will support any link level protocol 48 that has fixed length headers. Currently, only Ethernet, 49 SLIP and PPP drivers have been modified to interact with 50 _b_p_f. 51 52 Since packet data is in network byte order, applications 53 should use the _b_y_t_e_o_r_d_e_r(_3_n) macros to extract multi-byte 54 values. 55 56 A packet can be sent out on the network by writing to a 57 _b_p_f file descriptor. The writes are unbuffered, meaning 58 only one packet can be processed per write. Currently, 59 only writes to Ethernets and SLIP links are supported. 60 61 62 63 64May 23 1 65 66 67 68 69 70BPF(4) 1991 BPF(4) 71 72 73IIOOCCTTLLSS 74 The _i_o_c_t_l command codes below are defined in <net/bpf.h>. 75 All commands require these includes: 76 77 ##iinncclluuddee <<ssyyss//ttyyppeess..hh>> 78 ##iinncclluuddee <<ssyyss//ttiimmee..hh>> 79 ##iinncclluuddee <<ssyyss//iiooccttll..hh>> 80 ##iinncclluuddee <<nneett//bbppff..hh>> 81 82 Additionally, BIOCGETIF and BIOCSETIF require <<nneett//iiff..hh>>. 83 84 In addition to FIONREAD and SIOCGIFADDR, the following 85 commands may be applied to any open _b_p_f file. The (third) 86 argument to the _i_o_c_t_l should be a pointer to the type 87 indicated. 88 89 BBIIOOCCGGBBLLEENN ((uu__iinntt)) 90 Returns the required buffer length for reads on 91 _b_p_f files. 92 93 BBIIOOCCSSBBLLEENN ((uu__iinntt)) 94 Sets the buffer length for reads on _b_p_f files. 95 The buffer must be set before the file is 96 attached to an interface with BIOCSETIF. If the 97 requested buffer size cannot be accomodated, the 98 closest allowable size will be set and returned 99 in the argument. A read call will result in EIO 100 if it is passed a buffer that is not this size. 101 102 BBIIOOCCGGDDLLTT ((uu__iinntt)) 103 Returns the type of the data link layer 104 underyling the attached interface. EINVAL is 105 returned if no interface has been specified. 106 The device types, prefixed with ``DLT_'', are 107 defined in <net/bpf.h>. 108 109 BBIIOOCCPPRROOMMIISSCC 110 Forces the interface into promiscuous mode. All 111 packets, not just those destined for the local 112 host, are processed. Since more than one file 113 can be listening on a given interface, a 114 listener that opened its interface non- 115 promiscuously may receive packets promiscuously. 116 This problem can be remedied with an appropriate 117 filter. 118 119 The interface remains in promiscuous mode until 120 all files listening promiscuously are closed. 121 122 BBIIOOCCFFLLUUSSHH Flushes the buffer of incoming packets, and 123 resets the statistics that are returned by 124 BIOCGSTATS. 125 126 127 128 129 130May 23 2 131 132 133 134 135 136BPF(4) 1991 BPF(4) 137 138 139 BBIIOOCCGGEETTIIFF ((ssttrruucctt iiffrreeqq)) 140 Returns the name of the hardware interface that 141 the file is listening on. The name is returned 142 in the if_name field of _i_f_r. All other fields 143 are undefined. 144 145 BBIIOOCCSSEETTIIFF ((ssttrruucctt iiffrreeqq)) 146 Sets the hardware interface associate with the 147 file. This command must be performed before any 148 packets can be read. The device is indicated by 149 name using the _i_f__n_a_m_e field of the _i_f_r_e_q. 150 Additionally, performs the actions of BIOCFLUSH. 151 152 BBIIOOCCSSRRTTIIMMEEOOUUTT,, BBIIOOCCGGRRTTIIMMEEOOUUTT ((ssttrruucctt ttiimmeevvaall)) 153 Set or get the read timeout parameter. The 154 _t_i_m_e_v_a_l specifies the length of time to wait 155 before timing out on a read request. This 156 parameter is initialized to zero by _o_p_e_n(_2), 157 indicating no timeout. 158 159 BBIIOOCCGGSSTTAATTSS ((ssttrruucctt bbppff__ssttaatt)) 160 Returns the following structure of packet 161 statistics: 162 163 ssttrruucctt bbppff__ssttaatt {{ 164 uu__iinntt bbss__rreeccvv;; 165 uu__iinntt bbss__ddrroopp;; 166 }};; 167 168 The fields are: 169 170 _b_s__r_e_c_v the number of packets received by 171 the descriptor since opened or 172 reset (including any buffered 173 since the last read call); and 174 175 _b_s__d_r_o_p the number of packets which were 176 accepted by the filter but 177 dropped by the kernel because of 178 buffer overflows (i.e., the 179 application's reads aren't 180 keeping up with the packet 181 traffic). 182 183 BBIIOOCCIIMMMMEEDDIIAATTEE ((uu__iinntt)) 184 Enable or disable ``immediate mode'', based on 185 the truth value of the argument. When immediate 186 mode is enabled, reads return immediately upon 187 packet reception. Otherwise, a read will block 188 until either the kernel buffer becomes full or a 189 timeout occurs. This is useful for programs 190 like _r_a_r_p_d(_8_c), which must respond to messages 191 in real time. The default for a new file is 192 off. 193 194 195 196May 23 3 197 198 199 200 201 202BPF(4) 1991 BPF(4) 203 204 205 BBIIOOCCSSEETTFF ((ssttrruucctt bbppff__pprrooggrraamm)) 206 Sets the filter program used by the kernel to 207 discard uninteresting packets. An array of 208 instructions and its length is passed in using 209 the following structure: 210 211 ssttrruucctt bbppff__pprrooggrraamm {{ 212 iinntt bbff__lleenn;; 213 ssttrruucctt bbppff__iinnssnn **bbff__iinnssnnss;; 214 }};; 215 216 The filter program is pointed to by the _b_f__i_n_s_n_s 217 field while its length in units of `struct 218 bpf_insn' is given by the _b_f__l_e_n field. Also, 219 the actions of BIOCFLUSH are performed. 220 221 See section FFIILLTTEERR MMAACCHHIINNEE for an explanation of 222 the filter language. 223 224 BBIIOOCCVVEERRSSIIOONN ((ssttrruucctt bbppff__vveerrssiioonn)) 225 Returns the major and minor version numbers of 226 the filter languange currently recognized by the 227 kernel. Before installing a filter, 228 applications must check that the current version 229 is compatible with the running kernel. Version 230 numbers are compatible if the major numbers 231 match and the application minor is less than or 232 equal to the kernel minor. The kernel version 233 number is returned in the following structure: 234 235 ssttrruucctt bbppff__vveerrssiioonn {{ 236 uu__sshhoorrtt bbvv__mmaajjoorr;; 237 uu__sshhoorrtt bbvv__mmiinnoorr;; 238 }};; 239 240 The current version numbers are given by 241 BBPPFF__MMAAJJOORR__VVEERRSSIIOONN and BBPPFF__MMIINNOORR__VVEERRSSIIOONN from 242 <net/bpf.h>. An incompatible filter may result 243 in undefined behavior (most likely, an error 244 returned by _i_o_c_t_l() or haphazard packet 245 matching). 246 247BBPPFF HHEEAADDEERR 248 The following structure is prepended to each packet 249 returned by _r_e_a_d(_2): 250 251 ssttrruucctt bbppff__hhddrr {{ 252 ssttrruucctt ttiimmeevvaall bbhh__ttssttaammpp;; 253 uu__lloonngg bbhh__ccaapplleenn;; 254 uu__lloonngg bbhh__ddaattaalleenn;; 255 uu__sshhoorrtt bbhh__hhddrrlleenn;; 256 }};; 257 258 The fields, whose values are stored in host order, and 259 260 261 262May 23 4 263 264 265 266 267 268BPF(4) 1991 BPF(4) 269 270 271 are: 272 273 _b_h__t_s_t_a_m_p The time at which the packet was processed 274 by the packet filter. 275 276 _b_h__c_a_p_l_e_n The length of the captured portion of the 277 packet. This is the minimum of the 278 truncation amount specified by the filter 279 and the length of the packet. 280 281 _b_h__d_a_t_a_l_e_n The length of the packet off the wire. 282 This value is independent of the truncation 283 amount specified by the filter. 284 285 _b_h__h_d_r_l_e_n The length of the BPF header, which may not 286 be equal to _s_i_z_e_o_f(_s_t_r_u_c_t _b_p_f__h_d_r). 287 288 The _b_h__h_d_r_l_e_n field exists to account for padding between 289 the header and the link level protocol. The purpose here 290 is to guarantee proper alignment of the packet data 291 structures, which is required on alignment sensitive 292 architectures and and improves performance on many other 293 architectures. The packet filter insures that the _b_p_f__h_d_r 294 and the _n_e_t_w_o_r_k _l_a_y_e_r header will be word aligned. 295 Suitable precautions must be taken when accessing the link 296 layer protocol fields on alignment restricted machines. 297 (This isn't a problem on an Ethernet, since the type field 298 is a short falling on an even offset, and the addresses 299 are probably accessed in a bytewise fashion). 300 301 Additionally, individual packets are padded so that each 302 starts on a word boundary. This requires that an 303 application has some knowledge of how to get from packet 304 to packet. The macro BPF_WORDALIGN is defined in 305 <net/bpf.h> to facilitate this process. It rounds up its 306 argument to the nearest word aligned value (where a word 307 is BPF_ALIGNMENT bytes wide). 308 309 For example, if `p' points to the start of a packet, this 310 expression will advance it to the next packet: 311 312 p = (char *)p + BPF_WORDALIGN(p->bh_hdrlen + p->bh_caplen) 313 314 For the alignment mechanisms to work properly, the buffer 315 passed to _r_e_a_d(_2) must itself be word aligned. _m_a_l_l_o_c(_3) 316 will always return an aligned buffer. 317 318FFIILLTTEERR MMAACCHHIINNEE 319 A filter program is an array of instructions, with all 320 branches forwardly directed, terminated by a rreettuurrnn 321 instruction. Each instruction performs some action on the 322 pseudo-machine state, which consists of an accumulator, 323 index register, scratch memory store, and implicit program 324 counter. 325 326 327 328May 23 5 329 330 331 332 333 334BPF(4) 1991 BPF(4) 335 336 337 The following structure defines the instruction format: 338 339 ssttrruucctt bbppff__iinnssnn {{ 340 uu__sshhoorrtt ccooddee;; 341 uu__cchhaarr jjtt;; 342 uu__cchhaarr jjff;; 343 lloonngg kk;; 344 }};; 345 346 The _k field is used in differnet ways by different 347 insutructions, and the _j_t and _j_f fields are used as 348 offsets by the branch intructions. The opcodes are 349 encoded in a semi-hierarchical fashion. There are eight 350 classes of intructions: BPF_LD, BPF_LDX, BPF_ST, BPF_STX, 351 BPF_ALU, BPF_JMP, BPF_RET, and BPF_MISC. Various other 352 mode and operator bits are or'd into the class to give the 353 actual instructions. The classes and modes are defined in 354 <net/bpf.h>. 355 356 Below are the semantics for each defined BPF instruction. 357 We use the convention that A is the accumulator, X is the 358 index register, P[] packet data, and M[] scratch memory 359 store. P[i:n] gives the data at byte offset ``i'' in the 360 packet, interpreted as a word (n=4), unsigned halfword 361 (n=2), or unsigned byte (n=1). M[i] gives the i'th word 362 in the scratch memory store, which is only addressed in 363 word units. The memory store is indexed from 0 to 364 BPF_MEMWORDS-1. _k, _j_t, and _j_f are the corresponding 365 fields in the instruction definition. ``len'' refers to 366 the length of the packet. 367 368 369 BBPPFF__LLDD These instructions copy a value into the 370 accumulator. The type of the source operand is 371 specified by an ``addressing mode'' and can be a 372 constant (BBPPFF__IIMMMM), packet data at a fixed 373 offset (BBPPFF__AABBSS), packet data at a variable 374 offset (BBPPFF__IINNDD), the packet length (BBPPFF__LLEENN), 375 or a word in the scratch memory store (BBPPFF__MMEEMM). 376 For BBPPFF__IINNDD and BBPPFF__AABBSS, the data size must be 377 specified as a word (BBPPFF__WW), halfword (BBPPFF__HH), 378 or byte (BBPPFF__BB). The semantics of all the 379 recognized BPF_LD instructions follow. 380 381 382 BBPPFF__LLDD++BBPPFF__WW++BBPPFF__AABBSS A <- P[k:4] 383 384 BBPPFF__LLDD++BBPPFF__HH++BBPPFF__AABBSS A <- P[k:2] 385 386 BBPPFF__LLDD++BBPPFF__BB++BBPPFF__AABBSS A <- P[k:1] 387 388 BBPPFF__LLDD++BBPPFF__WW++BBPPFF__IINNDD A <- P[X+k:4] 389 390 BBPPFF__LLDD++BBPPFF__HH++BBPPFF__IINNDD A <- P[X+k:2] 391 392 393 394May 23 6 395 396 397 398 399 400BPF(4) 1991 BPF(4) 401 402 403 BBPPFF__LLDD++BBPPFF__BB++BBPPFF__IINNDD A <- P[X+k:1] 404 405 BBPPFF__LLDD++BBPPFF__WW++BBPPFF__LLEENN A <- len 406 407 BBPPFF__LLDD++BBPPFF__IIMMMM A <- k 408 409 BBPPFF__LLDD++BBPPFF__MMEEMM A <- M[k] 410 411 412 BBPPFF__LLDDXX These instructions load a value into the index 413 register. Note that the addressing modes are 414 more retricted than those of the accumulator 415 loads, but they include BBPPFF__MMSSHH,, a hack for 416 efficiently loading the IP header length. 417 418 BBPPFF__LLDDXX++BBPPFF__WW++BBPPFF__IIMMMM X <- k 419 420 BBPPFF__LLDDXX++BBPPFF__WW++BBPPFF__MMEEMM X <- M[k] 421 422 BBPPFF__LLDDXX++BBPPFF__WW++BBPPFF__LLEENN X <- len 423 424 BBPPFF__LLDDXX++BBPPFF__BB++BBPPFF__MMSSHH X <- 425 4*(P[k:1]&0xf) 426 427 428 BBPPFF__SSTT This instruction stores the accumulator into the 429 scratch memory. We do not need an addressing 430 mode since there is only one possibility for the 431 destination. 432 433 BBPPFF__SSTT M[k] <- A 434 435 436 BBPPFF__SSTTXX This instruction stores the index register in 437 the scratch memory store. 438 439 BBPPFF__SSTTXX M[k] <- X 440 441 442 BBPPFF__AALLUU The alu instructions perform operations between 443 the accumulator and index register or constant, 444 and store the result back in the accumulator. 445 For binary operations, a source mode is required 446 (BBPPFF__KK or BBPPFF__XX). 447 448 BBPPFF__AALLUU++BBPPFF__AADDDD++BBPPFF__KK A <- A + k 449 450 BBPPFF__AALLUU++BBPPFF__SSUUBB++BBPPFF__KK A <- A - k 451 452 BBPPFF__AALLUU++BBPPFF__MMUULL++BBPPFF__KK A <- A * k 453 454 BBPPFF__AALLUU++BBPPFF__DDIIVV++BBPPFF__KK A <- A / k 455 456 BBPPFF__AALLUU++BBPPFF__AANNDD++BBPPFF__KK A <- A & k 457 458 459 460May 23 7 461 462 463 464 465 466BPF(4) 1991 BPF(4) 467 468 469 BBPPFF__AALLUU++BBPPFF__OORR++BBPPFF__KK A <- A | k 470 471 BBPPFF__AALLUU++BBPPFF__LLSSHH++BBPPFF__KK A <- A << k 472 473 BBPPFF__AALLUU++BBPPFF__RRSSHH++BBPPFF__KK A <- A >> k 474 475 BBPPFF__AALLUU++BBPPFF__AADDDD++BBPPFF__XX A <- A + X 476 477 BBPPFF__AALLUU++BBPPFF__SSUUBB++BBPPFF__XX A <- A - X 478 479 BBPPFF__AALLUU++BBPPFF__MMUULL++BBPPFF__XX A <- A * X 480 481 BBPPFF__AALLUU++BBPPFF__DDIIVV++BBPPFF__XX A <- A / X 482 483 BBPPFF__AALLUU++BBPPFF__AANNDD++BBPPFF__XX A <- A & X 484 485 BBPPFF__AALLUU++BBPPFF__OORR++BBPPFF__XX A <- A | X 486 487 BBPPFF__AALLUU++BBPPFF__LLSSHH++BBPPFF__XX A <- A << X 488 489 BBPPFF__AALLUU++BBPPFF__RRSSHH++BBPPFF__XX A <- A >> X 490 491 BBPPFF__AALLUU++BBPPFF__NNEEGG A <- -A 492 493 494 BBPPFF__JJMMPP The jump instructions alter flow of control. 495 Conditional jumps compare the accumulator 496 against a constant (BBPPFF__KK) or the index register 497 (BBPPFF__XX). If the result is true (or non-zero), 498 the true branch is taken, otherwise the false 499 branch is taken. Jump offsets are encoded in 8 500 bits so the longest jump is 256 instructions. 501 However, the jump always (BBPPFF__JJAA) opcode uses 502 the 32 bit _k field as the offset, allowing 503 arbitrarily distant destinations. All 504 conditionals use unsigned comparison 505 conventions. 506 507 BBPPFF__JJMMPP++BBPPFF__JJAA pc += k 508 509 BBPPFF__JJMMPP++BBPPFF__JJGGTT++BBPPFF__KK pc += (A > k) ? jt 510 : jf 511 512 BBPPFF__JJMMPP++BBPPFF__JJGGEE++BBPPFF__KK pc += (A >= k) ? 513 jt : jf 514 515 BBPPFF__JJMMPP++BBPPFF__JJEEQQ++BBPPFF__KK pc += (A == k) ? 516 jt : jf 517 518 BBPPFF__JJMMPP++BBPPFF__JJSSEETT++BBPPFF__KK pc += (A & k) ? jt 519 : jf 520 521 BBPPFF__JJMMPP++BBPPFF__JJGGTT++BBPPFF__XX pc += (A > X) ? jt 522 : jf 523 524 525 526May 23 8 527 528 529 530 531 532BPF(4) 1991 BPF(4) 533 534 535 BBPPFF__JJMMPP++BBPPFF__JJGGEE++BBPPFF__XX pc += (A >= X) ? 536 jt : jf 537 538 BBPPFF__JJMMPP++BBPPFF__JJEEQQ++BBPPFF__XX pc += (A == X) ? 539 jt : jf 540 541 BBPPFF__JJMMPP++BBPPFF__JJSSEETT++BBPPFF__XX pc += (A & X) ? jt 542 : jf 543 544 BBPPFF__RREETT The return instructions terminate the filter 545 program and specify the amount of packet to 546 accept (i.e., they return the truncation 547 amount). A return value of zero indicates that 548 the packet should be ignored. The return value 549 is either a constant (BBPPFF__KK) or the accumulator 550 (BBPPFF__AA). 551 552 BBPPFF__RREETT++BBPPFF__AA accept A bytes 553 554 BBPPFF__RREETT++BBPPFF__KK accept k bytes 555 556 BBPPFF__MMIISSCC The miscellaneous category was created for 557 anything that doesn't fit into the above 558 classes, and for any new instructions that might 559 need to be added. Currently, these are the 560 register transfer intructions that copy the 561 index register to the accumulator or vice versa. 562 563 BBPPFF__MMIISSCC++BBPPFF__TTAAXX X <- A 564 565 BBPPFF__MMIISSCC++BBPPFF__TTXXAA A <- X 566 567 The BPF interface provides the following macros to 568 facilitate array initializers: 569 BBPPFF__SSTTMMTT(_o_p_c_o_d_e, _o_p_e_r_a_n_d) 570 and 571 BBPPFF__JJUUMMPP(_o_p_c_o_d_e, _o_p_e_r_a_n_d, _t_r_u_e__o_f_f_s_e_t, 572 _f_a_l_s_e__o_f_f_s_e_t) 573 574 575EEXXAAMMPPLLEESS 576 The following filter is taken from the Reverse ARP Daemon. 577 It accepts only Reverse ARP requests. 578 579 struct bpf_insn insns[] = { 580 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12), 581 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_REVARP, 0, 3), 582 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20), 583 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, REVARP_REQUEST, 0, 1), 584 BPF_STMT(BPF_RET+BPF_K, sizeof(struct ether_arp) + 585 sizeof(struct ether_header)), 586 BPF_STMT(BPF_RET+BPF_K, 0), 587 }; 588 589 590 591 592May 23 9 593 594 595 596 597 598BPF(4) 1991 BPF(4) 599 600 601 This filter accepts only IP packets between host 602 128.3.112.15 and 128.3.112.35. 603 604 struct bpf_insn insns[] = { 605 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12), 606 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 8), 607 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 26), 608 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x8003700f, 0, 2), 609 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 30), 610 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x80037023, 3, 4), 611 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x80037023, 0, 3), 612 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 30), 613 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x8003700f, 0, 1), 614 BPF_STMT(BPF_RET+BPF_K, (u_int)-1), 615 BPF_STMT(BPF_RET+BPF_K, 0), 616 }; 617 618 Finally, this filter returns only TCP finger packets. We 619 must parse the IP header to reach the TCP header. The 620 BBPPFF__JJSSEETT instruction checks that the IP fragment offset is 621 0 so we are sure that we have a TCP header. 622 623 struct bpf_insn insns[] = { 624 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12), 625 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 10), 626 BPF_STMT(BPF_LD+BPF_B+BPF_ABS, 23), 627 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_TCP, 0, 8), 628 BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20), 629 BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, 0x1fff, 6, 0), 630 BPF_STMT(BPF_LDX+BPF_B+BPF_MSH, 14), 631 BPF_STMT(BPF_LD+BPF_H+BPF_IND, 14), 632 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 79, 2, 0), 633 BPF_STMT(BPF_LD+BPF_H+BPF_IND, 16), 634 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 79, 0, 1), 635 BPF_STMT(BPF_RET+BPF_K, (u_int)-1), 636 BPF_STMT(BPF_RET+BPF_K, 0), 637 }; 638 639SSEEEE AALLSSOO 640 tcpdump(1) 641 642 McCanne, S., Jacobson V., `_A_n _e_f_f_i_c_i_e_n_t, _e_x_t_e_n_s_i_b_l_e, _a_n_d 643 _p_o_r_t_a_b_l_e _n_e_t_w_o_r_k _m_o_n_i_t_o_r' 644 645FFIILLEESS 646 /dev/bpf0, /dev/bpf1, ... 647 648BBUUGGSS 649 The read buffer must be of a fixed size (returned by the 650 BIOCGBLEN ioctl). 651 652 A file that does not request promiscuous mode may receive 653 promiscuously received packets as a side effect of another 654 file requesting this mode on the same hardware interface. 655 656 657 658May 23 10 659 660 661 662 663 664BPF(4) 1991 BPF(4) 665 666 667 This could be fixed in the kernel with additional 668 processing overhead. However, we favor the model where 669 all files must assume that the interface is promiscuous, 670 and if so desired, must utilize a filter to reject foreign 671 packets. 672 673 Data link protocols with variable length headers are not 674 currently supported. 675 676 Under SunOS, if a BPF application reads more than 2^31 677 bytes of data, read will fail in EINVAL. You can either 678 fix the bug in SunOS, or lseek to 0 when read fails for 679 this reason. 680 681HHIISSTTOORRYY 682 The Enet packet filter was created in 1980 by Mike Accetta 683 and Rick Rashid at Carnegie-Mellon University. Jeffrey 684 Mogul, at Stanford, ported the code to BSD and continued 685 its development from 1983 on. Since then, it has evolved 686 into the Ultrix Packet Filter at DEC, a STREAMS NIT module 687 under SunOS 4.1, and BPF. 688 689AAUUTTHHOORRSS 690 Steven McCanne, of Lawrence Berkeley Laboratory, 691 implemented BPF in Summer 1990. Much of the design is due 692 to Van Jacobson. 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724May 23 11 725 726 727