Berkeley Packet Filter
Encyclopedia
The Berkeley Packet Filter or BPF provides, on some Unix-like
systems, a raw interface to data link layers, permitting raw link-layer packets to be sent and received. In addition, if the driver for the network interface supports promiscuous mode
, it allows the interface to be put into that mode, so that all packets on the network
, even those destined for other hosts, can be received.
In addition, it supports "filtering" packets, so that only "interesting" packets can be supplied to the software using BPF; this can avoid copying "uninteresting" packets from the operating system
kernel to software running in user mode, reducing the CPU requirement to capture packets and the buffer
space required to avoid dropping packets. BPF's filtering capabilities are implemented as an interpreter for a machine language for the BPF virtual machine
; programs in that language can fetch data from the packet, perform arithmetic
operations on data from the packet, and compare the results against constants or against data in the packet or test bit
s in the results, accepting or rejecting the packet based on the results of those tests. On some platforms, including FreeBSD
and WinPcap, just-in-time compilation
is used to convert virtual machine instructions into native code in order to further avoid overhead.
Kernel-mode interpreters for that same virtual machine language are used in raw data link layer mechanisms in other operating systems, such as Tru64 Unix
, and for socket filters in Linux
and in the WinPcap packet capture mechanism.
A user-mode interpreter for it is provided with the libpcap/WinPcap implementation of the pcap
application programming interface
(API), so that, when capturing packets on systems without kernel-mode support for that filtering mechanism, packets can be filtered in user mode; code using the pcap API will work on both types of systems, although, on systems where the filtering is done in user mode, all packets, including those that will be filtered out, are copied from the kernel to user space. That interpreter can also be used when reading a file containing packets captured using pcap.
BPF is sometimes used to refer just to the filtering mechanism, rather than to the entire interface.
BSD kernels implement routines such as
In August 2003, SCO Group
publicly claimed to own Unix code which they alleged the Linux kernel
infringed. Programmers quickly discovered the code in question was the Berkeley Packet Filter. While clear that SCO did not own the BPF code, they did not explain or acknowledge the mistake, although legal action is ongoing
that may eventually force an answer.
In 2007, Robert Watson and Christian Peron added zero-copy buffer extensions to the BPF implementation in the FreeBSD
operating system, allowing kernel packet capture in the device driver interrupt handler to write directly to user process memory in order to avoid the requirement for two copies for all packet data received via the BPF device. While one copy remains in the receipt path for user processes, this preserves the independence of different BPF device consumers, as well as allowing the packing of headers into the BPF buffer rather than copying complete packet data.
Unix-like
A Unix-like operating system is one that behaves in a manner similar to a Unix system, while not necessarily conforming to or being certified to any version of the Single UNIX Specification....
systems, a raw interface to data link layers, permitting raw link-layer packets to be sent and received. In addition, if the driver for the network interface supports promiscuous mode
Promiscuous mode
In computer networking, promiscuous mode or promisc mode is a mode for a network interface controller that causes the NIC to pass all traffic it receives to the central processing unit rather than just passing frames the NIC is intended to receive...
, it allows the interface to be put into that mode, so that all packets on the network
Computer network
A computer network, often simply referred to as a network, is a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information....
, even those destined for other hosts, can be received.
In addition, it supports "filtering" packets, so that only "interesting" packets can be supplied to the software using BPF; this can avoid copying "uninteresting" packets from the operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
kernel to software running in user mode, reducing the CPU requirement to capture packets and the buffer
Buffer (computer science)
In computer science, a buffer is a region of a physical memory storage used to temporarily hold data while it is being moved from one place to another. Typically, the data is stored in a buffer as it is retrieved from an input device or just before it is sent to an output device...
space required to avoid dropping packets. BPF's filtering capabilities are implemented as an interpreter for a machine language for the BPF virtual machine
Virtual machine
A virtual machine is a "completely isolated guest operating system installation within a normal host operating system". Modern virtual machines are implemented with either software emulation or hardware virtualization or both together.-VM Definitions:A virtual machine is a software...
; programs in that language can fetch data from the packet, perform arithmetic
Arithmetic
Arithmetic or arithmetics is the oldest and most elementary branch of mathematics, used by almost everyone, for tasks ranging from simple day-to-day counting to advanced science and business calculations. It involves the study of quantity, especially as the result of combining numbers...
operations on data from the packet, and compare the results against constants or against data in the packet or test bit
Bit
A bit is the basic unit of information in computing and telecommunications; it is the amount of information stored by a digital device or other physical system that exists in one of two possible distinct states...
s in the results, accepting or rejecting the packet based on the results of those tests. On some platforms, including FreeBSD
FreeBSD
FreeBSD is a free Unix-like operating system descended from AT&T UNIX via BSD UNIX. Although for legal reasons FreeBSD cannot be called “UNIX”, as the direct descendant of BSD UNIX , FreeBSD’s internals and system APIs are UNIX-compliant...
and WinPcap, just-in-time compilation
Just-in-time compilation
In computing, just-in-time compilation , also known as dynamic translation, is a method to improve the runtime performance of computer programs. Historically, computer programs had two modes of runtime operation, either interpreted or static compilation...
is used to convert virtual machine instructions into native code in order to further avoid overhead.
Kernel-mode interpreters for that same virtual machine language are used in raw data link layer mechanisms in other operating systems, such as Tru64 Unix
Tru64 UNIX
Tru64 UNIX is a 64-bit UNIX operating system for the Alpha instruction set architecture , currently owned by Hewlett-Packard . Previously, Tru64 UNIX was a product of Compaq, and before that, Digital Equipment Corporation , where it was known as Digital UNIX .As its original name suggests, Tru64...
, and for socket filters in Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
and in the WinPcap packet capture mechanism.
A user-mode interpreter for it is provided with the libpcap/WinPcap implementation of the pcap
Pcap
In the field of computer network administration, pcap consists of an application programming interface for capturing network traffic...
application programming interface
Application programming interface
An application programming interface is a source code based specification intended to be used as an interface by software components to communicate with each other...
(API), so that, when capturing packets on systems without kernel-mode support for that filtering mechanism, packets can be filtered in user mode; code using the pcap API will work on both types of systems, although, on systems where the filtering is done in user mode, all packets, including those that will be filtered out, are copied from the kernel to user space. That interpreter can also be used when reading a file containing packets captured using pcap.
BPF is sometimes used to refer just to the filtering mechanism, rather than to the entire interface.
BSD kernels implement routines such as
bpf_mtap and bpf_tap, with some wrapping them in macros such as BPF_MTAP and BPF_TAP, which are called by network interface drivers (and pseudo-drivers) to deliver incoming and outgoing packets to the BPF mechanism.In August 2003, SCO Group
SCO Group
TSG Group, Inc. is a software company formerly called The SCO Group, Caldera Systems, and Caldera International. After acquiring the Santa Cruz Operation's Server Software and Services divisions, as well as UnixWare and OpenServer technologies, the company changed its focus to UNIX...
publicly claimed to own Unix code which they alleged the Linux kernel
Linux kernel
The Linux kernel is an operating system kernel used by the Linux family of Unix-like operating systems. It is one of the most prominent examples of free and open source software....
infringed. Programmers quickly discovered the code in question was the Berkeley Packet Filter. While clear that SCO did not own the BPF code, they did not explain or acknowledge the mistake, although legal action is ongoing
SCO-Linux controversies
The SCO-Linux controversies are a series of legal and public disputes between the software company SCO Group and various Linux vendors and users. The SCO Group alleges that its license agreements with IBM means that source code that IBM wrote and donated to be incorporated into Linux was added in...
that may eventually force an answer.
In 2007, Robert Watson and Christian Peron added zero-copy buffer extensions to the BPF implementation in the FreeBSD
FreeBSD
FreeBSD is a free Unix-like operating system descended from AT&T UNIX via BSD UNIX. Although for legal reasons FreeBSD cannot be called “UNIX”, as the direct descendant of BSD UNIX , FreeBSD’s internals and system APIs are UNIX-compliant...
operating system, allowing kernel packet capture in the device driver interrupt handler to write directly to user process memory in order to avoid the requirement for two copies for all packet data received via the BPF device. While one copy remains in the receipt path for user processes, this preserves the independence of different BPF device consumers, as well as allowing the packing of headers into the BPF buffer rather than copying complete packet data.