Berkeley Packet Filters

The Berkeley Packet Filter ( BPF ), and Berkeley filter , provides on Unix-like operating systems, interface for data link layer , which allows data packets to the data link layer to send and receive messages. If the driver of the network interface supports promiscuous mode , the interface can be switched to this mode so that all packets on the network , including those intended for other network adapters, can be received.

The BPF also supports the filtering of data packets so that only interesting packets are processed and thus computing power is saved.

The Berkeley filter functionality is implemented as an interpreter in machine language for the BPF- VM . Computer programs can thus read data from the packet, perform arithmetic operations on it, compare the result against the filter definition and then accept or reject the packet. On some systems, including FreeBSD and WinPcap , is just-in-time compilation support (conversion of the virtual machine instructions into machine language) to the power to improve the system. Since just-in-time compilation has also been supported under Linux , the BPF has developed into a universal virtual machine in the kernel. BPF is an official back-end for LLVM (from version 3.7).

The interpreter can run in kernel mode or user mode . Kernel mode interpreters are e.g. B. used for socket filters under Linux or WinPcap mechanisms. A user-mode interpreter provides the libpcap- / WinPcap implementation of pcap - API . On systems without kernel mode support for the filter mechanism, it can be used to filter packets in user mode.

In 2007 Robert Watson and Christian Peron added the zero-copy buffer extensions to the BPF implementation. This means that packets recorded by the device driver can be written directly to the memory of programs in user mode and there is no need to copy the data.

Individual evidence

↑ Michael Larabel: Understanding The Linux Kernel's BPF In-Kernel Virtual Machine. Phoronix , March 3, 2015, accessed March 4, 2015 .
↑ Michael Larabel: BPF Goes Through With Becoming An Official LLVM Back-End. Phoronix, June 10, 2015, accessed June 11, 2015 .

Web links

1993 USENIX article on BPF (English, PDF, 133 kB)
FreeBSD developer summit presentation on Zero-copy buffer extensions for BPF (English, PDF, 80 kB)
BPF help pages (English)
Filter definition syntax (English, PDF, 77 kB)
bpfc, BPF compiler for Linux (part of the netsniff-ng toolkit)
Documentation in the Linux kernel: Linux Socket Filtering aka Berkeley Packet Filter (BPF)

[1] Michael Larabel: Understanding The Linux Kernel's BPF In-Kernel Virtual Machine. Phoronix , March 3, 2015, accessed March 4, 2015 .

[2] Michael Larabel: BPF Goes Through With Becoming An Official LLVM Back-End. Phoronix, June 10, 2015, accessed June 11, 2015 .