Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
BPF(9)			 BSD Kernel Developer's	Manual			BPF(9)

NAME
     bpf -- Berkeley Packet Filter

SYNOPSIS
     #include <net/bpf.h>

     void
     bpfattach(struct ifnet *ifp, u_int	dlt, u_int hdrlen);

     void
     bpfattach2(struct ifnet *ifp, u_int dlt, u_int hdrlen,
	 struct	bpf_if **driverp);

     void
     bpfdetach(struct ifnet *ifp);

     void
     bpf_tap(struct ifnet *ifp,	u_char *pkt, u_int *pktlen);

     void
     bpf_mtap(struct ifnet *ifp, struct	mbuf *m);

     void
     bpf_mtap2(struct bpf_if *bp, void *data, u_int dlen, struct mbuf *m);

     u_int
     bpf_filter(const struct bpf_insn *pc, u_char *pkt,	u_int *wirelen,
	 u_int *buflen);

     int
     bpf_validate(const	struct bpf_insn	*fcode,	int flen);

DESCRIPTION
     The Berkeley Packet Filter	provides a raw interface, that is protocol in-
     dependent,	to data	link layers.  It allows	all packets on the network,
     even those	destined for other hosts, to be	passed from a network inter-
     face to user programs.  Each program may specify a	filter,	in the form of
     a bpf filter machine program.  bpf(4) describes the interface used	by
     user programs.  This man page describes the functions used	by interfaces
     to	pass packets to	bpf and	the functions for testing and running bpf fil-
     ter machine programs.

     bpfattach() attaches a network interface to bpf.  ifp is a	pointer	to the
     structure that defines the	interface to be	attached to an interface.  dlt
     is	the data link-layer type: DLT_NULL (no link-layer encapsulation),
     DLT_EN10MB	(Ethernet), DLT_IEEE802_11 (802.11 wireless networks), etc.
     The rest of the link layer	types can be found in /usr/src/sys/net/bpf.h.
     hdrlen is the fixed size of the link header; variable length headers are
     not yet supported.	 The bpf system	will hold a pointer to ifp-_if_bpf.
     This variable will	set to a non-NULL value	when bpf requires packets from
     this interface to be tapped using the functions below.

     bpfattach2() allows multiple bpf instances	to be attached to a single in-
     terface, by registering an	explicit if_bpf	rather than using ifp-_if_bpf.
     It	is then	possible to run	tcpdump(1) on the interface for	any data link-
     layer types attached.

     bpfdetach() detaches a bpf	instance from an interface, specified by ifp.
     bpfdetach() should	be called once for each	bpf instance attached.

     bpf_tap() is used by an interface to pass the packet to bpf.  The packet
     data (including link-header), pointed to by pkt, is of length pktlen,
     which must	be a contiguous	buffer.	 ifp is	a pointer to the structure
     that defines the interface	to be tapped.  The packet is parsed by each
     processes filter, and if accepted,	it is buffered for the process to
     read.

     bpf_mtap()	is like	bpf_tap() except that it is used to tap	packets	that
     are in an mbuf chain, m.  ifp is a	pointer	to the structure that defines
     the interface to be tapped.  Like bpf_tap(), bpf_mtap() requires a	link-
     header for	whatever data link layer type is specified.  Note that bpf
     only reads	from the mbuf chain, it	does not free it or keep a pointer to
     it.  This means that a mbuf containing the	link-header can	be prepended
     to	the chain if necessary.	 A cleaner interface to	achieve	this is	pro-
     vided by bpf_mtap2().

     bpf_mtap2() allows	the user to pass a link-header data, of	length dlen,
     independent of the	mbuf m,	containing the packet.	This simplifies	the
     passing of	some link-headers.

     bpf_filter() executes the filter program starting at pc on	the packet
     pkt.  wirelen is the length of the	original packet	and buflen is the
     amount of data present.

     bpf_validate() checks that	the filter code	fcode, of length flen, is
     valid.

RETURN VALUES
     bpf_filter() returns -1 (cast to an unsigned integer) if there is no fil-
     ter.  Otherwise, it returns the result of the filter program.

     bpf_validate() returns 0 when the program is not a	valid filter program.

SEE ALSO
     tcpdump(1), bpf(4).

HISTORY
     The Enet packet filter was	created	in 1980	by Mike	Accetta	and Rick
     Rashid at Carnegie-Mellon University.  Jeffrey Mogul, at Stanford,	ported
     the code to BSD and continued its development from	1983 on.  Since	then,
     it	has evolved into the Ultrix Packet Filter at DEC, a STREAMS NIT	module
     under SunOS 4.1, and BPF.

AUTHORS
     Steven McCanne, of	Lawrence Berkeley Laboratory, implemented BPF in Sum-
     mer 1990.	Much of	the design is due to Van Jacobson.  This manpage by
     was written by Orla McGann.

BSD				 May 19, 2004				   BSD

NAME | SYNOPSIS | DESCRIPTION | RETURN VALUES | SEE ALSO | HISTORY | AUTHORS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=bpf&sektion=9&manpath=FreeBSD+5.4-RELEASE>

home | help