man/man4/bpf.4

.\"	$OpenBSD: bpf.4,v 1.12 2001/10/05 14:45:53 mpech Exp $
.\"     $NetBSD: bpf.4,v 1.7 1995/09/27 18:31:50 thorpej Exp $
.\"
.\" Copyright (c) 1990 The Regents of the University of California.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.\" This document is derived in part from the enet man page (enet.4)
.\" distributed with 4.3BSD Unix.
.\"
.Dd May 23, 1991
.Dt BPF 4
.Os
.Sh NAME
.Nm bpf
.Nd Berkeley Packet Filter
.Sh SYNOPSIS
.Cd pseudo-device bpfilter 8
.Sh DESCRIPTION
The Berkeley Packet Filter provides a raw interface to data link layers in
a protocol-independent fashion.
All packets on the network, even those destined for other hosts, are
accessible through this mechanism.
.Pp
The packet filter appears as a character special device,
.Pa /dev/bpf0 ,
.Pa /dev/bpf1 ,
etc.
After opening the device, the file descriptor must be bound to a specific
network interface with the
.Dv BIOSETIF
ioctl.
A given interface can be shared between multiple listeners and the filter
underlying each descriptor will see an identical packet stream.
The total number of open files is limited to the value given in the kernel
configuration; the example given in the
.Sx SYNOPSIS
above sets the limit to 8.
.Pp
A separate device file is required for each minor device.
If a file is in use, the open will fail and
.Va errno
will be set to
.Er EBUSY .
.Pp
Associated with each open instance of a
.Nm
file is a user-settable
packet filter.
Whenever a packet is received by an interface, all file descriptors
listening on that interface apply their filter.
Each descriptor that accepts the packet receives its own copy.
.Pp
Reads from these files return the next group of packets that have matched
the filter.
To improve performance, the buffer passed to read must be the same size as
the buffers used internally by
.Nm bpf .
This size is returned by the
.Dv BIOCGBLEN
ioctl (see below), and under BSD, can be set with
.Dv BIOCSBLEN .
Note that an individual packet larger than this size is necessarily truncated.
.Pp
The packet filter will support any link level protocol that has fixed length
headers.
Currently, only Ethernet, SLIP, and PPP drivers have been modified to
interact with
.Nm bpf .
.Pp
Since packet data is in network byte order, applications should use the
.Xr byteorder 3
macros to extract multi-byte values.
.Pp
A packet can be sent out on the network by writing to a
.Nm
file descriptor.
The writes are unbuffered, meaning only one packet can be processed per write.
Currently, only writes to Ethernets and SLIP links are supported.
.Ss Ioctls
The ioctl command codes below are defined in
.Aq Pa net/bpf.h .
All commands require these includes:
.Pp
.Bd -offset indent
.Cd #include <sys/types.h>
.Cd #include <sys/time.h>
.Cd #include <sys/ioctl.h>
.Cd #include <net/bpf.h>
.Ed
.Pp
Additionally,
.Dv BIOCGETIF
and
.Dv BIOCSETIF
require
.Aq Pa net/if.h .
.Pp
The (third) argument to the
.Xr ioctl 2
call should be a pointer to the type indicated.
.Bl -tag -width Ds
.It Dv BIOCGBLEN Pf ( Li int Ns No )
Returns the required buffer length for reads on
.Nm
files.
.It Dv BIOCSBLEN Pf ( Li u_int Ns No )
Sets the buffer length for reads on
.Nm
files.
The buffer must be set before the file is attached to an interface with
.Dv BIOCSETIF .
If the requested buffer size cannot be accommodated, the closest allowable
size will be set and returned in the argument.
A read call will result in
.Er EIO
if it is passed a buffer that is not this size.
.It Dv BIOCGDLT Pf ( Li u_int Ns No )
Returns the type of the data link layer underlying the attached interface.
.Er EINVAL
is returned if no interface has been specified.
The device types, prefixed with
.Dq DLT_ ,
are defined in
.Aq Pa net/bpf.h .
.It Dv BIOCPROMISC
Forces the interface into promiscuous mode.
All packets, not just those destined for the local host, are processed.
Since more than one file can be listening on a given interface, a listener
that opened its interface non-promiscuously may receive packets promiscuously.
This problem can be remedied with an appropriate filter.
.Pp
The interface remains in promiscuous mode until all files listening
promiscuously are closed.
.It Dv BIOCFLUSH
Flushes the buffer of incoming packets and resets the statistics that are
returned by
.Dv BIOCGSTATS .
.It Dv BIOCGETIF Pf ( Li "struct ifreq" Ns No )
Returns the name of the hardware interface that the file is listening on.
The name is returned in the
.Fa ifr_name
field of the
.Li struct ifreq .
All other fields are undefined.
.It Dv BIOCSETIF Pf ( Li "struct ifreq" Ns No )
Sets the hardware interface associated with the file.
This command must be performed before any packets can be read.
The device is indicated by name using the
.Fa ifr_name
field of the
.Li struct ifreq .
Additionally, performs the actions of
.Dv BIOCFLUSH .
.It Xo Dv BIOCSRTIMEOUT , Dv BIOCGRTIMEOUT (
.Li struct timeval Ns No )
.Xc
Set or get the read timeout parameter.
The
.Ar timeval
specifies the length of time to wait before timing out on a read request.
This parameter is initialized to zero by
.Xr open 2 ,
indicating no timeout.
.It Dv BIOCGSTATS Pf ( Li "struct bpf_stat" Ns No )
Returns the following structure of packet statistics:
.Pp
.Bd -literal -offset indent
struct bpf_stat {
	u_int bs_recv;
	u_int bs_drop;
};
.Ed
.Pp
The fields are:
.Pp
.Bl -tag -width bs_recv
.It Fa bs_recv
Number of packets received by the descriptor since opened or reset (including
any buffered since the last read call).
.It Fa bs_drop
Number of packets which were accepted by the filter but dropped by the kernel
because of buffer overflows (i.e., the application's reads aren't keeping up
with the packet traffic).
.El
.It Dv BIOCIMMEDIATE Pf ( Li u_int Ns No )
Enable or disable
.Dq immediate mode ,
based on the truth value of the argument.
When immediate mode is enabled, reads return immediately upon packet reception.
Otherwise, a read will block until either the kernel buffer becomes full or a
timeout occurs.
This is useful for programs like
.Xr rarpd 8 ,
which must respond to messages in real time.
The default for a new file is off.
.It Dv BIOCSETF Pf ( Li "struct bpf_program" Ns No )
Sets the filter program used by the kernel to discard uninteresting packets.
An array of instructions and its length is passed in using the following
structure:
.Pp
.Bd -literal -offset indent
struct bpf_program {
	int bf_len;
	struct bpf_insn *bf_insns;
};
.Ed
.Pp
The filter program is pointed to by the
.Fa bf_insns
field while its length in units of
.Li struct bpf_insn
is given by the
.Fa bf_len
field.
Also, the actions of
.Dv BIOCFLUSH
are performed.
.Pp
See section
.Sx FILTER MACHINE
for an explanation of the filter language.
.It Dv BIOCVERSION Pf ( Li "struct bpf_version" Ns No )
Returns the major and minor version numbers of the filter language currently
recognized by the kernel.
Before installing a filter, applications must check that the current version
is compatible with the running kernel.
Version numbers are compatible if the major numbers match and the application
minor is less than or equal to the kernel minor.
The kernel version number is returned in the following structure:
.Pp
.Bd -literal -offset indent
struct bpf_version {
	u_short bv_major;
	u_short bv_minor;
};
.Ed
.Pp
The current version numbers are given by
.Dv BPF_MAJOR_VERSION
and
.Dv BPF_MINOR_VERSION
from
.Aq Pa net/bpf.h .
An incompatible filter may result in undefined behavior (most likely, an
error returned by
.Xr ioctl 2
or haphazard packet matching).
.It Xo Dv BIOCSRSIG , Dv BIOCGRSIG (
.Li u_int Ns No )
.Xc
Set or get the receive signal.
This signal will be sent to the process or process group specified by
.Dv FIOSETOWN .
It defaults to
.Dv SIGIO .
.It Xo Dv BIOCSHDRCMPLT , Dv BIOCGHDRCMPLT (
.Li u_int Ns No )
.Xc
Set or get the status of the ``header complete'' flag.
Set to zero if the link level source address should be filled in
automatically by the the interface output routine.
Set to one if the link level source address will be written,
as provided, to the wire.
This flag is initialized to zero by default.
.El
.Ss Standard ioctls
.Nm
now supports several standard ioctls which allow the user to do asynchronous
and/or non-blocking I/O to an open
.Nm
file descriptor.
.Bl -tag -width Ds
.It Dv FIONREAD Pf ( Li int Ns No )
Returns the number of bytes that are immediately available for reading.
.It Dv SIOCGIFADDR Pf ( Li "struct ifreq" Ns No )
Returns the address associated with the interface.
.It Dv FIONBIO Pf ( Li int Ns No )
Set or clear non-blocking I/O.
If the argument is non-zero, then doing a read when no data is available will
return \-1 and
.Va errno
will be set to
.Er EWOULDBLOCK .
If the argument is zero, non-blocking I/O is disabled.
Note: setting this overrides the timeout set by
.Dv BIOCSRTIMEOUT .
.It Dv FIOASYNC Pf ( Li int Ns No )
Enable or disable asynchronous I/O.
When enabled (argument is non-zero), the process or process group specified
by
.Dv FIOSETOWN
will start receiving
.Dv SIGIO
signals when packets arrive.
Note that you must perform an
.Dv FIOSETOWN
command in order for this to take effect, as the system will not do it by
default.
The signal may be changed via
.Dv BIOCSRSIG .
.It Xo Dv FIOSETOWN , Dv FIOGETOWN (
.Li int Ns No )
.Xc
Set or get the process or process group (if negative) that should receive
.Dv SIGIO
when packets are available.
The signal may be changed using
.Dv BIOCSRSIG
(see above).
.El
.Ss BPF header
The following structure is prepended to each packet returned by
.Xr read 2 :
.Pp
.Bd -literal -offset indent

struct bpf_hdr {
	struct bpf_timeval bh_tstamp;
	u_int32_t	bh_caplen;
	u_int32_t	bh_datalen;
	u_int16_t	bh_hdrlen;
};
.Ed
.Pp
The fields, stored in host order, are as follows:
.Bl -tag -width Ds
.It Fa bh_tstamp
Time at which the packet was processed by the packet filter.
.It Fa bh_caplen
Length of the captured portion of the packet.
This is the minimum of the truncation amount specified by the filter and the
length of the packet.
.It Fa bh_datalen
Length of the packet off the wire.
This value is independent of the truncation amount specified by the filter.
.It Fa bh_hdrlen
Length of the BPF header, which may not be equal to
.Li sizeof(struct bpf_hdr) .
.El
.Pp
The
.Fa bh_hdrlen
field exists to account for padding between the header and the link level
protocol.
The purpose here is to guarantee proper alignment of the packet data
structures, which is required on alignment-sensitive architectures and
improves performance on many other architectures.
The packet filter ensures that the
.Fa bpf_hdr
and the network layer header will be word aligned.
Suitable precautions must be taken when accessing the link layer protocol
fields on alignment restricted machines.
(This isn't a problem on an Ethernet, since the type field is a
.Li short
falling on an even offset, and the addresses are probably accessed in a
bytewise fashion).
.Pp
Additionally, individual packets are padded so that each starts on a
word boundary.
This requires that an application has some knowledge of how to get from packet
to packet.
The macro
.Dv BPF_WORDALIGN
is defined in
.Aq Pa net/bpf.h
to facilitate this process.
It rounds up its argument to the nearest word aligned value (where a word is
.Dv BPF_ALIGNMENT
bytes wide).
For example, if
.Va p
points to the start of a packet, this expression will advance it to the
next packet:
.Pp
.Dl p = (char *)p + BPF_WORDALIGN(p->bh_hdrlen + p->bh_caplen);
.Pp
For the alignment mechanisms to work properly, the buffer passed to
.Xr read 2
must itself be word aligned.
.Xr malloc 3
will always return an aligned buffer.
.Ss Filter machine
A filter program is an array of instructions with all branches forwardly
directed, terminated by a
.Dq return
instruction.
Each instruction performs some action on the pseudo-machine state, which
consists of an accumulator, index register, scratch memory store, and
implicit program counter.
.Pp
The following structure defines the instruction format:
.Pp
.Bd -literal -offset indent
struct bpf_insn {
	u_int16_t	code;
	u_char		jt;
	u_char		jf;
	u_int32_t	k;
};
.Ed
.Pp
The
.Fa k
field is used in different ways by different instructions, and the
.Fa jt
and
.Fa jf
fields are used as offsets by the branch instructions.
The opcodes are encoded in a semi-hierarchical fashion.
There are eight classes of instructions:
.Dv BPF_LD ,
.Dv BPF_LDX ,
.Dv BPF_ST ,
.Dv BPF_STX ,
.Dv BPF_ALU ,
.Dv BPF_JMP ,
.Dv BPF_RET ,
and
.Dv BPF_MISC .
Various other mode and operator bits are logically OR'd into the class to
given the actual instructions.
The classes and modes are defined in
.Aq Pa net/bpf.h .
Below are the semantics for each defined
.Nm
instruction.
We use the convention that A is the accumulator, X is the index register,
P[] packet data, and M[] scratch memory store.
P[i:n] gives the data at byte offset
.Dq i
in the packet, interpreted as a word (n=4), unsigned halfword (n=2), or
unsigned byte (n=1).
M[i] gives the i'th word in the scratch memory store, which is only addressed
in word units.
The memory store is indexed from 0 to
.Dv BPF_MEMWORDS Ns No \-1 .
.Fa k ,
.Fa jt ,
and
.Fa jf
are the corresponding fields in the instruction definition.
.Dq len
refers to the length of the packet.
.Pp
.Bl -tag -width Ds
.It Dv BPF_LD
These instructions copy a value into the accumulator.
The type of the source operand is specified by an
.Dq addressing mode
and can be a constant
.Pf ( Dv BPF_IMM ) ,
packet data at a fixed offset
.Pf ( Dv BPF_ABS ) ,
packet data at a variable offset
.Pf ( Dv BPF_IND ) ,
the packet length
.Pf ( Dv BPF_LEN ) ,
or a word in the scratch memory store
.Pf ( Dv BPF_MEM ) .
For
.Dv BPF_IND
and
.Dv BPF_ABS ,
the data size must be specified as a word
.Pf ( Dv BPF_W ) ,
halfword
.Pf ( Dv BPF_H ) ,
or byte
.Pf ( Dv BPF_B ) .
The semantics of all recognized
.Dv BPF_LD
instructions follow.
.Pp
.Bl -tag -width 32n -compact
.Sm off
.It Xo Dv BPF_LD No + Dv BPF_W No +
.Dv BPF_ABS
.Xc
.Sm on
A <- P[k:4]
.Sm off
.It Xo Dv BPF_LD No + Dv BPF_H No +
.Dv BPF_ABS
.Xc
.Sm on
A <- P[k:2]
.Sm off
.It Xo Dv BPF_LD No + Dv BPF_B No +
.Dv BPF_ABS
.Xc
.Sm on
A <- P[k:1]
.Sm off
.It Xo Dv BPF_LD No + Dv BPF_W No +
.Dv BPF_IND
.Xc
.Sm on
A <- P[X+k:4]
.Sm off
.It Xo Dv BPF_LD No + Dv BPF_H No +
.Dv BPF_IND
.Xc
.Sm on
A <- P[X+k:2]
.Sm off
.It Xo Dv BPF_LD No + Dv BPF_B No +
.Dv BPF_IND
.Xc
.Sm on
A <- P[X+k:1]
.Sm off
.It Xo Dv BPF_LD No + Dv BPF_W No +
.Dv BPF_LEN
.Xc
.Sm on
A <- len
.Sm off
.It Dv BPF_LD No + Dv BPF_IMM
.Sm on
A <- k
.It Dv BPF_LD No + Dv BPF_MEM
.Sm on
A <- M[k]
.El
.It Dv BPF_LDX
These instructions load a value into the index register.
Note that the addressing modes are more restricted than those of the
accumulator loads, but they include
.Dv BPF_MSH ,
a hack for efficiently loading the IP header length.
.Pp
.Bl -tag -width 32n -compact
.Sm off
.It Xo Dv BPF_LDX No + Dv BPF_W No +
.Dv BPF_IMM
.Xc
.Sm on
X <- k
.Sm off
.It Xo Dv BPF_LDX No + Dv BPF_W No +
.Dv BPF_MEM
.Xc
.Sm on
X <- M[k]
.Sm off
.It Xo Dv BPF_LDX No + Dv BPF_W No +
.Dv BPF_LEN
.Xc
.Sm on
X <- len
.Sm off
.It Xo Dv BPF_LDX No + Dv BPF_B No +
.Dv BPF_MSH
.Xc
.Sm on
X <- 4*(P[k:1]&0xf)
.El
.It Dv BPF_ST
This instruction stores the accumulator into the scratch memory.
We do not need an addressing mode since there is only one possibility for
the destination.
.Pp
.Bl -tag -width 32n -compact
.It Dv BPF_ST
M[k] <- A
.El
.It Dv BPF_STX
This instruction stores the index register in the scratch memory store.
.Pp
.Bl -tag -width 32n -compact
.It Dv BPF_STX
M[k] <- X
.El
.It Dv BPF_ALU
The ALU instructions perform operations between the accumulator and index
register or constant, and store the result back in the accumulator.
For binary operations, a source mode is required
.Pf ( Dv BPF_K
or
.Dv BPF_X ) .
.Pp
.Bl -tag -width 32n -compact
.Sm off
.It Xo Dv BPF_ALU No + BPF_ADD No +
.Dv BPF_K
.Xc
.Sm on
A <- A + k
.Sm off
.It Xo Dv BPF_ALU No + BPF_SUB No +
.Dv BPF_K
.Xc
.Sm on
A <- A - k
.Sm off
.It Xo Dv BPF_ALU No + BPF_MUL No +
.Dv BPF_K
.Xc
.Sm on
A <- A * k
.Sm off
.It Xo Dv BPF_ALU No + BPF_DIV No +
.Dv BPF_K
.Xc
.Sm on
A <- A / k
.Sm off
.It Xo Dv BPF_ALU No + BPF_AND No +
.Dv BPF_K
.Xc
.Sm on
A <- A & k
.Sm off
.It Xo Dv BPF_ALU No + BPF_OR No +
.Dv BPF_K
.Xc
.Sm on
A <- A | k
.Sm off
.It Xo Dv BPF_ALU No + BPF_LSH No +
.Dv BPF_K
.Xc
.Sm on
A <- A << k
.Sm off
.It Xo Dv BPF_ALU No + BPF_RSH No +
.Dv BPF_K
.Xc
.Sm on
A <- A >> k
.Sm off
.It Xo Dv BPF_ALU No + BPF_ADD No +
.Dv BPF_X
.Xc
.Sm on
A <- A + X
.Sm off
.It Xo Dv BPF_ALU No + BPF_SUB No +
.Dv BPF_X
.Xc
.Sm on
A <- A - X
.Sm off
.It Xo Dv BPF_ALU No + BPF_MUL No +
.Dv BPF_X
.Xc
.Sm on
A <- A * X
.Sm off
.It Xo Dv BPF_ALU No + BPF_DIV No +
.Dv BPF_X
.Xc
.Sm on
A <- A / X
.Sm off
.It Xo Dv BPF_ALU No + BPF_AND No +
.Dv BPF_X
.Xc
.Sm on
A <- A & X
.Sm off
.It Xo Dv BPF_ALU No + BPF_OR No +
.Dv BPF_X
.Xc
.Sm on
A <- A | X
.Sm off
.It Xo Dv BPF_ALU No + BPF_LSH No +
.Dv BPF_X
.Xc
.Sm on
A <- A << X
.Sm off
.It Xo Dv BPF_ALU No + BPF_RSH No +
.Dv BPF_X
.Xc
.Sm on
A <- A >> X
.Sm off
.It Dv BPF_ALU No + BPF_NEG
.Sm on
A <- -A
.El
.It Dv BPF_JMP
The jump instructions alter flow of control.
Conditional jumps compare the accumulator against a constant
.Pf ( Dv BPF_K )
or the index register
.Pf ( Dv BPF_X ) .
If the result is true (or non-zero), the true branch is taken, otherwise the
false branch is taken.
Jump offsets are encoded in 8 bits so the longest jump is 256 instructions.
However, the jump always
.Pf ( Dv BPF_JA )
opcode uses the 32-bit
.Fa k
field as the offset, allowing arbitrarily distant destinations.
All conditionals use unsigned comparison conventions.
.Pp
.Bl -tag -width 32n -compact
.Sm off
.It Dv BPF_JMP No + BPF_JA
pc += k
.Sm on
.Sm off
.It Xo Dv BPF_JMP No + BPF_JGT No +
.Dv BPF_K
.Xc
.Sm on
pc += (A > k) ? jt : jf
.Sm off
.It Xo Dv BPF_JMP No + BPF_JGE No +
.Dv BPF_K
.Xc
.Sm on
pc += (A >= k) ? jt : jf
.Sm off
.It Xo Dv BPF_JMP No + BPF_JEQ No +
.Dv BPF_K
.Xc
.Sm on
pc += (A == k) ? jt : jf
.Sm off
.It Xo Dv BPF_JMP No + BPF_JSET No +
.Dv BPF_K
.Xc
.Sm on
pc += (A & k) ? jt : jf
.Sm off
.It Xo Dv BPF_JMP No + BPF_JGT No +
.Dv BPF_X
.Xc
.Sm on
pc += (A > X) ? jt : jf
.Sm off
.It Xo Dv BPF_JMP No + BPF_JGE No +
.Dv BPF_X
.Xc
.Sm on
pc += (A >= X) ? jt : jf
.Sm off
.It Xo Dv BPF_JMP No + BPF_JEQ No +
.Dv BPF_X
.Xc
.Sm on
pc += (A == X) ? jt : jf
.Sm off
.It Xo Dv BPF_JMP No + BPF_JSET No +
.Dv BPF_X
.Xc
.Sm on
pc += (A & X) ? jt : jf
.El
.It Dv BPF_RET
The return instructions terminate the filter program and specify the amount
of packet to accept (i.e., they return the truncation amount).
A return value of zero indicates that the packet should be ignored.
The return value is either a constant
.Pf ( Dv BPF_K )
of the accumulator
.Pf ( Dv BPF_A ) .
.Pp
.Bl -tag -width 32n -compact
.It Dv BPF_RET No + Dv BPF_A
Accept A bytes.
.It Dv BPF_RET No + Dv BPF_K
Accept k bytes.
.El
.It Dv BPF_MISC
The miscellaneous category was created for anything that doesn't fit into
the above classes, and for any new instructions that might need to be added.
Currently, these are the register transfer instructions that copy the index
register to the accumulator or vice versa.
.Pp
.Bl -tag -width 32n -compact
.Sm off
.It Dv BPF_MISC No + Dv BPF_TAX
.Sm on
X <- A
.Sm off
.It Dv BPF_MISC No + Dv BPF_TXA
.Sm on
A <- X
.El
.El
.Pp
The
.Nm
interface provides the following macros to facilitate array initializers:
.Pp
.Bd -offset indent
.Dv BPF_STMT Ns No ( Ns Ar opcode ,
.Ar operand Ns No )
.Pp
.Dv BPF_JUMP Ns No ( Ns Ar opcode ,
.Ar operand ,
.Ar true_offset ,
.Ar false_offset Ns No )
.Ed
.Sh EXAMPLES
The following filter is taken from the Reverse ARP daemon.
It accepts only Reverse ARP requests.
.Pp
.Bd -literal -offset indent
struct bpf_insn insns[] = {
	BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_REVARP, 0, 3),
	BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, REVARP_REQUEST, 0, 1),
	BPF_STMT(BPF_RET+BPF_K, sizeof(struct ether_arp) +
	    sizeof(struct ether_header)),
	BPF_STMT(BPF_RET+BPF_K, 0),
};
.Ed
.Pp
This filter accepts only IP packets between host 128.3.112.15 and
128.3.112.35.
.Pp
.Bd -literal -offset indent
struct bpf_insn insns[] = {
	BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 8),
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 26),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x8003700f, 0, 2),
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 30),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x80037023, 3, 4),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x80037023, 0, 3),
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 30),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x8003700f, 0, 1),
	BPF_STMT(BPF_RET+BPF_K, (u_int)-1),
	BPF_STMT(BPF_RET+BPF_K, 0),
};
.Ed
.Pp
Finally, this filter returns only TCP finger packets.
We must parse the IP header to reach the TCP header.
The
.Dv BPF_JSET
instruction checks that the IP fragment offset is 0 so we are sure that we
have a TCP header.
.Pp
.Bd -literal -offset indent
struct bpf_insn insns[] = {
	BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 12),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ETHERTYPE_IP, 0, 10),
	BPF_STMT(BPF_LD+BPF_B+BPF_ABS, 23),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_TCP, 0, 8),
	BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 20),
	BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, 0x1fff, 6, 0),
	BPF_STMT(BPF_LDX+BPF_B+BPF_MSH, 14),
	BPF_STMT(BPF_LD+BPF_H+BPF_IND, 14),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 79, 2, 0),
	BPF_STMT(BPF_LD+BPF_H+BPF_IND, 16),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 79, 0, 1),
	BPF_STMT(BPF_RET+BPF_K, (u_int)-1),
	BPF_STMT(BPF_RET+BPF_K, 0),
};
.Ed
.Sh SEE ALSO
.Xr ioctl 2 ,
.Xr read 2 ,
.Xr select 2 ,
.Xr signal 3 ,
.Xr tcpdump 8
.Rs
.%A McCanne, S., Jacobson V.
.%J "An efficient, extensible, and portable network monitor"
.Re
.Sh FILES
.Bl -tag -width /dev/bpf[0-9] -compact
.It Pa /dev/bpf[0-9]
BPF devices
.El
.Sh AUTHORS
Steve McCanne of Lawrence Berkeley Laboratory implemented BPF in Summer 1990.
Much of the design is due to Van Jacobson.
.Sh HISTORY
The Enet packet filter was created in 1980 by Mike Accetta and Rick Rashid
at Carnegie-Mellon University.
Jeffrey Mogul, at Stanford, ported the code to BSD and continued its
development from 1983 on.
Since then, it has evolved into the Ultrix Packet Filter at DEC, a STREAMS
NIT module under SunOS 4.1, and BPF.
.Sh BUGS
The read buffer must be of a fixed size (returned by the
.Dv BIOCGBLEN
ioctl).
.Pp
A file that does not request promiscuous mode may receive promiscuously
received packets as a side effect of another file requesting this mode on
the same hardware interface.
This could be fixed in the kernel with additional processing overhead.
However, we favor the model where all files must assume that the interface
is promiscuous, and if so desired, must utilize a filter to reject foreign
packets.
.Pp
Data link protocols with variable length headers are not currently supported.
.Pp