.\" Copyright (c) 2004 FreeBSD Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL [your name] OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd May 19, 2004
.Dt BPF 9
.Os
.\"
.Sh NAME
.Nm bpf
.Nd "Berkeley Packet Filter"
.\"
.Sh SYNOPSIS
.In net/bpf.h
.\"
.Ft void
.Fn bpfattach "struct ifnet *ifp" "u_int dlt" "u_int hdrlen"
.Ft void
.Fo bpfattach2
.Fa "struct ifnet *ifp" "u_int dlt" "u_int hdrlen" "struct bpf_if **driverp"
.Fc
.Ft void
.Fn bpfdetach "struct ifnet *ifp"
.Ft void
.Fn bpf_tap "struct ifnet *ifp" "u_char *pkt" "u_int *pktlen"
.Ft void
.Fn bpf_mtap "struct ifnet *ifp" "struct mbuf *m"
.Ft void
.Fn bpf_mtap2 "struct bpf_if *bp" "void *data" "u_int dlen" "struct mbuf *m"
.Ft u_int
.Fo bpf_filter
.Fa "const struct bpf_insn *pc" "u_char *pkt" "u_int *wirelen" "u_int *buflen"
.Fc
.Ft int
.Fn bpf_validate "const struct bpf_insn *fcode" "int flen"
.\"
.Sh DESCRIPTION
The Berkeley Packet Filter provides a raw interface,
that is protocol independent,
to data link layers.
It allows all packets on the network,
even those destined for other hosts,
to be passed from a network interface to user programs.
Each program may specify a filter,
in the form of a
.Nm
filter machine program.
The
.Xr bpf 4
manual page
describes the interface used by user programs.
This manual page describes the functions used by interfaces to pass packets to
.Nm
and the functions for testing and running
.Nm
filter machine programs.
.Pp
The
.Fn bpfattach
function
attaches a network interface to
.Nm .
The
.Fa ifp
argument
is a pointer to the structure that defines the interface to be
attached.
The
.Fa dlt
argument
is the data link-layer type:
.Dv DLT_NULL
(no link-layer encapsulation),
.Dv DLT_EN10MB
(Ethernet),
.Dv DLT_IEEE802_11
(802.11 wireless networks),
etc.
The rest of the link layer types can be found in
.In net/bpf.h .
The
.Fa hdrlen
argument
is the fixed size of the link header;
variable length headers are not yet supported.
The
.Nm
system will hold a pointer to
.Fa ifp->if_bpf .
This variable will be set to a
.Pf non- Dv NULL
value when
.Nm
requires packets from this interface to be tapped using the functions below.
.Pp
The
.Fn bpfattach2
function
allows multiple
.Nm
instances to be attached to a single interface,
by registering an explicit
.Fa if_bpf
rather than using
.Fa ifp->if_bpf .
It is then possible to run
.Xr tcpdump 1
on the interface for any data link-layer types attached.
.Pp
The
.Fn bpfdetach
function detaches a
.Nm
instance from an interface,
specified by
.Fa ifp .
The
.Fn bpfdetach
function
should be called once for each
.Nm
instance attached.
.Pp
The
.Fn bpf_tap
function
is used by an interface to pass the packet to
.Nm .
The packet data (including link-header),
pointed to by
.Fa pkt ,
is of length
.Fa pktlen ,
which must be a contiguous buffer.
The
.Fa ifp
argument
is a pointer to the structure that defines the interface to be tapped.
The packet is parsed by each process's filter,
and if accepted,
it is buffered for the process to read.
.Pp
The
.Fn bpf_mtap
function is like
.Fn bpf_tap
except that it is used to tap packets that are in an
.Vt mbuf
chain,
.Fa m .
The
.Fa ifp
argument
is a pointer to the structure that defines the interface to be tapped.
Like
.Fn bpf_tap ,
.Fn bpf_mtap
requires a link-header for whatever data link layer type is specified.
Note that
.Nm
only reads from the
.Vt mbuf
chain;
it does not free it or keep a pointer to it.
This means that an
.Vt mbuf
containing the link-header
can be prepended to the chain if necessary.
A cleaner interface to achieve this is provided by
.Fn bpf_mtap2 .
.Pp
The
.Fn bpf_mtap2
function
allows the user to pass a link-header
.Fa data ,
of length
.Fa dlen ,
independent of the
.Vt mbuf
.Fa m ,
containing the packet.
This simplifies the passing of some link-headers.
.Pp
The
.Fn bpf_filter
function
executes the filter program starting at
.Fa pc
on the packet
.Fa pkt .
The
.Fa wirelen
argument
is the length of the original packet and
.Fa buflen
is the amount of data present.
.Pp
The
.Fn bpf_validate
function
checks that the filter code
.Fa fcode ,
of length
.Fa flen ,
is valid.
.\"
.Sh RETURN VALUES
The
.Fn bpf_filter
function returns \-1
(cast to an unsigned integer)
if there is no filter.
Otherwise, it returns the result of the filter program.
.Pp
The
.Fn bpf_validate
function
returns 0 when the program is not a valid filter program.
.\"
.Sh SEE ALSO
.Xr tcpdump 1 ,
.Xr bpf 4
.\"
.Sh HISTORY
The Enet packet filter was created in 1980 by Mike Accetta and
Rick Rashid at Carnegie-Mellon University.
Jeffrey Mogul,
at Stanford,
ported the code to
.Bx
and continued its development from 1983 on.
Since then,
it has evolved into the Ultrix Packet Filter at
.Tn DEC ,
a
.Tn STREAMS
.Tn NIT
module under
.Tn SunOS
4.1, and
.Tn BPF .
.\"
.Sh AUTHORS
.An -nosplit
.An Steven McCanne ,
of Lawrence Berkeley Laboratory, implemented BPF in Summer 1990.
Much of the design is due to
.An Van Jacobson .
This manpage was written by
.An Orla McGann .