xref: /freebsd/share/man/man9/bpf.9 (revision 84ee9401a3fc8d3c22424266f421a928989cd692)
.\" Copyright (c) 2004 FreeBSD Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL [your name] OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd May 19, 2004
.Dt BPF 9
.Os
.\"
.Sh NAME
.Nm bpf
.Nd "Berkeley Packet Filter"
.\"
.Sh SYNOPSIS
.In net/bpf.h
.\"
.Ft void
.Fn bpfattach "struct ifnet *ifp" "u_int dlt" "u_int hdrlen"
.Ft void
.Fo bpfattach2
.Fa "struct ifnet *ifp" "u_int dlt" "u_int hdrlen" "struct bpf_if **driverp"
.Fc
.Ft void
.Fn bpfdetach "struct ifnet *ifp"
.Ft void
.Fn bpf_tap "struct ifnet *ifp" "u_char *pkt" "u_int *pktlen"
.Ft void
.Fn bpf_mtap "struct ifnet *ifp" "struct mbuf *m"
.Ft void
.Fn bpf_mtap2 "struct bpf_if *bp" "void *data" "u_int dlen" "struct mbuf *m"
.Ft u_int
.Fo bpf_filter
.Fa "const struct bpf_insn *pc" "u_char *pkt" "u_int *wirelen" "u_int *buflen"
.Fc
.Ft int
.Fn bpf_validate "const struct bpf_insn *fcode" "int flen"
.\"
.Sh DESCRIPTION
The Berkeley Packet Filter provides a raw interface,
that is protocol independent,
to data link layers.
It allows all packets on the network,
even those destined for other hosts,
to be passed from a network interface to user programs.
Each program may specify a filter,
in the form of a
.Nm
filter machine program.
The
.Xr bpf 4
manual page
describes the interface used by user programs.
This manual page describes the functions used by interfaces to pass packets to
.Nm
and the functions for testing and running
.Nm
filter machine programs.
.Pp
The
.Fn bpfattach
function
attaches a network interface to
.Nm .
The
.Fa ifp
argument
is a pointer to the structure that defines the interface to be
attached to
.Nm .
The
.Fa dlt
argument
is the data link-layer type:
.Dv DLT_NULL
(no link-layer encapsulation),
.Dv DLT_EN10MB
(Ethernet),
.Dv DLT_IEEE802_11
(802.11 wireless networks),
etc.
The rest of the link layer types can be found in
.In net/bpf.h .
The
.Fa hdrlen
argument
is the fixed size of the link header;
variable length headers are not yet supported.
The
.Nm
system will hold a pointer to
.Fa ifp->if_bpf .
This variable will be set to a
.Pf non- Dv NULL
value when
.Nm
requires packets from this interface to be tapped using the functions below.
.Pp
The
.Fn bpfattach2
function
allows multiple
.Nm
instances to be attached to a single interface,
by registering an explicit
.Fa if_bpf
rather than using
.Fa ifp->if_bpf .
It is then possible to run
.Xr tcpdump 1
on the interface for any data link-layer types attached.
.Pp
The
.Fn bpfdetach
function detaches a
.Nm
instance from an interface,
specified by
.Fa ifp .
The
.Fn bpfdetach
function
should be called once for each
.Nm
instance attached.
.Pp
The
.Fn bpf_tap
function
is used by an interface to pass the packet to
.Nm .
The packet data (including link-header),
pointed to by
.Fa pkt ,
is of length
.Fa pktlen ,
which must be a contiguous buffer.
The
.Fa ifp
argument
is a pointer to the structure that defines the interface to be tapped.
The packet is parsed by each process's filter,
and if accepted,
it is buffered for the process to read.
.Pp
The
.Fn bpf_mtap
function is like
.Fn bpf_tap
except that it is used to tap packets that are in an
.Vt mbuf
chain,
.Fa m .
The
.Fa ifp
argument
is a pointer to the structure that defines the interface to be tapped.
Like
.Fn bpf_tap ,
.Fn bpf_mtap
requires a link-header for whatever data link layer type is specified.
Note that
.Nm
only reads from the
.Vt mbuf
chain;
it does not free it or keep a pointer to it.
This means that an
.Vt mbuf
containing the link-header
can be prepended to the chain if necessary.
A cleaner interface to achieve this is provided by
.Fn bpf_mtap2 .
.Pp
The
.Fn bpf_mtap2
function
allows the user to pass a link-header
.Fa data ,
of length
.Fa dlen ,
independent of the
.Vt mbuf
.Fa m ,
containing the packet.
This simplifies the passing of some link-headers.
.Pp
The
.Fn bpf_filter
function
executes the filter program starting at
.Fa pc
on the packet
.Fa pkt .
The
.Fa wirelen
argument
is the length of the original packet and
.Fa buflen
is the amount of data present.
.Pp
The
.Fn bpf_validate
function
checks that the filter code
.Fa fcode ,
of length
.Fa flen ,
is valid.
.\"
.Sh RETURN VALUES
The
.Fn bpf_filter
function returns \-1
(cast to an unsigned integer)
if there is no filter.
Otherwise, it returns the result of the filter program.
.Pp
The
.Fn bpf_validate
function
returns 0 when the program is not a valid filter program.
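.Pp
The following user-space model is an added example, not FreeBSD kernel code and not part of the original manual page; it shows why a filter program is validated before it is run and how the two return conventions above are read, using a three-opcode subset.
The names model_validate and model_filter, the sample programs and the sample frames are assumptions made for the illustration, and lengths are passed by value.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical model; struct layout and opcode values follow net/bpf.h. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LDH_ABS = 0x28, JEQ_K = 0x15, RET_K = 0x06 };

/* Validate contract: nonzero = safe to run, 0 = not a valid program. */
int model_validate(const struct insn *f, int flen)
{
    if (f == NULL || flen < 1)
        return 0;
    for (int i = 0; i < flen; i++) {
        if (f[i].code == JEQ_K) {
            /* Targets are relative to the next instruction, forward only. */
            if (i + 1 + f[i].jt >= flen || i + 1 + f[i].jf >= flen)
                return 0;
        } else if (f[i].code != LDH_ABS && f[i].code != RET_K) {
            return 0;                 /* opcode outside the modelled subset */
        }
    }
    return f[flen - 1].code == RET_K; /* last instruction must be a return */
}

/* Filter contract (validated programs only): bytes to keep, 0 = reject. */
unsigned model_filter(const struct insn *pc, const uint8_t *pkt, unsigned buflen)
{
    uint32_t a = 0;
    if (pc == NULL)
        return (unsigned)-1;          /* no filter: accept the whole packet */
    for (;; pc++) {
        if (pc->code == RET_K)
            return pc->k;
        if (pc->code == JEQ_K) {
            pc += (a == pc->k) ? pc->jt : pc->jf;
        } else {                      /* LDH_ABS: 16-bit big-endian load */
            if (pc->k > buflen || buflen - pc->k < 2)
                return 0;             /* read past captured data rejects */
            a = (uint32_t)pkt[pc->k] << 8 | pkt[pc->k + 1];
        }
    }
}

/* Constructed samples: "accept IPv4 over Ethernet" and a jump past the end. */
const struct insn ip_prog[] = { { LDH_ABS, 0, 0, 12 }, { JEQ_K, 0, 1, 0x0800 },
    { RET_K, 0, 0, 262144 }, { RET_K, 0, 0, 0 } };
const struct insn bad_jump[] = { { JEQ_K, 5, 0, 0 }, { RET_K, 0, 0, 0 } };
const uint8_t ipv4_frame[14] = { [12] = 0x08, [13] = 0x00 };
const uint8_t arp_frame[14]  = { [12] = 0x08, [13] = 0x06 };
int main(void) { return model_filter(ip_prog, ipv4_frame, 14) == 0; }
```

A caller that treats the validator's 0 as success would run bad_jump, whose first instruction branches outside the program; the validator's result has to be checked as nonzero before the filter is ever executed.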
.\"
.Sh SEE ALSO
.Xr tcpdump 1 ,
.Xr bpf 4
.\"
.Sh HISTORY
The Enet packet filter was created in 1980 by Mike Accetta and
Rick Rashid at Carnegie-Mellon University.
Jeffrey Mogul,
at Stanford,
ported the code to
.Bx
and continued its development from 1983 on.
Since then,
it has evolved into the Ultrix Packet Filter at
.Tn DEC ,
a
.Tn STREAMS
.Tn NIT
module under
.Tn SunOS
4.1, and
.Tn BPF .
.\"
.Sh AUTHORS
.An -nosplit
.An Steven McCanne ,
of Lawrence Berkeley Laboratory, implemented BPF in Summer 1990.
Much of the design is due to
.An Van Jacobson .
This manpage was written by
.An Orla McGann .