bpf, FreeBSD Manual Pages
The BSD Packet Filter: A New Architecture for User-level Packet Capture, (PDF)
Using FreeBSD’s BPF device with C/C++
struct sock_filter filter[] = {
/* Make sure this is an IP packet... */
/* 1 */ BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 12), /**< Copy absolute (BPF_ABS) half-word (BPF_H) value 12 to accumulator: packet offset, 6 Dest. MAC + 6 Src. MAC = 12 */
/* 2 */ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ETHERTYPE_IP, 0, 8), /**< Jump to offset if accumulator equals (BPF_JEQ) to constant (BPF_K) ETHERTYPE_IP:
* pc = 2, if true: offset 0, otherwise: offset 8 (pc += (A == k) ? jt : jf) */
/* Make sure it's a UDP packet... */
/* 3 */ BPF_STMT(BPF_LD + BPF_B + BPF_ABS, 23), /**< Copy absolute byte (BPF_B) value 23 to accumulator: packet offset */
/* 4 */ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 0, 6), /**< Jump to offset if accumulator equals (BPF_JEQ) to constant (BPF_K) IPPROTO_UDP:
* pc = 4, if true: 4 + 0 = 4, otherwise: 4 + 6 = 10 */
/* Make sure this isn't a fragment... */
/* 5 */ BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 20), /**< Copy absolute half-word value 20 to accumulator: packet offset */
/* 6 */ BPF_JUMP(BPF_JMP + BPF_JSET + BPF_K, 0x1fff, 4, 0), /**< Jump to offset if accumulator bitwise AND (BPF_JSET) to constant (BPF_K) BPF_JSET:
/* Get the IP header length... */
/* 7 */ BPF_STMT(BPF_LDX + BPF_B + BPF_MSH, 14),
/* Make sure it's to the right port... */
/* 8 */ BPF_STMT(BPF_LD + BPF_H + BPF_IND, 16),
/* 9 */ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, UDP_PACKET_PORT_PTP2_GENERAL, 0, 1),
/* If we passed all the tests, ask for the whole packet. */
/* 10 */ BPF_STMT(BPF_RET+BPF_K, (u_int)-1),
/* Otherwise, drop it. */
/* 11 */ BPF_STMT(BPF_RET+BPF_K, 0),
};