bpf, FreeBSD Manual Pages
The BSD Packet Filter: A New Architecture for User-level Packet Capture (PDF)
Using FreeBSD’s BPF device with C/C++
/*
 * Classic BPF program: accept IPv4/UDP frames whose UDP destination port is
 * UDP_PACKET_PORT_PTP2_GENERAL, drop everything else.
 *
 * Conventions used in the per-instruction comments:
 *   - A is the accumulator, X the index register.
 *   - Labels 1..11 number the instructions; jt/jf are relative skips counted
 *     from the instruction that follows the jump
 *     (pc += (A == k) ? jt : jf), so "jf 8" on instruction 2 lands on 11.
 *   - All absolute offsets assume a 14-byte untagged Ethernet header
 *     (6 dest. MAC + 6 src. MAC + 2 EtherType).
 *     NOTE(review): frames carrying a VLAN tag would shift every offset and
 *     presumably fail the EtherType test -- confirm against the capture setup.
 *
 * Review notes:
 *   - This is a pre-filter, not validation. It checks EtherType, IP protocol,
 *     fragment offset and destination port only; source address, IP header
 *     length sanity (IHL >= 5), UDP length and checksums are not examined, so
 *     the receiving code must still bounds-check and parse defensively.
 *   - The 0x1fff mask covers the fragment-offset bits only. A first fragment
 *     (offset 0, "more fragments" flag set) therefore still passes.
 *   - NOTE(review): struct sock_filter is the Linux socket-filter instruction
 *     type; FreeBSD's bpf(4) uses struct bpf_insn. Confirm the target platform.
 */
struct sock_filter filter[] = {
    /* Make sure this is an IP packet... */
    /* A = 16-bit half-word (BPF_H) at absolute (BPF_ABS) packet offset 12,
     * i.e. the EtherType field. */
    /* 1 */ BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 12),
    /* If A == ETHERTYPE_IP (BPF_JEQ against constant BPF_K) fall through
     * (jt 0); otherwise skip 8 instructions to 11 (drop). */
    /* 2 */ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ETHERTYPE_IP, 0, 8),

    /* Make sure it's a UDP packet... */
    /* A = byte (BPF_B) at absolute packet offset 23: 14 + 9, the IPv4
     * protocol field. */
    /* 3 */ BPF_STMT(BPF_LD + BPF_B + BPF_ABS, 23),
    /* If A == IPPROTO_UDP fall through (jt 0); otherwise skip 6
     * instructions to 11 (drop). */
    /* 4 */ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 0, 6),

    /* Make sure this isn't a fragment... */
    /* A = half-word at absolute packet offset 20: 14 + 6, the IPv4
     * flags / fragment-offset field. */
    /* 5 */ BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 20),
    /* BPF_JSET tests (A & k) != 0. If any fragment-offset bit (0x1fff) is
     * set, skip 4 instructions to 11 (drop); otherwise fall through (jf 0). */
    /* 6 */ BPF_JUMP(BPF_JMP + BPF_JSET + BPF_K, 0x1fff, 4, 0),

    /* Get the IP header length... */
    /* X = 4 * (byte at offset 14 & 0x0f) (BPF_MSH): the IPv4 header length
     * in bytes, taken from the packet as-is. A malformed IHL below 5 is not
     * rejected here and moves the port read below into the IP header. */
    /* 7 */ BPF_STMT(BPF_LDX + BPF_B + BPF_MSH, 14),

    /* Make sure it's to the right port... */
    /* A = half-word at offset X + 16 (BPF_IND): 14 (Ethernet) + IP header
     * length + 2, the UDP destination port. */
    /* 8 */ BPF_STMT(BPF_LD + BPF_H + BPF_IND, 16),
    /* If A == UDP_PACKET_PORT_PTP2_GENERAL fall through to 10 (accept);
     * otherwise skip 1 instruction to 11 (drop). */
    /* 9 */ BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, UDP_PACKET_PORT_PTP2_GENERAL, 0, 1),

    /* If we passed all the tests, ask for the whole packet. */
    /* The return value is the number of bytes to keep; (u_int)-1 is the
     * largest possible value, so nothing is truncated. */
    /* 10 */ BPF_STMT(BPF_RET+BPF_K, (u_int)-1),

    /* Otherwise, drop it. */
    /* Returning 0 keeps zero bytes, i.e. the packet is discarded. */
    /* 11 */ BPF_STMT(BPF_RET+BPF_K, 0),
};