{"id":2352,"date":"2014-05-15T08:49:02","date_gmt":"2014-05-15T08:49:02","guid":{"rendered":"http:\/\/blog.bachi.net\/?p=2352"},"modified":"2014-06-14T19:29:22","modified_gmt":"2014-06-14T19:29:22","slug":"berkeley-packet-filter-bpf","status":"publish","type":"post","link":"https:\/\/blog.bachi.net\/?p=2352","title":{"rendered":"Berkeley Packet Filter (BPF)"},"content":{"rendered":"<p><a href=\"http:\/\/www.freebsd.org\/cgi\/man.cgi?bpf%284%29\">bpf<\/a>, FreeBSD Manual Pages<br \/>\n<a href=\"http:\/\/bachi.te-clan.ch\/bpf\/bpf-usenix93-1.pdf\">The BSD Packet Filter: A New Architecture for User-level Packet Capture<\/a>, (PDF)<br \/>\n<a href=\"http:\/\/bastian.rieck.ru\/howtos\/bpf\/\">Using FreeBSD&#8217;s BPF device with C\/C++<\/a><\/p>\n<pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\r\nstruct sock_filter filter&#x5B;] = {\r\n            \/* Make sure this is an IP packet... *\/\r\n\/*  1 *\/    BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 12),                     \/**&lt; Load the half-word (BPF_H) at absolute (BPF_ABS) packet offset 12 into the accumulator: 6 Dest. MAC + 6 Src. MAC = 12, the EtherType field *\/\r\n\/*  2 *\/    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ETHERTYPE_IP, 0, 8),    \/**&lt; Jump if the accumulator equals (BPF_JEQ) the constant (BPF_K) ETHERTYPE_IP:\r\n                                                                         *   pc = 2, if true: offset 0, otherwise: offset 8 (pc += (A == k) ? jt : jf); pc counts from 0, so 2 + 8 = 10 is statement 11, the drop *\/\r\n            \/* Make sure it's a UDP packet... 
*\/\r\n\/*  3 *\/    BPF_STMT(BPF_LD + BPF_B + BPF_ABS, 23),                     \/**&lt; Load the byte (BPF_B) at absolute packet offset 23 into the accumulator: 14 Ethernet header + 9 = IP protocol field *\/\r\n\/*  4 *\/    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 0, 6),     \/**&lt; Jump if the accumulator equals (BPF_JEQ) the constant (BPF_K) IPPROTO_UDP:\r\n                                                                         *   pc = 4, if true: 4 + 0 = 4, otherwise: 4 + 6 = 10 *\/\r\n\r\n            \/* Make sure this isn't a fragment... *\/\r\n\/*  5 *\/    BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 20),                     \/**&lt; Load the half-word at absolute packet offset 20 into the accumulator: 14 Ethernet header + 6 = IP flags and fragment offset *\/\r\n\/*  6 *\/    BPF_JUMP(BPF_JMP + BPF_JSET + BPF_K, 0x1fff, 4, 0),         \/**&lt; Jump if the accumulator bitwise AND (BPF_JSET) the constant (BPF_K) 0x1fff is non-zero, i.e. the fragment offset is set:\r\n                                                                         *   pc = 6, if true: 6 + 4 = 10, otherwise: 6 + 0 = 6 *\/\r\n\r\n            \/* Get the IP header length... *\/\r\n\/*  7 *\/    BPF_STMT(BPF_LDX + BPF_B + BPF_MSH, 14),                    \/**&lt; Load 4 * (low nibble of the byte at packet offset 14) into the index register X: IP header length in bytes *\/\r\n\r\n            \/* Make sure it's to the right port... *\/\r\n\/*  8 *\/    BPF_STMT(BPF_LD + BPF_H + BPF_IND, 16),                     \/**&lt; Load the half-word at indirect (BPF_IND) packet offset X + 16 into the accumulator: 14 Ethernet header + X IP header + 2 = UDP destination port *\/\r\n\/*  9 *\/    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, UDP_PACKET_PORT_PTP2_GENERAL, 0, 1),    \/**&lt; pc = 9, if true: 9 + 0 = 9, otherwise: 9 + 1 = 10 *\/\r\n\r\n            \/* If we passed all the tests, ask for the whole packet. *\/\r\n\/* 10 *\/    BPF_STMT(BPF_RET+BPF_K, (u_int)-1),\r\n\r\n            \/* Otherwise, drop it. 
*\/\r\n\/* 11 *\/    BPF_STMT(BPF_RET+BPF_K, 0),\r\n};\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>bpf, FreeBSD Manual Pages The BSD Packet Filter: A New Architecture for User-level Packet Capture, (PDF) Using FreeBSD&#8217;s BPF device with C\/C++ struct sock_filter filter&#x5B;] = { \/* Make sure this is an IP packet&#8230; *\/ \/* 1 *\/ BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 12), \/**&lt; Copy absolute (BPF_ABS) half-word (BPF_H) value 12 to accumulator: [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2352","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts\/2352","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2352"}],"version-history":[{"count":7,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts\/2352\/revisions"}],"predecessor-version":[{"id":2535,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts\/2352\/revisions\/2535"}],"wp:attachment":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2352"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2352"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2352"}],"curies":[{"name":"wp","href":"htt
ps:\/\/api.w.org\/{rel}","templated":true}]}}