274 lines
6.1 KiB
Groff
Raw Normal View History

.\" Copyright (c) 2004 FreeBSD Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL [your name] OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd May 19, 2004
.Dt BPF 9
.Os
.\"
.Sh NAME
.Nm bpf
.Nd "Berkeley Packet Filter"
.\"
.Sh SYNOPSIS
.In net/bpf.h
.\"
.Ft void
.Fn bpfattach "struct ifnet *ifp" "u_int dlt" "u_int hdrlen"
.Ft void
2005-01-14 20:23:58 +00:00
.Fo bpfattach2
.Fa "struct ifnet *ifp" "u_int dlt" "u_int hdrlen" "struct bpf_if **driverp"
.Fc
.Ft void
.Fn bpfdetach "struct ifnet *ifp"
.Ft void
.Fn bpf_tap "struct ifnet *ifp" "u_char *pkt" "u_int *pktlen"
.Ft void
.Fn bpf_mtap "struct ifnet *ifp" "struct mbuf *m"
.Ft void
.Fn bpf_mtap2 "struct ifnet *bp" "void *data" "u_int dlen" "struct mbuf *m"
.Ft u_int
2005-01-14 20:23:58 +00:00
.Fo bpf_filter
.Fa "const struct bpf_insn *pc " "u_char *pkt" "u_int *wirelen" "u_int *buflen"
.Fc
.Ft int
.Fn bpf_validate "const struct bpf_insn *fcode" "int flen"
.\"
.Sh DESCRIPTION
The Berkeley Packet Filter provides a raw interface,
that is protocol independent,
to data link layers.
It allows all packets on the network,
even those destined for other hosts,
to be passed from a network interface to user programs.
Each program may specify a filter,
2005-01-14 20:23:58 +00:00
in the form of a
.Nm
filter machine program.
The
.Xr bpf 4
2005-01-14 20:23:58 +00:00
man page
describes the interface used by user programs.
This man page describes the functions used by interfaces to pass packets to
.Nm
and the functions for testing and running
.Nm
filter machine programs.
.Pp
2005-01-14 20:23:58 +00:00
The
.Fn bpfattach
2005-01-14 20:23:58 +00:00
function
attaches a network interface to
.Nm .
2005-01-14 20:23:58 +00:00
The
.Fa ifp
argument
is a pointer to the structure that defines the interface to be
attached to an interface.
2005-01-14 20:23:58 +00:00
The
.Fa dlt
argument
is the data link-layer type:
2005-01-14 20:23:58 +00:00
.Dv DLT_NULL
(no link-layer encapsulation),
.Dv DLT_EN10MB
(Ethernet),
.Dv DLT_IEEE802_11
(802.11 wireless networks),
etc.
The rest of the link layer types can be found in
2005-01-14 20:23:58 +00:00
.In net/bpf.h .
The
.Fa hdrlen
argument
is the fixed size of the link header;
variable length headers are not yet supported.
The
.Nm
system will hold a pointer to
2005-01-14 20:23:58 +00:00
.Fa ifp->if_bpf .
This variable will set to a
.Pf non- Dv NULL
value when
.Nm
requires packets from this interface to be tapped using the functions below.
.Pp
2005-01-14 20:23:58 +00:00
The
.Fn bpfattach2
2005-01-14 20:23:58 +00:00
function
allows multiple
.Nm
instances to be attached to a single interface,
by registering an explicit
2005-01-14 20:23:58 +00:00
.Fa if_bpf
rather than using
2005-01-14 20:23:58 +00:00
.Fa ifp->if_bpf .
It is then possible to run
.Xr tcpdump 1
on the interface for any data link-layer types attached.
.Pp
2005-01-14 20:23:58 +00:00
The
.Fn bpfdetach
2005-01-14 20:23:58 +00:00
function detaches a
.Nm
instance from an interface,
specified by
2005-01-14 20:23:58 +00:00
.Fa ifp .
The
.Fn bpfdetach
2005-01-14 20:23:58 +00:00
function
should be called once for each
2005-01-14 20:23:58 +00:00
.Nm
instance attached.
.Pp
2005-01-14 20:23:58 +00:00
The
.Fn bpf_tap
2005-01-14 20:23:58 +00:00
function
is used by an interface to pass the packet to
.Nm .
The packet data (including link-header),
pointed to by
2005-01-14 20:23:58 +00:00
.Fa pkt ,
is of length
2005-01-14 20:23:58 +00:00
.Fa pktlen ,
which must be a contiguous buffer.
2005-01-14 20:23:58 +00:00
The
.Fa ifp
argument
is a pointer to the structure that defines the interface to be tapped.
The packet is parsed by each processes filter,
and if accepted,
it is buffered for the process to read.
.Pp
2005-01-14 20:23:58 +00:00
The
.Fn bpf_mtap
2005-01-14 20:23:58 +00:00
function is like
.Fn bpf_tap
2005-01-14 20:23:58 +00:00
except that it is used to tap packets that are in an
.Vt mbuf
chain,
.Fa m .
The
.Fa ifp
argument
is a pointer to the structure that defines the interface to be tapped.
Like
.Fn bpf_tap ,
.Fn bpf_mtap
requires a link-header for whatever data link layer type is specified.
Note that
.Nm
2005-01-14 20:23:58 +00:00
only reads from the
.Vt mbuf
chain,
it does not free it or keep a pointer to it.
2005-01-14 20:23:58 +00:00
This means that an
.Vt mbuf
containing the link-header
can be prepended to the chain if necessary.
A cleaner interface to achieve this is provided by
.Fn bpf_mtap2 .
.Pp
2005-01-14 20:23:58 +00:00
The
.Fn bpf_mtap2
2005-01-14 20:23:58 +00:00
function
allows the user to pass a link-header
2005-01-14 20:23:58 +00:00
.Fa data ,
of length
2005-01-14 20:23:58 +00:00
.Fa dlen ,
independent of the
.Vt mbuf
.Fa m ,
containing the packet.
This simplifies the passing of some link-headers.
.Pp
2005-01-14 20:23:58 +00:00
The
.Fn bpf_filter
2005-01-14 20:23:58 +00:00
function
executes the filter program starting at
2005-01-14 20:23:58 +00:00
.Fa pc
on the packet
2005-01-14 20:23:58 +00:00
.Fa pkt .
The
.Fa wirelen
argument
is the length of the original packet and
2005-01-14 20:23:58 +00:00
.Fa buflen
is the amount of data present.
.Pp
2005-01-14 20:23:58 +00:00
The
.Fn bpf_validate
2005-01-14 20:23:58 +00:00
function
checks that the filter code
2005-01-14 20:23:58 +00:00
.Fa fcode ,
of length
2005-01-14 20:23:58 +00:00
.Fa flen ,
is valid.
.\"
.Sh RETURN VALUES
2005-01-14 20:23:58 +00:00
The
.Fn bpf_filter
2005-01-14 20:23:58 +00:00
function returns \-1
(cast to an unsigned integer)
if there is no filter.
Otherwise, it returns the result of the filter program.
.Pp
2005-01-14 20:23:58 +00:00
The
.Fn bpf_validate
2005-01-14 20:23:58 +00:00
function
returns 0 when the program is not a valid filter program.
.\"
.Sh SEE ALSO
.Xr tcpdump 1 ,
2005-01-12 21:48:25 +00:00
.Xr bpf 4
.\"
.Sh HISTORY
The Enet packet filter was created in 1980 by Mike Accetta and
Rick Rashid at Carnegie-Mellon University.
Jeffrey Mogul,
at Stanford,
ported the code to
.Bx
and continued its development from 1983 on.
Since then,
it has evolved into the Ultrix Packet Filter at
.Tn DEC ,
a
.Tn STREAMS
.Tn NIT
module under
2005-01-14 20:23:58 +00:00
.Tn SunOS
4.1, and
.Tn BPF .
.\"
.Sh AUTHORS
.An -nosplit
.An Steven McCanne ,
of Lawrence Berkeley Laboratory, implemented BPF in Summer 1990.
Much of the design is due to
.An Van Jacobson .
2005-01-14 20:23:58 +00:00
This manpage was written by
.An Orla McGann .