.\" Copyright (c) 2004 FreeBSD Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL [your name] OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd May 19, 2004
.Dt BPF 9
.Os
.\"
.Sh NAME
.Nm bpf
.Nd "Berkeley Packet Filter"
.\"
.Sh SYNOPSIS
.In net/bpf.h
.\"
.Ft void
.Fn bpfattach "struct ifnet *ifp" "u_int dlt" "u_int hdrlen"
.Ft void
.Fo bpfattach2
.Fa "struct ifnet *ifp" "u_int dlt" "u_int hdrlen" "struct bpf_if **driverp"
.Fc
.Ft void
.Fn bpfdetach "struct ifnet *ifp"
.Ft void
.Fn bpf_tap "struct ifnet *ifp" "u_char *pkt" "u_int *pktlen"
.Ft void
.Fn bpf_mtap "struct ifnet *ifp" "struct mbuf *m"
.Ft void
.Fn bpf_mtap2 "struct ifnet *bp" "void *data" "u_int dlen" "struct mbuf *m"
.Ft u_int
.Fo bpf_filter
.Fa "const struct bpf_insn *pc" "u_char *pkt" "u_int *wirelen" "u_int *buflen"
.Fc
.Ft int
.Fn bpf_validate "const struct bpf_insn *fcode" "int flen"
.\"
.Sh DESCRIPTION
The Berkeley Packet Filter provides a raw interface,
that is protocol independent,
to data link layers.
It allows all packets on the network,
even those destined for other hosts,
to be passed from a network interface to user programs.
Each program may specify a filter,
in the form of a
.Nm
filter machine program.
The
.Xr bpf 4
man page
describes the interface used by user programs.
This man page describes the functions used by interfaces to pass packets to
.Nm
and the functions for testing and running
.Nm
filter machine programs.
.Pp
The
.Fn bpfattach
function
attaches a network interface to
.Nm .
The
.Fa ifp
argument
is a pointer to the structure that defines the interface to be
attached.
The
.Fa dlt
argument
is the data link-layer type:
.Dv DLT_NULL
(no link-layer encapsulation),
.Dv DLT_EN10MB
(Ethernet),
.Dv DLT_IEEE802_11
(802.11 wireless networks),
etc.
The rest of the link-layer types can be found in
.In net/bpf.h .
The
.Fa hdrlen
argument
is the fixed size of the link header;
variable length headers are not yet supported.
The
.Nm
system will hold a pointer to
.Fa ifp->if_bpf .
This variable will be set to a
.Pf non- Dv NULL
value when
.Nm
requires packets from this interface to be tapped using the functions below.
.Pp
The
.Fn bpfattach2
function
allows multiple
.Nm
instances to be attached to a single interface,
by registering an explicit
.Fa if_bpf
rather than using
.Fa ifp->if_bpf .
It is then possible to run
.Xr tcpdump 1
on the interface for any data link-layer types attached.
.Pp
The
.Fn bpfdetach
function detaches a
.Nm
instance from an interface,
specified by
.Fa ifp .
The
.Fn bpfdetach
function
should be called once for each
.Nm
instance attached.
.Pp
The
.Fn bpf_tap
function
is used by an interface to pass the packet to
.Nm .
The packet data (including link-header),
pointed to by
.Fa pkt ,
is of length
.Fa pktlen ,
which must be a contiguous buffer.
The
.Fa ifp
argument
is a pointer to the structure that defines the interface to be tapped.
The packet is parsed by each process's filter,
and if accepted,
it is buffered for the process to read.
.Pp
The
.Fn bpf_mtap
function is like
.Fn bpf_tap
except that it is used to tap packets that are in an
.Vt mbuf
chain,
.Fa m .
The
.Fa ifp
argument
is a pointer to the structure that defines the interface to be tapped.
Like
.Fn bpf_tap ,
.Fn bpf_mtap
requires a link-header for whatever data link layer type is specified.
Note that
.Nm
only reads from the
.Vt mbuf
chain;
it does not free it or keep a pointer to it.
This means that an
.Vt mbuf
containing the link-header
can be prepended to the chain if necessary.
A cleaner interface to achieve this is provided by
.Fn bpf_mtap2 .
.Pp
The
.Fn bpf_mtap2
function
allows the user to pass a link-header
.Fa data ,
of length
.Fa dlen ,
independent of the
.Vt mbuf
.Fa m ,
containing the packet.
This simplifies the passing of some link-headers.
.Pp
The
.Fn bpf_filter
function
executes the filter program starting at
.Fa pc
on the packet
.Fa pkt .
The
.Fa wirelen
argument
is the length of the original packet and
.Fa buflen
is the amount of data present.
.Pp
The
.Fn bpf_validate
function
checks that the filter code
.Fa fcode ,
of length
.Fa flen ,
is valid.
.\"
.Sh RETURN VALUES
The
.Fn bpf_filter
function returns \-1
(cast to an unsigned integer)
if there is no filter.
Otherwise, it returns the result of the filter program.
.Pp
The
.Fn bpf_validate
function
returns 0 when the program is not a valid filter program.
.\"
.Sh SEE ALSO
.Xr tcpdump 1 ,
.Xr bpf 4
.\"
.Sh HISTORY
The Enet packet filter was created in 1980 by Mike Accetta and
Rick Rashid at Carnegie-Mellon University.
Jeffrey Mogul,
at Stanford,
ported the code to
.Bx
and continued its development from 1983 on.
Since then,
it has evolved into the Ultrix Packet Filter at
.Tn DEC ,
a
.Tn STREAMS
.Tn NIT
module under
.Tn SunOS
4.1, and
.Tn BPF .
.\"
.Sh AUTHORS
.An -nosplit
.An Steven McCanne ,
of Lawrence Berkeley Laboratory, implemented BPF in Summer 1990.
Much of the design is due to
.An Van Jacobson .
This manpage was written by
.An Orla McGann .