Chapter 31. BPF: BSD Packet Filter

Introduction

The BSD Packet Filter (BPF) is a software device that “taps” network interfaces. A process accesses a BPF device by opening /dev/bpf0, /dev/bpf1, and so on. Each BPF device can be opened only by one process at a time.

Since each BPF device allocates 8192 bytes of buffer space, the system administrator typically limits the number of BPF devices. If open returns EBUSY, the device is in use, and a process tries the next device until the open succeeds.
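The probe loop described above, as an added example in C that is not code from the book. The names `bpf_open_first_free`, `open_fn`, `sys_open` and `fake_open` are hypothetical, the limit of 16 devices is an assumption, and `fake_open` is a constructed stand-in for open(2) so the loop also runs on hosts without /dev/bpf* nodes.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

/* open(2) reduced to two arguments so a stand-in can replace it (hypothetical typedef). */
typedef int (*open_fn)(const char *path, int flags);

int sys_open(const char *path, int flags) { return open(path, flags); }

/* Constructed stand-in: bpf0 and bpf1 are busy, bpf2 is free, nothing else
 * exists. Lets the loop run on hosts that have no /dev/bpf* nodes. */
int fake_open(const char *path, int flags)
{
    (void)flags;
    if (!strcmp(path, "/dev/bpf0") || !strcmp(path, "/dev/bpf1")) {
        errno = EBUSY;
        return -1;
    }
    if (!strcmp(path, "/dev/bpf2"))
        return 100;                 /* constructed descriptor value */
    errno = ENOENT;
    return -1;
}

/* Probe /dev/bpf0 .. /dev/bpf<max-1>. Returns a descriptor and leaves the
 * opened path in `path`, or returns -1 with errno describing the failure. */
int bpf_open_first_free(open_fn do_open, int max, char *path, size_t len)
{
    for (int i = 0; i < max; i++) {
        snprintf(path, len, "/dev/bpf%d", i);
        int fd = do_open(path, O_RDWR);
        if (fd >= 0)
            return fd;              /* device is now held by this process */
        if (errno != EBUSY)
            return -1;              /* e.g. ENOENT or EACCES: stop probing */
    }
    errno = EBUSY;                  /* every probed device was in use */
    return -1;
}

int main(int argc, char **argv)
{
    char path[32];
    /* Pass any argument to use the real open(2) on a BSD host. */
    int fd = bpf_open_first_free(argc > 1 ? sys_open : fake_open, 16, path, sizeof path);
    if (fd < 0) { perror(path); return 1; }
    printf("opened %s (fd %d)\n", path, fd);
    return 0;
}
```

Only EBUSY advances the probe to the next device; any other error stops it, so a permissions failure is reported against the device that produced it instead of being hidden by later attempts.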

The device is configured with several ioctl commands that associate the device with a network interface and install filters to receive incoming packets selectively. Packets are received by reading from the device, and packets are queued on the network interface ...
