Questions tagged [bpf]

The Berkeley Packet Filter (BPF, or cBPF) was initially introduced to provide a raw interface to data link layers in a protocol independent fashion, on BSD systems and then on Linux. More recently, it has been reworked on Linux to give birth to the extended BPF, or eBPF. The latter can be used for network processing at several levels, as well as for security applications, or even tracing and monitoring use cases. This tag is for all cBPF/eBPF questions.

The Berkeley Packet Filter was initially introduced to provide a raw interface to data link layers in a protocol independent fashion, first on BSD systems in the early 90s, then on Linux a few years later. All packets on the network, even those destined for other hosts, would be accessible through this mechanism.

Since 2013, the older BPF subsystem (cBPF, for classic BPF) has given rise on Linux to an extended version, eBPF. eBPF has a different architecture: it is more efficient and more flexible, and it introduces new features (maps, tail calls, kernel helper functions, etc.). Programs can be attached to a variety of hooks in the kernel: for networking (sockets, as before, but also the TC (traffic control) interface, XDP…), for security (cgroups), or for tracing and monitoring the kernel (kprobes, tracepoints, …).

449 questions
0 votes, 0 answers

debug bpf code on netlink messages

I am writing a bpf filter to prevent certain netlink messages. I am trying to debug the bpf code. Is there any debug tool that could help me? I was initially thinking of using nlmon to capture netlink messages: From…
0 votes, 1 answer

Berkeley Packet Filter to high level filtering expression

I have a C program which sets the filter for a WinPcap session manually by Berkeley Filter. Now I want to transfer this tool to C# with Pcap.Net. Pcap.Net doesn't offer the raw Berkeley filter as argument but the high level filtering expression…
Max R.
0 votes, 1 answer

fail to attach eBPF blob

I've just compiled BPF examples from kernel tools/testing/selftests/bpf and tried to load as explained in http://cilium.readthedocs.io/en/v0.10/bpf/: % tc filter add dev enp0s1 ingress bpf \ object-file…
Mark
0 votes, 0 answers

BPF: Trying to map out memory to sock_filter struct

I have a binary file which runs a bpf server. The BPF is "loosely" defined as follows: struct bpf{ length = 0x64 code = &c } A snippet of the code portion is: 0x00000028 0x00000004 0x61000015 0x00000028 I am looking at this through…
0 votes, 0 answers

BPF write fails with 1514 bytes

I'm unable to write 1514 bytes (including the L2 information) via write to /dev/bpf. I can write smaller packets (meaning I think the basic setup is correct), but I see "Message too long" with the full-length packets. This is on Solaris 11.2. It's…
MattW
0 votes, 1 answer

When is memory scratch space 15 used in BPF (Berkeley Packet Filter) or tcpdump?

My question is regarding the tcpdump command. The command "tcpdump -i eth1 -d" lists out the assembly instructions involved in the filter. I am curious to see that no instruction is accessing M[15] (memory slot 15). Can someone let me know, are…
0 votes, 1 answer

Tcpdump BPF syntax ambiguity

Observe these lines of BPF filters in tcpdump/libpcap syntax: 1: not host x or host y 2: not (host x or host y) 3: not (host x or y) 4: not host x or y 5: (not host x) or host y 6: (not host x) or y It is my opinion that host z matches all of the…
Cheatah
0 votes, 1 answer

Libpcap filter strings using "vlan" are behaving weirdly

I am getting some weird errors when using libpcap pcap_compile. Please let me know if these are known issues or I am making some bpf formatting/ordering mistakes. For example: 1) if I pass (protocol_filter and vlan_filter), I see no packets: Like…
user3851499
0 votes, 1 answer

Using libpcap to library sample dump files

Using libpcap has proven really easy, but, speed is always an issue with giant (in an arbitrary sense) .pcap dumps. Are there any common practices for just sampling a dump? Perhaps something that effectively says "Read every fifth frame" as the pcap…
Aage Torleif
0 votes, 1 answer

Correct filter expression in libpcap for outgoing packets

I want to sniff only outgoing 'TCP-ACK' packet from my system. Hence I set my filter expression in my lib-pcap program as: char filter_exp[] = "src host 172.16.0.1 and tcp[tcpflags] & (tcp-syn | tcp-fin | tcp-rst | tcp-psh) == 0"; But it's showing…
RatDon
0 votes, 1 answer

Simple way to verify valid BPF filter

What is the simplest way to verify a BPF filter as a normal user? Easiest I have found is to run tcpdump with a small pcap file as input to the -r option. $ tcpdump -r one_packet.pcap -F invalid_bpf.conf 2> /dev/null ; echo $? 1 $ tcpdump -r…
RyPeck
0 votes, 2 answers

reading a pcap file in c++

I'm trying to read a pcap file in c++ (I'm using VS 2008) and I'm having the following errors: 1) error C2011: 'bpf_program' : 'struct' type redefinition. 2) error C2011: 'bpf_insn' : 'struct' type redefinition I guess the problem is that in one…
M.R.M
-1 votes, 2 answers

Not able to attach so_reuseport_cbpf in cpp

Below BPF program in cpp is throwing error when binding to udp socket using SO_ATTACH_REUSEPORT_CBPF struct sock_filter code[] = { {BPF_LD | BPF_MEM, 0, 0, 0x00000000}, // load memory to accumulator //{BPF_ALU | BPF_ADD, 0, 0,…
-1 votes, 1 answer

are bpf_probe_read's atomic?

Are bpf_probe_read functions etc. atomic? And do they inc ref counts of the data structure they're reading, because if the operation is not atomic while the read is going through the kernel deallocates that data structure can it not cause a…
-1 votes, 1 answer

Is BPF_LOOP viable for linked list iteration? If not, what other way can I do it?

I am trying to iterate a linked list in BPF. Can I use bpf_loop for this? If so, how? Tried using bpf_loop, but it required a fixed number to bound the loops; what way can I do that?