Questions tagged [bpf]

The Berkeley Packet Filter (BPF, or cBPF) was initially introduced to provide a raw, protocol-independent interface to data link layers, on BSD systems and then on Linux. More recently, it has been reworked on Linux to give birth to the extended BPF, or eBPF. The latter can be used for network processing at several levels, as well as for security applications, or even tracing and monitoring use cases. This tag is for all cBPF/eBPF questions.

The Berkeley Packet Filter was initially introduced to provide a raw, protocol-independent interface to data link layers, first on BSD systems in the early 90s, then on Linux a few years later. All packets seen by the interface, including those destined for other hosts when the interface is in promiscuous mode, are accessible through this mechanism; the filter program runs in the kernel and decides which of them are copied to user space, so only the packets of interest are paid for.

Since 2013, the older BPF subsystem (now called cBPF, for classic BPF) has been extended on Linux into a new version, eBPF. eBPF has a different architecture: a 64-bit register machine that is more efficient and more flexible, and that introduces new features (maps, tail calls, helper functions exposed by the kernel, etc.). Programs can be attached to a variety of hooks in the kernel: for networking (sockets, as before, but also the TC (traffic control) interface, XDP, ...), for security (cgroups) or for tracing and monitoring the kernel (kprobes, tracepoints, ...). Whatever the hook, every program is checked by the in-kernel verifier before it is allowed to load, and loading most program types requires privileges (CAP_SYS_ADMIN, or CAP_BPF on recent kernels).
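To make the classic side of the tag concrete, here is an added example (written for this page, not taken from the tag wiki or from any project): a hand-assembled cBPF program equivalent to the pcap filter "ip and tcp port 80", in the same struct sock_filter layout that tcpdump -dd prints and that setsockopt(SO_ATTACH_FILTER) accepts, together with a small user-space interpreter for the seven opcodes it uses. The interpreter models the kernel's rule that a load past the end of the packet ends the program with a verdict of 0 (drop), which is why a truncated frame or a non-first IP fragment is never accepted. The frame builder, the opcode names and the function names are this example's own; the opcode numbers are the standard ones. It runs offline on constructed frames; attaching the same program to a real raw socket needs the appropriate privileges.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as struct sock_filter in <linux/filter.h>, redefined here so
 * the example builds without Linux headers. */
struct cbpf_insn {
    uint16_t code;   /* opcode: class | size | mode */
    uint8_t  jt;     /* jump offset if true (relative to the next insn) */
    uint8_t  jf;     /* jump offset if false */
    uint32_t k;      /* immediate value / packet offset */
};

/* The opcodes used below; numeric values as in <linux/bpf_common.h>. */
enum {
    LDH_ABS = 0x28,  /* A = big-endian u16 at pkt[k] */
    LDB_ABS = 0x30,  /* A = pkt[k] */
    LDH_IND = 0x48,  /* A = big-endian u16 at pkt[X + k] */
    LDX_MSH = 0xb1,  /* X = 4 * (pkt[k] & 0x0f): IPv4 header length */
    JEQ_K   = 0x15,  /* pc += (A == k) ? jt : jf */
    JSET_K  = 0x45,  /* pc += (A & k)  ? jt : jf */
    RET_K   = 0x06,  /* return k: 0 = drop, otherwise bytes to keep */
};

/* Hand-assembled cBPF for "ip and tcp port 80" on an Ethernet frame. */
static const struct cbpf_insn tcp80_filter[] = {
    { LDH_ABS, 0, 0,  12 },      /* 0: A = EtherType                     */
    { JEQ_K,   0, 10, 0x0800 },  /* 1: not IPv4            -> 12 (drop)  */
    { LDB_ABS, 0, 0,  23 },      /* 2: A = IP protocol                   */
    { JEQ_K,   0, 8,  6 },       /* 3: not TCP             -> 12 (drop)  */
    { LDH_ABS, 0, 0,  20 },      /* 4: A = IP flags + fragment offset    */
    { JSET_K,  6, 0,  0x1fff },  /* 5: later fragment, no TCP hdr -> 12  */
    { LDX_MSH, 0, 0,  14 },      /* 6: X = IHL * 4 (handles IP options)  */
    { LDH_IND, 0, 0,  14 },      /* 7: A = TCP source port               */
    { JEQ_K,   2, 0,  80 },      /* 8: sport == 80         -> 11 (keep)  */
    { LDH_IND, 0, 0,  16 },      /* 9: A = TCP destination port          */
    { JEQ_K,   0, 1,  80 },      /* 10: dport != 80        -> 12 (drop)  */
    { RET_K,   0, 0,  0x40000 }, /* 11: accept, keep up to 262144 bytes  */
    { RET_K,   0, 0,  0 },       /* 12: drop                             */
};

/* Minimal interpreter; any out-of-bounds load terminates with 0 (drop),
 * which is the kernel's behaviour for classic BPF packet loads. */
uint32_t cbpf_run(const struct cbpf_insn *prog, size_t ninsn,
                  const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0;
    for (size_t pc = 0; pc < ninsn; pc++) {
        const struct cbpf_insn *in = &prog[pc];
        uint64_t off = (in->code == LDH_IND) ? (uint64_t)X + in->k : in->k;
        switch (in->code) {
        case LDH_ABS:
        case LDH_IND:
            if (off + 2 > len) return 0;
            A = (uint32_t)pkt[off] << 8 | pkt[off + 1];
            break;
        case LDB_ABS:
            if (off >= len) return 0;
            A = pkt[off];
            break;
        case LDX_MSH:
            if (off >= len) return 0;
            X = 4u * (pkt[off] & 0x0f);
            break;
        case JEQ_K:  pc += (A == in->k) ? in->jt : in->jf; break;
        case JSET_K: pc += (A & in->k)  ? in->jt : in->jf; break;
        case RET_K:  return in->k;
        default:     return 0; /* opcode not modelled here: reject */
        }
    }
    return 0; /* ran off the end; the kernel refuses to load such a program */
}

/* Constructed test frame: Ethernet + IPv4 (IHL 5) + TCP header, no payload. */
static size_t build_frame(uint8_t *buf, uint16_t ethertype, uint8_t proto,
                          uint16_t frag_field, uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 54);
    buf[12] = ethertype >> 8; buf[13] = ethertype & 0xff;
    buf[14] = 0x45;                               /* version 4, IHL 5 */
    buf[17] = 40;                                 /* total length */
    buf[20] = frag_field >> 8; buf[21] = frag_field & 0xff;
    buf[22] = 64;                                 /* TTL */
    buf[23] = proto;                              /* 6 = TCP, 17 = UDP */
    buf[34] = sport >> 8; buf[35] = sport & 0xff;
    buf[36] = dport >> 8; buf[37] = dport & 0xff;
    buf[46] = 0x50;                               /* TCP data offset 5 */
    return 54;
}

/* Verdict (0 = drop) for a frame built from the arguments; truncate_to > 0
 * feeds the filter a shortened frame to exercise the bounds checks. */
uint32_t tcp80_verdict(uint16_t ethertype, uint8_t proto, uint16_t frag_field,
                       uint16_t sport, uint16_t dport, size_t truncate_to)
{
    uint8_t frame[54];
    size_t len = build_frame(frame, ethertype, proto, frag_field, sport, dport);
    if (truncate_to && truncate_to < len) len = truncate_to;
    return cbpf_run(tcp80_filter, sizeof tcp80_filter / sizeof tcp80_filter[0],
                    frame, len);
}

int main(void)
{
    printf("TCP 43210->80 (DF set): %u\n", tcp80_verdict(0x0800, 6, 0x4000, 43210, 80, 0));
    printf("UDP 43210->80         : %u\n", tcp80_verdict(0x0800, 17, 0, 43210, 80, 0));
    printf("TCP later fragment    : %u\n", tcp80_verdict(0x0800, 6, 0x0001, 80, 1234, 0));
    printf("TCP truncated to 30 B : %u\n", tcp80_verdict(0x0800, 6, 0, 80, 1234, 30));
    return 0;
}
```

The fragment check at instruction 5 is the detail people most often drop when writing filters by hand: without it, the port comparison would read whatever bytes follow the IP header of a later fragment and could match on payload data. Filtering several ports, as one of the questions below asks, is just more JEQ_K instructions between the port loads and the accept/drop returns, with the jump offsets recomputed.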

449 questions
3
votes
1 answer

How to filter packets for a list of IPs using Scapy

I am trying to filter packets of a particular website in Python (using Scapy). I have a list of possible IPs (used for load balancing) of the website. I want to filter packets for all those IPs. How can I do that? For a single IP, I am using the…
tarun14110
  • 940
  • 5
  • 26
  • 57
3
votes
2 answers

BPF in python to sniff packets for multiple TCP ports

I got code from http://allanrbo.blogspot.in/2011/12/raw-sockets-with-bpf-in-python.html. It works fine, but I want to sniff the traffic on multiple TCP ports like port 9000, 80, 22... So I have modified the filter_list like below filters_list = [ …
Veerendra K
  • 2,145
  • 7
  • 32
  • 61
3
votes
2 answers

how to use BPF filter to filter packet payload?

I need to do a homework about analysing some packets. I found that BPF filtering is a good thing for my homework; I want to filter all packets that have a payload that starts with a specific string like "Test it". The packets are combination of…
HomeworkGT
  • 91
  • 2
  • 7
2
votes
1 answer

How to release a BPF map that was created by the bpftool?

I am a complete novice at anything ebpf but trying out some random ideas to get some knowledge. I've built the libbpf library downloaded from (https://github.com/libbpf/libbpf-bootstrap) and test bpftool at first. And then I tried to create a map by…
Leo Lang
  • 21
  • 1
2
votes
1 answer

Kprobe BPF programs execution order

Is there a reliable way to explicitly specify BPF kprobe programs execution order (without kretprobes). For example, when I name programs like kprobe___1 and kprobe___2 I get an execution order like kprobe___2 -> kprobe___1,…
Tim
  • 25
  • 2
2
votes
1 answer

How to get bpftool to attach a program to a tracepoint?

I have the following simple eBPF program: #include "vmlinux.h" #include struct sys_enter_execve_ctx { unsigned short common_type; unsigned char common_flags; unsigned char common_preempt_count; int common_pid; int…
2
votes
1 answer

What is the difference between BPF and eBPF?

I'm new to eBPF, and there are a lot of tutorials saying eBPF is just the extended BPF, but I cannot understand what extended means? So what is the difference between BPF and eBPF? Are the samples residing in Linux source file [root]/samples/bpf…
Nicholas
  • 127
  • 1
  • 11
2
votes
2 answers

eBPF tail call didn't work even though the bpf code is loaded successfully

#include "bpf/bpf_helpers.h" #include char _license[] SEC("license") = "GPL"; struct bpf_map_def SEC("maps") jump_table = { .type = BPF_MAP_TYPE_PROG_ARRAY, .key_size = sizeof(__u32), .value_size = sizeof(__u32), …
2
votes
0 answers

why can't bpf ringbuf be used in the uprobe example of libbpf?

Recently, I am trying to use bpf ringbuf in uprobe example of libbpf. But when running, error occurred which is "libbpf: load bpf program failed: Invalid argument". I have no idea why this happened. Could anyone help? Below is my test code. Kernel…
Hankin
  • 45
  • 4
2
votes
0 answers

Different byte order in BPF program

I have two different types of BPF programs where I am printing the ip address with bpf_printk("%pI4", &ipv4.s_addr);. The xdp program is loaded in the loopback dev and the other is a bpf socket filter; I have a server and a client program that sends…
rhoward
  • 131
  • 2
  • 3
  • 10
2
votes
1 answer

Accessing BPF maps from kernel space

I am beginning with XDP and BPF maps. I understand that to access a BPF map from userspace, we use bpf_* syscalls. For example, bpf_map_lookup_elem() is used to lookup an element of a BPF map in the userspace program. However, I noticed that the…
diviquery
  • 569
  • 5
  • 19
2
votes
1 answer

cannot read arguments properly from ebpf kprobe

I wrote a simple ebpf program (using libbpf) in which I hooked sendto syscall libbpf version: SEC("kprobe/sendto") int BPF_KPROBE(entry_sendto, int sockfd, char* buf, size_t len) { bpf_printk("libbpf - entry_sendto - 0 %p", ctx); …
Guy Arbitman
  • 21
  • 1
  • 1
2
votes
1 answer

Why should userspace applications lock Ebpf maps?

When you create EBPF maps, memory is allocated in kernel space. And kernel memory never gets swapped out. Then, why is there a need for the userspace application to call setrlimit() with RLIMIT_MEMLOCK?
joz
  • 319
  • 1
  • 9
2
votes
1 answer

BPF verifier rejects the use of an inode ptr as a key

I'm attempting to implement an eBPF code where I have a BPF MAP with the key of type struct inode * and some value. Please see the below sample code struct value { char data[10]; }; struct bpf_map_def info SEC("maps") ={ …
2
votes
1 answer

How to read/understand the bpf kernel verifier analysis to debug the error?

I am new to XDP eBPF. I have a BPF program intended to Drop the UDP packets but it's unable to load since it gets rejected by the kernel verifier. Below is the code: #include #include #include #include…
Zarrar
  • 63
  • 3