2023_03_stevenmccanneBSDPacketFilter1992_Reading_Notes


title: “The BSD Packet Filter: A New Architecture for User-level Packet Capture”
authors: “Steven McCanne”
citekey: stevenmccanneBSDPacketFilter1992

imported: 2023-03-31 08:51 pm

zoterolink: bpf-usenix93.pdf

Reading Notes


Annotations


background which discards unwanted packets as early as possible

results BPF offers substantial performance improvement over existing packet capture facilities—10 to 150 times faster than Sun’s NIT and 1.5 to 20 times faster than CSPF on the same hardware and traffic mix.

methods BPF uses a re-designed, register-based ‘filter machine’ that can be implemented efficiently on today’s register based RISC CPU. CSPF used a memory-stack-based filter machine that worked well on the PDP-11 but is a poor match to memory-bottlenecked modern CPUs.

methods BPF uses a simple, non-shared buffer model made possible by today’s larger address spaces. The model is very efficient for the ‘usual cases’ of packet capture.

methods the network tap and the packet filter

methods network tap collects copies of packets from the network device drivers and delivers them to listening applications

methods When a packet arrives at a network interface the link level device driver normally sends it up the system protocol stack.

methods But when BPF is listening on this interface, the driver first calls BPF

methods BPF feeds the packet to each participating process’ filter.

methods user-defined filter decides whether a packet is to be accepted and how many bytes of each packet should be saved

methods SunOS’s STREAMS NIT [10] copies the packets before filtering and as a result suffers a performance degradation.

methods a copy of each packet is always made

other a “reject all” filter and pushed directly on top of the NIT interface module (the NIT buffering module was not used). Since the filter discards all packets, the processing time should be constant, independent of the packet size

methods A packet filter is simply a boolean valued function on a packet. If the value of the function is true the kernel copies the packet for the application; if it is false the packet is ignored.

methods a boolean expression tree (used by CSPF)

methods a directed acyclic control flow graph or CFG

results BPF is now about two years old and has been put to work in several applications. The most widely used is tcpdump


Summary

The Problem

Many versions of Unix provide facilities for user-level packet capture, making it possible to use general purpose workstations for network monitoring. But user-level monitoring consumes a lot of resources.

Key Ideas & Key insights

Discard unwanted packets as early as possible.

Key Mechanisms

Network Tap + Packet Filter

Network Tap: collects copies of packets from the network device drivers and delivers them to listening applications

Packet Filter: To minimize memory traffic, the major bottleneck in most modern workstations, the packet should be filtered ‘in place’ (e.g., where the network interface DMA engine put it) rather than copied to some other kernel buffer before filtering.
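The annotated ideas above (a filter is a boolean function on the packet, evaluated by a register-based filter machine whose program is a directed acyclic control flow graph) and the Network Tap + Packet Filter mechanism can be seen in working code. The following is an added example, not code from the paper, from BSD, or from this note's author: a miniature BPF-style interpreter in C with a deliberately simplified instruction set (the enum names, the struct layout and the relative jump encoding are assumptions made for this example, not the kernel's bpf_insn encoding). It runs a tcpdump-like "ip and tcp dst port 80" program over constructed Ethernet/IPv4 frames; every failed test jumps straight to the final reject, so a non-IP frame is discarded after two instructions, and a load past the end of the packet rejects it instead of reading out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified subset of the classic BPF filter machine. */
enum op {
    LDH_ABS,   /* A = 16-bit big-endian halfword at pkt[k]        */
    LDB_ABS,   /* A = byte at pkt[k]                              */
    LDX_MSH,   /* X = 4 * (pkt[k] & 0x0f)  (IPv4 header length)   */
    LDH_IND,   /* A = halfword at pkt[X + k]                      */
    JEQ,       /* pc += (A == k) ? jt : jf                        */
    JSET,      /* pc += (A & k)  ? jt : jf                        */
    RET        /* accept k bytes of the packet (0 = reject)       */
};

struct insn { enum op code; uint8_t jt, jf; uint32_t k; };

/* Interpret one filter program over one packet. Jumps are forward-only
 * offsets relative to the next instruction, so the program is an acyclic
 * control-flow graph and always terminates. A load that would read past
 * the end of the packet rejects it, as BSD BPF does. Returns the number
 * of bytes to capture, 0 meaning "drop". */
static uint32_t bpf_run(const struct insn *prog, size_t ninsn,
                        const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0;
    size_t pc = 0;
    while (pc < ninsn) {
        const struct insn *i = &prog[pc++];
        switch (i->code) {
        case LDH_ABS:
            if ((size_t)i->k + 2 > len) return 0;
            A = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1];
            break;
        case LDB_ABS:
            if ((size_t)i->k + 1 > len) return 0;
            A = pkt[i->k];
            break;
        case LDX_MSH:
            if ((size_t)i->k + 1 > len) return 0;
            X = (uint32_t)(pkt[i->k] & 0x0f) * 4;
            break;
        case LDH_IND:
            if ((size_t)X + i->k + 2 > len) return 0;
            A = ((uint32_t)pkt[X + i->k] << 8) | pkt[X + i->k + 1];
            break;
        case JEQ:  pc += (A == i->k) ? i->jt : i->jf; break;
        case JSET: pc += (A & i->k)  ? i->jt : i->jf; break;
        case RET:  return i->k;
        }
    }
    return 0;   /* fell off the end of the program: reject */
}

/* "ip and tcp dst port 80" over Ethernet as a CFG. Offsets: ethertype at 12,
 * IP header at 14, flags/fragment-offset at 20, protocol at 23, TCP dst
 * port at X+16 where X is the IP header length. */
static const struct insn http_filter[] = {
    { LDH_ABS, 0, 0, 12 },      /* 0: A = ethertype                   */
    { JEQ,     0, 8, 0x0800 },  /* 1: not IPv4 -> 10 (reject)         */
    { LDB_ABS, 0, 0, 23 },      /* 2: A = IP protocol                 */
    { JEQ,     0, 6, 6 },       /* 3: not TCP -> 10                   */
    { LDH_ABS, 0, 0, 20 },      /* 4: A = flags + fragment offset     */
    { JSET,    4, 0, 0x1fff },  /* 5: non-first fragment -> 10        */
    { LDX_MSH, 0, 0, 14 },      /* 6: X = IP header length            */
    { LDH_IND, 0, 0, 16 },      /* 7: A = TCP destination port        */
    { JEQ,     0, 1, 80 },      /* 8: not port 80 -> 10               */
    { RET,     0, 0, 262144 },  /* 9: accept, keep up to 256 KiB      */
    { RET,     0, 0, 0 },       /* 10: reject                         */
};

static uint32_t run_http_filter(const uint8_t *pkt, size_t len)
{
    return bpf_run(http_filter, sizeof http_filter / sizeof http_filter[0],
                   pkt, len);
}

/* Build a constructed 54-byte Ethernet/IPv4 frame with a transport header;
 * addresses are zeroed dummies, only the fields the filter reads are set. */
static size_t make_packet(uint8_t *buf, uint16_t ethertype, uint8_t proto,
                          uint16_t fragfield, uint16_t dport)
{
    memset(buf, 0, 54);
    buf[12] = (uint8_t)(ethertype >> 8); buf[13] = (uint8_t)ethertype;
    buf[14] = 0x45;                                 /* IPv4, IHL = 5 */
    buf[17] = 40;                                   /* total length  */
    buf[20] = (uint8_t)(fragfield >> 8); buf[21] = (uint8_t)fragfield;
    buf[22] = 64;                                   /* TTL           */
    buf[23] = proto;
    buf[34] = 0xc0;                                 /* src port 49152 */
    buf[36] = (uint8_t)(dport >> 8); buf[37] = (uint8_t)dport;
    return 54;
}

int main(void)
{
    uint8_t p[54];
    size_t n = make_packet(p, 0x0800, 6, 0x4000, 80);
    printf("tcp dst 80: %u bytes\n", (unsigned)run_http_filter(p, n));
    n = make_packet(p, 0x0806, 0, 0, 0);
    printf("arp       : %u bytes\n", (unsigned)run_http_filter(p, n));
    return 0;
}
```

The accept return value is the snapshot length (how many bytes of the packet to save), which is the second decision the annotated "user-defined filter" quote mentions; the reject path is reached from instruction 1 without touching the rest of the packet, which is the early-discard idea in one line of control flow.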

Implementation

The CSPF (Tree) Model

Key Results

Key Conclusions

BPF has proven to be an efficient, extensible, and portable interface for network monitoring.

Strengths

Solid work on the BPF packet filter design, and an excellent design overall.

Weaknesses

eBPF!?

Can I do better?

Takeaways

Other comments



Source: http://blog.chivier.site/2023-04-23/9c16ff66e9f0/
Author: Chivier Humber
Posted on: April 23, 2023