2023_03_stevenmccanneBSDPacketFilter1992_Reading_Notes
title: “The BSD Packet Filter: A New Architecture for User-level Packet Capture”
authors: “Steven McCanne”
citekey: stevenmccanneBSDPacketFilter1992
imported: 2023-03-31 08-51 pm
zoterolink: bpf-usenix93.pdf
Reading Notes
%% begin notes %%
%% end notes %%
Annotations
%% begin annotations %%
Imported: 2023-03-31 8:51 pm
background which discards unwanted packets as early as possible
results BPF offers substantial performance improvement over existing packet capture facilities—10 to 150 times faster than Sun’s NIT and 1.5 to 20 times faster than CSPF on the same hardware and traffic mix.
methods BPF uses a re-designed, register-based ‘filter machine’ that can be implemented efficiently on today’s register based RISC CPU. CSPF used a memory-stack-based filter machine that worked well on the PDP-11 but is a poor match to memory-bottlenecked modern CPUs.
methods BPF uses a simple, non-shared buffer model made possible by today’s larger address spaces. The model is very efficient for the ‘usual cases’ of packet capture.
methods the network tap and the packet filter
methods network tap collects copies of packets from the network device drivers and delivers them to listening applications
methods When a packet arrives at a network interface the link level device driver normally sends it up the system protocol stack.
methods But when BPF is listening on this interface, the driver first calls BPF
methods BPF feeds the packet to each participating process’ filter.
methods user-defined filter decides whether a packet is to be accepted and how many bytes of each packet should be saved
methods SunOS’s STREAMS NIT [10] copies the packets before filtering and as a result suffers a performance degradation.
methods a copy of each packet is always made
other a “reject all” filter and pushed directly on top of the NIT interface module (the NIT buffering module was not used). Since the filter discards all packets, the processing time should be constant, independent of the packet size
methods A packet filter is simply a boolean valued function on a packet. If the value of the function is true the kernel copies the packet for the application; if it is false the packet is ignored.
methods a boolean expression tree (used by CSPF)
methods a directed acyclic control flow graph or CFG
results BPF is now about two years old and has been put to work in several applications. The most widely used is tcpdump
%% end annotations %%
Summary
The Problem
Many versions of Unix provide facilities for user-level packet capture, making it possible to use general purpose workstations for network monitoring. But user-level monitoring consumes substantial system resources (memory traffic and copies), so the kernel must discard unwanted packets cheaply.
Key Ideas & Key insights
Discards the unwanted packets as early as possible.
Key Mechanisms
Network Tap + Packet Filter
Network Tap: collects copies of packets from the network device drivers and delivers them to listening applications
Packet Filter: To minimize memory traffic, the major bottleneck in most modern workstations, the packet should be filtered ‘in place’ (e.g., where the network interface DMA engine put it) rather than copied to some other kernel buffer before filtering.
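To make the two mechanisms concrete, here is an added example (my own illustration, not code from the paper or from the BSD/tcpdump sources) of the register-based filter machine evaluating a packet in place. The instruction layout and the four opcode values follow classic BPF's encoding (ldh/ldb absolute, jeq immediate, ret immediate); the interpreter supports only that subset, which is an assumption for brevity. The filter is "IPv4 and TCP" written as a control-flow graph rather than an expression tree: each test falls through or jumps straight to the reject return, so a non-IP frame is dropped after one load, and an out-of-bounds load rejects the packet instead of reading past it. The Ethernet frame bytes are constructed for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One classic-BPF instruction: opcode, true/false jump offsets, immediate. */
struct bpf_insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

/* Opcodes used below, encoded as classic BPF does (class | size | mode).
 * Only this subset is implemented here (assumption for the example). */
#define OP_LDH_ABS 0x28  /* A = 16-bit big-endian halfword at pkt[k]   */
#define OP_LDB_ABS 0x30  /* A = byte at pkt[k]                         */
#define OP_JEQ_K   0x15  /* pc += (A == k) ? jt : jf, relative to next */
#define OP_RET_K   0x06  /* return k = bytes to capture; 0 rejects     */

/* Run a filter program over a packet that never leaves its buffer: the
 * only state is the accumulator A. Returns the byte count to save, or 0
 * to drop. A load past the end of the packet rejects it. */
uint32_t bpf_filter(const struct bpf_insn *prog, size_t prog_len,
                    const uint8_t *pkt, size_t pkt_len)
{
    uint32_t A = 0;
    for (size_t pc = 0; pc < prog_len; pc++) {
        const struct bpf_insn *in = &prog[pc];
        switch (in->code) {
        case OP_LDH_ABS:
            if ((size_t)in->k + 2 > pkt_len) return 0;
            A = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1];
            break;
        case OP_LDB_ABS:
            if ((size_t)in->k + 1 > pkt_len) return 0;
            A = pkt[in->k];
            break;
        case OP_JEQ_K:
            /* jt/jf count from the instruction after this one; the loop's
             * pc++ supplies that +1. */
            pc += (A == in->k) ? in->jt : in->jf;
            break;
        case OP_RET_K:
            return in->k;
        default:
            return 0;   /* unknown opcode: reject rather than guess */
        }
    }
    return 0;           /* fell off the end: reject */
}

/* "IPv4 and TCP" as a CFG over an Ethernet frame: EtherType at offset 12,
 * IP protocol at 14 + 9 = 23. Each failed test jumps to the final ret #0. */
static const struct bpf_insn ip_tcp_prog[] = {
    { OP_LDH_ABS, 0, 0, 12     },   /* A = EtherType                */
    { OP_JEQ_K,   0, 3, 0x0800 },   /* not IPv4 -> reject (insn 5)  */
    { OP_LDB_ABS, 0, 0, 23     },   /* A = IP protocol              */
    { OP_JEQ_K,   0, 1, 6      },   /* not TCP  -> reject (insn 5)  */
    { OP_RET_K,   0, 0, 65535  },   /* accept: keep the whole packet */
    { OP_RET_K,   0, 0, 0      },   /* reject                       */
};

/* Constructed sample: 14-byte Ethernet header + minimal 20-byte IPv4
 * header carrying TCP (protocol 6). MACs and addresses are made up. */
static const uint8_t eth_ipv4_tcp[34] = {
    0x02,0x00,0x00,0x00,0x00,0x01,  0x02,0x00,0x00,0x00,0x00,0x02,
    0x08,0x00,                                  /* EtherType IPv4 */
    0x45,0x00,0x00,0x28,  0x00,0x00,0x40,0x00,  /* ver/ihl .. flags */
    0x40,0x06,                                  /* TTL, protocol=TCP */
    0x00,0x00,  10,0,0,1,  10,0,0,2             /* csum, src, dst */
};

/* Copy the sample, patch EtherType and protocol, optionally truncate it,
 * and run the filter. Shows the CFG's early exits on varied input. */
uint32_t filter_sample(uint16_t ethertype, uint8_t proto, size_t len)
{
    uint8_t buf[sizeof eth_ipv4_tcp];
    memcpy(buf, eth_ipv4_tcp, sizeof buf);
    buf[12] = (uint8_t)(ethertype >> 8);
    buf[13] = (uint8_t)ethertype;
    buf[23] = proto;
    if (len > sizeof buf) len = sizeof buf;
    return bpf_filter(ip_tcp_prog,
                      sizeof ip_tcp_prog / sizeof ip_tcp_prog[0], buf, len);
}

int main(void)
{
    printf("ipv4/tcp  -> %u\n", (unsigned)filter_sample(0x0800, 6, 34));
    printf("ipv4/udp  -> %u\n", (unsigned)filter_sample(0x0800, 17, 34));
    printf("arp       -> %u\n", (unsigned)filter_sample(0x0806, 6, 34));
    printf("truncated -> %u\n", (unsigned)filter_sample(0x0800, 6, 20));
    return 0;
}
```

The point to notice is what the interpreter does not do: it never copies the packet and never builds intermediate boolean results; the CFG encodes the short-circuit directly in the jump offsets, which is the property the paper contrasts with CSPF's stack machine. The bounds check on every load is what lets such a filter run safely on untrusted, possibly truncated frames.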
Implementation
The CSPF (Tree) Model
Key Results
Key Conclusions
BPF has proven to be an efficient, extensible, and portable interface for network monitoring.
Strengths
Solid work on BPF packet filter design, and a fantastic design.
Weaknesses
eBPF!?
Can I do better?
Takeaways
Other comments
%% Import Date: 2023-03-31T20:52:03.801+08:00 %%