The BSD Packet Filter: A New Architecture for User-level Packet Capture

Steven McCanne and Van Jacobson Lawrence Berkeley Laboratory One Cyclotron Road Berkeley, CA 94720 mccanne@ee.lbl.gov, van@ee.lbl.gov December 19, 1992

Abstract
Many versions of Unix provide facilities for user-level packet capture, making possible the use of general purpose workstations for network monitoring. Because network monitors run as user-level processes, packets must be copied across the kernel/user-space protection boundary. This copying can be minimized by deploying a kernel agent called a packet filter, which discards unwanted packets as early as possible. The original Unix packet filter was designed around a stack-based filter evaluator that performs sub-optimally on current RISC CPUs. The BSD Packet Filter (BPF) uses a new, register-based filter evaluator that is up to 20 times faster than the original design. BPF also uses a straightforward buffering strategy that makes its overall performance up to 100 times faster than Sun’s NIT running on the same hardware.

1 Introduction

Unix has become synonymous with high quality networking and today’s Unix users depend on having reliable, responsive network access. Unfortunately, this dependence means that network trouble can make it impossible to get useful work done and increasingly users and system administrators find that a large part of their time is spent isolating and fixing network problems. Problem solving requires appropriate diagnostic and analysis tools and, ideally, these tools should be available where the problems are—on Unix workstations. To allow such tools to be constructed, a kernel must contain some facility that gives user-level programs access to raw, unprocessed network traffic.[7] Most of today’s workstation operating systems contain such a facility, e.g., NIT[10] in SunOS, the Ultrix Packet Filter[2] in DEC’s Ultrix and Snoop in SGI’s IRIX. These kernel facilities derive from pioneering work done at CMU and Stanford to adapt the Xerox Alto ‘packet filter’ to a Unix kernel[8]. When completed in 1980, the CMU/Stanford Packet Filter, CSPF, provided a much needed and widely used facility. However on today’s machines its performance, and the performance of its descendants, leave much to be desired — a design that was entirely appropriate for a 64KB PDP-11 is simply not a good match to a 16MB Sparcstation 2.

This paper describes the BSD Packet Filter, BPF, a new kernel architecture for packet capture. BPF offers substantial performance improvement over existing packet capture facilities—10 to 150 times faster than Sun’s NIT and 1.5 to 20 times faster than CSPF on the same hardware and traffic mix. The performance increase is the result of two architectural improvements:

• BPF uses a re-designed, register-based ‘filter machine’ that can be implemented efficiently on today’s register based RISC CPU. CSPF used a memory-stack-based filter machine that worked well on the PDP-11 but is a poor match to memory-bottlenecked modern CPUs.

• BPF uses a simple, non-shared buffer model made possible by today’s larger address spaces. The model is very efficient for the ‘usual cases’ of packet capture.¹

In this paper, we present the design of BPF, outline how it interfaces with the rest of the system, and describe the new approach to the filtering mechanism. Finally, we present performance measurements of BPF, NIT, and CSPF which show why BPF performs better than the other approaches.

¹ As opposed to, for example, the AT&T STREAMS buffer model used by NIT which has enough options to be Turing complete but appears to be a poor match to any practical problem.

This is a preprint of a paper to be presented at the 1993 Winter USENIX conference, January 25–29, 1993, San Diego, CA. This work was supported by the Director, Office of Energy Research, Scientific Computing Staff, of the U.S. Department of Energy under Contract No. DE-AC03-76SF00098.
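The register-based filter machine contrasted above with CSPF’s stack machine can be illustrated with an added example (our code, not the paper’s): a single-accumulator interpreter whose opcode names, instruction layout and constructed test frames are simplifications of our own, not BPF’s real encoding. The `classify` helper builds a fake Ethernet/IPv4 header so the filter can be exercised without a capture, and loads are bounds-checked so a truncated frame is discarded rather than read past its end.

```c
/* Added example, not code from the paper: a tiny register-machine packet
 * filter in the spirit of BPF. Opcodes, layout and frames are our own. */
#include <stdint.h>
#include <stddef.h>
enum op { LD_H, LD_B, JEQ, RET };       /* our own simplified opcode set */

struct insn {
    enum op  op;
    uint8_t  jt, jf;   /* relative jump targets for JEQ (taken / not taken) */
    uint32_t k;        /* packet offset, comparison constant or return value */
};

/* Evaluate a filter over one frame using a single accumulator A instead of
 * an operand stack. Returns k of the RET reached; 0 means discard. A load
 * past the end of the frame, or running off the program, also discards. */
uint32_t run_filter(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        if (i->op == RET) return i->k;
        if (i->op == JEQ) { pc += (A == i->k) ? i->jt : i->jf; continue; }
        /* LD_H / LD_B: bounds-check before touching the frame */
        size_t w = (i->op == LD_H) ? 2 : 1;
        if ((size_t)i->k + w > len) return 0;
        A = (w == 2) ? ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1] : pkt[i->k];
    }
    return 0;
}

/* "Accept IPv4/TCP": ethertype at offset 12, IP protocol at 14 + 9 = 23. */
const struct insn tcp_filter[6] = {
    { LD_H, 0, 0, 12     },   /* A = ethertype */
    { JEQ,  0, 3, 0x0800 },   /* not IPv4: skip to RET 0 */
    { LD_B, 0, 0, 23     },   /* A = IP protocol */
    { JEQ,  0, 1, 6      },   /* not TCP: skip to RET 0 */
    { RET,  0, 0, 1      },
    { RET,  0, 0, 0      },
};

/* Build a constructed Ethernet+IPv4 frame of `len` bytes and run tcp_filter
 * over it, so the filter can be exercised without a real capture. */
uint32_t classify(uint16_t ethertype, uint8_t proto, size_t len)
{
    uint8_t buf[64] = {0};
    if (len > sizeof buf) len = sizeof buf;
    buf[12] = ethertype >> 8; buf[13] = ethertype & 0xff;
    buf[14] = 0x45;           /* IPv4 version/IHL */
    buf[23] = proto;          /* IP protocol field (14-byte Ethernet hdr + 9) */
    return run_filter(tcp_filter, 6, buf, len);
}
```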
