Many versions of Unix provide facilities for user-level packet capture, making possible the use of general purpose workstations for network monitoring. Because network monitors run as user-level processes, packets must be copied across the kernel/user-space protection boundary. This copying can be minimized by deploying a kernel agent called a packet filter, which discards unwanted packets as early as possible. The original Unix packet filter was designed around a stack-based filter evaluator that performs sub-optimally on current RISC CPUs. The BSD Packet Filter (BPF) uses a new, register-based filter evaluator that is up to 20 times faster than the original design. BPF also uses a straightforward buffering strategy that makes its overall performance up to 100 times faster than Sun’s NIT running on the same hardware.
This is a preprint of a paper to be presented at the 1993 Winter USENIX conference, January 25–29, 1993, San Diego, CA. This work was supported by the Director, Office of Energy Research, Scientific Computing Staff, of the U.S. Department of Energy under Contract No. DE-AC03-76SF00098.

Unix has become synonymous with high quality networking and today’s Unix users depend on having reliable, responsive network access. Unfortunately, this dependence means that network trouble can make it impossible to get useful work done and increasingly users and system administrators find that a large part of their time is spent isolating and fixing network problems. Problem solving requires appropriate diagnostic and analysis tools and, ideally, these tools should be available where the problems are—on Unix workstations. To allow such tools to be constructed, a kernel must contain some facility that gives user-level programs access to raw, unprocessed network traffic. Most of today’s workstation operating systems contain such a facility, e.g., NIT in SunOS, the Ultrix Packet Filter in DEC’s Ultrix and Snoop in SGI’s IRIX. These kernel facilities derive from pioneering work done at CMU and Stanford to adapt the Xerox Alto ‘packet filter’ to a Unix kernel. When completed in 1980, the CMU/Stanford Packet Filter, CSPF, provided a much needed and widely used facility. However on today’s machines its performance, and the performance of its descendants, leave much to be desired — a design that was entirely appropriate for a 64KB PDP-11 is simply not a good match to a 16MB Sparcstation 2.

This paper describes the BSD Packet Filter, BPF, a new kernel architecture for packet capture. BPF offers substantial performance improvement over existing packet capture facilities—10 to 150 times faster than Sun’s NIT and 1.5 to 20 times faster than CSPF on the same hardware and traffic mix. The performance increase is the result of two architectural improvements:

BPF uses a re-designed, register-based ‘filter machine’ that can be implemented efficiently on today’s register based RISC CPU. CSPF used a memory-stack-based filter machine that worked well on the PDP-11 but is a poor match to memory-bottlenecked modern CPUs.

BPF uses a simple, non-shared buffer model made possible by today’s larger address spaces. The model is very efficient for the ‘usual cases’ of packet capture.[1]
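As an added illustration of the register-based filter machine idea (this is not code from the paper, and it is not BPF’s actual instruction set), the toy interpreter below keeps the value under test in a single accumulator, branches on it with conditional jumps, and returns the number of bytes to accept, with 0 meaning discard. The opcode names, the instruction layout, the bounds-check policy and the two sample Ethernet frames are my own assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Opcodes of the toy filter machine (assumed encoding for illustration). */
enum op {
    LDH_ABS,   /* acc = 16-bit big-endian value at packet offset k        */
    JEQ_K,     /* pc += 1 + (acc == k ? jt : jf)                          */
    RET_K      /* return k: bytes of the packet to accept (0 = discard)   */
};

struct insn {
    enum op  code;
    uint8_t  jt, jf;   /* branch offsets, relative to the next instruction */
    uint32_t k;        /* immediate operand                                */
};

/* Run prog over the first len bytes of pkt. The accumulator is a local
 * variable, which the compiler keeps in a CPU register; CSPF's evaluator
 * instead pushed and popped operands through memory. */
uint32_t run_filter(const struct insn *prog, size_t n,
                    const uint8_t *pkt, size_t len)
{
    uint32_t acc = 0;
    size_t pc = 0;

    while (pc < n) {
        const struct insn *in = &prog[pc];
        switch (in->code) {
        case LDH_ABS:
            /* A load beyond the captured bytes discards the packet rather
             * than reading past the buffer (the filter runs on untrusted
             * packet data, so every access must be bounds-checked). */
            if (in->k > len || len - in->k < 2)
                return 0;
            acc = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1];
            pc++;
            break;
        case JEQ_K:
            pc += 1 + (acc == in->k ? in->jt : in->jf);
            break;
        case RET_K:
            return in->k;
        }
    }
    return 0;   /* ran off the end of the program: discard */
}

/* Filter program: accept a frame only if its Ethernet type field is IPv4. */
static const struct insn accept_ipv4[] = {
    { LDH_ABS, 0, 0, 12 },          /* acc = EtherType at offset 12      */
    { JEQ_K,   0, 1, 0x0800 },      /* IPv4? fall through : skip one     */
    { RET_K,   0, 0, 0xFFFFFFFFu }, /* accept the whole packet           */
    { RET_K,   0, 0, 0 },           /* discard                           */
};
#define ACCEPT_IPV4_LEN (sizeof accept_ipv4 / sizeof accept_ipv4[0])

/* Constructed sample frames: dst MAC, src MAC, EtherType, a few payload bytes. */
static const uint8_t ipv4_frame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01,
    0x08,0x00,                  /* EtherType 0x0800 = IPv4 */
    0x45,0x00,0x00,0x14         /* start of an IP header   */
};
static const uint8_t arp_frame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01,
    0x08,0x06,                  /* EtherType 0x0806 = ARP  */
    0x00,0x01,0x08,0x00
};

uint32_t filter_ipv4_frame(void)
{
    return run_filter(accept_ipv4, ACCEPT_IPV4_LEN, ipv4_frame, sizeof ipv4_frame);
}

uint32_t filter_arp_frame(void)
{
    return run_filter(accept_ipv4, ACCEPT_IPV4_LEN, arp_frame, sizeof arp_frame);
}

/* Only 13 bytes captured: the type field is cut in half, so the load rejects. */
uint32_t filter_truncated_frame(void)
{
    return run_filter(accept_ipv4, ACCEPT_IPV4_LEN, ipv4_frame, 13);
}

int main(void)
{
    printf("ipv4: %u  arp: %u  truncated: %u\n",
           (unsigned)filter_ipv4_frame(), (unsigned)filter_arp_frame(),
           (unsigned)filter_truncated_frame());
    return 0;
}
```

The filter decides on a frame after one load and one compare, which is the "discard unwanted packets as early as possible" behaviour the abstract describes; a real kernel filter would additionally verify the program itself (jump targets inside the program, every path ending in a return) before installing it, which this toy omits.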
In this paper, we present the design of BPF, outline how it interfaces with the rest of the system, and describe the new approach to the filtering mechanism. Finally, we present performance measurements of BPF, NIT, and CSPF which show why BPF performs better than the other approaches.
[1] As opposed to, for example, the AT&T STREAMS buffer model used by NIT which has enough options to be Turing complete but appears to be a poor match to any practical problem.
The BSD Packet Filter: A New Architecture for User-level Packet Capture