Packet Sniffer SDK VCL Edition

BPF programming


What is a BPF filter program?

A BPF filter program is an array of instructions in which every branch points forward and which is terminated by a return instruction. Each instruction performs some action on the state of a pseudo-machine, which consists of an accumulator (A, DWORD, 4 bytes), an index register (X, DWORD, 4 bytes), a scratch memory store (DWORD M[16]) and an implicit program counter (pc).

BPF instructions allow you to create various rules for filtering network packets.

The BPF instruction format is defined by the HN_BPF_INSTRUCTION structure:

type
  HN_BPF_INSTRUCTION = record
    Code : WORD;   // Instruction code: class plus mode/operator bits
    jt   : BYTE;   // Forward offset taken by a jump when its condition is true
    jf   : BYTE;   // Forward offset taken by a jump when its condition is false
    k    : DWORD;  // Generic multiuse field (its meaning depends on the instruction)
  end;
  PHN_BPF_INSTRUCTION = ^HN_BPF_INSTRUCTION;

The k field is used in different ways depending on the instruction, and the jt and jf fields are used as offsets by the jump instructions. The opcodes are encoded in a semi-hierarchical fashion: there are eight classes of instructions, BPF_LD, BPF_LDX, BPF_ST, BPF_STX, BPF_ALU, BPF_JMP, BPF_RET and BPF_MISC, and mode and operator bits are added to the class to give the actual instruction.
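The following C program is an added example, not code from the Packet Sniffer SDK, that shows what the pseudo-machine described above actually does with a filter array. It defines an instruction with the same four fields as HN_BPF_INSTRUCTION, a small interpreter with the A and X registers, the M[16] scratch store and the implicit pc, a validator for the two structural rules (branches only forward and in range, program ends in a return), and a constructed filter equivalent to tcpdump's "tcp dst port 80" run over constructed Ethernet/IPv4/TCP frames. The numeric opcode values are those of classic BPF as published in libpcap's bpf.h; whether the SDK uses the same numeric encoding is an assumption, only the class names are given on this page. The sample frames and the helper names (bpf_run, bpf_validate, make_tcp_frame, filter_frame) are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One instruction: the same four fields as HN_BPF_INSTRUCTION (code, jt, jf, k).
 * The C type and its name are this example's own, not the SDK's. */
typedef struct { uint16_t code; uint8_t jt, jf; uint32_t k; } bpf_insn_t;

/* Classic-BPF opcode bits (libpcap bpf.h). Assumed to match the SDK's values. */
enum { BPF_LD = 0x00, BPF_LDX = 0x01, BPF_ST = 0x02, BPF_STX = 0x03,
       BPF_ALU = 0x04, BPF_JMP = 0x05, BPF_RET = 0x06, BPF_MISC = 0x07 }; /* class  */
enum { BPF_W = 0x00, BPF_H = 0x08, BPF_B = 0x10 };                           /* size   */
enum { BPF_IMM = 0x00, BPF_ABS = 0x20, BPF_IND = 0x40, BPF_MEM = 0x60,
       BPF_LEN = 0x80, BPF_MSH = 0xa0 };                                     /* mode   */
enum { BPF_ADD = 0x00, BPF_SUB = 0x10, BPF_OR = 0x40, BPF_AND = 0x50,
       BPF_LSH = 0x60, BPF_RSH = 0x70 };                                     /* alu op */
enum { BPF_JA = 0x00, BPF_JEQ = 0x10, BPF_JGT = 0x20, BPF_JGE = 0x30, BPF_JSET = 0x40 };
enum { BPF_K = 0x00, BPF_X = 0x08, BPF_A = 0x10 };                           /* src/rval */
enum { BPF_TAX = 0x00, BPF_TXA = 0x80 };                                     /* misc   */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_SIZE(c)  ((c) & 0x18)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_STMT(code, k)         { (uint16_t)(code), 0, 0, (k) }
#define BPF_JUMP(code, k, jt, jf) { (uint16_t)(code), (jt), (jf), (k) }

/* Run prog over one packet of len bytes. Returns the RET value: 0 = drop,
 * otherwise the number of bytes to keep. A load outside the packet drops it. */
uint32_t bpf_run(const bpf_insn_t *prog, size_t n, const uint8_t *p, uint32_t len) {
    uint32_t A = 0, X = 0, M[16] = {0};
    for (size_t pc = 0; pc < n;) {
        const bpf_insn_t *i = &prog[pc++];             /* pc already points past i */
        uint32_t k = i->k, src = (i->code & BPF_X) ? X : k;
        switch (BPF_CLASS(i->code)) {
        case BPF_LD:
            if (BPF_MODE(i->code) == BPF_IMM) { A = k; break; }
            if (BPF_MODE(i->code) == BPF_LEN) { A = len; break; }
            if (BPF_MODE(i->code) == BPF_MEM) { A = M[k & 15]; break; }
            if (BPF_MODE(i->code) == BPF_IND) k += X;    /* [x + k] */
            if (BPF_SIZE(i->code) == BPF_W) {            /* packet loads are big-endian */
                if (k >= len || len - k < 4) return 0;
                A = (uint32_t)p[k] << 24 | (uint32_t)p[k + 1] << 16 | p[k + 2] << 8 | p[k + 3];
            } else if (BPF_SIZE(i->code) == BPF_H) {
                if (k >= len || len - k < 2) return 0;
                A = (uint32_t)p[k] << 8 | p[k + 1];
            } else { if (k >= len) return 0; A = p[k]; }
            break;
        case BPF_LDX:
            if (BPF_MODE(i->code) == BPF_IMM) X = k;
            else if (BPF_MODE(i->code) == BPF_LEN) X = len;
            else if (BPF_MODE(i->code) == BPF_MEM) X = M[k & 15];
            else { if (k >= len) return 0; X = (p[k] & 0x0f) * 4; }  /* MSH: IPv4 IHL*4 */
            break;
        case BPF_ST:  M[k & 15] = A; break;
        case BPF_STX: M[k & 15] = X; break;
        case BPF_ALU:
            switch (BPF_OP(i->code)) {
            case BPF_ADD: A += src; break;          case BPF_SUB: A -= src; break;
            case BPF_OR:  A |= src; break;          case BPF_AND: A &= src; break;
            case BPF_LSH: A = src < 32 ? A << src : 0; break;
            case BPF_RSH: A = src < 32 ? A >> src : 0; break;
            default: return 0;                      /* op not implemented here: drop */
            }
            break;
        case BPF_JMP: {
            if (BPF_OP(i->code) == BPF_JA) { pc += k; break; }
            int t = BPF_OP(i->code) == BPF_JEQ ? A == src : BPF_OP(i->code) == BPF_JGT ? A > src :
                    BPF_OP(i->code) == BPF_JGE ? A >= src : (A & src) != 0;  /* JSET */
            pc += t ? i->jt : i->jf;   /* jt/jf: unsigned offsets, so only forward jumps */
            break;
        }
        case BPF_RET:  return (i->code & 0x18) == BPF_A ? A : k;
        case BPF_MISC: if ((i->code & 0xf8) == BPF_TAX) X = A; else A = X; break;
        }
    }
    return 0;                                       /* ran off the end: drop */
}

/* Structural check: every jump target inside the program, last instruction a RET.
 * With in-range forward jumps, ending in RET guarantees every path returns. */
int bpf_validate(const bpf_insn_t *prog, size_t n) {
    if (n == 0 || BPF_CLASS(prog[n - 1].code) != BPF_RET) return 0;
    for (size_t pc = 0; pc < n; pc++) {
        if (BPF_CLASS(prog[pc].code) != BPF_JMP) continue;
        if (BPF_OP(prog[pc].code) == BPF_JA) { if (pc + 1 + prog[pc].k >= n) return 0; }
        else if (pc + 1 + prog[pc].jt >= n || pc + 1 + prog[pc].jf >= n) return 0;
    }
    return 1;
}

/* Constructed filter equal to tcpdump -d "tcp dst port 80"; jt/jf are relative. */
static const bpf_insn_t tcp_dst_80[] = {
    BPF_STMT(BPF_LD  | BPF_H | BPF_ABS, 12),            /* A = EtherType             */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 8),  /* not IPv4      -> ret 0    */
    BPF_STMT(BPF_LD  | BPF_B | BPF_ABS, 23),            /* A = IP protocol           */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 6, 0, 6),       /* not TCP       -> ret 0    */
    BPF_STMT(BPF_LD  | BPF_H | BPF_ABS, 20),            /* A = flags + frag offset   */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, 0x1fff, 4, 0), /* later fragment -> ret 0   */
    BPF_STMT(BPF_LDX | BPF_B | BPF_MSH, 14),            /* X = IPv4 header length    */
    BPF_STMT(BPF_LD  | BPF_H | BPF_IND, 16),            /* A = TCP dst port [x+16]   */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 80, 0, 1),      /* port != 80    -> ret 0    */
    BPF_STMT(BPF_RET | BPF_K, 262144),                  /* accept, keep whole packet */
    BPF_STMT(BPF_RET | BPF_K, 0),                       /* drop                      */
};
#define TCP_DST_80_LEN (sizeof tcp_dst_80 / sizeof tcp_dst_80[0])
/* Constructed invalid program: jf would land two past the end. */
static const bpf_insn_t bad_prog[] = { BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, 5),
                                       BPF_STMT(BPF_RET | BPF_K, 0) };

/* Constructed 54-byte Ethernet/IPv4/TCP frame with the given protocol and dst port. */
size_t make_tcp_frame(uint8_t *buf, uint8_t proto, uint16_t dport) {
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                 /* EtherType IPv4              */
    buf[14] = 0x45;                                 /* version 4, IHL 5 (20 bytes) */
    buf[17] = 40;                                   /* IPv4 total length           */
    buf[23] = proto;                                /* 6 = TCP, 17 = UDP           */
    buf[36] = dport >> 8; buf[37] = dport & 0xff;   /* TCP destination port        */
    return 54;
}

/* Build a frame and filter it, pretending only caplen bytes were captured. */
uint32_t filter_frame(uint8_t proto, uint16_t dport, uint32_t caplen) {
    uint8_t f[54];
    make_tcp_frame(f, proto, dport);
    return bpf_run(tcp_dst_80, TCP_DST_80_LEN, f, caplen);
}

int main(void) {
    printf("valid=%d tcp/80=%u tcp/443=%u udp/80=%u truncated=%u\n",
           bpf_validate(tcp_dst_80, TCP_DST_80_LEN), filter_frame(6, 80, 54),
           filter_frame(6, 443, 54), filter_frame(17, 80, 54), filter_frame(6, 80, 30));
    return 0;
}
```

Two points worth noticing when reading the interpreter against the structure on this page: jt and jf are unsigned bytes added to the program counter after it has already moved past the jump, which is why a BPF program can only branch forward and why bpf_validate only needs to bounds-check targets; and k is read three different ways (packet offset for loads, comparison constant for jumps, byte count for returns), which is what the text means by a multiuse field. The truncated-frame case shows the failure mode a filter must handle: a load past the captured bytes rejects the packet instead of reading out of bounds.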

In the Packet Sniffer SDK library a BPF filter program is represented by the HN_BPF_PROGRAMM structure.

To simplify building BPF filter programs, the SDK provides the HNUserFilter component, which also lets you manage the HN_BPF_PROGRAMM and HN_BPF_INSTRUCTION structures.