Berkeley Packet Filter

The Berkeley Packet Filter (BPF), also called the Berkeley filter, provides an interface to the data link layer on Unix-like computer systems. Through this interface, data link layer packets can be sent and received. If the driver of the network interface supports promiscuous mode, the interface can be put into this mode so that all packets on the network can be received, even those destined for other network adapters.

BPF also supports filtering of data packets, so that only packets of interest are processed and processing power is saved.

The filter functionality is implemented as an interpreter for the machine language of the BPF virtual machine (BPF VM). Programs for this virtual machine can read data from the packet, perform arithmetic operations on it, compare the result to the filter definition, and then accept or reject the packet. On some systems, including FreeBSD and WinPcap, just-in-time compilation (conversion of the virtual machine instructions into machine language) is supported in order to improve performance.
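As an added illustration (not code from the original article or from any BPF implementation), this minimal C interpreter for a small subset of classic BPF instructions shows the read, compute, compare, accept-or-reject cycle described above. The names `struct insn`, `bpf_run`, `filter_ipv4_tcp` and the sample frames are assumptions of this example; a load that would read outside the packet rejects it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Subset of classic BPF opcodes; type and function names are this example's own. */
enum { LD_H_ABS = 0x28, LD_B_ABS = 0x30, AND_K = 0x54, JEQ_K = 0x15, RET_K = 0x06 };
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Interpret prog over pkt: returns bytes to accept, or 0 to reject the packet. */
uint32_t bpf_run(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;                       /* accumulator */
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case LD_H_ABS:                    /* A = big-endian 16 bits at pkt[k] */
            if (len < 2 || i->k > len - 2) return 0;  /* out-of-bounds read: reject */
            a = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1];
            break;
        case LD_B_ABS:                    /* A = byte at pkt[k] */
            if (i->k >= len) return 0;
            a = pkt[i->k];
            break;
        case AND_K: a &= i->k; break;     /* arithmetic on the loaded value */
        case JEQ_K: pc += (a == i->k) ? i->jt : i->jf; break; /* forward skip only */
        case RET_K: return i->k;          /* verdict */
        default:    return 0;             /* unknown opcode: reject */
        }
    }
    return 0;                             /* ran past the end: reject */
}

/* Filter: accept only IPv4 TCP in an Ethernet frame. */
static const struct insn ipv4_tcp[] = {
    { LD_H_ABS, 0, 0, 12 }, { JEQ_K, 0, 6, 0x0800 },  /* EtherType == IPv4?  */
    { LD_B_ABS, 0, 0, 14 }, { AND_K, 0, 0, 0xf0 },    /* version nibble      */
    { JEQ_K, 0, 3, 0x40 },                            /* == 4?               */
    { LD_B_ABS, 0, 0, 23 }, { JEQ_K, 0, 1, 6 },       /* IP protocol == TCP? */
    { RET_K, 0, 0, 0x40000 },                         /* accept              */
    { RET_K, 0, 0, 0 },                               /* reject              */
};
uint32_t filter_ipv4_tcp(const uint8_t *p, size_t len)
{ return bpf_run(ipv4_tcp, sizeof ipv4_tcp / sizeof ipv4_tcp[0], p, len); }

/* Constructed sample frames: only the bytes the filter inspects are set. */
static const uint8_t tcp_pkt[34] = { [12] = 0x08, [14] = 0x45, [23] = 6 };
static const uint8_t udp_pkt[34] = { [12] = 0x08, [14] = 0x45, [23] = 17 };

int main(void) { printf("%u %u %u\n", filter_ipv4_tcp(tcp_pkt, 34),
    filter_ipv4_tcp(udp_pkt, 34), filter_ipv4_tcp(tcp_pkt, 20)); return 0; }
```

The third call passes a frame truncated to 20 bytes, so the load at offset 23 fails the bounds check and the packet is rejected instead of memory beyond the buffer being read.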

The interpreter can run in kernel mode or user mode. Kernel-mode interpreters are used, for example, for socket filters on Linux or in the WinPcap mechanisms. A user-mode interpreter is provided by the libpcap/WinPcap implementation of the pcap API, so that packets can be filtered in user mode on systems without kernel-mode support for the filter mechanism.

In 2007, Robert Watson and Christian Peron added zero-copy buffer extensions to the BPF implementation. With these, packets captured by the device driver can be written directly into the memory of user-mode programs, which eliminates an additional copy of the data.
