Hey,
BPF is a really cool pseudo device (software that's accessed like a device; you'll see it in /dev). It is programmed with an assembly-like load/store instruction set. This is a very efficient way of filtering incoming packets.

It is used by tcpdump, pcap and ppp. It's neat, but it doesn't know about state, which PF does. BPF is used (or can be used) on a lot of systems, but it is BSD native, as the name indicates. There has been some research on adding state and performance enhancements in projects named BPF+ and DBPF.

I'm looking at the tradeoff of porting bpf with states from Linux to OpenBSD. Daniel Hartmeier, in "Design and Performance of the OpenBSD Stateful Packet Filter (pf)", says that pf is more efficient than bpf, so it may be pointless. On the other hand, having this facility would increase the richness of our toolkit.




BTW, tcpdump can be used to produce a bpf program, and pcap is a convenient way of using BPF. Here's an example.

mail# tcpdump -d host 192.142.1.1 and dst port 80
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 15
(002) ld       [26]
(003) jeq      #0xc08e0101      jt 6    jf 4
(004) ld       [30]
(005) jeq      #0xc08e0101      jt 6    jf 15
(006) ldb      [23]
(007) jeq      #0x6             jt 9    jf 8
(008) jeq      #0x11            jt 9    jf 15
(009) ldh      [20]
(010) jset     #0x1fff          jt 15   jf 11
(011) ldxb     4*([14]&0xf)
(012) ldh      [x + 16]
(013) jeq      #0x50            jt 14   jf 15
(014) ret      #96
(015) ret      #0
mail#


Respectfully,
Tony Sterrett

[EMAIL PROTECTED]
Consultant in Open Source Software, featuring OpenBSD and Linux.
www.sterrett.net
(858) 433-1467 San Diego
(408) 705-2135 San Jose
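
The tcpdump -d listing in the message above, run through a small interpreter: this is an added example, not code from the thread or from any BPF implementation. The op labels "ldxb_msh" and "ldh_ind", the frame() helper and the OTHER address are assumptions made here; jump targets are absolute, as tcpdump -d prints them.

```python
import struct

# The listing above as (op, k, jt, jf). tcpdump -d prints absolute jump
# targets; the op names "ldxb_msh" and "ldh_ind" are labels made up here
# for "ldxb 4*([k]&0xf)" and "ldh [x + k]".
PROG = [
    ("ldh", 12, 0, 0),      ("jeq", 0x800, 2, 15),        # EtherType IPv4?
    ("ld", 26, 0, 0),       ("jeq", 0xc08e0101, 6, 4),    # src == host?
    ("ld", 30, 0, 0),       ("jeq", 0xc08e0101, 6, 15),   # dst == host?
    ("ldb", 23, 0, 0),      ("jeq", 0x6, 9, 8),           # TCP?
    ("jeq", 0x11, 9, 15),                                 # UDP?
    ("ldh", 20, 0, 0),      ("jset", 0x1fff, 15, 11),     # later fragment?
    ("ldxb_msh", 14, 0, 0), ("ldh_ind", 16, 0, 0),        # x = IP hdr len
    ("jeq", 0x50, 14, 15),                                # dst port 80?
    ("ret", 96, 0, 0),      ("ret", 0, 0, 0),             # accept / drop
]
WIDTH = {"ldb": 1, "ldh": 2, "ld": 4, "ldh_ind": 2, "ldxb_msh": 1}

def run(prog, pkt):
    """Interpret prog over pkt; return the snap length (0 means drop)."""
    a = x = pc = 0
    while True:
        op, k, jt, jf = prog[pc]
        pc += 1
        if op in WIDTH:
            off = x + k if op == "ldh_ind" else k
            if off + WIDTH[op] > len(pkt):
                return 0              # out-of-bounds load rejects the packet
            val = int.from_bytes(pkt[off:off + WIDTH[op]], "big")
            if op == "ldxb_msh":
                x = 4 * (val & 0xF)   # IP header length in bytes
            else:
                a = val
        elif op == "jeq":
            pc = jt if a == k else jf
        elif op == "jset":
            pc = jt if a & k else jf
        elif op == "ret":
            return k

def frame(src, dst, proto, dport, frag=0):
    """Constructed Ethernet + IPv4 (20-byte header) + 20 bytes of L4."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, frag, 64, proto, 0,
                     bytes(src), bytes(dst))
    return (bytes(12) + b"\x08\x00" + ip
            + struct.pack("!HH", 40000, dport) + bytes(16))

HOST, OTHER = (192, 142, 1, 1), (10, 0, 0, 5)   # OTHER is constructed
```

The jset at (010) sends every non-first IP fragment to the drop return, since the port field is only present in the first fragment; a filter like this never sees the rest of a fragmented datagram.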


On Feb 13, 2006, at 3:17 PM, Ray Lai wrote:

On Mon, Feb 13, 2006 at 05:28:22PM -0500, Jason Crawford wrote:
Well in the case of /usr/src, I think you just MIGHT hit the maximum
argument length for the shell by using xargs, unless you did it inside
of each directory in /usr/src. That and well, explaining xargs to Dave
will end up leading to another 20+ mail thread....

xargs runs the command multiple times when it hits this limit:

        [EMAIL PROTECTED] jot 0 | xargs echo | sed 's/ .*//'
        1
        5001
        10001
        15001
        20001
        25001
        ^C

The manual tries to describe this behavior:

        Any arguments specified on the command line are given to the utility
        upon each invocation, followed by some number of the arguments read
        from standard input. The utility is repeatedly executed one or more
        times until standard input is exhausted.

-Ray-
