Chapter 31. BPF: BSD Packet Filter


Section 31.1. Introduction
Section 31.2. Code Introduction
Section 31.3. bpf_if Structure
Section 31.4. bpf_d Structure
Section 31.5. BPF Input
Section 31.6. BPF Output
Section 31.7. Summary




TCP/IP Illustrated, Volume 2: The Implementation
By Gary R. Wright, W. Richard Stevens


31.1 Introduction

The BSD Packet Filter (BPF) is a software device that "taps" network interfaces. A process accesses a BPF device by opening /dev/bpf0, /dev/bpf1, and so on. Each BPF device can be opened only by one process at a time.

Since each BPF device allocates 8192 bytes of buffer space, the system administrator typically limits the number of BPF devices. If open returns EBUSY, the device is in use, and a process tries the next device until the open succeeds.

The device is configured with several ioctl commands that associate the device with a network interface and install filters to receive incoming packets selectively. Packets are received by reading from the device, and packets are queued on the network interface by writing to the device.

We will use the term packet even though frame is more accurate, since BPF works at the data-link layer and includes the link-layer headers in the frames it sends and receives.

BPF works only with network interfaces that have been modified to support BPF. In Chapter 3 we saw that the Ethernet, SLIP, and loopback drivers call bpfattach. This call configures the interface for access through the BPF devices. In this section we show how the BPF device driver is organized and how packets move between the driver and the network interfaces.

BPF is normally used as a diagnostic tool to examine the traffic on a locally attached network. The tcpdump program is the best example of such a tool and is described in Appendix A of Volume 1. Normally the user is interested in packets between a given set of machines, or for a particular protocol, or even for a particular TCP connection. A BPF device can be configured with a filter that discards or accepts incoming packets according to a filter specification. Filters are specified as instructions to a pseudomachine. The details of BPF filters are not discussed in this text. For more information about filters, see bpf(4) and [McCanne and Jacobson 1993].




31.2 Code Introduction

The code for the portion of the BPF device driver that we describe resides in the two headers and one C file listed in Figure 31.1.

Figure 31.1. Files discussed in this chapter.

Global Variables

The global variables introduced in this chapter are shown in Figure 31.2.

Figure 31.2. Global variables introduced in this chapter.

Statistics

Figure 31.3 shows the two statistics collected in the bpf_d structure for every active BPF device.

Figure 31.3. Statistics collected in this chapter.

The remainder of this chapter is divided into four sections:

BPF interface structures,
BPF device descriptors,
BPF input processing, and
BPF output processing.






31.3 bpf_if Structure

BPF keeps a list of the network interfaces that support BPF. Each interface is described by a bpf_if structure, and the global pointer bpf_iflist points to the first structure in the list. Figure 31.4 shows a BPF interface structure.

Figure 31.4. bpf_if structure.

67-69

bif_next points to the next BPF interface structure in the list. bif_dlist points to a list of BPF devices that have been opened and configured to tap this interface.

70

bif_driverp points to a bpf_if pointer stored in the ifnet structure of the tapped interface. When the interface is not tapped, *bif_driverp is null. When a BPF device is configured to tap an interface, *bif_driverp is changed to point back to the bpf_if structure and tells the interface to begin passing packets to BPF.

71

The type of interface is saved in bif_dlt. The values for our example interfaces are shown in Figure 31.5.

Figure 31.5. bif_dlt values.

72-74

Each packet accepted by BPF has a BPF header prepended to it. bif_hdrlen is the size of the header. Finally, bif_ifp points to the ifnet structure for the associated interface.

Figure 31.6 shows the bpf_hdr structure that is prepended to every incoming packet.

Figure 31.6. bpf_hdr structure.

122-128

bh_tstamp records the time the packet was captured. bh_caplen is the number of bytes saved by BPF, and bh_datalen is the number of bytes in the original packet. bh_headlen is the size of the bpf_hdr structure plus any padding. This value should match bif_hdrlen for the receiving interface and is used by processes to interpret the packets read from the BPF device.
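The following added example (not code from the book or from the BSD sources) shows how a process can use the header fields described above to interpret a buffer read from a BPF device, rejecting any header whose lengths are inconsistent with the buffer before trusting them. It goes beyond this section by walking a buffer that holds several records, as bpf(4) describes. The names bpf_hdr32, bpf_walk and bpf_put are hypothetical, and the 32-bit field layout and 4-byte record alignment are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: 4.4BSD bpf_hdr on a 32-bit host, field names as on this page. */
struct bpf_hdr32 {
    int32_t  tv_sec, tv_usec;  /* bh_tstamp */
    uint32_t bh_caplen;        /* bytes saved by BPF */
    uint32_t bh_datalen;       /* bytes in the original packet */
    uint16_t bh_headlen;       /* bpf_hdr size plus padding */
};
#define HDR_MIN 18u                              /* header bytes before padding */
#define WORDALIGN(x) (((x) + 3u) & ~(size_t)3u)  /* assumed 4-byte record alignment */

/* Walk one read() buffer. Stores the offset of each frame in off[] and returns
 * the record count, or -1 as soon as a header is inconsistent with the buffer. */
int bpf_walk(const uint8_t *buf, size_t len, size_t *off, int max)
{
    struct bpf_hdr32 h;
    size_t pos = 0;
    int n = 0;
    while (pos < len && n < max) {
        if (len - pos < HDR_MIN) return -1;         /* truncated header */
        memcpy(&h, buf + pos, HDR_MIN);             /* copy out: no unaligned loads */
        if (h.bh_headlen < HDR_MIN) return -1;      /* header shorter than its fields */
        if (h.bh_caplen > h.bh_datalen) return -1;  /* cannot save more than arrived */
        if (h.bh_headlen > len - pos ||
            h.bh_caplen > len - pos - h.bh_headlen) return -1;  /* runs past buffer */
        off[n++] = pos + h.bh_headlen;              /* link-layer header starts here */
        pos += WORDALIGN((size_t)h.bh_headlen + h.bh_caplen);
    }
    return n;
}

/* Constructed sample data: write one record at pos, return the next record offset. */
size_t bpf_put(uint8_t *buf, size_t pos, uint32_t cap, uint32_t datalen, uint16_t hlen)
{
    struct bpf_hdr32 h = { 0, 0, cap, datalen, hlen };
    memcpy(buf + pos, &h, HDR_MIN);
    return pos + WORDALIGN((size_t)hlen + cap);
}

int main(void)
{
    uint8_t buf[256] = { 0 };
    size_t off[8], end = bpf_put(buf, bpf_put(buf, 0, 14, 60, 20), 60, 60, 20);
    printf("%d records\n", bpf_walk(buf, end, off, 8));
    return 0;
}
```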

Figure 31.7 shows how bpf_if structures are connected to the ifnet structures for each of our three sample interfaces (le_softc[0], sl_softc[0], and loif).

Figure 31.7. bpf_if and ifnet structures.

Notice that bif_driverp points to the if_bpf and sc_bpf pointers in the network interfaces and not to the interface structures.

The SLIP device uses sc_bpf, instead of


