@(#) $Header: /afs/sipb/project/tcpdump/repository/bpf/README,v 1.1.1.4 1996/12/16 07:37:06 jhawk Exp $ (LBL)

BPF 1.1
Lawrence Berkeley Laboratory
Network Research Group
bpf@ee.lbl.gov
ftp://ftp.ee.lbl.gov/bpf-*.tar.Z

This directory contains the files necessary to install the Berkeley
Packet Filter (BPF) in a BSD (or BSD-like) kernel. BPF is derived
from the Stanford/CMU enet packet filter that was distributed with
4.3BSD. We have made no efforts to keep the two interfaces compatible.

BPF is described in the 1993 Winter USENIX paper ``The BSD Packet
Filter: A New Architecture for User-level Packet Capture''. A
compressed postscript version is in:

    ftp://ftp.ee.lbl.gov/papers/bpf-usenix93.ps.Z

BPF has been tested on hp300's running BSD Tahoe/Reno, Sparcstations
running SunOS 4, Sparcstations running BSD Reno, and Sun 3's running
SunOS 3. We have configured it into the BSD Lance ethernet driver,
the Sun LANCE and Intel drivers, and our CSLIP driver (BSD, SunOS 3
and 4).

The modified BSD driver is included in this distribution. Due to
source license restrictions, the Sun drivers cannot be made available.
If you have full SunOS source, you can apply the context diffs in
sunif to the if_le.c and if_levar.h SunOS 4 lance source. Already
compiled .o's can be found in SUNOS4. For more information see the
INSTALL file.

There are patches for various flavors of loopback interface in
{net,netinet}/if_loop.c*.

BPF is standard in 4.4BSD, BSD/386, NetBSD, and FreeBSD. DEC OSF/1
uses the packetfilter interface but has been extended to accept BPF
filters (which libpcap utilizes). Also, you can add BPF filter support
to Ultrix using the kernel source and/or object patches available in:

    ftp://gatekeeper.dec.com/pub/DEC/net/bpfext43.tar.Z

A new feature of the BPF release is kernel port filters, which provide
the functionality of tcp_wrappers but at the kernel level. Basically,
the system administrator can load bpf filters into the kernel, one
for UDP and one for TCP, using the setbpfilter(8) program (included in
this package). In the case of TCP, new connection attempts that match
the filter are refused as if there was no server listening on the
port. In the case of UDP, packets that match the filter are rejected
with an ICMP "port unreachable." Obviously the UDP case is more
expensive since the filter must be applied to all packets. See the
setbpfilter(8) man page for more information.

Please send bugs and comments to bpf@ee.lbl.gov.

 - Steve McCanne
   Craig Leres
   Van Jacobson
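
As an added illustration of the kernel port filter paragraph above (this is not code from the BPF distribution), the C program below runs a classic BPF filter that matches TCP packets to port 23 over constructed sample packets. The opcode values follow the classic BPF encoding; the names, the choice of port, and the assumption that the filter sees the packet starting at the IP header and that a nonzero return means "match" are illustrative, and how setbpfilter(8) loads a filter is not shown.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Classic BPF instruction layout and the opcodes used by this filter. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LDB_ABS = 0x30, LDH_ABS = 0x28, LDH_IND = 0x48, LDXB_MSH = 0xb1,
       JEQ_K = 0x15, JSET_K = 0x45, RET_K = 0x06 };

/* Assumption: the filter is applied to the packet from the IP header on. */
static const struct insn tcp_port23[] = {
    { LDB_ABS,  0, 0, 9 },      /* A = IP protocol field                */
    { JEQ_K,    0, 6, 6 },      /* not TCP: jump to "no match"          */
    { LDH_ABS,  0, 0, 6 },      /* A = flags and fragment offset        */
    { JSET_K,   4, 0, 0x1fff }, /* non-first fragment: "no match"       */
    { LDXB_MSH, 0, 0, 0 },      /* X = IP header length in bytes        */
    { LDH_IND,  0, 0, 2 },      /* A = TCP destination port at [X + 2]  */
    { JEQ_K,    0, 1, 23 },     /* port 23?                             */
    { RET_K,    0, 0, 1 },      /* match                                */
    { RET_K,    0, 0, 0 },      /* no match                             */
};

/* Interpreter for the subset above; a load past the end returns 0. */
static uint32_t run_filter(const struct insn *pc, const uint8_t *p, size_t len)
{
    uint32_t a = 0, x = 0, k;
    for (;; pc++) {
        k = pc->k;
        switch (pc->code) {
        case LDB_ABS:  if (k >= len) return 0; a = p[k]; break;
        case LDH_IND:  k += x; /* fall through */
        case LDH_ABS:  if ((size_t)k + 2 > len) return 0;
                       a = ((uint32_t)p[k] << 8) | p[k + 1]; break;
        case LDXB_MSH: if (k >= len) return 0; x = (p[k] & 0x0fu) << 2; break;
        case JEQ_K:    pc += (a == k) ? pc->jt : pc->jf; break;
        case JSET_K:   pc += (a & k) ? pc->jt : pc->jf; break;
        case RET_K:    return k;
        default:       return 0;   /* unknown opcode: treat as no match */
        }
    }
}

/* Constructed sample packets: 20-byte IPv4 header plus the two port fields. */
static const uint8_t pkt_telnet[] = {0x45,0,0,40, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2, 4,0, 0,23};
static const uint8_t pkt_http[]   = {0x45,0,0,40, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2, 4,0, 0,80};
static const uint8_t pkt_udp[]    = {0x45,0,0,28, 0,0,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,2, 4,0, 0,23};

int main(void)
{
    printf("tcp/23 %u, tcp/80 %u, udp/23 %u\n",
           (unsigned)run_filter(tcp_port23, pkt_telnet, sizeof pkt_telnet),
           (unsigned)run_filter(tcp_port23, pkt_http, sizeof pkt_http),
           (unsigned)run_filter(tcp_port23, pkt_udp, sizeof pkt_udp));
    return 0;
}
```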