Berkeley Packet Filter - /dev/bpf Question

Hello,

I have done some searching and I can't for the life of me remember/find this info. Running a FreeBSD 8.x system and I see that /dev/bpf0 is symlinked to /dev/bpf.

Code:
#ls -al /dev/bpf*
crw-r-----  1 root  wheel    0,  13 Dec  8 13:51 /dev/bpf
lrwxr-xr-x  1 root  wheel         3 Dec  8 13:51 /dev/bpf0 -> bpf
#
On an older system running FreeBSD 7.x I see /dev/bpf[0-9].

Code:
# ls -al /dev/bpf*
crw-------  1 root  wheel    0, 110 May 17  2010 /dev/bpf0
crw-------  1 root  wheel    0, 111 May 17  2010 /dev/bpf1
crw-------  1 root  wheel    0, 119 Dec  7 16:59 /dev/bpf2
crw-------  1 root  wheel    0, 108 Dec  7 16:57 /dev/bpf3
crw-------  1 root  wheel    0, 121 May 17  2010 /dev/bpf4
#
Why the change? Is /dev/bpf[0-9] no longer required?

Thanks for the info. :)
 
Ok, after further searching, I think I found the answer. Please correct me if I'm wrong. :)
It is now a "cloning device"?

Berkeley Packet Filter

The Berkeley Packet Filter (BPF) (sys/net/bpf.c) provides link layer access to data available on the network through interfaces attached to the system. BPF is used by opening a device node, /dev/bpf, and issuing ioctls to control the operation of the device. A popular example of a tool using BPF is tcpdump.

The device /dev/bpf is a cloning device, meaning it can be opened multiple times. It is in principle similar to a cloning interface, except BPF provides no network interface, only a method to open the same device multiple times.

To capture network traffic, a BPF device must be attached to an interface. The traffic on this interface is then passed to BPF for evaluation. For attaching an interface to an open BPF device, the ioctl BIOCSETIF is used. The interface is identified by passing a struct ifreq, which contains the interface name in ASCII encoding. This is used to find the interface from the kernel tables. BPF registers itself to the interface's struct ifnet field if_bpf to inform the system that it is interested in traffic on this particular interface. The listener can also pass a set of filtering rules to capture only certain packets, for example ones matching a given host and port combination.
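The attach step described in the quoted text, as an added example that is not part of the original post or of FreeBSD's own code: it opens the cloning node /dev/bpf and issues BIOCSETIF with a struct ifreq. The helper names copy_ifname and bpf_attach and the interface name em0 are assumptions; the device path and ioctl are FreeBSD-specific, so on other platforms bpf_attach fails with ENOSYS.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#if defined(__FreeBSD__)
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <net/if.h>
#include <net/bpf.h>
#endif

/* Copy an interface name into dst (sized like ifr_name). Reject empty or
 * over-long names: a truncated name could attach to a different interface. */
int copy_ifname(char *dst, size_t dstlen, const char *ifname)
{
    size_t n = ifname ? strlen(ifname) : 0;
    if (n == 0 || n >= dstlen) { errno = EINVAL; return -1; }
    memcpy(dst, ifname, n + 1);          /* n + 1 includes the NUL */
    return 0;
}

/* Open the cloning node and attach it to ifname; returns an fd or -1. */
int bpf_attach(const char *ifname)
{
#if defined(__FreeBSD__)
    struct ifreq ifr;
    memset(&ifr, 0, sizeof(ifr));
    if (copy_ifname(ifr.ifr_name, sizeof(ifr.ifr_name), ifname) != 0) return -1;
    int fd = open("/dev/bpf", O_RDONLY); /* every open() is a separate instance */
    if (fd < 0) return -1;               /* EACCES: check the node's mode/owner */
    if (ioctl(fd, BIOCSETIF, &ifr) < 0) {
        close(fd);
        return -1;
    }
    return fd;
#else
    (void)ifname;
    errno = ENOSYS;                      /* this example targets FreeBSD only */
    return -1;
#endif
}

int main(int argc, char **argv)
{
    int fd = bpf_attach(argc > 1 ? argv[1] : "em0"); /* "em0": assumed name */
    if (fd < 0) { perror("bpf_attach"); return 1; }
    return close(fd);
}
```

With the node modes shown in the listings above, the open() succeeds only for root (7.x, crw-------) or for root and read-only members of wheel (8.x, crw-r-----), which is what limits who can capture traffic.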
 