Steven McCanne and Van Jacobson Lawrence Berkeley Laboratory One Cyclotron Road Berkeley, CA 94720 [email protected], [email protected] December 19, 1992
Abstract
Many versions of Unix provide facilities for user-level packet capture, making possible the use of general purpose workstations for network monitoring. Because network monitors run as user-level processes, packets must be copiedacross the kernel/user-space protection boundary. This copying can be minimized by deploying a kernel agent called a packet ?lter, which discards unwanted packets as early as possible. The original Unix packet ?lter was designed around a stack-based ?lter evaluator that performs sub-optimally on current RISC CPUs. The BSD Packet Filter (BPF) uses a new, registerbased ?lter evaluator that is up to 20times faster than the original design. BPF also uses a straightforward buffering strategy that makes its overall performance up to 100 times faster than Sun’s NIT running on the same hardware.
SunOS, the Ultrix Packet Filter[2] in DEC’s Ultrix and Snoop in SGI’s IRIX. These kernel facilities derive from pioneering work done at CMU and Stanford to adapt the Xerox Alto ‘packet ?lter’ to a Unixkernel[8]. When completed in 1980, the CMU/Stanford Packet Filter, CSPF, provided a much needed and widely used facility. However on today’s machines its performance, and the performance of its descendents, leave much to be desired — a design that was entirely appropriate for a 64KB PDP-11 is simply not a good match to a 16MB Sparcstation 2. This paper describes the BSD Packet Filter, BPF, a newkernel architecture for packet capture. BPF offers substantial performance improvement over existing packet capture facilities—10 to 150 times faster than Sun’s NIT and 1.5 to 20 times faster than CSPF on the same hardware and traf?c mix. The performance increase is the result of two architectural improvements: BPF uses a re-designed, register-based ‘?lter machine’ that can be implemented ef?ciently ontoday’s register based RISC CPU. CSPF used a memory-stack-based ?lter machine that worked well on the PDP-11 but is a poor match to memory-bottlenecked modern CPUs.
¤
1 Introduction
Unix has become synonymous with high quality networking and today’s Unix users depend on having reliable, responsive network access. Unfortunately, this dependence means that network trouble can make itimpossible to get useful work done and increasingly users and system administrators ?nd that a large part of their time is spent isolating and ?xing network problems. Problem solving requires appropriate diagnostic and analysis tools and, ideally, these tools should be available where the problems are—on Unix workstations. To allow such tools to be constructed, a kernel must contain some facility thatgives user-level programs access to raw, unprocessed network traf?c.[7] Most of today’s workstation operating systems contain such a facility, e.g., NIT[10] in
This is a preprint of a paper to be presented at the 1993 Winter USENIX conference, January 25–29, 1993, San Diego, CA. This work was supported by the Director, Of?ce of Energy Research, Scienti?c Computing Staff, of the U.S. Department ofEnergy under Contract No. DE-AC03-76SF00098.
£ ¢
BPF uses a simple, non-shared buffer model made possible by today’s larger address spaces. The model is very ef?cient for the ‘usual cases’ of packet capture.1
¤
In this paper, we present the design of BPF, outline how it interfaces with the rest of the system, and describe the new approach to the ?ltering mechanism. Finally, we presentperformance measurements of BPF, NIT, and CSPF which show why BPF performs better than the other approaches.
1 As opposed to, for example, the AT&T STREAMS buffer model used by NIT which has enough options to be Turing complete but appears to be a poor match to any practical problem.
1
The BSD Packet Filter: A New Architecture for User-level Packet Capture
¡ ¡
2
BPF – The BSD Packet…
