Talk:Berkeley Packet Filter

Importance of BPF
There are really two parts. One is the packet capture mechanism, which is supported by most BSD-derived Unix operating systems, as well as a few other Unix variants (AIX, SunOS (as a patch), maybe OSF/1). Much more significant is the BPF packet filtering virtual machine; largely compatible versions are implemented in many different operating systems, including Linux and even Windows (in several different driver implementations). Derivative versions of it are implemented in other operating systems (Solaris) and I think, even some hardware products, like specialized network monitoring NICs. Finally, the libpcap portable packet capture library includes a user-level filtering implementation of BPF, so that it can be used even on systems where the OS and drivers do not support it natively or are not present (Solaris, HP-UX, Windows, and others).

Because of this prevalence, BPF has become somewhat of a common denominator for network traffic filtering; just as the x86 instruction set is for PCs, the BPF filter instruction set is the de facto standard for network monitoring and management applications. Just as most PC applications are written in high-level languages that are compiled into x86 instructions, most network traffic filters are written in the more human-readable filter expressions implemented in libpcap (notably in the ubiquitous tcpdump program) and compiled into BPF instructions.

@alex 02:22, 14 September 2006 (UTC)
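The post above describes the BPF filter virtual machine and the way libpcap compiles human-readable filter expressions into its instructions. The following is an added worked example, not code from the original talk page, from libpcap or from tcpdump: a small interpreter for the classic BPF instruction set in C, running a hand-written filter program equivalent to "IPv4, not a later fragment, TCP, destination port 80" over an Ethernet link layer, against constructed (not captured) frames. The instruction encoding is the documented classic one (BSD bpf.h / Linux sock_filter); the function and array names (`bpf_run`, `build_frame`, `filter_accepts`, `tcp_dport80`) and the frames are this example's own. The program is written by hand to illustrate the VM; it is not claimed to be byte-for-byte what libpcap emits for that expression.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Classic BPF opcode fields (encoding shared by BSD bpf.h and Linux sock_filter). */
#define BPF_LD   0x00
#define BPF_LDX  0x01
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_H    0x08
#define BPF_B    0x10
#define BPF_ABS  0x20
#define BPF_IND  0x40
#define BPF_MSH  0xa0
#define BPF_JEQ  0x10
#define BPF_JSET 0x40
#define BPF_K    0x00

struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Interpreter for the subset of the classic BPF VM used by the program below
   (example code, not the BSD/Linux/libpcap implementation). Every packet load
   is bounds-checked; a load past the end of the packet ends the program with 0
   (drop), which is the classic BPF semantics. Return value is the RET operand:
   number of bytes to keep, 0 = drop. */
uint32_t bpf_run(const struct bpf_insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0;
    size_t pc = 0;
    while (pc < n) {
        const struct bpf_insn *in = &prog[pc++];
        uint64_t off;
        switch (in->code) {
        case BPF_LD | BPF_H | BPF_ABS:            /* A = 16-bit big-endian word at pkt[k] */
            if ((uint64_t)in->k + 2 > len) return 0;
            A = (uint32_t)pkt[in->k] << 8 | pkt[in->k + 1];
            break;
        case BPF_LD | BPF_B | BPF_ABS:            /* A = byte at pkt[k] */
            if ((uint64_t)in->k + 1 > len) return 0;
            A = pkt[in->k];
            break;
        case BPF_LD | BPF_H | BPF_IND:            /* A = 16-bit word at pkt[X + k] */
            off = (uint64_t)X + in->k;
            if (off + 2 > len) return 0;
            A = (uint32_t)pkt[off] << 8 | pkt[off + 1];
            break;
        case BPF_LDX | BPF_B | BPF_MSH:           /* X = 4 * (pkt[k] & 0xf): the IPv4 IHL idiom */
            if ((uint64_t)in->k + 1 > len) return 0;
            X = (pkt[in->k] & 0x0f) * 4;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:  pc += (A == in->k) ? in->jt : in->jf; break;
        case BPF_JMP | BPF_JSET | BPF_K: pc += (A & in->k)  ? in->jt : in->jf; break;
        case BPF_RET | BPF_K:            return in->k;
        default:                         return 0;  /* opcode not implemented here: reject */
        }
    }
    return 0;                                      /* fell off the end: drop */
}

/* Hand-written filter: Ethernet, IPv4, first fragment, TCP, destination port 80. */
static const struct bpf_insn tcp_dport80[] = {
    { BPF_LD  | BPF_H | BPF_ABS,  0, 0, 12 },      /* A = EtherType            */
    { BPF_JMP | BPF_JEQ | BPF_K,  0, 8, 0x0800 },  /* not IPv4 -> drop (insn 10)*/
    { BPF_LD  | BPF_B | BPF_ABS,  0, 0, 23 },      /* A = IP protocol          */
    { BPF_JMP | BPF_JEQ | BPF_K,  0, 6, 6 },       /* not TCP -> drop          */
    { BPF_LD  | BPF_H | BPF_ABS,  0, 0, 20 },      /* A = flags + frag offset  */
    { BPF_JMP | BPF_JSET | BPF_K, 4, 0, 0x1fff },  /* later fragment -> drop   */
    { BPF_LDX | BPF_B | BPF_MSH,  0, 0, 14 },      /* X = IPv4 header length   */
    { BPF_LD  | BPF_H | BPF_IND,  0, 0, 16 },      /* A = TCP dst port (14+X+2)*/
    { BPF_JMP | BPF_JEQ | BPF_K,  0, 1, 80 },
    { BPF_RET | BPF_K,            0, 0, 262144 },  /* accept, keep up to 256 KiB */
    { BPF_RET | BPF_K,            0, 0, 0 },       /* drop                     */
};
#define NPROG (sizeof tcp_dport80 / sizeof tcp_dport80[0])

/* Build a constructed Ethernet/IPv4/TCP frame (not a real capture) into buf;
   ihl is the IPv4 header length in 32-bit words. Returns the frame length. */
size_t build_frame(uint8_t *buf, uint16_t ethertype, uint8_t ihl, uint8_t proto,
                   uint16_t frag, uint16_t dport)
{
    size_t iplen = (size_t)ihl * 4, n = 14;
    memset(buf, 0, n + iplen + 20);
    buf[12] = ethertype >> 8; buf[13] = ethertype & 0xff;
    buf[n] = 0x40 | ihl;                              /* version 4, IHL */
    buf[n + 2] = (iplen + 20) >> 8; buf[n + 3] = (iplen + 20) & 0xff;
    buf[n + 6] = frag >> 8; buf[n + 7] = frag & 0xff;
    buf[n + 8] = 64; buf[n + 9] = proto;
    n += iplen;                                       /* options, if any, are zero bytes */
    buf[n] = 0xc0;                                    /* src port 49152 */
    buf[n + 2] = dport >> 8; buf[n + 3] = dport & 0xff;
    buf[n + 12] = 0x50; buf[n + 13] = 0x02;           /* data offset 5, SYN */
    return n + 20;
}

int filter_accepts(uint16_t ethertype, uint8_t ihl, uint8_t proto, uint16_t frag, uint16_t dport)
{
    uint8_t buf[128];
    size_t len = build_frame(buf, ethertype, ihl, proto, frag, dport);
    return bpf_run(tcp_dport80, NPROG, buf, len) > 0;
}

/* Run the filter on a matching frame that has been cut short at len bytes. */
uint32_t bpf_run_truncated(size_t len)
{
    uint8_t buf[128];
    size_t full = build_frame(buf, 0x0800, 5, 6, 0x4000, 80);
    return bpf_run(tcp_dport80, NPROG, buf, len < full ? len : full);
}

int main(void)
{
    printf("tcp/80:          %d\n", filter_accepts(0x0800, 5, 6, 0x4000, 80));
    printf("tcp/80, options: %d\n", filter_accepts(0x0800, 6, 6, 0, 80));
    printf("udp/80:          %d\n", filter_accepts(0x0800, 5, 17, 0, 80));
    printf("truncated:       %u\n", bpf_run_truncated(30));
    return 0;
}
```

The IHL-scaled indirect load (`ldxb 4*([14]&0xf)` followed by `ldh [x+16]`) is what lets one program handle IPv4 headers with and without options, and the fragment-offset test keeps the filter from reading "port" bytes out of the payload of a later fragment. Real kernels additionally verify a program before loading it (jumps may only go forward, every path must end in a RET), so the interpreter's `pc < n` bound and runtime load checks are the only safety properties this user-space example relies on. To compare with what libpcap actually generates, `tcpdump -d 'ip and tcp dst port 80'` prints the compiled program in the same mnemonics.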


 * The "BPF as capture mechanism" and "BPF as filtering mechanism" split is now discussed in the lede and the article. Guy Harris (talk) 23:21, 29 May 2022 (UTC)

Outdated?
Could somebody indicate what they consider to be out-of-date in the article? Guy Harris (talk) 18:37, 24 August 2012 (UTC)

For example: "SCO has not explained or acknowledged the mistake but the ongoing legal action may eventually force an answer." pointing to a gnu.org article from 2003. If this is still going on, more sources and more recent sources are necessary. Ngzero (talk) 00:01, 14 September 2019 (UTC)

eBPF: the next Linux firewall
It appears that extended BPF (eBPF), not nftables, will replace iptables in Linux.


 * https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/
 * https://www.littleman.co/articles/coming-to-grips-with-ebpf/

-- ScratchMonkey (talk) 11:16, 24 October 2019 (UTC)


 * Feel free to update Berkeley Packet Filter to mention that eBPF will be replacing iptables. Guy Harris (talk) 11:54, 24 October 2019 (UTC)

Does eBPF deserve its own page?
At this point, the "BPF" in "eBPF" is somewhat historic, as it's being used for purposes having nothing to do with packet filtering; it's more like DTrace in that regard. (One of the purposes for which it's used is packet filtering during packet captures, although the main kernel in which it's used for that purpose has a packet capture mechanism (PF_PACKET sockets) very different from the BPF capture mechanism.) Guy Harris (talk) 19:29, 13 May 2021 (UTC)


 * Hi @Guy Harris, yes, it's very different. We recently wrote an initial draft for an eBPF page https://en.wikipedia.org/wiki/Draft:EBPF, but it's stuck in waiting for review at this point. If you have a chance, would be great if you could take a look. Thanks for your help! Jasonbar3121 (talk) 09:13, 16 November 2022 (UTC)