This tool, BPF Exam, illustrates the theory of Berkeley Packet Filter compilation and the practice of its reference implementation in libpcap. It can be used for troubleshooting and debugging as well. To understand what it does, just press the "examine" button below, see some outputs and continue reading.

Compilation of a BPF expression consists of several steps. The first step translates the expression string into a control flow graph (CFG). The second step is conditional, as specified using the optimize argument to pcap_compile(3PCAP); it optimizes the CFG as discussed in detail in this document. The third step translates the CFG into binary bytecode, which can be used by the OS kernel.

Given a set of input parameters below, BPF Exam tries to produce a number of outputs. The first output is a filter expression that should have the same effect as the input filter expression, but includes all the implied predicates explicitly as determined using Caper, which implements the theory set out in this document. Then follows the compiled filter (also known as "filter program" or "packet-matching code") as a sequence of BPF instructions in two formats: an output of tcpdump -d (which is explained in detail in this document) and a disassembly produced by Radare2. It also tries to reconstruct the final CFG using Radare2 and Graphviz. All these outputs stand for the unoptimized compilation of the filter.

Then, if the optimization attempt has not failed (which can happen, for example, because the filter rejects all packets), BPF Exam displays respective outputs for the optimized compilation plus a snapshot of the CFG for every step of the optimization procedure. The procedure may be internally skipped by libpcap code for some link-layer header types or filter keywords, in which case the unoptimized and the optimized outputs are exactly the same and there are no step-by-step CFG snapshots.

The default filter expression is simple, but representative of everyday BPF usage. You are welcome to experiment with different filter expressions and link-layer header types. If you have any feedback about this tool, please send it to the mailing list.

libpcap version (?):	git master snapshot (with optimizer debugging) 1.10.1 (with optimizer debugging) 1.9.1 (with optimizer debugging) 1.8.1 1.7.4 1.6.2 1.5.3 random (OS default)
Link-layer header type (?):	0: DLT_NULL (BSD loopback encapsulation) 1: DLT_EN10MB (Ethernet) 6: DLT_IEEE802 (802.5 Token Ring) 7: DLT_ARCNET (ARCNET, with BSD-style header) 8: DLT_SLIP (Serial Line IP) 9: DLT_PPP (Point-to-point Protocol) 10: DLT_FDDI (Fiber Distributed Data Interface) 19: DLT_ATM_CLIP (Linux Classical IP over ATM) 50: DLT_PPP_SERIAL (PPP over serial with HDLC encapsulation) 51: DLT_PPP_ETHER (PPP over Ethernet) 99: DLT_SYMANTEC_FIREWALL 100: DLT_ATM_RFC1483 (LLC-encapsulated ATM) 101: DLT_RAW (Raw IP) 104: DLT_C_HDLC (Cisco HDLC) 105: DLT_IEEE802_11 (IEEE 802.11 WLAN) 108: DLT_LOOP (OpenBSD loopback encapsulation) 107: DLT_FRELAY (Frame Relay) 113: DLT_LINUX_SLL (Linux cooked) 114: DLT_LTALK (Apple LocalTalk) 119: DLT_PRISM_HEADER (Prism monitor mode + 802.11) 122: DLT_IP_OVER_FC (IP-over-Fibre Channel) 123: DLT_SUNATM (ATM with SunATM encapsulation) 127: DLT_IEEE802_11_RADIO (Radiotap + IEEE 802.11 WLAN) 129: DLT_ARCNET_LINUX (ARCNET, with Linux-style header) 138: DLT_APPLE_IP_OVER_IEEE1394 163: DLT_IEEE802_11_RADIO_AVS 165: DLT_BACNET_MS_TP (BACnet MS/TP frames) 166: DLT_PPP_PPPD (Point-to-point Protocol) 192: DLT_PPI (Per Packet Information encapsulated packets) 226: DLT_IPNET (Solaris ipnet pseudo-header) 228: DLT_IPV4 (raw IPv4) 229: DLT_IPV6 (raw IPv6) 240: DLT_NETANALYZER 241: DLT_NETANALYZER_TRANSPARENT 276: DLT_LINUX_SLL2 (Linux cooked v2)
Snapshot length (?):
Filter expression (?):
Make a cBPF savefile (?):	no yes, without optimization yes, with optimization