Overview
This tool, BPF Exam, illustrates the theory of Berkeley Packet Filter compilation and the practice of its reference implementation in libpcap. It can be used for troubleshooting and debugging as well. To understand what it does, just press the "examine" button below, see some outputs and continue reading.
Compilation of a BPF expression consists of several steps. The first step translates the expression string into a control flow graph (CFG). The second step is conditional, as specified using the optimize argument to pcap_compile(3PCAP); it optimizes the CFG as discussed in detail in this document. The third step translates the CFG into binary bytecode, which can be used by the OS kernel.
Given a set of input parameters below, BPF Exam displays the compiled filter (also known as "filter program" or "packet-matching code") as a sequence of BPF instructions in two formats: an output of tcpdump -d (which is explained in detail in this document) and a disassembly produced by Radare2. It also tries to reconstruct the final CFG using Radare2 and Graphviz. All these outputs stand for the unoptimized compilation of the filter.
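As an added illustration (not code from BPF Exam, libpcap or tcpdump), the Python below reconstructs a CFG from a listing in the tcpdump -d format: it parses each instruction, splits the program into basic blocks at jump targets and emits Graphviz DOT with the jt/jf edges labelled. The listing is a constructed sample, not the tool's default filter, and only conditional jumps and ret are treated as block terminators.

```python
import re
# Constructed listing in the format of `tcpdump -d` (not from the page): accept IPv4
# packets whose protocol field is TCP (6), reject everything else.
SAMPLE = """\
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 5
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 5
(004) ret      #262144
(005) ret      #0
"""
LINE = re.compile(r"\((\d+)\)\s+(\w+)\s*(\S*)(?:\s+jt\s+(\d+)\s+jf\s+(\d+))?")

def parse(listing):
    """One (opcode, operand, jt, jf) tuple per instruction; jt/jf are None unless conditional."""
    insns = []
    for line in listing.strip().splitlines():
        m = LINE.match(line)
        if not m or int(m.group(1)) != len(insns):
            raise ValueError(f"bad or out-of-order line: {line!r}")
        _, op, arg, jt, jf = m.groups()
        insns.append((op, arg, jt and int(jt), jf and int(jf)))
    return insns

def basic_blocks(insns):
    """Split into basic blocks: {leader_index: (last_index, successor_leaders)}."""
    n, leaders = len(insns), {0}
    for i, (op, _, jt, jf) in enumerate(insns):
        if jt is not None:              # both targets of a conditional jump start blocks
            leaders |= {jt, jf}
        if (jt is not None or op == "ret") and i + 1 < n:
            leaders.add(i + 1)          # so does the instruction after a jump or ret
    cfg = {}
    for start in sorted(leaders):
        end = start
        while end + 1 < n and end + 1 not in leaders: end += 1
        op, _, jt, jf = insns[end]
        succ = (jt, jf) if jt is not None else () if op == "ret" else (end + 1,)
        cfg[start] = (end, succ)
    return cfg

def to_dot(insns, cfg):
    """Render the CFG as Graphviz DOT, one box per basic block, edges labelled jt/jf."""
    out = ["digraph bpf {", "  node [shape=box fontname=monospace];"]
    for start, (end, succ) in cfg.items():
        body = "".join(f"({i:03}) {insns[i][0]} {insns[i][1]}\\l" for i in range(start, end + 1))
        out.append(f'  b{start} [label="{body}"];')
        for label, tgt in zip(("jt", "jf") if len(succ) == 2 else ("",), succ):
            out.append(f'  b{start} -> b{tgt}' + (f' [label="{label}"];' if label else ";"))
    out.append("}")
    return "\n".join(out)
```

Feeding `to_dot(parse(SAMPLE), basic_blocks(parse(SAMPLE)))` to `dot -Tsvg` draws the four-block graph; unconditional ja jumps, which larger programs contain, are not handled and would need a single-successor edge.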
Then, if the optimization attempt has not failed (which can happen, for example, because the filter rejects all packets), BPF Exam displays respective outputs for the optimized compilation plus a snapshot of the CFG for every step of the optimization procedure. The procedure may be internally skipped by libpcap code for some link-layer header types or filter keywords, in which case the unoptimized and the optimized outputs are exactly the same and there are no step-by-step CFG snapshots.
The default filter expression is simple, but representative of everyday BPF usage. You are welcome to experiment with different filter expressions and link-layer header types. If you have any feedback about this tool, please send it to the mailing list.