This tool, BPF Exam, illustrates the theory of Berkeley Packet Filter compilation and the practice of its reference implementation in libpcap. It can also be used for troubleshooting and debugging. To see what it does, press the "examine" button below, look at the outputs, and then continue reading.

Compilation of a BPF expression consists of several steps. The first step translates the expression string into a control flow graph (CFG). The second step is conditional, as specified using the optimize argument to pcap_compile(3PCAP); it optimizes the CFG as discussed in detail in this document. The third step translates the CFG into binary bytecode, which can be used by the OS kernel.

Given the input parameters below, BPF Exam displays the compiled filter (also known as the "filter program" or "packet-matching code") as a sequence of BPF instructions in two formats: the output of tcpdump -d (which is explained in detail in this document) and a disassembly produced by Radare2. It also tries to reconstruct the final CFG using Radare2 and Graphviz. All of these outputs correspond to the unoptimized compilation of the filter.
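As an added illustration of how the bytecode from the third step relates to the tcpdump -d listing (example code, not part of BPF Exam or libpcap), the following Python renders an instruction table in that listing's layout and then executes it over constructed Ethernet frames. The sample program, the frame() helper and the claim that this is what libpcap emits for "ip and tcp" on Ethernet are assumptions; compare against the tool's own output.

```python
# Constructed sample in the {code, jt, jf, k} layout of tcpdump -dd; assumed to be what libpcap emits for "ip and tcp" on Ethernet.
IP_AND_TCP = [
    (0x28, 0, 0, 12),       # ldh [12]      A = EtherType
    (0x15, 0, 3, 0x0800),   # jeq #0x800    IPv4? otherwise jump to ret #0
    (0x30, 0, 0, 23),       # ldb [23]      A = IP protocol
    (0x15, 0, 1, 6),        # jeq #0x6      TCP?
    (0x06, 0, 0, 262144),   # ret #262144   accept (keep up to snaplen bytes)
    (0x06, 0, 0, 0),        # ret #0        reject
]
SIZE = {0x00: ("ld", 4), 0x08: ("ldh", 2), 0x10: ("ldb", 1)}   # BPF_W / BPF_H / BPF_B
JMP = {0x10: "jeq", 0x20: "jgt", 0x30: "jge", 0x40: "jset"}

def disassemble(prog):
    """Render (code, jt, jf, k) tuples in the layout of tcpdump -d (libpcap's bpf_image())."""
    out = []
    for n, (code, jt, jf, k) in enumerate(prog):
        cls, mode, op = code & 0x07, code & 0xe0, code & 0xf0
        if cls == 0 and mode == 0x20:                    # BPF_LD|BPF_ABS: load from packet offset k
            out.append(f"({n:03d}) {SIZE[code & 0x18][0]:<8} [{k}]")
        elif cls == 5 and op in JMP:                     # conditional jump; targets printed as absolute
            opnd = "x" if code & 0x08 else f"#{k:#x}"
            out.append(f"({n:03d}) {JMP[op]:<8} {opnd:<16} jt {n + 1 + jt}\tjf {n + 1 + jf}")
        elif cls == 6:                                   # BPF_RET: bytes to keep, from A or a constant
            out.append(f"({n:03d}) {'ret':<8} " + ("a" if code & 0x18 == 0x10 else f"#{k}"))
        else:
            raise ValueError(f"opcode {code:#x} at {n} is outside this example's subset")
    return "\n".join(out)

def run(prog, pkt):
    """Execute the same subset on one frame; returns the accept length (0 = packet dropped)."""
    a = pc = 0
    while True:
        code, jt, jf, k = prog[pc]
        cls, mode, op = code & 0x07, code & 0xe0, code & 0xf0
        if cls == 0 and mode == 0x20:
            width = SIZE[code & 0x18][1]
            if k + width > len(pkt): return 0            # a load past the end rejects the packet
            a = int.from_bytes(pkt[k:k + width], "big")
            pc += 1
        elif cls == 5 and op in JMP and not code & 0x08:
            taken = {0x10: a == k, 0x20: a > k, 0x30: a >= k, 0x40: bool(a & k)}[op]
            pc += 1 + (jt if taken else jf)
        elif cls == 6:
            return a if code & 0x18 == 0x10 else k
        else:
            raise ValueError(f"opcode {code:#x} at {pc} is outside this example's subset")

def frame(ethertype, proto):  # constructed 34-byte Ethernet + IPv4 header skeleton
    ip = bytes([0x45, 0, 0, 20]) + bytes(5) + bytes([proto]) + bytes(10)
    return bytes(12) + ethertype.to_bytes(2, "big") + ip
```

Printing disassemble(IP_AND_TCP) gives a six-line listing in the tcpdump -d layout, and run(IP_AND_TCP, frame(0x0800, 6)) returns 262144 while an ARP or UDP frame returns 0.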

Then, if the optimization attempt has not failed (which can happen, for example, when the filter rejects all packets), BPF Exam displays the corresponding outputs for the optimized compilation plus a snapshot of the CFG for every step of the optimization procedure. The libpcap code may skip the procedure internally for some link-layer header types or filter keywords, in which case the unoptimized and optimized outputs are identical and there are no step-by-step CFG snapshots.

The default filter expression is simple, but representative of everyday BPF usage. You are welcome to experiment with different filter expressions and link-layer header types. If you have any feedback about this tool, please send it to the mailing list.

Input parameters