5.3. Berkeley Packet Filter (BPF)

The BPF process accesses the /dev/bpfn devices, and reads inbound packets, building up an internal flow cache and writing flows as they expire to the ring buffer.

BPF is only available on BSD systems (e.g. FreeBSD). For packet capture on other systems, the packet capture library (libpcap) interface should be used.

5.3.1. Setting up BPF on BSD systems

pseudo-device   bpf             #Berkeley packet filter

If it is commented out or missing, one should re-insert it and recompile and re-install the kernel.

Note that the standard generic kernel, defined on FreeBSD in /usr/src/sys/i386/conf/GENERIC, should not be modified; create a new kernel with a new name. See your distribution documentation for information on compiling and installing kernels.

There should also be BPF devices in /dev:

# ls -l /dev/bpf*
crw-------  1 root  wheel   23,   0 Jan  7 15:36 /dev/bpf0
crw-------  1 root  wheel   23,   1 Jan  7 15:36 /dev/bpf1
crw-------  1 root  wheel   23,   2 Jan  7 15:36 /dev/bpf2
crw-------  1 root  wheel   23,   3 Jan  7 15:36 /dev/bpf3

Note that unless the collector process is run as root, these will not be accessible under their default permissions. The access modes must be changed to permit access to the user that ipacc processes will be run as. To do this, the ipacc user can be added to the wheel group, by changing /etc/group so that the line:

wheel:*:0:root

reads:

wheel:*:0:root,ipacc

and then the BPF devices can be made group read/writable:

# chmod 660 /dev/bpf*

Alternatively, an additional group may be created to allow ipacc to access the BPF devices without adding ipacc to the wheel group.

Under FreeBSD version 5, the devfs file system is used for the /dev directory tree, creating device entries dynamically. Such dynamic assignments can't be relied on to keep manually set ownership and permissions, and must be set using the devfs configuration tools. The easiest way to set this up is to add to /etc/devfs.conf:

perm bpf0 660

and run the command /etc/rc.d/devfs start to put it into effect. (The latter command will be automatically run on system startup.) An own bpf0 owner:group line in /etc/devfs.conf can be used to set the owner and group if that is required.

5.3.2. Configuring BPF collection

flags can be:

promiscuous	Place interface in promiscuous mode, i.e. the interface will receive all traffic seen on the interface, regardless of whether the traffic was directed at the collector host; this is useful in configurations which passively "sniff" passing traffic, and are not directly involved in routing. Note that if another program puts the same interface into promiscuous mode, the collector may see traffic not intended for it.
inbound	Ignore all outbound traffic, i.e. traffic with a source MAC address matching the interface MAC address, should be ignored. By default, traffic in both directions is counted, which may result in traffic being counted twice.
outbound	Ignore inbound traffic, i.e. traffic with a source MAC address that does not match that of the interface.
broadcasts	Include traffic sent to (or from) the broadcast MAC address (FF:FF:FF:FF:FF:FF). By default, broadcasts are ignored.
multicasts	Include traffic sent to or from a multicast MAC address. By default, multicast traffic is ignored.
address mac-address
	Specify the MAC address of the interface for inbound and outbound checks, in xx:xx:xx:xx:xx:xx format (whare x is a hex digit). This is required on Debian Woody or other Linux systems where the old glibc version supplied does not include the getifaddrs() routine to obtain MAC addresses of interfaces.

The size of the BPF buffer is set by the bpf bufsize size statement, and defaults to 64k. Heavy or highly bursty traffic patterns may require a larger buffer size, e.g. 1 megabyte. Note that large buffers may also be needed if the collector system is often heavily loaded, as scheduling delays may mean that a burst of traffic may overflow the buffer before the collector can run again to process it. The size parameter is in bytes, and may be specified as a quantity.

For example, a BPF configuration, with interface dc1 listening to a shared hub might read:

source hub
	collect bpf dc1 inbound promiscuous
end source

An example of a BPF configuration where the collector is acting as a router, with three interfaces, under heavy load:

source bsdrtr
	collect bpf dc0 outbound
	collect bpf dc1 outbound
	collect bpf dc2 outbound
	bpf bufsize 1m
	flow-cache size 64k
end source

5.3.3. Flow cache tuning

The flow-cache size entries statement determines the maximum number of active flows that can be cached in memory at any time, and should be sized on realistic values. The default is 1024. The parameter is treated as a quantity.

The flow-cache active time and flow-cache inactive time statements determine how long active and inactive flows are retained. An active flow is defined as one that has received data within the inactive timeout, whereas an inactive flow is one where both timeouts have expired. Note that ipacc uses a rolling expiry algorithm, so the flow expiry times are approximate. Times are specified as intervals. The defaults are 60 seconds for an active flow and 20 seconds for an inactive flow.

The flow-cache search count specifies the number of flows that are searched when looking for a cache slot to insert a new entry into. A higher number means that if cache slots are tight, there is a better chance of finding an inactive flow slot to add a new flow into (at the expense of a longer search), whereas a lower number means a shorter search but may require flushing an active flow to make room for the new flow. The default is 8. The parameter is treated as a quantity.