# Berkeley packet filter

> interface to data link layers on a Unix-like system

**Wikidata**: [Q820849](https://www.wikidata.org/wiki/Q820849)  
**Wikipedia**: [English](https://en.wikipedia.org/wiki/Berkeley_Packet_Filter)  
**Source**: https://4ort.xyz/entity/berkeley-packet-filter

---

## Summary  
The Berkeley Packet Filter (BPF) is a software interface to data link layers on Unix-like systems, enabling efficient packet filtering and network monitoring. Developed in 1992 by Van Jacobson, it inspects packets transferred between computers and decides, per packet, whether to accept or discard them. BPF is foundational for tools like `tcpdump` and evolved into eBPF (extended BPF) on modern Linux systems.

## Key Facts  
- **Creator**: Van Jacobson (1992) ([Source](https://www.tcpdump.org/papers/bpf-usenix93.pdf)).  
- **Inception**: 1992 ([Source](https://www.tcpdump.org/papers/bpf-usenix93.pdf)).  
- **Aliases**: BPF, eBPF, BSD Packet Filter, BPF filter, Filtre BPF.  
- **Followed by**: eBPF (extended BPF).  
- **Operating Systems**: FreeBSD (1993), OpenBSD (1995), Linux, Tru64 UNIX (1992).  
- **Instance of**: Bytecode, packet filter.  
- **Named after**: Berkeley Software Distribution ([Source](https://www.tcpdump.org/papers/bpf-usenix93.pdf)).  
- **Wikidata Description**: Interface to data link layers on Unix-like systems.  

## FAQs  
### Q: What is BPF used for?  
A: BPF filters and inspects network packets in real time, enabling tools like `tcpdump` for network analysis and security monitoring.  

### Q: How does BPF differ from eBPF?  
A: BPF is the original packet filtering system, while eBPF (extended BPF) expands its capabilities for modern Linux, supporting broader programmability and performance monitoring.  

### Q: Which operating systems support BPF?  
A: BPF runs on Unix-like systems, including FreeBSD, OpenBSD, Linux, and Tru64 UNIX.  

## Why It Matters  
BPF revolutionized network monitoring by providing a lightweight, efficient way to inspect and filter packets inside the kernel, so that only the packets a filter accepts are copied to user space. Its bytecode-based design allows safe, high-performance packet analysis, making it essential for debugging, intrusion detection, and performance tuning. BPF’s evolution into eBPF further extended its utility, enabling programmable kernel-level functionality in Linux for tasks like tracing and security enforcement. Its impact spans networking, cybersecurity, and system diagnostics.  

## Notable For  
- **Foundational Role**: BPF underpins critical tools like `tcpdump` and Wireshark.  
- **Bytecode Innovation**: Introduced a virtual machine for safe, efficient packet filtering in kernel space.  
- **Evolution to eBPF**: Extended BPF became a cornerstone of modern Linux observability and security.  

## Body  
### Technical Overview  
- **Function**: Filters packets at the data link layer, accepting or rejecting each packet according to a filter program.  
- **Bytecode**: Uses a virtual machine to execute filter programs safely in the kernel.  
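As an added illustration of the bytecode model described above (this is example code written for this entry, not code from the page or from any BPF implementation), the following interprets a small subset of classic BPF, applies the static checks a kernel performs before it will load a filter, and runs the program that `tcpdump -d 'ip and udp'` emits against constructed Ethernet/IPv4 frames. The names `Insn`, `verify`, `run` and `frame` are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Insn:
    """One classic BPF instruction in the shape `tcpdump -d` prints."""
    op: str      # ldb/ldh/ldw: load 1/2/4 bytes at absolute offset k
    k: int       # jeq: branch on A == k; ret: return k (bytes to keep)
    jt: int = 0  # relative offsets taken when the jeq test is true/false
    jf: int = 0

def verify(prog):
    """Static checks a kernel makes before accepting a filter: known opcodes,
    a final ret, and every branch landing forward inside the program."""
    if not prog or prog[-1].op != "ret":
        raise ValueError("program must end with ret")
    for pc, ins in enumerate(prog):
        if ins.op == "jeq":
            if pc + 1 + max(ins.jt, ins.jf) >= len(prog):
                raise ValueError(f"branch leaves program at {pc}")
        elif ins.op not in ("ldb", "ldh", "ldw", "ret"):
            raise ValueError(f"unknown opcode {ins.op!r} at {pc}")

def run(prog, pkt):
    """Interpret a verified program over one packet; a load beyond the packet
    aborts with 0 (drop), as the in-kernel interpreter does."""
    verify(prog)
    acc, pc = 0, 0
    while True:
        ins = prog[pc]
        if ins.op == "ret":
            return ins.k
        if ins.op == "jeq":  # forward-only branches, so this always terminates
            pc += 1 + (ins.jt if acc == ins.k else ins.jf)
            continue
        size = {"ldb": 1, "ldh": 2, "ldw": 4}[ins.op]
        if ins.k + size > len(pkt):
            return 0
        acc = int.from_bytes(pkt[ins.k:ins.k + size], "big")
        pc += 1

# `tcpdump -d 'ip and udp'` transcribed (targets made relative): EtherType 0x0800
# at offset 12, then IP protocol byte at offset 23 == 17 (UDP); 262144 = snaplen.
IP_AND_UDP = [Insn("ldh", 12), Insn("jeq", 0x0800, 0, 3),
              Insn("ldb", 23), Insn("jeq", 17, 0, 1),
              Insn("ret", 262144), Insn("ret", 0)]

def frame(proto):
    """Constructed sample: 14-byte Ethernet + minimal 20-byte IPv4 header."""
    ip = bytes([0x45, 0, 0, 28, 0, 0, 0x40, 0, 64, proto]) + b"\x00" * 10
    return b"\x00" * 12 + b"\x08\x00" + ip
```

A UDP frame returns the snaplen (keep), a TCP frame returns 0 (drop), and a frame truncated before offset 23 is also dropped because the load is bounds-checked rather than reading past the packet.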

### Operating System Support  
- **FreeBSD**: Supported since 1993.  
- **OpenBSD**: Integrated in 1995.  
- **Tru64 UNIX**: Available since 1992.  

### Evolution  
- **eBPF**: Successor to BPF, adding support for complex kernel-level programs in Linux.  

### Creator and Naming  
- **Van Jacobson**: Developed BPF in 1992 while at Lawrence Berkeley Laboratory.  
- **Namesake**: Named after Berkeley Software Distribution (BSD).  

--- 

## References

1. McCanne, S. and Jacobson, V. *The BSD Packet Filter: A New Architecture for User-level Packet Capture*. USENIX Winter 1993. https://www.tcpdump.org/papers/bpf-usenix93.pdf
2. Freebase Data Dumps (2013).