debugging: slides: move libpcap internals details to eBPF section

While discussing how libpcap processes user filters into bpf programs is very useful to introduce bpf/ebpf, it may be too advanced for the section where it is currently located (common debugging tools), and so feel a little bit off topic. Move it to the eBPF section as an introduction. While at it, fix the userspace<->kernel interface: original BPF does not use the bpf() syscall interface, but the socket()/setsockopt() interface. That makes another reason to use it as an introduction to extended BPF rather than an example. Signed-off-by: Alexis Lothoré <[email protected]>
bootlin · Jun 24, 2024 · 9fc0dbb · 9fc0dbb
1 parent cf105b3
commit 9fc0dbb
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 36 deletions.
diff --git a/slides/debugging-common-tools/bpf-setup.dia b/slides/debugging-common-tools/bpf-setup.dia
diff --git a/slides/debugging-common-tools/debugging-common-tools.tex b/slides/debugging-common-tools/debugging-common-tools.tex
@@ -594,40 +594,6 @@ \subsection{Networking observability tools}
     \end{block}
 \end{frame}
 
-\begin{frame}{Packet filtering: BPF --- setup phase}
-  \begin{columns}
-    \column{0.75\textwidth}
-    \begin{itemize}
-    \item tcpdump passes the capture filter string from the user to libpcap
-    \item libpcap compiles the capture filter into a binary program
-      \begin{itemize}
-      \item This program uses the instruction set of an abstract machine
-        (the ``BPF instruction set'')
-      \end{itemize}
-    \item libpcap sends the binary program to the kernel via the
-      \code{bpf()} syscall
-    \end{itemize}
-    \column{0.25\textwidth}
-      \includegraphics[height=0.85\textheight]{slides/debugging-common-tools/bpf-setup.pdf}
-  \end{columns}
-\end{frame}
-
-\begin{frame}{Packet filtering: BPF --- capture phase}
-  \begin{columns}
-    \column{0.55\textwidth}
-    \begin{itemize}
-    \item The kernel implements the BPF ``virtual machine''
-    \item The BPF virtual machine executes the program for every packet
-    \item The program inspects the packet data and returns a non-zero value
-      if the packet must be captured
-    \item If the return value is non-zero, the packet is captured in
-      addition to regular packet processing
-    \end{itemize}
-    \column{0.45\textwidth}
-      \includegraphics[height=0.80\textheight]{slides/debugging-common-tools/bpf-capture.pdf}
-  \end{columns}
-\end{frame}
-
 \begin{frame}{Wireshark}
   \begin{itemize}
   \item Similar to tcpdump, but with a GUI

diff --git a/...es/debugging-common-tools/bpf-capture.dia → ...ing-system-wide-profiling/bpf-capture.dia b/...es/debugging-common-tools/bpf-capture.dia → ...ing-system-wide-profiling/bpf-capture.dia
diff --git a/slides/debugging-system-wide-profiling/bpf-setup.dia b/slides/debugging-system-wide-profiling/bpf-setup.dia
diff --git a/slides/debugging-system-wide-profiling/debugging-system-wide-profiling.tex b/slides/debugging-system-wide-profiling/debugging-system-wide-profiling.tex
@@ -797,11 +797,54 @@ \subsection{ftrace and trace-cmd}
 
 \subsection{eBPF}
 
+\begin{frame}{The ancestor: Berkeley Packet filter}
+  \begin{itemize}
+    \item BPF stands for Berkeley Packet Filter and was initially used
+    for network packet filtering
+    \item BPF is implemented and used in Linux to perform Linux Socket
+    Filtering (see \kdochtml{networking/filter})
+    \item tcpdump and Wireshark heavily rely on BPF (through libpcap) for
+    packet capture
+  \end{itemize}
+\end{frame}
+
+\begin{frame}{BPF in libpcap: setup}
+  \begin{columns}
+    \column{0.75\textwidth}
+    \begin{itemize}
+    \item tcpdump passes the capture filter string from the user to libpcap
+    \item libpcap translates the capture filter into a binary program
+      \begin{itemize}
+      \item This program uses the instruction set of an abstract machine
+        (the ``BPF instruction set'')
+      \end{itemize}
+    \item libpcap sends the binary program to the kernel via the
+      \code{setsockopt()} syscall
+    \end{itemize}
+    \column{0.25\textwidth}
+      \includegraphics[height=0.85\textheight]{slides/debugging-system-wide-profiling/bpf-setup.pdf}
+  \end{columns}
+\end{frame}
+
+\begin{frame}{BPF in libpcap: capture}
+  \begin{columns}
+    \column{0.55\textwidth}
+    \begin{itemize}
+    \item The kernel implements the BPF ``virtual machine''
+    \item The BPF virtual machine executes the program for every packet
+    \item The program inspects the packet data and returns a non-zero value
+      if the packet must be captured
+    \item If the return value is non-zero, the packet is captured in
+      addition to regular packet processing
+    \end{itemize}
+    \column{0.45\textwidth}
+      \includegraphics[height=0.80\textheight]{slides/debugging-system-wide-profiling/bpf-capture.pdf}
+  \end{columns}
+\end{frame}
+
 \begin{frame}
   \frametitle{eBPF (1/2)}
   \begin{itemize}
-    \item BPF stands for Berkeley Packet Filter and was initially used
-          for network packet filtering
     \item \href{https://ebpf.io/}{eBPF} framework in the kernel allows running
           user-written BPF programs within the kernel in a safe and efficient
           way (Added in kernel 3.15)