This avoids copying unwanted packets from the operating system kernel to the process, greatly improving performance.[2]
The original paper was written by Steven McCanne and Van Jacobson in 1992 while at Lawrence Berkeley Laboratory.
In 2007, Robert Watson and Christian Peron added zero-copy buffer extensions to the BPF implementation in the FreeBSD operating system,[4] allowing kernel packet capture in the device driver interrupt handler to write directly to user process memory in order to avoid the requirement for two copies for all packet data received via the BPF device.
Some platforms, including FreeBSD, NetBSD, and WinPcap, use a just-in-time compiler (JIT) to convert BPF instructions into native code in order to improve performance.
Kernel-mode interpreters for that same virtual machine language are used in raw data link layer mechanisms in other operating systems, such as Tru64 Unix, and for socket filters in the Linux kernel and in the WinPcap and Npcap packet capture mechanisms.[7]
rBPF, a Rust rewrite of uBPF, is used by the Solana blockchain platform as its execution engine.[8]
Classic BPF is generally emitted by a program (for example libpcap, which compiles tcpdump filter expressions) from a very high-level textual rule describing the pattern to match.[9]
Classic BPF and eBPF can also be written directly as machine code, or in an assembly language that gives the instructions a textual representation.[12]
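The two preceding sentences describe the pipeline a practitioner sees with tcpdump: a textual rule is compiled into a small instruction stream, and that stream is then run against each packet by an interpreter (or JIT) in the kernel. The following C program is an added example written for this page, not code from libpcap, the Linux kernel, or any other project. It hand-assembles the classic BPF program for the rule "ip and tcp port 22" on an Ethernet link using the real classic BPF opcode encoding, runs it through a minimal interpreter, and shows the safety property that matters in a kernel: every load is bounds-checked and an out-of-range read makes the filter answer 0 (drop) rather than read past the packet. The names cbpf_insn, cbpf_run, build_ipv4_tcp and verdict_ipv4_tcp are this example's own, the test frames are constructed inline, and the program is assumed (not verified here) to match what `tcpdump -dd 'ip and tcp port 22'` prints.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One classic BPF instruction, laid out like libpcap's struct bpf_insn and
 * Linux's struct sock_filter: opcode, true/false jump offsets, immediate k. */
struct cbpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Opcode values from the classic BPF encoding (class | size | mode). */
#define OP_LDH_ABS 0x28 /* A = big-endian 16-bit word at pkt[k]     */
#define OP_LDB_ABS 0x30 /* A = pkt[k]                               */
#define OP_LDH_IND 0x48 /* A = big-endian 16-bit word at pkt[X + k] */
#define OP_LDX_MSH 0xb1 /* X = 4 * (pkt[k] & 0x0f), IPv4 header len */
#define OP_JEQ_K   0x15 /* pc += (A == k) ? jt : jf                 */
#define OP_JSET_K  0x45 /* pc += (A & k) ? jt : jf                  */
#define OP_RET_K   0x06 /* return k (bytes to accept; 0 = drop)     */

/* Hand-assembled program for "ip and tcp port 22" on Ethernet (assumed to
 * match tcpdump -dd output). Jump offsets are relative to pc + 1. */
static const struct cbpf_insn ip_tcp_port_22[] = {
    { OP_LDH_ABS, 0, 0,  12 },     /* 00: A = EtherType                */
    { OP_JEQ_K,   0, 10, 0x0800 }, /* 01: IPv4? yes -> 02, no -> 12    */
    { OP_LDB_ABS, 0, 0,  23 },     /* 02: A = IP protocol              */
    { OP_JEQ_K,   0, 8,  6 },      /* 03: TCP? yes -> 04, no -> 12     */
    { OP_LDH_ABS, 0, 0,  20 },     /* 04: A = flags + fragment offset  */
    { OP_JSET_K,  6, 0,  0x1fff }, /* 05: later fragment? yes -> 12    */
    { OP_LDX_MSH, 0, 0,  14 },     /* 06: X = IPv4 header length       */
    { OP_LDH_IND, 0, 0,  14 },     /* 07: A = TCP source port          */
    { OP_JEQ_K,   2, 0,  22 },     /* 08: == 22? yes -> 11, no -> 09   */
    { OP_LDH_IND, 0, 0,  16 },     /* 09: A = TCP destination port     */
    { OP_JEQ_K,   0, 1,  22 },     /* 10: == 22? yes -> 11, no -> 12   */
    { OP_RET_K,   0, 0,  262144 }, /* 11: accept (snaplen)             */
    { OP_RET_K,   0, 0,  0 },      /* 12: reject                       */
};

/* True if [off, off + n) lies inside a packet of len bytes; cannot overflow. */
static int in_bounds(size_t len, uint64_t off, uint64_t n) { return off <= len && n <= len - off; }

/* Minimal interpreter. Like the kernel's, it answers 0 (drop) for any load
 * that would read past the packet and for any opcode it does not know. */
uint32_t cbpf_run(const struct cbpf_insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0;
    uint64_t off;
    for (size_t pc = 0; pc < n; pc++) {
        const struct cbpf_insn *in = &prog[pc];
        switch (in->code) {
        case OP_LDH_ABS:
            if (!in_bounds(len, in->k, 2)) return 0;
            A = (uint32_t)pkt[in->k] << 8 | pkt[in->k + 1];
            break;
        case OP_LDB_ABS:
            if (!in_bounds(len, in->k, 1)) return 0;
            A = pkt[in->k];
            break;
        case OP_LDH_IND:
            off = (uint64_t)X + in->k;
            if (!in_bounds(len, off, 2)) return 0;
            A = (uint32_t)pkt[off] << 8 | pkt[off + 1];
            break;
        case OP_LDX_MSH:
            if (!in_bounds(len, in->k, 1)) return 0;
            X = 4u * (pkt[in->k] & 0x0f);
            break;
        case OP_JEQ_K:  pc += (A == in->k) ? in->jt : in->jf; break;
        case OP_JSET_K: pc += (A & in->k)  ? in->jt : in->jf; break;
        case OP_RET_K:  return in->k;
        default:        return 0;
        }
    }
    return 0; /* ran off the end of the program: reject */
}

/* Constructed frame: Ethernet + minimal IPv4 + TCP header, other fields zero. */
size_t build_ipv4_tcp(uint8_t *buf, uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;   /* EtherType IPv4                    */
    buf[14] = 0x45;                   /* version 4, IHL 5 (20-byte header) */
    buf[17] = 40;                     /* total length: IP 20 + TCP 20      */
    buf[23] = 6;                      /* protocol TCP                      */
    buf[34] = sport >> 8; buf[35] = sport & 0xff;
    buf[36] = dport >> 8; buf[37] = dport & 0xff;
    return 54;
}

/* Build a frame, optionally truncate it, and run it through the filter. */
uint32_t verdict_ipv4_tcp(uint16_t sport, uint16_t dport, size_t truncate_to)
{
    uint8_t frame[64];
    size_t len = build_ipv4_tcp(frame, sport, dport);
    if (truncate_to && truncate_to < len) len = truncate_to;
    return cbpf_run(ip_tcp_port_22, sizeof ip_tcp_port_22 / sizeof ip_tcp_port_22[0], frame, len);
}

int main(void)
{
    printf("dst port 22: %u\n", verdict_ipv4_tcp(51234, 22, 0));  /* accepts */
    printf("dst port 80: %u\n", verdict_ipv4_tcp(51234, 80, 0));  /* rejects */
    printf("cut to 30 B: %u\n", verdict_ipv4_tcp(51234, 22, 30)); /* rejects */
    return 0;
}
```

The truncated frame is the case a kernel implementation cares about most: instruction 07 tries to read the TCP source port at offset 34 of a 30-byte packet, and the interpreter refuses rather than reading beyond the buffer. The same table of {code, jt, jf, k} quadruples, with the relative jump offsets shown, is the form that can be handed to a socket filter on Linux or to the BPF device on the BSDs.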
Chinese computer security group Pangu Lab said the NSA used BPF to conceal network communications as part of a complex Linux backdoor.[13]
Since version 3.18, the Linux kernel includes an extended BPF virtual machine, termed eBPF, with ten general-purpose 64-bit registers plus a read-only frame pointer register (R0 to R10).