Steven McCanne and Van Jacobson - The BSD Packet Filter: A New Architecture for User-level Packet Capture
Quote from section 2:
BPF has two main components: the network tap and the
packet filter. The network tap collects copies of packets from
the network device drivers and delivers them to listening applications.
BPF is the Berkeley Packet Filter. From the statement above, the packet is tapped from the network device. Okay, which part of the network interface?
When a packet arrives at a network interface the link
level device driver normally sends it up the system protocol
stack. But when BPF is listening on this interface, the driver
first calls BPF. BPF feeds the packet to each participating process’
filter. This user-defined filter decides whether a packet
is to be accepted and how many bytes of each packet should
From here we know the packet has been duplicated and a copy of the packet is fed to the user-defined filter. My question is: did the filter discard "unwanted" bits?
Because network monitors often want only a small subset of
network traffic, a dramatic performance gain is realized by filtering out unwanted packets in interrupt context.
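The accept-and-truncate behaviour in the quoted passages, as an added example (not code from the paper or from any BPF implementation): a minimal model of the tap handing one packet to each listener's filter, where the filter's return value is the number of bytes to copy and 0 drops the packet for that listener. The `listener` struct, the three-opcode interpreter, the two filters and the sample frame are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic BPF opcode values for: ldh [k], jeq #k, ret #k. */
enum { LDH_ABS = 0x28, JEQ_K = 0x15, RET_K = 0x06 };
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* Hypothetical listener: its filter program and the bytes saved for it. */
struct listener { const struct insn *prog; size_t n; uint8_t buf[64]; size_t saved; };

/* Returns how many bytes of the packet to keep; 0 rejects the packet. */
static uint32_t run_filter(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        uint32_t k = p[pc].k;
        switch (p[pc].code) {
        case LDH_ABS:                       /* A = big-endian halfword at offset k */
            if (len < 2 || k > len - 2) return 0;   /* load past end: reject */
            a = (uint32_t)pkt[k] << 8 | pkt[k + 1];
            break;
        case JEQ_K: pc += (a == k) ? p[pc].jt : p[pc].jf; break;
        case RET_K: return k;
        default:    return 0;               /* opcode outside this model: reject */
        }
    }
    return 0;                               /* fell off the program: reject */
}
/* The tap: every listener's filter sees the packet; only accepted bytes are copied. */
static void bpf_tap(struct listener *ls, size_t nls, const uint8_t *pkt, size_t len)
{
    for (size_t i = 0; i < nls; i++) {
        size_t keep = run_filter(ls[i].prog, ls[i].n, pkt, len);
        if (keep > len) keep = len;                 /* never copy past the packet */
        if (keep > sizeof ls[i].buf) keep = sizeof ls[i].buf;
        memcpy(ls[i].buf, pkt, keep);
        ls[i].saved = keep;
    }
}
/* Constructed filters: "IPv4, keep the 14-byte Ethernet header" and "ARP, keep all". */
static const struct insn ip_hdr[]  = {{LDH_ABS,0,0,12},{JEQ_K,0,1,0x0800},{RET_K,0,0,14},{RET_K,0,0,0}};
static const struct insn arp_all[] = {{LDH_ABS,0,0,12},{JEQ_K,0,1,0x0806},{RET_K,0,0,0xffff},{RET_K,0,0,0}};
/* Constructed 20-byte frame: zeroed MACs, EtherType 0x0800, six payload bytes. */
static const uint8_t frame[20] = {0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00, 1,2,3,4,5,6};

int main(void)
{
    struct listener ls[2] = {{ip_hdr, 4}, {arp_all, 4}};
    bpf_tap(ls, 2, frame, sizeof frame);
    printf("ip listener kept %zu bytes, arp listener kept %zu\n", ls[0].saved, ls[1].saved);
}
```

The same frame yields a truncated copy for one listener and nothing for the other, so the discarding is per listener and the driver's own copy still goes up the protocol stack untouched.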
From the Ns Manual, chapter 16, Mobile Node: referring to the schematic, there is a tap agent inside the MAC module, which is described as
Tap Agents: Agents that subclass themselves as class Tap defined in mac.h can register themselves with the mac object using method installTap(). If the particular Mac protocol permits it, the tap will promiscuously be given all packets received by the mac layer, before address filtering is done.