NAME
     bpfnull -- Process packets from BPF

SYNOPSIS
     bpfnull [-IwptTvz] [-i interface] [-f pcap out file]

DESCRIPTION
     Process packets from BPF using either the new zerocopy buffer method or
     the regular buffer method.  A number of options exist which touch packet
     headers or data, and write out complete packets to files.  This is
     representative of common BPF workloads and can be used in conjunction
     with netstat to identify bottlenecks.

    -I Use immediate mode (BIOCIMMEDIATE)

    -w Write packet data. If -f is not specified, use stdout

    -t After packet has been received in packet buffer, touch BPF headers
       associated with EACH packet

    -p Prefetch packet data into cache lines prior to processing it

    -T Touch each byte associated with the packet for EACH packet

    -v Print debug or diagnostic messages to stderr

    -z Implement zero copy. By default regular buffering is used
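
    The per-packet work that -t and -T describe, shown on a regular BPF read
    buffer. This is an added example, not bpfnull's own code: sample_bpf_hdr
    (with assumed fixed field widths), put_record and walk_bpf_buffer are
    hypothetical names, and the buffer contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Stand-in for struct bpf_hdr (<net/bpf.h>); field widths are assumed. */
struct sample_bpf_hdr {
    int64_t  ts_sec, ts_usec;  /* bh_tstamp */
    uint32_t bh_caplen;        /* bytes captured */
    uint32_t bh_datalen;       /* length on the wire */
    uint16_t bh_hdrlen;        /* header length, padding included */
};
#define SAMPLE_WORDALIGN(x) (((x) + sizeof(long) - 1) & ~(sizeof(long) - 1))

/* Append one constructed record at off; returns the next record's offset. */
size_t put_record(unsigned char *buf, size_t off, const unsigned char *pkt, uint32_t n)
{
    struct sample_bpf_hdr h = {0};
    h.bh_caplen = h.bh_datalen = n;
    h.bh_hdrlen = (uint16_t)sizeof(h);
    memcpy(buf + off, &h, sizeof(h));
    memcpy(buf + off + sizeof(h), pkt, n);
    return off + SAMPLE_WORDALIGN(sizeof(h) + n);
}

/* Walk len bytes from one read(): packets seen, or -1 on a malformed record.
 * touch_bytes mimics -T by summing every captured byte into *sum. */
long walk_bpf_buffer(const unsigned char *buf, size_t len, int touch_bytes, uint64_t *sum)
{
    size_t off = 0;
    long npkts = 0;
    while (off < len) {
        struct sample_bpf_hdr h;
        if (len - off < sizeof(h)) return -1;      /* truncated header */
        memcpy(&h, buf + off, sizeof(h));          /* as -t: read the header */
        if (h.bh_hdrlen < sizeof(h) || h.bh_hdrlen > len - off ||
            h.bh_caplen > len - off - h.bh_hdrlen) return -1;
        for (uint32_t i = 0; touch_bytes && i < h.bh_caplen; i++)
            *sum += buf[off + h.bh_hdrlen + i];    /* as -T: read every byte */
        npkts++;
        /* The next record starts on a word boundary after header + data. */
        off += SAMPLE_WORDALIGN((size_t)h.bh_hdrlen + h.bh_caplen);
    }
    return npkts;
}

int main(void)
{
    unsigned char buf[128] = {0}, b[3] = {2, 2, 2};  /* constructed sample */
    uint64_t sum = 0;
    long n = walk_bpf_buffer(buf, put_record(buf, 0, b, sizeof(b)), 1, &sum);
    printf("%ld packet(s), byte sum %llu\n", n, (unsigned long long)sum);
}
```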

EXAMPLES
    Process data from BPF device using zerocopy method

        bpfnull -i em0 -z -w | tcpdump -r - -nn -l

    Process packets and touch each byte

        bpfnull -i em0 -z -T

    Simply read packets without processing them (symbolic of IDS or
    network analysis software that introduces zero latency into the
    BPF pipeline)

        bpfnull -i em0

SEE ALSO
    netstat, tcpreplay (port)

TESTING

    +------------------+              +---------------+
    | packet generator |              | IDS box       |
    | using tcpreplay  |--------------| using bpfnull |
    |                  | X-OVER CABLE |               |
    +------------------+              +---------------+

    In some cases, for "sustained" testing, we go through a Catalyst 2950
    so we can monitor Tx/Rx packets and packets-per-second rates (over
    five-minute samplings) to look at what is being transmitted and received.

        tcpreplay -l 5000 -R -i bge0 icmp.10.byte.packets.pcap

    Cycle through every packet in icmp.10.byte.packets.pcap (generated using
    tcpdump -w) 5000 times, sending as fast as you can.
