misc: classifier-based packet trace filter

See .../src/vnet/classify/trace_classify.h for the business end
of the scheme.

It would be best to hash pkts, prefetch buckets, and do the primary
table lookups two at a time. The inline as given works, but perf
tuning will be required. "At least it works..."

Add "classify filter" debug cli, for example:
classify filter mask l3 ip4 src dst \
  match l3 ip4 dst 192.168.2.10 src 192.168.1.10

Add "pcap rx | tx trace ... filter" to use the current classify filter chain

Patch includes sphinx documentation and doxygen tags.

Next step: device-driver integration

Type: feature

Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I05b1358a769f61e6d32470e0c87058f640486b26

10 files changed, 559 insertions, 8 deletions

diff --git a/docs/gettingstarted/developers/vnet.md b/docs/gettingstarted/developers/vnet.md
index 79d539676b9..b8f878c2cd7 100644
--- a/docs/gettingstarted/developers/vnet.md
+++ b/docs/gettingstarted/developers/vnet.md
@@ -469,3 +469,111 @@ metadata changes, header checksum changes, and so forth.
 This should be of significant value when developing new vpp graph
 nodes. If new code mispositions b->current_data, it will be completely
 obvious from looking at the dispatch trace in wireshark.
+
+## pcap rx and tx tracing
+
+vpp also supports rx and tx packet capture in pcap format, through the
+"pcap rx trace" and "pcap tx trace" debug CLI commands
+
+This command is used to start or stop a packet capture, or show
+the status of packet capture. Note that both "pcap rx trace" and
+"pcap tx trace" are implemented. The command syntax is identical,
+simply substitute rx for tx as needed.
+
+These commands have the following optional parameters:
+
+on|off- Used to start or stop a packet capture.
+
+- <b>max _nnnn_</b> - file size, number of packet captures. Once
+  <nnnn> packets have been received, the trace buffer buffer is flushed
+  to the indicated file. Defaults to 1000. Can only be updated if packet
+  capture is off.
+
+- <b>intfc _interface_ | _any_</b> - Used to specify a given interface,
+  or use '<em>any</em>' to run packet capture on all interfaces.
+  '<em>any</em>' is the default if not provided. Settings from a previous
+  packet capture are preserved, so '<em>any</em>' can be used to reset
+  the interface setting.
+
+- <b>file _filename_</b> - Used to specify the output filename. The
+  file will be placed in the '<em>/tmp</em>' directory.  If _filename_
+  already exists, file will be overwritten. If no filename is
+  provided, '<em>/tmp/rx.pcap or tx.pcap</em>' will be used, depending
+  on capture direction. Can only be updated when pcap capture is off.
+
+- <b>status</b> - Displays the current status and configured
+  attributes associated with a packet capture. If packet capture is in
+  progress, '<em>status</em>' also will return the number of packets
+  currently in the buffer. Any additional attributes entered on
+  command line with a '<em>status</em>' request will be ignored.
+
+- <b>filter</b> - Capture packets which match the current packet
+  trace filter set. See next section. Configure the capture filter
+  first.
+
+## packet trace capture filtering
+
+The "classify filter" debug CLI command constructs an arbitrary set of
+  packet classifier tables for use with "pcap rx | tx trace," and
+  (eventually) with the vpp packet tracer
+
+Packets which match a rule in the classifier table chain will be
+traced. The tables are automatically ordered so that matches in the
+most specific table are tried first.
+
+It's reasonably likely that folks will configure a single table with
+one or two matches. As a result, we configure 8 hash buckets and 128K
+of match rule space by default. One can override the defaults by
+specifiying "buckets <nnn>" and "memory-size <xxx>" as desired.
+
+To build up complex filter chains, repeatedly issue the classify
+filter debug CLI command. Each command must specify the desired mask
+and match values. If a classifier table with a suitable mask already
+exists, the CLI command adds a match rule to the existing table.  If
+not, the CLI command add a new table and the indicated mask rule
+
+### Configure a simple classify filter
+
+```
+    classify filter mask l3 ip4 src match l3 ip4 src 192.168.1.11"
+    pcap rx trace on max 100 filter
+```
+
+### Configure another fairly simple filter
+
+```
+   classify filter mask l3 ip4 src dst match l3 ip4 src 192.168.1.10 dst 192.168.2.10
+   pcap tx trace on max 100 filter
+```
+
+### Clear all current classifier filters
+
+```
+    classify filter del
+```
+
+### To inspect the classifier tables
+
+```
+   show classify table [verbose]
+```
+
+The verbose form displays all of the match rules, with hit-counters.
+
+### Terse description of the "mask <xxx>" syntax:
+
+```
+    l2 src dst proto tag1 tag2 ignore-tag1 ignore-tag2 cos1 cos2 dot1q dot1ad
+    l3 ip4 <ip4-mask> ip6 <ip6-mask>
+    <ip4-mask> version hdr_length src[/width] dst[/width]
+               tos length fragment_id ttl protocol checksum
+    <ip6-mask> version traffic-class flow-label src dst proto
+               payload_length hop_limit protocol
+    l4 tcp <tcp-mask> udp <udp_mask> src_port dst_port
+    <tcp-mask> src dst  # ports
+    <udp-mask> src_port dst_port
+```
+
+To construct **matches**, add the values to match after the indicated
+keywords in the mask syntax. For example: "... mask l3 ip4 src" ->
+"... match l3 ip4 src 192.168.1.11"
diff --git a/src/vlib/main.h b/src/vlib/main.h
index 05687a8c987..88ce98bb405 100644
--- a/src/vlib/main.h
+++ b/src/vlib/main.h
@@ -63,6 +63,7 @@ typedef struct
   int pcap_enable;
   u32 pcap_sw_if_index;
   pcap_main_t pcap_main;
+  u32 filter_classify_table_index;
 } vnet_pcap_t;
 
 typedef struct vlib_main_t
diff --git a/src/vnet/CMakeLists.txt b/src/vnet/CMakeLists.txt
index 2a783810fdd..1e51f3d7102 100644
--- a/src/vnet/CMakeLists.txt
+++ b/src/vnet/CMakeLists.txt
@@ -384,6 +384,7 @@ list(APPEND VNET_API_FILES lldp/lldp.api)
 ##############################################################################
 list(APPEND VNET_SOURCES
   classify/vnet_classify.c
+  classify/trace_classify.h
   classify/ip_classify.c
   classify/in_out_acl.c
   classify/policer_classify.c
@@ -400,6 +401,7 @@ list(APPEND VNET_MULTIARCH_SOURCES
 
 list(APPEND VNET_HEADERS
   classify/vnet_classify.h
+  classify/trace_classify.h
   classify/in_out_acl.h
   classify/policer_classify.h
   classify/flow_classify.h
diff --git a/src/vnet/classify/trace_classify.h b/src/vnet/classify/trace_classify.h
new file mode 100644
index 00000000000..bc25ecd0ff7
--- /dev/null
+++ b/src/vnet/classify/trace_classify.h
@@ -0,0 +1,100 @@
+/*
+ * trace_classify.h - Use the classifier to decide if a packet is traced
+ *
+ * Copyright (c) 2019 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <vlib/vlib.h>
+#include <vnet/vnet.h>
+#include <vppinfra/error.h>
+#include <vnet/classify/vnet_classify.h>
+
+/** @file trace_classify.h
+ * Use the vpp classifier to decide whether to trace packets
+ */
+
+/** @brief vnet_is_packet_traced
+ * @param vlib_buffer_t *b - packet to classify
+ * @param int func - 0 => use classifier w/ supplied table index
+ * @param u32 classify_table_index - classifier table index
+ * @return 0 => no trace, 1 => trace, -1 => error
+ */
+
+static inline int
+vnet_is_packet_traced_inline (vlib_buffer_t * b,
+			      u32 classify_table_index, int func)
+{
+  vnet_classify_main_t *vcm = &vnet_classify_main;
+  vnet_classify_table_t *t;
+  vnet_classify_entry_t *e;
+  u64 hash;
+
+  /*$$$ add custom classifiers here, if any */
+  if (func != 0)
+    return -1;
+
+  /* This will happen... */
+  if (pool_is_free_index (vcm->tables, classify_table_index))
+    return -1;
+
+  /* Get the table */
+  t = pool_elt_at_index (vcm->tables, classify_table_index);
+
+  /* Hash the packet */
+  hash = vnet_classify_hash_packet (t, vlib_buffer_get_current (b));
+
+  /* See if there's a matching entry */
+  e = vnet_classify_find_entry (t, vlib_buffer_get_current (b), hash,
+				0 /* time = 0, disables hit-counter */ );
+  /* Hit means trace the packet... */
+  if (e)
+    {
+      /* Manual hit accounting */
+      e->hits++;
+      return 1;
+    }
+
+  /*
+   * Look for a hit in a less-specific table.
+   * Performance hint: for this use-case, don't go there.
+   */
+  while (1)
+    {
+      /* Most likely, we're done right now */
+      if (PREDICT_TRUE (t->next_table_index == ~0))
+	return 0;
+      t = pool_elt_at_index (vcm->tables, t->next_table_index);
+
+      /* Compute hash for this table */
+      hash = vnet_classify_hash_packet (t, vlib_buffer_get_current (b));
+
+      /* See if there's a matching entry */
+      e = vnet_classify_find_entry (t, vlib_buffer_get_current (b), hash,
+				    0 /* time = 0, disables hit-counter */ );
+      if (e)
+	{
+	  /* Manual hit accounting */
+	  e->hits++;
+	  return 1;
+	}
+    }
+  /* NOTREACHED */
+}
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/vnet/classify/vnet_classify.c b/src/vnet/classify/vnet_classify.c
index b807a2679a7..94cc2419775 100755
--- a/src/vnet/classify/vnet_classify.c
+++ b/src/vnet/classify/vnet_classify.c
@@ -20,6 +20,11 @@
 #include <vnet/fib/fib_table.h>
 #include <vppinfra/lock.h>
 
+/**
+ * @file
+ * @brief N-tuple classifier
+ */
+
 vnet_classify_main_t vnet_classify_main;
 
 #if VALIDATION_SCAFFOLDING
@@ -939,6 +944,10 @@ unformat_ip4_mask (unformat_input_t * input, va_list * args)
   u8 *mask = 0;
   u8 found_something = 0;
   ip4_header_t *ip;
+  u32 src_prefix_len = 32;
+  u32 src_prefix_mask = ~0;
+  u32 dst_prefix_len = 32;
+  u32 dst_prefix_mask = ~0;
 
 #define _(a) u8 a=0;
   foreach_ip4_proto_field;
@@ -953,6 +962,18 @@ unformat_ip4_mask (unformat_input_t * input, va_list * args)
 	version = 1;
       else if (unformat (input, "hdr_length"))
 	hdr_length = 1;
+      else if (unformat (input, "src/%d", &src_prefix_len))
+	{
+	  src_address = 1;
+	  src_prefix_mask &= ~((1 << (32 - src_prefix_len)) - 1);
+	  src_prefix_mask = clib_host_to_net_u32 (src_prefix_mask);
+	}
+      else if (unformat (input, "dst/%d", &dst_prefix_len))
+	{
+	  dst_address = 1;
+	  dst_prefix_mask &= ~((1 << (32 - dst_prefix_len)) - 1);
+	  dst_prefix_mask = clib_host_to_net_u32 (dst_prefix_mask);
+	}
       else if (unformat (input, "src"))
 	src_address = 1;
       else if (unformat (input, "dst"))
@@ -982,6 +1003,12 @@ unformat_ip4_mask (unformat_input_t * input, va_list * args)
   foreach_ip4_proto_field;
 #undef _
 
+  if (src_address)
+    ip->src_address.as_u32 = src_prefix_mask;
+
+  if (dst_address)
+    ip->dst_address.as_u32 = dst_prefix_mask;
+
   ip->ip_version_and_header_length = 0;
 
   if (version)
@@ -1577,7 +1604,7 @@ classify_table_command_fn (vlib_main_t * vm,
   if (!is_add && table_index == ~0)
     return clib_error_return (0, "table index required for delete");
 
-  rv = vnet_classify_add_del_table (cm, mask, nbuckets, memory_size,
+  rv = vnet_classify_add_del_table (cm, mask, nbuckets, (u32) memory_size,
 				    skip, match, next_table_index,
 				    miss_next_index, &table_index,
 				    current_data_flag, current_data_offset,
@@ -1595,7 +1622,8 @@ classify_table_command_fn (vlib_main_t * vm,
 }
 
 /* *INDENT-OFF* */
-VLIB_CLI_COMMAND (classify_table, static) = {
+VLIB_CLI_COMMAND (classify_table, static) =
+{
   .path = "classify table",
   .short_help =
   "classify table [miss-next|l2-miss_next|acl-miss-next <next_index>]"
@@ -1607,6 +1635,268 @@ VLIB_CLI_COMMAND (classify_table, static) = {
 };
 /* *INDENT-ON* */
 
+static int
+filter_table_mask_compare (void *a1, void *a2)
+{
+  vnet_classify_main_t *cm = &vnet_classify_main;
+  u32 *ti1 = a1;
+  u32 *ti2 = a2;
+  u32 n1 = 0, n2 = 0;
+  vnet_classify_table_t *t1, *t2;
+  u8 *m1, *m2;
+  int i;
+
+  t1 = pool_elt_at_index (cm->tables, *ti1);
+  t2 = pool_elt_at_index (cm->tables, *ti2);
+
+  m1 = (u8 *) (t1->mask);
+  m2 = (u8 *) (t2->mask);
+
+  for (i = 0; i < vec_len (t1->mask) * sizeof (u32x4); i++)
+    {
+      n1 += count_set_bits (m1[0]);
+      m1++;
+    }
+
+  for (i = 0; i < vec_len (t2->mask) * sizeof (u32x4); i++)
+    {
+      n2 += count_set_bits (m2[0]);
+      m2++;
+    }
+
+  /* Reverse sort: descending number of set bits */
+  if (n1 < n2)
+    return 1;
+  else if (n1 > n2)
+    return -1;
+  else
+    return 0;
+}
+
+static clib_error_t *
+classify_filter_command_fn (vlib_main_t * vm,
+			    unformat_input_t * input,
+			    vlib_cli_command_t * cmd)
+{
+  u32 nbuckets = 8;
+  vnet_main_t *vnm = vnet_get_main ();
+  uword memory_size = (uword) (128 << 10);
+  u32 skip = ~0;
+  u32 match = ~0;
+  u8 *match_vector;
+  int is_add = 1;
+  int del_chain = 0;
+  u32 table_index = ~0;
+  u32 next_table_index = ~0;
+  u32 miss_next_index = ~0;
+  u32 current_data_flag = 0;
+  int current_data_offset = 0;
+  int i;
+  vnet_classify_table_t *t;
+  u8 *mask = 0;
+  vnet_classify_main_t *cm = &vnet_classify_main;
+  int rv = 0;
+
+  while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+    {
+      if (unformat (input, "del"))
+	is_add = 0;
+      else if (unformat (input, "buckets %d", &nbuckets))
+	;
+      else if (unformat (input, "mask %U", unformat_classify_mask,
+			 &mask, &skip, &match))
+	;
+      else if (unformat (input, "memory-size %U", unformat_memory_size,
+			 &memory_size))
+	;
+      else
+	break;
+    }
+
+  if (is_add && mask == 0 && table_index == ~0)
+    return clib_error_return (0, "Mask required");
+
+  if (is_add && skip == ~0 && table_index == ~0)
+    return clib_error_return (0, "skip count required");
+
+  if (is_add && match == ~0 && table_index == ~0)
+    return clib_error_return (0, "match count required");
+
+  if (!is_add)
+    {
+      if (vec_len (vnm->classify_filter_table_indices) == 0)
+	return clib_error_return (0, "No classify filter set...");
+
+      del_chain = 1;
+      table_index = vnm->classify_filter_table_indices[0];
+      vec_reset_length (vnm->classify_filter_table_indices);
+    }
+
+  /* see if we already have a table for that... */
+
+  if (is_add)
+    {
+      for (i = 0; i < vec_len (vnm->classify_filter_table_indices); i++)
+	{
+	  t = pool_elt_at_index (cm->tables, i);
+	  /* classifier geometry mismatch, can't use this table */
+	  if (t->match_n_vectors != match || t->skip_n_vectors != skip)
+	    continue;
+	  /* Masks aren't congruent, can't use this table */
+	  if (vec_len (t->mask) != vec_len (mask))
+	    continue;
+	  /* Masks aren't bit-for-bit identical, can't use this table */
+	  if (memcmp (t->mask, mask, vec_len (mask)))
+	    continue;
+
+	  /* Winner... */
+	  table_index = i;
+	  goto found_table;
+	}
+    }
+
+  rv = vnet_classify_add_del_table (cm, mask, nbuckets, memory_size,
+				    skip, match, next_table_index,
+				    miss_next_index, &table_index,
+				    current_data_flag, current_data_offset,
+				    is_add, del_chain);
+  vec_free (mask);
+
+  switch (rv)
+    {
+    case 0:
+      break;
+
+    default:
+      return clib_error_return (0, "vnet_classify_add_del_table returned %d",
+				rv);
+    }
+
+  if (is_add == 0)
+    return 0;
+
+  /* Remember the table */
+  vec_add1 (vnm->classify_filter_table_indices, table_index);
+
+found_table:
+
+  /* Now try to parse a session */
+  if (unformat (input, "match %U", unformat_classify_match,
+		cm, &match_vector, table_index) == 0)
+    return 0;
+
+
+  /*
+   * We use hit or miss to determine whether to trace or pcap pkts
+   * so the session setup is very limited
+   */
+  rv = vnet_classify_add_del_session (cm, table_index,
+				      match_vector, 0 /* hit_next_index */ ,
+				      0 /* opaque_index */ ,
+				      0 /* advance */ ,
+				      0 /* action */ ,
+				      0 /* metadata */ ,
+				      1 /* is_add */ );
+
+  vec_free (match_vector);
+
+  /* Sort filter tables from most-specific mask to least-specific mask */
+  vec_sort_with_function (vnm->classify_filter_table_indices,
+			  filter_table_mask_compare);
+
+  ASSERT (vec_len (vnm->classify_filter_table_indices));
+
+  /* Setup next_table_index fields */
+  for (i = 0; i < vec_len (vnm->classify_filter_table_indices); i++)
+    {
+      t = pool_elt_at_index (cm->tables,
+			     vnm->classify_filter_table_indices[i]);
+
+      if ((i + 1) < vec_len (vnm->classify_filter_table_indices))
+	t->next_table_index = vnm->classify_filter_table_indices[i + 1];
+      else
+	t->next_table_index = ~0;
+    }
+
+  return 0;
+}
+
+/*?
+ * Construct an arbitrary set of packet classifier tables for use with
+ * "pcap rx | tx trace," and (eventually) with the vpp packet
+ * tracer
+ *
+ * Packets which match a rule in the classifier table chain
+ * will be traced. The tables are automatically ordered so that
+ * matches in the most specific table are tried first.
+ *
+ * It's reasonably likely that folks will configure a single
+ * table with one or two matches. As a result, we configure
+ * 8 hash buckets and 128K of match rule space. One can override
+ * the defaults by specifiying "buckets <nnn>" and "memory-size <xxx>"
+ * as desired.
+ *
+ * To build up complex filter chains, repeatedly issue the
+ * classify filter debug CLI command. Each command must specify the desired
+ * mask and match values. If a classifier table with a suitable mask
+ * already exists, the CLI command adds a match rule to the existing table.
+ * If not, the CLI command add a new table and the indicated mask rule
+ *
+ * Here is a terse description of the "mask <xxx>" syntax:
+ *
+ * l2 src dst proto tag1 tag2 ignore-tag1 ignore-tag2 cos1 cos2 dot1q dot1ad
+ *
+ * l3 ip4 <ip4-mask> ip6 <ip6-mask>
+ *
+ * <ip4-mask> version hdr_length src[/width] dst[/width]
+ *            tos length fragment_id ttl protocol checksum
+ *
+ * <ip6-mask> version traffic-class flow-label src dst proto
+ *            payload_length hop_limit protocol
+ *
+ * l4 tcp <tcp-mask> udp <udp_mask> src_port dst_port
+ *
+ * <tcp-mask> src dst  # ports
+ *
+ * <udp-mask> src_port dst_port
+ *
+ * To construct matches, add the values to match after the indicated keywords:
+ * in the match syntax. For example:
+ * mask l3 ip4 src -> match l3 ip4 src 192.168.1.11
+ *
+ * @cliexpar
+ * Configuring the classify filter
+ *
+ * Configure a simple classify filter, and configure pcap rx trace to use it:
+ *
+ * <b><em>classify filter mask l3 ip4 src match l3 ip4 src 192.168.1.11"</em></b><br>
+ * <b><em>pcap rx trace on max 100 filter</em></b>
+ *
+ * Configure another fairly simple filter
+ *
+ * <b><em>classify filter mask l3 ip4 src dst match l3 ip4 src 192.168.1.10 dst 192.168.2.10"</em></b>
+ *
+ * Clear all current classifier filters
+ *
+ * <b><em>classify filter del</em></b>
+ *
+ * To inspect the classifier tables, use
+ *
+ * <b><em>show classify table [verbose]</em></b>
+ * The verbose form displays all of the match rules, with hit-counters
+ * @cliexend
+ ?*/
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (classify_filter, static) =
+{
+  .path = "classify filter",
+  .short_help =
+  "classify filter mask <mask-value> match <match-value> [del]"
+  "[buckets <nn>] [memory-size <n>]",
+  .function = classify_filter_command_fn,
+};
+/* *INDENT-ON* */
+
 static u8 *
 format_vnet_classify_table (u8 * s, va_list * args)
 {
@@ -2442,7 +2732,7 @@ vnet_classify_init (vlib_main_t * vm)
 
 VLIB_INIT_FUNCTION (vnet_classify_init);
 
-#define TEST_CODE 1
+#define TEST_CODE 0
 
 #if TEST_CODE > 0
 
diff --git a/src/vnet/ethernet/node.c b/src/vnet/ethernet/node.c
index 9bfaf182eb2..fb706551719 100755
--- a/src/vnet/ethernet/node.c
+++ b/src/vnet/ethernet/node.c
@@ -44,6 +44,7 @@
 #include <vnet/devices/pipe/pipe.h>
 #include <vppinfra/sparse_vec.h>
 #include <vnet/l2/l2_bvi.h>
+#include <vnet/classify/trace_classify.h>
 
 #define foreach_ethernet_input_next		\
   _ (PUNT, "error-punt")			\
@@ -1000,15 +1001,29 @@ ethernet_input_trace (vlib_main_t * vm, vlib_node_runtime_t * node,
   if (PREDICT_FALSE (vlib_global_main.pcap[VLIB_RX].pcap_enable))
     {
       u32 bi0;
+      vnet_main_t *vnm = vnet_get_main ();
 
       from = vlib_frame_vector_args (from_frame);
       n_left = from_frame->n_vectors;
       while (n_left > 0)
 	{
+	  int classify_filter_result;
 	  vlib_buffer_t *b0;
 	  bi0 = from[0];
 	  from++;
+	  n_left--;
 	  b0 = vlib_get_buffer (vm, bi0);
+	  if (vec_len (vnm->classify_filter_table_indices))
+	    {
+	      classify_filter_result =
+		vnet_is_packet_traced_inline
+		(b0, vnm->classify_filter_table_indices[0],
+		 0 /* full classify */ );
+	      if (classify_filter_result)
+		pcap_add_buffer (&vlib_global_main.pcap[VLIB_RX].pcap_main,
+				 vm, bi0, 512);
+	      continue;
+	    }
 
 	  if (vlib_global_main.pcap[VLIB_RX].pcap_sw_if_index == 0 ||
 	      vlib_global_main.pcap[VLIB_RX].pcap_sw_if_index
@@ -1017,7 +1032,6 @@ ethernet_input_trace (vlib_main_t * vm, vlib_node_runtime_t * node,
 	      pcap_add_buffer (&vlib_global_main.pcap[VLIB_RX].pcap_main, vm,
 			       bi0, 512);
 	    }
-	  n_left--;
 	}
     }
 }
diff --git a/src/vnet/interface.h b/src/vnet/interface.h
index 42aada453c1..0c273c6c7d2 100644
--- a/src/vnet/interface.h
+++ b/src/vnet/interface.h
@@ -901,6 +901,7 @@ typedef struct
   u32 packets_to_capture;
   vlib_rx_or_tx_t rxtx;
   u32 sw_if_index;
+  int filter;
 } vnet_pcap_dispatch_trace_args_t;
 
 int vnet_pcap_dispatch_trace_configure (vnet_pcap_dispatch_trace_args_t *);
diff --git a/src/vnet/interface_cli.c b/src/vnet/interface_cli.c
index 95e1684be8b..8f1fde7e852 100644
--- a/src/vnet/interface_cli.c
+++ b/src/vnet/interface_cli.c
@@ -1699,13 +1699,14 @@ int
 vnet_pcap_dispatch_trace_configure (vnet_pcap_dispatch_trace_args_t * a)
 {
   vlib_main_t *vm = vlib_get_main ();
+  vnet_main_t *vnm = vnet_get_main ();
   vlib_rx_or_tx_t rxtx = a->rxtx;
   vnet_pcap_t *pp = &vm->pcap[rxtx];
   pcap_main_t *pm = &pp->pcap_main;
 
   if (a->status)
     {
-      if (pp->pcap_enable == 0)
+      if (pp->pcap_enable)
 	{
 	  vlib_cli_output
 	    (vm, "pcap %s dispatch capture enabled: %d of %d pkts...",
@@ -1734,6 +1735,10 @@ vnet_pcap_dispatch_trace_configure (vnet_pcap_dispatch_trace_args_t * a)
       && (pm->n_packets_to_capture != a->packets_to_capture))
     return VNET_API_ERROR_INVALID_VALUE_2;
 
+  if (a->enable && a->filter
+      && (vec_len (vnm->classify_filter_table_indices) == 0))
+    return VNET_API_ERROR_NO_SUCH_LABEL;
+
   if (a->enable)
     {
       /* Clean up from previous run, if any */
@@ -1754,6 +1759,11 @@ vnet_pcap_dispatch_trace_configure (vnet_pcap_dispatch_trace_args_t * a)
       pm->packet_type = PCAP_PACKET_TYPE_ethernet;
       pm->n_packets_to_capture = a->packets_to_capture;
       pp->pcap_sw_if_index = a->sw_if_index;
+      if (a->filter)
+	pp->filter_classify_table_index =
+	  vnm->classify_filter_table_indices[0];
+      else
+	pp->filter_classify_table_index = ~0;
       pp->pcap_enable = 1;
     }
   else
@@ -1796,6 +1806,7 @@ pcap_trace_command_internal (vlib_main_t * vm,
   int rv;
   int enable = 0;
   int status = 0;
+  int filter = 0;
   u32 sw_if_index = 0;
 
   /* Get a line of input. */
@@ -1826,6 +1837,8 @@ pcap_trace_command_internal (vlib_main_t * vm,
 	;
       else if (unformat (line_input, "intfc any"))
 	sw_if_index = 0;
+      else if (unformat (line_input, "filter"))
+	filter = 1;
       else
 	{
 	  return clib_error_return (0, "unknown input `%U'",
@@ -1842,6 +1855,7 @@ pcap_trace_command_internal (vlib_main_t * vm,
   a->packets_to_capture = max;
   a->rxtx = rxtx;
   a->sw_if_index = sw_if_index;
+  a->filter = filter;
 
   rv = vnet_pcap_dispatch_trace_configure (a);
 
@@ -1866,6 +1880,10 @@ pcap_trace_command_internal (vlib_main_t * vm,
     case VNET_API_ERROR_NO_SUCH_ENTRY:
       return clib_error_return (0, "No packets captured...");
 
+    case VNET_API_ERROR_NO_SUCH_LABEL:
+      return clib_error_return
+	(0, "No classify filter configured, see 'classify filter...'");
+
     default:
       vlib_cli_output (vm, "WARNING: trace configure returned %d", rv);
       break;
@@ -1959,7 +1977,6 @@ VLIB_CLI_COMMAND (pcap_rx_trace_command, static) = {
 };
 /* *INDENT-ON* */
 
-
 /*
  * fd.io coding-style-patch-verification: ON
  *
diff --git a/src/vnet/interface_output.c b/src/vnet/interface_output.c
index f51e9a1f27d..1506db91ea9 100644
--- a/src/vnet/interface_output.c
+++ b/src/vnet/interface_output.c
@@ -43,6 +43,7 @@
 #include <vnet/ip/ip6.h>
 #include <vnet/udp/udp_packet.h>
 #include <vnet/feature/feature.h>
+#include <vnet/classify/trace_classify.h>
 
 typedef struct
 {
@@ -813,13 +814,29 @@ static_always_inline void vnet_interface_pcap_tx_trace
   else
     sw_if_index = ~0;
 
+  vnet_main_t *vnm = vnet_get_main ();
   n_left_from = frame->n_vectors;
   from = vlib_frame_vector_args (frame);
 
   while (n_left_from > 0)
     {
+      int classify_filter_result;
       u32 bi0 = from[0];
       vlib_buffer_t *b0 = vlib_get_buffer (vm, bi0);
+      from++;
+      n_left_from--;
+
+      if (vec_len (vnm->classify_filter_table_indices))
+	{
+	  classify_filter_result =
+	    vnet_is_packet_traced_inline
+	    (b0, vnm->classify_filter_table_indices[0],
+	     0 /* full classify */ );
+	  if (classify_filter_result)
+	    pcap_add_buffer (&vlib_global_main.pcap[VLIB_TX].pcap_main, vm,
+			     bi0, 512);
+	  continue;
+	}
 
       if (sw_if_index_from_buffer)
 	sw_if_index = vnet_buffer (b0)->sw_if_index[VLIB_TX];
@@ -828,8 +845,6 @@ static_always_inline void vnet_interface_pcap_tx_trace
 	  vlib_global_main.pcap[VLIB_TX].pcap_sw_if_index == sw_if_index)
 	pcap_add_buffer (&vlib_global_main.pcap[VLIB_TX].pcap_main, vm, bi0,
 			 512);
-      from++;
-      n_left_from--;
     }
 }
 
diff --git a/src/vnet/vnet.h b/src/vnet/vnet.h
index 3b20f71917b..a726f0379ef 100644
--- a/src/vnet/vnet.h
+++ b/src/vnet/vnet.h
@@ -77,6 +77,9 @@ typedef struct vnet_main_t
    */
   vnet_api_error_t api_errno;
 
+  /* pcap rx/tx, packet tracer filter tables */
+  u32 *classify_filter_table_indices;
+
   vlib_main_t *vlib_main;
 } vnet_main_t;