Re: Filtering based on multiple IP address.

[Hannes Gredler <hannes () juniper net>]

> 1. Is there is a limit in the length of filter string

afaik 256 BPF instructions

> 2. What will be the performance impact because of having a huge filter
> string.

linear performance impact

> 3. Will PCAP automatically reduce the the filter string for performance.

not for a chain of explicit hostanmes

> 4. Else, can some one provide with a logic to reduce the filter string 
> (from
> a lot of host address to a simple net address if possible).

you way wnat to have a look what BPF filtercode your expression produces
to get an idea about the processing complexity.

(simply run tcpdump with the -d flag and you'll see the BPF filtercode as
executed by BPF capable kernels).

hannes@t40 ~ $ tcpdump -ndi eth0 "ip && src host 192.168.1.1"
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 5
(002) ld       [26]
(003) jeq      #0xc0a80101      jt 4    jf 5
(004) ret      #96
(005) ret      #0

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.