Wireshark mailing list archives

Re: capture filter


From: Guy Harris <guy () alum mit edu>
Date: Tue, 7 Feb 2012 11:13:47 -0800


On Feb 7, 2012, at 4:19 AM, Sake Blok wrote:

> Capture filters need to take as little (CPU) time as possible to be able to capture on high speed networks without
> having to discard packets. That's why they use the BPF engine which runs in the kernel. The BPF engine is limited in
> its possibilities in favor of being very fast.

*And* in favor of not being capable of doing anything that involves loops, as that could allow an infinite loop to be 
stuffed into a kernel code path (without a lot of extra checking in the kernel that would, I think, require dataflow 
analysis and detection of run-time checks in the BPF code in cases where that's the *only* way to avoid an infinite 
loop).
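
Added example, not part of the message above and not taken from any kernel's source: a minimal load-time check for classic BPF programs, showing how the no-loops property can be enforced without dataflow analysis, because jump offsets are unsigned and relative to the next instruction. The names insn, cbpf_validate, ipv4_only and back_jump are hypothetical and the two programs are constructed samples; the opcode values follow the classic BPF encoding.

```c
#include <stddef.h>
#include <stdint.h>

/* Classic BPF instruction layout (same fields as struct bpf_insn). */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

#define CLASS(c) ((c) & 0x07)   /* instruction class bits */
#define OP(c)    ((c) & 0xf0)   /* jump operation bits */
#define C_JMP 0x05
#define C_RET 0x06
#define OP_JA 0x00              /* unconditional jump, offset in k */

/* Returns 1 if every jump lands after itself and inside the program, and
 * the program ends in a return; otherwise 0. A program that passes executes
 * each instruction at most once, so it finishes within len steps. */
int cbpf_validate(const struct insn *p, size_t len)
{
    if (len == 0 || CLASS(p[len - 1].code) != C_RET)
        return 0;
    for (size_t i = 0; i < len; i++) {
        size_t room = len - i - 1;      /* instructions after this one */
        if (CLASS(p[i].code) != C_JMP)
            continue;
        if (OP(p[i].code) == OP_JA) {
            /* Compare k to room; i + 1 + k could wrap to an earlier index. */
            if (p[i].k >= room)
                return 0;
        } else if (p[i].jt >= room || p[i].jf >= room) {
            return 0;
        }
    }
    return 1;
}

/* Constructed sample: accept IPv4 frames (ethertype 0x0800), drop the rest. */
static const struct insn ipv4_only[] = {
    { 0x28, 0, 0, 12 },         /* ldh [12]                        */
    { 0x15, 0, 1, 0x0800 },     /* jeq #0x800: true +0, false +1   */
    { 0x06, 0, 0, 0xffff },     /* ret #65535 (accept)             */
    { 0x06, 0, 0, 0 },          /* ret #0 (drop)                   */
};
/* Constructed sample: "jump back two" encoded as a wrapped unsigned offset. */
static const struct insn back_jump[] = {
    { 0x28, 0, 0, 12 },
    { 0x05, 0, 0, 0xfffffffeu }, /* ja with k = (uint32_t)-2 */
    { 0x06, 0, 0, 0 },
};

int main(void) { return !(cbpf_validate(ipv4_only, 4) && !cbpf_validate(back_jump, 3)); }
```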