Wireshark mailing list archives
Re: capture filter
From: Guy Harris <guy () alum mit edu>
Date: Tue, 7 Feb 2012 11:21:46 -0800
On Feb 7, 2012, at 4:19 AM, Sake Blok wrote:
Capture filters need to take as little (CPU) time as possible to be able to capture on high speed networks without having to discard packets. That's why they use the BPF engine which runs in the kernel.
...so that as little work can be done on the packet in the capture path if it doesn't pass the packet filter - for example, so that it won't be copied up to userland or into a buffer shared between the kernel and userland if the capturing program would just discard it afterwards. ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- capture filter julius (Feb 07)
- Re: capture filter Sake Blok (Feb 07)
- Re: capture filter Guy Harris (Feb 07)
- Re: capture filter Guy Harris (Feb 07)
- Re: capture filter julius (Feb 08)
- Re: capture filter Sake Blok (Feb 07)