Wireshark mailing list archives

Re: Will capturing packets with tcpdump/tshark affect traffic processing?

From: Guy Harris <guy () alum mit edu>
Date: Tue, 9 Aug 2016 12:05:47 -0700

On Aug 9, 2016, at 9:39 AM, Rayne <hjazz6 () ymail com> wrote:

1) Wouldn't using a capture filter add more load to the processing, since the capturing program now also has to 
decode the packets?


A capture filter doesn't do much decoding; it's compiled into a program in a pseudo-machine language for an 
accumulator-based processor:

        http://www.tcpdump.org/papers/bpf-usenix93.pdf

and that is either interpreted in a module in the kernel or translated to machine code and executed in the kernel.  If 
the program rejects the packet, the packet's data is not copied to a capture buffer in the kernel, and thus not copied 
up to the program doing the capture; the CPU time saved not doing that more than outweighs the small amount of CPU time 
spent interpreting or running a capture filter program.

2) Does tcpdump use less CPU than tshark?


Yes.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread:

Will capturing packets with tcpdump/tshark affect traffic processing? Rayne (Aug 08)
- Re: Will capturing packets with tcpdump/tshark affect traffic processing? Guy Harris (Aug 08)
  - Re: Will capturing packets with tcpdump/tshark affect traffic processing? Rayne (Aug 09)
    - Re: Will capturing packets with tcpdump/tshark affect traffic processing? Guy Harris (Aug 09)
    - Re: Will capturing packets with tcpdump/tshark affect traffic processing? Jaap Keuter (Aug 09)