Wireshark mailing list archives
Re: Will capturing packets with tcpdump/tshark affect traffic processing?
From: Jaap Keuter <jaap.keuter () xs4all nl>
Date: Tue, 9 Aug 2016 23:27:40 +0200
On 09-08-16 21:05, Guy Harris wrote:
> On Aug 9, 2016, at 9:39 AM, Rayne <hjazz6 () ymail com> wrote:
>
>> 1) Wouldn't using a capture filter add more load to the processing, since the capturing program now also has to decode the packets?
>
> A capture filter doesn't do much decoding; it's compiled into a program in a pseudo-machine language for an accumulator-based processor:
>
> http://www.tcpdump.org/papers/bpf-usenix93.pdf
>
> and that is either interpreted in a module in the kernel or translated to machine code and executed in the kernel. If the program rejects the packet, the packet's data is not copied to a capture buffer in the kernel, and thus not copied up to the program doing the capture; the CPU time saved not doing that more than outweighs the small amount of CPU time spent interpreting or running a capture filter program.

... and subsequent load on the IO system writing the packet to disk is also saved.

>> 2) Does tcpdump use less CPU than tshark?
>
> Yes.

So does dumpcap (the Wireshark / Tshark capture engine).
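
The filter mechanism described in the message above, as an added example that is not part of the original post or of libpcap: a small interpreter for four classic BPF opcodes, running a hand-assembled "ip and tcp" program over constructed Ethernet frames. The names `bpf_run`, `bytes_copied` and `ip_tcp`, the 64-byte frame and the 262144-byte snapshot length are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Classic BPF instruction: opcode, jump offsets (true/false), constant k. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LDH_ABS = 0x28, LDB_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };

/* The filter "ip and tcp" for Ethernet, hand-assembled for this example. */
static const struct insn ip_tcp[] = {
    { LDH_ABS, 0, 0, 12 },      /* A = EtherType (bytes 12-13)      */
    { JEQ_K,   0, 3, 0x0800 },  /* IPv4? fall through, else reject  */
    { LDB_ABS, 0, 0, 23 },      /* A = IP protocol (byte 23)        */
    { JEQ_K,   0, 1, 6 },       /* TCP? fall through, else reject   */
    { RET_K,   0, 0, 262144 },  /* accept: keep up to 262144 bytes  */
    { RET_K,   0, 0, 0 },       /* reject: keep 0 bytes             */
};

/* Run a filter over one packet; returns bytes to keep (0 = reject). */
uint32_t bpf_run(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;                       /* the accumulator */
    for (size_t pc = 0; pc < n; pc++) {
        uint32_t k = p[pc].k;
        switch (p[pc].code) {
        case LDH_ABS: if (len < 2 || k > len - 2) return 0;  /* load past end */
                      A = (uint32_t)pkt[k] << 8 | pkt[k + 1]; break;
        case LDB_ABS: if (k >= len) return 0;                /* load past end */
                      A = pkt[k]; break;
        case JEQ_K:   pc += (A == k) ? p[pc].jt : p[pc].jf; break;
        case RET_K:   return k;
        default:      return 0;           /* opcode not handled here */
        }
    }
    return 0;
}

/* Constructed 64-byte frame; returns bytes that reach the capture buffer. */
size_t bytes_copied(uint16_t ethertype, uint8_t ip_proto)
{
    uint8_t pkt[64] = {0};
    pkt[12] = ethertype >> 8; pkt[13] = ethertype & 0xff; pkt[23] = ip_proto;
    uint32_t keep = bpf_run(ip_tcp, sizeof ip_tcp / sizeof ip_tcp[0], pkt, sizeof pkt);
    return keep < sizeof pkt ? keep : sizeof pkt;
}

int main(void) {
    printf("TCP %zu, UDP %zu, ARP %zu\n", bytes_copied(0x0800, 6),
           bytes_copied(0x0800, 17), bytes_copied(0x0806, 0));
    return 0;
}
```

A rejected frame costs at most four interpreted instructions and no copy, which is the trade-off the reply describes.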