Don Lafontaine wrote:
>
> A discussion was going on a while back on pcap and filters.
>
> My thought is: Why not do POST filtering of our own. Trap all packets,
> but filter the display. That way, we could theoretically reshow the same
> data under different filters without having to restart a trace. The NG
> Sniffer does this I believe. (I'm pretty sure).

Refiltering the captured file is already implemented.

Capturing all packets and only filtering the display is a bad idea since
you have a lot of overhead (particularly with user-space packet sniffing)
and since kernel filtering allows minimizing the rate of packet loss.

Laurent.
--
Laurent DENIEL | E-mail: deniel@xxxxxxxxxxx
Paris, FRANCE | deniel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
| WWW : http://www.worldnet.fr/~deniel
All above opinions are personal, unless stated otherwise.