Wireshark-users: Re: [Wireshark-users] capture filter
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 7 Feb 2012 11:13:47 -0800
On Feb 7, 2012, at 4:19 AM, Sake Blok wrote:

> Capture filters need to take as little (CPU) time as possible to be able to capture on high speed networks without having to discard packets. That's why they use the BPF engine which runs in the kernel. The BPF engine is limited in its possibilities in favor of being very fast.

*And* in favor of not being capable of doing anything that involves loops, as that could allow an infinite loop to be stuffed into a kernel code path (without a lot of extra checking in the kernel that would, I think, require dataflow analysis and detection of run-time checks in the BPF code in cases where that's the *only* way to avoid an infinite loop).
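The point about loops can be made concrete with a small model of the classic BPF machine. The following is example code written for this page, not code from the thread, from Wireshark or from libpcap; the opcode values follow the classic BPF encoding, while the two filter programs and the Ethernet frame are constructed here. The validator applies the same kind of checks a kernel applies before installing a filter (jump targets inside the program, a terminating RET), and because the jump offsets are unsigned and relative to the next instruction, every jump moves forward and any accepted program runs for at most as many instructions as it has, with no dataflow analysis needed.

```c
/* Added example, not from the mailing-list thread or from Wireshark/libpcap: a
 * minimal model of classic BPF (cBPF) showing why a capture filter cannot loop.
 * Opcode values follow libpcap's bpf.h; only absolute LD, JA, JEQ and RET are modelled. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { BPF_LD = 0x00, BPF_JMP = 0x05, BPF_RET = 0x06,   /* instruction classes */
       BPF_W = 0x00, BPF_H = 0x08, BPF_B = 0x10,        /* load widths */
       BPF_ABS = 0x20, BPF_K = 0x00,                    /* addressing modes */
       BPF_JA = 0x00, BPF_JEQ = 0x10 };                 /* jump operations */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_SIZE(c)  ((c) & 0x18)
#define BPF_OP(c)    ((c) & 0xf0)

struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* The termination argument: jt, jf and k are unsigned and are added to pc + 1,
 * so every jump moves forward. Checking that all targets stay inside the program
 * and that it ends in RET then bounds any run to at most `len` instructions. */
static bool bpf_validate(const struct bpf_insn *p, size_t len)
{
    for (size_t pc = 0; pc < len; pc++) {
        uint16_t cls = BPF_CLASS(p[pc].code);
        if (cls == BPF_JMP) {
            if (BPF_OP(p[pc].code) == BPF_JA) {
                if ((uint64_t)pc + 1 + p[pc].k >= len) return false;
            } else if (pc + 1 + p[pc].jt >= len || pc + 1 + p[pc].jf >= len) {
                return false;
            }
        } else if (cls != BPF_LD && cls != BPF_RET) {
            return false;                /* instruction class not modelled here */
        }
    }
    return len > 0 && BPF_CLASS(p[len - 1].code) == BPF_RET;
}

/* Interpreter: returns the verdict (0 = drop, nonzero = accept) and counts the
 * executed instructions in *steps. A load past the end of the packet drops it. */
static uint32_t bpf_run(const struct bpf_insn *p, size_t len,
                        const uint8_t *pkt, size_t pktlen, size_t *steps)
{
    uint32_t A = 0;                          /* accumulator */
    size_t pc = 0;
    *steps = 0;
    while (pc < len) {
        const struct bpf_insn *in = &p[pc];
        (*steps)++;
        switch (BPF_CLASS(in->code)) {
        case BPF_LD: {                       /* absolute load of 1, 2 or 4 bytes */
            size_t w = BPF_SIZE(in->code) == BPF_W ? 4 :
                       BPF_SIZE(in->code) == BPF_H ? 2 : 1;
            if ((uint64_t)in->k + w > pktlen) return 0;
            A = 0;
            for (size_t i = 0; i < w; i++) A = (A << 8) | pkt[in->k + i];
            pc++;
            break;
        }
        case BPF_JMP:                        /* JA unconditional, else JEQ vs k */
            if (BPF_OP(in->code) == BPF_JA) pc += 1 + in->k;
            else pc += 1 + (A == in->k ? in->jt : in->jf);
            break;
        case BPF_RET:
            return in->k;
        default:
            return 0;
        }
    }
    return 0;
}

/* Classic filter for "ip and tcp" as tcpdump -d prints it:
 * ldh [12]; jeq #0x800 jt 2 jf 5; ldb [23]; jeq #6 jt 4 jf 5; ret #65535; ret #0 */
static const struct bpf_insn ip_tcp_prog[] = {
    { BPF_LD | BPF_H | BPF_ABS, 0, 0, 12 },  { BPF_JMP | BPF_JEQ | BPF_K, 0, 3, 0x0800 },
    { BPF_LD | BPF_B | BPF_ABS, 0, 0, 23 },  { BPF_JMP | BPF_JEQ | BPF_K, 0, 1, 6 },
    { BPF_RET | BPF_K, 0, 0, 65535 },        { BPF_RET | BPF_K, 0, 0, 0 },
};
#define IP_TCP_LEN (sizeof ip_tcp_prog / sizeof ip_tcp_prog[0])
/* A program a loader must refuse: the jf target of its jump lies outside it. */
static const struct bpf_insn bad_prog[] = {
    { BPF_LD | BPF_H | BPF_ABS, 0, 0, 12 },  { BPF_JMP | BPF_JEQ | BPF_K, 0, 9, 0x0800 },
    { BPF_RET | BPF_K, 0, 0, 65535 },
};
#define BAD_LEN (sizeof bad_prog / sizeof bad_prog[0])
/* Constructed 34-byte frame: Ethernet header + minimal IPv4 header with protocol 6 (TCP). */
static const uint8_t tcp_frame[34] = { 0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x00,
    0x45,0,0,20, 0,0,0,0, 64,6, 0,0, 10,0,0,1, 10,0,0,2 };

int main(void)
{
    size_t steps;
    uint32_t v = bpf_run(ip_tcp_prog, IP_TCP_LEN, tcp_frame, sizeof tcp_frame, &steps);
    printf("ip_tcp_prog valid=%d bad_prog valid=%d tcp verdict=%u steps=%zu\n",
           bpf_validate(ip_tcp_prog, IP_TCP_LEN), bpf_validate(bad_prog, BAD_LEN), v, steps);
    return 0;
}
```

Compile with `cc -std=c99 -Wall`. The full frame is accepted (verdict 65535) after 5 of the program's 6 instructions; handing the interpreter the same frame truncated to 20 bytes makes the `ldb [23]` fall off the end and the packet is dropped after 3 instructions; `bad_prog` never reaches the interpreter because its out-of-range jump target fails validation. Nothing in the validator has to reason about control flow beyond those bounds checks, which is exactly what keeps the in-kernel check cheap.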