Wireshark-users: Re: [Wireshark-users] capture filter
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: julius <mycommercials.79@xxxxxx>
Date: Wed, 08 Feb 2012 12:00:03 +0100
Am 07.02.2012 20:21, schrieb Guy Harris:

On Feb 7, 2012, at 4:19 AM, Sake Blok wrote:


Capture filters need to take as little (CPU) time as possible to be able to capture on high speed networks without having to discard packets. That's why they use the BPF engine which runs in the kernel.

...so that as little work can be done on the packet in the capture path if it doesn't pass the packet filter - for example, so that it won't be copied up to userland or into a buffer shared between the kernel and userland if the capturing program would just discard it afterwards.

Thank you for the information.