Wireshark-users: Re: [Wireshark-users] dumpcap and bpf assembler
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 28 May 2015 14:52:03 -0700
On May 27, 2015, at 4:26 PM, Sake Blok <sake@xxxxxxxxxx> wrote:

> I believe that anything the BPF engine can do can be accomplished by using a capture filter expression

No.

For one thing, a BPF program can return different non-zero values based on the packet contents, so that, for example, somebody could have a bigger snapshot length for some packet types than others (somebody asked about that somewhere - they wanted a bigger snapshot length for DNS packets).  That's not supported in capture filter expressions - those expressions evaluate to a Boolean value, so they either match (returning a single snapshot length) or fail to match.

For another thing, as Richard noted, there are some special tests in the Linux BPF engine that aren't currently supported by capture filter expressions.
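As an added illustration of the first point (not code from this thread, and not anything dumpcap supports today), here is a hand-built classic BPF program for Ethernet that behaves like "udp port 53" but returns 65535 for DNS packets and 96 for everything else, run through a small interpreter over constructed frames; the instruction struct is redefined locally so it builds without libpcap.

```c
#include <stdint.h>
#include <stddef.h>
/* Same field layout as struct bpf_insn in <pcap/bpf.h>, redefined here so this builds without libpcap. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* Opcode values are the corresponding BPF_LD|BPF_H|BPF_ABS etc. macro combinations. */
enum { LDH_ABS = 0x28, LDB_ABS = 0x30, LDH_IND = 0x48, LDX_MSH = 0xb1, JEQ_K = 0x15, RET_K = 0x06 };

/* "udp port 53", except that a match returns 65535 (keep the whole DNS packet) and a
 * non-match returns 96 instead of 0, so other packets are kept with a smaller snapshot. */
static const struct insn prog[] = {
    { LDH_ABS, 0, 0, 12 },     /* A = ethertype                  */
    { JEQ_K,   0, 7, 0x0800 }, /* not IPv4  -> ret 96            */
    { LDB_ABS, 0, 0, 23 },     /* A = IP protocol                */
    { JEQ_K,   0, 5, 17 },     /* not UDP   -> ret 96            */
    { LDX_MSH, 0, 0, 14 },     /* X = 4 * IHL (IP header length) */
    { LDH_IND, 0, 0, 14 },     /* A = UDP source port            */
    { JEQ_K,   3, 0, 53 },     /* == 53     -> ret 65535         */
    { LDH_IND, 0, 0, 16 },     /* A = UDP destination port       */
    { JEQ_K,   1, 0, 53 },     /* == 53     -> ret 65535         */
    { RET_K,   0, 0, 96 },
    { RET_K,   0, 0, 65535 },
};

/* Interpreter for the opcodes above; an out-of-range load aborts with 0 (drop), as the real engines do. */
uint32_t bpf_run(const struct insn *p, size_t n, const uint8_t *pkt, size_t len) {
    uint32_t A = 0, X = 0, off;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &p[pc];
        switch (i->code) {
        case LDH_ABS: off = i->k;     if (off + 2 > len) return 0; A = pkt[off] << 8 | pkt[off + 1]; break;
        case LDH_IND: off = X + i->k; if (off + 2 > len) return 0; A = pkt[off] << 8 | pkt[off + 1]; break;
        case LDB_ABS: off = i->k;     if (off >= len) return 0; A = pkt[off]; break;
        case LDX_MSH: off = i->k;     if (off >= len) return 0; X = (pkt[off] & 0x0f) * 4; break;
        case JEQ_K:   pc += (A == i->k) ? i->jt : i->jf; break;  /* offsets are relative to the next insn */
        case RET_K:   return i->k;
        default:      return 0; /* opcode not implemented in this toy interpreter */
        }
    }
    return 0;
}

/* Snapshot length the program assigns to a constructed 42-byte Ethernet/IPv4 frame
 * (20-byte IP header, given L4 protocol and destination port, no payload). */
uint32_t snaplen_for(uint8_t proto, uint16_t dport) {
    uint8_t buf[42] = {0};
    buf[12] = 0x08; buf[13] = 0x00;               /* ethertype IPv4 */
    buf[14] = 0x45; buf[23] = proto;              /* IPv4, IHL 5; protocol */
    buf[34] = 0xc0; buf[35] = 0x00;               /* source port 49152 */
    buf[36] = dport >> 8; buf[37] = dport & 0xff; /* destination port */
    return bpf_run(prog, sizeof prog / sizeof prog[0], buf, sizeof buf);
}
```

With libpcap the same array could be wrapped in a struct bpf_program and handed to pcap_setfilter(); the engine treats a non-zero return as the number of bytes to keep, which is exactly what a Boolean capture filter expression cannot express.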