List: wireshark-dev
Subject: Re: [Wireshark-dev] Are Capture Filters Implemented in Software or the Network Card?
From: Gene Cumm <gene.cumm () gmail ! com>
Date: 2021-11-21 16:50:38
Message-ID: CAD0RxemFQUnS19-Z5fh6qA6GS7_9Jb_JC1eWd+YJOXoyUs3nQw () mail ! gmail ! com
On Sun, Nov 21, 2021, 11:27 AM X Q <xq1xq1xq1@gmail.com> wrote:
> This is a question fairly deep in the guts of Wireshark that I could not
> find an answer to.
>
> When a capture filter is implemented are ALL packets sent to
> Wireshark/Dumpcap/TShark at the software level for filtering
>
> or
>
> are the packets not matching the filter shed/ignored by the Network
> Interface card itself thus reducing strain on the CPU/Network Fabric?
>
> I look forward to hearing from you!
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives: https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@wireshark.org
> ?subject=unsubscribe
>
Iirc, implemented in the capture library. If you're using npcap on a
traditional card, pure software. That said, I can recall doing a 1Gbps
capture of mostly full size frames on an Intel card with 0 issues.
Promiscuous mode drops the hardware filter (presumably still present) for
destination broadcast or self to all frames.

What's the goal? How much traffic are you really capturing? Is there
really a CPU constraint?

--Gene