[prev in list] [next in list] [prev in thread] [next in thread] 

List:       wireshark-dev
Subject:    Re: [Wireshark-dev] Are Capture Filters Implemented in Software or the Network Card?
From:       Nicolás_Alvarez <nicolas.alvarez () gmail ! com>
Date:       2021-11-21 18:42:53
Message-ID: CANPC-ttF6rkOGRd4hVA5ys_18RU4yXLK3Py4m0AxDoqaz4+8uA () mail ! gmail ! com
[Download RAW message or body]

El dom, 21 de nov. de 2021 a la(s) 13:27, X Q (xq1xq1xq1@gmail.com) escribió:
> 
> This is a question fairly deep in the guts of Wireshark that I could not find an \
> answer to. 
> When a capture filter is implemented are ALL packets sent to \
> Wireshark/Dumpcap/TShark at the software level for filtering 
> or
> 
> are the packets not matching the filter shedded/ignored by the Network Interface \
> card itself thus reducing strain on the CPU/Network Fabric?

On Linux, using pcap, the packets would be filtered by the operating
system; so that's neither Wireshark nor the hardware. Wireshark gives
the kernel a BPF filter, the kernel filters packets when they arrive
from the network card, and only gives Wireshark the packets that
matched the filter.

I don't know how it works with other packet capturing backends.

-- 
Nicolás
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe


[prev in list] [next in list] [prev in thread] [next in thread]