[prev in list] [next in list] [prev in thread] [next in thread] 

List:       wireshark-dev
Subject:    Re: [Wireshark-dev] Are Capture Filters Implemented in Software or the Network Card?
From:       Guy Harris <gharris () sonic ! net>
Date:       2021-11-21 19:41:24
Message-ID: CB7E8C14-76D9-4016-93EE-C68CE75E7C6E () sonic ! net
[Download RAW message or body]

On Nov 21, 2021, at 11:06 AM, Guy Harris <gharris@sonic.net> wrote:

> In the capture mechanisms in most UN*Xes (*BSD, macOS, Linux, Solaris, AIX, and \
> Tru64 UNIX), and in the capture mechanism provided by the WinPcap and Npcap \
> drivers, all packets received by an interface on which capturing is being done are \
> delivered to the capture mechanism in the kernel.  That capture mechanism applies \
> the filter, and only packets that pass the filter are put in a buffer to be \
> delivered to user mode.  The libpcap user-mode code then just sees only the packets \
> that pass the filter, and provides those packets to the program using it, such as \
> tcpdump or dumpcap.  In the case of dumpcap, it writes batches of packets to a \
> capture file as they arrive, and notifies Wireshark or TShark that a batch of \
> packets has arrived.

Solaris *11* - in previous versions, and in HP-UX, the capturing mechanism supports \
filtering, but it's an incompatible filtering mechanism that's not capable of \
supporting all the capabilities of the filtering mechanism used in the other OSes, \
and libpcap doesn't try to use it.

(And in IRIX, there is an even more limited filtering mechanism, which libpcap \
doesn't support.) ___________________________________________________________________________
 Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe


[prev in list] [next in list] [prev in thread] [next in thread]