Re: Filter complexity and performance

[Jonathan Gruenhut <jonathan () zetapoint com>]

Dmitry Rubinstein wrote:
> Greetings, everyone!
>  
> We are trying to capture stuff using a relatively simple filter (on
> Linux, using Phil Wood's PCAP with ssldump on top of it). What we want
> is basically to capture the traffic to and from a specific port of a
> specific host (say, 10.0.0.1:80). So far we did it using the filter
> 'host 10.0.0.1 and port 80', but obviously that means we also see
> traffic originating from 10.0.0.1 to port 80 of other hosts. The simple
> way to prevent that would be to use a bit more elaborate filter: '(dst
> host 10.0.0.1 and dst port 80) or (src host 10.0.0.1 and src port 80)'.
> This means the filter has grown two fold in the number of clauses. What
> will be the implications upon the performance of the filtering code?
> Will we be able to capture twice as few packets (hopefully not)? I was
> hoping to kinda avoid the need to do this test if anyone has already did
> some sort of evaluation... 
>   

I've used this format before, to no ill effect.  I saw all the packets I 
had expected to see.  I don't think it was slower than anything else, 
but I didn't do timing tests.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.