tcpdump mailing list archives
Re: Filter complexity and performance
From: Jonathan Gruenhut <jonathan () zetapoint com>
Date: Mon, 15 Jan 2007 15:51:01 +0200
Dmitry Rubinstein wrote:
Greetings, everyone!We are trying to capture stuff using a relatively simple filter (onLinux, using Phil Wood's PCAP with ssldump on top of it). What we want is basically to capture the traffic to and from a specific port of a specific host (say, 10.0.0.1:80). So far we did it using the filter 'host 10.0.0.1 and port 80', but obviously that means we also see traffic originating from 10.0.0.1 to port 80 of other hosts. The simple way to prevent that would be to use a bit more elaborate filter: '(dst host 10.0.0.1 and dst port 80) or (src host 10.0.0.1 and src port 80)'. This means the filter has grown two fold in the number of clauses. What will be the implications upon the performance of the filtering code? Will we be able to capture twice as few packets (hopefully not)? I was hoping to kinda avoid the need to do this test if anyone has already didsome sort of evaluation...
I've used this format before, to no ill effect. I saw all the packets I had expected to see. I don't think it was slower than anything else, but I didn't do timing tests.
- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- Filter complexity and performance Dmitry Rubinstein (Jan 15)
- Re: Filter complexity and performance Jonathan Gruenhut (Jan 15)
- Re: Filter complexity and performance Fabian Schneider (Jan 15)
- Re: Filter complexity and performance Jefferson Ogata (Jan 16)