tcpdump mailing list archives
Re: When will a packet filter be ignored/unused?
From: Guy Harris <guy () alum mit edu>
Date: Thu, 18 Mar 2010 14:47:18 -0700
On Mar 18, 2010, at 8:02 AM, Jim Lloyd wrote:
Perhaps someone can clarify this point for me. When is filtering done?
If the packet capture mechanism supports BPF packet filtering in the kernel (and the filter isn't too complicated to
fit in the kernel or otherwise incapable of being handled by the kernel - "ip6 protochain {proto}" requires that the
BPF program loop, which is *NOT* supported by kernel BPF interpreters, so that you can't hand the kernel a BPF program
that loops infinitely), the filtering is done when the packet is handed to the packet capture mechanism.
If the packet capture mechanism doesn't support BPF packet filtering in the kernel (or the filter can't be handled by
the kernel), it's done when pcap_loop()/pcap_dispatch()/pcap_next()/pcap_next_ex() first looks at the packet.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- When will a packet filter be ignored/unused? Jim Lloyd (Mar 16)
- Re: When will a packet filter be ignored/unused? Darren Reed (Mar 16)
- Re: When will a packet filter be ignored/unused? Michael Richardson (Mar 16)
- Re: When will a packet filter be ignored/unused? Jim Lloyd (Mar 17)
- Re: When will a packet filter be ignored/unused? Guy Harris (Mar 17)
- Re: When will a packet filter be ignored/unused? Eloy Paris (Mar 18)
- Re: When will a packet filter be ignored/unused? Jim Lloyd (Mar 18)
- Re: When will a packet filter be ignored/unused? Eloy Paris (Mar 18)
- Re: When will a packet filter be ignored/unused? Guy Harris (Mar 18)
- Re: When will a packet filter be ignored/unused? Guy Harris (Mar 18)
- Re: When will a packet filter be ignored/unused? Guy Harris (Mar 17)