Wireshark mailing list archives
Re: dumpcap and bpf assembler
From: Guy Harris <guy () alum mit edu>
Date: Thu, 28 May 2015 14:52:03 -0700
On May 27, 2015, at 4:26 PM, Sake Blok <sake () euronet nl> wrote:
> I believe that anything the BPF engine can do can be accomplished by using a capture filter expression
No.

For one thing, a BPF program can return different non-zero values based on the packet contents, so that, for example, somebody could have a bigger snapshot length for some packet types than others (somebody asked about that somewhere - they wanted a bigger snapshot length for DNS packets). That's not supported in capture filter expressions - those expressions evaluate to a Boolean value, so they either match (returning a single snapshot length) or fail to match.

For another thing, as Richard noted, there are some special tests in the Linux BPF engine that aren't currently supported by capture filter expressions.
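The per-packet-type snapshot length described in the reply above, as an added example that is not part of the original message and is not Wireshark or libpcap code: a classic BPF program that returns a larger value for DNS (UDP port 53 over IPv4 on Ethernet) than for everything else, run through a minimal interpreter covering only the opcodes it uses. The two snapshot lengths, the helper names and the sample frames are assumptions constructed for illustration.

```python
import struct

# Classic BPF opcode values for the few instructions this filter uses.
LDH_ABS, LDB_ABS, LDH_IND, LDXB_MSH = 0x28, 0x30, 0x48, 0xB1
JEQ_K, JSET_K, RET_K = 0x15, 0x45, 0x06
DNS_SNAPLEN, DEFAULT_SNAPLEN = 65535, 96   # assumed values for illustration

# (code, jt, jf, k); jump offsets are relative to the following instruction.
PROGRAM = [
    (LDH_ABS, 0, 0, 12),             # A = EtherType
    (JEQ_K, 0, 10, 0x0800),          # not IPv4 -> default snaplen
    (LDB_ABS, 0, 0, 23),             # A = IP protocol
    (JEQ_K, 0, 8, 17),               # not UDP -> default snaplen
    (LDH_ABS, 0, 0, 20),             # A = flags + fragment offset
    (JSET_K, 6, 0, 0x1FFF),          # later fragment, no UDP header -> default
    (LDXB_MSH, 0, 0, 14),            # X = IPv4 header length in bytes
    (LDH_IND, 0, 0, 14),             # A = UDP source port
    (JEQ_K, 2, 0, 53),
    (LDH_IND, 0, 0, 16),             # A = UDP destination port
    (JEQ_K, 0, 1, 53),
    (RET_K, 0, 0, DNS_SNAPLEN),      # DNS: keep (up to) the whole packet
    (RET_K, 0, 0, DEFAULT_SNAPLEN),  # everything else: keep headers only
]

def run_filter(prog, pkt):
    """Interpret the opcode subset above and return the program's result."""
    a = x = pc = 0
    while True:
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == RET_K:
            return k                 # 0 = drop, non-zero = bytes to keep
        if code in (JEQ_K, JSET_K):
            pc += jt if ((a == k) if code == JEQ_K else bool(a & k)) else jf
            continue
        off = k + (x if code == LDH_IND else 0)
        size = 2 if code in (LDH_ABS, LDH_IND) else 1
        if off + size > len(pkt):
            return 0                 # load past end of packet rejects it
        val = int.from_bytes(pkt[off:off + size], "big")
        if code == LDXB_MSH:
            x = 4 * (val & 0x0F)
        else:
            a = val

def captured_length(prog, pkt):
    return min(run_filter(prog, pkt), len(pkt))

def udp_frame(sport, dport, payload):  # constructed Ethernet/IPv4/UDP sample
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17,
                     0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return bytes(12) + b"\x08\x00" + ip + udp + payload
```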