Wireshark mailing list archives

Re: Will capturing packets with tcpdump/tshark affect traffic processing?


From: Jaap Keuter <jaap.keuter () xs4all nl>
Date: Tue, 9 Aug 2016 23:27:40 +0200

On 09-08-16 21:05, Guy Harris wrote:
On Aug 9, 2016, at 9:39 AM, Rayne <hjazz6 () ymail com> wrote:

1) Wouldn't using a capture filter add more load to the processing, since the capturing program now also has to 
decode the packets?

A capture filter doesn't do much decoding; it's compiled into a program in a pseudo-machine language for an 
accumulator-based processor:

      http://www.tcpdump.org/papers/bpf-usenix93.pdf

and that is either interpreted in a module in the kernel or translated to machine code and executed in the kernel.  
If the program rejects the packet, the packet's data is not copied to a capture buffer in the kernel, and thus not 
copied up to the program doing the capture; the CPU time saved not doing that more than outweighs the small amount of 
CPU time spent interpreting or running a capture filter program.


... and subsequent load on the IO system writing the packet to disk is also saved.

2) Does tcpdump use less CPU than tshark?

Yes.


So does dumpcap (the Wireshark / Tshark capture engine).
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
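To make the "accumulator-based pseudo-machine" point concrete, here is an added example (written for this page, not code from tcpdump, libpcap or Wireshark): a minimal interpreter for a hand-assembled BPF program equivalent to `ip and tcp port 80`, run over constructed Ethernet/IPv4/TCP frames. The instruction layout, jump targets and opcode names are assumptions modelled on `tcpdump -d` output rather than copied from it; the frames are constructed inline and carry only the fields the filter reads.

```python
import struct
SNAPLEN = 262144  # bytes to keep for a matching packet (tcpdump -d shows "ret #262144")
# Hand-assembled filter for "ip and tcp port 80" on Ethernet, constructed for this example
# in the style of `tcpdump -d` output: (opcode, k, jt, jf), jump targets as absolute
# instruction indices. Offsets assume a 14-byte Ethernet header in front of the IP header.
FILTER = [
    ("ldh",    12,      0,  0),   # 0: A = ethertype
    ("jeq",    0x0800,  2, 12),   # 1: IPv4? otherwise reject
    ("ldb",    23,      0,  0),   # 2: A = IP protocol
    ("jeq",    6,       4, 12),   # 3: TCP? otherwise reject
    ("ldh",    20,      0,  0),   # 4: A = IP flags + fragment offset
    ("jset",   0x1fff, 12,  6),   # 5: non-first fragment carries no ports: reject
    ("ldxmsh", 14,      0,  0),   # 6: X = 4 * (IHL nibble) = IP header length
    ("ldhx",   14,      0,  0),   # 7: A = TCP source port at [X + 14]
    ("jeq",    80,     11,  9),   # 8: match -> accept
    ("ldhx",   16,      0,  0),   # 9: A = TCP destination port at [X + 16]
    ("jeq",    80,     11, 12),   # 10: match -> accept, else reject
    ("ret",    SNAPLEN, 0,  0),   # 11: accept: copy SNAPLEN bytes to the capture buffer
    ("ret",    0,       0,  0),   # 12: reject: nothing is copied, nothing reaches userland
]

def run_filter(prog, pkt):
    """Interpret a BPF program over one packet; returns bytes to keep (0 = drop)."""
    a = x = pc = 0
    while True:
        op, k, jt, jf = prog[pc]
        if op == "ret":
            return k
        if op == "jeq":
            pc = jt if a == k else jf
        elif op == "jset":
            pc = jt if a & k else jf
        else:  # load instructions
            off = k + (x if op == "ldhx" else 0)
            size = 2 if op in ("ldh", "ldhx") else 1
            if off + size > len(pkt):  # out-of-bounds load rejects the packet
                return 0
            val = pkt[off] if size == 1 else struct.unpack_from("!H", pkt, off)[0]
            if op == "ldxmsh":
                x = 4 * (val & 0x0F)
            else:
                a = val
            pc += 1

def tcp_frame(sport, dport, frag_off=0, ethertype=0x0800, proto=6):
    """Constructed Ethernet/IPv4/TCP frame carrying only the fields the filter reads."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBHII", 0x45, 0, 40, 0, frag_off, 64, proto, 0, 0x0A000001, 0x0A000002)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp
```

Run `run_filter(FILTER, tcp_frame(12345, 80))` to see a match return the snaplen, and compare with a port-443 frame, an ARP ethertype, a non-first fragment or a truncated frame, all of which return 0 and would never be copied out of the kernel.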
