Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Are Capture Filters Implemented in Software or the Network Card?

From: Gene Cumm <gene.cumm () gmail com>
Date: Sun, 21 Nov 2021 11:50:38 -0500
On Sun, Nov 21, 2021, 11:27 AM X Q <xq1xq1xq1 () gmail com> wrote:


This is a question fairly deep in the guts of Wireshark that I could not
find an answer to.

When a capture filter is implemented are ALL packets sent to
Wireshark/Dumpcap/TShark at the software level for filtering

or

are the packets not matching the filter shedded/ignored by the Network
Interface card itself thus reducing strain on the CPU/Network Fabric?

I look forward to hearing from you!
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org
?subject=unsubscribe



Iirc, implemented in the capture library. If you're using npcap on a
traditional card, pure software.  That said, I can recall doing a 1Gbps
capture of mostly full size frames on an Intel card with 0 issues.
Promiscuous mode drops the hardware filter (presumably still present) for
destination broadcast or self to all frames.

What's the goal?  How much traffic are you really capturing?  Is there
really a CPU constraint?

--Gene




___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: