Wireshark mailing list archives

Re: Are Capture Filters Implemented in Software or the Network Card?


From: Nicolás Alvarez <nicolas.alvarez () gmail com>
Date: Sun, 21 Nov 2021 15:42:53 -0300

On Sun, Nov 21, 2021 at 13:27, X Q (xq1xq1xq1 () gmail com) wrote:

This is a question fairly deep in the guts of Wireshark that I could not find an answer to.

When a capture filter is implemented, are ALL packets sent to Wireshark/Dumpcap/TShark at the software level for filtering

or

are the packets not matching the filter shed/ignored by the Network Interface card itself, thus reducing strain on the CPU/Network Fabric?

On Linux, using pcap, the packets would be filtered by the operating
system; so that's neither Wireshark nor the hardware. Wireshark gives
the kernel a BPF filter, the kernel filters packets when they arrive
from the network card, and only gives Wireshark the packets that
matched the filter.

I don't know how it works with other packet capturing backends.

-- 
Nicolás
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
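
The kernel-side filtering described in the reply above, sketched as an added example (not code from Wireshark, libpcap, or the Linux kernel, and not part of the original message): a small interpreter runs a classic BPF program over constructed frames and returns 0 for packets the capturing process would never receive. The names `insn`, `tcp_filter`, `bpf_run` and `deliver` are hypothetical, the filter is hand-assembled for this example, and only the four opcodes it uses are implemented.

```c
#include <stdint.h>
#include <stdio.h>
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };  /* layout of struct sock_filter */

/* Hand-assembled for this example: accept IPv4 frames carrying TCP. */
static const struct insn tcp_filter[6] = {
    { 0x28, 0, 0, 12 },      /* ldh [12]   load EtherType                */
    { 0x15, 0, 3, 0x0800 },  /* jeq IPv4   else skip 3 -> drop           */
    { 0x30, 0, 0, 23 },      /* ldb [23]   load IPv4 protocol field      */
    { 0x15, 0, 1, 6 },       /* jeq TCP    else skip 1 -> drop           */
    { 0x06, 0, 0, 262144 },  /* ret 262144 accept, up to this many bytes */
    { 0x06, 0, 0, 0 },       /* ret 0      drop                          */
};

/* Returns bytes handed to the capturing process; 0 = it never sees the packet. */
uint32_t bpf_run(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;                               /* accumulator */
    for (size_t pc = 0; pc < n; pc++) {
        uint32_t k = p[pc].k;
        switch (p[pc].code) {
        case 0x28:                                /* 16-bit big-endian load */
            if ((size_t)k + 2 > len) return 0;    /* load past end: drop */
            a = ((uint32_t)pkt[k] << 8) | pkt[k + 1]; break;
        case 0x30:                                /* 8-bit load */
            if (k >= len) return 0;
            a = pkt[k]; break;
        case 0x15:                                /* jump relative to next insn */
            pc += (a == k) ? p[pc].jt : p[pc].jf; break;
        case 0x06: return k;                      /* ret */
        default:   return 0;                      /* opcode outside this sketch */
        }
    }
    return 0;
}

/* Constructed frame: zeroed Ethernet + IPv4 headers, two fields set; len <= 34. */
uint32_t deliver(uint16_t ethertype, uint8_t proto, size_t len)
{
    uint8_t f[34] = { 0 };
    f[12] = ethertype >> 8; f[13] = ethertype & 0xff; f[23] = proto;
    return bpf_run(tcp_filter, 6, f, len);
}

int main(void)
{
    printf("IPv4/TCP: %u\n", deliver(0x0800, 6, 34));
    printf("IPv4/UDP: %u\n", deliver(0x0800, 17, 34));
    printf("ARP:      %u\n", deliver(0x0806, 0, 34));
    return 0;
}
```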
