Re: Are Capture Filters Implemented in Software or the Network Card?

[Guy Harris <gharris () sonic net>]

On Nov 21, 2021, at 11:06 AM, Guy Harris <gharris () sonic net> wrote:

> In the capture mechanisms in most UN*Xes (*BSD, macOS, Linux, Solaris, AIX, and Tru64 UNIX), and in the capture 
> mechanism provided by the WinPcap and Npcap drivers, all packets received by an interface on which capturing is being 
> done are delivered to the capture mechanism in the kernel.  That capture mechanism applies the filter, and only 
> packets that pass the filter are put in a buffer to be delivered to user mode.  The libpcap user-mode code then just 
> sees only the packets that pass the filter, and provides those packets to the program using it, such as tcpdump or 
> dumpcap.  In the case of dumpcap, it writes batches of packets to a capture file as they arrive, and notifies 
> Wireshark or TShark that a batch of packets has arrived.

Solaris *11* - in previous versions, and in HP-UX, the capturing mechanism supports filtering, but it's an incompatible 
filtering mechanism that's not capable of supporting all the capabilities of the filtering mechanism used in the other 
OSes, and libpcap doesn't try to use it.

(And in IRIX, there is an even more limited filtering mechanism, which libpcap doesn't support.)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe