Ethereal-users: Re: [Ethereal-users] NT 4 tethereal with filter -R memory leak

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Fri, 27 Oct 2000 15:17:40 -0700

On Fri, Oct 27, 2000 at 03:09:43PM -0700, Guy Harris wrote:
> (Capture filters have other advantages - they're much faster
> to check, and, on many platforms, they're checked in the OS kernel, and
> packets aren't even copied up to the application if they don't pass the
> filter, which can cut CPU usage significantly.)

Windows happens to be one of the platforms on which the filters are
checked in the kernel (the Windows 9x and Windows NT/2K drivers for
WinPcap include a BPF interpreter).

Other platforms I know of that do are

	the BSDs;

	Linux, *if* you have a version of libpcap that handles that (some
	Linux distributions do, and the current CVS tree version of
	libpcap from tcpdump.org does, although no released versions
	from LBL or tcpdump.org do) *and* you have a 2.2 or later kernel
	and have configured in the packet filter code (that's the
	CONFIG_FILTER option) and PF_PACKET sockets (that's the
	CONFIG_PACKET option);

	DEC OSF/1, sorry, make that "Digital UNIX", sorry, make that
	"Tru64 UNIX".

On other platforms, capture filters still work, but the kernel doesn't
support BPF filters (SunOS 4.x and 5.x support CMU/Stanford packet
filters, but libpcap doesn't generate code for them), so all packets are
copied up to the application and filtered in the libpcap library, which
isn't quite as efficient.