Wireshark-dev: Re: [Wireshark-dev] Are Capture Filters Implemented in Software or the Network C

From: Gene Cumm <gene.cumm@xxxxxxxxx>
Date: Sun, 21 Nov 2021 11:50:38 -0500
On Sun, Nov 21, 2021, 11:27 AM X Q <xq1xq1xq1@xxxxxxxxx> wrote:
> This is a question fairly deep in the guts of Wireshark that I could not find an answer to.
>
> When a capture filter is implemented, are ALL packets sent to Wireshark/Dumpcap/TShark at the software level for filtering, or are the packets not matching the filter shed/ignored by the Network Interface card itself, thus reducing strain on the CPU/Network Fabric?
>
> I look forward to hearing from you!

IIRC, implemented in the capture library. If you're using Npcap on a traditional card, pure software. That said, I can recall doing a 1Gbps capture of mostly full size frames on an Intel card with 0 issues. Promiscuous mode drops the hardware filter (presumably still present) for destination broadcast or self to all frames.

What's the goal?  How much traffic are you really capturing?  Is there really a CPU constraint?

--Gene
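
As an added illustration (not part of the thread, and not Wireshark or libpcap source code): libpcap-style capture filters are compiled to a small BPF program that the host CPU runs against every frame the card delivers, which is what "pure software" means in practice. The interpreter below is a minimal sketch of that per-packet evaluation; the names `insn`, `run_filter` and `ip_udp`, the hand-assembled filter and the sample frames are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* One classic BPF instruction: opcode, jump offsets, constant operand. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LDH_ABS = 0x28, LDB_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };

/* Hand-assembled filter, constructed for this example: keep IPv4 UDP only. */
static const struct insn ip_udp[] = {
    { LDH_ABS, 0, 0, 12 },      /* A = EtherType at offset 12             */
    { JEQ_K,   0, 3, 0x0800 },  /* IPv4: fall through, else skip to drop  */
    { LDB_ABS, 0, 0, 23 },      /* A = IPv4 protocol byte                 */
    { JEQ_K,   0, 1, 17 },      /* UDP: fall through, else skip to drop   */
    { RET_K,   0, 0, 262144 },  /* accept, keep up to 262144 bytes        */
    { RET_K,   0, 0, 0 },       /* drop                                   */
};

/* Constructed frames; only the bytes the filter reads are set. */
static const uint8_t udp_frame[42]  = { [12] = 0x08, [13] = 0x00, [23] = 17 };
static const uint8_t tcp_frame[54]  = { [12] = 0x08, [13] = 0x00, [23] = 6 };
static const uint8_t arp_frame[42]  = { [12] = 0x08, [13] = 0x06 };
static const uint8_t runt_frame[13] = { [12] = 0x08 };

/* Run the filter on the CPU for one frame: bytes to keep, 0 = drop (also on short frames). */
uint32_t run_filter(const struct insn *p, size_t n, const uint8_t *pkt, size_t len) {
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        uint32_t k = p[pc].k;
        switch (p[pc].code) {
        case LDH_ABS:
            if ((size_t)k + 2 > len) return 0;
            a = ((uint32_t)pkt[k] << 8) | pkt[k + 1];
            break;
        case LDB_ABS:
            if ((size_t)k + 1 > len) return 0;
            a = pkt[k];
            break;
        case JEQ_K: pc += (a == k) ? p[pc].jt : p[pc].jf; break;
        case RET_K: return k;
        default:    return 0;   /* unknown opcode: drop */
        }
    }
    return 0;                   /* ran off the end: drop */
}

int main(void) {
    size_t n = sizeof ip_udp / sizeof ip_udp[0];
    printf("udp: keep %u\n", (unsigned)run_filter(ip_udp, n, udp_frame, sizeof udp_frame));
    return 0;
}
```

Every frame, matching or not, costs a few instructions of host CPU time before it is kept or discarded, so the filter reduces what is copied and stored rather than what the NIC receives.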