Wireshark-dev: Re: [Wireshark-dev] Are Capture Filters Implemented in Software or the Network C

From: Nicolás Alvarez <nicolas.alvarez@xxxxxxxxx>
Date: Sun, 21 Nov 2021 15:42:53 -0300
On Sun, Nov 21, 2021 at 13:27, X Q (xq1xq1xq1@xxxxxxxxx) wrote:
>
> This is a question fairly deep in the guts of Wireshark that I could not find an answer to.
>
> When a capture filter is implemented, are ALL packets sent to Wireshark/Dumpcap/TShark at the software level for filtering
>
> or
>
> are the packets not matching the filter shed/ignored by the Network Interface card itself, thus reducing strain on the CPU/Network Fabric?

On Linux, using pcap, the packets would be filtered by the operating
system; so that's neither Wireshark nor the hardware. Wireshark gives
the kernel a BPF filter, the kernel filters packets when they arrive
from the network card, and only gives Wireshark the packets that
matched the filter.

I don't know how it works with other packet capturing backends.

-- 
Nicolás
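
The kernel-side filtering described in the reply above, as an added illustration that is not part of the original message and is not Wireshark or libpcap code: a classic BPF program for the capture filter `ip proto 17`, run by a small user-space interpreter standing in for the kernel. The program is hand-assembled, the names `run_filter`, `frame` and `capture` are hypothetical, and the frames are constructed.

```python
import struct

# Classic BPF opcodes: BPF_LD|BPF_H|BPF_ABS, BPF_LD|BPF_B|BPF_ABS,
# BPF_JMP|BPF_JEQ|BPF_K, BPF_RET|BPF_K.
LD_H_ABS, LD_B_ABS, JEQ_K, RET_K = 0x28, 0x30, 0x15, 0x06

# Hand-assembled program for "ip proto 17" on Ethernet, as (code, jt, jf, k)
# tuples in struct sock_filter order; jt/jf are relative to the next instruction.
IP_UDP_FILTER = [
    (LD_H_ABS, 0, 0, 12),      # A = EtherType
    (JEQ_K, 0, 3, 0x0800),     # IPv4? otherwise skip to the drop
    (LD_B_ABS, 0, 0, 23),      # A = IPv4 protocol field
    (JEQ_K, 0, 1, 17),         # UDP? otherwise skip to the drop
    (RET_K, 0, 0, 262144),     # accept, deliver up to 262144 bytes
    (RET_K, 0, 0, 0),          # drop, nothing reaches the capture process
]

def run_filter(prog, pkt):
    """Return how many bytes of pkt would be delivered (0 means dropped)."""
    a, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code in (LD_H_ABS, LD_B_ABS):
            size = 2 if code == LD_H_ABS else 1
            if k + size > len(pkt):
                return 0       # a load past the end of the packet rejects it
            a = int.from_bytes(pkt[k:k + size], "big")
        elif code == JEQ_K:
            pc += jt if a == k else jf
        elif code == RET_K:
            return min(k, len(pkt))
        else:
            raise ValueError(f"opcode {code:#x} not handled by this sketch")
    return 0

def frame(ethertype, ip_proto):
    """Constructed Ethernet frame: 20-byte header with only the protocol byte set."""
    eth = bytes(12) + struct.pack("!H", ethertype)
    return eth + bytes([0x45]) + bytes(8) + bytes([ip_proto]) + bytes(10)

def capture(prog, frames):
    """Frames the capturing process would actually receive."""
    return [f for f in frames if run_filter(prog, f) > 0]

UDP, TCP, ARP = frame(0x0800, 17), frame(0x0800, 6), frame(0x0806, 17)
RUNT = UDP[:14]                # constructed truncated frame, header only

if __name__ == "__main__":
    for name, f in [("udp", UDP), ("tcp", TCP), ("arp", ARP), ("runt", RUNT)]:
        print(name, run_filter(IP_UDP_FILTER, f))
```

Only the UDP frame survives; the TCP, ARP and truncated frames are rejected before any copy to the capturing process would happen.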