Wireshark-dev: Re: [Wireshark-dev] Are Capture Filters Implemented in Software or the Network C

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 21 Nov 2021 11:41:24 -0800
On Nov 21, 2021, at 11:06 AM, Guy Harris <gharris@xxxxxxxxx> wrote:

> In the capture mechanisms in most UN*Xes (*BSD, macOS, Linux, Solaris, AIX, and Tru64 UNIX), and in the capture mechanism provided by the WinPcap and Npcap drivers, all packets received by an interface on which capturing is being done are delivered to the capture mechanism in the kernel.  That capture mechanism applies the filter, and only packets that pass the filter are put in a buffer to be delivered to user mode.  The libpcap user-mode code then just sees only the packets that pass the filter, and provides those packets to the program using it, such as tcpdump or dumpcap.  In the case of dumpcap, it writes batches of packets to a capture file as they arrive, and notifies Wireshark or TShark that a batch of packets has arrived.

Solaris *11* - in previous versions, and in HP-UX, the capturing mechanism supports filtering, but it's an incompatible filtering mechanism that's not capable of supporting all the capabilities of the filtering mechanism used in the other OSes, and libpcap doesn't try to use it.

(And in IRIX, there is an even more limited filtering mechanism, which libpcap doesn't support.)
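
The filtering flow described in the quoted paragraph, as an added example that is not part of the original message and is not libpcap or kernel code: a simplified user-space model, loosely patterned on a BPF-style filter program, in which every received frame is offered to the filter and only accepted frames reach the buffer that user mode reads. The instruction encoding, the names `run_filter` and `capture`, and the sample frames are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical minimal instruction set: just enough for one filter. */
enum { LD_H_ABS, JEQ_K, RET_K };
struct insn { int op; uint8_t jt, jf; uint32_t k; };

/* Constructed filter equivalent to the capture filter "ip":
   accept when the Ethernet type field (offset 12) is 0x0800. */
static const struct insn ip_filter[] = {
    { LD_H_ABS, 0, 0, 12 },      /* A = 16-bit value at offset 12  */
    { JEQ_K,    0, 1, 0x0800 },  /* A == 0x0800 ? next : skip one  */
    { RET_K,    0, 0, 262144 },  /* accept: keep up to 256 KiB     */
    { RET_K,    0, 0, 0 },       /* reject: keep 0 bytes           */
};

/* Run the filter over one frame; returns bytes to keep (0 = drop). */
static uint32_t run_filter(const struct insn *prog, size_t n,
                           const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->op) {
        case LD_H_ABS:
            if ((size_t)i->k + 2 > len) return 0;  /* short frame: drop */
            a = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1];
            break;
        case JEQ_K: pc += (a == i->k) ? i->jt : i->jf; break;
        case RET_K: return i->k < len ? i->k : (uint32_t)len;
        }
    }
    return 0;  /* fell off the end of the program: drop */
}

/* Constructed sample frames (Ethernet header only): IPv4, ARP, IPv6. */
static const uint8_t frames[3][14] = {
    { [12] = 0x08, [13] = 0x00 },
    { [12] = 0x08, [13] = 0x06 },
    { [12] = 0x86, [13] = 0xdd },
};

/* Model of the kernel side: all frames are seen, but only those the
   filter accepts are recorded for delivery to user mode. */
static size_t capture(uint8_t delivered[3])
{
    size_t kept = 0;
    for (uint8_t f = 0; f < 3; f++)
        if (run_filter(ip_filter, 4, frames[f], 14) > 0)
            delivered[kept++] = f;
    return kept;
}
```
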