Wireshark-users: Re: [Wireshark-users] Will capturing packets with tcpdump/tshark affect traffic

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Tue, 9 Aug 2016 23:27:40 +0200
On 09-08-16 21:05, Guy Harris wrote:
> On Aug 9, 2016, at 9:39 AM, Rayne <hjazz6@xxxxxxxxx> wrote:
> 
>> 1) Wouldn't using a capture filter add more load to the processing, since the capturing program now also has to decode the packets?
> 
> A capture filter doesn't do much decoding; it's compiled into a program in a pseudo-machine language for an accumulator-based processor:
> 
> 	http://www.tcpdump.org/papers/bpf-usenix93.pdf
> 
> and that is either interpreted in a module in the kernel or translated to machine code and executed in the kernel.  If the program rejects the packet, the packet's data is not copied to a capture buffer in the kernel, and thus not copied up to the program doing the capture; the CPU time saved not doing that more than outweighs the small amount of CPU time spent interpreting or running a capture filter program.
> 

... and subsequent load on the IO system writing the packet to disk is also saved.

>> 2) Does tcpdump use less CPU than tshark?
> 
> Yes.
>

So does dumpcap (the Wireshark / Tshark capture engine).
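To make concrete what the quoted reply means by a capture filter being "compiled into a program in a pseudo-machine language for an accumulator-based processor", here is an added example that is not part of the thread and not code from libpcap, tcpdump or Wireshark: a small Python interpreter for the classic BPF machine (accumulator A, index register X, packet memory), run over a hand-written filter program for "ip and tcp port 80" on an Ethernet link, laid out in the style of a `tcpdump -d` listing. The names `run_filter`, `build_packet`, `capture` and `FILTER_TCP_PORT_80` are this example's own, and the sample frames are constructed inline. The `capture` function mimics the kernel-side behaviour described above: a packet the program rejects is never copied, so only the handful of loads and compares are paid for it.

```python
"""Tiny interpreter for the classic BPF pseudo-machine (McCanne/Jacobson).
Added example; the filter program is hand-written, not generated by libpcap,
and the opcode names follow tcpdump -d listings (ldhx = ldh [x + k])."""
import struct

# Each instruction is (opcode, k, jt, jf); jt/jf are absolute targets.
# Assumption: this is equivalent to what libpcap emits for
# "ip and tcp port 80" on Ethernet, but it was written by hand for this example.
FILTER_TCP_PORT_80 = [
    ("ldh",  12,     0,  0),   # (000) A = EtherType
    ("jeq",  0x0800, 2,  12),  # (001) IPv4? else reject
    ("ldb",  23,     0,  0),   # (002) A = IP protocol
    ("jeq",  6,      4,  12),  # (003) TCP? else reject
    ("ldh",  20,     0,  0),   # (004) A = IP flags + fragment offset
    ("jset", 0x1fff, 12, 6),   # (005) non-first fragment: no L4 header, reject
    ("ldxb", 14,     0,  0),   # (006) X = 4 * IHL = IP header length
    ("ldhx", 14,     0,  0),   # (007) A = TCP source port at [X + 14]
    ("jeq",  80,     11, 9),   # (008)
    ("ldhx", 16,     0,  0),   # (009) A = TCP destination port at [X + 16]
    ("jeq",  80,     11, 12),  # (010)
    ("ret",  65535,  0,  0),   # (011) accept: copy up to 65535 bytes
    ("ret",  0,      0,  0),   # (012) reject: copy nothing
]


def run_filter(prog, pkt):
    """Execute a BPF program over one frame. Returns the ret value: 0 means
    reject, non-zero is the number of bytes the kernel may copy. A load past
    the end of the frame rejects it, as the real machine does."""
    a = x = pc = 0
    while True:
        op, k, jt, jf = prog[pc]
        if op == "ret":
            return k
        try:
            if op == "ldh":
                a = struct.unpack_from("!H", pkt, k)[0]
            elif op == "ldb":
                a = pkt[k]
            elif op == "ldxb":
                x = 4 * (pkt[k] & 0x0F)
            elif op == "ldhx":
                a = struct.unpack_from("!H", pkt, x + k)[0]
            elif op == "jeq":
                pc = jt if a == k else jf
                continue
            elif op == "jset":
                pc = jt if (a & k) != 0 else jf
                continue
            else:
                raise ValueError("unknown opcode %r" % op)
        except (IndexError, struct.error):
            return 0
        pc += 1


def build_packet(proto, sport, dport, frag_off=0, ethertype=0x0800, ihl=5):
    """Construct an Ethernet/IPv4/L4 frame with zeroed checksums (sample data,
    constructed for this example; not captured traffic)."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 4 * ihl + 20, 0x1234,
                     frag_off, 64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    ip += b"\x00" * (4 * (ihl - 5))          # IP options, if IHL > 5
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    return eth + ip + l4


def capture(prog, frames):
    """Kernel-side model: run the filter on every frame, copy only accepted
    ones (truncated to the snaplen the program returned)."""
    return [f[:n] for f in frames for n in (run_filter(prog, f),) if n]


SAMPLE_FRAMES = [                                   # constructed sample traffic
    build_packet(6, 40000, 80),                     # HTTP request: accepted
    build_packet(6, 443, 40001),                    # HTTPS: rejected
    build_packet(17, 53, 40002),                    # DNS over UDP: rejected
    build_packet(6, 80, 40003, ihl=6),              # HTTP reply with IP options: accepted
    build_packet(6, 40004, 80, frag_off=0x0001),    # trailing fragment: rejected
]

if __name__ == "__main__":
    for i, (op, k, jt, jf) in enumerate(FILTER_TCP_PORT_80):
        print("(%03d) %-5s #0x%x  jt %d  jf %d" % (i, op, k, jt, jf))
    for f in SAMPLE_FRAMES:
        print(len(f), "bytes ->", "copy" if run_filter(FILTER_TCP_PORT_80, f) else "drop")
```

The two fragments with IP options and a non-zero fragment offset are the cases a hand-written offset check tends to get wrong; the X register is what lets the program find the TCP ports regardless of header length, and the `jset #0x1fff` test mirrors libpcap's refusal to match ports in a non-first fragment.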