On 09-08-16 21:05, Guy Harris wrote:
> On Aug 9, 2016, at 9:39 AM, Rayne <hjazz6@xxxxxxxxx> wrote:
>
>> 1) Wouldn't using a capture filter add more load to the processing, since the capturing program now also has to decode the packets?
>
> A capture filter doesn't do much decoding; it's compiled into a program in a pseudo-machine language for an accumulator-based processor:
>
> http://www.tcpdump.org/papers/bpf-usenix93.pdf
>
> and that is either interpreted in a module in the kernel or translated to machine code and executed in the kernel. If the program rejects the packet, the packet's data is not copied to a capture buffer in the kernel, and thus not copied up to the program doing the capture; the CPU time saved not doing that more than outweighs the small amount of CPU time spent interpreting or running a capture filter program.
>
... and subsequent load on the IO system writing the packet to disk is also saved.
>> 2) Does tcpdump use less CPU than tshark?
>
> Yes.
>
So does dumpcap (the Wirehshark / Tshark capture engine).