On Mar 18, 2010, at 8:02 AM, Jim Lloyd wrote:

> Perhaps someone can clarify this point for me. When is filtering done?

If the packet capture mechanism supports BPF packet filtering in the kernel (and the filter isn't too complicated to fit in the kernel or otherwise incapable of being handled by the kernel - "ip6 protochain {proto}" requires that the BPF program loop, which is *NOT* supported by kernel BPF interpreters, so that you can't hand the kernel a BPF program that loops infinitely), the filtering is done when the packet is handed to the packet capture mechanism.

If the packet capture mechanism doesn't support BPF packet filtering in the kernel (or the filter can't be handled by the kernel), it's done when pcap_loop()/pcap_dispatch()/pcap_next()/pcap_next_ex() first looks at the packet.
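
The decision described in the reply above, as an added example that is not part of the original message and is not libpcap or kernel code: a simplified model of a forward-jumps-only check and the resulting choice of where filtering happens. The names `kernel_would_accept`, `filtering_location`, the `max_len` limit and both sample programs are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic BPF instruction layout; opcode bit values as in <net/bpf.h>. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define CLS(c) ((c) & 0x07)   /* instruction class */
#define OP(c)  ((c) & 0xf0)   /* jump operation */
enum { C_JMP = 0x05, C_RET = 0x06, OP_JA = 0x00 };
enum where { IN_KERNEL, IN_USERLAND };

/* Simplified model (assumption): the kernel takes a program only if it fits,
 * every jump lands forward and inside the program, and it ends in a return. */
static int kernel_would_accept(const struct insn *p, size_t len, size_t max_len)
{
    if (len == 0 || len > max_len) return 0;      /* too complicated to fit */
    for (size_t i = 0; i < len; i++) {
        if (CLS(p[i].code) != C_JMP) continue;
        size_t room = len - i - 1;                /* instructions after this one */
        if (OP(p[i].code) == OP_JA) {
            /* k is unsigned here: a backward (negative) offset looks huge */
            if (p[i].k >= room) return 0;
        } else if (p[i].jt >= room || p[i].jf >= room) {
            return 0;
        }
    }
    return CLS(p[len - 1].code) == C_RET;
}

/* Where the filter runs, following the two cases in the reply. */
enum where filtering_location(int capture_has_kernel_bpf,
                              const struct insn *p, size_t len, size_t max_len)
{
    if (capture_has_kernel_bpf && kernel_would_accept(p, len, max_len))
        return IN_KERNEL;     /* applied when the packet reaches the capture mechanism */
    return IN_USERLAND;       /* applied when pcap_loop() etc. first looks at the packet */
}

/* Constructed sample: ldh [12]; jeq #0x800; ret #65535; ret #0 */
static const struct insn FORWARD[] = {
    {0x28, 0, 0, 12}, {0x15, 0, 1, 0x0800}, {0x06, 0, 0, 65535}, {0x06, 0, 0, 0} };
/* Constructed sample with a backward "ja" (offset -2), i.e. a loop */
static const struct insn LOOP[] = {
    {0x28, 0, 0, 12}, {0x05, 0, 0, (uint32_t)-2}, {0x06, 0, 0, 0} };

int main(void)
{
    printf("forward: %s\n", filtering_location(1, FORWARD, 4, 4096) == IN_KERNEL ? "kernel" : "userland");
    printf("loop:    %s\n", filtering_location(1, LOOP, 3, 4096) == IN_KERNEL ? "kernel" : "userland");
    return 0;
}
```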