Ethereal-users: Re: [Ethereal-users] Does using capture filter prevent packet drops?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <gharris@xxxxxxxxx>
Date: Fri, 15 Oct 2004 10:54:43 -0700 (PDT)

Lars Ruoff said:
> The question is basically whether the capture filter is applied at a low
> enough level to not let the packet I'm not interested in pass to a level
> where it encounters system's limitations.

That depends on

    1) what OS you're using

and

    2) what the limitation is.

It doesn't happen before the packet is received from the NIC, so if the
NIC is the limitation, or the amount of bus bandwidth available for
accepting packets from the bus is the limitation, or the NIC driver's
ability to accept a lot of packets from the NIC is the limitation, it
won't help.

In:

    Linux systems with the "socket filter" mechanism;

    systems using BPF (the BSDs, including OS X, and AIX if libpcap was
    configured to use BPF);

    Windows;

    Digital UNIX;

the OS has a packet filtering mechanism that uses BPF programs, so the
filtering is done before the packets are copied to userland, so if copying
to userland is the limitation, it'll help.  It's also done, I think,
before the packets are inserted into the capture mechanism's buffer, so if
the size of that buffer is the limitation, it'll help.

On other platforms, the OS has no packet filtering mechanism, or it has
one that doesn't use BPF programs, so the filtering is done in libpcap, so
all packets have to be copied to userland.  If, on one of those platforms,
the limitation is anything in the code path in the kernel, it doesn't
help.

It's done in all cases, on all platforms, before the packet is handed to
Ethereal, so if what Ethereal does with the packet once it's handed the
packet is the limitation, it'll help.