Wireshark-users: Re: [Wireshark-users] capture filter
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 7 Feb 2012 11:21:46 -0800
On Feb 7, 2012, at 4:19 AM, Sake Blok wrote:

> Capture filters need to take as little (CPU) time as possible to be able to capture on high speed networks without having to discard packets. That's why they use the BPF engine which runs in the kernel.

...so that as little work can be done on the packet in the capture path if it doesn't pass the packet filter - for example, so that it won't be copied up to userland or into a buffer shared between the kernel and userland if the capturing program would just discard it afterwards.
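An added illustration of the point made in this thread, not part of the original messages: a miniature classic-BPF interpreter runs the filter program for `ip and tcp` (in the numeric form `tcpdump -dd` uses), and the capture path copies a packet only when the filter accepts it. The names `bpf_run`, `capture` and `demo`, the 64-byte frames and the snaplen value are assumptions made for this sketch; only the four opcodes the program needs are implemented.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };  /* fields as in libpcap's struct bpf_insn */
/* "ip and tcp" on Ethernet, with an assumed snaplen of 262144 bytes. */
static const struct insn ip_and_tcp[] = {
    { 0x28, 0, 0, 12 },      /* ldh [12]     load EtherType            */
    { 0x15, 0, 3, 0x0800 },  /* jeq #0x800   IPv4, else reject         */
    { 0x30, 0, 0, 23 },      /* ldb [23]     load IPv4 protocol byte   */
    { 0x15, 0, 1, 6 },       /* jeq #6       TCP, else reject          */
    { 0x06, 0, 0, 262144 },  /* ret #262144  accept up to snaplen      */
    { 0x06, 0, 0, 0 },       /* ret #0       reject                    */
};

/* Returns bytes to keep; 0 drops. Out-of-bounds loads and other opcodes drop. */
static uint32_t bpf_run(const struct insn *p, size_t n, const uint8_t *pkt, size_t len) {
    uint32_t a = 0;                                   /* accumulator */
    for (size_t pc = 0; pc < n; pc++) {
        uint32_t k = p[pc].k;
        switch (p[pc].code) {
        case 0x28: if ((size_t)k + 2 > len) return 0;
                   a = ((uint32_t)pkt[k] << 8) | pkt[k + 1]; break;
        case 0x30: if (k >= len) return 0;
                   a = pkt[k]; break;
        case 0x15: pc += (a == k) ? p[pc].jt : p[pc].jf; break;  /* relative jump */
        case 0x06: return k;
        default:   return 0;
        }
    }
    return 0;
}

/* Capture path: bytes are copied toward userland only if the filter accepts. */
static size_t capture(const uint8_t *pkt, size_t len, uint8_t *ring) {
    size_t keep = bpf_run(ip_and_tcp, 6, pkt, len);
    if (keep > len) keep = len;
    if (keep) memcpy(ring, pkt, keep);     /* a rejected packet is never copied */
    return keep;
}
/* Constructed frame: all zeros except the EtherType and IPv4 protocol byte. */
static size_t demo(uint16_t ethertype, uint8_t proto, size_t len) {
    uint8_t frame[64] = {0}, ring[64];
    frame[12] = (uint8_t)(ethertype >> 8); frame[13] = (uint8_t)ethertype; frame[23] = proto;
    return capture(frame, len > 64 ? 64 : len, ring);
}
int main(void) {
    printf("tcp=%zu udp=%zu arp=%zu short=%zu\n", demo(0x0800, 6, 64),
           demo(0x0800, 17, 64), demo(0x0806, 0, 64), demo(0x0800, 6, 20));
    return 0;
}
```

Only the TCP frame reaches `memcpy`; the UDP, ARP and truncated frames are dropped after at most four instructions.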