Ethereal-dev: Re: [ethereal-dev] filters in capture

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 1 Sep 1999 11:09:00 -0700 (PDT)
> I think the way this would happen is that we'd have the same display
> filter language for capture filtering as well, and just translate
> it.

Umm, I'm not sure BPF is capable of doing stuff as fancy as what the
display filters can do; I suppose you *could* run the display filter
stuff on packets as you capture them, but using an in-kernel display
filter reduces the CPU requirements of filtered captures (as discarding
packets in the kernel means the discarded packets don't even get copied
up to userland, and don't wake up the capturing process).

I think what we have in mind is using a syntax for capture filters
that's a *subset* of the display filter syntax, capable of being
compiled into BPF (or, if, as, and when we make Wiretap capable of doing
packet capture, compiled into the CMU/Stanford stack-machine filtering
language, at least in some cases, on those platforms that lack a BPF
engine, e.g. Solaris).

We could, for now, possibly translate such a subset into a "libpcap"
filter expression, and run that through "libpcap"'s compiler.
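The "translate a subset of the display-filter syntax into a libpcap filter expression" idea, as an added example that is neither from this thread nor Ethereal's own code: a small Python translator in which the supported fields and their libpcap qualifiers (FIELD_MAP, PROTOCOLS) are my assumptions, and anything outside that subset is rejected rather than silently dropped.

```python
import re

# Assumed subset of Ethereal display-filter fields and their libpcap qualifiers
# (this mapping is an assumption for the example, not Ethereal's own table).
FIELD_MAP = {
    "ip.addr": "host", "ip.src": "src host", "ip.dst": "dst host",
    "tcp.port": "tcp port", "tcp.srcport": "tcp src port", "tcp.dstport": "tcp dst port",
    "udp.port": "udp port", "udp.srcport": "udp src port", "udp.dstport": "udp dst port",
    "eth.addr": "ether host", "eth.src": "ether src", "eth.dst": "ether dst",
}
PROTOCOLS = {"ip", "ip6", "tcp", "udp", "icmp", "arp"}   # bare protocol tests pass through
LOGICAL = {"and": "and", "&&": "and", "or": "or", "||": "or", "not": "not", "!": "not"}

TOKEN_RE = re.compile(r"\s*(\(|\)|&&|\|\||==|!|[A-Za-z_][\w.]*|[\w.:/]+)")

def tokenize(expr):
    """Split a display-filter expression into tokens; reject anything unknown."""
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def to_pcap_filter(expr):
    """Translate the supported subset into a libpcap filter string, or raise
    ValueError when the expression uses something this subset cannot express."""
    tokens = tokenize(expr.strip())
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("(", ")") or tok in PROTOCOLS:
            out.append(tok)
            i += 1
        elif tok in LOGICAL:
            out.append(LOGICAL[tok])
            i += 1
        elif tok in FIELD_MAP:
            if i + 2 >= len(tokens) or tokens[i + 1] != "==":
                raise ValueError(f"{tok} must be compared with == in the capture subset")
            value, qual = tokens[i + 2], FIELD_MAP[tok]
            if tok.startswith("ip.") and "/" in value:   # CIDR value: host -> net
                qual = qual.replace("host", "net")
            out.append(f"{qual} {value}")
            i += 3
        else:
            raise ValueError(f"{tok!r} is not in the capture-filter subset")
    return " ".join(out)
```

The returned string is what would then be handed to libpcap's compiler (pcap_compile), which does the actual BPF generation and the final syntax check.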