1. Is there a limit in the length of filter string
afaik 256 BPF instructions
2. What will be the performance impact because of having a huge filter string.
linear performance impact
3. Will PCAP automatically reduce the filter string for performance.
not for a chain of explicit hostnames
4. Else, can someone provide a logic to reduce the filter string (from a lot of host addresses to a simple net address if possible).
you may want to have a look at what BPF filtercode your expression produces to get an idea about the processing complexity.
(simply run tcpdump with the -d flag and you'll see the BPF filtercode as executed by BPF capable kernels).
[EMAIL PROTECTED] ~ $ tcpdump -ndi eth0 "ip && src host 192.168.1.1"
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 5
(002) ld [26]
(003) jeq #0xc0a80101 jt 4 jf 5
(004) ret #96
(005) ret #0
/hannes
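
For question 4, one way to reduce a long chain of host terms is to merge them into network terms wherever a block of addresses is completely covered. This is an added example, not part of the original message; the function names and the sample host list are assumptions made up for illustration.

```python
import ipaddress

# Constructed sample input: hosts a capture should match (not from the thread).
SAMPLE_HOSTS = [f"192.168.1.{i}" for i in range(8)] + ["192.168.1.9", "10.0.0.1"]


def aggregate_hosts(hosts):
    """Collapse IPv4 host addresses into the smallest exact set of networks.

    Only fully populated, aligned blocks are merged, so the result matches
    the same addresses as the input and no others. Duplicates are dropped.
    """
    nets = [ipaddress.IPv4Network(h) for h in hosts]  # each host becomes a /32
    return list(ipaddress.collapse_addresses(nets))


def build_filter(hosts, direction="src"):
    """Build a pcap filter expression equivalent to OR-ing every host term."""
    if direction not in ("src", "dst"):
        raise ValueError("direction must be 'src' or 'dst'")
    nets = aggregate_hosts(hosts)
    if not nets:
        raise ValueError("no hosts given")
    terms = []
    for net in nets:
        if net.prefixlen == 32:
            # A lone address stays a host term.
            terms.append(f"{direction} host {net.network_address}")
        else:
            # A merged block becomes a single net term in CIDR form.
            terms.append(f"{direction} net {net}")
    return "ip and (" + " or ".join(terms) + ")"


if __name__ == "__main__":
    merged = aggregate_hosts(SAMPLE_HOSTS)
    print(len(SAMPLE_HOSTS), "host terms ->", len(merged), "terms")
    print(build_filter(SAMPLE_HOSTS))
```

Passing the original and the reduced expression to tcpdump with the -d flag shows how many BPF instructions each one compiles to.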
-
This is the tcpdump-workers list.