
Revision history

What is the maximum filter length?

There's no fixed maximum length; however:

  1. the filter is compiled into BPF pseudo-machine language and, on most platforms, handed to kernel-mode code, which probably imposes a maximum compiled-code size - if that's exceeded, the kernel-mode code will reject it, and libpcap/WinPcap/Npcap would have to do the filtering in user mode, with every received packet being copied up to user mode, which may cause more packet drops with high-volume traffic;
  2. the compiler's optimizer code path involves recursion, and a sufficiently complicated expression might cause a stack overflow.

Can this be done through a file-based method?

tcpdump supports the -F command-line option, causing it to read the filter expression from a file.

TShark doesn't support that, although, with a UN*X-style shell, you could do

tshark -f `cat filter-file`

to insert the filter into a command-line from a file.

For Wireshark, you'd have to copy from the file and paste into Wireshark.
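The following is an added example, not part of the answer above or of tcpdump/TShark themselves. It shows a small shell helper for the file-based approach: it reads a pcap-filter expression from a file, drops `#` comments and blank lines (the pcap-filter grammar has no comment syntax of its own, so they must be stripped before the expression reaches the tool), and joins the remaining lines into a single expression that can be passed as one argument. A second helper asks tcpdump's own compiler (`tcpdump -d`, which prints the compiled BPF program) how many instructions the filter becomes, so an expression that is likely to exceed the kernel's compiled-code size is noticed before it is deployed. The names `load_filter` and `bpf_insn_count` are this example's own; the sample filter file in the comments is constructed; and the size check assumes a tcpdump build on which `-d -y EN10MB` compiles the expression without opening a capture interface, which is not true of every build.

```shell
#!/bin/sh
# Added example: file-based capture-filter handling for tcpdump/TShark.

# Collapse a filter file into one pcap-filter expression.
#   - strip '#' comments (not part of the pcap-filter grammar, so we remove them)
#   - join lines with single spaces and trim leading/trailing whitespace
load_filter() {
    sed -e 's/#.*$//' "$1" \
        | tr '\n' ' ' \
        | tr -s ' \t' ' ' \
        | sed -e 's/^ //' -e 's/ $//'
}

# Report how many BPF instructions tcpdump's compiler emits for an expression.
# Each line of 'tcpdump -d' output is one instruction, printed as "(NNN) op ...".
# Prints 0 if tcpdump is not installed (or if this build cannot compile
# without opening an interface, which is an assumption of this example).
bpf_insn_count() {
    if command -v tcpdump >/dev/null 2>&1; then
        tcpdump -d -y EN10MB "$1" 2>/dev/null | { grep -c '^(' || true; }
    else
        echo 0
    fi
}

# Usage (interactive, not executed here). Constructed sample file 'filter-file':
#
#   # management traffic only
#   tcp port 443   and
#     not host 192.0.2.1  # excluded monitoring box
#
#   expr=$(load_filter filter-file)
#   echo "compiled to $(bpf_insn_count "$expr") BPF instructions"
#   tshark -f "$expr"          # quoted: the expression stays ONE argument
#   tcpdump -F filter-file     # tcpdump reads the file itself
#
# Quoting "$(...)" matters: the unquoted backtick form in the answer above lets
# the shell split a multi-word filter into separate arguments, so only the
# first word is actually bound to -f.
```

The instruction count is what the kernel will be asked to accept; if it is far larger than you expect, simplify the expression rather than relying on libpcap's user-mode fallback, which copies every packet up to user space and drops more under load.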