1 | initial version |
From what I understand, libpcap attaches to a NIC and sniffs all packets on that NIC, even when using capture filters, all packets are sniffed and only then discarded right? This means, capture filters have no impact if we're trying to increase the performance of our monitoring.
On most platforms, the OS kernel (or, in the case of Windows, the OS kernel plus the WinPcap/Npcap driver) offers a packet capture mechanism, connected to the device driver for the network adapter. All packets that arrive are delivered by the driver to the capture mechanism, which runs them through a filter "program" (machine language for a simulated special "computer"), and packets that aren't matched by the filter are discarded, not put into the capture mechanism's buffer, and not provided to libpcap.
So, in that case, while the capture filter doesn't cause packets to be discarded by the NIC, it does mean they get discarded soon enough after they arrive that there is a performance benefit to filtering.
However, if we use a virtual NIC and have our ports behind this NIC (Not 100% sure if this is the right terminology), like for instance Docker, which has the docker0 interface and all packets to and from docker flow through it, does this work as a "filter" for the packets sniffed by libpcap or does it still attach to the physical interface?
At least on Linux, the discarding probably happens after the docker interface processes the packet.
Here's an example for better understanding. Let's say I have an interface eth0 where all packets go through, and I create another virtual interface called virt0 and behind this interface I have two programs listening on port 8080 and 80. If I have no capture filters, in practice will libpcap sniff all packets flowing through eth0 or only virt0?
If you capture on eth0, the packets will be received by the NIC and passed to the Linux kernel "packet tap" mechanism by the NIC driver; the "packet tap" mechanism will run the filter, discard packets that don't match, and pass other packets to libpcap.
If you capture on virt0, the packets will be received by the NIC, passed to whatever mechanism causes them to arrive on virt0, and the virt0 driver will pass them to the "packet tap" mechanism; the "packet tap" mechanism will run the filter, discard packets that don't match, and pass other packets to libpcap.