I want to capture concurrently and save it as multiple files where each file has its own distinct capture filter?

edit

My understanding is that you want to:

1. Capture with minimal risk of dropped packets
2. Create one pcap file per unique IP address
3. Do this really fast without using much CPU or memory

My recommendation would be this:

1. Sniff with something fast, like netsniff-ng, and put all packets in one big pcap file. Tcpdump or dumpcap are okay too.
2. Use SplitCap to split the big pcap file based on IP addresses like this: SplitCap.exe -r dump.pcap -s host

You will now have a bunch of PCAP files, one for each observed unique IP address.

Please note that disk-IO is the main factor in being able to successfully capture and save all packets. If you want to capture the same packets to multiple files, you will increase the IOPS needed to save all packets without any discards. So performance implication is you need more striped disks to be able to save the data multiple times.

You are better of using dumpcap directly (dumpcap is used by tshark to do the capture-to-disk). As there is nothing currently available in dumpcap to dynamically determine which file to save to (or even which files (multiple) to save to), you will need to run dumpcap multiple times. This will increase the memory footprint in some degree, but as no state is being kept by dumpcap, it is just the memory needed to run multiple instances of dumpcap.

CPU wise, multiple captures, each with a different capture filter, will impact the CPU as it needs to process each packet multiple times.

What is the use-case for this setup, compared to capturing everything to disk once and then do the filtering later?