
Libpcap behavior on virtual NIC

Hi,

I'm working on a project using tshark to monitor a set of machines, and I have some questions about libpcap.

From what I understand, libpcap attaches to a NIC and sniffs all packets on that NIC; even when using capture filters, all packets are sniffed and only then discarded, right? This means capture filters have no impact if we're trying to increase the performance of our monitoring.

However, if we use a virtual NIC and have our ports behind this NIC (not 100% sure if this is the right terminology), like for instance Docker, which has the docker0 interface and all packets to and from Docker flow through it, does this work as a "filter" for the packets sniffed by libpcap, or does it still attach to the physical interface?

Here's an example for better understanding. Let's say I have an interface eth0 where all packets go through, and I create another virtual interface called virt0, and behind this interface I have two programs listening on ports 8080 and 80. If I have no capture filters, in practice will libpcap sniff all packets flowing through eth0 or only virt0?