I was just wondering about how filters process and whether I can do things more efficiently with one filter vs another. Example:

1) tcp.flags.syn == 1 && tcp.flags.rst == 1
2) tcp[13] == 12

Does one work better/same/worse than the other?

asked 19 Jun '17, 18:43 Antacus
2 Answers:
It depends:
Therefore it's hard to say if one of the filters is better/worse than the other. It depends on what you're looking for. But one thing is clear: the two filters are not the same.

answered 20 Jun '17, 02:54 Uli
Others have already pointed out dftest and dumping BPF code for comparisons, but I'll give an answer from a different perspective... In my experience, I haven't seen much difference in efficiency... but I work in customer support, so I usually go with the most easily understood filter. Obviously, tcp.flags.syn == 1 && tcp.flags.ack == 1 requires much less explanation on my part than would any filter like tcp[offset] == value. So, if I'm writing (say) a tshark script that I won't have to explain to others, I might use the offset test... but if I'm doing anything for public consumption, I go with what folks are more likely to understand at first glance.

answered 22 Jun '17, 11:19 wesmorgan1
Guess I should not have written an off-the-hip question. My original was more of a concept question on how the code of Wireshark processes filters. You got me on details, which I am usually a stickler on :) So let me rewrite my original question :)

A) (conditional test #1) && (conditional test #2)
B) (conditional test #3) * where B) provides the same answer as A)

Not being a hard-core coder, it seems to me that logically test B) would be twice as fast as A), so where you can, take the time to optimize filters. Think of a script which you have set up to pre-parse capture files and generate a report before you even open the capture file for the first time. Filters run inside repeating scripts can be optimized to run faster, and should be, imho.

I assume this question has been asked before but I am unable to locate an answer. There is a Performance page on the Wiki but it does not address this question.
I realize this question was geared more for Wireshark display filters, but for capture filters, you can directly compare them by having tcpdump or dumpcap generate the BPF code if you specify the -d option. For example, if you run these two commands, you can see that they produce the exact same resulting BPF code:

Here's the output in either case:

If you generate the BPF code, it can help you determine if one capture filter is more efficient than another or if they differ in any way.
Not surprising, given that, in effect, "tcpflags" is a macro for "13" , "tcp-syn" is a macro for "0x02", "tcp-rst" is a macro for "0x04", and libpcap's BPF compiler's optimizer evaluates some expressions at compile time.
For display filters, there's a program dftest, which is part of the Wireshark source, and may be installed if Wireshark is; if, for example, you run dftest 'tcp.flags.syn == 1 && tcp.flags.reset == 1', it prints

Filter: "tcp.flags.syn == 1 && tcp.flags.reset == 1"

which is the code that's interpreted at run time by the display filter code. So you could use dftest on the two filter expressions to see what test instructions are generated. Whether (conditional test #3) generates fewer instructions than (conditional test #1) && (conditional test #2) and, if so, how many fewer instructions are generated, depends on what the three conditional tests are.

> Not surprising, given that, in effect, "tcpflags" is a macro for "13", "tcp-syn" is a macro for "0x02", "tcp-rst" is a macro for "0x04",
Right, I was just illustrating the fact that tcp-syn|tcp-rst is equivalent to 6, and not 12, as Antacus originally wrote in the question. If the names are used instead of the number, then you can be assured of the correct value being used, so it's generally better to use the names.

And thanks for mentioning dftest. I sometimes forget about it because for some unknown reason, it has never been packaged with the Wireshark Windows installer, and Windows is the platform I generally use. And to compare Guy's dftest output for the "tcp.flags.syn == 1 && tcp.flags.reset == 1" filter, here's the dftest output for tcp.flags == 6:

Filter: "tcp.flags == 6"

So clearly this filter is [slightly] more efficient.
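Added example (not part of the original thread, and not Wireshark or libpcap code): a small Python script that builds a few TCP headers and evaluates the question's two filters against the flag byte, so you can see for yourself why Uli says the filters differ and why cmaynard says SYN|RST is 6, not 12. It models the byte that the capture filter tcp[13] reads (standard TCP flag layout: CWR 0x80, ECE 0x40, URG 0x20, ACK 0x10, PSH 0x08, RST 0x04, SYN 0x02, FIN 0x01); Wireshark's tcp.flags field is wider and also covers the reserved/NS bits above that byte, which are assumed zero here. The sample headers are constructed inline, not captured.

```python
"""Evaluate "tcp.flags.syn && tcp.flags.rst" versus "tcp[13] == N" on raw TCP headers.

Added example for the thread above; not code from Wireshark, libpcap or any poster.
The headers below are constructed test data, not captured packets.
"""
import struct

# Bit value of each flag in byte 13 of the TCP header (high bit first).
TCP_FLAGS = {
    "cwr": 0x80, "ece": 0x40, "urg": 0x20, "ack": 0x10,
    "psh": 0x08, "rst": 0x04, "syn": 0x02, "fin": 0x01,
}


def tcp_header(flags, sport=12345, dport=80):
    """Build a minimal 20-byte TCP header with the given flag bits set (constructed data)."""
    data_offset = 5 << 4  # header length of 5 32-bit words, no options, reserved bits zero
    # ports, seq, ack, data offset/reserved, flags, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)


def flags_byte(tcp):
    """The flag byte exactly as the capture filter tcp[13] sees it."""
    return tcp[13]


def flag_names(byte):
    """Decode a flag byte into the names of the bits that are set."""
    return [name for name, bit in TCP_FLAGS.items() if byte & bit]


def filter_syn_and_rst(tcp):
    """Display-filter style: tcp.flags.syn == 1 && tcp.flags.rst == 1.

    Each term tests one bit, so any other flags (e.g. ACK) are ignored.
    """
    b = flags_byte(tcp)
    return bool(b & TCP_FLAGS["syn"]) and bool(b & TCP_FLAGS["rst"])


def filter_byte_equals(tcp, value):
    """Capture-filter style: tcp[13] == value (exact match on the whole byte)."""
    return flags_byte(tcp) == value


def compare(tcp):
    """Run all three filters from the thread against one header."""
    return {
        "flags": flag_names(flags_byte(tcp)),
        "syn && rst": filter_syn_and_rst(tcp),
        "tcp[13] == 12": filter_byte_equals(tcp, 12),
        "tcp[13] == 6": filter_byte_equals(tcp, 6),
    }


# Constructed samples: the SYN|RST case from the question, the same with ACK,
# and the flags that 12 (0x0c) actually selects.
SAMPLES = {
    "syn+rst": tcp_header(TCP_FLAGS["syn"] | TCP_FLAGS["rst"]),                      # 0x06
    "syn+rst+ack": tcp_header(TCP_FLAGS["syn"] | TCP_FLAGS["rst"] | TCP_FLAGS["ack"]),  # 0x16
    "psh+rst": tcp_header(TCP_FLAGS["psh"] | TCP_FLAGS["rst"]),                      # 0x0c == 12
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:12s} byte13=0x{flags_byte(hdr):02x} {compare(hdr)}")
```

Running it shows the two differences the thread is about: tcp[13] == 12 matches PSH|RST rather than SYN|RST, and even the corrected tcp[13] == 6 is an exact byte match, so a SYN|RST|ACK segment passes tcp.flags.syn && tcp.flags.rst but not tcp[13] == 6. The per-bit form is the one to use when you mean "these flags are set, whatever else is".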
I think Guy's dftest portion of his comment should be the answer to this question.