
Advantages of Scapy sniff's filter, versus filtering in packet handling method?


When using Scapy's sniff method, what is the difference between using a filter at the sniff call level and filtering in the callback method passed to the sniff call? Is a filter more performant, for instance because it is passed to libpcap, but does that make a significant difference? Or are both more or less the same and more a question of personal preference?

Note: I'm using Scapy 2.45 on Linux with Python3 to sniff wireless packets.

Thank you!


Solution

  • If you're using the filter= keyword argument from sniff, you're passing a BPF filter. This string filter is compiled into a C object by libpcap, then passed to the socket. It is then used by the kernel directly, i.e. it is much, much more performant than filtering in the callback.

    This actually matters a lot when you're under heavy load: if you receive, for instance, 1 Go/s of packets, Scapy can't dissect that fast enough, so the socket it is using to receive those packets will have its buffer filled, and tons of packets will be dropped. On the other hand, if you're using a BPF "kernel-level" filter, only the filtered packets reach Scapy: that is a much more manageable packet stream.

    If you are not experiencing issues with packet drops though (low rates, etc.), it comes down to preference.