Cloudflare has published xdpcap, a packet capture utility that accepts tcpdump/libpcap filter expressions and can process significantly more traffic on the same hardware. xdpcap can also be used for debugging where ordinary tcpdump is of no use: filtering, DoS-protection and load-balancing systems built on the Linux kernel's XDP subsystem, which processes packets at a stage before they reach the kernel networking stack, so tcpdump never sees the packets an XDP program drops.
The high performance comes from the eBPF and XDP subsystems. eBPF is a bytecode virtual machine built into the Linux kernel that lets you write fast handlers for incoming and outgoing packets, each handler deciding whether a packet is forwarded or dropped. A JIT compiler translates the eBPF bytecode into machine instructions on the fly, so the handler runs at native-code speed. The XDP (eXpress Data Path) subsystem complements eBPF by running BPF programs at the network driver level, with direct access to the DMA packet buffer, at a stage before the networking stack has allocated an skbuff for the packet.
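To make the "forward or drop before the stack sees it" decision concrete, here is an added example (not code from xdpcap or Cloudflare): a user-space model of an XDP packet handler written the way the eBPF verifier requires a real one to be, with every header bounds-checked against data_end before it is read. The kernel headers, the SEC("xdp") attribute and struct xdp_md are replaced by plain pointers so the logic runs stand-alone, and the blocking policy (UDP/53 from 198.51.100.0/24) is constructed for the example; the verdict constants use the values of the kernel's enum xdp_action.

```c
/* Added example: user-space model of an XDP drop filter. The parsing and
 * bounds-check style is what the eBPF verifier demands from a real XDP
 * program; kernel headers/struct xdp_md are replaced by plain pointers.
 * Policy, addresses and frames are constructed for the example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Values match the kernel's enum xdp_action. */
enum { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2 };

struct eth_hdr { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct ip4_hdr { uint8_t vhl, tos; uint16_t len, id, frag; uint8_t ttl, proto;
                 uint16_t csum; uint32_t saddr, daddr; } __attribute__((packed));
struct udp_hdr { uint16_t sport, dport, len, csum; } __attribute__((packed));

#define ETHERTYPE_IPV4 0x0800
#define PROTO_UDP 17
/* Constructed policy: drop UDP/53 from 198.51.100.0/24 (TEST-NET-2). */
#define BLOCKED_NET  0xc6336400u
#define BLOCKED_MASK 0xffffff00u
#define BLOCKED_PORT 53

/* Handler body. In a real XDP program data/data_end come from ctx->data and
 * ctx->data_end, and the return value is the verdict handed to the driver. */
static int xdp_decide(const uint8_t *data, const uint8_t *data_end)
{
    const struct eth_hdr *eth = (const struct eth_hdr *)data;
    if ((const uint8_t *)(eth + 1) > data_end)
        return XDP_ABORTED;                 /* truncated: never read past data_end */
    if (ntohs(eth->proto) != ETHERTYPE_IPV4)
        return XDP_PASS;

    const struct ip4_hdr *ip = (const struct ip4_hdr *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > data_end)
        return XDP_ABORTED;
    size_t ihl = (ip->vhl & 0x0f) * 4u;
    if ((ip->vhl >> 4) != 4 || ihl < sizeof *ip)
        return XDP_DROP;                    /* malformed IPv4 header */
    if (ip->proto != PROTO_UDP)
        return XDP_PASS;
    if (ntohs(ip->frag) & 0x1fff)
        return XDP_PASS;                    /* non-first fragment: no UDP header to inspect */

    const struct udp_hdr *udp = (const struct udp_hdr *)((const uint8_t *)ip + ihl);
    if ((const uint8_t *)(udp + 1) > data_end)
        return XDP_ABORTED;
    if (ntohs(udp->dport) == BLOCKED_PORT &&
        (ntohl(ip->saddr) & BLOCKED_MASK) == BLOCKED_NET)
        return XDP_DROP;                    /* dropped here, so tcpdump never sees it */
    return XDP_PASS;
}

/* Construct an Ethernet/IPv4/UDP frame with no payload; returns its length (42). */
static size_t build_udp_frame(uint8_t *buf, uint32_t saddr, uint16_t dport, uint16_t frag)
{
    struct eth_hdr *eth = (struct eth_hdr *)buf;
    struct ip4_hdr *ip = (struct ip4_hdr *)(eth + 1);
    struct udp_hdr *udp = (struct udp_hdr *)(ip + 1);
    memset(buf, 0, sizeof *eth + sizeof *ip + sizeof *udp);
    eth->proto = htons(ETHERTYPE_IPV4);
    ip->vhl = 0x45; ip->ttl = 64; ip->proto = PROTO_UDP;
    ip->frag = htons(frag);
    ip->len = htons(sizeof *ip + sizeof *udp);
    ip->saddr = htonl(saddr); ip->daddr = htonl(0xcb007101u);   /* 203.0.113.1 */
    udp->sport = htons(40000); udp->dport = htons(dport);
    udp->len = htons(sizeof *udp);
    return sizeof *eth + sizeof *ip + sizeof *udp;
}

/* Verdict for a constructed frame; truncate > 0 exposes only that many bytes. */
static int verdict_for(uint32_t saddr, uint16_t dport, uint16_t frag, size_t truncate)
{
    uint8_t buf[64];
    size_t len = build_udp_frame(buf, saddr, dport, frag);
    if (truncate && truncate < len) len = truncate;
    return xdp_decide(buf, buf + len);
}

int main(void)
{
    printf("UDP/53 from 198.51.100.7: %d (1 = XDP_DROP)\n", verdict_for(0xc6336407u, 53, 0, 0));
    printf("same frame truncated to 30 bytes: %d (0 = XDP_ABORTED)\n", verdict_for(0xc6336407u, 53, 0, 30));
    return 0;
}
```

The truncated-frame branch is the one the verifier cares about: an XDP program that reads a header without first comparing its end against data_end is rejected at load time, so the check is not optional defensive coding but part of the programming model.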
Like tcpdump, xdpcap first translates the high-level filter expression into the classic BPF representation (cBPF) using the standard libpcap library, and then converts that into an eBPF routine using the compiler
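What "the classic BPF representation" looks like in practice, as an added example (not libpcap's or xdpcap's code): a minimal cBPF interpreter run over constructed Ethernet frames, executing a hand-written equivalent of the program libpcap emits for `tcp dst port 80` on an Ethernet link. The program is restricted to IPv4 (libpcap's real output also handles IPv6) and uses a mnemonic enum in place of the kernel's numeric opcodes; jump offsets are relative to the next instruction, as in struct sock_filter. All frames are constructed for the example.

```c
/* Added example: a small classic-BPF (cBPF) interpreter plus a hand-written
 * equivalent of libpcap's program for "tcp dst port 80" (IPv4 only, mnemonic
 * opcodes instead of the kernel's numeric encoding). Frames are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum op { LDH_ABS, LDB_ABS, LDH_IND, LDX_MSH, JEQ, JSET, RET };

/* One instruction; jt/jf are offsets relative to the next instruction. */
struct insn { enum op op; uint8_t jt, jf; uint32_t k; };

static const struct insn tcp_dst_port_80[] = {
    { LDH_ABS, 0, 0, 12 },      /* 0: A = ethertype                        */
    { JEQ,     0, 7, 0x0800 },  /* 1: not IPv4 -> 9 (reject)               */
    { LDB_ABS, 0, 0, 23 },      /* 2: A = IP protocol                      */
    { JEQ,     0, 5, 6 },       /* 3: not TCP -> 9                         */
    { LDH_ABS, 0, 0, 20 },      /* 4: A = flags/fragment offset            */
    { JSET,    3, 0, 0x1fff },  /* 5: non-first fragment -> 9              */
    { LDX_MSH, 0, 0, 14 },      /* 6: X = 4*IHL, the IP header length      */
    { LDH_IND, 0, 0, 16 },      /* 7: A = halfword at X+16 = TCP dst port  */
    { JEQ,     1, 0, 80 },      /* 8: match -> 10 (accept), else -> 9      */
    { RET,     0, 0, 0 },       /* 9: reject                               */
    { RET,     0, 0, 262144 },  /* 10: accept; k = bytes to capture        */
};

/* Run prog over pkt and return the RET value. An out-of-bounds load ends the
 * program with 0 (reject), as the kernel's cBPF engine does. */
static uint32_t cbpf_run(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0, off;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *in = &prog[pc];
        switch (in->op) {
        case LDH_ABS: off = in->k;
            if (off + 2 > len) return 0;
            A = (uint32_t)pkt[off] << 8 | pkt[off + 1]; break;
        case LDB_ABS: off = in->k;
            if (off + 1 > len) return 0;
            A = pkt[off]; break;
        case LDH_IND: off = X + in->k;
            if (off + 2 > len) return 0;
            A = (uint32_t)pkt[off] << 8 | pkt[off + 1]; break;
        case LDX_MSH: off = in->k;          /* "ldx 4*([k]&0xf)" */
            if (off + 1 > len) return 0;
            X = 4u * (pkt[off] & 0x0f); break;
        case JEQ:  pc += (A == in->k) ? in->jt : in->jf; break;
        case JSET: pc += (A & in->k) ? in->jt : in->jf; break;
        case RET:  return in->k;
        }
    }
    return 0;                               /* fell off the end: reject */
}

/* Construct an Ethernet/IPv4 frame followed by a 20-byte transport header.
 * ihl_words is the IP header length in 32-bit words (5 = no options). */
static size_t build_frame(uint8_t *buf, uint8_t proto, uint8_t ihl_words, uint16_t frag, uint16_t dport)
{
    size_t iplen = ihl_words * 4u, n = 14;
    memset(buf, 0, n + iplen + 20);
    buf[12] = 0x08; buf[13] = 0x00;                 /* ethertype IPv4 */
    buf[n] = (uint8_t)(0x40 | ihl_words);           /* version 4, IHL */
    buf[n + 6] = (uint8_t)(frag >> 8); buf[n + 7] = (uint8_t)frag;
    buf[n + 8] = 64; buf[n + 9] = proto;
    n += iplen;
    buf[n + 2] = (uint8_t)(dport >> 8); buf[n + 3] = (uint8_t)dport;  /* dst port */
    return n + 20;
}

/* Filter verdict for a constructed frame; truncate > 0 presents only that many bytes. */
static uint32_t verdict(uint8_t proto, uint8_t ihl_words, uint16_t frag, uint16_t dport, size_t truncate)
{
    uint8_t buf[128];
    size_t len = build_frame(buf, proto, ihl_words, frag, dport);
    if (truncate && truncate < len) len = truncate;
    return cbpf_run(tcp_dst_port_80, sizeof tcp_dst_port_80 / sizeof *tcp_dst_port_80, buf, len);
}

int main(void)
{
    printf("tcp dport 80:            %u\n", verdict(6, 5, 0, 80, 0));
    printf("tcp dport 80, IP options: %u\n", verdict(6, 6, 0, 80, 0));
    printf("udp dport 80:            %u\n", verdict(17, 5, 0, 80, 0));
    return 0;
}
```

The IHL-dependent load (instructions 6 and 7) is why a port filter cannot be a fixed byte compare, and it is exactly this kind of indexed load that a cBPF-to-eBPF translator has to turn into a bounds-checked pointer arithmetic sequence the eBPF verifier will accept.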
Source: opennet.ru