doc: expand on bpf

doc/userguide/performance/ignoring-traffic.rst

@@ -1,9 +1,10 @@
 Ignoring Traffic
 ================
 
-In some cases there are reasons to ignore certain traffic. Maybe a
+In some cases there are reasons to ignore certain traffic. Certain hosts
-trusted host or network, or a site. This document lists some
+may be trusted, or perhaps a backup stream should be ignored.
-strategies for ignoring traffic.
+
+This document lists some strategies for ignoring traffic.
 
 capture filters (BPF)
 ---------------------
@@ -15,6 +16,25 @@ filter 'tcp' will only send tcp packets.
 If some hosts and or nets need to be ignored, use something like "not
 (host IP1 or IP2 or IP3 or net NET/24)".
 
+Example::
+
+    not host 1.2.3.4
+
+Capture filters are specified on the commandline after all other options::
+
+    suricata -i eth0 -v not host 1.2.3.4
+    suricata -i eno1 -c suricata.yaml tcp or udp
+
+Capture filters can be set per interface in the pcap, af-packet, netmap
+and pf_ring sections. It can also be put in a file::
+
+    echo "not host 1.2.3.4" > capture-filter.bpf
+    suricata -i ens5f0 -F capture-filter.bpf
+
+Using a capture filter limits what traffic Suricata processes. So the
+traffic not seen by Suricata will not be inspected, logged or otherwise
+recorded.
+
 pass rules
 ----------
 
@@ -28,7 +48,7 @@ Example:
 
   pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:1;)
 
-A big difference with capture filters is that logs such as http.log
+A big difference with capture filters is that logs such as Eve or http.log
 are still generated for this traffic.
 
 suppress