by ithkuil 4127 days ago
1) Performance. Zero copy ("The kernel writes them from the NIC to shared memory, then the kernel uses that same shared memory for O_DIRECT writes to disk. The packets transit the bus twice and are never copied from RAM to RAM."). Parallelism.

2) Disk management. Rotates old data, etc.

3) Indexing, and support for efficient retrieval while writing.

It allows analysing the traffic after the fact, at 10Gbps line speed.
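To make point 3 concrete (an index maintained while packets are still being appended, so that a later query can seek straight to the matching records), here is a small added example. It is not Stenographer's code and does not reproduce its on-disk index format; it uses a plain pcap file plus an in-memory dictionary of record offsets keyed by source IP, and the frames it stores are constructed test data with zeroed checksums.

```python
"""Write pcap records and index them by source IPv4 address as they are written.

Added illustration of "index while writing, retrieve after the fact"; it is not
Stenographer's implementation or file format.
"""
import io
import socket
import struct

# Standard pcap global header: magic, version 2.4, zone 0, sigfigs 0,
# snaplen 65535, LINKTYPE_ETHERNET (1).
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
PCAP_RECORD_HDR = struct.Struct("<IIII")  # ts_sec, ts_usec, incl_len, orig_len
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = b"\x08\x00"


def build_packet(src_ip, dst_ip, payload):
    """Construct a minimal Ethernet + IPv4/UDP-marked frame (constructed data,
    checksums left at zero; good enough for indexing, not for transmission)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + ETHERTYPE_IPV4
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
    )
    return eth + ip + payload


class IndexedPcapStore:
    """Append-only pcap writer that keeps a src-IP -> [record offset] index."""

    def __init__(self, fileobj):
        self.f = fileobj  # any seekable read/write binary file object
        self.f.write(PCAP_GLOBAL_HDR)
        self.index = {}
        self.count = 0

    def append(self, ts_sec, ts_usec, frame):
        """Write one record and index it; returns the record's byte offset."""
        offset = self.f.tell()
        self.f.write(PCAP_RECORD_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)))
        self.f.write(frame)
        self.count += 1
        # Only IPv4 frames are indexed; anything else is stored but not keyed.
        if frame[12:14] == ETHERTYPE_IPV4 and len(frame) >= ETH_HDR_LEN + 20:
            src = socket.inet_ntoa(frame[ETH_HDR_LEN + 12:ETH_HDR_LEN + 16])
            self.index.setdefault(src, []).append(offset)
        return offset

    def query_by_src(self, src_ip):
        """Seek to each indexed record for src_ip and return (ts_sec, ts_usec, frame).

        Reading happens on the same open file while writing continues; the
        position is restored to the end so later appends are not clobbered."""
        results = []
        for off in self.index.get(src_ip, []):
            self.f.seek(off)
            ts_sec, ts_usec, incl_len, _ = PCAP_RECORD_HDR.unpack(self.f.read(PCAP_RECORD_HDR.size))
            results.append((ts_sec, ts_usec, self.f.read(incl_len)))
        self.f.seek(0, io.SEEK_END)
        return results


def demo():
    """Store three constructed packets in memory, then query in between writes."""
    store = IndexedPcapStore(io.BytesIO())
    store.append(1000, 0, build_packet("10.0.0.1", "10.0.0.2", b"hello"))
    store.append(1000, 500, build_packet("10.0.0.9", "10.0.0.2", b"other"))
    # A query issued while the capture is still "live" sees only what is written so far.
    early = store.query_by_src("10.0.0.1")
    store.append(1001, 0, build_packet("10.0.0.1", "10.0.0.3", b"again"))
    late = store.query_by_src("10.0.0.1")
    return store, early, late


if __name__ == "__main__":
    s, early, late = demo()
    print(f"{s.count} records written, {len(early)} then {len(late)} matches for 10.0.0.1")
```

A real capture-to-disk tool would persist the index alongside the data and rotate both together (point 2), but the shape is the same: the index costs a dictionary insert per packet on the write path, and a query never has to scan the capture file.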


You can get zero-copy for tcpdump with PF_RING or netmap.
I'm aware of libpcap's ability to share memory with a user buffer, but I didn't find any mention that the tcpdump utility is actually written to exploit it for extra fast writes.

Look here at how they handle this in stenographer: https://github.com/google/stenographer/blob/65fb928e6bce276c...

I guess that in principle they could have patched tcpdump, but it's probably easier to have a smaller piece of software written to do exactly what you want rather than extend a general-purpose, mature, complex tool such as tcpdump.