Definition/Description of packet pre filters

October 13, 2009 at 07:32:12
Specs: Windows XP, Unknown
I am learning more about the cPacket deep packet analyzer/packet sniffer. The device uses an output filter, which I understand can filter incoming IP packets based on IP source address, destination address, keyword, phone number, etc. The device also has a pre filter, which I understand is used to speed up the entire packet sniffing process.

My question is, what is a packet pre filter? As far as I can tell, it is the exact same thing as an output filter. Is this true? If so, why have two of the same filters?

If possible, can someone define and/or describe what is a pre filter in the context of packet sniffers?

Thanks.




#1
October 13, 2009 at 07:34:15
Unless someone here uses that device and can tell you, your best bet is to contact the manufacturer and ask them.


#2
October 13, 2009 at 07:38:06
Unfortunately, cPacket is very, very slow to respond (typically, at least 3-4 days). I believe packet pre filtering is a common feature of packet sniffers and other network devices. So, I'm hoping someone knows what this is, even if the definition/description doesn't apply to this specific device.

Thanks.



#3
October 13, 2009 at 07:44:25
Well, I don't use a device to packet sniff. I use wireshark. So I can't help you.

I'm surprised the documentation doesn't explain. It makes no sense to build a device and then not document all the features.

Are you sure you've read the docs thoroughly?



#4
October 13, 2009 at 07:48:41
I have read the document thoroughly. It's actually only 16 pages and only discusses the output filter. You'd think they would also discuss pre filters, but unfortunately, they don't.

So, I'm posting my question on a number of forums, hoping that someone will know the answer. Otherwise, I'll just have to keep asking cPacket until I can get an answer.

Thanks.



#5
October 13, 2009 at 07:50:26
I was about to say the same thing. Most IT people use WinPCap and the software that works with WinPCap like WireShark. In WireShark there is the ability to filter packets by type like if you only wanted to get ARP packets then you can setup a filter.

My best guess is that your sniffer's pre-packet filtering is the same thing. Not sure though.



#6
October 13, 2009 at 07:59:44
I just received a reply on another forum that I think explains what the pre filter and output filter are.

A pre filter (capture filter) affects what is captured and recorded. The output filter, however, determines what is displayed to the user.

This makes sense, is straightforward, and explains why adding a pre filter speeds up the entire packet sniffing/analyzing process.



#7
October 13, 2009 at 09:00:06
A pre filter (capture filter) affects what is captured and recorded. The output filter, however, determines what is displayed to the user.

Makes sense and aligns with what Ace said:

In WireShark there is the ability to filter packets by type like if you only wanted to get ARP packets then you can setup a filter.

My best guess is that your sniffers pre-packet filtering is the same thing. Not sure though.

I never bother with filtering beforehand. I usually search the capture for specific types when I'm going through it later. I find this beneficial if I end up running it through tcpdump on my unix box or have to send the capture to our security guy who uses only unix.

I'm really curious what this packet sniffing device you bought is worth. Any chance you'd give me a ballpark figure on the cost of this 'not properly documented' device?


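The distinction in #6 (a pre filter decides what gets recorded, an output filter decides what gets shown) and the trade-off in #7 (an unfiltered capture can still answer questions you did not think of at capture time), as an added simulation that is not part of this thread and has nothing to do with the cPacket device itself. The Packet class, the traffic list and the filter functions are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Packet:
    """Minimal stand-in for a captured frame (constructed, not a real capture)."""
    src: str
    dst: str
    proto: str   # "ARP", "TCP" or "UDP"
    payload: str


# Constructed sample traffic on a small LAN; 192.0.2.10 is a documentation address.
TRAFFIC: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.1", "ARP", "who-has 10.0.0.1"),
    Packet("10.0.0.1", "10.0.0.5", "ARP", "reply 10.0.0.1 is-at aa:bb"),
    Packet("10.0.0.5", "192.0.2.10", "TCP", "GET / HTTP/1.1"),
    Packet("192.0.2.10", "10.0.0.5", "TCP", "HTTP/1.1 200 OK"),
    Packet("10.0.0.7", "10.0.0.1", "UDP", "DNS query"),
    Packet("10.0.0.5", "10.0.0.1", "UDP", "DNS query"),
]

Filter = Optional[Callable[[Packet], bool]]


def capture(packets: List[Packet], pre_filter: Filter = None) -> List[Packet]:
    """Pre filter (capture filter): packets that fail it are never stored,
    which is why it saves disk and CPU, and why it is irreversible."""
    return [p for p in packets if pre_filter is None or pre_filter(p)]


def display(stored: List[Packet], output_filter: Filter = None) -> List[Packet]:
    """Output filter (display filter): applied to the stored buffer on every
    view; the buffer itself is untouched and can be re-queried later."""
    return [p for p in stored if output_filter is None or output_filter(p)]


def is_arp(p: Packet) -> bool:
    return p.proto == "ARP"


def tcp_from_client(p: Packet) -> bool:
    """A second question, asked only after the capture has finished."""
    return p.proto == "TCP" and p.src == "10.0.0.5"


def compare() -> dict:
    """Same first question (ARP only) answered both ways, then a new question."""
    prefiltered = capture(TRAFFIC, is_arp)      # 2 packets ever recorded
    full = capture(TRAFFIC)                     # all 6 packets recorded
    return {
        "stored_prefiltered": len(prefiltered),
        "stored_full": len(full),
        "arp_via_display_filter": len(display(full, is_arp)),
        "later_question_prefiltered": len(display(prefiltered, tcp_from_client)),
        "later_question_full": len(display(full, tcp_from_client)),
    }
```

Both routes show the same two ARP packets, but only the unfiltered buffer can still answer the later TCP question, which is the cost #7 is avoiding by filtering afterwards.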

#8
October 13, 2009 at 09:04:15
Unfortunately, though it's a commercial product, I can't provide any information. The only recommendation I can make is that you contact the company directly for more information. Their web site is:

http://www.cpacket.com



#9
October 13, 2009 at 10:28:50
Well, I'm not interested in the sense of wanting to purchase one (wireshark is free) so I was just curious as to how much $$$ you guys wasted......errrr......spent on it.


#10
October 13, 2009 at 10:36:38
I understand. But, I really can't share that information. You can probably contact cPacket and ask them for a ballpark figure without asking for a price quote, just for informational purposes. I don't think they sell through distributors, so the only alternative I can think of is to search online to see if any magazine/journal articles mentions the price range.

The best I can say is that it is an appliance, uses their proprietary chips, and their bottom-line model has a 1 Gbit/s throughput. They also sell a 10 Gbit/s throughput model, and are starting to sell a 40 Gbit/s model. They also allow you to customize units with different modules and also sell a card version that you can plug into a server. Based on that info, you can probably guess they aren't cheap. In fact, I'd say that the 40 Gbit/s model may be somewhere between $75k and $100k before you add support. But beyond that, I'd have to refer you to the company or the Internet for more information.



#11
October 13, 2009 at 12:11:06
I understand. But, I really can't share that information

Oh, you signed a non-disclosure contract with the vendor? LOL

I'm sorry, I don't mean to laugh but I have a hard time believing you can't say what it cost (ballpark). I understand not wanting to.

No worries, you can keep your state secret safe, I'm not that interested.



#12
October 13, 2009 at 12:11:40
It might not have been a waste. Wireshark still has no Intrusion Prevention built in, just Intrusion Detection. If your system came with triggers for specific packet patterns to allow you to do Intrusion Prevention then it may have been worth it. With Wireshark you still need to sift through the logs to identify hacks on the system, which if you don't have a red team can take a painful amount of time.

That being said, Wireshark still has its place in pen testing. I use it in conjunction with Cain and Abel, which also uses the WinPcap suite, when trying pen testing on my system.

