IJCSNS International Journal of Computer Science and Network Security, VOL.14 No.7, July 2014

Manuscript received July 5, 2014
Manuscript revised July 20, 2014

Performance Improvement of a Packet Filter by Filtering Compressed Packet

Archita Dad¹, Anil Saroliya²

¹ Student, Computer Science, Amity University, Rajasthan, India
² Assistant Professor, Computer Science, Amity University, Rajasthan, India

Abstract: The Internet is used as an extensive medium for communication. It has also increased unlawful activity, with terrorists and criminals using it to communicate information. For crime detection and prevention, law enforcement agencies need to keep up with the rising trends in these areas and need a tool to monitor network traffic. Such a tool is needed not only by law enforcement agencies but also by the commercial sector, so that companies can prevent their valuable data from falling into the hands of their competitors. Nowadays these tools are provided with network devices and are also available in the market, such as PickPacket, PKTD, JPCAP, NetXMS, etc. In these tools data can be filtered at 3 levels: by network parameters, by application-specific criteria and by content-specific criteria. To speed up transactions and for security reasons, data is used in compressed form on the Internet. At the content-specific level it is difficult to apply a string-searching algorithm to compressed data. This paper presents a solution to decompress HTTP data on the network.

Keywords: Pick-Packet, HTTP, TELNET, FTP, Compressed Data, gzip.

1. Introduction

In the last few decades the Internet has grown exponentially. Large volumes of data can be exchanged over the Internet. This has resulted in an ever-increasing need for effective tools that can monitor the network. The basic goal of network monitoring is to read packets from the network and analyze their content.

The introduction of this paper gives the basic idea of network monitoring tools and Pick-Packet. The second section describes the architecture and levels of Pick-Packet.
It also describes the working of Pick-Packet. The third section describes the application protocols supported by Pick-Packet, especially HTTP. After that, the need for compressed data and the process of filtering compressed data are discussed. The fifth section shows how compressed data can be filtered on the fly, and the last section shows the modifications needed after filtering compressed data on the fly. Finally, the conclusion of the paper is given.

Network monitoring tools are also known as sniffers. Sniffers have been used by law enforcement agencies for crime detection and prevention, and in unlawful activities to break into computers. Generally, sniffers work by putting the Network Interface Card into promiscuous mode. In this mode the Ethernet card listens to “all the traffic which is coming in”. If the Network Interface Card is not in promiscuous mode, it ignores all traffic that is not intended for it. Filtering can be done in two modes, on-line filtering and off-line filtering. On-line filtering is implemented in the kernel while the traffic is being captured. Off-line filtering is done after the captured data is stored on disk. However, sniffers can be rendered useless through the use of encryption mechanisms.

Several tools exist that can monitor network traffic. Usually such tools put the network card of a computer into “promiscuous mode”. This enables the computer to listen to the entire traffic on that subsection of the network. There can be an additional level of filtering of these packets based on the IP-related header data present in the packet. Usually such filtering specifies simple criteria for the IP addresses and ports present in the packet. Filtered packets are written to the disk. After that, offline analysis is done on these packets to gather the required information from them.
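The following Python sketch is an added example, not code from the paper or from Pick-Packet. It applies the three filtering levels described above (network parameters, application parsing, content search) to one HTTP response and shows that the keyword is found only after the gzip body is decompressed. The function names, watched address, keyword and sample response are all constructed for illustration.

```python
import gzip
import zlib

KEYWORD = b"wire transfer"      # constructed content-level search string
WATCHED = {("10.0.0.5", 80)}    # constructed (server IP, port) criterion
SAMPLE_PAGE = b"<html><body>" + b"<p>Confirm the wire transfer today.</p>" * 20 + b"</body></html>"

def build_response(body: bytes, compress: bool) -> bytes:
    """Construct a sample HTTP/1.1 response (constructed test data)."""
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if compress:
        body = gzip.compress(body)
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(headers) + b"\r\n\r\n" + body

def parse_http(payload: bytes):
    """Application level: split the header block from the body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def decode_body(headers, body: bytes) -> bytes:
    """Undo gzip Content-Encoding; keep the raw bytes if the stream is damaged."""
    if headers.get(b"content-encoding") in (b"gzip", b"x-gzip"):
        try:
            # wbits=31 selects the gzip container; cap output to bound memory use
            return zlib.decompressobj(wbits=31).decompress(body, 1 << 20)
        except zlib.error:
            return body
    return body

def matches(src_ip, src_port, payload, decompress=True) -> bool:
    """Network-parameter check, then application parsing, then content search."""
    if (src_ip, src_port) not in WATCHED:
        return False
    headers, body = parse_http(payload)
    if decompress:
        body = decode_body(headers, body)
    return KEYWORD in body

if __name__ == "__main__":
    pkt = build_response(SAMPLE_PAGE, compress=True)
    print("raw search:", matches("10.0.0.5", 80, pkt, decompress=False))
    print("after gunzip:", matches("10.0.0.5", 80, pkt))
```

Because a streaming decompressor is used, a body whose tail has not yet arrived still yields the text decoded so far, which is what an on-the-fly filter needs.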
[1] Pick-Packet is a monitoring tool that can filter packets across the network layer and application layer of the OSI network stack for selected applications. Criteria for filtering can be specified in the Pick-Packet Configuration File Generator for the network layer and the application layer, for applications like TELNET, SMTP, HTTP, FTP etc. It also supports real-time searching for text strings in application and packet content. Pick-Packet filters the packets according to the criteria specified in the configuration file and stores them for further processing.

A special provision has been made in the tool for two modes of capturing packets, depending on the granularity with which data has to be captured. These are the “PEN” mode and the “FULL” mode of operation. In the first mode it is only established that a packet corresponding to a particular criterion specified by the user was encountered, and the minimal information required for further detailed investigation is captured. In the second mode the data of such a packet is also captured. Judicious use of these features can help protect the privacy of innocent users. The packets dumped to the disk are analyzed in the offline mode. Post dump analysis makes available to the