Tag data structure for maintaining relational data over captured objects
First Claim
1. A data structure to index an object captured during transmission from an origination address to a destination address, the data structure comprising:
a source address field to indicate an origination address of the object;
a destination address field to indicate a destination address of the object;
a source port field to indicate an origination port of the object;
a destination port field to indicate a destination port of the object;
a content field to indicate a content type from a plurality of content types identifying a type of content contained in the object; and
a time field to indicate when the object was captured.
Abstract
Objects captured over a network by a capture system can be indexed to provide enhanced search and content analysis capabilities. In one embodiment the objects can be indexed using a data structure having a source address field to indicate an origination address of the object, a destination address field to indicate a destination address of the object, a source port field to indicate an origination port of the object, a destination port field to indicate a destination port of the object, a content field to indicate a content type from a plurality of content types identifying a type of content contained in the object, and a time field to indicate when the object was captured. The data structure may also store a cryptographic signature of the object to ensure the object is not altered after capture.
25 Claims

1. A data structure to index an object captured during transmission from an origination address to a destination address, the data structure comprising:
a source address field to indicate an origination address of the object;
a destination address field to indicate a destination address of the object;
a source port field to indicate an origination port of the object;
a destination port field to indicate a destination port of the object;
a content field to indicate a content type from a plurality of content types identifying a type of content contained in the object; and
a time field to indicate when the object was captured.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)

14. A tag storing relational data over an object captured by a capture system, the relational data comprising:
an Ethernet controller MAC address of the capture system that captured the object;
a source Ethernet IP address of the object;
a destination Ethernet IP address of the object;
a source TCP/IP port number of the object;
a destination TCP/IP port number of the object;
an IP protocol that carried the object when captured by the capture system;
a canonical count of a number of the object within a TCP/IP connection;
a content type of the object;
an encoding that was used on the object;
the size of the object;
a timestamp indicating when the capture system captured the object;
a user who requested capture of the object;
a capture rule that directed capture of the object;
a hash signature of the object; and
a hash signature of the tag.
(Dependent claims: 15, 16, 17)

18. A method comprising:
searching a plurality of tags, each tag indexing an object captured during transmission from an origination address to a destination address, the search using one or more of a plurality of tag fields, the tag fields comprising a source address field to indicate an origination address of the object, a destination address field indicating a destination address of the object, a source port field indicating an origination port of the object, a destination port field indicating a destination port of the object, a content field indicating a content type from a plurality of content types identifying a type of content contained in the object, and a time field indicating when the object was captured.
(Dependent claims: 19, 20)

21. A method comprising:
searching a tag database using one or more search criteria, the search resulting in at least one tag;
verifying the tag using a cryptographic tag signature;
retrieving an object indexed by the tag;
verifying the object using a cryptographic signature of the object; and
(Dependent claims: 22, 23, 24, 25)

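A worked example of the tag data structure and the search-then-verify flow of claims 14, 18 and 21, added here and not taken from the patent. It assumes the capture system holds a secret key, so HMAC-SHA256 stands in for the claims' "hash signature", and it carries a representative subset of the claim-14 fields.

```python
import hashlib, hmac, json
from dataclasses import dataclass, asdict

# Assumption (not in the patent): the capture system holds a secret key, so a
# keyed hash (HMAC-SHA256) stands in for the claims' "hash signature".
CAPTURE_KEY = b"constructed-capture-system-key"

def signature(data: bytes) -> str:
    return hmac.new(CAPTURE_KEY, data, hashlib.sha256).hexdigest()

@dataclass
class Tag:                  # representative subset of the claim-14 fields
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    content_type: str
    size: int
    timestamp: int
    object_sig: str         # hash signature of the object
    tag_sig: str = ""       # hash signature of the tag, over every other field
    def signed_body(self) -> bytes:
        fields = asdict(self)
        fields.pop("tag_sig")
        return json.dumps(fields, sort_keys=True).encode()

OBJECT_STORE: dict = {}     # object_sig -> captured bytes
TAG_DB: list = []

def capture(obj: bytes, **meta) -> Tag:
    """Index a captured object: sign the object first, then sign the tag."""
    tag = Tag(**meta, size=len(obj), object_sig=signature(obj))
    tag.tag_sig = signature(tag.signed_body())
    OBJECT_STORE[tag.object_sig] = obj
    TAG_DB.append(tag)
    return tag

def search(**criteria) -> list:
    """Claim 18: match tags on any combination of tag fields."""
    return [t for t in TAG_DB if all(getattr(t, k) == v for k, v in criteria.items())]

def retrieve_verified(tag: Tag):
    """Claim 21: verify the tag, retrieve the object, verify the object; None on any failure."""
    if not hmac.compare_digest(tag.tag_sig, signature(tag.signed_body())):
        return None
    obj = OBJECT_STORE.get(tag.object_sig)
    if obj is None or not hmac.compare_digest(tag.object_sig, signature(obj)):
        return None
    return obj

# Constructed sample captures: two objects from one host to one server.
capture(b"GET /index.html HTTP/1.1", src_ip="10.0.0.5", dst_ip="10.0.0.9",
        src_port=50123, dst_port=80, content_type="text/html", timestamp=1700000000)
capture(b"%PDF-1.7 constructed sample", src_ip="10.0.0.5", dst_ip="10.0.0.9",
        src_port=50124, dst_port=443, content_type="application/pdf", timestamp=1700000060)
```

Because the tag signature covers the object signature, altering either the stored object or any tag field makes `retrieve_verified` return None; a plain unkeyed hash would not give this property, since whoever can alter the store could recompute it.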
Specification