Tag data structure for maintaining relational data over captured objects
Abstract
Objects captured over a network by a capture system can be indexed to provide enhanced search and content analysis capabilities. In one embodiment the objects can be indexed using a data structure having a source address field to indicate an origination address of the object, a destination address field to indicate a destination address of the object, a source port field to indicate an origination port of the object, a destination port field to indicate a destination port of the object, a content field to indicate a content type from a plurality of content types identifying a type of content contained in the object, and a time field to indicate when the object was captured. The data structure may also store a cryptographic signature of the object to ensure the object is not altered after capture.
19 Claims
1. A computer readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
generating a tag describing an object of a communication captured during transmission of the communication from an origination address to a destination address, extracted from the communication, and stored in a memory block, wherein the tag includes, a source address field to indicate an origination address of the object, a destination address field to indicate a destination address of the object, a source port field to indicate an origination port of the object, a destination port field to indicate a destination port of the object, a content field to indicate a content type from a plurality of content types identifying a type of content contained in the object, and a time field to indicate when the object was captured; and storing the tag in a database, wherein the tag indexes the object in the memory block, the tag being stored to allow subsequent searching for the object based on one or more of the fields, wherein the fields are obtained from the communication, and wherein the object is part of a document captured based on a capture rule that defines which objects are to be captured, wherein the capture rule is part of a default rule set for a capture system configured to monitor network traffic, and wherein a determination is made based on the capture rule to discard or to store the document, and wherein the capture rule identifies a first internet protocol (IP) address from which the document was sent and a second IP address associated with an intended destination of the document. (Dependent claims 2 to 13 not shown.)
14. A computer readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
storing data associated with an object of a communication captured during transmission of the communication from an origination address to a destination address, extracted from the communication, and stored in a memory block by a capture system to create a tag that indexes the object in the memory block, the data comprising: an Ethernet controller MAC address of the capture system that captured the object; a source Ethernet IP address of the object; a destination Ethernet IP address of the object; a source TCP/IP port number of the object; a destination TCP/IP port number of the object; an IP protocol that carried the object when captured by the capture system; a canonical count of a number of the object within a TCP/IP connection; a content type of the object; an encoding that was used on the object; a size of the object; a timestamp indicating when the capture system captured the object; a user who requested capture of the object; a capture rule that directed capture of the object; a hash signature of the object; and a hash signature of the tag, the tag being stored to allow subsequent searching for the object based on one or more of the fields, wherein the IP addresses are obtained from the communication, and wherein the object is part of a document captured based on a capture rule that defines which objects are to be captured, wherein the capture rule is part of a default rule set for the capture system configured to monitor network traffic, and wherein a determination is made based on the capture rule to discard or to store the document, and wherein the capture rule identifies a first internet protocol (IP) address from which the document was sent and a second IP address associated with an intended destination of the document. (Dependent claims 15 to 17 not shown.)
18. A method to index a captured object, comprising:
generating for storage of objects of a communication captured during transmission of the communication from an origination address to a destination address, extracted from the communication, and stored in a memory block; a source address field to indicate an origination address of the object; a destination address field to indicate a destination address of the object; a source port field to indicate an origination port of the object; a destination port field to indicate a destination port of the object; a content field to indicate a content type from a plurality of content types identifying a type of content contained in the object; and a time field to indicate when the object was captured; and storing data in the fields to create a tag, the tag indexing the objects in the memory block, the tag being stored to allow subsequent searching for the objects based on one or more of the fields, wherein the fields are obtained from the communication, and wherein the object is part of a document captured based on a capture rule that defines which objects are to be captured, wherein the capture rule is part of a default rule set for a capture system configured to monitor network traffic, and wherein a determination is made based on the capture rule to discard or to store the document, and wherein the capture rule identifies a first internet protocol (IP) address from which the document was sent and a second IP address associated with an intended destination of the document.
19. A method to index a captured object, comprising:
storing data associated with an object of a communication captured during transmission of the communication from an origination address to a destination address, extracted from the communication, and stored in a memory block by a capture system to create a tag indexing the object in the memory block, the data comprising: an Ethernet controller MAC address of the capture system that captured the object; a source Ethernet IP address of the object; a destination Ethernet IP address of the object; a source TCP/IP port number of the object; a destination TCP/IP port number of the object; an IP protocol that carried the object when captured by the capture system; a canonical count of a number of the object within a TCP/IP connection; a content type of the object; an encoding that was used on the object; a size of the object; a timestamp indicating when the capture system captured the object; a user who requested capture of the object; a capture rule that directed capture of the object; a hash signature of the object; and a hash signature of the tag, the tag being stored to allow subsequent searching for the object based on one or more of the fields, wherein the IP addresses are obtained from the communication, and wherein the object is part of a document captured based on a capture rule that defines which objects are to be captured, wherein the capture rule is part of a default rule set for the capture system configured to monitor network traffic, and wherein a determination is made based on the capture rule to discard or to store the document, and wherein the capture rule identifies a first internet protocol (IP) address from which the document was sent and a second IP address associated with an intended destination of the document.