Abstract: A system and method for capturing objects and balancing systems resources in a capture system are described. An object is captured, metadata associated with the objected generated, and the object and metadata stored.

Abstract: A file system can be provided in a capture system to efficiently read and write captured objects. In one embodiment, such a file system includes a plurality of queues to queue captured objects to be written to a disk, each queue being associated with one of a plurality of object types, and each queue containing captured objects of the type associated with each queue. A scheduler can be provided to select one of the plurality of queues, and a block manager to select a partition of a disk, the partition being associated with the object type of the captured objects in the selected queue. A disk controller configured to write contiguous blocks of data from the selected queue to the selected partition is connected to the block manager to enable writing to a disk.

Abstract: Packets can be read from a network interface into an application using a single kernel copy. In one embodiment, the invention includes a receiver packet memory to store captured packets, and a network interface driver operating in a kernel of a device to read packets captured by network interface hardware into the kernel by storing captured packets in the receiver packet memory. Then, an application interface can expose the receiver packet memory to an application executing on the device by representing the receiver packet memory as a virtual file.

Abstract: Objects captured over a network by a capture system can be indexed to provide enhanced search and content analysis capabilities. In one embodiment the objects can be indexed using a data structure having a source address field to indicate an origination address of the object, a destination address field to indicate a destination address of the object, a source port field to indicate an origination port of the object, a destination port field to indicate a destination port of the object, a content field to indicate a content type from a plurality of content types identifying a type of content contained in the object, and a time field to indicate when the object was captured. The data structure may also store a cryptographic signature of the object to ensure the object is not altered after capture.

Abstract: Objects can be extracted from data flows captured by a capture device. Each captured object can then be classified according to content. Meta-data about captured objects can be stored in a tag. In one embodiment, the present invention includes receiving a request to present a previously captured object to a user, accessing a tag associated with the requested object, the tag containing metadata related to the object, the metadata including an object signature, and verifying that the object has not been altered since capture using the object signature before presenting the object to the user.

Abstract: A document accessible over a network can be registered. A registered document, and the content contained therein, cannot be transmitted undetected over and off of the network. In one embodiment, the invention includes maintaining a plurality of stored signatures, each signature being associated with one of a plurality of registered documents, intercepting an object being transmitted over a network, calculating a set of signatures associated with the intercepted object, and comparing the set of signatures with the plurality of stored signatures. In one embodiment, the invention can further include detecting registered content from the registered document being contained in the intercepted object, if the comparison results in a match of at least one of the signatures in the set of signatures with one or more of the plurality of stored signatures.

Abstract: Objects can be extracted from data flows captured by a capture device. Each captured object can then be classified according to content. Meta-data about captured objects can be stored in a tag. In one embodiment, the present invention includes receiving a request to present a previously captured object to a user, accessing a tag associated with the requested object, the tag containing metadata related to the object, the metadata including an object signature, and verifying that the object has not been altered since capture using the object signature before presenting the object to the user.

Abstract: A tag database storing tags indexing captured object can be searched efficiently. In one embodiment, such a search begins by receiving a query for one or more objects captured by a capture system, and determining whether a query time range exceeds a time range of a set of fast tables. In one embodiment, the invention further includes searching the set of fast tables if the query time range does not exceed the time range of the fast tables, the set of fast tables containing tags having meta-data related to captured objects. In one embodiment, the invention further includes searching a set of hourly tables if the query time range does exceed the time range of the fast tables. In one embodiment, the present invention further includes searching a set of daily tables if the query time range also exceeds the time range of the hourly tables.

Abstract: A tag database storing tags indexing captured object can be searched efficiently. In one embodiment, such a search begins by receiving a query for one or more objects captured by a capture system, and determining whether a query time range exceeds a time range of a set of fast tables. In one embodiment, the invention further includes searching the set of fast tables if the query time range does not exceed the time range of the fast tables, the set of fast tables containing tags having meta-data related to captured objects. In one embodiment, the invention further includes searching a set of hourly tables if the query time range does exceed the time range of the fast tables. In one embodiment, the present invention further includes searching a set of daily tables if the query time range also exceeds the time range of the hourly tables.

Abstract: A document accessible over a network can be registered. A registered document, and the content contained therein, cannot be transmitted undetected over and off of the network. In one embodiment, the invention includes maintaining a plurality of stored signatures over a registered document. In one embodiment, the plurality of stored signatures are generated by extracting content from the document, normalizing the extracted content, and generating the plurality of signatures using the normalized content.

Abstract: A system and method for capturing objects and balancing systems resources in a capture system are described. An object is captured, metadata associated with the objected generated, and the object and metadata stored.

Abstract: Packets can be read from a network interface into an application using a single kernel copy. In one embodiment, the invention includes a receiver packet memory to store captured packets, and a network interface driver operating in a kernel of a device to read packets captured by network interface hardware into the kernel by storing captured packets in the receiver packet memory. Then, an application interface can expose the receiver packet memory to an application executing on the device by representing the receiver packet memory as a virtual file.

Abstract: A file system can be provided in a capture system to efficiently read and write captured objects. In one embodiment, such a file system includes a plurality of queues to queue captured objects to be written to a disk, each queue being associated with one of a plurality of object types, and each queue containing captured objects of the type associated with each queue. A scheduler can be provided to select one of the plurality of queues, and a block manager to select a partition of a disk, the partition being associated with the object type of the captured objects in the selected queue. A disk controller configured to write contiguous blocks of data from the selected queue to the selected partition is connected to the block manager to enable writing to a disk.

Abstract: A tag database storing tags indexing captured object can be searched efficiently. In one embodiment, such a search begins by receiving a query for one or more objects captured by a capture system, and determining whether a query time range exceeds a time range of a set of fast tables. In one embodiment, the invention further includes searching the set of fast tables if the query time range does not exceed the time range of the fast tables, the set of fast tables containing tags having meta-data related to captured objects. In one embodiment, the invention further includes searching a set of hourly tables if the query time range does exceed the time range of the fast tables. In one embodiment, the present invention further includes searching a set of daily tables if the query time range also exceeds the time range of the hourly tables.

Abstract: A document accessible over a network can be registered. A registered document, and the content contained therein, cannot be transmitted undetected over and off of the network. In one embodiment, the invention includes maintaining a plurality of stored signatures over a registered document. In one embodiment, the plurality of stored signatures are generated by extracting content from the document, normalizing the extracted content, and generating the plurality of signatures using the normalized content.

Abstract: Objects can be extracted from data flows captured by a capture device. Each captured object can then be classified according to content. Meta-data about captured objects can be stored in a tag. In one embodiment, the present invention includes receiving a request to present a previously captured object to a user, accessing a tag associated with the requested object, the tag containing metadata related to the object, the metadata including an object signature, and verifying that the object has not been altered since capture using the object signature before presenting the object to the user.

Abstract: Content leaving a local network can be captured and indexed so that queries can be performed on the captured data. In one embodiment, the present invention comprises an apparatus that connects to a network. In one embodiment, this apparatus includes a network interface module to connect the apparatus to a network, a packet capture module to intercept packets being transmitted on the network, an object assembly module to reconstruct objects being transmitted on the network from the intercepted packets, an object classification module to determine the content in the reconstructed objects, and an object store module to store the objects. This apparatus can also have a user interface to enable a user to search objects stored in the object store module.

Abstract: Objects captured over a network by a capture system can be indexed to provide enhanced search and content analysis capabilities. In one embodiment the objects can be indexed using a data structure having a source address field to indicate an origination address of the object, a destination address field to indicate a destination address of the object, a source port field to indicate an origination port of the object, a destination port field to indicate a destination port of the object, a content field to indicate a content type from a plurality of content types identifying a type of content contained in the object, and a time field to indicate when the object was captured. The data structure may also store a cryptographic signature of the object to ensure the object is not altered after capture.

Abstract: A document accessible over a network can be registered. A registered document, and the content contained therein, cannot be transmitted undetected over and off of the network. In one embodiment, the invention includes maintaining a plurality of stored signatures in a signature database, each signature being associated with one of a plurality of registered documents. In one embodiment, the invention further includes maintaining the signature database by de-registering documents by removing the signatures associated with de-registered documents. In one embodiment, the invention further includes maintaining the database by removing redundant and high detection rate signatures. In one embodiment, the invention also includes maintaining the signature database by removing signatures based on the source text used to generate the signature.

Abstract: A document accessible over a network can be registered. A registered document, and the content contained therein, cannot be transmitted undetected over and off of the network. In one embodiment, the invention includes maintaining a plurality of stored signatures, each signature being associated with one of a plurality of registered documents, intercepting an object being transmitted over a network, calculating a set of signatures associated with the intercepted object, and comparing the set of signatures with the plurality of stored signatures. In one embodiment, the invention can further include detecting registered content from the registered document being contained in the intercepted object, if the comparison results in a match of at least one of the signatures in the set of signatures with one or more of the plurality of stored signatures.