| 摘要 |
A system and method for the capture and archival of electronic communication is disclosed. A network interface card in promiscuous mode connects the invention to an electronic communications network. Network packets are received on the network interface card and sent to a pseudo TCP/IP stack, which reconstructs the network packets into the original electronic message. The reconstructed electronic message is transferred to the traffic capture component in chunks until the entire message is captured. The traffic capture component forwards the electronic message to the message analysis component, which hashes, parses, analyzes and formats for storage the electronic message. The electronic message, in a structured format, is then sent to the storage manager component. The storage manager component selects a storage unit from the available network storage based on the message hash. The storage manager component then compresses, encrypts and writes the structured version of the electronic message to the selected storage unit. The message analysis component also writes Meta Data information and keywords from the electronic message to the index database. Once an electronic message is captured and archived, it can be later retrieved using the message query/retrieval component. To retrieve a previously archived electronic message, a user first sends a query specifying the messages desired to the message query/retrieval component using the user interface. The message query/retrieval component formats the query in SQL and runs it against the index database. The message query/retrieval component also sends the query to any other instances of the invention in the electronic communications network via the communications interface. The results of the query from the index database and the other c instances of the invention are combined, formatted for display and returned to the user via the user interface. From the query results, the user can select one or more archived electronic messages to be viewed by sending a list of messages to the message query/retrieval component using the user interface. The message query/retrieval component forwards this list to the storage manager component, which reads, decrypts and decompresses each message from the list in turn and writes the structured message formatted for display to a disk file. When complete, the storage manager component informs the message query/retrieval component, which in turn notifies the user via the user interface. The policy component is used to modify the behavior of the traffic capture, message analysis and message query/retrieval components. Within the traffic capture component, the policy is used to determine whether a particular electronic message is captured or not. Within the message analysis component, the policy is used to determine what type of message analysis to perform and what the storage attributes of the message should be. Within the message query/retrieval component the policy is used to determine whether a user can access the message archive and to filter the query results. |
