An analysis of data packets in a datastream is performed in many areas, for example in order to filter or categorize the data with respect to their content. An analysis of the content of individual data packets and network sessions is required particularly when monitoring datastreams. With known methods, copies are produced of the data packets that are transmitted via a data line and these are either stored for later processing, or the data packets are analyzed in real time.
However, the storage of all data packets in a datastream requires very large and powerful data memories. In addition, high processing power is required for the subsequent analysis of the stored data. However, systems of this kind are usually unsuitable for permanent monitoring, because over a longer period of time, such a large amount of data is usually stored in the data memory that timely analysis of this data can no longer be ensured. Memory overflow can also occur.
Real-time capable analysis systems provide for immediate analysis of data transmitted via the data line and are fundamentally suitable for permanent monitoring of data traffic, however when using these systems, it is usually not possible to reconstruct the entire content of a network session, because the data packets are often transmitted twice or not in chronological order via the network. This occurs particularly in load-balanced and redundant networks. These kinds of real-time capable analysis systems therefore cannot guarantee completely secure monitoring, because for example, key words whose common occurrence in a message or a network session is searched for, may be distributed among different data packets, so that these key words are then untraceable.