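Existing network behavior auditing software has no module for recording files transferred over instant messaging (IM) software. A protocol analysis environment was set up and, exploiting the fact that mainstream IM clients transmit their communication data in plaintext, packet capture tools and a reverse-inference approach were used to analyze in depth the file transfer protocols of several IM clients (QQ, Fetion, MSN, Yahoo! Messenger and others); an IM file transfer auditing system (FAudit) was then designed and implemented. FAudit captures packets with the Libpcap library, extracts the application-layer data, and applies a dedicated file reassembly algorithm: by computing the ACK and SEQ numbers of the network packets, it filters, orders, decompresses, reassembles and writes the packets, and finally restores the file the user transferred. Test results show that FAudit can effectively audit files of all types (DOC, PDF, TXT, video and so on) and sizes transferred by the various IM clients under different network conditions, in particular when the network environment changes abruptly or network conditions are extremely poor, and that it also addresses the system upgrade problem caused by new versions of IM software.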
Most network behavior audit software cannot record files sent through instant messengers (IM). Exploiting the plaintext communication between popular IM clients, sniffer tools were used to reverse-engineer the undisclosed and non-uniform file transfer protocols of those clients, and a new network behavior audit system (FAudit) is presented on the basis of this analysis. FAudit captures IM file packets with the Libpcap library, extracts the application-layer data and analyzes the ACK and SEQ numbers; the original file is then recovered from the packets by filtering, ordering, decompression, reassembly and writing. The simulation results show that FAudit can audit files of all formats (such as DOC, PDF, TXT and video) and of arbitrary size in different network environments, however bad the conditions. FAudit can also be extended to other kinds of IM clients.
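The ordering and reassembly step described above, as an added C example; it is not FAudit's own code, whose algorithm the abstract does not give. The `seg` struct, the function names and the sample segments are constructed for illustration, and the sketch assumes payloads already extracted from one direction of one TCP connection and a file shorter than 2^32 bytes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Payload of one captured TCP segment (hypothetical struct for this example). */
struct seg { uint32_t seq; const char *data; uint32_t len; };

static uint32_t g_base;     /* sequence number of the first file byte */
static char demo_out[32];   /* reassembled bytes produced by demo() */
static int demo_gap;        /* 1 when a missing segment stopped reassembly */

/* Order by offset from g_base; unsigned subtraction survives 2^32 wraparound. */
static int cmp_seg(const void *a, const void *b) {
    uint32_t oa = ((const struct seg *)a)->seq - g_base;
    uint32_t ob = ((const struct seg *)b)->seq - g_base;
    return (oa > ob) - (oa < ob);
}

/* Sort segments, drop retransmissions, trim overlaps, stop at the first hole.
 * Returns the number of contiguous bytes written to out (at most cap). */
size_t reassemble(struct seg *s, size_t n, uint32_t base,
                  char *out, size_t cap, int *gap) {
    size_t next = 0;                              /* next expected offset */
    *gap = 0; g_base = base;
    qsort(s, n, sizeof *s, cmp_seg);
    for (size_t i = 0; i < n && next < cap; i++) {
        uint32_t off = s[i].seq - base;
        if (off > next) { *gap = 1; break; }      /* hole: a segment was lost */
        size_t skip = next - off;                 /* bytes already written */
        if (skip >= s[i].len) continue;           /* pure retransmission */
        size_t add = s[i].len - skip;
        if (add > cap - next) add = cap - next;   /* never overrun out */
        memcpy(out + next, s[i].data + skip, add);
        next += add;
    }
    return next;
}

/* Constructed capture: out of order, one duplicate, one overlap, seq wraps. */
size_t demo(int drop_middle) {
    uint32_t b = 0xFFFFFFFAu;
    struct seg s[] = {
        { b + 8,  "PAYL", 4 }, { b,     "IM-FI", 5 }, { b, "IM-FI", 5 },
        { b + 12, "OAD!", 4 }, { b + 3, "FILE-", 5 },
    };
    size_t n = sizeof s / sizeof s[0] - (drop_middle ? 1 : 0);
    return reassemble(s, n, b, demo_out, sizeof demo_out, &demo_gap);
}

int main(void) { return demo(0) == 16 ? 0 : 1; }
```

Calling `demo(1)` omits the segment at offset 3, so reassembly stops after the first five bytes and reports the gap instead of writing a corrupted file.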