DETAILED ACTION
This Office Action is in response to the communication filed on 02/11/2021.
Claims 1-28 are pending. 
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/11/2021 has been entered.
Response to Arguments
Applicant's Remarks filed on 02/11/2021 have been fully considered.
The rejections of claims 1-28 under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, presented in the previous final Office action have been withdrawn in view of amendments of the claims. 
In response to Applicant's argument on pages 7-9 of Remarks that the cited references do not teach the newly added limitation as recited in the amended independent claims, this argument is moot in view of the new grounds of rejection presented below and in view of newly found prior art. Examiner also notes that Pope teaches a controller that configures how the snoop logic selects for capturing only the certain data (e.g. [0031], [0089]) as explained in the examiner's answer.  
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a)  IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-28 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor 
Claim 1 recites the limitation "a controller that configures how the snoop logic selects for capturing only the certain data by the controller accessing registers in the snoop logic via a register interface" (similarly recited in claim 12), however, the disclosure does not provide adequate support for the above claimed limitation.
Upon further review of the specification, the specification at most suggests elements including a controller that can be implemented as a CPU running embedded software or can be implemented entirely in hardware (specification [0041]) and a register access interface that may provide access to registers of I/O bridge(s) and I/O snoop logic by the controller (specification [0037]), however, there is no disclosure in the specification, either implicitly or explicitly of the controller configuring how the snoop logic selects for capturing only the certain data by accessing registers in the snoop logic, the specification does not disclose the controller accessing registers in the snoop logic to configure how the snoop logic selects for capturing only the certain data. Note that the specification also does not have support for the registers being in the snoop logic.  

Thus, claims 1, and 12 failed to comply with the written description requirement. The remaining dependent claims are also rejected for inheriting the deficiencies of the claims from which they depend on.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-12, 14-16, 18-21, and 25-26 are rejected under 35 U.S.C. 103 as being unpatentable over Pope et al. (US 2014/0355613) in view of O'Toole, Jr. (US 7,467,408) further in view of Obkircher (US 8,135,881).
Claim 1, Pope teaches:
A computer system, comprising:
a network interface for sending and receiving data over a network; (e.g. figs. 2-3, [0085], "FIG. 2 schematically illustrates packet capture on the receive path of a network interface device (NIC)…NIC 100 receives network data flows 210 at physical interface 201 (e.g. a network PHY)")
a host computer processor that executes an operating system and applications that generate and utilize the data sent and received over the network; and (e.g. [0075], "Data processing device 101 preferably supports a software environment comprising kernel space 104 and user level space 105. The kernel would typically support a network protocol stack 118 for performing processing of network data packets communicated over the network interface device, along with communication queues 111and112 for receiving incoming data and/or holding data for transmission over the network. User space 105 supports at least one application 106 arranged to communicate data over the network 
a secure subsystem interposed between the host computer processor and the network interface for capturing certain of the data sent and received via the network interface, wherein the secure subsystem includes: (e.g. figs. 2-3 , [0085]-[0086], "FIG. 2 schematically illustrates packet capture on the receive path of a network interface device (NIC)…NIC 100 receives network data flows 210 at physical interface 201 (e.g. a network PHY)…Packet capture unit 114 captures one or more specified data flows received from the network through the use of a packet inspector 203, a duplication engine 204 and a packet capture engine 205" [0100], "FIG. 2 relates to the capture of incoming data flows on the receive path of a NIC. The packet capture unit can be additionally or alternatively configured to perform packet capture on outgoing data flows")
snoop logic that selects for capturing into a buffer a local copy of only the certain data, the local copy being a duplicate subset of the data that is also sent and received over the network and less than all of the data sent and received over the network via the network interface, and (e.g. [0086]-[0087], "Packet capture unit 114 captures one or more specified data flows received from the network through the use of a packet inspector 203, a duplication engine 204 and a packet typo, should be 113] for delivery in the conventional manner to their respective endpoints at the host device. Data packets that are identified as belonging to one of the specified data flows are passed in stream 212 to duplication engine 204 which duplicates the specified data flows, passing the first of each data packet over stream 216 to be delivered to its respective endpoint at the host device and the second of each data packet onto packet capture engine 205" [0090], "The stream of packet capture data generated at the packet capture engine is stored at a packet capture buffer. In the example shown in FIG. 2, capture streams 217 are delivered to buffer 115")
a controller that configures how the snoop logic selects for capturing only the certain data. (see e.g. [0031], "the packet capture unit is a reconfigurable logic device such as an FPGA…the packet inspector, duplication engine and packet capture engine are defined by one or more firmware modules installed at the reconfigurable logic device" [0089], "Packet capture unit 114 is preferably a reconfigurable logic device, such as an FPGA, with packet inspector 203, 
Pope teaches the local copy of the data that has been captured into the buffer based on the selecting and all of the data that is sent and received via the network interface, the snoop logic, and the network interface (see above) and does not appear to explicitly teach but O'Toole, Jr. teaches:
a ratio is controlled in accordance with at least a bandwidth. (e.g. col. 7 ll. 5-12, "The filter module 215 applies filter criteria important in ensuring good traffic flow to the monitor 250. The flytrap 200 buffers filtered packets in the memory 210 for transmission to the monitor 250 as described below. Filtering criteria includes, but is not limited to the rate, quantity, bandwidth, and size of packets. The filtering rules of the flytrap filter 215 implement the goal of forwarding a bandwidth-limited arbitrary subset of the data traffic received by the flytrap 200 to the monitor 250" ll. 17-22, "For example, the filter 200 is configured, in one embodiment, by a small number of packet filter rules of the form: size N, truncate at K, limit P pps and B bps, meaning that received packets of size N or greater shall be truncated to their first K bytes, and only P packets per 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by O'Toole, Jr. into the invention of Pope, and the motivation for such an implementation would be for the purpose of providing captured data with a high likelihood of reaching a monitoring system (O'Toole, Jr. col. 7 ll. 33-36).
Pope-O'Toole, Jr. combination teaches a controller that configures how the snoop logic selects for capturing only the certain data, the controller, and the snoop logic (see above) and does not appear to explicitly teach but Obkircher teaches: 
by a controller accessing registers in a logic via a register interface. (e.g. col. 23, ll. 45-48, "registers REG2 through REGj are those that SPI master controller 44 can write to or read from for the purpose of controlling the operation of logic blocks 40, 42, etc.")
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Obkircher into the invention of Pope-O'Toole, Jr. combination, and the motivation for such an implementation would be for the purpose of allowing 
Claim 3, Pope-O'Toole, Jr.-Obkircher combination teaches:
wherein the secure subsystem further includes: 
a bridge logic module in a communication path between the network interface and the host computer processor that provides the sent and received data to the snoop logic. (e.g. Pope figs. 2-3, [0087])   
Claim 4, Pope-O'Toole, Jr.-Obkircher combination teaches:
wherein the snoop logic includes a trigger engine that identifies the certain data based on an event associated with the sent and received data. (e.g. Pope [0086])
Claim 5, Pope-O'Toole, Jr.-Obkircher combination teaches:
wherein the snoop logic includes a filter engine that identifies the certain data by filtering out certain of the sent and received data. (e.g. Pope [0087])
Claim 6, Pope-O'Toole, Jr.-Obkircher combination teaches:
wherein the controller configures how the trigger engine identifies the certain data. (e.g. Pope [0086]-[0087], [0089])

wherein controller configures how the filter engine identifies the certain data. (e.g. Pope [0086]-[0087], [0089])
Claim 8, Pope-O'Toole, Jr.-Obkircher combination teaches:
wherein the secure subsystem includes a remote management network interface for sending the certain data from the buffer to a remote management system. (e.g. Pope [0091]-[0092])
Claim 9, Pope-O'Toole, Jr.-Obkircher combination teaches:
further comprising a compression block for compressing the certain data before sending to the remote management system. (e.g. Pope [0030], [0088], [0092])
Claim 10, Pope-O'Toole, Jr.-Obkircher combination teaches:
wherein the secure subsystem includes a memory controller for storing the certain data. (e.g. Pope [0090], [0097])
Claim 11, Pope-O'Toole, Jr.-Obkircher combination teaches:
further comprising a compression block for compressing the certain data before storing. (e.g. Pope [0030], [0088], [0090])

Claim 14, Pope-O'Toole, Jr.-Obkircher combination teaches: 
wherein capturing includes: 
analyzing the sent and received data according to a configuration; and (e.g. Pope [0086]-[0087])
identifying the certain data based on the analyzing. (e.g. Pope [0086]-[0087])
Claim 15, this claim is directed to a method containing similar limitations as recited in claim 4 and is rejected using the same rationale to combine the references. 
Claim 16, this claim is directed to a method containing similar limitations as recited in claim 5 and is rejected using the same rationale to combine the references. 
Claim 18, this claim is directed to a method containing similar limitations as recited in claim 8 and is rejected using the same rationale to combine the references.

Claim 20, this claim is directed to a method containing similar limitations as recited in claim 10 and is rejected using the same rationale to combine the references. 
Claim 21, this claim is directed to a method containing similar limitations as recited in claim 11 and is rejected using the same rationale to combine the references. 
Claim 25, Pope-O'Toole, Jr.-Obkircher combination teaches:
wherein the secure subsystem further includes a capture block builder for encapsulating the local copy of the certain data into data blocks for storing in the buffer. (e.g. Pope [0099])
Claim 26, Pope-O'Toole, Jr.-Obkircher combination teaches:
wherein the capture block builder includes timestamps in the data blocks. (e.g. Pope [0088])
Claims 2, 13, 17, and 22-23 are rejected under 35 U.S.C. 103 as being unpatentable over Pope et al. (US 2014/0355613) in view of O'Toole, Jr. (US .
Claim 2, Pope-O'Toole, Jr.-Obkircher combination teaches the network interface (see above) and does not appear to explicitly teach but Wiederin teaches:
one of Firewire (IEEE 1394) and Ethernet. (e.g. [0023])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Wiederin into the invention of Pope-O'Toole, Jr.-Obkircher combination, and the motivation for such an implementation would be for the purpose of enabling interface device to communicate with other devices and systems (Wiederin [0023]).
Claim 13, this claim is directed to a method containing similar limitations as recited in claim 2 and is rejected using the same rationale to combine the references. 
Claim 17, Pope-O'Toole, Jr.-Obkircher combination teaches the configuration (see above) and does not appear to explicitly teach but Wiederin teaches:

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Wiederin into the invention of Pope-O'Toole, Jr.-Obkircher combination, and the motivation for such an implementation would be for the purpose of providing cost-effective mechanisms to update and maintain security for users as new security threats are identified (Wiederin [0052]).
Claim 22, Pope-O'Toole, Jr.-Obkircher combination teaches analyzing the certain data, and the remote management system (see above) and does not appear to explicitly teach but Wiederin teaches:
analyzing certain data at a remote management system. (e.g. [0049]) 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Wiederin into the invention of Pope-O'Toole, Jr.-Obkircher combination, and the motivation for such an implementation would be for the purpose of providing cost-effective mechanisms to update and maintain security for users as new security threats are identified and providing a service point of 
Claim 23, Pope-O'Toole, Jr.-Obkircher-Wiederin combination teaches:
wherein analyzing includes cross-correlating the certain data with data obtained from a plurality of different computer systems. (e.g. Pope [0091]-[0092]; Wiederin [0039], [0049])
Claim 24 is rejected under 35 U.S.C. 103 as being unpatentable over Pope et al. (US 2014/0355613) in view of O'Toole, Jr. (US 7,467,408) in view of Obkircher (US 8,135,881) in view of Wiederin et al. (US 2004/0268147) further in view of Ahuja et al. (US 2013/0254838).
Claim 24, Pope-O'Toole, Jr.-Obkircher-Wiederin combination teaches the analysis, and the host processor (see above) and does not appear to explicitly teach but Ahuja teaches:
taking remedial action based on an analysis, the remedial action including one or more of notifying an administrator, modifying a security policy for one or more computer systems, and disabling one or more devices associated with interfaces of a host processor. (e.g. [0066])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings .
Claim 27 is rejected under 35 U.S.C. 103 as being unpatentable over Pope et al. (US 2014/0355613) in view of O'Toole, Jr. (US 7,467,408) in view of Obkircher (US 8,135,881) further in view of Chan et al. (US 7,636,653).
Claim 27, Pope-O'Toole, Jr.-Obkircher combination teaches wherein the data sent and received over the network comprises network packets, and wherein the snoop logic forms the local copy of the certain data (see above) and does not appear to explicitly teach but Chan teaches:
stripping out headers of network packets. (e.g. col. 8 ll. 19-31)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Chan into the invention of Pope-O'Toole, Jr.-Obkircher combination, and the motivation for such an implementation would be for the purpose of further packetizing data and overcoming the challenge of maintaining the speed of in fabric packet processing at the same level as the speed of IP connection (Chan col. 2 ll. 21-25, col. 8 ll. 31).
Claim 28 is rejected under 35 U.S.C. 103 as being unpatentable over Pope et al. (US 2014/0355613) in view of O'Toole, Jr. (US 7,467,408) in view of Obkircher (US 8,135,881) further in view of Choi et al. (US 2013/0160122).
Claim 28, Pope-O'Toole, Jr.-Obkircher combination teaches wherein the data sent and received over the network comprises network packets, and wherein the snoop logic identifies the certain data (see above) and does not appear to explicitly teach but Choi teaches:
performing deep packet inspection on payloads of network packets. (e.g. [0046]-[0047])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Choi into the invention of Pope-O'Toole, Jr.-Obkircher combination, and the motivation for such an implementation would be for the purpose of performing intrusion detection and detecting network intrusion without leakage of packets (Choi [0006], [0046]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following reference is cited but not been replied upon for this Office action: US 9,331,915 discloses a system for monitoring or . 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMIE C LIN whose telephone number is (571)272-7752.  The examiner can normally be reached on M-F 9:00AM -5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on 5712724219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public 






/AMIE C. LIN/Examiner, Art Unit 2436