
The Design and Implementation of Distributed Network Event Analyzing and Recording System

Advisor: 柯開維

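Abstract

This thesis designs a distributed network event analysis and recording system for the Internet that intercepts network packets, parses network activity, and reads packet contents to reconstruct and record files. The system uses a distributed architecture made up of a capture-and-recording subsystem, a database subsystem, and an analysis subsystem, which cooperate over network connections to achieve a clear division of labor and can be combined into different monitoring networks according to communication-surveillance requirements, achieving the goal of flexible deployment. In addition, to meet the needs of different monitoring environments and of communication protocols that may be added in the future, the system is designed in a modular fashion, and a standardized method is defined for analyzing protocol behavior, writing capture-and-recording programs, and testing program functionality, giving the system high extensibility and maintainability with respect to communication protocols. This thesis also implements the system, using the standardized method to analyze and implement analysis and recording for the FTP, HTTP, SIP, and H.323 protocols as well as detection of abnormal network behavior, verifying the usability of the design. Long-term monitoring in a real laboratory network environment and testing with large numbers of network events generated by packet replay software demonstrate that the implemented system is stable enough to run for long periods and to handle sudden bursts of heavy traffic.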

Keywords

Network interception, distributed system, FTP, HTTP, H.323, SIP, ARP

Parallel abstract

This research designed a distributed network event analyzing and recording system. It observes network activity by capturing and analyzing all packets flowing on the network, and it records data and reconstructs it from the captured packets back to its original form. A distributed, modularized architecture was applied to the design. Three subsystems, the Capture subsystem, the Database subsystem and the Analyzing subsystem, cooperate through Internet connections to achieve a clear division of workload and provide more flexibility in system provisioning. The design also achieves high protocol extensibility, maintainability, and usability. By proposing a unified process, this work implemented protocol analysis and recording functions for the FTP, HTTP, SIP and H.323 protocols, and suspected-intrusion detection for ARP spoofing, SYN flood and PING attacks. The functionality and stability of the system were verified through a long-term test in a real laboratory network environment and a stress test that replayed a large number of packets using packet-generating software.

Parallel keywords

Internet interception, Distributed system, FTP, HTTP, H.323, SIP, ARP
