  • Thesis

Design and Implementation of MSN/SIP Session Forensics System in Gigabit Passive Optical Networks

Advisor: 蘇暉凱

Abstract


Network forensics analyzes network packets across various network protocols, using collection, analysis, filtering, and comparison to identify suspicious packets and prevent further harm. As network transmission speeds increase, however, network security problems grow with them: attackers need less time to search for and attack targets, forensics becomes harder, and illegal network behavior can no longer be traced and recorded in time. Traditional network forensics focuses on IP-layer packets, but most Internet applications are session-based. Session applications decide their data channels dynamically during communication and exchange session media format information dynamically (for example, via the Session Description Protocol, SDP), so a packet's class can no longer be determined from its network-layer and transport-layer header information alone. This thesis designs and implements an MSN/SIP session forensics system on the GPON architecture using a two-level packet classification structure. The stateless classification load is distributed to the subscriber-side ONUs, and the small number of packets related to MSN and SIP are forwarded through a UDP tunnel to an embedded MSN/SIP session forensics system, where session classification and protocol analysis are handled centrally. The session forensics system then stores session state data in a back-end database system, so that administrators can query and trace users' session state and behavior, and so that the data can serve as an important reference for network security forensics and network security decisions. Load test results show that the session forensics analyzer achieves an accuracy of more than 90% at loads within 43MB, which meets our requirements for the GPON environment.
