I know I said come back Wednesday but hey, I had a spare few minutes and thought "why not!?". I've just noticed that the whole Internet monitoring thing has come up again. I've said before how unworkable I think it will be, and I stand by that. Even if you were only recording source, destination and protocol details (i.e. the remote TCP port someone accessed), you would literally have millions and millions of records each day.
When you add in the requirement to keep a rolling 12 months, you're talking about a data warehouse of insane proportions, in both administrative overhead and performance, and that assumes it isn't encrypted. If it were encrypted you then have the overhead of not only running a query on it but also decrypting the data on the fly.
Such a system would be next to useless as a result, even if it did have masses of clever indexing. I wouldn't even like to hazard a guess at how long it would take to back the thing up either. The fundamental problem is that you'd have to record every single packet in order for it to hold data that you could easily pinpoint to something.
There are just over 65,000 TCP ports that one can connect to with a service. It is also very unlikely that a terrorist is going to be using standard ports for network services, so you would have to record everything if you really wanted total scope of monitoring. It's nuts.