Deep Search Workers
The Deep Search feature in CloudShark Enterprise allows users to search multiple capture files for packets matching a display filter.
When a Deep Search is performed, CloudShark searches the list of capture files for packets matching the display filter. Multiple search workers are used to search these captures concurrently.
By default, CloudShark starts two search workers in the background. If your team frequently searches large capture libraries or has multiple analysts running concurrent searches, increasing the number of search workers can reduce total search time. This article provides instructions on how to increase the number of these processes and the estimated system resources needed to run them.
System Resources
Each search worker runs a separate process that loads the capture file into memory while searching for packets matching a display filter. As a guideline, expect each search worker to use approximately 1.5× the capture file size in system memory while performing a search.
This is a general guideline based on typical usage. To support additional search workers, consider deploying multiple instances of CloudShark to increase the resources available to users. See the following for more information:
For help sizing your deployment based on your specific workloads, contact support for assistance.
OVA
If you have installed CloudShark Enterprise using the OVA, the underlying RHEL-based Linux operating system uses systemd to run each search worker. Each systemd service is a template instance named cloudshark-search-worker@<#>, where <#> is the search worker instance number.
By default, CloudShark starts and enables two search worker processes. The following examples use @3 to manage a third search worker. Replace this with the instance number of the worker you are managing.
You can use standard systemd commands to manage the number of search workers and view their status:
- To start and enable an additional search worker:
  systemctl enable --now cloudshark-search-worker@3
- To list the running search worker processes:
  systemctl list-units 'cloudshark-search-worker@*' --state=running --no-legend
- To view more detail on the status of each search worker:
  systemctl status 'cloudshark-search-worker@*'
- To stop and disable a search worker:
  systemctl disable --now cloudshark-search-worker@3
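The following script ties together the memory guideline from the System Resources section and the systemd commands above. It is an added example, not part of the CloudShark documentation or product: it applies the stated 1.5× guideline to estimate the memory a given number of workers may need, and it enables instances 1 through a target count and disables any higher-numbered instances that were previously enabled. It assumes the cloudshark-search-worker@ unit template described above, assumes the estimate should be sized against the largest capture file in the library (the article does not say which file size to use), and uses an overridable SYSTEMCTL variable so the commands can be previewed with SYSTEMCTL=echo before being applied on the OVA.

```shell
#!/bin/sh
# Added example: scale cloudshark-search-worker@N instances and estimate memory.
# Assumes the systemd template unit cloudshark-search-worker@ described in the article.
# Set SYSTEMCTL=echo to print the commands instead of running them (dry run).
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# estimate_worker_memory_mb CAPTURE_MB WORKERS
# Applies the article's guideline of ~1.5x the capture file size per worker.
# Assumption: CAPTURE_MB is the largest capture file the workers may load.
estimate_worker_memory_mb() {
    capture_mb=$1
    workers=$2
    # 1.5x expressed as integer arithmetic (x3 / 2); rounds down for odd sizes.
    echo $(( capture_mb * 3 / 2 * workers ))
}

# scale_workers TARGET [MAX_KNOWN]
# Enables instances 1..TARGET and disables TARGET+1..MAX_KNOWN, so a previous
# scale-up can be reversed without leaving stray enabled units behind.
scale_workers() {
    target=$1
    max_known=${2:-$target}
    i=1
    while [ "$i" -le "$max_known" ]; do
        if [ "$i" -le "$target" ]; then
            "$SYSTEMCTL" enable --now "cloudshark-search-worker@$i"
        else
            "$SYSTEMCTL" disable --now "cloudshark-search-worker@$i"
        fi
        i=$((i + 1))
    done
}

# Usage: sh scale-search-workers.sh TARGET [MAX_KNOWN] [LARGEST_CAPTURE_MB]
# Example: SYSTEMCTL=echo sh scale-search-workers.sh 4 6 2048
if [ $# -ge 1 ]; then
    if [ $# -ge 3 ]; then
        echo "estimated memory for $1 workers: $(estimate_worker_memory_mb "$3" "$1") MB"
    fi
    scale_workers "$1" "${2:-$1}"
fi
```

Run it once with SYSTEMCTL=echo to confirm the instance numbers it will touch, compare the printed estimate against the free memory on the appliance, and only then run it without the override. The list-units command from the article remains the quickest way to confirm how many workers are actually running afterwards.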
Docker
The CloudShark Docker deployment does not use systemd to manage search worker processes. For customers deploying CloudShark using Docker who want to modify the number of search workers available, please contact support for assistance.