Deep Search
Deep Search gives you the ability to search through captures for packets matching a standard display filter. CloudShark takes the responsibility of checking each file to see if any packets match, and presents the results back to you.
Combined with our existing metadata filters, this becomes a very powerful tool for digging through your capture files to identify specific packets that matter most to you.
If your team frequently searches a large number of capture files or has multiple analysts running concurrent searches, CloudShark can run additional processes to reduce total search time.
Work with your system administrator to increase the number of search workers, or contact support for assistance.
Selecting files and Searching
From the main capture index, apply index filters to first narrow down your search pool. Your search pool is the list of all the captures that a display filter will be tested against. If at least one packet in a given file matches the display filter, then that file will be returned as part of the results.
We recommend using a combination of tags, date, and other filters to narrow down the pool before you start your search.
Select a number of captures by clicking their corresponding checkbox, and click the Deep Search button in the tool bar. A popup will appear allowing you to enter a display filter. Previous Deep Search filters will also be presented in the popup if you’d like to revisit a prior search. Either type in the input box, or click a previous filter.
Click the Search button to launch your Deep Search.
Viewing Results
The Deep Search view is the same as the capture index view with the addition of the search bar at the top of the table. The search bar provides feedback about your current Deep Search:
- Close button to exit the Deep Search
- Display Filter being used
- Progress bar / status of the current Deep Search
- Deep Search Results view selector
Choosing what you see
The view selector on the right of the search bar has 3 views to choose from:
- Deep Search Results displays the entire search pool, but files that do not match the display filter are disabled.
- Matching Captures Only shows only the files that match the display filter; the rest are hidden.
- Original Search Pool shows and enables all of the capture files in the pool so they can be selected again, regardless of whether they were included in the results. This is useful if you need to modify your original search.
Drilling Down
A display filter is evaluated against one packet at a time, so a Deep Search can only ask whether a single packet matches. Consider trying to find a file that contains both DNS and HTTP. The naive approach would be to search with the display filter "dns and http". However, that describes a single packet carrying both protocols, which would never match!
To perform this kind of boolean AND across a whole file, do two consecutive Deep Searches. First, search on the "dns" filter. When that is complete, use the Select-All checkbox to mark all the matched files for a second Deep Search of "http".
The results of this second search will be the set of files that have both DNS and HTTP in them!
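The following model of the per-packet semantics described above is an added example, not CloudShark code: capture files are represented as constructed lists of packets, each packet being the set of protocol layers it carries, and the display filter grammar is reduced to protocol names joined by "and".

```python
"""Model of Deep Search semantics (added example, not CloudShark code).

A display filter is evaluated per packet; a capture matches the search when at
least one of its packets matches. Constructed sample captures stand in for files.
"""
from typing import Dict, FrozenSet, List, Set

# Constructed sample data (hypothetical, not from the page):
# file name -> list of packets, each packet = set of protocol layers it carries.
CAPTURES: Dict[str, List[FrozenSet[str]]] = {
    "web-and-dns.pcap": [frozenset({"udp", "dns"}), frozenset({"tcp", "http"})],
    "dns-only.pcap": [frozenset({"udp", "dns"}), frozenset({"udp", "dns"})],
    "http-only.pcap": [frozenset({"tcp", "http"}), frozenset({"tcp"})],
    "ssh.pcap": [frozenset({"tcp", "ssh"})],
}


def packet_matches(packet: FrozenSet[str], display_filter: str) -> bool:
    """Evaluate a simplified display filter against ONE packet.

    Only conjunctions of protocol names ("dns", "dns and http") are supported;
    this stands in for the real display-filter engine, not its full grammar.
    """
    terms = [t.strip() for t in display_filter.split(" and ")]
    return all(term in packet for term in terms)


def deep_search(pool: Set[str], display_filter: str) -> Set[str]:
    """Return the files in the pool with at least one packet matching the filter."""
    return {
        name for name in pool
        if any(packet_matches(pkt, display_filter) for pkt in CAPTURES[name])
    }


def drill_down(pool: Set[str], *filters: str) -> Set[str]:
    """Consecutive Deep Searches: each search runs only over the previous matches.

    The result is the set of files that contain a matching packet for EVERY
    filter, i.e. the file-level AND that a single display filter cannot express.
    """
    for display_filter in filters:
        pool = deep_search(pool, display_filter)
    return pool


if __name__ == "__main__":
    everything = set(CAPTURES)
    # One filter asks for a single packet that is both DNS and HTTP: never matches.
    print("dns and http ->", sorted(deep_search(everything, "dns and http")))
    # Two consecutive searches find the file that carries both protocols.
    print("dns, then http ->", sorted(drill_down(everything, "dns", "http")))
```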
Opening Deep Search results
While the search bar is visible, clicking on a row will open that capture with the current Deep Search display filter applied.
To return to your Deep Search results, use the browser’s Back button, or Command+Click (Mac) or Control+Click (Windows) to open the capture in a new browser tab.
Multiple Deep Searches
CloudShark Deep Search is limited to a single search per user at a time. Think of this as your “current search”. When you launch a new Deep Search, it will replace the previous one.
CloudShark does its best to cache any work that has been already done, so if you go back and search for something across files you’ve already searched, the results will appear very quickly because they are read from the cache. The Deep Search popup contains the list of the last 5 unique searches that you performed.