Deep Search
DeepSearch gives you the ability to search through captures for packets matching a standard display filter. CloudShark takes the responsibility of checking each file to see if any packets match, and presents the results back to you.
Combined with our existing metadata filters, this becomes a very powerful tool for digging through your capture files to identify specific packets that matter most to you.
Watch this video to see DeepSearch in action!
Selecting files and Searching
From the main capture index, apply index filters to first narrow down your search pool. Your search pool is the list of all the captures that a display filter will be tested against. If at least one packet in a given file matches the display filter, then that file will be returned as part of the results.
We recommend using a combination of tags, date, and other filters to narrow down the pool before you start your search.
Select a number of captures by clicking their corresponding checkbox, and click the DeepSearch button in the tool bar. A popup will appear allowing you to enter a display filter. Previous DeepSearch filters will also be presented in the popup if you’d like to revisit a prior search. Either type in the input box, or click a previous filter.
Click the Search button to launch your DeepSearch.
Viewing Results
The DeepSearch view is the same as the capture index view with the addition of the search bar at the top of the table. The search bar provides feedback about your current DeepSearch:
- Close button to exit the DeepSearch
- Display Filter being used
- Progress bar / status of the current
- DeepSearch Results view selector
Choosing what you see.
The view selector on the right of the search bar has 3 views to choose from:
- DeepSearch Results displays the entire search pool, but files that do not match the display filter are disabled.
- Matching Captures Only are only the files that match the display filter are shown the rest are hidden.
- Original Search Pool shows and enables all of the capture files in the pool to be selected again, regardless if they were included in the results. This is useful if you need to modify your original search.
Drilling Down
Display Filters are limited by matching a single packet. Consider trying
to find a file that contains DNS and HTTP in it. The naive approach
would be to search with the display filter: dns and http
However that
describes only a single packet, which would never have both protocols!
To perform this kind of boolean AND expression, do two consecutive
DeepSearches. First, search on the dns
filter. When that is complete,
use the Select-All checkbox to mark all the matched files for a second
DeepSearch of http
.
The results of this second search will be the set of files that have both DNS and HTTP in them!
Opening DeepSearch results
While the search bar is visible, clicking on a row will open that capture with the current DeepSearch display filter applied.
To return to your DeepSearch results, use the browser’s Back button, or Command+Click (Mac) or Control-Click (Windows) to open the capture in a new browser tab.
Multiple DeepSearches
CloudShark DeepSearch is limited to a single search per user at a time. Think of this as your “current search”. When you launch a new DeepSearch, it will replace the previous one.
CloudShark does its best to cache any work that has been already done, so if you go back and search for something across files you’ve already searched, the results will appear very quickly because they are read from the cache. The DeepSearch popup contains the list of the last 5 unique searches that you performed.