Split PCAP
Overview
Split PCAP allows you to break up large capture files into smaller, more manageable pieces. Very large captures can be slow to navigate and analyze, making it difficult to work efficiently. The Split PCAP feature solves this problem by creating smaller files that are faster to load and easier to work with.
Split PCAP maintains complete fidelity to the original capture. Unlike tools that summarize traffic or reduce data to flow patterns, CloudShark’s splits contain all the original packets with no loss of information. You get the full-fidelity network data that PCAPs provide, just divided into more manageable pieces.
Only in CloudShark Enterprise: After you split, CloudShark automatically takes you to the Deep Search tool, where you can search across all the splits simultaneously. This means you get the performance benefits of smaller files while maintaining the ability to search across the entire original capture.
Accessing Split PCAP
The Split PCAP feature is available in two places:
- From the Export menu when viewing a capture file
- Automatically suggested in the Large File Preview dialog when you open a file with a large number of packets
Split Methods
CloudShark offers two ways to split your capture files, depending on your needs.
Extract a Time Slice
Extract a Time Slice allows you to select a specific time range from your capture and create a new session containing only the packets within that range.
Use the time sliders to select the portion of the capture you want to extract. Drag the sliders to define the start and end times, and CloudShark will create a new capture session containing only the packets within that time window.
This is particularly useful when you need to isolate a specific incident or problem period, narrow down bandwidth spikes or network dropouts, or exclude irrelevant portions of a long capture to focus your analysis.
Split into Multiple PCAPs
Split into Multiple PCAPs divides your capture file into multiple equal-sized files automatically. You can choose how to split the file:
- Packets per file: Create new files with a specified number of packets in each file
- Seconds per file: Create new files with a specified duration in seconds
Enter the number of packets or seconds you want in each file, and CloudShark will automatically create as many splits as needed to cover the entire original capture.
This method is ideal when you want to break up extremely large captures into consistent segments for systematic review, distribute analysis work across multiple team members, or create time-based segments for periodic analysis.
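Both split methods above (a time slice, and fixed packets-per-file or seconds-per-file segments) can be sketched outside CloudShark. This is an added example, not CloudShark's code: a classic-pcap splitter that copies every packet record byte for byte, so the pieces together hold exactly the original packets. The function names, the constructed sample capture and the handling of empty time windows are assumptions of this example.

```python
import struct

MAGIC_LE_USEC = b"\xd4\xc3\xb2\xa1"  # classic pcap, little-endian, microsecond timestamps

def read_pcap(data):
    """Return (24-byte global header, [(timestamp_in_usec, raw_record_bytes), ...])."""
    if data[:4] != MAGIC_LE_USEC:
        raise ValueError("this example only handles little-endian microsecond pcap")
    header, off, records = data[:24], 24, []
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        end = off + 16 + incl_len
        if end > len(data):
            break  # truncated last record: drop it rather than emit a partial packet
        records.append((sec * 1_000_000 + usec, data[off:end]))
        off = end
    return header, records

def write_pcap(header, records):
    # Every output file repeats the original global header (link type, snaplen).
    return header + b"".join(raw for _, raw in records)

def time_slice(data, start_sec, end_sec):
    """Keep only packets with start_sec <= timestamp <= end_sec."""
    header, records = read_pcap(data)
    lo, hi = start_sec * 1_000_000, end_sec * 1_000_000
    return write_pcap(header, [r for r in records if lo <= r[0] <= hi])

def split_by_packets(data, per_file):
    header, records = read_pcap(data)
    return [write_pcap(header, records[i:i + per_file])
            for i in range(0, len(records), per_file)]

def split_by_seconds(data, seconds):
    """Windows are counted from the first packet; empty windows produce no file (assumption)."""
    header, records = read_pcap(data)
    windows = {}
    for rec in records:
        index = (rec[0] - records[0][0]) // (seconds * 1_000_000)
        windows.setdefault(index, []).append(rec)
    return [write_pcap(header, windows[i]) for i in sorted(windows)]

def make_sample():
    """Constructed capture: five 60-byte packets at t = 100, 101, 102, 110, 111 s."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, t in enumerate((100, 101, 102, 110, 111)):
        payload = bytes([i]) * 60
        out += struct.pack("<IIII", t, 0, len(payload), len(payload)) + payload
    return out
```

Concatenating the packet records of all pieces reproduces the original record stream, which is a quick way to confirm that a split lost nothing before the pieces are handed to different analysts.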
After Splitting: Deep Search Workflow
After you create splits, CloudShark automatically takes you to the Deep Search tool configured to search across all your newly created splits. This is the key advantage of using Split PCAP instead of manually splitting files with other tools.
Deep Search lets you search across all splits in parallel, allowing you to find packets across the entire original capture even though it’s now divided into smaller files. You can use any display filter expression to search, and CloudShark will return all the split files that contain packets matching your filter.
This workflow combines the performance benefits of smaller, faster-loading files with the search power of having access to the entire original capture. You get the best of both worlds: manageable file sizes with full search capabilities.
Important Notes
- CloudShark packet annotations are not copied to the new split sessions; tags and sharing settings are copied
- Each split becomes its own independent session that can be analyzed, shared, or searched individually
- Use Deep Search to search across all splits when you need to find packets across the entire original capture
- The original capture file remains on disk after splitting, so ensure adequate disk space is available
Viewing Previous Splits
CloudShark provides a “View previous splits” link that allows you to see splits you’ve already created. This makes it easy to return to your split sessions and continue your analysis or run additional Deep Search queries across the splits.
Use Cases
Why Split Large Captures?
The Split PCAP feature is designed to solve the performance challenges of working with very large capture files:
- Break up slow captures: Very large captures can be slow to navigate, making analysis frustrating and time-consuming
- Improve performance: Smaller files load faster and are more responsive when scrolling through packets or applying filters
- Maintain complete fidelity: All original packets are preserved with no summarization or data loss, unlike tools that reduce captures to flow patterns
- Maintain search capability: Only in CloudShark Enterprise, you can still use Deep Search across all splits to search the entire original capture
- Best of both worlds: Get manageable file sizes with full search capabilities across the complete dataset
When to Extract a Time Slice
Use Extract a Time Slice when you need to focus on a specific portion of a capture:
- Isolating a specific incident or problem period from a long capture
- Narrowing down or excluding bandwidth spikes or network dropouts that you’ve identified in the traffic graph
- Focusing analysis on a particular time window of interest
- Sharing just the relevant portion of a capture with colleagues or support teams
- Creating a smaller file for detailed packet-by-packet analysis
When to Split into Multiple PCAPs
Use Split into Multiple PCAPs when you need to systematically divide a large capture:
- Creating consistent time-based or size-based segments for periodic analysis
- Distributing analysis work across multiple files or team members
- Working around file size limitations in other analysis tools
- Breaking captures into manageable chunks for systematic review
- Processing extremely large captures that are too slow to work with as a single file