DeepSearch was launched as part of CloudShark 3.0.
DeepSearch gives you the ability to search through captures for packets matching a standard display filter. CloudShark takes the responsibility of checking each file to see if any packets match, and presents the results back to you.
Combined with our existing metadata filters, this becomes a very powerful tool for digging through your capture files to identify specific packets that matter most to you.
From the main capture index, apply filters to first narrow down your search pool. Your search pool is the list of all the captures that a display filter will be tested against. If at least one packet in a given file matches the display filter, then that file will be returned as part of the results.
We recommend using a combination of tags, date, and other filters to narrow down the pool before you start your search.
Select a number of captures by clicking their corresponding checkbox, and click the DeepSearch button in the tool bar. A popup will appear allowing you to enter a display filter. Previous DeepSearch filters will also be presented in the popup if you’d like to revisit a prior search. Either type in the input box, or click a previous filter.
Click the Search button to launch your DeepSearch.
The DeepSearch view is the same as the capture index view with the addition of the search bar at the top of the table. The search bar provides feedback about your current DeepSearch:
The view selector on the right of the search bar has 3 views to choose from:
A display filter is evaluated against one packet at a time. Consider trying to find a file that contains both DNS and HTTP. The naive approach would be to search with the filter dns and http. However, that describes only a single packet, which would never have both
To perform this kind of boolean AND expression, do two consecutive DeepSearches. First, search on the dns filter. When that is complete, use the Select-All checkbox to mark all the matched files for a second DeepSearch of
The results of this second search will be the set of files that have both DNS and HTTP in them!
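The difference between the single-filter search and the two-pass search can be modeled in a few lines. This is an added example, not CloudShark code: the function names are hypothetical, the capture data is constructed, and each packet is represented by the colon-separated protocol list that tshark prints for the frame.protocols field.

```python
# Constructed sample data: one string per packet, in the colon-separated form
# that `tshark -T fields -e frame.protocols` prints. Not real capture output.
CAPTURES = {
    "office.pcap": [
        "eth:ethertype:ip:udp:dns",
        "eth:ethertype:ip:tcp:http",
    ],
    "resolver.pcap": [
        "eth:ethertype:ip:udp:dns",
        "eth:ethertype:ip:udp:dns",
    ],
    "web.pcap": [
        "eth:ethertype:ip:tcp",
        "eth:ethertype:ip:tcp:http",
    ],
}


def packet_matches(frame_protocols, required):
    """Model of a protocol-name display filter: every protocol in `required`
    must be present in this one packet."""
    layers = set(frame_protocols.split(":"))
    return set(required) <= layers


def deep_search(pool, required, captures=CAPTURES):
    """Return the files in `pool` with at least one packet matching the filter."""
    return [name for name in pool
            if any(packet_matches(p, required) for p in captures[name])]


def files_with_all(pool, protocols, captures=CAPTURES):
    """Chain one search per protocol, feeding each result set into the next."""
    for proto in protocols:
        pool = deep_search(pool, [proto], captures)
    return pool


if __name__ == "__main__":
    everything = sorted(CAPTURES)
    print("dns and http :", deep_search(everything, ["dns", "http"]))
    print("dns          :", deep_search(everything, ["dns"]))
    print("dns then http:", files_with_all(everything, ["dns", "http"]))
```

The combined filter returns no files because no single packet carries both protocols, while the chained search narrows the pool to the one file that contains each protocol in some packet.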
While the search bar is visible, clicking on a row will open that capture with the current DeepSearch display filter applied.
To return to your DeepSearch results, use the browser’s Back button, or
CloudShark DeepSearch is limited to a single search per user at a time. Think of this as your “current search”. When you launch a new DeepSearch, it will replace the previous one.
CloudShark does its best to cache any work that has been already done, so if you go back and search for something across files you’ve already searched, the results will appear very quickly because they are read from the cache. The DeepSearch popup contains the list of the last 5 unique searches that you performed.
DeepSearch is available to CloudShark-Hosted customers as well as CloudShark Enterprise.
If you are running an older version of CloudShark Solo, or CloudShark Professional, please contact email@example.com about upgrading to CloudShark Enterprise.