Quarry, part of the Vantage Platform, is a virtual filesystem for packet captures. Turn a 10 TB capture into manageable 1 GB files that Wireshark can read. Indexes, sidecars, metadata, and security-bound projections — all virtual, all on demand.
Virtual projections break massive captures into files any tool can open. No copying. No splitting. No storage overhead.
Quarry wraps raw capture files with a virtual filesystem layer. Mount a directory of .pcapng files and Quarry projects a navigable time hierarchy, companion indexes, and on-demand virtual files — all computed from the original data with nothing copied or moved.
Backing store (flat), mounted from /mnt/captures/:
    dco-backbone.pcapng (10 TB)
    dco-backbone.index
    dco-backbone.events
    dco-backbone.metrics
    dco-backbone-config.yml
    live-perimeter.pcapng (live)
    live-perimeter.index
    live-perimeter-config.yml
    mount.yml
    registry.yml
    README.txt
    .meta/

Quarry virtual filesystem projection:
    README.txt
    .meta/
        dco-backbone.index
        dco-backbone-config.yml
    dco-backbone.pcapng (10 TB)
    dco-backbone/
        README.txt
        year=2026/
            month=03/
                day=15/
                    .meta/
                        day=15.index
                    hour=00.pcapng (2.1 GB)
                    hour=14.pcapng (841 MB, live)

Quarry mounts a flat directory of raw .pcapng files and their companion data, and projects a virtual directory tree on demand; no data is copied or moved. Every directory carries a computed README.txt explaining exactly what it contains, the time hierarchy is available at every level, companion data is kept out of the way in .meta/, and every projected file is a valid PCAPNG.
Use Vantage Query to define exactly what you want to see. The virtual filesystem engine generates files on demand: filtered by any protocol field, sliced to headers, time-bounded, reassembled, and enforced at a security level.
Results land as named directories in the filesystem. Wireshark, tcpdump, Zeek, and any other standard tool open them directly, without knowing they are virtual. Set an expiry and they clean themselves up.
-- Project a 10 TB capture into hourly files
show packets from dco-backbone dir 'by-hour'

-- Filter by port (443, typically TLS traffic)
show packets where tcp.port == 443 from dco-backbone during last 24 hours dir 'tls-traffic'

-- Incident view with auto-expiry
show packets where suricata.alert is present from dco-backbone during last 7 days dir 'incident-view' expire after 48 hours

-- Security-bound analyst projection
show packets where ip.src == 10.0.0.0/8 from dco-backbone security level 12 dir 'internal-traffic'
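Before handing a projected hourly file to Wireshark or Zeek, an analyst will usually want to confirm two of the claims made above: that the file really is a well-formed PCAPNG, and that a time-bounded projection contains only packets from the hour its path names. The script below is an added example written for this page, not Quarry's code or part of the Vantage Platform. It walks the standard PCAPNG block framing (Section Header, Interface Description and Enhanced Packet Blocks), counts packets, and checks that every timestamp lies inside the hour encoded in a path such as .../year=2026/month=03/day=15/hour=14.pcapng. It assumes the time hierarchy is in UTC and the default microsecond timestamp resolution (no if_tsresol option); the sample capture it builds is constructed inline and is not real traffic.

```python
"""Sanity-check a projected hourly PCAPNG: validate block framing, count packets, and confirm
every packet timestamp falls inside the hour the path claims. Added example, not Quarry's code.
Assumes UTC partitioning and the default microsecond timestamp resolution (no if_tsresol)."""
import struct
from datetime import datetime, timedelta, timezone

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
BYTE_ORDER_MAGIC, BYTE_ORDER_MAGIC_SWAPPED = 0x1A2B3C4D, 0x4D3C2B1A


def iter_blocks(data):
    """Yield (block_type, endian, body) for every block, validating the framing as it goes."""
    off, endian = 0, "<"
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError(f"truncated block header at offset {off}")
        btype, = struct.unpack_from(endian + "I", data, off)
        if btype == SHB:  # palindromic type, so readable before the endianness is known
            magic, = struct.unpack_from("<I", data, off + 8)
            if magic == BYTE_ORDER_MAGIC:
                endian = "<"
            elif magic == BYTE_ORDER_MAGIC_SWAPPED:
                endian = ">"
            else:
                raise ValueError("bad byte-order magic in Section Header Block")
        total, = struct.unpack_from(endian + "I", data, off + 4)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        trailer, = struct.unpack_from(endian + "I", data, off + total - 4)
        if trailer != total:
            raise ValueError(f"block length mismatch at offset {off}")
        yield btype, endian, data[off + 8:off + total - 4]
        off += total


def summarize(data):
    """Return (packet_count, first_ts_us, last_ts_us); raise ValueError on a malformed file."""
    blocks = list(iter_blocks(data))
    if not blocks or blocks[0][0] != SHB:
        raise ValueError("file does not start with a Section Header Block")
    n_ifaces, count, first, last = 0, 0, None, None
    for btype, endian, body in blocks:
        if btype == IDB:
            n_ifaces += 1
        elif btype == EPB:
            if len(body) < 20:
                raise ValueError("Enhanced Packet Block shorter than its fixed header")
            iface, ts_hi, ts_lo, caplen, _origlen = struct.unpack_from(endian + "IIIII", body)
            if iface >= n_ifaces or caplen > len(body) - 20:
                raise ValueError("EPB references an unknown interface or overruns its block")
            ts = (ts_hi << 32) | ts_lo  # microseconds since the epoch at the default resolution
            count += 1
            first = ts if first is None else min(first, ts)
            last = ts if last is None else max(last, ts)
    return count, first, last


def hour_window(path):
    """[start, end) in microseconds for the hour encoded in a year=/month=/day=/hour= path (UTC assumed)."""
    parts = dict(seg.split("=", 1) for seg in path.replace(".pcapng", "").split("/") if "=" in seg)
    start = datetime(int(parts["year"]), int(parts["month"]), int(parts["day"]),
                     int(parts["hour"]), tzinfo=timezone.utc)
    end = start + timedelta(hours=1)
    return int(start.timestamp()) * 1_000_000, int(end.timestamp()) * 1_000_000


def check_projection(path, data):
    """True if the file is well-formed, non-empty, and every packet lies inside the path's hour."""
    count, first, last = summarize(data)
    start, end = hour_window(path)
    return count > 0 and start <= first and last < end


# --- constructed sample input (not a real capture) ---------------------------------------
def _block(btype, body):
    body += b"\x00" * (-len(body) % 4)  # block bodies are padded to 32-bit boundaries
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def build_sample(timestamps_us):
    """Minimal little-endian PCAPNG: one SHB, one Ethernet IDB, one EPB per timestamp."""
    shb = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535))  # LINKTYPE_ETHERNET, snaplen 65535
    pkt = b"\xde\xad\xbe\xef" * 4  # 16 bytes of placeholder packet data
    epbs = b"".join(
        _block(EPB, struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(pkt), len(pkt)) + pkt)
        for ts in timestamps_us)
    return shb + idb + epbs


if __name__ == "__main__":
    path = "/mnt/captures/dco-backbone/year=2026/month=03/day=15/hour=14.pcapng"
    start, end = hour_window(path)
    print(check_projection(path, build_sample([start, start + 5_000_000, end - 1])))  # True
    print(check_projection(path, build_sample([start, end])))                         # False
```

On a real mount, replace build_sample with open(path, "rb").read() (or a bounded read for the 2.1 GB hour files). The framing checks matter in practice: a trailer length that disagrees with the header length is the quickest way to spot a truncated or still-being-written file such as the live hour=14.pcapng, and the interface-ID check catches packet blocks that precede their Interface Description Block.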
Quarry starts as single-node storage with virtual projections. When you outgrow a single server, the Vantage Platform provides distributed storage — scaling seamlessly across multiple nodes with the same API, same projections, and same sidecar format. No rewrite required.
| Capability | Quarry (Standalone) | Vantage Platform (Distributed) |
|---|---|---|
| Scope | Single node, local storage | Multi-node cluster, distributed |
| Storage | Local disks | Distributed block storage |
| Virtual filesystem projections | Full support | Full support, spanning nodes |
| Sidecars & indexes | SIX, DIX, tokens, metadata | Same, distributed |
| Security levels | 0–20 | 0–20 with federation |
| Capacity | Single server limits | Exabyte-scale across cluster |
| Redundancy | Local RAID only | Distributed redundancy, geo-redundant |
Same virtual filesystem API. Same projections. Same sidecar format. Start with Quarry on a single server. Scale to distributed storage with the Vantage Platform when you need multi-node capacity.
Sentinel (the capture daemon) writes to Quarry; Lynx (the analysis UI) reads from it. Quarry supplies the virtual filesystem, virtual projections, sidecar indexes, analysis tokens, and security binding. Wireshark, tcpdump, Zeek, and any other tool that reads PCAPNG open the projected files directly from the virtual mount. The Vantage Platform (2026) takes Quarry from local to distributed storage and multi-node scale with the same API and the same format.
Schedule a demo to see Quarry projections in action.