FUSE-based virtual filesystem for packet captures. Turn a 10 TB capture into manageable 1 GB files that Wireshark can read. Indexes, sidecars, metadata, and security-bound projections — all virtual, all on demand.
Virtual projections break massive captures into files any tool can open. No copying. No splitting. No storage overhead.
ExaVolume is a local storage volume that wraps raw capture files with sidecars, indexes, statistics, and metadata. ExaFS mounts the volume and projects virtual directories and files on demand.
RAW STORAGE EXAVOLUME EXAFS PROJECTIONS capture-2025.pcapng (10 TB) ExaVolume mounts raw files /mnt/exafs/ with indexes, tokens, and README.txt All metadata hidden in: statistics .exafs/ .exafs/ exa.yaml, stats.json exa.yaml SDK modules read/write stats.json through the volume API scope=capture/ indexes/ year=2025/ capture-2025.six ExaFS (FUSE) projects month=02/ capture-2025.dix virtual directories with day=24/ tokens/ explicit key=value naming hour=08.pcapng (1 GB) capture-2025.tokens hour=09.pcapng (1 GB) metadata/ Every directory has an hour=10.pcapng (1 GB) flows.jsonl auto-generated README.txt scope=ids/ All projections are virtual severity=critical/ No data is copied or moved year=2025/month=02/alerts.eve.json Files are 100% valid PCAPNG severity=high/ ...
ExaFS projects your capture data as virtual directories organized by time, protocol, query, or any dimension you define. Each projected file is a 100% correct PCAPNG capture file that Wireshark, tcpdump, Zeek, or any standard tool can open directly.
Nothing is copied. Nothing is stored. The projections are computed at runtime from indexes and metadata. A 10 TB capture becomes ten thousand 1 GB files — with zero additional storage.
Projections are driven by ExaQL queries. Create a projection once, and it appears as a directory. Update the underlying capture, and the projection updates automatically.
-- Project by time (hourly chunks) create projection "by-hour" from /captures/global-2025 shard by time[hour] -- Project by customer traffic create projection "customer-A" from /captures/global-2025 where ip.addr == 203.0.113.0/24 shard by time[hour] security level 12 -- Security-bound view for external audit create projection "pii-safe-export" from "customer-traffic-2025" where customer-journey obfuscate imsi, creditcard encrypt level 12 -- Results on the filesystem (key=value naming): -- /mnt/exafs/customer-A/ -- README.txt (auto-generated description) -- .exafs/ (hidden metadata) -- year=2025/ -- month=02/ -- day=24/ -- hour=14.pcapng -- hour=15.pcapng
ExaVolume stores indexes as sidecar files alongside your captures. Two index types serve different access patterns, and both are generated inline during capture or as a post-capture pass.
Sparse Indexes (SIX) — Beacons placed at configurable intervals (e.g., every 1 million packets). Logarithmic seek into large captures. Jump to any time range without scanning from the beginning.
Dense Indexes (DIX) — Complete index for O(1) random packet access. Jump directly to packet #847,293,102 in a multi-terabyte capture. Essential for ExaFS projections that need to serve arbitrary slices.
-- Generate sparse index index /captures/perimeter-2025 six -- Generate dense index index /captures/perimeter-2025 dix -- Generate both index /captures/perimeter-2025 full -- Check index status show indexes NAME TYPE SIZE PACKETS perimeter-2025 SIX 48 MB 142M perimeter-2025 DIX 1.2 GB 142M incident-1217 SIX 128 KB 1.2M -- Sidecar files hidden in .exafs/: -- perimeter-2025.pcapng (raw capture) -- .exafs/ -- indexes/ -- perimeter-2025.six (sparse index) -- perimeter-2025.dix (dense index) -- tokens/ -- perimeter-2025.tokens -- metadata/ -- flows.jsonl -- exa.yaml, stats.json
All metadata, indexes, analysis tokens, and statistics live in a hidden
.exafs/
directory alongside the capture — invisible to normal
ls
but accessible when needed. Move the capture, move everything.
No external databases. No state to lose.
Raw packet capture. Standard PCAPNG format with nanosecond timestamps, multiple interface support, and custom blocks for inline tokens.
Sparse and dense index files stored in .exafs/indexes/. Logarithmic seek (SIX) and O(1) random access (DIX). Generated inline during capture or as a post-capture pass.
Serialized analysis results from ExaCapture. Flow markers, protocol events, IDS alerts, anomaly detections. ExaViewer renders them instantly.
Flow records, protocol distribution statistics, and summary metadata. Machine-readable, greppable, and importable into any analytics pipeline.
Encryption keys, access policies, and security level assignments are stored with the volume. Security travels with the data, not separately.
Every directory has an auto-generated README.txt with plain text description of contents, sources, projections, security levels, and statistics. Always know what you're looking at.
This isn't theoretical. We've demonstrated a 100 EB virtual filesystem generated from a 16 MB template, reading at 3.1 GB/sec with standard Linux tools. The projected files are 100% valid PCAPNG — Wireshark opens them, tcpdump reads them, Zeek processes them.
ExaFS generates virtual capture files on demand. The template provides the structure. The indexes provide the access. The projections provide the view. Zero storage overhead beyond the original capture.
With optimization roadmap targeting 10–50X improvement over the current 3.1 GB/sec baseline, ExaVolume is designed to keep pace with the fastest capture infrastructure.
# Mount the ExaVolume $ exafs mount /data/captures /mnt/exafs # Browse — explicit key=value directories $ ls /mnt/exafs/ README.txt scope=capture/ scope=ids/ scope=metadata/ $ ls /mnt/exafs/scope=capture/year=2025/month=02/day=24/ README.txt hour=08.pcapng hour=09.pcapng hour=10.pcapng hour=11.pcapng hour=12.pcapng hour=13.pcapng # Wildcard navigation $ ls scope=capture/year=2025/month=02/day=*/hour=14* day=24/hour=14.pcapng day=25/hour=14.pcapng # README.txt at every level describes contents $ cat /mnt/exafs/scope=capture/year=2025/README.txt Projection: by-hour | Source: acme-global-2025 Packets: 142,847,293 | Duration: 14d 3h Security: Level 5 | Encryption: AES-256-GCM # Hidden metadata in .exafs/ $ ls -a /mnt/exafs/ .exafs/ README.txt scope=capture/ scope=ids/ ... # Open directly in Wireshark $ wireshark /mnt/exafs/scope=capture/year=2025/month=02/day=24/hour=08.pcapng
Every projection can enforce security levels, obfuscate PII, and encrypt output. Different analysts see different views of the same underlying data — enforced at the filesystem level before data ever leaves the volume.
-- Full access for senior analysts create projection "full-capture" from "acme-global-2025" security level 5 -- Obfuscated view for external audit create projection "audit-safe" from "acme-global-2025" where customer-traffic obfuscate ip.addr, eth.addr security level 15 -- GDPR-compliant export create projection "gdpr-export" from "eu-customer-2025" obfuscate imsi, imei, creditcard encrypt level 18
When an analyst opens a projected file, ExaFS checks their security level before serving any data. A Level 3 analyst sees obfuscated payloads. A Level 1 analyst sees metadata only. A Level 5 analyst sees everything.
The underlying data never changes. The projections apply obfuscation, encryption, and filtering at read time. One capture, many views, each security-appropriate.
Compliance-ready from day one. GDPR, HIPAA, PCI-DSS — define the policy in the projection, and every file served through that projection is automatically compliant.
ExaVolume is single-node storage with FUSE projections. When you outgrow a single server, ExaScale OS provides RIFT — a distributed block storage layer with RAID and RDMA across multiple network nodes, with ExaFS mounting volumes that span the entire cluster.
| Capability | ExaVolume (Standalone) | ExaScale OS + RIFT |
|---|---|---|
| Scope | Single node, local storage | Multi-node cluster, distributed |
| Storage | Local disks | RIFT block storage + RAID + RDMA |
| ExaFS projections | Full support | Full support, spanning nodes |
| Sidecars & indexes | SIX, DIX, tokens, metadata | Same, distributed |
| Security levels | 0–20 | 0–20 with federation |
| Capacity | Single server limits | Exabyte-scale across cluster |
| Redundancy | Local RAID only | Distributed RAID, geo-redundant |
Same ExaFS API. Same projections. Same sidecar format. Start with ExaVolume on a single server. Migrate to RIFT when you need multi-node scale. No rewrite required.
ExaViewer reads from ExaVolume Analysis UI ←————————→ Virtual filesystem FUSE projections ExaCapture writes to Sidecar indexes Capture daemon ←————————→ Analysis tokens Security binding Wireshark reads projected tcpdump files directly Any tool that reads Zeek from ExaFS mount PCAPNG works here │ ▼ ExaScale OS (2026) ExaVolume → RIFT Local → Distributed Same API, same format
Schedule a demo to see ExaVolume projections in action.