When you download a PCAP file from a Security Analytics server, the server uses what is called the "gauge path", which relies on the metadata (index data) to locate the raw packets needed for the PCAP download. If the index data is ever questionable or missing information, you can bypass the index and pull the PCAP directly from the raw packet data.
NOTE: Pulling a PCAP from the "merge" path can be quite a bit slower and is limited to BPF filter syntax only, which uses packet-based criteria (e.g. IP address, port, protocol). Flow-based information, such as a DNS query, a URL, or a social persona, is not allowed in a BPF filter. This method of downloading a PCAP ignores flow boundaries.
You can generate this sort of PCAP file from the GUI or from the command line. The GUI method will generate an aggregated PCAP file from all capture ports. If you need to grab data from a specific capture interface, you must use the CLI method.
NOTE: If you are running Solera OS version 6.x or earlier, you must use the CLI method.