Embodiments are directed to a packet capture ring that provides a single network tap for packet capture and a series of processors (or appliances) for handling serialization and search request processing in a confederated and highly scalable manner. One such appliance (a “primary” appliance) maintains a tap port to the network. Each packet capture appliance has a locally attached repository that stores raw packets and a juxtaposed index that allows for retrieval of those packets. The primary appliance sends a single copy of encapsulated packets in opposite directions around the ring to its descendants. A designation is made across the system as to a “currently designated” appliance for servicing requests for indexing and storage of captured packets. This current designation shifts from appliance to appliance in the system, as a “previously designated” appliance has its storage capacity filled.