Fast packet retrieval based on flow ID and metadata
Abstract:
A storage system includes a network monitoring device having a NIC coupled to a network and configured to capture raw data packets. The system further includes four data repositories. A first repository stores the captured packets. A second repository stores metadata for the captured packets. A third repository stores timestamp-indexed data for the captured packets and their metadata. A fourth repository stores data-flow information for the captured packets. The storage system further includes a storage engine coupled to the repositories. The storage engine receives packet search criteria specifying at least a first time range. Data-flow information associated with the search criteria is retrieved from the fourth repository. The retrieved data-flow information is associated with a second, narrower time range. Metadata associated with the second time range is retrieved from the second repository using the corresponding timestamp-indexed data. Captured packets associated with the retrieved metadata are retrieved from the first repository using the corresponding timestamp-indexed data.
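The tiered lookup the abstract describes (flow repository narrows the time range, then metadata, then packets, each through a timestamp index) as an added Python example; this is not the patent's implementation, the four repositories are in-memory lists with constructed sample data, and the timestamp index is modelled as a sorted key list searched with bisect.

```python
# Added example (not the patent's code): four in-memory repositories with
# constructed sample data; the timestamp index is a sorted key list + bisect.
import bisect
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:          # repository 1: captured packet
    ts: int            # capture timestamp (constructed, seconds)
    flow_id: int
    raw: bytes

@dataclass(frozen=True)
class Flow:            # repository 4: one entry per data flow
    flow_id: int
    first_ts: int
    last_ts: int
    dst_port: int

PACKETS = [Packet(100, 1, b"A"), Packet(150, 2, b"B"), Packet(200, 2, b"C"),
           Packet(260, 1, b"D"), Packet(300, 3, b"E"), Packet(340, 2, b"F")]
# Repository 2: metadata rows (ts, flow_id, length), kept in timestamp order.
METADATA = [(p.ts, p.flow_id, len(p.raw)) for p in PACKETS]
FLOWS = [Flow(1, 100, 260, 443), Flow(2, 150, 340, 53), Flow(3, 300, 300, 443)]
# Repository 3: timestamp index, one sorted key list per indexed repository.
PKT_TS = [p.ts for p in PACKETS]
META_TS = [m[0] for m in METADATA]

def ts_slice(keys, rows, t0, t1):
    """Rows with timestamp in [t0, t1], located through the sorted index."""
    return rows[bisect.bisect_left(keys, t0):bisect.bisect_right(keys, t1)]

def search(t0, t1, dst_port):
    """Search criteria: a first time range plus a flow attribute."""
    # Step 1: the flow repository picks the flows overlapping the range and
    # yields a second, narrower range bounded by their first/last packets.
    hits = [f for f in FLOWS
            if f.dst_port == dst_port and f.first_ts <= t1 and f.last_ts >= t0]
    if not hits:
        return []
    n0 = max(t0, min(f.first_ts for f in hits))
    n1 = min(t1, max(f.last_ts for f in hits))
    ids = {f.flow_id for f in hits}
    # Step 2: metadata for the narrower range, via the timestamp index.
    metas = [m for m in ts_slice(META_TS, METADATA, n0, n1) if m[1] in ids]
    # Step 3: packets matching the retrieved metadata, via the same index.
    want = {(ts, fid) for ts, fid, _ in metas}
    return [p for p in ts_slice(PKT_TS, PACKETS, n0, n1) if (p.ts, p.flow_id) in want]
```

The index slice only ever spans the narrowed range, so packets outside the matching flows' lifetime are never read from the packet repository.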