Wireshark's little brother: the future of the cloud analysis tool Stratoshark

What Wireshark does for network packet analysis, Stratoshark wants to do for system calls and logs. The iX editorial team spoke to the makers of the tool.

By Benjamin Pfister

Like Wireshark for networks, Stratoshark is designed to create transparency for operating systems and apps by analyzing system calls and logs. The open source tool is largely based on the Wireshark source code. It is backed by Wireshark inventor Gerald Combs, whose employer Sysdig also supplies the associated tools Falco and Sysdig for recording activities and logs.

In mid-May, Sysdig decided to place Stratoshark in the hands of the non-profit Wireshark Foundation. The iX editorial team spoke to Wireshark inventor Gerald Combs and Alexander Lawrence, Director of Cloud Security Strategy at Sysdig, about the background to this decision.

iX: Gerald, what's the story behind Stratoshark's donation to the Wireshark Foundation?

Gerald Combs: The Wireshark Foundation is a non-profit organization in the US that aims to educate people in the use of network analysis. With Stratoshark's donation, we are expanding our mission: so far our focus has been on packet analysis, but in the future we also want to be able to look deep into operating system events.

iX: What was the motivation behind the development of Stratoshark and how does it differ conceptually from Wireshark?

Combs: Wireshark breaks down packets into all protocol components with its dissection engine, enabling filtering, drill-down and detailed analysis. Stratoshark, on the other hand, does not work on the basis of network packets, but on the basis of system calls and protocol messages. It allows similar filtering and analysis options – only in the system call and cloud world. The user interface is very similar to that of Wireshark so that users can get to grips with it straight away. Under the hood, we use many common libraries, but have extended them so that they can interpret system calls and cloud logs. We mainly focus on the cloud systems, but you could also use this to really fix up any Linux system.

iX: What is the main use of Stratoshark? More as a debugging tool or as a security analysis tool?

Combs: Right now the focus is on security analysis. We originally developed Stratoshark as a supplement to Falco – a host-based IDS (Intrusion Detection System, editor's note) for system calls. Falco detects and reports suspicious events; Stratoshark allows these events to be tracked in detail. As in the networking world, you often want to get a deeper insight into what is going on in the system.

iX: What percentage of code does Stratoshark share with Wireshark? We have dissection engines, tree structures for analysis, like in Wireshark. But what percentage of code do the two tools share?

Combs: I don't have a specific percentage, but there is a lot of code that is shared. That's by design. We have this really powerful analytics engine that was kind of just waiting to be used. So we adapted it to use it for system calls as well. The UI code looks very familiar again. That is intentional. We want to have that familiar workflow that you already know from Wireshark. If you are used to working with Wireshark, you can quickly get started with Stratoshark and vice versa. There are a few differences in the elements of some of the UI widgets.


The other big difference is the way we analyze the events that come in. We have different code for incoming events: It's a plug-in called Falco, more specifically Falco Bridge. We will probably change the name to Falco Events.

iX: For which operating systems is Stratoshark available?

Combs: Officially, we offer packages for Windows and macOS on the Wireshark pages. For Linux distributions, the story is a little more complex. The various Linux distributions have traditionally offered their own Wireshark packages. My hope is that they will do the same with Stratoshark. I know this is in the works for Debian and Ubuntu. But I would have to check if this is the case for Fedora as well. System call capture currently only works on Linux.

iX: How does Stratoshark get the relevant data?

Combs: We use the libsinsp and libscap libraries used by Falco and the Sysdig CLI tool to capture system calls. Sysdig was, I believe, the first tool to use these two libraries. The capture is done either via a kernel module or eBPF as a kind of newer standard technology. I think we will focus on eBPF in the future. There is also a plug-in interface that can be used to feed in data from GCP or Kubernetes monitoring protocols and from AWS CloudTrail, for example.

iX: What's next on the Stratoshark roadmap?

Combs: The current public release is 0.9 and we need to get everything in shape first. We are currently working on version 1.0, especially on advanced log analysis features. This will probably be followed by the final release in late summer.


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.