Pretty much. It's part of the same ecosystem as Sysdig OSS[1], which works much like strace. It uses the same underlying libraries as sysdig and Falco, and you can move capture files between them.
It'd be interesting to see if we can integrate more fully with strace as well, but that might require updating strace itself.
Long, long time user of Wireshark and I instantly recognize your name. Thank you for all the great work over the years :-)
Looks really awesome! I didn't see Linux installation instructions so clicked on the link to the source code, but it links to the Wireshark source[1]. Is Stratoshark part of the same repo as Wireshark? Is Linux supported by Stratoshark?
Thanks! It's part of the same code base (and therefore open source), and Linux is definitely supported. It adds libscap and libsinsp as dependencies, and you can find basic build instructions at https://gitlab.com/wireshark/wireshark/-/blob/master/doc/str....
The first section on the homepage doesn’t give me a good sense of what the application does. The references to Wireshark suggest it has something to do with network traffic but that doesn’t seem to be the case. It also talks about cloud but nothing seems to be cloud-specific?
Thanks for the feedback! I'll see if we can make the top of the site more descriptive.
Update: Changed the first sentence to "Stratoshark lets you explore and analyze applications at the system call level using a mature, proven interface based on Wireshark.
We don't share any code with DTrace, but it's not a bad analogy. As with my other reply about strace, it'd be interesting to see if we can more closely integrate Stratoshark, strace, and DTrace in the same way that Wireshark integrates with tcpdump.
Thanks for your work! Been using Wireshark for many years after it was used for a network course in university.
Why do you focus on "what happens in your cloud" when we talk about system calls? It'd seem it's useful for any machine, is it just bad marketing copy or am I missing something?
You're welcome! It was initially developed as part of my day job at Sysdig, a cloud security company. The initial feature set and use cases focus on getting .scaps (system call and log captures) from cloud environments, but you're entirely correct -- this has much more general applications including troubleshooting and education just like Wireshark does on the networking side.
It is not clear what the architecture for system-call capture is. Is it ptrace, ebpf or some custom thing or some combo? What is the overhead of running this?
The tool looks really cool, hopefully it moves ui state of art beyond windows xperf
It uses Falco libs[1] underneath, which supports capture using eBPF or a kmod. I work with the Falco libs team and they go to great lengths to minimize overhead.
The OP URL has been flagged as grayware by Palo Alto and is thus inaccessible to a large number of people, possibly indicating typosquatting, or being miscategorized?
https://wiki.wireshark.org/Stratoshark is a good link for those who can't reach the stratoshark URL directly. The OP link may get recategorized and become accessible in the meantime.
It's currently only passive, but that'd be an interesting feature. In order for that to happen we'd have to add that functionality to https://github.com/falcosecurity/libs/ along with the necessary plumbing in the UI.
Right now the UI runs on Windows, macOS, and Linux but you can only capture system calls on Linux via Falco libs[1]. Expanding local capture to include macOS and Windows is definitely something we'd love to do!
Wireshark is to tcpdump as stratoshark is to strace.
Did I get the analogy right?
Pretty much. It's part of the same ecosystem as Sysdig OSS[1], which works much like strace. It uses the same underlying libraries as sysdig and Falco, and you can move capture files between them.
It'd be interesting to see if we can integrate more fully with strace as well, but that might require updating strace itself.
[1]https://github.com/draios/sysdig
Long, long time user of Wireshark and I instantly recognize your name. Thank you for all the great work over the years :-)
Looks really awesome! I didn't see Linux installation instructions so clicked on the link to the source code, but it links to the Wireshark source[1]. Is Stratoshark part of the same repo as Wireshark? Is Linux supported by Stratoshark?
[1]: https://gitlab.com/wireshark/wireshark
Thanks! It's part of the same code base (and therefore open source), and Linux is definitely supported. It adds libscap and libsinsp as dependencies, and you can find basic build instructions at https://gitlab.com/wireshark/wireshark/-/blob/master/doc/str....
The first section on the homepage doesn’t give me a good sense of what the application does. The references to Wireshark suggest it has something to do with network traffic but that doesn’t seem to be the case. It also talks about cloud but nothing seems to be cloud-specific?
Thanks for the feedback! I'll see if we can make the top of the site more descriptive.
Update: Changed the first sentence to "Stratoshark lets you explore and analyze applications at the system call level using a mature, proven interface based on Wireshark.
So, DTrace with Wireshark UI?
We don't share any code with DTrace, but it's not a bad analogy. As with my other reply about strace, it'd be interesting to see if we can more closely integrate Stratoshark, strace, and DTrace in the same way that Wireshark integrates with tcpdump.
The blog article is a bit more descriptive : https://sysdig.com/blog/stratoshark-extending-wiresharks-leg...
tl;dr version: system calls, but in the wireshark ui. (I've probably oversimplified that!)
Thanks for your work! Been using Wireshark for many years after it was used for a network course in university.
Why do you focus on "what happens in your cloud" when we talk about system calls? It'd seem it's useful for any machine, is it just bad marketing copy or am I missing something?
You're welcome! It was initially developed as part of my day job at Sysdig, a cloud security company. The initial feature set and use cases focus on getting .scaps (system call and log captures) from cloud environments, but you're entirely correct -- this has much more general applications including troubleshooting and education just like Wireshark does on the networking side.
Hey Gerald, It's Chris from the CACE days. Nice to hear from you. I see this is part of wireshark proper, I'll look into getting this into debian
Thanks for confirming and thanks again for the amazing work.
Would I be right in assuming this is like Sysinternals procmon but with a better interface and for Linux?
It is not clear what the architecture for system-call capture is. Is it ptrace, ebpf or some custom thing or some combo? What is the overhead of running this?
The tool looks really cool, hopefully it moves ui state of art beyond windows xperf
It uses Falco libs[1] underneath, which supports capture using eBPF or a kmod. I work with the Falco libs team and they go to great lengths to minimize overhead.
[1]https://github.com/falcosecurity/libs/
Does sysdig (and stratoshark by extension) still require custom out-of-tree kernel module to function?
clickable link: https://stratoshark.org
I found its man page in the repo which I found insightful https://gitlab.com/wireshark/wireshark/-/blob/ssv0.9.0/doc/m...
and don't overlook this neato thing: https://gitlab.com/wireshark/wireshark/-/blob/ssv0.9.0/doc/m...
The OP URL has been flagged as grayware by Palo Alto and is thus inaccessible to a large number of people, possibly indicating typosquatting, or being miscategorized?
https://wiki.wireshark.org/Stratoshark is a good link for those who can't reach the stratoshark URL directly. The OP link may get recategorized and become accessible in the meantime.
Well, crap. The domain and site are still fairly new, so maybe that's the issue? Is there anyone here from Palo Alto that can take a look?
Going through their URL filtering site and requesting a recategorization is the best option for now, unless someone from the company sees it.
https://urlfiltering.paloaltonetworks.com/
Can this program do more than just observe and trace what happens?
Can one use it to set up some rule to suppress some of the syscalls sent to a specific process? Or alter them by some logic on the go?
It's currently only passive, but that'd be an interesting feature. In order for that to happen we'd have to add that functionality to https://github.com/falcosecurity/libs/ along with the necessary plumbing in the UI.
How does it trace syscalls on macos? Do you need to disable SIP?
Right now the UI runs on Windows, macOS, and Linux but you can only capture system calls on Linux via Falco libs[1]. Expanding local capture to include macOS and Windows is definitely something we'd love to do!
[1]https://github.com/falcosecurity/libs
Being able to use Wireshark in Kubernetes is super exciting. I can't wait to get started!
having used wireshark since i was a kid... this looks really promising
Do you have any wildly good Wireshark resources to reference -- I know I'm barely scratching the surface.
https://www.youtube.com/@ChrisGreer if you are into video format.
Re: custom fields in pcap traces and retis https://github.com/retis-org/retis