<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Tools on The Official Wireshark Blog</title>
    <link>https://blog.wireshark.org/categories/tools/</link>
    <description>Recent content in Tools on The Official Wireshark Blog</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Mon, 29 Jan 2024 17:13:42 +0000</lastBuildDate><atom:link href="https://blog.wireshark.org/categories/tools/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>From Network Packets to Log Data: How Logray built upon Falco’s foundation</title>
      <link>https://blog.wireshark.org/2024/01/from-network-packets-to-log-data-how-logray-built-upon-falcos-foundation/</link>
      <pubDate>Mon, 29 Jan 2024 17:13:42 +0000</pubDate>
      
      <guid>https://blog.wireshark.org/2024/01/from-network-packets-to-log-data-how-logray-built-upon-falcos-foundation/</guid>
      <description>&lt;p&gt;In the ever-evolving landscape of network security, a new star has emerged – Logray. The name comes from “log” (as in event logs) and “ray” (the closest zoological cousin to sharks, similar to “wire” and “shark” for network packets). Logray represents a significant leap in network security tools. Premiering at &lt;a href=&#34;https://www.youtube.com/watch?v=7bfUSXJPHPs&#34; data-type=&#34;link&#34; data-id=&#34;https://www.youtube.com/watch?v=7bfUSXJPHPs&#34;&gt;SharkFest ’22&lt;/a&gt;, it takes the best of Wireshark and innovates further by focusing on log data analysis. While Wireshark focuses on scrutinizing network traffic, Logray delves into system calls, Amazon CloudTrail logs, and other log data, offering new vistas for network security professionals.&lt;/p&gt;
&lt;p&gt;At its core, Logray retains the user-friendly aspects of Wireshark, including the familiar filter engine, intuitive colouring, and context menus. Yet, it goes beyond by accommodating the reading of &lt;a href=&#34;https://wiki.wireshark.org/Development/PcapNg&#34; data-type=&#34;link&#34; data-id=&#34;https://wiki.wireshark.org/Development/PcapNg&#34;&gt;PcapNG&lt;/a&gt; files embedded with log data and facilitating the integration of third-party plugins using Falco’s powerful plugin API. System call and log data is saved using the PCAP Next Generation Dump File Format (pcapng), which provides a powerful and versatile shared foundation which broadens the scope of data capture and analysis.&lt;/p&gt;
&lt;p&gt;A notable innovation within Logray is ‘&lt;a href=&#34;https://www.wireshark.org/docs/man-pages/falcodump.html&#34; data-type=&#34;link&#34; data-id=&#34;https://www.wireshark.org/docs/man-pages/falcodump.html&#34;&gt;falcodump&lt;/a&gt;’, a component that dumps log data via a Falco source plugin. As an external capture (&lt;a href=&#34;https://www.wireshark.org/docs/man-pages/extcap.html&#34; data-type=&#34;link&#34; data-id=&#34;https://www.wireshark.org/docs/man-pages/extcap.html&#34;&gt;extcap&lt;/a&gt;) tool, falcodump captures log messages from cloud providers, presenting each plugin as a distinct capture interface.&lt;/p&gt;
&lt;p&gt;For instance, the below command is run under the hood to capture AWS CloudTrail events from an S3 bucket. The end user does not have to type it themselves.&lt;/p&gt;
&lt;p class=&#34;has-background&#34; style=&#34;background-color:#ffffff&#34;&gt;
  &lt;code&gt;falcodump --extcap-interface=cloudtrail --fifo=/tmp/cloudtrail.pcap --plugin-source=s3://aws-cloudtrail-logs…/CloudTrail/us-east-2/… --capture&lt;/code&gt;
&lt;/p&gt;
&lt;p&gt;Logray’s choice to support Falco plugins allows security practitioners to harness the falcodump capabilities to potentially bridge the gap between sporadic data sources such as cloud services and identity providers.&lt;/p&gt;
&lt;p&gt;The true value of Logray lies in its ability to synthesise information from system calls and log data into a unified recording format. This cohesive approach offers analysts a panoramic view of relevant events, transcending the limitations of examining network, system, and log contexts in isolation or through disjointed SIEM tooling. Logray embodies a holistic solution, using the power of Falco to enrich data from otherwise disjointed event sources, providing profound contextual analysis for system introspection.&lt;/p&gt;
&lt;p&gt;In conclusion, Logray isn’t just another tool; it’s a paradigm shift in network security, enabling professionals to connect the dots across multiple data sources seamlessly. This unified vision provides a clearer, more comprehensive understanding of security events, marking a significant advancement in the field of network security analysis.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>Shark Appliance Preview</title>
      <link>https://blog.wireshark.org/2010/01/shark-appliance-preview/</link>
      <pubDate>Fri, 22 Jan 2010 23:56:00 +0000</pubDate>
      
      <guid>https://blog.wireshark.org/2010/01/shark-appliance-preview/</guid>
      <description>&lt;p&gt;Things have been pretty busy at CACE Technologies over the last few months. As a result, we have a nice pipeline of cool products that will hit the market over the course of the next year or so.&lt;/p&gt;
&lt;p&gt;A product that we are going to announce very soon is the Shark Appliance. Think about a rack-mountable system that can do long term 24/7 recording of multiple Gigabit links without dropping packets. Now add:&lt;/p&gt;
&lt;p&gt;– An extremely slick user interface, based on Pilot, which allows you to remotely navigate across terabytes of data and pinpoint issues in a few mouse clicks.&lt;br&gt;
– Full integration with Wireshark. Not as in “we can save in .pcap so Wireshark can read it”, but as in “highlight a conversation IN THE REMOTE BOX and instantly see the relevant packets in Wireshark ON YOUR LAPTOP”.&lt;br&gt;
– Remote control on multiple appliances from a single console.&lt;br&gt;
– The possibility to buy the product as a Kit: card + OS + software. I find this quite revolutionary, because it will make it possible to configure the hardware (disk type and size, CPU…) for your specific needs, and at the same time save money.&lt;/p&gt;
&lt;p&gt;Take a look at &lt;a href=&#34;http://www.cacetech.com/media/appl_intro/&#34;&gt;http://www.cacetech.com/media/appl_intro/&lt;/a&gt; for some UI nuggets (apologies for the soundtrack, but I like that song). And stay tuned if you want more information.&lt;/p&gt;
</description>
    </item>
    
  </channel>
</rss>
