The Official Wireshark Blog

Those Aren't Packets: How Stratoshark Brings the Power of Wireshark to the Cloud

Categories: Announcement
For over 25 years, network professionals have relied on Wireshark packet captures (pcaps) to analyze and troubleshoot network and system behavior. But packets are scarce in the cloud. Is it possible to get the same level of visibility and granularity there? And if so, is there an opportunity to leverage the same principles that have made Wireshark so ubiquitous? Well, the answer to both questions is yes. We’ve named this new tool Stratoshark, and it’s powered by system calls.

One of the things that has contributed to Wireshark’s success is that it is part of the pcap ecosystem, which is centered around libpcap and the pcap and pcapng file formats. It all started with tcpdump, and over time other tools appeared. The ecosystem now includes Zeek (formerly Bro), Snort, WinPcap, nmap, nTop, Kismet, Suricata, and many others. Each tool focuses on its specific job, but together they form a collective powerhouse. A common file format means that you can pivot between each tool with little to no effort. For example, you can take a capture file from Zeek or Snort and load it into Wireshark for detailed analysis.

What’s New In Wireshark 4.4?

Categories: Announcement
Wireshark 4.4.0 has been released and it includes a lot of improvements and updates since version 4.2.0 was released last November. I’ll cover some highlights here, but you will definitely want to check out the release notes for details.

Graph Dialogs

Many bugs have been fixed in the graph dialogs (I/O Graphs, Sequence Diagrams, and TCP Stream Graphs), and performance has been improved. The following improvements have been made to the I/O Graphs dialog:

- The minimum interval is now 1 microsecond.
- The Y axis now uses SI prefixes.
- Bar graphs are rendered more sensibly.
- The graph list can be reordered by dragging and dropping items.
- Graph legends and layer orders always match the graph list order.
- The legend can be moved by right-clicking on it.

(Screenshot: the new bar graphs and intervals)

The Sequence Diagram (Flow Graphs and VoIP Calls) dialog has been improved as well:

- The entire graph can be exported as an image. Previously, only the items on screen were exported.
- Endpoints with the same address are now displayed correctly.

The TCP Stream Graphs dialog does a better job of identifying the client and server sides of connections.

From Network Packets to Log Data: How Logray built upon Falco’s foundation

Categories: Security Tools
In the ever-evolving landscape of network security, a new star has emerged: Logray. The name comes from “log” (as in event logs) and “ray” (the closest zoological cousin to sharks), mirroring “wire” and “shark” for network packets. Logray represents a significant leap in network security tools. Premiering at SharkFest ’22, it takes the best of Wireshark and innovates further by focusing on log data analysis. While Wireshark focuses on scrutinizing network traffic, Logray delves into system calls, AWS CloudTrail logs, and other log data, offering new vistas for network security professionals.

At its core, Logray retains the user-friendly aspects of Wireshark, including the familiar filter engine, intuitive colouring, and context menus. Yet it goes beyond by reading pcapng files that carry log data and by integrating third-party plugins through Falco’s plugin API. System call and log data is saved using the PCAP Next Generation Dump File Format (pcapng), which provides a powerful and versatile shared foundation that broadens the scope of data capture and analysis. A notable innovation within Logray is ‘falcodump’, a component that dumps log data via a Falco source plugin.
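The reason a single container format can hold both the packets of the Wireshark excerpt and the log records of this one is that pcapng is a sequence of self-describing, length-delimited blocks, and readers are required to skip block types they do not understand. The following block walker is an added example written for this page; it is not code from Wireshark, Logray, Falco or falcodump, and it does not show how those projects actually lay out syscall or log records inside pcapng. The sample file it builds is constructed: the Private Enterprise Number EXAMPLE_PEN is fictional, the custom-block payload is a made-up JSON-ish record, and the packet bytes are filler. It does show the checks a reader needs (byte-order detection per section, both copies of the block length agreeing, 32-bit alignment) and that a custom block sits in the same file as an ordinary packet block.

```python
"""Minimal pcapng writer/reader demonstrating the block container."""
import struct

# Block type codes from the pcapng specification.
SHB = 0x0A0D0D0A      # Section Header Block; the value is a byte-order palindrome
IDB = 0x00000001      # Interface Description Block
EPB = 0x00000006      # Enhanced Packet Block
CB = 0x00000BAD       # Custom Block that other tools may copy
BYTE_ORDER_MAGIC = 0x1A2B3C4D
OPT_ENDOFOPT, OPT_COMMENT = 0, 1

EXAMPLE_PEN = 0x00012345   # constructed, fictional Private Enterprise Number
SAMPLE_RECORD = b'{"evt":"openat","fd":10}'   # constructed, opaque custom payload (24 bytes)
SAMPLE_TS_US = 1_700_000_000_000_000          # microseconds, the default if_tsresol


def _pad4(b: bytes) -> bytes:
    """Pad to a 32-bit boundary, as every variable-length pcapng field requires."""
    return b + b"\x00" * (-len(b) % 4)


def _option(code: int, value: bytes, endian: str) -> bytes:
    return struct.pack(endian + "HH", code, len(value)) + _pad4(value)


def _block(btype: int, body: bytes, endian: str) -> bytes:
    """<type><total len><body><total len>: the length is repeated so a reader can walk backwards."""
    total = 12 + len(body)
    assert total % 4 == 0, "block bodies must be 32-bit aligned"
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)


def build_sample_pcapng(endian: str = "<") -> bytes:
    """Constructed sample section: one interface, one packet and one custom (non-packet) record."""
    end_opts = _option(OPT_ENDOFOPT, b"", endian)
    shb_body = (struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)   # version 1.0, unknown section length
                + _option(OPT_COMMENT, b"constructed sample", endian) + end_opts)
    idb_body = struct.pack(endian + "HHI", 1, 0, 65535) + end_opts        # LINKTYPE_ETHERNET, snaplen
    packet = bytes(range(14)) + b"\x08\x00" + b"IP?"                       # 19 filler bytes: needs padding
    epb_body = struct.pack(endian + "IIIII", 0, SAMPLE_TS_US >> 32, SAMPLE_TS_US & 0xFFFFFFFF,
                           len(packet), len(packet)) + _pad4(packet)
    cb_body = struct.pack(endian + "I", EXAMPLE_PEN) + _pad4(SAMPLE_RECORD)
    return b"".join([_block(SHB, shb_body, endian), _block(IDB, idb_body, endian),
                     _block(EPB, epb_body, endian), _block(CB, cb_body, endian)])


def parse_options(buf: bytes, endian: str) -> dict:
    """Parse an option list; stops at opt_endofopt or the end of the buffer."""
    opts, off = {}, 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from(endian + "HH", buf, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        if off + length > len(buf):
            raise ValueError("option runs past end of block")
        opts[code] = buf[off:off + length]
        off += length + (-length % 4)
    return opts


def iter_blocks(data: bytes):
    """Yield (block_type, body, endian) for every block, validating both length fields."""
    off, endian = 0, "<"
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated block header at offset %d" % off)
        btype = struct.unpack_from(endian + "I", data, off)[0]
        if off == 0 and btype != SHB:
            raise ValueError("file does not start with a Section Header Block")
        if btype == SHB:   # each section declares its own byte order
            magic = data[off + 8:off + 12]
            if magic == struct.pack("<I", BYTE_ORDER_MAGIC):
                endian = "<"
            elif magic == struct.pack(">I", BYTE_ORDER_MAGIC):
                endian = ">"
            else:
                raise ValueError("bad byte-order magic in SHB")
        total = struct.unpack_from(endian + "I", data, off + 4)[0]
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("implausible block length %d at offset %d" % (total, off))
        trailer = struct.unpack_from(endian + "I", data, off + total - 4)[0]
        if trailer != total:
            raise ValueError("leading/trailing block lengths disagree at offset %d" % off)
        yield btype, data[off + 8:off + total - 4], endian
        off += total


def summarize(data: bytes) -> list:
    """Decode the block types the sample uses; unknown types are reported, not dropped."""
    out = []
    for btype, body, endian in iter_blocks(data):
        if btype == SHB:
            major, minor = struct.unpack_from(endian + "HH", body, 4)
            out.append({"kind": "SHB", "version": (major, minor), "endian": endian,
                        "comment": parse_options(body[16:], endian).get(OPT_COMMENT)})
        elif btype == IDB:
            linktype, _, snaplen = struct.unpack_from(endian + "HHI", body, 0)
            out.append({"kind": "IDB", "linktype": linktype, "snaplen": snaplen})
        elif btype == EPB:   # options after the packet data are ignored here
            iface, ts_hi, ts_lo, caplen, _orig = struct.unpack_from(endian + "IIIII", body, 0)
            out.append({"kind": "EPB", "iface": iface, "ts_us": (ts_hi << 32) | ts_lo,
                        "caplen": caplen, "data": body[20:20 + caplen]})
        elif btype == CB:    # custom data is opaque without knowing the PEN's layout
            out.append({"kind": "CB", "pen": struct.unpack_from(endian + "I", body, 0)[0], "data": body[4:]})
        else:
            out.append({"kind": "unknown", "type": btype, "len": len(body)})
    return out


def is_well_formed(data: bytes) -> bool:
    """True if every block passes the structural checks in iter_blocks."""
    try:
        summarize(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for block in summarize(build_sample_pcapng()):
        print(block)
```

The ts_us field assumes the default microsecond resolution; a real reader would honour the interface's if_tsresol option. Note that the parser keeps going past the custom block rather than aborting on it, which is exactly the property that lets a packet tool and a log tool share one file, and that a corrupted or truncated trailing length is rejected rather than silently resynchronised.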