Stratoshark brings Wireshark-style analysis to cloud system calls

The open-source Wireshark network protocol analyzer has been a standard tool for networking professionals for decades. In recent years, organizations have increasingly moved workloads to the cloud, where they have not had the same network visibility. Sysdig, the lead commercial sponsor behind Wireshark, wants to change that with the new Stratoshark tool. Launched today, Stratoshark applies the Wireshark user interface and workflow to system-level data, allowing users to analyze system calls, inter-process communication, networking, command execution and user activity in the cloud.

“Stratoshark lets you look into systems at the application level, much like Wireshark lets you look at networks at the packet level,” Gerald Combs, Stratoshark and Wireshark co-creator and director of open source projects at Sysdig, told Network World. “It takes captures made by the Sysdig command line tool and by Falco, and takes all that system call information and displays it in a way that lets humans analyze and examine to figure out what’s going on.”

Why Stratoshark matters for cloud operations

There are many different ways to get visibility into the cloud today. Amazon has multiple tools including CloudTrail and CloudWatch for cloud logs and metrics. The Cloud Native Computing Foundation (CNCF) has projects like the widely used Prometheus for high-level metrics.

Loris Degioanni, Sysdig founder and CTO, Stratoshark and Wireshark co-creator, argued that debugging complex issues often requires deeper system visibility. Stratoshark fills this crucial gap by providing detailed system-level information that’s essential for both security analysis and performance troubleshooting.

“It’s a little bit like the difference between looking at your high-level network statistics using something like NetFlow and going deep into the single packet using Wireshark,” Degioanni said.

He emphasized that both views are important. High-level network statistics provide insight into utilization and bandwidth; when it comes time to troubleshoot and perform root cause analysis, there is also a need to go down to the level of the single packet.

Degioanni noted that cloud networking, especially in Kubernetes environments, can be very complex with various approaches like service mesh, ingress, and gateways. Stratoshark is designed to be agnostic to the specific cloud networking approach, focusing on collecting data at the endpoint level rather than relying on the networking layer.

One problem Combs said is common in Kubernetes is CrashLoopBackOff, the state a pod enters when its container keeps exiting and Kubernetes backs off between restart attempts; the underlying cause can be difficult to diagnose and resolve. Combs said Stratoshark's ability to capture and analyze system-level data helps identify the root causes of such failures.
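As an added illustration of the kind of reasoning a system-call capture makes possible in a CrashLoopBackOff investigation (this is example code written for this article, not Sysdig's or Stratoshark's own), the Python script below parses a handful of event lines and flags any program image that exits non-zero repeatedly, together with the last thing it wrote to stderr before dying. The line layout and field names (proc.name, the `>`/`<` enter/exit direction, `fd=`, `procexit status=`) are modeled on sysdig's default text output and should be treated as an assumption; the sample events are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample capture, laid out like sysdig's default text output
# ("%evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.args").
# Assumption: that layout and these field names. The events are made up to show
# one program ("app") crashing twice while "nginx" stays healthy.
SAMPLE_EVENTS = """\
1 10:00:00.000000000 0 containerd-shim (500) > clone
2 10:00:00.001000000 0 app (601) > execve filename=/app/server
3 10:00:00.002000000 0 app (601) < execve res=0 exe=/app/server
4 10:00:00.050000000 0 app (601) > write fd=2(<f>/dev/pts/0) size=43
5 10:00:00.050100000 0 app (601) < write res=43 data=fatal: cannot open /etc/app/config.yaml
6 10:00:00.051000000 0 app (601) > procexit status=1 ret=1 sig=0 core=0
7 10:00:10.000000000 1 app (602) > execve filename=/app/server
8 10:00:10.001000000 1 app (602) < execve res=0 exe=/app/server
9 10:00:10.040000000 1 app (602) > write fd=2(<f>/dev/pts/0) size=43
10 10:00:10.040100000 1 app (602) < write res=43 data=fatal: cannot open /etc/app/config.yaml
11 10:00:10.041000000 1 app (602) > procexit status=1 ret=1 sig=0 core=0
12 10:00:11.000000000 0 nginx (700) > execve filename=/usr/sbin/nginx
13 10:00:11.001000000 0 nginx (700) < execve res=0 exe=/usr/sbin/nginx
14 10:00:12.000000000 0 nginx (700) > write fd=1(<f>/dev/pts/0) size=5
15 10:00:12.000100000 0 nginx (700) < write res=5 data=ready
"""

EVENT_RE = re.compile(
    r"^(?P<num>\d+) (?P<time>\S+) (?P<cpu>\d+) (?P<proc>.+?) \((?P<tid>\d+)\) "
    r"(?P<dir>[<>]) (?P<type>\S+)(?: (?P<args>.*))?$"
)


def parse_args(args):
    """Split 'fd=2(<f>/dev/pts/0) size=43' into a dict. Values may contain spaces
    (data=...), so each value extends to the next ' key=' token."""
    args = args or ""
    out = {}
    keys = list(re.finditer(r"(?:^| )(\w+)=", args))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(args)
        out[m.group(1)] = args[m.end():end]
    return out


def parse_event(line):
    """Parse one event line; returns None for lines that do not match the layout."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["num"], ev["cpu"], ev["tid"] = int(ev["num"]), int(ev["cpu"]), int(ev["tid"])
    ev["args"] = parse_args(ev["args"])
    return ev


def find_crash_loops(lines, min_crashes=2):
    """Return {(proc.name, exe): summary} for images that exited non-zero at least
    min_crashes times, with the last stderr write seen before each exit."""
    state = defaultdict(dict)    # tid -> exe, pending write fd, last stderr text
    crashes = defaultdict(list)  # (proc, exe) -> exit records
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        s, a = state[ev["tid"]], ev["args"]
        if ev["type"] == "execve" and ev["dir"] == "<" and a.get("res") == "0":
            s["exe"] = a.get("exe", "?")            # successful exec: remember the image
        elif ev["type"] == "write" and ev["dir"] == ">":
            s["pending_fd"] = a.get("fd", "")       # the enter event carries the fd
        elif ev["type"] == "write" and ev["dir"] == "<":
            if s.get("pending_fd", "").startswith("2("):   # fd 2 is stderr
                s["last_stderr"] = a.get("data", "")       # the exit event carries the data
        elif ev["type"] == "procexit":
            try:
                status = int(a.get("status", "0"))
            except ValueError:
                status = -1
            if status != 0:
                crashes[(ev["proc"], s.get("exe", "?"))].append(
                    {"time": ev["time"], "status": status, "last_stderr": s.get("last_stderr")})
            state.pop(ev["tid"], None)
    return {
        key: {"crashes": len(recs), "status": recs[-1]["status"],
              "last_stderr": recs[-1]["last_stderr"], "times": [r["time"] for r in recs]}
        for key, recs in crashes.items() if len(recs) >= min_crashes
    }


if __name__ == "__main__":
    for (proc, exe), info in find_crash_loops(SAMPLE_EVENTS.splitlines()).items():
        print(f"{proc} ({exe}) exited {info['crashes']}x with status {info['status']} "
              f"at {', '.join(info['times'])}; last stderr: {info['last_stderr']!r}")
```

In a real investigation the capture would come from `sysdig -w` on the affected node (or from Falco), and the same question would be asked interactively in Stratoshark by filtering on the process name and walking back from the exit event; the script only shows the shape of that reasoning, which pod logs and metrics alone do not give you.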

What’s inside Stratoshark? eBPF

At its core, Stratoshark uses the Falco libraries developed by Sysdig. Those libraries use eBPF (extended Berkeley Packet Filter) to collect system-level data efficiently and safely from the Linux kernel.

This approach mirrors how Wireshark uses libpcap, the open-source library for network packet capture, which makes the architecture a familiar pattern for networking professionals.

Degioanni explained that the eBPF probe attaches to tracepoints in the Linux kernel to collect kernel-level events such as system calls, inter-process communication, networking, command execution and user activity. Stratoshark takes the raw system-level data collected through eBPF and decodes it, providing a user interface similar to Wireshark for analyzing and troubleshooting the captured events.

Open-source community and future development

Following Wireshark’s successful open-source model, Stratoshark is being released under the same open-source license as the Wireshark codebase. 

“It’s part of the Wireshark code base, which means it is definitely open source and it’s always going to be that way,” Combs said. “Over the years working on Wireshark, I have been able to work with a bunch of really talented and clever developers, and that’s just due to its open-source nature.”

Source: Network World