Show HN: Stratoshark, a sibling application to Wireshark

freedomben · 2025-01-22T17:56:45 1737568605

Long, long time user of Wireshark and I instantly recognize your name. Thank you for all the great work over the years :-)

Looks really awesome! I didn't see Linux installation instructions so clicked on the link to the source code, but it links to the Wireshark source[1]. Is Stratoshark part of the same repo as Wireshark? Is Linux supported by Stratoshark?

[1]: https://gitlab.com/wireshark/wireshark

geraldcombs · 2025-01-22T18:08:08 1737569288

Thanks! It's part of the same code base (and therefore open source), and Linux is definitely supported. It adds libscap and libsinsp as dependencies, and you can find basic build instructions at https://gitlab.com/wireshark/wireshark/-/blob/master/doc/str....

observationist · 2025-01-22T18:51:03 1737571863

The OP URL has been flagged as grayware by Palo Alto and is thus inaccessible to a large number of people, possibly indicating typosquatting, or being miscategorized?

https://wiki.wireshark.org/Stratoshark is a good link for those who can't reach the stratoshark URL directly. The OP link may get recategorized and become accessible in the meantime.

geraldcombs · 2025-01-22T19:03:39 1737572619

Well, crap. The domain and site are still fairly new, so maybe that's the issue? Is there anyone here from Palo Alto that can take a look?

observationist · 2025-01-22T20:26:43 1737577603

Going through their URL filtering site and requesting a recategorization is the best option for now, unless someone from the company sees it.

https://urlfiltering.paloaltonetworks.com/

geraldcombs · 2025-01-22T21:35:16 1737581716

Done. We've been upgraded from medium-risk "grayware" to low-risk "generally do not contain content that is useful to the end user" which is technically better, I suppose.

Update: We're now Low-Risk / Computer-and-Internet-Info.

clbrmbr · 2025-01-22T19:13:45 1737573225

Wireshark is to tcpdump as stratoshark is to strace.

Did I get the analogy right?

geraldcombs · 2025-01-22T19:24:48 1737573888

Pretty much. It's part of the same ecosystem as Sysdig OSS[1], which works much like strace. It uses the same underlying libraries as sysdig and Falco, and you can move capture files between them.

It'd be interesting to see if we can integrate more fully with strace as well, but that might require updating strace itself.

[1]https://github.com/draios/sysdig

IshKebab · 2025-01-22T21:05:46 1737579946

Why is it talking about clouds and stratospheres then? strace is pretty far from "the cloud" isn't it?

uhei · 2025-01-22T21:20:39 1737580839

With the falco plugins [1] a broad range of "cloud native" services can be captured in Stratoshark. At the moment we have AWS cloudtrail and GCP Audit included in the macOS and Win installers.

[1] https://github.com/falcosecurity/plugins?tab=readme-ov-file#...

pimlottc · 2025-01-22T18:25:32 1737570332

The first section on the homepage doesn’t give me a good sense of what the application does. The references to Wireshark suggest it has something to do with network traffic but that doesn’t seem to be the case. It also talks about cloud but nothing seems to be cloud-specific?

geraldcombs · 2025-01-22T18:40:26 1737571226

Thanks for the feedback! I'll see if we can make the top of the site more descriptive.

Update: Changed the first sentence to "Stratoshark lets you explore and analyze applications at the system call level using a mature, proven interface based on Wireshark.

sesm · 2025-01-22T19:13:03 1737573183

So, DTrace with Wireshark UI?

geraldcombs · 2025-01-22T19:30:36 1737574236

We don't share any code with DTrace, but it's not a bad analogy. As with my other reply about strace, it'd be interesting to see if we can more closely integrate Stratoshark, strace, and DTrace in the same way that Wireshark integrates with tcpdump.

gertrunde · 2025-01-22T18:29:39 1737570579

The blog article is a bit more descriptive : https://sysdig.com/blog/stratoshark-extending-wiresharks-leg...

tl;dr version: system calls, but in the wireshark ui. (I've probably oversimplified that!)

vasco · 2025-01-22T18:44:50 1737571490

Thanks for your work! Been using Wireshark for many years after it was used for a network course in university.

Why do you focus on "what happens in your cloud" when we talk about system calls? It'd seem it's useful for any machine, is it just bad marketing copy or am I missing something?

geraldcombs · 2025-01-22T19:09:53 1737572993

You're welcome! It was initially developed as part of my day job at Sysdig, a cloud security company. The initial feature set and use cases focus on getting .scaps (system call and log captures) from cloud environments, but you're entirely correct -- this has much more general applications including troubleshooting and education just like Wireshark does on the networking side.

kristopolous · 2025-01-22T19:46:05 1737575165

Hey Gerald, It's Chris from the CACE days. Nice to hear from you. I see this is part of wireshark proper, I'll look into getting this into debian

geraldcombs · 2025-01-23T23:17:19 1737674239

Thanks! It's great to hear from you!

vasco · 2025-01-22T19:17:26 1737573446

Thanks for confirming and thanks again for the amazing work.

thesuitonym · 2025-01-22T20:46:37 1737578797

Would I be right in assuming this is like Sysinternals procmon but with a better interface and for Linux?

geraldcombs · 2025-01-22T21:27:04 1737581224

The tools are similar in many ways, but Stratoshark shares Wireshark's dissection, filtering, and UI code, which provides a more low-level details and a free-form filtering language. Stratoshark is currently limited to capture on Linux (we're hoping to expand to macOS and Windows in the future) and the UI runs on all three platforms. There's an enhancement request[1] to add Procmon file support but I haven't had a chance to investigate what that might require.

[1]https://gitlab.com/wireshark/wireshark/-/issues/20317

knowitnone · 2025-01-22T22:24:08 1737584648

yet there is a windows installer?

danparsonson · 2025-01-22T23:09:58 1737587398

Capture on Linux, analyse on Windows

RachelF · 2025-01-23T02:29:51 1737599391

OK, that makes more sense.

tarasglek · 2025-01-22T20:20:25 1737577225

It is not clear what the architecture for system-call capture is. Is it ptrace, ebpf or some custom thing or some combo? What is the overhead of running this?

The tool looks really cool, hopefully it moves ui state of art beyond windows xperf

geraldcombs · 2025-01-22T20:30:48 1737577848

It uses Falco libs[1] underneath, which supports capture using eBPF or a kmod. I work with the Falco libs team and they go to great lengths to minimize overhead.

[1]https://github.com/falcosecurity/libs/

mdaniel · 2025-01-22T15:34:57 1737560097

clickable link: https://stratoshark.org

I found its man page in the repo which I found insightful https://gitlab.com/wireshark/wireshark/-/blob/ssv0.9.0/doc/m...

and don't overlook this neato thing: https://gitlab.com/wireshark/wireshark/-/blob/ssv0.9.0/doc/m...

beaugunderson · 2025-01-25T02:24:13 1737771853

We have a Python application that we develop inside Docker on macOS using the `python:3.11-slim-bullseye` image that it would be great to generate scap files from for viewing with Stratoshark. I tried installing sysdig in that image but ran into kernel module errors when trying to run it. Should we expect that to work? Am I missing an easier method?

geraldcombs · 2025-01-25T18:19:09 1737829149

You might try passing `--modern-bpf` to sysdig. It has traditionally captured syscalls using a kernel module, and it sounds like that's where your errors are coming from. Newer versions have added eBPF support, which doesn't require a kmod but you have to pass in the `--modern-bpf` flag.

beaugunderson · 2025-01-25T18:33:56 1737830036

Absolutely nailed it, that worked! Thanks so much for the pointer.

idiotsecant · 2025-01-23T02:49:08 1737600548

I just want to thank you for wireshark. I use it almost every day when I'm troubleshooting why this or that piece of industrial controls hardware springs a leak in its bit plumbing.

You have the rare distinction of developing a tool that will probably outlive us all. So, thanks!

zokier · 2025-01-22T20:34:10 1737578050

Does sysdig (and stratoshark by extension) still require custom out-of-tree kernel module to function?

uhei · 2025-01-22T21:16:15 1737580575

No, with the parameter '--modern-bpf' you can use eBPF. So, no kmod required any more.

n1g3ld0uglas2 · 2025-01-22T15:33:28 1737560008

Being able to use Wireshark in Kubernetes is super exciting. I can't wait to get started!

imcritic · 2025-01-22T18:25:09 1737570309

Can this program do more than just observe and trace what happens?

Can one use it to set up some rule to suppress some of the syscalls sent to a specific process? Or alter them by some logic on the go?

geraldcombs · 2025-01-22T18:39:22 1737571162

It's currently only passive, but that'd be an interesting feature. In order for that to happen we'd have to add that functionality to https://github.com/falcosecurity/libs/ along with the necessary plumbing in the UI.

jcul · 2025-01-23T10:07:38 1737626858

Wow, I've been a wireshark user for many years, this is really exciting.

zxvkhkxvdvbdxz · 2025-01-23T03:47:19 1737604039

Here's a interview with Gerald about Stratoshark (9 min)

https://www.youtube.com/watch?v=VjsmfuIqo8Q

brutopia · 2025-01-22T19:51:10 1737575470

How does it trace syscalls on macos? Do you need to disable SIP?

geraldcombs · 2025-01-22T20:14:07 1737576847

Right now the UI runs on Windows, macOS, and Linux but you can only capture system calls on Linux via Falco libs[1]. Expanding local capture to include macOS and Windows is definitely something we'd love to do!

[1]https://github.com/falcosecurity/libs

SmellyPotato22 · 2025-01-23T20:40:11 1737664811

For macOS you all should look into integrating with the Endpoint Security API. It also provides larger subset of events than just syscalls. You can see them all with `eslogger --list-events`.

https://developer.apple.com/documentation/endpointsecurity

nikisweeting · 2025-01-22T21:53:55 1737582835

Awesome! Thanks for your work on this and everything else.

Once you add capture on macOS with something like dtrace, could you concievably capture a system call inside Docker on macOS and watch it trickle down through the linux hypervisor and then to the host darwin kernel and back?

How does it conceptually track the handoff of system calls between hypervisors/VMs/containers/etc?

geraldcombs · 2025-01-22T22:44:23 1737585863

In this case you would presumably have a capture file that contained syscall events at both the macOS boundary and at the Linux VM boundary. At the present time it would be like capturing traffic on either side of a firewall and loading it into Wireshark (which is something people do!) You'd have to correlate the events visually/manually but adding an automatic correlation feature is well within the realm of possibility.

westurner · 2025-01-22T16:03:10 1737561790

Re: custom fields in pcap traces and retis https://github.com/retis-org/retis

napolux · 2025-01-22T15:29:55 1737559795

having used wireshark since i was a kid... this looks really promising

Chihuahua0633 · 2025-01-22T17:53:38 1737568418

Do you have any wildly good Wireshark resources to reference -- I know I'm barely scratching the surface.

12bits · 2025-01-22T18:04:59 1737569099

https://www.youtube.com/@ChrisGreer if you are into video format.

geraldcombs · 2025-01-23T17:29:03 1737653343

Chris is definitely a good resource! We (the Wireshark Foundation) also have SharkFest session recordings up at https://www.youtube.com/@WireSharkFest