The tools are similar in many ways, but Stratoshark shares Wireshark's dissection, filtering, and UI code, which provides more low-level details and a free-form filtering language. Stratoshark is currently limited to capture on Linux (we're hoping to expand to macOS and Windows in the future) and the UI runs on all three platforms. There's an enhancement request[1] to add Procmon file support but I haven't had a chance to investigate what that might require.
It uses Falco libs[1] underneath, which supports capture using eBPF or a kmod. I work with the Falco libs team and they go to great lengths to minimize overhead.
Right now the UI runs on Windows, macOS, and Linux but you can only capture system calls on Linux via Falco libs[1]. Expanding local capture to include macOS and Windows is definitely something we'd love to do!
For macOS you all should look into integrating with the Endpoint Security API. It also provides a larger subset of events than just syscalls. You can see them all with `eslogger --list-events`.
Awesome! Thanks for your work on this and everything else.
Once you add capture on macOS with something like dtrace, could you conceivably capture a system call inside Docker on macOS and watch it trickle down through the linux hypervisor and then to the host darwin kernel and back?
How does it conceptually track the handoff of system calls between hypervisors/VMs/containers/etc?
In this case you would presumably have a capture file that contained syscall events at both the macOS boundary and at the Linux VM boundary. At the present time it would be like capturing traffic on either side of a firewall and loading it into Wireshark (which is something people do!) You'd have to correlate the events visually/manually but adding an automatic correlation feature is well within the realm of possibility.
Yeah I was imagining something like the TLS session tracing feature in Wireshark that lets you see all the packets related to a single TLS connection.
I currently struggle debugging opaque containers and VMs that run lots of concurrent async jobs, having some kind of tool to trace and group syscalls through the stack would be amazing.
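The two-boundary correlation discussed in the replies above (a capture on the macOS side and a capture inside the Linux VM, lined up by hand today) can be automated with a small time-window matcher. The following is an added example and is not code from Stratoshark, sysdig or Falco libs; it assumes the events have already been exported to plain dicts with a nanosecond `ts`, an event name `evt` and a `path` argument, and the sample events, the guest-to-host path mapping and the guest/host event-name mapping are all constructed for the demo.

```python
"""Correlate syscall events captured on both sides of a VM boundary.

Added example, not Stratoshark, sysdig or Falco libs code. Field names
(ts, evt, path), EVT_MAP and the mount layout are assumptions.
"""
from bisect import bisect_left
from statistics import median

# Constructed sample: a Linux guest writes a file on a shared mount, and the
# host performs the corresponding open/write/close on its behalf. The host
# clock runs roughly 2.5 ms ahead of the guest clock.
GUEST_EVENTS = [
    {"ts": 1_000_000_000, "evt": "openat", "path": "/mnt/shared/a.txt"},
    {"ts": 1_000_200_000, "evt": "write",  "path": "/mnt/shared/a.txt"},
    {"ts": 1_000_300_000, "evt": "write",  "path": "/proc/self/status"},  # guest-only
    {"ts": 1_000_400_000, "evt": "close",  "path": "/mnt/shared/a.txt"},
]
HOST_EVENTS = [
    {"ts": 1_002_450_000, "evt": "open",  "path": "/Users/me/shared/a.txt"},
    {"ts": 1_002_680_000, "evt": "write", "path": "/Users/me/shared/a.txt"},
    {"ts": 1_002_900_000, "evt": "close", "path": "/Users/me/shared/a.txt"},
    {"ts": 1_003_500_000, "evt": "open",  "path": "/private/var/log/system.log"},  # host-only
]

# Hypothetical mapping from guest syscall names to host-side event names.
EVT_MAP = {"openat": "open", "open": "open", "write": "write", "close": "close"}


def guest_to_host_path(path, guest_root="/mnt/shared", host_root="/Users/me/shared"):
    """Rewrite a guest mount path to its host path (assumed mount layout).
    Returns None when the path is not on the shared mount, i.e. no host
    counterpart is expected."""
    if path == guest_root or path.startswith(guest_root + "/"):
        return host_root + path[len(guest_root):]
    return None


def estimate_offset(guest, host):
    """Estimate host-minus-guest clock offset as the median timestamp
    difference over events that match exactly on (mapped evt, mapped path).
    The median keeps a single spurious pair from skewing the estimate."""
    diffs = []
    for g in guest:
        hp = guest_to_host_path(g["path"])
        if hp is None:
            continue
        cands = [h["ts"] - g["ts"] for h in host
                 if h["evt"] == EVT_MAP.get(g["evt"]) and h["path"] == hp]
        if cands:
            diffs.append(min(cands, key=abs))  # nearest host event in time
    return int(median(diffs)) if diffs else 0


def correlate(guest, host, window_ns=1_000_000, offset_ns=None):
    """Pair each guest event with the nearest unused host event of the matching
    type and path within +/- window_ns after clock-offset correction.
    Returns (pairs, unmatched_guest, unmatched_host) as index lists."""
    if offset_ns is None:
        offset_ns = estimate_offset(guest, host)
    host_order = sorted(range(len(host)), key=lambda i: host[i]["ts"])
    host_ts = [host[i]["ts"] for i in host_order]
    used, pairs, unmatched_guest = set(), [], []
    for gi, g in enumerate(guest):
        hp = guest_to_host_path(g["path"])
        target = g["ts"] + offset_ns
        best = None
        if hp is not None:
            # Binary-search to the start of the window, then scan forward.
            for k in range(bisect_left(host_ts, target - window_ns), len(host_ts)):
                if host_ts[k] > target + window_ns:
                    break
                hi = host_order[k]
                h = host[hi]
                if hi in used or h["evt"] != EVT_MAP.get(g["evt"]) or h["path"] != hp:
                    continue
                if best is None or abs(h["ts"] - target) < abs(host[best]["ts"] - target):
                    best = hi
        if best is None:
            unmatched_guest.append(gi)
        else:
            used.add(best)
            pairs.append((gi, best))
    unmatched_host = [i for i in range(len(host)) if i not in used]
    return pairs, unmatched_guest, unmatched_host


if __name__ == "__main__":
    off = estimate_offset(GUEST_EVENTS, HOST_EVENTS)
    print(f"estimated host-guest offset: {off} ns")
    pairs, ug, uh = correlate(GUEST_EVENTS, HOST_EVENTS, offset_ns=off)
    for gi, hi in pairs:
        print(f"guest {GUEST_EVENTS[gi]['evt']:6} <-> host {HOST_EVENTS[hi]['evt']:5} "
              f"{HOST_EVENTS[hi]['path']}")
    print("guest-only:", [GUEST_EVENTS[i]["path"] for i in ug])
    print("host-only: ", [HOST_EVENTS[i]["path"] for i in uh])
```

The unmatched lists are the interesting output for a security reviewer: a guest syscall with no host counterpart on a shared path, or a host event nobody in the guest asked for, is exactly the kind of discrepancy you would want flagged rather than eyeballed. The window size has to be tuned to the hypervisor's I/O latency; the offset estimate only works if at least one event pair is unambiguous.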
Pretty much. It's part of the same ecosystem as Sysdig OSS[1], which works much like strace. It uses the same underlying libraries as sysdig and Falco, and you can move capture files between them.
It'd be interesting to see if we can integrate more fully with strace as well, but that might require updating strace itself.
With the Falco plugins[1] a broad range of "cloud native" services can be captured in Stratoshark. At the moment we have AWS CloudTrail and GCP Audit included in the macOS and Win installers.
You're welcome! It was initially developed as part of my day job at Sysdig, a cloud security company. The initial feature set and use cases focus on getting .scaps (system call and log captures) from cloud environments, but you're entirely correct -- this has much more general applications including troubleshooting and education just like Wireshark does on the networking side.
Done. We've been upgraded from medium-risk "grayware" to low-risk "generally do not contain content that is useful to the end user" which is technically better, I suppose.
Update: We're now Low-Risk / Computer-and-Internet-Info.
Thanks for the feedback! I'll see if we can make the top of the site more descriptive.
Update: Changed the first sentence to "Stratoshark lets you explore and analyze applications at the system call level using a mature, proven interface based on Wireshark."
We don't share any code with DTrace, but it's not a bad analogy. As with my other reply about strace, it'd be interesting to see if we can more closely integrate Stratoshark, strace, and DTrace in the same way that Wireshark integrates with tcpdump.
It's currently only passive, but that'd be an interesting feature. In order for that to happen we'd have to add that functionality to https://github.com/falcosecurity/libs/ along with the necessary plumbing in the UI.
Thanks! It's part of the same code base (and therefore open source), and Linux is definitely supported. It adds libscap and libsinsp as dependencies, and you can find basic build instructions at https://gitlab.com/wireshark/wireshark/-/blob/master/doc/str....
[1]https://gitlab.com/wireshark/wireshark/-/issues/20317