Stratoshark analyzes cloud applications at a syscall level



Using Stratoshark to analyze Azure syscalls

Once you’ve got Stratoshark up and running, you’ll see the familiar Wireshark user interface, though now with new options. Like Wireshark, Stratoshark is designed to give you what Wireshark creator Gerald Combs calls “a ground-level truth.” By capturing syscalls you can see when your code opens files, makes network connections, uses key system libraries, and much more.

For now, the capture tool requires Linux, but as the community starts to develop around Stratoshark, it’s likely to gain support for other OSes, including Windows. Windows’ support for eBPF should help here, though with a considerable number of Azure workloads running on Linux, it will be useful anyway.

Captures are made using Falco’s libscap and libsinsp libraries, as well as the command-line sysdig tools via SSH. Libscap captures and stores the syscalls from monitored systems, while libsinsp provides the event parsing, filtering, and output formatting used by applications like Stratoshark. Underneath the libraries sit kernel modules (where you can install them) and eBPF probes. Cloud services like Azure don’t let you install your own kernel modules, unless, of course, you’re hosting services in your own custom VM builds.
