The Wireshark open source network protocol analyzer was developed in the 1990s as a way to capture and analyze network packets. And recently, a cloud-native version of Wireshark, called Stratoshark, was launched by CNAPP company Sysdig to extend Wireshark’s capabilities into analyzing system calls and log messages, to provide deep insights into container and system behavior.

ITOps Times news editor Jenna Barron recently spoke with creators Gerald Combs and Loris Degioanni of Sysdig to discuss the history of Wireshark and how that evolved into Stratoshark. The conversation, recorded on the ITOps Times “Get With IT” podcast, has been edited for context and length.

ITOPS: Can you paint a picture of what the technology landscape looked like in the 1990s, and what led you to create Wireshark?

COMBS: I got my start in troubleshooting networks when I was attending university, and we had a thing called a sniffer, which was what you used to troubleshoot networks at the time. It was this really heavy computer that cost about as much as a luxury car, and I would just lug that around campus and plug it into the network and do troubleshooting. And that was the early 90s.

As the 90s progressed, though, a couple of things happened. One, computers got cheaper and more powerful, and open source became more of a viable thing, and I moved on to an ISP that just didn’t have the budget for a sniffer, so in order to troubleshoot the network, I just started writing my own. And because of open source, I released the initial version of Ethereal (which became Wireshark) and announced it, and immediately started getting contributions from people around the world, and it grew because of that.

Loris pointed out in the past that Wireshark is kind of the perfect open source project, because you can have so many people who are experts in their various domains developing protocol dissectors for Wireshark. That really contributed to the project’s growth. But we didn’t really have a lot of users until WinPcap, which was the component that Loris contributed, and that allowed us to run on Windows. It kind of caught me by surprise how quickly it became popular, as soon as we were able to run on Windows.

DEGIOANNI: My introduction to this project was that I was still a university student and I was tasked by our computer networks professor to be the network analyzer, because he believed that the best way to learn networks is just to observe what’s happening on the network. And as Gerald was saying, we had Windows machines in our labs and you want to give a network analyzer to every student, so we needed to have one on every machine. But network analyzers were very expensive and typically hardware-based during those times, so I was asked to essentially convert a Windows machine into something that could collect the network traffic and display it.

And that’s when I saw that there was this guy in the United States (Combs) that had a network analyzer that was really nice and open source, but not working on Windows – and by Windows at the time, going back to the technology landscape we’re talking about, my initial contribution was Windows 95 and Windows NT.

ITOPS: Let’s jump forward in time a bit and talk about this new tool. You say that Stratoshark builds on the features of Wireshark as well as Sysdig’s other open source tool, Falco, which is used for cloud native threat detection. So can you give a brief overview of Stratoshark and what its use is?

COMBS: Stratoshark lets you look at system calls and log messages in much the same way Wireshark lets you look at packets, and I say in much the same way, because both tools are built around the same code base and have the same user interface. The only difference is that Stratoshark, instead of pulling in network packets, pulls in system calls and log messages from a couple of libraries, libsinsp and libscap, which are the same libraries that Falco uses, which Sysdig produces, and so we have this nice little ecosystem based around being able to pull in syscalls and inspect them at a very low level. The neat thing about that is that you can get a really good handle on what all the programs that are running in a container or on your box are doing, and get a really good characterization of how they’re behaving and maybe misbehaving.

ITOPS: What led to the process of building Stratoshark?

DEGIOANNI: Wireshark is not designed for high-level, CEO kind of metrics. Wireshark is designed for the very technical person to go down in the details. And the use cases are typically troubleshooting, security investigations, these kinds of things that require you to really understand the minutiae or the fine details, and the workflows that have been developed by all of the contributors.

What we’ve done is we’ve essentially taken the same source code, the same tool, but we applied it to different data sources. In particular, we are starting with two new data sources. One is system calls. So, you have the ability to go and introspect what’s happening in the internals of the Linux machine and understand what every single application and process is doing by capturing this data source. And the other one is cloud logs – in particular, CloudTrail logs. The workflows are the same, but the data is different. And so essentially, what we’re doing is we’re amplifying the reach of Wireshark.

ITOPS: Do you consider this to be like an evolution of Wireshark, so that you can just use Stratoshark? Or is there still a use case for using both tools?

DEGIOANNI: Absolutely. They’ve been designed as companion tools that very much complement each other. They share not only the same user interface, but also the same file format, so you can easily interchange files across the same filtering system, so that when you need to operate them, you can switch from one to another.

They are also being designed to reflect the nuances of the different data sources that they support. So there’s customizations, there’s specific pieces of functionality in each data that make them shine for specific use cases. So we envision, essentially, people to install both on their machine and use them essentially for a specific type of troubleshooting.

ITOPS: Can you share what users can look forward to in the future as this tool continues to evolve?

COMBS: Right now, we’re still early days with Stratoshark, and so one of the reactions from people when we made the announcement was, wait a minute, you’re giving us installers for Windows and macOS, but I can only capture on Linux. And the general goal of the project is that we grow in both directions. We definitely plan on making Linux installers available, because we do support that platform within Wireshark, and eventually hope to be able to provide local syscall capture on macOS and Windows. Not sure how we’re going to get there, but there are definite paths we can take to get there on both of those platforms.

One of the things that excites me about Stratoshark is that we kind of have this blank slate. There’s nothing more exciting than having this green field area to fill in features as time goes on. I have a few features in mind that I’d like to add. But the cool thing about Wireshark and its community, and something that speaks to the power and cleverness of the community, is that they keep adding all these neat features as time goes on. And I fully expect that to happen to Stratoshark as well.

DEGIOANNI: I just want to add at the strategic level, Wireshark is almost like an act of love toward the troubleshooter. The guys that very often need to do the dirty job of really figuring stuff out, and that very often are left with tools that are optimized more for the enterprise than for the practitioner. Wireshark and Stratoshark are tools for the nerdy practitioner. And the thing that I’m excited about is bringing more and more data sources into workflows so that people can attach application logs, operating system information events, and security events to Stratoshark.

This also is a call to action for the community, for these nerds that I was talking about. It’s your tool, it’s extendable, it’s based on plugins. Contribute yours, and you will be able to easily make this much more useful and really suitable to what you exactly need to do.