Stratoshark brings Wireshark-style analysis to cloud system calls

Degioanni noted that cloud networking, especially in Kubernetes environments, can be very complex with various approaches like service mesh, ingress, and gateways. Stratoshark is designed to be agnostic to the specific cloud networking approach, focusing on collecting data at the endpoint level rather than relying on the networking layer.

One issue that Combs said is common in Kubernetes is CrashLoopBackOff, which can be difficult to diagnose and resolve. Stratoshark, he said, provides the ability to capture and analyze system-level data to help identify the root causes of such failures.

What’s inside Stratoshark? eBPF

At its core, Stratoshark uses the Falco libraries developed by Sysdig. Those libraries are based on eBPF (extended Berkeley Packet Filter) technology to collect system-level data efficiently and safely from the Linux kernel.

This approach mirrors how Wireshark uses libpcap, the open-source library for network packet capture, creating a familiar architectural pattern for networking professionals.

Degioanni explained that the eBPF libraries attach to tracepoints in the Linux kernel to collect data from various kernel-level events, such as system calls, inter-process communication, networking, command execution and user activity. Stratoshark takes the raw system-level data collected by the eBPF libraries and decodes it, providing a user interface similar to Wireshark for analyzing and troubleshooting the captured events.
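To make the tracepoint mechanism described above concrete, and to show the kind of system-level evidence that helps with the CrashLoopBackOff case mentioned earlier, here is an added bpftrace script (not Stratoshark or Falco code) that hooks the same class of kernel tracepoints to record which program each process tries to execute, whether that exec succeeded, and how the process eventually exited. It assumes a Linux node with bpftrace installed and root privileges, and it traces every process on that node, not just one container.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Added example: trace execve attempts and process exits on a node.
 * Not part of Stratoshark or the Falco libraries; uses bpftrace instead.
 */

BEGIN
{
    printf("Tracing execve and process exits... Ctrl-C to stop.\n");
}

// Remember the path each thread asked the kernel to execute.
tracepoint:syscalls:sys_enter_execve
{
    @cmd[tid] = str(args->filename);
    @pending[tid] = 1;
}

// Report the result of that exec. A negative ret means the exec itself
// failed (missing binary, bad permissions), which is a common reason a
// container restarts immediately.
tracepoint:syscalls:sys_exit_execve
/@pending[tid]/
{
    printf("%-16s pid=%-7d exec %s ret=%d\n", comm, pid, @cmd[tid], args->ret);
    delete(@cmd[tid]);
    delete(@pending[tid]);
}

// do_exit() receives the raw exit code: status in bits 8..15 for a normal
// exit, terminating signal number in the low 7 bits.
kprobe:do_exit
{
    printf("%-16s pid=%-7d exit status=%d signal=%d\n",
           comm, pid, (arg0 >> 8) & 0xff, arg0 & 0x7f);
}

END
{
    clear(@cmd);
    clear(@pending);
}
```

Run it on the node hosting the crash-looping pod while the pod restarts; a failed exec (negative ret) or a non-zero status or signal on the container's entrypoint narrows the cause before opening a full capture.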

Open-source community and future development

Following Wireshark’s successful open-source model, Stratoshark is being released under the same open-source license as the Wireshark codebase. 
