taosecurity

How to capture an SCAP for Stratoshark

May 15th, 2025
Nigel Douglas · 2 min read · Jan 13, 2025

Every action invoked on a Linux server, or on a container or process running on it, results in system calls (syscalls). Syscalls, captured directly from the kernel, can be recorded in System Capture (SCAP) files. These files can then be read and analysed using open-source tools like Sysdig and Stratoshark to gain insights into system behaviour.

Installing Sysdig

To get started, install Sysdig on your Linux server by running the following command:

curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash

The installation completes in a few seconds. Please note that this demo applies exclusively to Linux servers, as syscall collection is not supported on Windows or macOS.

Reading Live System Calls

To stream live system calls, simply run:

sudo sysdig

If you're interested in monitoring system calls generated specifically within containers (excluding host processes), use:

sudo sysdig -p "%evt.time %container.name %proc.name %evt.args" container.name!=host

Capturing SCAP Files

To capture system call activity for a set duration, use the timeout command. For example, to capture data for 5 seconds and save it to an SCAP file:

sudo timeout 5 sysdig -w <file-name>.scap

To capture specific event types or monitor particular processes, you can filter the capture like this:

sudo timeout 5 sysdig -w <file-name>.scap evt.type=epoll_pwait and proc.name=kube-apiserver

Reading SCAP Files with Sysdig

Once you have an SCAP file, you can filter and analyse it using Sysdig's CLI. For instance, to filter events for specific processes such as sandbox-agent or peira, run:

sysdig -r <file-name>.scap proc.name=sandbox-agent or proc.name=peira
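The capture and read commands above are easy to get subtly wrong in a script: a non-numeric duration, a file name with a path component, or a filter that the shell splits into several arguments. The wrapper below is an added example written for this page, not code from the original article or from the Sysdig project. It validates those inputs before spawning sysdig, keeps the capture directory private (captures record process arguments and the first bytes of every I/O buffer), and checks a file's header before handing it to `sysdig -r`. The function names, the SCAP_DIR variable and the sample filters are assumptions of this example; the header check relies on libscap writing pcapng-style files that start with a Section Header Block.

```shell
#!/bin/sh
# Added example (not from the original article or the Sysdig project):
# a thin wrapper around `sysdig -w` and `sysdig -r`. Function names,
# SCAP_DIR and the sample filters are assumptions of this example.

SCAP_DIR="${SCAP_DIR:-/var/tmp/scap}"

# Accept only a positive integer number of seconds.
check_duration() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Normalise a capture name: no path components, no hidden files,
# and always a .scap suffix.
scap_name() {
    case "$1" in
        ''|*/*|.*) return 1 ;;
        *.scap) printf '%s\n' "$1" ;;
        *) printf '%s.scap\n' "$1" ;;
    esac
}

# libscap writes pcapng-style files that begin with a Section Header Block,
# so the first four bytes are 0a 0d 0d 0a. Returns 0 if the file starts that way.
is_scap() {
    [ -r "$1" ] || return 1
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "0a0d0d0a" ]
}

# capture_scap SECONDS NAME [FILTER]
# Runs: sudo timeout SECONDS sysdig -w SCAP_DIR/NAME.scap [FILTER]
# The filter is passed as one argument so the shell cannot split it.
capture_scap() {
    check_duration "$1" || { echo "capture_scap: bad duration '$1'" >&2; return 1; }
    file=$(scap_name "$2") || { echo "capture_scap: bad name '$2'" >&2; return 1; }
    command -v sysdig >/dev/null 2>&1 || { echo "capture_scap: sysdig not installed" >&2; return 1; }
    # Captures hold argv strings and I/O buffer data: keep the directory root-only.
    sudo mkdir -p -m 0700 "$SCAP_DIR"
    if [ -n "${3:-}" ]; then
        sudo timeout "$1" sysdig -w "$SCAP_DIR/$file" "$3"
    else
        sudo timeout "$1" sysdig -w "$SCAP_DIR/$file"
    fi
    status=$?
    # timeout exits 124 when it had to stop the command, which here simply
    # means sysdig ran for the full duration and closed the dump on SIGTERM.
    [ "$status" -eq 124 ] && status=0
    return "$status"
}

# read_scap FILE [FILTER]
# Refuses to pass a file to sysdig -r unless it carries the SCAP header.
read_scap() {
    is_scap "$1" || { echo "read_scap: '$1' is not a SCAP file" >&2; return 1; }
    command -v sysdig >/dev/null 2>&1 || { echo "read_scap: sysdig not installed" >&2; return 1; }
    if [ -n "${2:-}" ]; then
        sysdig -r "$1" "$2"
    else
        sysdig -r "$1"
    fi
}

# Usage (constructed, mirrors the commands in the article):
#   capture_scap 5 apiserver 'evt.type=epoll_pwait and proc.name=kube-apiserver'
#   read_scap "$SCAP_DIR/apiserver.scap" 'proc.name=sandbox-agent or proc.name=peira'
```

Quoting the whole filter as a single argument is the main habit worth keeping: sysdig joins its trailing arguments into one filter expression, so the unquoted form in the article works interactively, but in a script an `and`/`or` clause built from a variable is safer passed as one string.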

Visualising SCAP Files with Stratoshark

Stratoshark provides an intuitive graphical interface for exploring SCAP files, offering insights into application-level behaviour. Combining Wireshark's powerful analysis and filtering capabilities with Falco's data collection and enrichment, Stratoshark supports the same file format as Sysdig and Falco, ensuring seamless workflow transitions.

If you prefer analysing SCAP files directly in the Linux terminal, the Sysdig CLI remains your go-to solution.

[Screenshot: the Sysdig CLI live capture]

For a GUI experience resembling Wireshark, Stratoshark is the ideal tool for your team. It's available on Windows and macOS. You can also build Stratoshark on Linux using Make, allowing you to explore SCAP files interactively.

[Screenshot: the Stratoshark user interface]

If you are not in a position to record your own .scap capture, the Sysdig team have provided example trace files for a 502 Error in HAProxy, as well as a 404 Error for troubleshooting a leaky file.

Tags: Linux, Kernel, Stratoshark, Sysdig, Syscalls

Written by Nigel Douglas
Tags: security