Stratoshark remote capture tutorial

Philippe Bogaerts
2 min read · Jan 22, 2025


Introduction

Today, 22 Jan 2025, Sysdig announced Stratoshark.

As they describe it:

“With Stratoshark, you can capture the activity of your Linux machine — including what happens inside containers — and analyze it using the same Wireshark UI you know and love. File I/O, command executions, network activity, interprocess communication? It’s all there. Whether you’re troubleshooting performance issues or investigating security events, Stratoshark provides everything you need in a single capture.”

A quick tutorial on how to remotely capture a trace

Using Stratoshark is as easy as using Wireshark, but let's look at how we can obtain a trace from a remote Linux box and analyze it on our Mac.

Open a few terminals on your local machine (in my case, a simple Mac).
The idea is based on a previous article I wrote some time ago on remotely capturing TCPDUMP traces.

In Terminal_1

Start a listener that writes the incoming trace to a file (demo.scap):

nc -l 6666 >demo.scap

Terminal_2

SSH into the box where you want to obtain the trace and set up a reverse SSH tunnel, so that port 6666 on the remote host is forwarded back to the listener on your local machine. Once you have a shell, run the sysdig command and pipe its output through the tunnel.

ssh ubuntu@x.x.x.x -R 6666:127.0.0.1:6666
sudo sysdig --unbuffered -w - | nc 127.0.0.1 6666

Or with a filter, excluding the sshd and nc processes so the capture is not dominated by the tunnel's own activity:

sudo sysdig "proc.name!=sshd and proc.name!=nc" --unbuffered -w - | nc 127.0.0.1 6666

Terminal_1

When you want to terminate the capture, cancel nc (netcat). You can then review the file locally (if sysdig is installed):

sysdig -r ./demo.scap

or open it in Stratoshark (on Mac in my case):

/Applications/Stratoshark.app/Contents/MacOS/Stratoshark ./demo.scap

Voila !!
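The three terminal steps above, combined into one POSIX shell script with a basic sanity check on the received file. This is an added example, not code from the original post or from Sysdig. It assumes ssh access to the remote host with sudo rights, sysdig and nc installed there, a BSD/OpenBSD-style nc locally (nc -l PORT, as used above), and that you set the REMOTE, PORT and OUT environment variables yourself; the function names build_remote_cmd, verify_scap and remote_capture are mine. The verify_scap check only confirms the file starts with the pcapng section header block that scap files begin with; a capture cut mid-stream still passes it, so run sysdig -r on the result to be sure the last block is intact.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes: ssh + sudo on the
# remote host, sysdig and nc installed there, BSD/OpenBSD-style nc locally.

PORT=${PORT:-6666}
OUT=${OUT:-demo.scap}

# Build the command that runs on the remote host: sysdig writes an unbuffered
# scap stream to stdout, nc relays it into the reverse tunnel. An optional
# sysdig filter (e.g. excluding sshd and nc) keeps the tunnel's own activity
# out of the trace.
build_remote_cmd() {
  port=$1
  filter=$2
  if [ -n "$filter" ]; then
    printf 'sudo sysdig "%s" --unbuffered -w - | nc 127.0.0.1 %s' "$filter" "$port"
  else
    printf 'sudo sysdig --unbuffered -w - | nc 127.0.0.1 %s' "$port"
  fi
}

# Sanity check on the received file: scap files are pcapng-based and start
# with a Section Header Block, type 0x0A0D0D0A (byte-order independent).
# An empty file or one that never got the header fails; a stream truncated
# later still passes, so this is a first check, not proof of completeness.
verify_scap() {
  f=$1
  [ -s "$f" ] || return 1
  magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
  [ "$magic" = "0a0d0d0a" ]
}

# Full procedure: start the local listener (Terminal_1), open the reverse
# tunnel and run sysdig through it (Terminal_2), then verify the file once
# the remote side ends (Ctrl-C in the ssh session stops sysdig, the remote
# nc closes the connection, and the local listener exits).
remote_capture() {
  host=$1; port=$2; out=$3; filter=$4
  nc -l "$port" > "$out" &
  listener=$!
  # -t allocates a tty so sudo can prompt for a password if it needs to.
  ssh -t -R "$port:127.0.0.1:$port" "$host" "$(build_remote_cmd "$port" "$filter")"
  wait "$listener"
  verify_scap "$out"
}

# Only run the capture when a remote host is given, e.g.:
#   REMOTE=ubuntu@x.x.x.x OUT=demo.scap sh capture.sh
if [ -n "$REMOTE" ]; then
  if remote_capture "$REMOTE" "$PORT" "$OUT" "proc.name!=sshd and proc.name!=nc"; then
    echo "capture written to $OUT; review with: sysdig -r $OUT"
  else
    echo "capture failed or $OUT does not look like a scap file" >&2
    exit 1
  fi
fi
```

The filter is passed as a single argument so the quoting survives the trip through ssh; if you change it, keep it free of double quotes. Whatever the check says, open the file with sysdig -r or Stratoshark before relying on it, since a dropped tunnel leaves a file that starts correctly but ends in a partial block.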
