Here where we make CloudShark, we have a pile of DevOps and admin tools we use every day to make our lives easier: Jenkins, Capybara, and Nagios are some absolutely wonderful additions to our environment this year. One of the most powerful tools we use here is the combination of VMware Workstation and the Vagrant API. With Vagrant, we can test every permutation of CloudShark via a barrage of automated tests.
This article is the full text of our white paper on the same topic.
Packet Capture Files: Valuable but Vulnerable
Packet capture files - files that record network traffic - are invaluable resources for network administrators, help desk staff, and IT security experts. Filled with application data and protocols, timestamps, and error codes, these files provide IT engineers with a detailed view of what took place on a network during a specific period of time.
One of the easiest ways to get captures into CloudShark is through the Import from URL feature. This lets you just pass an https URL to CloudShark and have it import the file at that location. It’s even better when our integrators use it.
The folks over at WebPageTest, an open source and public tool for evaluating the speed and performance of your website, have CloudShark functionality built into their system.
This challenge is complete! Try it yourself or scroll to the solution below.
It’s been a while since we’ve had a good old-fashioned packet capture challenge here at CloudShark. In preparation for our upcoming webinar on packet capture and analysis in wireless networks, we thought we’d throw out a challenge involving a would-be malicious attacker trying to gain access to a secured Wi-Fi network.
The Challenge
Take a look at this capture.
Wireless networks are the most ubiquitous type of network modern IT departments need to deal with. There are many tools for troubleshooting them, but what happens when you need to go to the packet level? How do you capture at the point you need, and how do you get those captures to a place you can analyze them?
Join the CloudShark team as we show you:
Performing packet captures on Meraki and OpenWrt based devices, and using their native CloudShark support to upload to a CloudShark Appliance
Organizing those captures in CloudShark
Collaborating using CloudShark’s web-based analysis environment
Watch the video.
Chances are, if you’ve started a free trial of CloudShark, you’ve interacted with someone on our support team. To put a face to the text, here’s Tom, from our QA/Support team, explaining what he loves about working on CloudShark:
Watch the video.
There is a plethora of cloud applications for nearly all IT services that were traditionally managed in-house. One of the most interesting is JumpCloud, which provides a cloud-based solution for LDAP and Active Directory user management systems.
What’s even more interesting is that JumpCloud can work seamlessly with CloudShark’s ability to use external LDAP/AD authentication and user management. If you are using LDAP, it’s as simple as enabling it in the CloudShark admin console and creating an sssd.
There aren’t too many good books on computer networking, or on Wireshark and packet analysis in general. The one we definitely keep on our shelf is Practical Packet Analysis, “Using Wireshark to Solve Real-World Network Problems”, by Chris Sanders of chrissanders.org. A self-described “packet ninja”, Chris has literally written the book on using packet captures in network troubleshooting.
We also like it because it mentions a certain really awesome web-based packet analysis platform - Chris has been an enthusiastic supporter of CloudShark since it first came out in 2010.
You look at packets every day to do your job. Isn’t it time to apply the concepts that make all of our modern apps - portability, organization, and collaboration - to packet analysis?
If you are new to CloudShark Appliance or diving into our 30-day free trial, or even just curious about how you can organize, analyze, and collaborate on packet captures in your browser, please join the CloudShark support team on Thursday, September 25, 2014 as we show you the basics:
Each summer, we here at QA Cafe (the makers of CloudShark) like to take a few days to flex our programming and problem solving skills with what we call the “Summer Coding Challenge”.
This year, our developers’ challenge was to create a Battleship bot intended to play against other bots. Our devs were allowed to use any language, script, or OS they desired to accomplish the following tasks:
Read the map.
We’re very excited to see CloudShark in use at the r00tz Asylum event this week in Las Vegas. r00tz Asylum is a nonprofit dedicated to teaching kids around the world how to love being white-hat hackers: those who enjoy thinking of innovative new ways to make, break and use computing and networking technology to make a better world. Formerly DEFCON Kids, the event is an important part of the constant task of filling the technology pipeline with the next generation of experts and gurus.
We’ve already been geeking out over the multitude of things you can do with the new packet capture and CloudShark upload support in the popular open source OS for embedded devices, OpenWrt.
In addition to troubleshooting packet-level detail on home gateways or monitoring wireless traffic, OpenWrt’s packet capture feature can turn any embedded device into a packet capture node that can instantly upload its data to CloudShark.
Have you ever wanted to capture and analyze what network traffic your smartphone or tablet is sending? Maybe you are developing a new app and need to debug a network issue, or maybe you are just curious about what network traffic an app is sending. Using a wireless router running OpenWrt with the CloudShark package makes capturing this traffic easy!
Once you have the OpenWrt CloudShark package installed, connect your device to your OpenWrt wireless network and browse to the Status page of the OpenWrt router.
Have you ever wanted to embed a packet trace right into the blog post you were writing? We know you have. You’ve told us you want that! When a screenshot of the decode won’t do, you can use your CloudShark Appliance to share individual frame decodes in blog posts, documentation, help forums, and pretty much anywhere else you can write HTML.
Let’s see it in action!
Here’s packet #2 from our TCP Fast Open example.
Defense.net is in the business of DDoS mitigation. The task of capturing, detecting, and filtering such massive attacks means they often go directly to raw packet data to root out customer problems.
We recently sat down with Defense.net to learn how CloudShark’s collaboration tools have changed the way they deal with packet captures, saving them valuable time in an industry where seconds matter.
Read the case study
The pcap capture file format has been the universal packet capture format since the early days of computer networking. Almost all capture tools support the pcap format. And while vendors have created new formats over the years, most tools support conversion into the pcap format.
While pcap continues to be used today, it does have some limitations that make other formats more attractive. A new format called “pcapng” has been under development for a number of years.
As many are aware (as it’s now become national news), a vulnerability was recently discovered in OpenSSL dubbed Heartbleed. The attack centers around the implementation of the Heartbeat extension in OpenSSL which causes a server to return the contents of memory that should be protected. This blogpost by Troy Hunt describes the vulnerability in detail: Everything you need to know about the Heartbleed SSL bug.
Being packet geeks, naturally we wanted to get a capture of the Heartbleed attack in action.
Hello CloudShark fans!
As you may have heard, a serious vulnerability in OpenSSL was recently uncovered. OpenSSL is a popular open-source cryptography platform used around the world.
Known popularly as the Heartbleed Bug, this new vulnerability impacts a large number of servers and services and has the ability to expose a wide range of sensitive system information to nefarious individuals.
CloudShark runs on CentOS or RedHat Enterprise Linux (RHEL) 6. Recent versions of these distributions shipped with a version of OpenSSL containing the Heartbleed Bug.
One of CloudShark’s most unique features is SSL stream viewing and RSA key management.
Watch the video.
What do you do when you have certificates that you need to distribute to your team to look at encrypted data? How do you troubleshoot encrypted network traffic without having to give users access to your keys on their local machines?
CloudShark contains a unique key management system in addition to its packet capture repository.
We thought we’d revisit this key piece of the capture analysis puzzle that we added to CloudShark soon after its creation. Since then, CloudShark users like have used the plug-in and its tshark counterpart to integrate CloudShark into their network environment.
While CloudShark’s packet capture holding capacity is limited only by the size of the disks available to it, many of our CloudShark users are curious about what to do if they want to automatically delete captures after a certain period of time. Some may have certain security requirements about capture contents, or others want to make sure that sensitive data isn’t used for nefarious purposes later.
Whatever the reason, automatically deleting captures is possible with a little scripting and the CloudShark API.
CloudShark 2.0 added a lot of cool new features to CloudShark, but perhaps the most powerful (and most complex) was the addition of search capability to the CloudShark API. The search API function takes the already robust search features of CloudShark that were available through the user interface and brings them to anyone who wants to integrate CloudShark with their existing tools or work CloudShark seamlessly into their automation environment.
In CloudShark 1.9 we added the ability to play back RTP streams so that you can replay voice data embedded in packet captures for call quality analysis. When we launched this feature, CloudShark supported G.711, G.729, and GSM voice codecs, used by many voice and mobile providers.
Since then, we’ve gotten a lot of calls (ha!) for the addition of other audio codecs to the system to be able to play them back as well.
If you don’t already know, one of CloudShark’s main features is the ability to manage RSA keys and allow those keys to be used to decrypt SSL traffic, allowing users to view encrypted data without ever having to give out your RSA keys.
But what about other types of encryption? We were recently approached about support for Kerberos in CloudShark captures. CloudShark can actually support the decryption of Kerberos encrypted data using the Wireshark preferences file that we showed you before for fixing your RTP decode settings.
It’s no secret that CloudShark uses tshark to generate the data we use in the CloudShark database, resulting in what you see when you view a capture in the CloudShark viewer. CloudShark sorts and caches this information to make it faster and easier for you to get to the information you need, when you need it.
The added advantage of using tshark is that all of the most recent dissectors published in the latest versions of Wireshark can be used in CloudShark immediately without any additional work.
We’ve been talking a whole lot about integration lately. From our recent bout at Cisco Toolapalooza, to the great work that’s being done with Meraki, we’re finding that the best way people get comfortable with CloudShark is by incorporating it into their existing tools. There are a great many tools out there that can produce packet captures, and each one can find a different way to get those captures into CloudShark for easier collaboration and management.
We know how life can be when someone else drives your car, and all of your “preferences” - the seat position, mirror views, and your “greatest hits of 1991” satellite radio station are all modified. Or worse, imagine if you had to set them every time you got in the car! We can see how that would be super annoying (like the greatest hits of 1991*).
Fortunately for CloudShark, you can actually configure certain packet capture view preferences and save them so that you’ll see things the way you want to every time you look at a capture.
One of the key features of CloudShark is the ability to share files with colleagues or customers by passing along the URL of the capture file. In the CloudShark Appliance, this is most often done to share files with specific users or groups of your CloudShark system - that is, people who have user accounts on the system.
What do you do in CloudShark Solo, which is built for a single user and doesn’t possess additional users or groups?
CloudShark 1.9 includes the ability to visualize RTP streams and play them back if they contain audio. For SIP calls, CloudShark will automatically decode the conversation as an RTP stream. However, for other protocols RTP will generally use a random port - not immediately apparent to CloudShark.
You can easily work around this using CloudShark’s “decode as” feature, which tells CloudShark to treat data on a given port as a particular protocol of your choice.
It’s been quite amazing so far watching CloudShark evolve from the first stages of CloudShark.org to the full-fledged Appliance for private networks, and finally our Enterprise edition for IT teams, data centers, and service providers. Over that time, we’ve gotten a lot of requests for a private version of CloudShark for users who do not require group or user management, one that can be offered to individuals such as consultants, or to small IT teams, at a lower price point.
One of CloudShark’s main and most useful features is the ability to add annotations to individual packets, or to import packet comments from the pcap-ng format into CloudShark annotations. Not only does this make your own note-taking on your analysis easier, but it also allows you to share your annotations with your colleagues or customers when sharing the capture file URL. They can see your notes and get to the root of the problem faster.
CloudShark 1.9 is here! The big news here is CloudShark’s support for RTP playback of VoIP calls. This is something we’ve been excited about adding to CloudShark for a while - when looking to add tools to CloudShark, we always make sure they are something that can benefit from the power of web technology and aid our users in collaboration on networking problems.
You can see an example capture with all of our new functionality built in here: https://www.
Did you know you could start a 30-day trial of CloudShark for free?
A lot of people have approached us to get a feel for what the CloudShark appliance is like. We made this video to show some of the key features for those who are going through the trial to make sure they get the most out of their experience.
Key CloudShark Features to Try During Your Trial
The Capture Management List
After signing in, your first view will be the capture file list view.
Haven’t got one of our snazzy CloudShark P-Caps yet? Well, how good are your dissector skills?
One of the tools we added in CloudShark 1.7 is the protocol hierarchy tool. Similar to that found in Wireshark, the CloudShark protocol hierarchy tool also lets you click on a given protocol and automatically creates a filter for you based on the packets called out in the hierarchy.
Which, you’ve got to admit, is pretty cool.
The CloudShark team is very pleased to announce CloudShark 1.7, our latest release.
First off, we’ve jazzed up the Protocol Hierarchy tool, letting you automatically create a filter by clicking on a protocol in the viewer. This was based on feedback from our users as it was one of their most often used tools for the first step in their analysis.
In addition, we are proud to launch the first ever “Key Management System”, which allows users to decrypt SSL data and perform analysis without ever needing to give them access to the keys in any way.
CloudShark version 1.6 is here!
In addition to the features you know and love from CloudShark, version 1.6 now supports seamless integration with pcapng, allowing you to import packet-level comments and export CloudShark sessions as pcapng files. We’re also using tshark version 1.8 now on the back end. Check out our video here on how to use the new pcapng features!
(And don’t forget, send us a capture challenge and if we choose it, you’ll win your own “P-Cap”.)
This challenge is now finished! Read the solution below or scroll down to try the challenge for yourself!
The Solution
CloudShark lets you embed your filters directly in the URL. When we view this packet capture file, we are already brought to the view we want to see: in this case, only DNS and ICMP messages.
Why is that? The problem we’re looking to illustrate happens to be an ICMP packet that is tied to a particular DNS response.
Just in time for SHARKFest ‘12, today we’re releasing CloudShark 1.5. This latest release builds on CloudShark’s already powerful ability to let you collaborate on and securely store network captures, adding additional functionality to our upload API, the ability to further customize your view, and the ability to export graphs as images or PDF. Our biggest new feature is the HTTP Requests Analysis Tool, and we’re pretty excited about it!
With the advent of CloudShark Version 1.4, with many enhancements including new graphing features, CloudShark has announced CloudShark Enterprise edition, which includes all of the features of the CloudShark Appliance and adds several key features:
The ability to integrate with existing user management systems, including LDAP and Active Directory
The ability to create and use your own custom Wireshark compatible protocol decodes
The ability to upload from Cisco IOS devices through Cisco’s Embedded Packet Capture
HOMER SIP Capture Server, a robust, carrier grade, 100% open source scalable SIP Capture system and Monitoring Application, has become the first open source application to introduce native support for CloudShark! End users of the application now have the option to upload their captures to cloudshark.org, or to their own CloudShark appliance, where they can be viewed directly in a browser or shared with others via URL.
This is one of the great examples of how easily CloudShark can integrate with existing tools.
We’re happy to announce that the CloudShark plug-in for Wireshark has been released! Download now and start securing, viewing, and sharing your Wireshark captures as they are produced. Or, view our demo video to get a look at the plug-in in action. Happy packet surfing!