How to capture an SCAP for Stratoshark

Nigel Douglas
2 min read · Jan 13, 2025


Nearly every action a process performs on a Linux server or inside a container is carried out through a system call (syscall). Because syscalls are observed directly at the kernel, they can be recorded into System Capture (SCAP) files. These files can then be read and analysed with open-source tools such as Sysdig and Stratoshark to understand what the system was doing.

Installing Sysdig

To get started, install Sysdig on your Linux server by running the following command (if your policy does not allow piping a remote script straight into a root shell, download the script first, review it, and then run it):

curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash

The installation completes in a few seconds. Please note that this demo applies exclusively to Linux servers, as syscall collection is not supported on Windows or macOS.

Reading Live System Calls

To stream live system calls, simply run:

sudo sysdig

If you’re interested in monitoring system calls generated specifically within containers (excluding host processes), use:

sudo sysdig -p "%evt.time %container.name %proc.name %evt.args" container.name!=host

Capturing SCAP Files

To capture system call activity for a set duration, use the timeout command. For example, to capture data for 5 seconds and save it to an SCAP file:

sudo timeout 5 sysdig -w <file-name>.scap

To capture specific event types or monitor particular processes, you can filter the capture like this:

sudo timeout 5 sysdig -w <file-name>.scap evt.type=epoll_pwait and proc.name=kube-apiserver

Reading SCAP Files with Sysdig

Once you have an SCAP file, you can filter and analyse it using Sysdig’s CLI. For instance, to filter events for specific processes such as sandbox-agent or peira, run:

sysdig -r <file-name>.scap proc.name=sandbox-agent or proc.name=peira
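
The commands above are one-liners typed by hand. As an added example (not from the original post), the helper below wraps the timed capture into a function with basic argument checks, and summarises the text stream produced by the container-only `sudo sysdig -p "%evt.time %container.name %proc.name %evt.args" ...` command per container and process. The sample stream lines are constructed for illustration and do not come from a real capture.

```sh
#!/bin/sh
set -u

# capture_scap DURATION OUTFILE [FILTER ...]
# Wraps "sudo timeout DURATION sysdig -w OUTFILE FILTER" from the post, refusing
# non-numeric durations and never overwriting an existing capture.
capture_scap() {
    duration=$1
    out=$2
    shift 2
    case $duration in
        ''|*[!0-9]*) echo "duration must be a whole number of seconds" >&2; return 2 ;;
    esac
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing capture $out" >&2
        return 2
    fi
    command -v sysdig >/dev/null 2>&1 || { echo "sysdig is not installed" >&2; return 127; }
    # Remaining arguments are passed through unchanged as the sysdig filter,
    # e.g. evt.type=epoll_pwait and proc.name=kube-apiserver
    sudo timeout "$duration" sysdig -w "$out" "$@"
}

# summarise_stream < FILE
# Reads lines in the format "%evt.time %container.name %proc.name %evt.args"
# (the -p format used above, saved to a file with shell redirection) and prints
# "count container process", most frequent pair first.
summarise_stream() {
    awk '{ seen[$2 " " $3]++ } END { for (k in seen) print seen[k], k }' | sort -rn
}

# sample_stream: constructed lines in the same format, used to demonstrate
# summarise_stream without a live capture.
sample_stream() {
    cat <<'EOF'
10:15:01.000100000 nginx nginx fd=4(<4t>10.0.0.5:80->10.0.0.9:51234) size=512
10:15:01.000200000 redis redis-server fd=6(<f>/data/dump.rdb) size=4096
10:15:01.000300000 nginx nginx fd=4(<4t>10.0.0.5:80->10.0.0.9:51234) size=128
10:15:01.000400000 sidecar envoy fd=9(<4t>10.0.0.5:15001->10.0.0.7:8080) size=64
10:15:01.000500000 nginx nginx fd=5(<f>/var/log/nginx/access.log) size=96
10:15:01.000600000 redis redis-server fd=6(<f>/data/dump.rdb) size=2048
EOF
}
```

Run `sudo sysdig -p "%evt.time %container.name %proc.name %evt.args" container.name!=host > stream.txt` for a few seconds, then `summarise_stream < stream.txt` to see which container and process pair generated the most events.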

Visualising SCAP Files with Stratoshark

Stratoshark provides an intuitive graphical interface for exploring SCAP files, offering insights into application-level behaviour. Combining Wireshark’s powerful analysis and filtering capabilities with Falco’s data collection and enrichment, Stratoshark supports the same file format as Sysdig and Falco, ensuring seamless workflow transitions.

  • If you prefer analysing SCAP files directly in the Linux terminal, the Sysdig CLI remains your go-to solution.
    [Screenshot: Sysdig CLI live capture]
  • For a GUI experience resembling Wireshark, Stratoshark is the ideal tool for your team. It’s available on Windows and macOS. You can also build Stratoshark on Linux using Make, allowing you to explore SCAP files interactively.
    [Screenshot: Stratoshark user interface]

If you are not in a position to record your own .scap capture, the Sysdig team has provided example trace files for a 502 error in HAProxy, as well as a 404 error for troubleshooting a leaky file.
