How to capture an SCAP for Stratoshark
Every action invoked on a Linux server, container, or process running on those systems generates system calls (syscalls). Because syscalls are serviced by the kernel, they can be recorded there into System Capture (SCAP) files. These files can then be read and analysed using open-source tools like Sysdig and Stratoshark to gain insights into system behaviour.
Installing Sysdig
To get started, install Sysdig on your Linux server by running the following command:
curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash
The installation completes in a few seconds. Please note that this demo applies exclusively to Linux servers, as syscall collection is not supported on Windows or macOS.
Reading Live System Calls
To stream live system calls, simply run:
sudo sysdig
If you’re interested in monitoring system calls generated specifically within containers (excluding host processes), use:
sudo sysdig -p "%evt.time %container.name %proc.name %evt.args" container.name!=host
Capturing SCAP Files
To capture system call activity for a set duration, use the timeout command. For example, to capture data for 5 seconds and save it to an SCAP file:
sudo timeout 5 sysdig -w <file-name>.scap
To capture specific event types or monitor particular processes, you can filter the capture like this:
sudo timeout 5 sysdig -w <file-name>.scap evt.type=epoll_pwait and proc.name=kube-apiserver
Reading SCAP Files with Sysdig
Once you have an SCAP file, you can filter and analyse it using Sysdig’s CLI. For instance, to filter events for specific processes such as sandbox-agent or peira, run:
sysdig -r <file-name>.scap proc.name=sandbox-agent or proc.name=peira
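The capture and read-back steps above can be wrapped in a small script so the duration, file name and exit status are checked consistently. This is an added example, not part of the original post: it assumes sysdig is installed as described earlier, and the SCAP_DRY_RUN and SCAP_DEMO variables are its own convention for printing the commands instead of running them.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): a wrapper around the sysdig
# commands shown above. With SCAP_DRY_RUN=1 each function prints the exact
# command it would run, so the logic can be checked without sysdig or root.

# capture_scap DURATION OUTFILE [FILTER...]
# Time-boxed capture: sudo timeout DURATION sysdig -w OUTFILE [FILTER]
capture_scap() {
  cs_duration=$1; cs_outfile=$2; shift 2
  case $cs_duration in
    ''|*[!0-9]*|0) echo "capture_scap: duration must be whole seconds > 0" >&2; return 1 ;;
  esac
  case $cs_outfile in
    *.scap) ;;
    *) echo "capture_scap: output file should end in .scap" >&2; return 1 ;;
  esac
  if [ "${SCAP_DRY_RUN:-0}" = 1 ]; then
    echo "sudo timeout $cs_duration sysdig -w $cs_outfile${1:+ $*}"
    return 0
  fi
  sudo timeout "$cs_duration" sysdig -w "$cs_outfile" "$@"
  cs_rc=$?
  # timeout exits 124 when it stops sysdig at the deadline; that is the
  # normal end of a time-boxed capture, not a failure.
  [ "$cs_rc" -eq 124 ] && cs_rc=0
  return "$cs_rc"
}

# verify_scap FILE: make sure the capture was actually written (exists and
# is non-empty) before handing it to sysdig -r or Stratoshark.
verify_scap() {
  [ -s "$1" ] || { echo "verify_scap: $1 is missing or empty" >&2; return 1; }
}

# read_scap FILE [FILTER...]: replay a capture through the sysdig CLI.
read_scap() {
  rs_infile=$1; shift
  if [ "${SCAP_DRY_RUN:-0}" = 1 ]; then
    echo "sysdig -r $rs_infile${1:+ $*}"
  else
    sysdig -r "$rs_infile" "$@"
  fi
}

# Demo (SCAP_DEMO=1): 5-second container-only capture, checked, then replayed.
if [ "${SCAP_DEMO:-0}" = 1 ]; then
  capture_scap 5 demo.scap container.name!=host &&
    verify_scap demo.scap && read_scap demo.scap proc.name!=sysdig
fi
```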
Visualising SCAP Files with Stratoshark
Stratoshark provides an intuitive graphical interface for exploring SCAP files, offering insights into application-level behaviour. Combining Wireshark’s powerful analysis and filtering capabilities with Falco’s data collection and enrichment, Stratoshark supports the same file format as Sysdig and Falco, ensuring seamless workflow transitions.
- If you prefer analysing SCAP files directly in the Linux terminal, the Sysdig CLI remains your go-to solution.
- For a GUI experience resembling Wireshark, Stratoshark is the ideal tool for your team. It’s available on Windows and macOS. You can also build Stratoshark on Linux using Make, allowing you to explore SCAP files interactively.
If you are not in a position to record your own .scap capture, the Sysdig team have provided example trace files: one for a 502 error in HAProxy, and one for a 404 error used to troubleshoot a leaky file.