Traceeshark: Linux Runtime Security Monitoring Meets Wireshark
What is Traceeshark?
Traceeshark brings the world of Linux runtime security monitoring and advanced system tracing to the familiar and ubiquitous network analysis tool Wireshark.
Using Traceeshark, you can load Tracee captures in JSON format into Wireshark, and analyze them using Wireshark’s advanced display and filtering capabilities.
Traceeshark also lets you analyze system events side by side with network packets captured by Tracee, which carry rich context about the system process and container they belong to.
Another feature of Traceeshark is the ability to capture events using Tracee directly from Wireshark and have them stream in like a network capture. This can be done locally on a Linux machine running Wireshark, semi-locally using Docker Desktop’s VM on Windows and Mac, or remotely over SSH.
For an overview of Traceeshark and an example of how it can be used for malware analysis, you can read Go deeper: Linux runtime visibility meets Wireshark.
Basic usage
When using Traceeshark for the first time, the Tracee configuration profile should be applied. The profile defines the custom column view, the event colors and some quick-filter buttons. Go to Edit -> Configuration Profiles… and select the Tracee profile.
After that, any file containing Tracee events in JSON format can be loaded into Wireshark, or the live capture feature can be used to capture Tracee events directly from Wireshark.
If you know how to use Wireshark, using Traceeshark should feel natural. If you don’t have experience with Wireshark, the Wireshark User Guide is a good starting point; Chapter 3 (User Interface) and Chapter 6 (Working With Captured Packets) are particularly useful.
To use Traceeshark effectively, it is recommended to familiarize yourself with Tracee. If you are only planning to use Traceeshark’s live capture feature, there is no need to learn how to use Tracee’s command line.
Most of Traceeshark’s features are easy to explore by yourself. For a comprehensive explanation about all features, see docs/features.md.