Traceeshark: Open-source plugin for Wireshark


Traceeshark is a plugin for Wireshark that enables security practitioners to investigate security incidents quickly. It extends Aqua Tracee, an open-source runtime security and forensics tool, by letting users analyze Tracee's kernel-level events and behavioral detections alongside network traffic.

With Traceeshark, users can visually and interactively analyze system activity side by side with network traffic. The tool simplifies complex security investigations by merging Tracee's system event data with Wireshark's packet analysis while preserving the full context of the container and process involved.

“Traceeshark is the first runtime eBPF-based tool for security and forensics. It can capture network activity and syscalls, providing detailed information about cloud-native environments at runtime. Unique features include the ability to analyze system and network activity in one place while enriching network traffic with context from the process that created or received it. Another unique feature is the ability to capture system activity in real time while allowing simultaneous inspection and analysis. For security practitioners, it provides a great advantage, like a Swiss army knife that offers all-in-one functionality,” Assaf Morag, Lead Data Analyst at Aqua Nautilus, told Help Net Security.

Traceeshark key features

  • Unified analysis: View and filter Tracee events side by side with network packets in a single Wireshark session.
  • Enhanced context: Analyze system events alongside network packets with rich contextual information about the originating processes and containers, enabling deeper correlations and insights.
  • Live capture: Perform live captures of Tracee events, streaming them directly into Wireshark from the local machine or from a remote host over SSH.
  • Customizable filters: Use Wireshark's display-filter language to focus on events of interest, with quick filter buttons for common analysis tasks.

Future plans and download

Morag told us that the Traceeshark team aims to accomplish the following:

  • Enrich all events with extra process information (executable image, command line, etc.) taken from other events of the process.
  • Track process relations and allow filtering based on common ancestor processes and other types of process tree paths.
  • Add more advanced statistics and data aggregations.
  • Track related events (file operations, process lifecycle) with the ability to interactively jump from one event to a related one.
  • Allow forensic artifacts created during a remote live capture to be written directly to the recording host.

Traceeshark is available for free on GitHub.
