Utilizing Stratoshark to research Azure syscalls
When you’ve obtained Stratoshark up and operating, you’ll see the acquainted Wireshark consumer interface, although now with new choices. Like Wireshark, Stratoshark is designed to offer you what Wireshark creator Gerald Combs calls “a ground-level fact.” By capturing syscalls you’ll be able to see when your code opens information, makes community connections, makes use of key system libraries, and rather more.
For now, the seize instrument requires Linux, however because the neighborhood begins to develop round Stratoshark, it’s more likely to acquire assist for different OSes, together with Home windows. Home windows’ assist for eBPF ought to assist right here, although with a substantial variety of Azure workloads operating on Linux, it will likely be helpful anyway.
Captures are made utilizing Falco’s libscap and libsinsp instruments, in addition to the command-line sysdig instruments by way of SSH. Libscap captures and shops the syscalls from monitored methods, with libsinsp offering instruments for parsing occasions, filtering, and formatting outputs to be used in functions like Stratoshark. Beneath the libraries are kernel modules (the place you’ll be able to set up them) and eBPF probes. Cloud providers like Azure don’t allow you to set up your personal kernel modules—until, after all, you’re internet hosting providers in your personal customized VM builds.
