Using Stratoshark to explore Azure syscalls
Once you have Stratoshark up and running, you'll see the familiar Wireshark user interface, though now with new options. Like Wireshark, Stratoshark is designed to give you what Wireshark creator Gerald Combs calls "ground truth." By capturing syscalls you can see when your code opens files, makes network connections, uses key system libraries, and much more.
For now, the capture tool requires Linux, but as the community begins to grow around Stratoshark, it's likely to gain support for other OSes, including Windows. Windows' support for eBPF should help here, though with a considerable number of Azure workloads running on Linux, it will be useful anyway.
Captures are made using Falco's libscap and libsinsp libraries, as well as the command-line sysdig tools via SSH. Libscap captures and stores the syscalls from monitored systems, with libsinsp providing tools for parsing events, filtering, and formatting output for use in applications like Stratoshark. Beneath the libraries are kernel modules (where you can install them) and eBPF probes. Cloud services like Azure don't let you install your own kernel modules, unless, of course, you're hosting services on your own custom VM builds.
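To make concrete what "seeing when your code opens files and makes network connections" looks like once syscalls have been captured and formatted by libsinsp or sysdig, here is an added example (not code from the article, from Stratoshark, or from the Falco project). It parses a handful of constructed lines modelled on sysdig's default text output (event number, time, CPU, process name and thread id, enter/exit direction, event type, key=value info), groups file opens, outbound connections and exec'd binaries by process, and flags opens of paths under a constructed watch list. The exact field layout and the watched prefixes are assumptions for illustration; a real capture would be read from a `.scap` file rather than from inline strings.

```python
import re
from collections import defaultdict

# Constructed fixture lines in the shape of sysdig's default text output.
# They are illustrative only, not taken from a real capture.
SAMPLE_EVENTS = [
    "101 10:15:01.000123456 0 python3 (4120) < openat fd=3(<f>/etc/ssh/sshd_config) dirfd=-100(AT_FDCWD) name=/etc/ssh/sshd_config flags=1(O_RDONLY) mode=0 dev=801 ino=12",
    "102 10:15:01.000456789 1 python3 (4120) < connect fd=4(<4t>10.0.0.5:43210->203.0.113.9:443) res=0 addr=203.0.113.9:443",
    "103 10:15:01.001000000 0 curl (4133) < execve res=0 exe=/usr/bin/curl args=-s.http://203.0.113.9/ tid=4133(curl) pid=4133 ptid=4120(python3)",
    "104 10:15:02.000000000 1 sshd (901) < openat fd=5(<f>/var/log/auth.log) dirfd=-100(AT_FDCWD) name=/var/log/auth.log flags=1026(O_APPEND|O_WRONLY) mode=0 dev=801 ino=99",
    "105 10:15:02.500000000 0 sshd (901) > write fd=5(<f>/var/log/auth.log) size=87",
]

# One output line: num time cpu proc (tid) dir type info...
EVENT_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<time>\S+)\s+(?P<cpu>\d+)\s+(?P<proc>\S+)\s+"
    r"\((?P<tid>\d+)\)\s+(?P<dir>[<>])\s+(?P<type>\S+)\s*(?P<info>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")          # key=value tokens in evt.info
REMOTE_RE = re.compile(r"->([^)]+)\)")       # remote endpoint inside an fd tuple
PARENT_RE = re.compile(r"\((\w+)\)")         # parent name inside ptid=NNN(name)


def parse_event(line):
    """Parse one output line into a dict; return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["args"] = dict(KV_RE.findall(ev["info"]))
    return ev


def summarize(lines):
    """Group file opens, outbound connects and exec'd binaries by process name.

    Only exit events ('<') are counted so each syscall is recorded once; an
    execve is credited to the parent named in ptid, since the exiting process
    already carries the new program's name.
    """
    out = defaultdict(lambda: {"files": [], "connections": [], "execs": []})
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["dir"] != "<":
            continue
        a = ev["args"]
        if ev["type"] in ("open", "openat") and "name" in a:
            out[ev["proc"]]["files"].append(a["name"])
        elif ev["type"] == "connect" and "fd" in a:
            r = REMOTE_RE.search(a["fd"])
            if r:
                out[ev["proc"]]["connections"].append(r.group(1))
        elif ev["type"] == "execve" and "exe" in a:
            p = PARENT_RE.search(a.get("ptid", ""))
            owner = p.group(1) if p else ev["proc"]
            out[owner]["execs"].append(a["exe"])
    return dict(out)


# Constructed watch list: paths whose opens are worth a second look.
WATCHED_PREFIXES = ("/etc/ssh/", "/etc/shadow", "/root/.ssh/")


def flag_sensitive_opens(summary, prefixes=WATCHED_PREFIXES):
    """Return (process, path) pairs where a process opened a watched path."""
    return [
        (proc, path)
        for proc, entry in summary.items()
        for path in entry["files"]
        if path.startswith(prefixes)
    ]


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    for proc, entry in s.items():
        print(proc, entry)
    print("watched-path opens:", flag_sensitive_opens(s))
```

Run as-is, the script reports that `python3` read `/etc/ssh/sshd_config`, connected to `203.0.113.9:443` and launched `/usr/bin/curl`, while `sshd` only appended to its log; the same grouping is what a Stratoshark filter on `proc.name` or `fd.name` lets you do interactively.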