What is Stratoshark?


Stratoshark is a companion application to Wireshark, designed to analyze system calls and log messages from SCAP files. As cloud environments increasingly rely on Linux for containerized workloads and services, Stratoshark empowers users to troubleshoot, secure, and monitor hosts, containers, and processes by capturing system calls directly from the Linux kernel.


What you'll learn

  • What Stratoshark is and what it's used for

  • How to capture system calls with Stratoshark

  • Where to get started with Stratoshark


Just as Wireshark enables network teams to analyze packets from PCAP files, Stratoshark captures and interprets system calls using libsinsp and libscap, producing .scap files for in-depth inspection.

Beyond system calls, Stratoshark can ingest cloud audit logs through libscap, the same library used by Sysdig and Falco. With the Falco CloudTrail plugin, Stratoshark retrieves AWS CloudTrail logs from S3, SQS, or SNS for cloud security monitoring.

Capturing System Calls

You can generate SCAP files with the open-source sysdig command-line tool or by running Stratoshark directly on a Linux system. Stratoshark supports several capture sources, including:

  • Falcodump: Captures logs from multiple sources via Falco plugins and Linux syscalls.
  • Sshdig: Enables remote system call capture over SSH using Sysdig.
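The sysdig route described above, as an added example that is not part of the original article or the Stratoshark project: a small POSIX shell script that captures the system calls of one container for a fixed number of seconds into a .scap file (the format Stratoshark opens), then reads the capture back to list process executions. It assumes sysdig is installed with its kernel driver loaded, that the script runs with root privileges, and that the container name, duration and output directory are supplied by the caller; the function names are the script's own.

```shell
#!/bin/sh
# Added example (not from the Stratoshark project): capture system calls for
# one container with the sysdig CLI into a .scap file that Stratoshark can open,
# then print the execve events recorded in the capture.
# Assumes sysdig is installed, its driver is loaded, and the script runs as root.

set -eu

# Compose a sysdig filter from a container name and an optional process name.
build_filter() {
    container="$1"
    proc="${2:-}"
    filter="container.name=$container"
    if [ -n "$proc" ]; then
        filter="$filter and proc.name=$proc"
    fi
    printf '%s' "$filter"
}

# Accept only a positive integer number of seconds for the capture length.
valid_duration() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        0) return 1 ;;
        *) return 0 ;;
    esac
}

# Derive the capture file path; the timestamp is passed in so the result is
# reproducible (the caller normally supplies `date +%Y%m%d-%H%M%S`).
capture_path() {
    outdir="$1"
    container="$2"
    stamp="$3"
    printf '%s/%s-%s.scap' "$outdir" "$container" "$stamp"
}

# Run the capture: -M stops after N seconds, -w writes the .scap file,
# and the trailing argument is the event filter.
capture_container() {
    container="$1"
    seconds="$2"
    outdir="$3"
    proc="${4:-}"
    valid_duration "$seconds" || { echo "duration must be a positive integer" >&2; return 2; }
    out=$(capture_path "$outdir" "$container" "$(date +%Y%m%d-%H%M%S)")
    mkdir -p "$outdir"
    sysdig -M "$seconds" -w "$out" "$(build_filter "$container" "$proc")"
    echo "$out"
}

# Read a capture back and list completed execve calls with their command
# lines; the same file can be opened in Stratoshark for full inspection.
list_execs() {
    sysdig -r "$1" -p '%evt.time %proc.name %proc.cmdline' 'evt.type=execve and evt.dir=<'
}

if [ "${1:-}" = "--run" ]; then
    # usage: ./capture.sh --run <container> <seconds> <outdir> [proc]
    shift
    file=$(capture_container "$@")
    list_execs "$file"
fi
```

Bounding the capture with -M and a container filter keeps the .scap file small enough to open comfortably in Stratoshark; without a filter, a busy host produces gigabytes of events in minutes.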

Getting Stratoshark

Development packages for Windows and macOS can be downloaded from Wireshark’s automated builds. However, native system call captures are currently unsupported on these platforms. To use Stratoshark on Linux, you’ll need to build Stratoshark from source.

Stratoshark brings familiar packet analysis workflows to Linux and cloud environments — bridging the gap between network and system-level observability.
