What is Stratoshark? The Wireshark companion app
Ephemeral cloud workloads, such as containers and VMs, can make it harder to monitor what is happening in your systems. Tools such as Stratoshark address this by capturing and analyzing system-level activity.
Stratoshark definition
Stratoshark is a companion application to Wireshark, designed to analyze system calls and log messages from SCAP files. The open source tool was created by Sysdig and donated to the Wireshark Foundation in 2025.
As cloud environments increasingly rely on Linux for containerized workloads and services, Stratoshark empowers users to troubleshoot, secure, and monitor hosts, containers, and processes by capturing system calls directly from the Linux kernel.
Just as Wireshark enables network teams to analyze packets from PCAP files, Stratoshark captures and interprets system calls using libsinsp and libscap, producing .scap files for in-depth inspection.
Beyond system calls, Stratoshark can ingest cloud audit logs through libscap, the same library used by Sysdig and the open source tool Falco. As an example, with the Falco CloudTrail plugin, Stratoshark retrieves AWS CloudTrail logs from S3, SQS, or SNS for cloud security monitoring.
Stratoshark key features
Some key features of Stratoshark include:
- Real-time system call monitoring: Watch syscalls as they happen to check whether systems are behaving as expected or something suspicious is going on.
- Unified incident workflows: Security teams can use Falco for real-time threat detection and capture incident data in SCAP files for review in Stratoshark for post-incident analysis.
- Cloud log analysis: Review cloud audit logs for a holistic view into suspicious behavior in a container, host, etc.
Stratoshark use cases
Stratoshark is designed to capture system calls to help analyze whether your systems are operating as expected. It generates SCAP files using the open source sysdig command-line tool or by running Stratoshark directly on a Linux system. Stratoshark supports various capture sources, including:
- Falcodump: Captures logs from multiple sources via Falco plugins and Linux syscalls.
- Sshdig: Enables remote system call capture over SSH using Sysdig.
Other use cases include:
- Troubleshooting container or host behavior: Filter for exec/write events and determine why a container keeps crashing or why there is suspicious activity in a host.
- Incident investigations: Perform forensic analysis after an incident by using Stratoshark to review SCAP files generated by Falco or the Sysdig CLI tool.
- Learning experience: Much like Wireshark enables users to understand how networks and protocols work, Stratoshark can help users learn about cloud, hosts, and workloads.
How does Stratoshark work?
If you’re familiar with using Wireshark, then the Stratoshark experience will be much the same. The familiar three-panel UI is there, along with the same filtering and dissection capabilities.
You will open a SCAP file, either generated by Falco or Sysdig tools or created directly in Stratoshark for supported platforms. You’ll be able to see the syscalls made during the capture period.
Each capture will include data about the syscalls made, including process name, container namespace, user ID, etc. Through filtering, you can drill down into specific events to understand what happened.
If Falco plugins are installed, you can correlate the events with cloud logs to get a holistic view into the syscall. Being able to see syscalls and cloud logs together in one tool makes it easier to conduct forensic analysis and better understand what happened.
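As an added example (not Stratoshark's or Sysdig's own code) of the filter-driven drill-down described above, and of the exec/write triage of a crashing container from the use cases, the following Python evaluates a small subset of the sysdig/Falco filter syntax over constructed syscall events. The field names (evt.type, proc.name, container.id, user.uid) follow libsinsp's naming and are an assumption about how the capture labels them.

```python
# Added example, not Stratoshark/Sysdig code: a small evaluator for the
# sysdig/Falco-style filter clauses used to drill into a capture (subset:
# "and"-joined =, !=, in (...)); field names follow libsinsp by assumption.
from typing import Callable, Dict, List
Event = Dict[str, str]

# Constructed sample events, not from a real capture: a shell in container
# abc123 writes a config file and exec's the app, which exits with status 1.
EVENTS: List[Event] = [
    {"evt.num": "1", "evt.type": "execve", "proc.name": "sh", "container.id": "abc123", "user.uid": "0"},
    {"evt.num": "2", "evt.type": "openat", "proc.name": "sh", "container.id": "abc123", "user.uid": "0"},
    {"evt.num": "3", "evt.type": "write", "proc.name": "sh", "container.id": "abc123", "user.uid": "0"},
    {"evt.num": "4", "evt.type": "execve", "proc.name": "app", "container.id": "abc123", "user.uid": "1000"},
    {"evt.num": "5", "evt.type": "write", "proc.name": "app", "container.id": "abc123", "user.uid": "1000"},
    {"evt.num": "6", "evt.type": "procexit", "proc.name": "app", "container.id": "abc123", "user.uid": "1000"},
    {"evt.num": "7", "evt.type": "write", "proc.name": "sshd", "container.id": "host", "user.uid": "0"},
]


def _clause(text: str) -> Callable[[Event], bool]:
    """Compile one clause: 'evt.type in (execve, write)', 'user.uid!=0', 'proc.name=app'."""
    text = text.strip()
    if " in (" in text:
        field, rest = text.split(" in (", 1)
        values = {v.strip() for v in rest.rstrip(")").split(",")}
        return lambda e: e.get(field.strip()) in values
    if "!=" in text:
        field, value = (s.strip() for s in text.split("!=", 1))
        return lambda e: e.get(field) != value
    if "=" in text:
        field, value = (s.strip() for s in text.split("=", 1))
        return lambda e: e.get(field) == value
    raise ValueError(f"unsupported clause: {text!r}")


def apply_filter(events: List[Event], expression: str) -> List[Event]:
    """Return the events matching every 'and'-joined clause of the expression."""
    clauses = [_clause(c) for c in expression.split(" and ")]
    return [e for e in events if all(c(e) for c in clauses)]


def events_before_exit(events: List[Event], container_id: str, n: int = 3) -> List[Event]:
    """Drill-down for a crashing container: the last n exec/write events before its process exited."""
    scoped = apply_filter(events, f"container.id={container_id}")
    exits = [e for e in scoped if e["evt.type"] == "procexit"]
    if not exits:
        return []
    before = [e for e in scoped if int(e["evt.num"]) < int(exits[-1]["evt.num"])]
    return apply_filter(before, "evt.type in (execve, write)")[-n:]
```

Running `events_before_exit(EVENTS, "abc123")` narrows the capture to the config write and the two exec/write events immediately before the exit, which is the kind of evidence you would inspect in the Stratoshark packet-details pane.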
Getting Stratoshark
Current releases for Windows and macOS can be downloaded from Stratoshark’s main website.
Native system call capture is currently unsupported on these platforms, but you can still pull cloud logs. For instance, use the AWS CloudTrail plugin to collect logs from an S3 bucket or SQS/SNS.
To use Stratoshark on Linux, you'll need to build Stratoshark from source. Stratoshark uses the Wireshark build environment and needs libsinsp and libscap from falcosecurity/libs.
Use our getting started guide to get up and running with Stratoshark quickly.
