Thursday, June 24, 2010

CloudShark, Another Packet Repository in the Cloud

I've been interested in online packet tools for several years, dating back to my idea for OpenPacket.org, then continuing with Mu Dynamics' cool site Pcapr.net, which I profiled in Traffic Talk 10.

Yesterday I learned of CloudShark, which looks remarkably similar to Wireshark but appears as a Web application.

I generated the picture at right by downloading a trace showing FTP traffic from pcapr.net, then uploading it to CloudShark. Apparently CloudShark renders the trace by invoking Tshark, then building the other Wireshark-like components separately. You can access the trace at this link. CloudShark says:

While the URLs to your decode session are not publicly shared, we make no claims that your data is not viewable by other CloudShark users. For now, if you want to protect sensitive data in your capture files, don't use CloudShark.

Using Tshark is pretty clever, though it exposes the CloudShark back end to the variety of vulnerabilities that get fixed with every new Wireshark release. This is the same concern I had with OpenPacket.org, which limited that site's effectiveness. Incidentally, I have nothing to do with OpenPacket.org now, although there have been rumors that the site will get some attention at some point.

For comparison's sake, I took a screen capture of the same FTP pcap as rendered by Pcapr.net. Personally I think it's a great idea to use a front end that everyone should understand -- i.e., something that looks like Wireshark.

At this point I think CloudShark is more of a novelty and maybe an educational tool. It would be cool if various packet capture repositories joined forces, but I don't see that happening.
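CloudShark's own warning above is the practical point: check a capture for credentials before it leaves your machine. As an added example (not code from this post, from CloudShark or from Pcapr.net), here is a minimal classic-pcap reader that flags FTP USER/PASS commands; it assumes Ethernet framing and builds its own sample packet in memory.

```python
import re
import struct

# Constructed sample: a one-packet classic libpcap file (Ethernet/IPv4/TCP)
# carrying one FTP control-channel line, built in memory so this runs offline.
def build_sample_pcap(payload: bytes, dport: int = 21) -> bytes:
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64,
                       6, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 21]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    frame = b"\x00" * 12 + b"\x08\x00" + ipv4 + tcp + payload  # EtherType IPv4
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1
    return ghdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def iter_tcp_payloads(pcap: bytes):
    """Yield (src, dst, dport, payload) per TCP segment; classic pcap, Ethernet only."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is out of scope)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue                                   # not TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]                  # skip IP options
        dport = struct.unpack("!H", tcp[2:4])[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        yield src, dst, dport, tcp[(tcp[12] >> 4) * 4:]  # skip TCP options

# FTP sends USER and PASS as plain-text lines on the control channel.
CRED_RE = re.compile(rb"^(USER|PASS)[ \t]+(\S+)", re.IGNORECASE | re.MULTILINE)

def find_cleartext_credentials(pcap: bytes) -> list:
    """Return one dict per USER/PASS command found in any TCP payload."""
    hits = []
    for src, dst, dport, payload in iter_tcp_payloads(pcap):
        for m in CRED_RE.finditer(payload):
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "command": m.group(1).upper().decode(),
                         "value": m.group(2).decode(errors="replace")})
    return hits
```

Run it over a real capture (read the file into bytes and pass it to `find_cleartext_credentials`) and extend `CRED_RE` for other cleartext protocols before deciding whether a trace is safe to share.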

3 comments:

Rodrigo "Sp0oKeR" Montoro said...

When I saw CloudShark I imagined how many people will send pcaps with passwords or personal information there =)

stretch said...

I think it's worth noting that CloudShark itself is not a repository (at least, not at the moment). Although certainly not a secure resource, the site isn't intended to catalog and archive uploaded captures, just to display them. I love it.

Martin said...

Wireshark/Tshark both output in PDML (packet description markup language) and even ship with an XML stylesheet to display the XML nicely. If you check out the tshark command line options, you'll see the --stylesheet switch for rendering the XML header with a custom stylesheet. For years now, I've vowed to spend a weekend and use this to write a quick web interface around it, as it wouldn't require that much work. Because while these cloud sites are nice, I need an open-source version to host locally for IR.