Aqua Security today unveiled Traceeshark, an innovative plugin for Wireshark that enables security practitioners to quickly investigate security incidents. Traceeshark enhances the capabilities of Aqua Tracee, an open-source runtime security and forensics tool for Linux, and empowers users to analyze kernel-level events and behavioral detections alongside network traffic, offering a seamless and interactive analysis experience.
Aqua Tracee leverages eBPF technology to trace systems and applications at runtime and detect suspicious behaviors. However, analyzing the vast amount of data generated by Tracee has traditionally been a manual and labor-intensive process. Traceeshark revolutionizes this process by integrating with Wireshark, a network protocol analyzer, and leveraging its advanced investigation and filtering capabilities.
With Traceeshark, users can now visually and interactively analyze system activity alongside network traffic events, gaining insight into both system and network activity. Traceeshark simplifies complex security investigations by merging Tracee's system event data with network packet analysis, with full container and process context attached to each event.
“Traceeshark opens up a whole new world of capabilities for dynamic analysis of Linux malware, forensics, kernel hacking and more,” said Idan Revivo, VP Cyber Security Research of Aqua Security. “We are excited to provide security practitioners and developers with this new tool as part of our ongoing commitment to open source innovation and community collaboration. By providing powerful and accessible tools like Traceeshark, we can continue to drive the security industry forward.”
Key features of Traceeshark include:
- Unified Analysis: View and filter Tracee events side by side with network packets.
- Enhanced Context: Analyze system events alongside network packets with rich contextual information about system processes and containers, enabling deeper correlations and insights.
- Live Capture: Perform live captures of Tracee events, streaming them directly into Wireshark, whether locally or remotely over SSH.
- Customizable Filters: Utilize Wireshark's advanced filtering capabilities to focus on events of interest, with quick filter buttons for common analysis tasks.