Show HN: Wireshark as a web app (cloudshark.org)
164 points by digitalsushi on Feb 21, 2012 | 31 comments



As a network forensic investigator, if I were to upload packet captures to a third-party, I'd almost certainly lose my job - and rightfully so. Now, the appliance looks interesting for collaboration, as long as it stays in my protected environment, but I'm not sure that's necessarily the best way to go about this general task.

Other questions I'd ask: how well does it integrate with SIEMs like ArcSight? What about larger bandwidth needs, like for 10-gig networks? Can I extend the storage? How quickly does it actually search?

I've bookmarked their site for later review.


Good point - I'm not sure what else would make me feel more comfortable, however. Having control of the appliance (VM or otherwise) is good enough for me.


This looks extraordinarily well done. What are you planning on doing with it? I can think of a lot of different use cases.

("How well does it integrate with ArcSight"? Sheesh.)


Why would I want this? When I'm doing protocol analysis I'm usually doing packet capture at the same time, which a web app can't do for me since it's not in my LAN. I've never been in a situation where I ran pcap by itself and then did offline analysis on the data.


I could see a large number of possibilities: remotely debugging network issues, collaboratively reversing a protocol, collaborative forensic analysis, etc.

The ability to make this into a collaborative tool is great -- I'd love to turn this into a protocol reversing tool where I can work with people in real time to figure things out.

Edit: Just noticed it's not open source. That's a real shame, but hopefully someone will use this as inspiration for an open, flexible tool with the same concept.


Sure, that's cool, but a single web app is not the place for that.

Instead, places like GitHub and the like need to get smarter about what they are actually storing and facilitate collaborative analysis that way.


Don't you do remote analysis ever? Have your client/friend/whoever do the capture and send it to you for analysis?

That's at least one use case I can imagine.


Even then, why on earth should I skip my own copy of Wireshark and use CloudShark?


I think its strength is definitely when you are collaborating with other folks. Like a call center of engineers working on a ticket. They could leave little sticky notes per packet. It's definitely meant for a shared environment.


I'm not 100% sure a call-center environment is the best use-case example for this application. I can see it being valuable in extremely small development teams, but the amount of tech that goes into a call center (especially one that makes use of call monitoring/recording systems for QA and KPI refinement/enhancement), having worked in one, almost entirely negates the need to store capture files in the cloud.

Caveat: of course, my comment itself is negated in the case of a call center that has a poorly designed storage network.


I assume you aren't on OS X where Wireshark is fugly, clunky, and takes forever to boot.


But isn't Wireshark fugly and clunky on all platforms? I love the tool, but the UI leaves a lot to be desired. I'm frankly a bit surprised that they opted for copying it instead of remaking it.


Agreed. I use it on Linux and OS X and my only real beef with it on OS X is that it runs under X11. I'd rather the mildly clunky OS X interface where I know where everything is than a totally new foreign web interface. I guess it's just a matter of taste.


Yes. I'm not aware of OS X issues.


Even if it has no use, it's an interesting practical thing to try to do.


For those interested in this type of app, there is also pcapr.net (for example http://pcapr.net/view/4l1c3.b0b/2009/6/4/8/Microsoft-Office-...). The visualization may not be as good as cloudshark.org, but they already have a big community, and a very good search feature. You have to create a free account to enable all features.


This does not capture packets. From the homepage: "CloudShark brings your CAPTURE FILES to the cloud." Presumably so you can link to them; any other uses aren't immediately obvious.


On the other hand, if one can come up with a Wireshark fork that outputs a nice web UI to your local browser, will that be useful to anyone?

I found modern web UI is really much more advance than what existing desktop UI implementation. I was thinking of making a wrapper app around tcpdump/pcap app and generates a nice Web UI for localhost user.


On the other hand, if one can come up with a Wireshark fork that outputs a nice web UI to your local browser, will that be useful to anyone?

Only if you have a better idea on how to display the data, and then I as a user don't care about the technology you use to implement it. Implementing the same UI in HTML/CSS is not more useful than implementing it in a native toolkit.

Oh, and writing it using web technologies might be easier, but there's nothing you can do with them that you can't do with a native desktop implementation, for the simple fact that browsers themselves are native desktop applications.


"I found modern web UI is really much more advance than what existing desktop UI implementation."

That is a rather bizarre claim.


Sorry, bad grammar.

I meant "modern web UI is more advanced than desktop UI".

Like what Jeff Atwood said before in 2007.

http://www.codinghorror.com/blog/2007/06/who-killed-the-desk...


This is a great tool to use with Android smartphones. I can run Wireshark on my phone but all I end up with is a pcap dump file and you can't watch it in real time. There are viewers for Android, but this could make quick uploading and viewing very easy. Going to upload from my phone now to test it out.

Edit: Seems to work really well as viewer for Shark for Android. Although I do agree with the security concerns it's still a very cool product.


If you actually want to run Wireshark on remote traffic (which is what I initially thought this app did) you can do any one of these commands:

http://www.commandlinefu.com/commands/view/4373/analyze-traf...


The bandwidth over time visualization is what makes this most valuable to me vs. normal Wireshark. It made debugging the differences between two different "internet speed test" sites a lot easier (higher latency = slow-start takes longer = lower bandwidth on a new connection):

http://mkjon.es/cloudshark-slow.png http://mkjon.es/cloudshark-fast.png

That being said, I wish it had a demo dataset to work with. I'm kind of regretting uploading packet dumps (even restricted to one remote IP / port) given that they contain my MAC address / my router's MAC address. I don't think I'll use this for much in the future just because pcaps usually contain private data. I guess that's why they charge for the on-site software / device.
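
Added example (not part of the comment above and not CloudShark code): one way to deal with the MAC-address exposure raised in this thread is to pseudonymize Ethernet addresses locally before a capture leaves your network. It assumes a classic libpcap file with Ethernet link type; `pseudonymize_mac`, `scrub_pcap` and `constructed_sample` are hypothetical names, and the sample capture is constructed, not real traffic.

```python
import hashlib
import hmac
import struct

# Classic pcap magics (micro- and nanosecond variants) mapped to struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
LINKTYPE_ETHERNET = 1

def pseudonymize_mac(mac: bytes, key: bytes) -> bytes:
    """Map a unicast MAC to a stable keyed pseudonym; group addresses are kept."""
    if mac[0] & 0x01:  # broadcast/multicast does not identify a device
        return mac
    digest = hmac.new(key, mac, hashlib.sha256).digest()[:6]
    # Set the locally-administered bit and clear the group bit: valid unicast MAC.
    return bytes([(digest[0] | 0x02) & 0xFE]) + digest[1:]

def scrub_pcap(data: bytes, key: bytes) -> bytes:
    """Return a copy of the capture with Ethernet dst/src MACs pseudonymized."""
    endian = MAGICS.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    out = bytearray(data[:24])  # global header is copied unchanged
    offset = 24
    while offset < len(data):
        rec_hdr = data[offset:offset + 16]
        if len(rec_hdr) < 16:
            raise ValueError("truncated record header")
        incl_len = struct.unpack(endian + "IIII", rec_hdr)[2]
        frame = bytearray(data[offset + 16:offset + 16 + incl_len])
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        if incl_len >= 12:  # destination MAC at bytes 0-5, source MAC at 6-11
            frame[0:6] = pseudonymize_mac(bytes(frame[0:6]), key)
            frame[6:12] = pseudonymize_mac(bytes(frame[6:12]), key)
        out += rec_hdr + frame
        offset += 16 + incl_len
    return bytes(out)

def constructed_sample() -> bytes:
    """Constructed one-frame capture: broadcast dst, made-up unicast src."""
    frame = bytes.fromhex("ffffffffffff0011223344550806") + b"\x00" * 28
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return header + record + frame
```

Only the Ethernet header is rewritten: MAC addresses carried inside payloads (ARP, DHCP, IPv6 addresses derived from EUI-64) and everything above layer 2 remain as captured.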


It'd be better if this were open-source, uploading pcaps on a 3rd-party site is pretty scary...


Love the UI! I particularly like how intuitive the range slider is at the top. I see that it's the standard jQuery UI Slider control... how is the chart being generated? I can see it's a dynamic base64 PNG from the server but is that work you did yourselves or is there a library that's doing that? Nice work!


Nice web-based UI for capture files, BUT:

They need a Security story other than "run it on an appliance inside your network." I would also appreciate a single page (unless I missed it) that explains the Analysis value-adds.


Would be an interesting concept to replace Fiddler for HTTP analysis if it captured packets.


Great work here.


Wireshark is too low level unless you are doing hardcore network experiments. Most of the time I found out tcpflow or mitmproxy is more than enough, of coz YMMV.


mitmproxy and tcpflow are great for testing web stuff... not so much iSCSI...



