
CloudShark Appliance

I’ve been a huge fan of CloudShark ever since it was launched by QA Café back in 2010. I even wrote about CloudShark here when it was first released. I’m always finding unique uses for the web-based service. This includes everything from sharing PCAP files on my blog to viewing PCAPs on my iPad. CloudShark has the potential to make life much better anywhere you don’t have Wireshark but you do have an Internet connection.

 

The only real downside to CloudShark is that there is no guarantee of privacy for uploaded PCAP files. I recently spoke with Joe at QA Café and this is an issue they are aware of, and as a result they’ve developed the CloudShark appliance. This is a standalone instance of CloudShark that you can deploy within your organization so that you can get all of the benefits of CloudShark while keeping sensitive data contained within your packet captures private to only those who need access.

 

I wanted to briefly mention a few of my favorite CloudShark features:

 

View

This may sound a bit odd, but my absolute favorite thing about CloudShark is the ability to view PCAP files on my iPad. Quite honestly, I’ve wanted an iPad for a while but could never talk myself into buying one until I figured out I could use it to view PCAP files. Now I use it for that purpose on a daily basis. CloudShark is compatible with a variety of smartphones and tablets.

 

 

Annotate

I work in a network security monitoring environment so we look at a LOT of PCAP data. Typically, this involves keeping track of a lot of notebooks where I’ve scribbled notes about the contents of capture files. One of the cooler things about CloudShark is the ability to annotate within the capture files. You can even use these annotations to link to other captures.

 

 

Share

I hate sending PCAP files around via e-mail. People rename things, filter things out and then save them, and do other weird things that may result in multiple people looking at different data thinking they may be looking at the same thing. When you upload a PCAP into CloudShark it generates a hyperlink that you can use to share your PCAPs.

 

 

Organize

When you deal with a lot of PCAP files it’s easy to lose track of what you are looking for. CloudShark has a very “Web 2.0” system for tagging packet captures so that they can be easily searched. This feature can be used for organizing in a lot of ways, so you can organize your PCAPs by tagging them by protocol, vulnerability, system, or even investigation case.

 

 

There are a lot of different use cases for the CloudShark appliance depending on the needs of your organization. It can be purchased as hardware with the platform pre-installed on it, or as software that you can install on your own hardware running a Linux-based OS. I saw recently that it was also updated to allow for integration with external LDAP authentication, so that adds some more flexibility to the system overall.

 

You can read more about it at http://appliance.cloudshark.org/.

 

  1. January 3rd, 2012 at 22:54 | #1

    Chris, that rocks, too bad they do not allow for commenting and whatnot on the public version. Nevertheless a pretty neat tool.
