CloudShark Support

CloudShark Administration Menu

The admin user and other members of the Admin group are the only users with access to the ‘Administration’ drop-down menu available in the top right corner of the CloudShark appliance web interface. This section contains a description of all system level preferences and administration options available in the Administration menu, including:

  • Overview
  • Settings
  • Users
  • Groups
  • Tags
  • RSA Keys (added in release 1.7)
  • Auto-Imports
  • API Tokens
  • Activity
  • License Info

The Administration menu will also be displayed in the left margin when viewing other admin-related pages.

Overview

The Overview page can be accessed by clicking Overview in the Administration menu. This page provides a quick summary of the CloudShark system and includes various status and activity indicators.

The chart on the Overview page is interactive. Clicking on an upload or view data point in the chart will open a filtered File Index or Activity page, respectively, showing only the uploads or views for that particular date.

Settings

The Settings page can be accessed by clicking Settings in the Administration menu. This page allows different system wide settings to be modified, including:

  • System Name: the system name is initially inherited from the Linux hostname. The system name is useful for uniquely identifying a CloudShark system, and is displayed in the top left corner of the user interface and in the browser title bar.

  • Guest Access: disabled by default. A guest is a visitor without a CloudShark user account. With guest access disabled, all users must log in to view or upload capture files. When guest access is enabled, guests are allowed to view and optionally upload capture files based on the Guest Upload option.

  • Public Files: by default, capture files and tags are indexed by CloudShark in the capture index page for all users. Setting this value to Hide public captures hides captures that are not owned by the user or their group, so capture files from unrelated users and groups are not listed in the capture index. This allows a CloudShark administrator to host unrelated groups of users without exposing their capture files to each other. Attention: a public file, that is, one that does not require CloudShark authentication to view, is still viewable by anyone who knows its URL. This setting only changes whether or not users can see each other's files in the index.

  • Guest Upload: by default, guests are only allowed to view capture files that have been shared by other CloudShark users; they are not allowed to upload capture files. When enabled, guests are allowed to upload capture files in addition to viewing capture files that have been shared by CloudShark users.

  • Maximum File Size: by default CloudShark will allow captures up to 2 GB in size to be uploaded and viewed. This file size limit may affect performance. Please see our system requirements for more information on tuning this setting based on your system.

  • Download Original: by default CloudShark users are able to download the original source capture files directly from the decoder window. In certain situations it may be desirable to prevent users from downloading the original source capture files. This setting globally enables or disables original source file download functionality with CloudShark.

  • Blocked Types: you can specify file types that you do not wish users to upload. This is convenient when CloudShark is on a public network. Frame-based audio, image, and movie files such as MP3, JPEG, and MPEG are supported for decoding by CloudShark and so are valid files to upload. Because of CloudShark's “Download Original” feature, this can allow CloudShark to be used as a repository for sharing these files. With the Blocked Types option, you can control the types of files CloudShark will accept in the manner that best suits your needs. You can learn the file type CloudShark expects by using the ‘capinfos’ tool on a file you wish to block and inspecting the “File type” output.

External Authentication

CloudShark supports a hybrid of local and external user authentication. By default external authentication is disabled and all users are authenticated against CloudShark’s local database. More information on configuring CloudShark for external user authentication can be found in our External Authentication article.

Users

A user is a discrete entity that can log into CloudShark and own capture files. A capture file is always owned by a single user. Files cannot be orphaned – they are deleted or reassigned if a user is deleted.

To add a new user to the CloudShark appliance, click Users in the Administration menu and then click the Create a new user button. A pop-up box will ask for the following information associated with that user:

  • Login
  • Full name
  • Enabled (yes or no)
  • Authentication (local or external)
  • Password and password confirmation
  • Groups
  • Upload (controls whether or not the user can upload files)

Users can be deleted by clicking and confirming the ‘delete’ link for a specific user in the Users table. All of the capture files owned by a user must be either deleted or reassigned to another user when that user is deleted.

Please visit the article discussing Users & Groups for more detail.

Groups

Users can also be organized into groups. By default CloudShark is configured with a single Admin group containing a single user (the admin user, discussed in the previous section). CloudShark groups exist locally on the system and help define sets of users who want to share access to capture files.

Please visit the article discussing Users & Groups for more detail.

Tags

Tags are descriptive text strings that are associated with capture files. Their purpose is undefined, so users are able to create their own uses. Tags are useful for organizing capture files and highlighting specific characteristics.

Existing tags can be bulk-edited by clicking the Tags link in the left margin of the Administration menu. To globally modify a tag, click the tag name, and a dialog box will appear allowing the tag to be renamed or deleted. Note that renaming or deleting tags that are associated with a large number of capture files may take some time to complete.

RSA Keys

RSA keys can be used to decrypt SSL traffic within a capture file.

RSA keys are imported and managed by admin users and can be shared with other users and/or groups.

Auto-Imports

CloudShark includes a service called Auto-Imports. This service will monitor a list of local file directories for capture file uploads and automatically add them to CloudShark.

To set up a directory as an auto-import directory, click the Auto-Imports page in the left Administration menu. Up to five directories may be defined. Each directory can be configured with a default list of tags, which will be automatically applied to any capture file processed. An existing group and user may be selected as the owner of the capture file as well.

Directory requirements: both the directory and the file to be imported must be readable by the ‘cloudshark’ system account. The permissions must be set on the file before it is copied or moved into the directory, because CloudShark will process the file immediately upon creation. Fixing the permissions with a subsequent command will not work, because CloudShark will have already marked the file as unreadable.

These directories must be local to CloudShark. Remote file systems such as SMB and NFS will not trigger the Linux kernel’s inotify event, which the Auto-Imports service utilizes.
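A delivery routine that follows the directory requirements above, shown as an added example (not CloudShark's own code): it fixes permissions on a staged copy and then renames the file into the watched directory. The function names, the separate staging directory and the default mode 0644 are assumptions; a tighter mode such as 0640 also works if the cloudshark account belongs to the file's group.

```shell
#!/bin/sh
# Added example (not CloudShark code). Delivers a capture so that it first
# appears in the Auto-Import directory complete and already readable.

# on_remote_fs DIR: true when DIR is on NFS or SMB/CIFS, where inotify
# events are not triggered and the import would never start.
on_remote_fs() {
    case "$(stat -f -c %T "$1")" in
        nfs*|cifs|smb*) return 0 ;;
        *) return 1 ;;
    esac
}

# deliver_capture SRC IMPORT_DIR STAGE_DIR [MODE]
# STAGE_DIR must lie outside every watched directory.
# Returns 0 on success, 2 bad arguments, 3 remote filesystem,
# 4 staging directory on another filesystem, 5 copy/chmod/move failure.
deliver_capture() {
    src=$1 import_dir=$2 stage_dir=$3 mode=${4:-0644}
    [ -r "$src" ] && [ -d "$import_dir" ] && [ -d "$stage_dir" ] || return 2
    if on_remote_fs "$import_dir"; then return 3; fi
    # Same device number means mv is a rename(2): the file shows up in the
    # watched directory in one step instead of being created and then filled.
    [ "$(stat -c %d "$stage_dir")" = "$(stat -c %d "$import_dir")" ] || return 4
    tmp="$stage_dir/$(basename "$src")"
    # Permissions are fixed on the staged copy, before CloudShark can see it.
    if cp -- "$src" "$tmp" && chmod "$mode" "$tmp" && mv -- "$tmp" "$import_dir/"
    then
        return 0
    fi
    rm -f -- "$tmp"
    return 5
}
```

Call it as `deliver_capture trace.cap /auto-imports /path/to/staging`, where the staging path is a directory on the same filesystem as the Auto-Import directory.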

CloudShark can reprocess a capture file if the timestamp changes. The touch system command will perform this task. For example, to make CloudShark reprocess every capture file in /auto-imports:

cd /auto-imports
touch *.cap

Remove files after import

If the Auto-Import location is used purely to catch files as they are added to CloudShark, you may mark files to be deleted after they are imported. Internally this is implemented as a “move” command, which has added performance benefits if the Auto-Import directory and internal capture storage directories are on the same physical disk.

If the cloudshark system account does not have write permissions on the directory itself, then the files will not be able to be removed. Starting in CloudShark 3.5 this no longer causes the upload to fail.

API Tokens

Please see the Web API Guide for more information on API Tokens.

Activity

The admin user can view event logs for the system by clicking on the Activity page in the Administration menu. The activity logs are useful for auditing purposes and can be filtered by:

  • Date: the date a certain event occurred
  • User: the CloudShark user associated with an event
  • Message: the event description
  • Location: the user’s IP address
  • Capture: the capture file ID
  • Type:
      • Annotation: annotation related events
      • Download: original source file download events
      • File: capture file upload or modify events
      • Info: generic system events
      • Tag: tag add or remove events
      • View: capture file view events

License Info

The License Info page displays licensing information for the CloudShark appliance, including the system ID, support expiration date, and registration details. This data is provided for information only. In some cases CloudShark Support may ask for some or all of the information provided on this page.

Capture File Index

After logging in, Admin users will have access to all capture files currently loaded on the CloudShark appliance, regardless of owner, through the capture file index. Admin users can navigate back to the capture file index at any time by clicking on the CloudShark Appliance link in the top left corner.

Clicking on a row in the capture file index will open the selected file in the decoder window, where it can be analyzed and annotated. Admin users, in addition to the file owner and other users with the necessary permissions, can also perform the following actions on one or multiple capture files:

  • Delete
  • Add or modify tags
  • Add or modify comments
  • Modify sharing and permissions attributes
  • Change owner
  • Change group
  • Change read/write permissions for group members
  • Make file public, if guest access is enabled

In addition, admin users can also import new capture files, search for existing capture files, and modify the capture file index table display options. Please see the User Guide article for more information.

About CloudShark

CloudShark is made by QA Cafe, a technology company based in Portsmouth, NH. Our passion for packet captures has grown out of our other product CDRouter.
