| Release Type | Release Number | Release Date |
|---|---|---|
| Original | CloudShark 3.4 | December 11th, 2017 |
| Maintenance Release #1 | CloudShark 3.4.1 | December 18th, 2017 |
We’ve been working on several new features to help with your packet analysis. Whether it’s finding out where in the world packets or malware traffic is coming from, or tracking bandwidth at the sub-millisecond level, or tweaking protocol decode preferences to fine tune your analysis, we’ve made big improvements!
As always, a HUGE thank you to our customers who suggest features, report bugs, and give us amazing feedback about how CloudShark helps them every day. Keep it up everybody!
If you’re tracing problems across a world-wide network, or just want to know where traffic and visitors are coming from, CloudShark’s new GeoIP maps will show you where in the world your packets are from.
The analysis tool gives you a map of the world shaded for the number of endpoints, packets, or bytes.
Changing what data is displayed on the map will update the table, and hovering over the graph or the table will highlight the corresponding entry. Clicking on a country will bring you right to the display filter for those packets. And, like everything else in CloudShark, the map can be accessed simply by URL.
See it in action on one of our example traces.
What started as a simple bug report from a customer turned into a minor overhaul of our graphs. CloudShark graphs can now display data at the microsecond level for short-duration captures, and perform much better across a variety of sub-millisecond intervals. Each series is able to generate a whopping 50,000 data points, many more than before.
Experts always need a way to get in under the hood and tinker with the decode engine in specific situations. CloudShark has always provided a mechanism to set system-wide preferences, but they were applied to every file on the system.
CloudShark 3.4 adds a new Custom Protocol Preference dialog box for setting specific low-level protocol preferences and persisting them along with the individual capture file. From within the capture view, click on the new “Profile” drop-down and choose “Protocol Preferences”.
These protocol preferences can be modified to affect behaviors like subdissector reassembly, de-segmenting TCP streams, or enabling the calculation of checksums. Any advanced dissector preference can be set. Preferences are easily searchable and there is documentation displayed for each field.
Building on top of improvements in the latest tshark, CloudShark has simplified the RSA decryption dialog box for capture files. Only the key name needs to be specified in order to decrypt packets. The IP/Port/Protocol is not needed.
This should speed up adding decryption rules to capture files.
CloudShark 3.4 includes the latest protocols and dissectors from the most recent Wireshark 2.4 release. You can read the Wireshark release notes here.
CloudShark Threat Assessment has new GeoIP features built in as well. Threat Maps have been added to highlight which countries the IP addresses included in alerts resolve back to. The vectors can be filtered by clicking on the map to zero in on which malware is communicating with which country.
Take a look at this example of a Threat Map.
An issue was also identified where certain alerts were not being correlated with a packet number by Suricata. This would cause the threat vectors to be displayed out of order. CloudShark 3.4 handles this better now.
Any “Threat Details” URLs that have been saved from an earlier version of CloudShark will need to be updated.
Enterprise customers upgrading from a version as old as CloudShark 2.8.x can run the following as root to perform the upgrade:
Please read the upgrade instructions if you are upgrading from an older version of CloudShark.
If you are a CloudShark Hosted customer accessing through https://www.cloudshark.org, the system has already been upgraded and is running now!
The Custom Protocol Preferences feature introduced in CloudShark 3.4 has a bug that could lead to overwriting or the creation of arbitrary files on the underlying Linux operating system. The preferences used to define certain types of debug log output from the underlying tshark commands could be improperly configured.
CloudShark 3.4.1 addresses this issue by preventing these types of preferences from being used. If you have upgraded to CloudShark 3.4.0, we recommend you upgrade to 3.4.1 now. Customers on the 3.3.x series (and earlier) are not affected.
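The per-capture preference feature above passes user-chosen protocol preferences down to tshark, and the 3.4.0 bug shows why those names need a strict gate before they reach the command line. The following is an added example of such a gate, not CloudShark's own code: the allowlist of preference names, the permitted values and the denied-name patterns are assumptions made for illustration; the tshark `-o name:value` override switch is real.

```python
import re

# Hypothetical allowlist: the only preferences a per-capture profile may
# override, each with a fixed set of permitted values. Names are real
# Wireshark/tshark preferences; the policy of allowing just these is assumed.
ALLOWED_PREFS = {
    "tcp.desegment_tcp_streams": {"TRUE", "FALSE"},
    "tcp.check_checksum": {"TRUE", "FALSE"},
    "ip.check_checksum": {"TRUE", "FALSE"},
}

# Constructed denylist: any preference whose last component looks like it
# steers debug/log/file output is refused outright, even before the
# allowlist is consulted, so the refusal is explicit in the error message.
DENIED_NAME_RE = re.compile(r"(^|\.)(debug|log|file|path|dir)\w*$", re.I)

# Preference names are dotted lowercase identifiers; anything else (spaces,
# slashes, quotes) is rejected rather than passed on to tshark.
PREF_NAME_RE = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_]+)+$")


class PreferenceError(ValueError):
    """Raised when a user-supplied preference must not reach tshark."""


def validate_prefs(prefs):
    """Return a sanitised {name: value} dict or raise PreferenceError."""
    clean = {}
    for name, value in prefs.items():
        if not PREF_NAME_RE.match(name):
            raise PreferenceError(f"malformed preference name: {name!r}")
        if DENIED_NAME_RE.search(name):
            raise PreferenceError(f"file/log preference not permitted: {name!r}")
        allowed_values = ALLOWED_PREFS.get(name)
        if allowed_values is None:
            raise PreferenceError(f"preference not in allowlist: {name!r}")
        if value not in allowed_values:
            raise PreferenceError(f"bad value for {name}: {value!r}")
        clean[name] = value
    return clean


def build_tshark_argv(capture_path, prefs):
    """Build an argv list (never a shell string) with one '-o name:value'
    per validated preference, so a value cannot smuggle in extra arguments."""
    argv = ["tshark", "-r", capture_path]
    for name, value in sorted(validate_prefs(prefs).items()):
        argv += ["-o", f"{name}:{value}"]
    return argv
```

Run the resulting argv with `subprocess.run(argv)` rather than through a shell; the allowlist is what prevents a stored profile from naming a file on disk.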