CloudShark Support

CloudShark 3.4

Release Type           | Release Number   | Release Date
Original               | CloudShark 3.4   | December 11th, 2017
Maintenance Release #1 | CloudShark 3.4.1 | December 18th, 2017

CloudShark 3.4 December 11th, 2017

Happy Holidays from all of us here at QA Cafe and CloudShark!

We’ve been working on several new features to help with your packet analysis. Whether it’s finding out where in the world packets or malware traffic is coming from, tracking bandwidth at the sub-millisecond level, or tweaking protocol decode preferences to fine-tune your analysis, we’ve made big improvements!

As always, a HUGE thank you to our customers who suggest features, report bugs, and give us amazing feedback about how CloudShark helps them every day. Keep it up everybody!

— CloudShark

New Features and Highlights

GeoIP Mapping

If you’re tracing problems across a world-wide network, or just want to know where traffic and visitors are coming from, CloudShark’s new GeoIP maps will show you where in the world your packets are from.

The analysis tool gives you a map of the world shaded for the number of endpoints, packets, or bytes.

Changing what data is displayed on the map will update the table, and hovering over the graph or the table will highlight the corresponding entry. Clicking on a country will bring you right to the display filter for those packets. And, like everything else in CloudShark, the map can be accessed simply by URL.

See it in action on one of our example traces.

Graphing Improvements

What started as a simple bug report from a customer turned into a minor overhaul of our graphs. CloudShark graphs can now display data to the microsecond level for short-duration captures, and perform much better across a variety of sub-millisecond intervals. Each series is able to generate a whopping 50,000 data points - much more than before.

Custom Protocol Preferences

Experts always need a way to get in under the hood and tinker with the decode engine in specific situations. CloudShark has always provided a mechanism to set system-wide preferences, but they were applied to every file on the system.

CloudShark 3.4 adds a new Custom Protocol Preference dialog box for setting specific low-level protocol preferences and persisting them along with the individual capture file. From within the capture view, click on the new “Profile” drop-down and choose “Protocol Preferences”.

These protocol preferences can be modified to affect behaviors like subdissector reassembly, de-segmenting TCP streams, or enabling the calculation of checksums. Any advanced dissector preference can be set. Preferences are easily searchable and there is documentation displayed for each field.

Simplified RSA Key Dialog

Building on top of improvements in the latest tshark, CloudShark has simplified the RSA decryption dialog box for capture files. Only the key name needs to be specified in order to decrypt packets. The IP/Port/Protocol is not needed.

This should speed up adding decryption rules to capture files.

Upgraded to the latest Tshark

CloudShark 3.4 includes the latest protocols and dissectors from the most recent Wireshark 2.4 release. You can read the Wireshark release notes here.

Threat Assessment Addon

CloudShark Threat Assessment has new GeoIP features built in as well. Threat Maps have been added to highlight which countries resolve back to IP addresses included in alerts. The vectors can be filtered by clicking on the map to zero in on what malware is communicating with what country.

Take a look at this example of a Threat Map.

An issue was also identified where certain alerts were not being correlated with a packet number by Suricata. This would cause the threat vectors to be displayed out of order. CloudShark 3.4 is able to handle this better now.

Any “Threat Details” URLs that have been saved from an earlier version of CloudShark will need to be updated.

Bug fixes and other changes

  • Escape invalid characters from JSON
  • Add timestamps to the log file for easier debugging
  • Fix a bug that prevented exporting a capture file after opening a graph
  • Fix problem calculating display filter from zoomed in section of a graph
  • Threat Vectors are now displayed in the correct chronological order
  • Offline installations no longer enable a remote nginx repository

Upgrade Instructions

Enterprise customers upgrading from a version as old as CloudShark 2.8.x can run the following as root to perform the upgrade:

cloudshark-admin --install-latest

Please read the upgrade instructions if you are upgrading from an older version of CloudShark.

CloudShark Hosted

If you are a CloudShark Hosted customer accessing through, the system has already been upgraded and is running now!

CloudShark 3.4.1 December 18th, 2017

The Custom Protocol Preferences feature introduced in CloudShark 3.4 has a bug that could lead to arbitrary files being overwritten or created on the underlying Linux operating system. The preferences used to define certain types of debug log output from underlying tshark commands could be improperly configured.

CloudShark 3.4.1 addresses this issue by preventing these types of preferences from being used. If you have upgraded to CloudShark 3.4.0, we recommend you upgrade to 3.4.1 now. Customers on the 3.3.x series (and earlier) are not affected.
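
The class of fix described above, sketched as an added example (this is not CloudShark's code): user-supplied protocol preferences are checked against a deny-by-default allowlist before they are turned into tshark `-o name:value` arguments, so preferences that take a file path never reach tshark. The page does not name the affected preferences; Wireshark 2.4's `ssl.debug_file` is used here only as a known file-path preference, and the allowlist contents and function name are assumptions.

```python
import re

_BOOL = re.compile(r"(TRUE|FALSE)", re.IGNORECASE)

# Deny by default: only these preferences may be stored with a capture.
# The names are Wireshark 2.4 preferences; which ones to allow is an
# assumption made for this example.
ALLOWED_PREFS = {
    "tcp.desegment_tcp_streams": _BOOL,
    "tcp.check_checksum": _BOOL,
    "ip.check_checksum": _BOOL,
    "http.desegment_body": _BOOL,
}


def tshark_pref_args(prefs):
    """Split user-supplied preferences into tshark -o arguments and rejects.

    Returns (args, rejected): args is an argv fragment (no shell involved),
    rejected is a list of (name, reason) tuples suitable for an audit log.
    """
    args, rejected = [], []
    for name, value in prefs.items():
        pattern = ALLOWED_PREFS.get(name)
        if pattern is None:
            # Covers file-path preferences (debug logs and the like) and
            # anything unknown, without having to enumerate them.
            rejected.append((name, "preference not on allowlist"))
        elif not isinstance(value, str) or not pattern.fullmatch(value):
            rejected.append((name, "value failed validation"))
        else:
            args += ["-o", f"{name}:{value.upper()}"]
    return args, rejected


# Constructed sample input: two decode settings, one file-path preference,
# and one allowed name with a value that is not a boolean.
SAMPLE = {
    "tcp.desegment_tcp_streams": "true",
    "tcp.check_checksum": "FALSE",
    "ssl.debug_file": "/tmp/debug.log",
    "ip.check_checksum": "yes",
}

if __name__ == "__main__":
    args, rejected = tshark_pref_args(SAMPLE)
    print(["tshark", "-r", "capture.pcap", *args])
    for name, reason in rejected:
        print("rejected:", name, "-", reason)
```

Logging the rejected names gives operators a record of attempts to set preferences outside the allowlist.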

Bug fixes and other changes

  • The 802.11 Wireless column preset has been updated with the correct field name for the SSID. It has changed from wlan_mgt.ssid to simply wlan.ssid.
  • Upgraded to the latest release of our graphing library
  • Prevented XSS when network name resolution is enabled and a malicious hostname is in the system-wide hosts file.
  • Protocol Preferences “default” column value matches the system-default
  • SearchWorkers now run with the correct environment and can use system-wide preferences
  • Fixed an exception in Wireless Decryption that could happen with a heavily corrupted wireless capture

About CloudShark

CloudShark is made by QA Cafe, a technology company based in Portsmouth, NH. Our passion for packet captures has grown out of our other product CDRouter.
