Release | Date
CloudShark 2.5.2754 | March 17, 2015
Maintenance Release #1 | March 19, 2015
Maintenance Release #2 | March 25, 2015
Maintenance Release #3 | April 21, 2015
CloudShark 2.5.2754 March 17, 2015
CloudShark 2.5 is here!
It’s been a long cold winter here in the Northeast United States, and we are so happy to start seeing signs of Spring. Since we’ve been stuck inside the last few months, we’ve been hard at work on a bunch of new features and improvements to CloudShark. It’s quite a list, and we’re proud of this latest release!
— The CloudShark Team
New Features and Highlights
Need to know who’s sending the most traffic in a capture? Receiving the most? CloudShark now includes a new Endpoints tool that lets you look at the packet and byte counts for your top IPv4, IPv6, Ethernet, and TCP/UDP endpoints. Sort on any field, and share the URL. Click on a row to filter your capture file down to just what you’re looking for.
Learn more about the new Endpoints tool.
As an addition to the Endpoints tool, CloudShark 2.5 includes the MaxMind GeoLite databases for City, Country, and ISP. This allows CloudShark to map IP addresses in your captures to locations in the world. Even better, locations are display filter compatible so you can link to them just like any other filter.
Learn more about geolocation in CloudShark.
HTTP Analysis Improvements
CloudShark’s HTTP Analysis tool has been dusted off and given a little bit of a facelift. It’s now much easier to perform all the available HTTP analysis from within the default dialog box. This has also given us space to include a link to the new HTTP Object Forensics:
See all the improvements.
HTTP Object Forensics
Ever have a trace and need to view the pages, images, and other files that had been transferred via HTTP? CloudShark can now export HTTP objects from inside of capture files. Preview documents, scripts, images, videos and audio right in your browser – or download any captured asset to your local machine for further analysis.
Learn more about HTTP Object forensics.
Keylog-based SSL Decryption
With more and more web traffic being encrypted, it becomes necessary to decrypt the data before performing any analysis at the application layer. CloudShark 2.5 now lets you specify a client keylog file containing the session-id and master key for encrypted traffic. With that information, it is possible to decrypt that traffic from the client’s point of view without the need for the server’s private key!
Learn more about decrypting SSL in CloudShark.
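A client keylog file is only useful to a decryptor if each line carries a complete lookup value and a full-length secret, and a single bad line can silently stop decryption. The following is an added example (not CloudShark's code) of a small validator for the two client keylog line styles in common use: the NSS-style `CLIENT_RANDOM <client random> <master secret>` line that browsers write via SSLKEYLOGFILE, the `RSA <encrypted premaster prefix> <premaster secret>` variant, and the `RSA Session-ID:<hex> Master-Key:<hex>` line that `openssl s_client` prints, which matches the session-id/master-key pairing described above. The sample keylog content is constructed with placeholder values and includes two deliberately broken lines so that the reported problems can be seen.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

MASTER_LEN = 48   # TLS master secret / premaster secret length in bytes
RANDOM_LEN = 32   # ClientHello random length in bytes
RSA_PREFIX_LEN = 8  # NSS "RSA" lines carry the first 8 bytes of the encrypted premaster


class KeylogEntry(NamedTuple):
    kind: str        # "CLIENT_RANDOM", "RSA" or "SESSION_ID"
    lookup: bytes    # value the decryptor matches against the captured handshake
    secret: bytes    # 48-byte master (or premaster) secret
    line_no: int


_HEX = re.compile(r"^[0-9a-fA-F]+$")


def _hex_field(text: str, expected_len: Optional[int], what: str, line_no: int) -> bytes:
    """Decode a hex field, rejecting non-hex input and wrong lengths."""
    if not _HEX.match(text) or len(text) % 2:
        raise ValueError(f"line {line_no}: {what} is not valid hex")
    raw = bytes.fromhex(text)
    if expected_len is not None and len(raw) != expected_len:
        raise ValueError(f"line {line_no}: {what} is {len(raw)} bytes, expected {expected_len}")
    return raw


def parse_keylog(text: str) -> Tuple[List[KeylogEntry], List[str]]:
    """Parse keylog text into usable entries plus a list of per-line problems."""
    entries: List[KeylogEntry] = []
    problems: List[str] = []
    for line_no, raw_line in enumerate(text.splitlines(), start=1):
        line = raw_line.strip()  # trailing whitespace is a classic cause of failed lookups
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        try:
            if fields[0] == "CLIENT_RANDOM" and len(fields) == 3:
                entries.append(KeylogEntry(
                    "CLIENT_RANDOM",
                    _hex_field(fields[1], RANDOM_LEN, "client random", line_no),
                    _hex_field(fields[2], MASTER_LEN, "master secret", line_no),
                    line_no))
            elif (fields[0] == "RSA" and len(fields) == 3
                  and fields[1].startswith("Session-ID:") and fields[2].startswith("Master-Key:")):
                entries.append(KeylogEntry(
                    "SESSION_ID",
                    _hex_field(fields[1][len("Session-ID:"):], None, "session id", line_no),
                    _hex_field(fields[2][len("Master-Key:"):], MASTER_LEN, "master key", line_no),
                    line_no))
            elif fields[0] == "RSA" and len(fields) == 3:
                entries.append(KeylogEntry(
                    "RSA",
                    _hex_field(fields[1], RSA_PREFIX_LEN, "encrypted premaster prefix", line_no),
                    _hex_field(fields[2], MASTER_LEN, "premaster secret", line_no),
                    line_no))
            else:
                problems.append(f"line {line_no}: unrecognised keylog line")
        except ValueError as exc:
            problems.append(str(exc))
    return entries, problems


def find_secret(entries: List[KeylogEntry], kind: str, lookup: bytes) -> Optional[bytes]:
    """Return the secret for a handshake value, as a decryptor would look it up."""
    for entry in entries:
        if entry.kind == kind and entry.lookup == lookup:
            return entry.secret
    return None


# Constructed sample keylog (placeholder bytes, not real session secrets).
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample; values are placeholders",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "RSA Session-ID:" + "22" * 32 + " Master-Key:" + "bb" * 48 + "   ",  # trailing spaces
    "RSA " + "33" * 8 + " " + "cc" * 48,
    "CLIENT_RANDOM " + "44" * 32 + " " + "dd" * 47,   # master secret one byte short
    "CLIENT_RANDOM " + "zz" * 32 + " " + "ee" * 48,   # client random is not hex
])

if __name__ == "__main__":
    good, bad = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(good)} usable entries, {len(bad)} problem lines")
    for problem in bad:
        print("  ", problem)
```

Running the validator over a keylog before uploading it separates "the keys are wrong" from "the file is malformed", which is the first thing to settle when decryption does not happen; the same lookup logic shows why a client random or session id from the capture must match a keylog line byte for byte.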
Debugging SSL Decryption
Getting SSL decryption to work can be a tedious process of exporting keys, converting them into the right format, importing them into CloudShark, and configuring them on captures. Finding problems in this kind of setup can be difficult.
CloudShark 2.5 provides the Administrator the ability to generate an SSL debug log to assist in debugging the setup and configuration of decryption rules and keys.
Learn more about SSL Debugging.
Wireless traffic is also often hard to analyze because of encryption. This release adds the ability to specify a WPA passphrase or pre-shared key to decrypt 802.11 frames contained within a capture.
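Whether a WPA passphrase or a pre-shared key is supplied, the decryptor ends up with the same 256-bit PSK: the passphrase is stretched with PBKDF2-HMAC-SHA1 using the SSID as salt and 4096 iterations, as specified in IEEE 802.11i, while a raw PSK is given directly as 64 hex characters. The following added example (not CloudShark's code) derives the PSK from a passphrase and SSID, accepts either input form, and checks the length limits that cause most "my key is right but nothing decrypts" confusion; the function names are this example's own, and the expected value is the public test vector from the 802.11i specification.

```python
import hashlib
import re

_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte WPA/WPA2 PSK from a passphrase and SSID (IEEE 802.11i)."""
    # Passphrases are 8..63 printable ASCII characters; 64 characters means a raw hex PSK.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 0 < len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid_bytes, 4096, 32)


def normalise_wpa_key(value: str, ssid: str) -> bytes:
    """Accept a 64-hex raw PSK or a passphrase and return the 32-byte PSK."""
    value = value.strip()  # trailing whitespace would otherwise become part of the passphrase
    if _HEX64.match(value):
        return bytes.fromhex(value)
    return wpa_psk(value, ssid)


# Public test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
IEEE_VECTOR_PSK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())
```

The same PSK is what the four-way handshake in the capture is keyed from, so a capture that lacks the handshake for a client cannot be decrypted no matter how correct the passphrase is.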
Integrated Decode Options Editor
Behind the scenes, CloudShark leverages the powerful decode engine in tshark. There are a multitude of preferences and options for controlling aspects of a decoded packet and protocols. The preferences file that manages these options is now easy to edit from within CloudShark’s web interface.
Administrators can find the button at the bottom of the Settings page.
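The decode engine's preferences file is a plain text file of `name: value` lines, with defaults shown as commented-out `#name: value` lines, so an editor needs to uncomment or replace the right line rather than blindly append a duplicate. The following added example (not CloudShark's editor) shows a minimal, idempotent update of such a file; the preference names in the constructed sample are placeholders, not real tshark preference names.

```python
import re
from typing import Optional

_NAME = re.compile(r"^[A-Za-z0-9_.]+$")


def set_preference(prefs_text: str, name: str, value: str) -> str:
    """Return prefs_text with `name: value` set.

    Replaces an existing active line or a commented-out default (#name: ...);
    appends the line when the preference is not present at all.
    """
    if not _NAME.match(name):
        raise ValueError(f"invalid preference name: {name!r}")
    if "\n" in value or "\r" in value:
        raise ValueError("preference values are single-line")
    new_line = f"{name}: {value.strip()}"
    pattern = re.compile(r"^#?" + re.escape(name) + r":.*$", re.MULTILINE)
    # A function replacement keeps backslashes in the value (e.g. paths) literal.
    updated, count = pattern.subn(lambda _m: new_line, prefs_text, count=1)
    if count == 0:
        sep = "" if updated == "" or updated.endswith("\n") else "\n"
        updated = updated + sep + new_line + "\n"
    return updated


def get_preference(prefs_text: str, name: str) -> Optional[str]:
    """Return the active (uncommented) value of a preference, or None."""
    match = re.search(r"^" + re.escape(name) + r":[ \t]*(.*)$", prefs_text, re.MULTILINE)
    return match.group(1).strip() if match else None


# Constructed sample preferences file with placeholder preference names.
SAMPLE_PREFS = """# Constructed sample; not a real preferences file.
#example.ask_unsaved: TRUE
example.keylog_file: 
"""

if __name__ == "__main__":
    text = set_preference(SAMPLE_PREFS, "example.ask_unsaved", "FALSE")
    text = set_preference(text, "example.keylog_file", "/placeholder/path/keys.log")
    print(text)
```

Because the replacement is anchored on the full preference name, `example.keylog_file` will not be matched when setting an unrelated preference whose name is a prefix of it, and re-running the update with the same value leaves the file unchanged.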
Updated Protocol Support
CloudShark 2.5 includes Wireshark 1.12.4. This version of Wireshark provides several bug fixes and updates protocol support for multiple protocols.
Read the official Wireshark release notes.
Read the upgrade instructions for information on obtaining the latest version of CloudShark.
Bug fixes and other changes
- Removed debug alert box from some malformed packets.
- Added new packet-decode pane as dialog box.
- Prevented some potential XSS vulnerabilities in the Admin area.
- Properly escape potential XSS in some filter expressions.
- Updated graphing library to the latest version.
- Resolved issue with installation in non-EN_US character sets.
- Removed trailing white-space from various inputs to improve SSL Decrypt, Decode As, Custom Columns, and Search.
Maintenance Release #1
CloudShark 2.5 should be upgraded by running the following command as root:
bash <(curl -s get.cloudshark.org/upgrade2.5)
This resolves an issue affecting older installations that do not have the latest repository configuration on their machines. There are no other changes.
Maintenance Release #2
We recommend all users upgrade to this latest build of CloudShark 2.5 to eliminate any lingering issues with the repository and cloudshark-admin command.
Bug fixes and other changes
- Fixed an issue that prevented searching on some fields.
- Resolved a race condition that could lead to duplicate external accounts being created.
- The owner attribute on the entire /home/cloudshark directory will be reset to cloudshark on installation.
- Added the correct hyperlink to the SSL Keylog dialog box.
Maintenance Release #3
Bandwidth graphs in the capture index
CloudShark now lets you add a sparkline Bandwidth graph to your Capture index. It is useful for quickly scanning a set of capture files for spikes, dropouts, or other interesting bandwidth behavior. Click on “Table Options” and drag the “Bandwidth” column into place.
A small version of the bandwidth graph will be added to your table.
Bug fixes and other changes
- Fixed an issue when loading capture files via URL through the VIEW or OPEN API calls. These URLs were being escaped an extra time within CloudShark, leading to issues for some parameters.
- Increased the external-authentication timeout for AD/LDAP users to 55 seconds. This helps some users who were having trouble with slow logins. If you are experiencing problems with delayed logins, please read our updated external authentication guide.