CloudShark 3.5.0

Release Type                        Release Number    Released Date
Original                            CloudShark 3.5    July 11th, 2018
Hosted-only Maintenance Release #1  CloudShark 3.5.1  August, 2018
Maintenance Release #2              CloudShark 3.5.2  September 12th, 2018
Maintenance Release #3              CloudShark 3.5.3  December 17th, 2018
Maintenance Release #4              CloudShark 3.5.4  January 30th, 2019

CloudShark 3.5 July 11th, 2018

It’s summer here in New England and the CloudShark team is back from Sharkfest ‘18 which was held in Mountain View, CA at the Computer History Museum over the last week in June. We met a bunch of great people, all packet enthusiasts like ourselves. It was a great time. Our latest Enterprise release comes with an updated TShark engine under the hood, and some general improvements to the CloudShark internals as well.

— CloudShark


New Features and Highlights

Wireshark 2.6.1

Wireshark 2.6 is running under the hood of CloudShark 3.5. There are so many improvements and additions that it’s worth taking a look through their release notes.

A few display filter changes to note:

  • The “matches” display filter operator is now case-insensitive.
  • The membership operator now supports ranges, allowing display filters such as tcp.port in {4430..4434} to be expressed.

System-wide Preferences

If you have custom preferences, color rules, macros, or other customizations saved in your ~/.wireshark directory, you will need to migrate them to the new ~/.config/wireshark/ path.

Enable/Disable Protocols

Debugging an issue at one protocol layer is often cluttered by the upper-layer protocols in the same packet. This happens a lot when debugging TCP issues on an HTTP conversation.

The Custom Protocol Preferences dialog added in the previous release has been expanded to include Protocol Toggles. These are fields that let you toggle protocols on and off depending on what you’re analyzing. The settings stick with the file as you share it as well.

It is now possible to disable HTTP for a single capture file at a time, which keeps the HTTP protocol information from overwhelming your TCP analysis.

Here’s an example of a TCP conversation with the HTTP analysis layer turned off!

Other Improvements

Less-strict autoimport directory permissions

Autoimport directories now only require that the cloudshark system user have READ access to the files contained within them. This helps keep separation between the system users and a user account that is able to place files in those directories.

This should be completely transparent to existing autoimport locations. If you have any questions about this change, please contact support.

Bug fixes and other changes

  • Add stand-alone Threat Summary window (Threat Assessment Add-on)
  • Removed support for OGG-format VoIP calls / RTP streams.
  • Fix issue with installer not respecting ENV[HOME]
  • Migrate internal Wireshark preferences from ~/.wireshark to ~/.config/wireshark
  • New locations for the nginx error_log and access_log
  • Upgrade included Redis version to 3.2.12
  • Loosened version requirement for external Redis to 3.2.x (AWS)
  • Fixed a bug when an SSL Keylog and custom protocol preferences were set at the same time

Upgrade Instructions

Enterprise customers upgrading from a version as old as CloudShark 2.8.x can run the following as root to perform the upgrade:

cloudshark-admin --install-latest

Please read the upgrade instructions if you are upgrading from an older version of CloudShark.

CloudShark Hosted

If you are a CloudShark Hosted customer accessing through, the system has already been upgraded and is running now!

CloudShark 3.5.2 Sept. 12th, 2018

CloudShark 3.5.2 is a maintenance release to update some internal components and apply some minor bug fixes. We recommend upgrading to get the latest dissectors and protocol support.

New Features

Decrypt TLS 1.3 Traffic

OpenSSL 1.1.1 was released recently and features support for TLSv1.3. This protocol was officially published by the IETF over the summer.

We’re excited that this version of CloudShark is able to decrypt TLSv1.3 traffic. We have a sample capture here that was created with the new OpenSSL 1.1.1 client and server showing the decrypted traffic.

We are planning a blog post that goes more in-depth about this feature. Subscribe to our newsletter so you’ll be in the loop when that is published.

Additional Updates

New TCP Flags column-preset

The CloudShark Custom Columns dialog box lets you configure specific columns on a per-capture or per-user basis. Whenever you set some columns, you can choose to keep these columns for anyone that looks at that capture.

We’re always evaluating the best techniques for analysis, and a column we found helpful to add to the list is “TCP Flags”. Check out this capture to see what the new column looks like in action.

Improved layout for long file names

Thanks to feedback from one of our customers, we’ve been able to improve the layout of the decode view when looking at a capture file with a very long name. The file name will be truncated, but if you can make your browser wide enough, it should reappear. Additionally, hovering over the name with your mouse will show you the full filename.

Check it out on this really long name.

Additional Bugfixes and Updates

  • Resolved a rare issue that could cause the system-id to flip on reboot. If this affects you please contact to resolve it.
  • The current CLOUDSHARK_USER is now available from the Linux environment when fetching captures by URL.
  • Improves the layout of the Conversations window for captures without certain conversations.
  • Upgrades to the latest release of Suricata 4.x for the Threat Assessment Add-on.

CloudShark 3.5.3 Dec. 17th, 2018

CloudShark 3.5.3 is a minor update that adds support for SHA256 fingerprints for SAML authentication and updates TShark.

Updated Features

256-bit SAML fingerprints

CloudShark supports using longer SHA256 fingerprints when configuring an external SAML 2.0 server for authentication. To use the longer value, you must enter the fingerprint manually. Uploading a key for CloudShark to extract the fingerprint for you will result in the default SHA1 fingerprint.
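Because the SHA256 value has to be entered by hand, it helps to compute it yourself from the identity provider's certificate. The following is an added example, not CloudShark code: it assumes the fingerprint is the digest of the certificate's DER bytes written as colon-separated hex, and the sample input is constructed placeholder bytes rather than a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text):
    """Hash the DER bytes (not the PEM text) of the first certificate found."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    result = {}
    for algo in ("sha1", "sha256"):
        digest = hashlib.new(algo, der).hexdigest().upper()
        result[algo] = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return result


def normalize(fingerprint):
    """Drop separators and case so two pasted fingerprints compare equal."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())


def fingerprint_kind(fingerprint):
    """Classify by digest length: 20 bytes is SHA-1, 32 bytes is SHA-256."""
    return {40: "sha1", 64: "sha256"}.get(len(normalize(fingerprint)), "unknown")


# Constructed input: placeholder bytes in a PEM wrapper, not a real certificate.
PLACEHOLDER_DER = b"constructed placeholder, not a real DER certificate " * 3
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(PLACEHOLDER_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for algo, value in cert_fingerprints(SAMPLE_PEM).items():
        print(algo, value)
```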

Support for TShark 2.6.5

TShark has been updated to version 2.6.5 on the server. If you have compiled your own custom version you will need to update as well. The list of updates and bugfixes can be found here.


  • Line numbers of specific Threat Assessment rules were being calculated incorrectly

CloudShark 3.5.4 Jan. 30th, 2019

CloudShark 3.5.4 addresses a long-standing timeout issue that was limiting commands to only 60-seconds before they were terminated. If you have been affected by this, please contact to discuss a work-around and potential side effects.

Updated Features

Keylog upload added to the API

The API upload method now accepts an optional ‘keylog’ parameter. This parameter allows the caller to submit an additional file upload containing the SSL_CLIENT_KEYLOG data for the given capture. The keylog information will be used to decrypt associated TLS streams within CloudShark.

Please read our API documentation for the upload method for more information.
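A key log with a truncated or missing secret fails to decrypt without any obvious error, so it is worth checking the file before submitting it alongside a capture. This is an added example, not part of the CloudShark API: it assumes the keylog uses the NSS key log format that Wireshark and TShark read, covers both TLS 1.2 and the TLS 1.3 secrets relevant to the 3.5.2 decryption feature, and runs on a constructed sample.

```python
import re

# Labels from the NSS key log format. CLIENT_RANDOM carries a TLS 1.2 master
# secret; the rest carry TLS 1.3 secrets. The legacy "RSA" label is not handled.
REQUIRED_TLS13 = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
OPTIONAL_TLS13 = {"CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
                  "EXPORTER_SECRET"}
HEX = re.compile(r"[0-9a-fA-F]+")

def check_keylog(text):
    """Return (sessions, errors); sessions maps client random -> labels seen."""
    sessions, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if len(parts) != 3:
            errors.append((lineno, "expected LABEL CLIENT_RANDOM SECRET"))
            continue
        label, rand, secret = parts
        if label == "CLIENT_RANDOM":
            ok_len = (96,)          # 48-byte master secret
        elif label in REQUIRED_TLS13 | OPTIONAL_TLS13:
            ok_len = (64, 96)       # SHA-256 or SHA-384 sized secret
        else:
            errors.append((lineno, "unknown label " + label))
            continue
        if len(rand) != 64 or not HEX.fullmatch(rand):
            errors.append((lineno, "client random is not 32 hex-encoded bytes"))
        elif len(secret) not in ok_len or not HEX.fullmatch(secret):
            errors.append((lineno, "secret has wrong length or is not hex"))
        else:
            sessions.setdefault(rand.lower(), set()).add(label)
    return sessions, errors

def covers_tls13(labels):
    """True when handshake and application secrets exist for both directions."""
    return REQUIRED_TLS13 <= labels

# Constructed sample (not real key material); the last line is truncated.
R1, R2 = "aa" * 32, "bb" * 32
SAMPLE = "\n".join(
    ["# constructed sample", f"CLIENT_RANDOM {R1} {'11' * 48}"]
    + [f"{label} {R2} {'22' * 32}" for label in sorted(REQUIRED_TLS13)]
    + [f"CLIENT_RANDOM {R1} {'66' * 20}"])
print(check_keylog(SAMPLE)[1])
```

A key log holds the session secrets for every connection it lists, so store and transfer it with the same care as the decrypted traffic itself.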

Support for TShark 2.6.6

TShark is updated to version 2.6.6. Customers using a custom build should update their base version as part of the CloudShark upgrade process.


  • Resolves an issue where the system-id was not able to be computed on certain AWS instances