

Show HN: Wireshark as a web app - digitalsushi
http://cloudshark.org/captures/05aae7c1b941

======
kylemaxwell
As a network forensic investigator, if I were to upload packet captures to a
third party, I'd almost certainly lose my job - and rightfully so. Now, the
appliance looks interesting for collaboration, as long as it stays in my
protected environment, but I'm not sure that's necessarily the best way to go
about this general task.

Other questions I'd ask: how well does it integrate with SIEMs like ArcSight?
What about larger bandwidth needs, like for 10-gig networks? Can I extend the
storage? How quickly does it actually search?

I've bookmarked their site for later review.

~~~
epicmelon
Good point - I'm not sure what else would make me feel more comfortable,
however. Having control of the appliance (VM or otherwise) is good enough for
me.

------
tptacek
This looks extraordinarily well done. What are you planning on doing with it?
I can think of a lot of different use cases.

("How well does it integrate with ArcSight"? Sheesh.)

------
rabidsnail
Why would I want this? When I'm doing protocol analysis I'm usually doing
packet capture at the same time, which a web app can't do for me since it's
not in my LAN. I've never been in a situation where I ran pcap by itself and
then did offline analysis on the data.

~~~
Anderkent
Don't you do remote analysis ever? Have your client/friend/whoever do the
capture and send it to you for analysis?

That's at least one use case I can imagine.

~~~
fsniper
Even then, why on earth should I skip my own copy of Wireshark and use
CloudShark?

~~~
sant0sk1
I assume you aren't on OS X where Wireshark is fugly, clunky, and takes
forever to boot.

~~~
bajsejohannes
But isn't Wireshark fugly and clunky on all platforms? I love the tool, but
the UI leaves a lot to be desired. I'm frankly a bit surprised that they opted
for copying it instead of remaking it.

~~~
ssmall
Agreed. I use it on Linux and OSX and my only real beef with it on OSX is that
it runs under X11. I'd rather have the mildly clunky OSX interface where I know
where everything is than a totally new, foreign web interface. I guess it's just
a matter of taste.

------
jusob
For those interested in this type of app, there is also pcapr.net (for example
<http://pcapr.net/view/4l1c3.b0b/2009/6/4/8/Microsoft-Office-Web-Components-ActiveX-Buffer-Overflow.pcap.html>).
The visualization may not be as good as cloudshark.org, but they already have a
big community, and a very good search feature. You have to create a free
account to enable all features.

------
dustingetz
This does not capture packets. From the homepage: "CloudShark brings your
CAPTURE FILES to the cloud." Presumably so you can link to them; any other
uses aren't immediately obvious.

------
eugenejen
On the other hand, if one can come up with a Wireshark fork that outputs a nice
web UI to your local browser, would that be useful to anyone?

I found modern web UI is really much more advance than what existing desktop
UI implementation. I was thinking of making a wrapper app around tcpdump/pcap
that generates a nice web UI for the localhost user.

~~~
absconditus
"I found modern web UI is really much more advance than what existing desktop
UI implementation."

That is a rather bizarre claim.

~~~
eugenejen
Sorry, bad grammar.

I meant "modern web UI is more advanced than desktop UI".

Like what Jeff Atwood said before in 2007:

<http://www.codinghorror.com/blog/2007/06/who-killed-the-desktop-application.html>

------
thechut
This is a great tool to use with Android smartphones. I can run Wireshark on
my phone but all I end up with is a pcap dump file and you can't watch it in
real time. There are viewers for Android, but this could make quick uploading
and viewing very easy. Going to upload from my phone now to test it out.

Edit: Seems to work really well as a viewer for Shark for Android. Although I
do agree with the security concerns, it's still a very cool product.

------
bryogenic
If you actually want to run Wireshark on remote traffic (which is what I
initially thought this app did) you can do any one of these commands:

<http://www.commandlinefu.com/commands/view/4373/analyze-traffic-remotely-over-ssh-w-wireshark>

------
mkjones
The bandwidth over time visualization is what makes this most valuable to me
vs. normal wireshark. It made debugging the differences between two different
"internet speed test" sites a lot easier (higher latency = slow-start takes
longer = lower bandwidth on a new connection):

<http://mkjon.es/cloudshark-slow.png> <http://mkjon.es/cloudshark-fast.png>

That being said, I wish it had a demo dataset to work with. I'm kind of
regretting uploading packet dumps (even restricted to one remote IP / port)
given that they contain my MAC address / my router's MAC address. I don't
think I'll use this for much in the future just because pcaps usually contain
private data. I guess that's why they charge for the on-site software /
device.
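The worry above about MAC addresses and other private data in uploaded pcaps is the usual reason captures get scrubbed before they leave the network. The following is an added example, not code from this thread or from CloudShark: it walks a classic libpcap file and replaces MAC and IPv4 addresses with stable pseudonyms so conversations stay distinguishable. The pseudonym ranges, the frame layout assumptions (Ethernet link type, no VLAN tags) and the sample capture are all constructed for the example.

```python
import struct

# pcap magic bytes as they appear on disk -> struct byte order (micro/nanosecond, both endiannesses)
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

class Pseudonymiser:
    """Maps each real address to a stable fake one; the mapping never leaves this process."""
    def __init__(self):
        self.macs, self.ips = {}, {}
    def mac(self, raw):
        if raw[0] & 1:                       # broadcast/multicast is not a host identity: keep it
            return raw                       # otherwise locally administered 02:00:00:00:xx:xx, sequential
        return self.macs.setdefault(raw, bytes([2, 0, 0, 0]) + (len(self.macs) + 1).to_bytes(2, "big"))
    def ip(self, raw):                       # sequential hosts inside 10.0.0.0/8
        return self.ips.setdefault(raw, bytes([10]) + (len(self.ips) + 1).to_bytes(3, "big"))

def scrub_frame(frame, p):
    """Rewrite Ethernet src/dst and, for IPv4, the IP src/dst of one captured frame."""
    if len(frame) < 14:
        return frame                         # runt frame: nothing to rewrite
    out = bytearray(frame)
    out[0:6], out[6:12] = p.mac(frame[0:6]), p.mac(frame[6:12])
    if frame[12:14] == b"\x08\x00" and len(frame) >= 34:   # EtherType IPv4, full IP header present
        out[26:30], out[30:34] = p.ip(frame[26:30]), p.ip(frame[30:34])
    # Checksums and payload are left as they are; a viewer will flag the checksums, which is expected.
    return bytes(out)

def scrub_pcap(data):
    """Return (scrubbed pcap bytes, Pseudonymiser); a truncated trailing record is dropped."""
    order = MAGICS.get(bytes(data[:4]))
    if order is None:
        raise ValueError("not a classic pcap file")
    p, out, pos = Pseudonymiser(), bytearray(data[:24]), 24
    while pos + 16 <= len(data):             # record header: ts_sec, ts_frac, incl_len, orig_len
        incl_len = struct.unpack(order + "IIII", data[pos:pos + 16])[2]
        if pos + 16 + incl_len > len(data):
            break
        out += data[pos:pos + 16] + scrub_frame(data[pos + 16:pos + 16 + incl_len], p)
        pos += 16 + incl_len
    return bytes(out), p

def sample_pcap():
    """Constructed one-frame capture: 192.168.1.10 -> 198.51.100.5 TCP SYN, no payload."""
    gh = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # magic, v2.4, snaplen, Ethernet
    eth = bytes.fromhex("001122334455 66778899aabb 0800")
    ip = bytes.fromhex("45000028 0000 4000 40 06 0000") + bytes([192, 168, 1, 10, 198, 51, 100, 5])
    tcp = struct.pack(">HHIIBBHHH", 51234, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
    frame = eth + ip + tcp
    return gh + struct.pack("<IIII", 1, 0, len(frame), len(frame)) + frame
```

Payloads (DNS names, HTTP headers, ARP bodies) are not touched, so a scrubbed file still needs a look before it is shared.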

------
longlho
It'd be better if this were open source; uploading pcaps to a third-party site
is pretty scary...

------
xpotential
Love the UI! I particularly like how intuitive the range slider is at the top.
I see that it's the standard jQuery UI Slider control... how is the chart
being generated? I can see it's a dynamic base64 PNG from the server but is
that work you did yourselves or is there a library that's doing that? Nice
work!

------
feralchimp
Nice web-based UI for capture files, BUT:

They need a Security story other than "run it on an appliance inside your
network." I would also appreciate a single page (unless I missed it) that
explains the Analysis value-adds.

------
EToS
Would be an interesting concept to replace Fiddler for HTTP analysis if it
captured packets.

------
taylorbuley
Great work here.

------
tszming
Wireshark is too low level unless you are doing hardcore network experiments.
Most of the time I found that tcpflow or mitmproxy is more than enough; of
course, YMMV.

~~~
jlawer
mitmproxy and tcpflow are great for testing web stuff... not so much iSCSI...

