Want a free CloudShark tee shirt? It’s simple: just follow @CloudShark on Twitter and send an email to info@cloudshark.org including your Twitter name, tee shirt size (S, M, L, XL) and postal address. We’ll do the rest.
We are running this promotion until we run out of shirts and we’ve been sending shirts all over the world. Bonus points if you send us a picture with you wearing your new CloudShark shirt.

Browser Support

We brought CloudShark to the web in a very short amount of time.  One of the biggest reasons we could move so quickly is that we decided early on not to get bogged down in all the differences between web-browsers and how they handle our code.  We stuck to a standards-oriented approach when laying out the pages and targeted mainstream modern browsers.

This means we are not able to support every web browser out there.  While we would love to, we would rather move quickly on improving and adding features, and spend less time fixing and hacking the layout for an older (and less standards-compliant) browser.

For best results, stick with Firefox 3.x, Safari 4 or 5, or Google Chrome.

Graphing Traffic with CloudShark

We’re very pleased to announce new capabilities in CloudShark! We’ve been working hard over the past couple weeks to introduce a new graphical view of your capture files.  They say a picture is worth 1000 words, so here we go:

We have 3 graphing views right now: one user-specified graph and two default graphs that we feel would be useful with the widest variety of captures. One default shows the difference between TCP and UDP traffic, and the other shows IPv4 and IPv6 traffic.

The user-specified graph is a little different though.  In CloudShark, you can specify a Display Filter to limit which packets are shown in the summary view.  When a Display Filter is applied, the first graph shows the traffic matching that filter in blue, and anything that does not match in red.

For example, here is some HTTP traffic while making a voice call in the background.

Hiding and showing a series can be accomplished by clicking on its label in the legend.  When a series is hidden, the y-axis will scale itself to best display the remaining data. Often, a series might be dwarfed and only appear after hiding others around it.

Head on over to CloudShark, upload your own captures, and give our graphs a try.  Let us know how we can make them even better!

Reassembly is here!

One thing that Wireshark does amazingly well is reassembling IP fragments and TCP segments.  We’re very happy to announce that we can do the same thing with CloudShark!

Have a look:

There are new tabs in the ASCII pane at the bottom of the screen that will let you toggle between the current frame you are viewing, and the reassembled data.  This is usually TCP or IP but could be any kind of data that Wireshark knows how to reassemble.

Better yet, we’re perfecting the ability to click within that ASCII and have your selection revealed in the Decode section in the middle pane.

Here’s the above example capture you can play with (created with CDRouter).

Our first week in the surf

It’s been a great week since CloudShark launched.  We’re learning a lot and have made some changes that should really speed things up.

We have just deployed a big rewrite of the server-side code providing capture summaries and packet decodes for CloudShark.  This lets us move all the heavy lifting from the browser back to some very fast libraries on the server.  You should be seeing some big performance improvements when opening capture files with lots of packets.

We’re also welcoming you to The Beach - this site right here - to keep helpful tips and tricks, tutorials, interesting articles, status updates… pretty much everything that won’t fit into a 140 character twitter message.  

As always, feel free to contact us for any reason.

Enjoy!

Using Display Filters with CloudShark

The CloudShark display screen contains a text box for Wireshark style display filters. By default, no display filter is set and all packets in your capture file are displayed. However, you can specify a display filter to limit the packets that are displayed.

Display filters are handy in many situations. Let’s say you only want to display packet frame number 8. You can enter frame.number==8 in the display filter box and hit the Apply button. CloudShark will filter your results and only display frame 8.

Display Filter Box

Another common filter is to look for a specific IPv4 or IPv6 address. Let’s say you only want to see IPv4 traffic involving 192.168.1.1. You can enter ip.addr==192.168.1.1 in the display filter box. Of course, to see all the packets again, just hit the Clear button next to Apply. For an IPv6 example, try entering ipv6.addr==3001:51a:cafe::1.

There are a few good online resources that provide an introduction to display filters and also detail the many possibilities. There are over 70k different display filters available across the various protocols supported!

Here are some links to get started:

Wireshark User Guide: Building Display Filter Expressions
Wireshark Wiki: Display Filters
Display Filter Reference

You can also specify display filters when you create a URL to an existing CloudShark decode session. This makes it easy to point someone to a specific packet in a decode session. The filter is passed by including a filter parameter in the URL.

For example, let’s say you uploaded a capture file and want technical support to look at packet number 18 in the capture file. You might send this link via email:

http://www.cloudshark.org/captures/277f57f4ec56?filter=frame.number==18

Here is another example using the /view URL which allows you to specify the URL and filter parameters.

http://www.cloudshark.org/view?url=http://packetlife.net/captures/TCP_SACK.cap&filter=frame.number==8
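
The two link forms above work as typed for simple filters, but a filter containing && or spaces, or a remote URL with its own query string, has to be percent-encoded or the query string splits in the wrong place. The Python below is an added example, not CloudShark's own code; the helper names are hypothetical, and it assumes the server decodes standard percent-encoding.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

BASE = "http://www.cloudshark.org"  # host taken from the links on this page


def capture_link(capture_id, display_filter=None):
    """Link to an uploaded capture, optionally narrowed by a display filter."""
    url = f"{BASE}/captures/{quote(capture_id, safe='')}"
    if display_filter:
        # urlencode escapes '=', '&', ':' and spaces inside the filter value
        url += "?" + urlencode({"filter": display_filter})
    return url


def view_link(remote_url, display_filter=None):
    """Link using the /view form: a remote capture URL plus an optional filter."""
    params = {"url": remote_url}
    if display_filter:
        params["filter"] = display_filter
    return f"{BASE}/view?" + urlencode(params)


def naive_link(capture_id, display_filter):
    """String concatenation with no encoding, shown only for comparison."""
    return f"{BASE}/captures/{capture_id}?filter={display_filter}"


def read_back(link):
    """Decode a link's query string the way a standard parser would."""
    return {k: v[0] for k, v in parse_qs(urlsplit(link).query).items()}


if __name__ == "__main__":
    # Constructed sample filter combining two conditions with '&&'
    flt = "ip.addr==192.168.1.1 && tcp.port==80"
    print(capture_link("277f57f4ec56", flt))
    print(read_back(capture_link("277f57f4ec56", flt)))
    # Unencoded, the '&&' is read as parameter separators and the filter is cut short
    print(read_back(naive_link("277f57f4ec56", flt)))
    print(view_link("http://packetlife.net/captures/TCP_SACK.cap", "frame.number==8"))
```
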

One important side note: Wireshark’s capture filters and display filters are not the same. Capture filters are libpcap expressions used when actually capturing packets. The syntax of capture filters is different from that of display filters. Display filters have many more protocol options.

Give it a try!