CloudShark 3.10.0

CloudShark 3.10.0

We are very excited to announce CloudShark 3.10.0, delivering many new packet analysis features and updates under the hood. Over the last several versions you have seen us hard at work on improving the installation and deployment experience. We are very happy to be back looking at packets!

Important!

If you are upgrading CloudShark 3.8.x, you must perform these upgrade steps.

If you are already running CloudShark 3.9.x, please follow the quick upgrade instructions instead.

 

What's new?

  • A new system-wide default profile disabling TCP sub-dissector reassembly to boost performance when working with files containing large TCP streams
  • Support for dissecting QUIC
  • In-browser audio playback of RTP streams using the OPUS codec
  • Support for PCAPNG files with an embedded Decryption Secrets Block (DSB) allowing the decryption of DTLS, TLS, QUIC, Wireguard and more
  • Displays the raw TCP sequence numbers alongside the relative ones
  • Support for CommunityID / JA3 / JA3S hashes for correlating traffic across different tools
  • Ability to reassemble out-of-order TCP packets

What's been improved?

  • The Wireless Networks analysis tool has been rewritten to correctly detect the latest Wifi Alliance security modes, including WPA3 (more below)
  • VoIP/RTP audio playback sounds much better - previous versions of CloudShark had been artificially degrading the audio during the MP3 conversion process.
  • Protocol Decode trees now indicate which fields are computed and not actually found on the wire. These are surrounded by [square brackets] now.

What's changed?

  • The display filter syntax has been modified slightly (see below)
  • Some common protocols have been renamed: "bootp" is finally "dhcp" and "ssl" has been deprecated in favor of "tls".
  • Removed Twitter and Facebook as External Authentication endpoints. These had been deprecated in a previous version and are now gone.
  • Raw data from RTP streams is no longer available for download
  • Support for GSM audio playback has been removed
  • A new version of Wireshark is used under the hood: Version 3.6.9. If you need to build your own version, please find our patched tarball here.

 

Tired of updating your on-premises server?

Let's admit it – as packet people, upgrading software and managing a server is not how we want to spend our time. So, let us run CloudShark for you! QA Cafe is now offering private hosting for CloudShark customers. We'll setup and maintain your own private cloud server for your data and users, and you get to stick to the packets. It's always up to date, monitored 24/7, and is the same price as your existing on-prem subscription!

Contact sales@qacafe.com today for more information.

Display filter changes

Please note some small changes to Display Filters:

  • The filter expression "a != b" now has the same meaning as "!(a == b)". This expression used to result in ambiguous results and was discouraged. A common example of this is to hide an IP address from the displayed packets such as ip.addr != 1.1.1.1 - with this change, this now behaves the way you want it to.
  • If you still want the old behavior of !=, it has been replaced with "~=" or "any_ne" such as "ip.addr ~= 1.1.1.1". 
  • Set elements using the "in" operator must now be separated by a comma. For example: tcp.port in {80, 8080, 443} or http.request.method in {"GET", "HEAD"}

New WLAN Networks 

A lot has happened in the WiFi security space since we first introduced our WLAN Networks tool to CloudShark. The 3.10 release has rewritten the tool to better identify what security mode a given SSID is advertising via Beacon and Probe Responses. We chose to use the term "Enterprise" for the modes utilizing 802.1x authentication. They mean the same thing.

The new modes include detection for:

  • WPA-Personal and WPA-Enterprise
  • WPA2-Personal and WPA2-Enterprise
  • WPA2/3-Personal and WPA2/3-Enterprise (Transition mode)
  • WPA3-Personal (also known as SAE)
  • WPA3-Enterprise
  • WPA3-Enterprise 192 bit

Additional Caveats

  • CloudShark 3.10.0 is supported on CentOS or RHEL 7 systems.
  • Files with Decryption Secret Blocks (DSB's) aka "Embedded Secrets" are not able to be exported to a new session or file. Bug report.