Hi,
Given enough time I could find all of this out for myself, but I'd like to check my understanding of how things fit together, if someone could indulge me? I've only downloaded a couple of Windows builds so far.
Trying out some captures and enabling View | Reload as File Format | Capture, it looks as though 'Sysdig Machine Info Block' is fairly similar to 'enhanced packet block', though unfortunately 'Dissect next layer' doesn't do anything yet.
The data visible in the bytes pane is much less than the data block and only corresponds to the Sysdig Event. What is the rest of the data?
Where a frame has Event Information, is this info enriched by libsinsp? Is that done entirely at the time of capture? Or does some of the info here come from the dissector, e.g., looking up the timestamps of related event frames?
Similarly, are the Event Arguments and Process Information already in the event data? Are they perhaps parsed by their own libraries into structs, making it difficult to show which bytes each value comes from? I suppose I am used to the idea that you can click on any non-generated field and see exactly where it came from.
If Falco is like an IDS, are we dissecting alerts output from when rules match, or just generating filters that are equivalent to falco rules? Would it ever make sense to have the falco equivalent of the snort post-dissector that shows the context and details of detected anomalies against some rule set?
If we see some anti-pattern in events we'd like to detect in the future, how would we teach Stratoshark to do that? Would we hand-code it in sysdig or falco dissectors, or create a new falco rule for it? And put it in a local profile? Is there the falco equivalent of the emerging-threats rules?
Anyway, the first thing I would like to do with Stratoshark is to sanity-check Wireshark starting up and shutting down. At least we should see the file reads/writes we do, and look into anything fishy.
Any help would be appreciated. Thanks,
Martin