Member post by Nigel Douglas, Sysdig
In cloud-native systems, understanding the behaviour of complex, distributed web apps requires powerful tools that can dissect system activity down to its core. As the CNCF graduate project Falco demonstrates, this often begins with monitoring system calls from the Linux kernel and enriching that data across cloud and Kubernetes to provide actionable runtime insights. Falco’s libraries, registries, and plugins have not only revolutionised Linux runtime security but have also laid the groundwork for a growing ecosystem of tools capable of analysing system behaviour in cloud-native infrastructure.
Falco’s Foundations: libsinsp and libscap
At the heart of Falco are two foundational libraries: libsinsp (System INSPection LIBrary) and libscap (System CAPture LIBrary). These libraries enable Falco and other tools to extract, enrich, and analyse system call events from the operating system.
- libscap operates as the low-level backbone, handling live capture control, trace file management, event retrieval, and OS state extraction. By communicating directly with drivers — such as kernel modules or eBPF probes — libscap captures syscall events and manages their storage in System CAPture (.scap) files.
- libsinsp builds on libscap by enriching raw syscall data with context, such as process metadata, file descriptors, and user associations. It mirrors the OS state, enabling users to treat low-level system primitives as high-level entities like programs or files. With advanced event filtering and a rule engine, libsinsp simplifies analysis, converting raw system data into meaningful insights.
Together, these libraries form the backbone of Falco’s runtime security capabilities, while also empowering other open-source projects.
The Role of Plugins in Extending Capabilities
Falco’s plugin framework makes these libraries adaptable to various data sources beyond system calls. Plugins can be created to ingest and process cloud audit logs, container events, and other telemetry, extending Falco’s functionality far beyond traditional syscall monitoring. This flexibility has opened the door for new tools and integrations, making Falco’s ecosystem more versatile and valuable.
Stratoshark: From PCAP to SCAP
One of the most exciting developments leveraging Falco’s libraries is Stratoshark, an open-source project from the Sysdig team. Stratoshark takes the familiar Packet CAPture (PCAP) analysis experience of tools like Wireshark and brings it into the modern era of cloud-native systems with SCAP files.
Using libsinsp and libscap, Stratoshark captures and analyses syscall activity and cloud audit logs, providing a powerful yet user-friendly interface for dissecting these datasets. It supports the same file formats as Falco and Sysdig CLI, allowing seamless transitions between tools. With Stratoshark, users can filter and analyse system call activity just as network administrators have long done with packet captures, enabling new insights into application-level behaviour in cloud environments.
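To make the enrichment and filtering described above concrete, here is an added Python sketch (not code from Falco, libsinsp or Stratoshark) of the idea behind libsinsp: raw driver events carry only numbers (pid, fd, syscall name), a state mirror rebuilds the process and file-descriptor tables from them, and rules are then evaluated over the enriched stream the way a Falco filter or a Stratoshark display filter would be. The field names borrow Falco's filter syntax (evt.type, proc.name, proc.pname, user.name, fd.name); the event stream, user map and rules are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed uid -> user map; libscap extracts this from OS state at capture start.
USERS = {0: "root", 1000: "alice"}

# Constructed raw events in the shape a driver hands to libscap: the kernel
# knows only pids, fd numbers and syscall arguments at the time of the call.
RAW_EVENTS = [
    {"ts": 1, "pid": 100, "syscall": "execve", "args": {"exe": "/bin/bash", "uid": 0}},
    {"ts": 2, "pid": 100, "syscall": "clone", "args": {"child_pid": 101}},
    {"ts": 3, "pid": 101, "syscall": "execve", "args": {"exe": "/usr/bin/vi", "uid": 0}},
    {"ts": 4, "pid": 101, "syscall": "open", "args": {"fd": 3, "path": "/etc/shadow", "flags": "O_WRONLY"}},
    {"ts": 5, "pid": 101, "syscall": "write", "args": {"fd": 3, "size": 42}},
    {"ts": 6, "pid": 101, "syscall": "close", "args": {"fd": 3}},
    {"ts": 7, "pid": 100, "syscall": "open", "args": {"fd": 4, "path": "/tmp/notes.txt", "flags": "O_WRONLY"}},
    {"ts": 8, "pid": 100, "syscall": "write", "args": {"fd": 4, "size": 10}},
]


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    user: str
    fds: dict = field(default_factory=dict)  # fd number -> path


class StateMirror:
    """Toy version of the OS state libsinsp mirrors: a process table with
    per-process fd tables, updated from each raw event as it arrives."""

    def __init__(self):
        self.procs = {}

    def enrich(self, ev):
        """Consume one raw event, update the mirror and return the enriched event."""
        pid, sc, a = ev["pid"], ev["syscall"], ev["args"]
        if sc == "execve":
            # A new image replaces the process name; fds survive the exec.
            prev = self.procs.get(pid)
            self.procs[pid] = Proc(pid, prev.ppid if prev else 0,
                                   a["exe"].rsplit("/", 1)[-1],
                                   USERS.get(a["uid"], str(a["uid"])),
                                   dict(prev.fds) if prev else {})
        proc = self.procs.get(pid)
        if proc is None:
            # Process started before the capture and no /proc scan seeded it.
            proc = Proc(pid, 0, "<unknown>", "<unknown>")
            self.procs[pid] = proc
        if sc == "clone":
            child = a["child_pid"]
            self.procs[child] = Proc(child, pid, proc.name, proc.user, dict(proc.fds))
        elif sc == "open":
            proc.fds[a["fd"]] = a["path"]
        # Resolve the fd number to a path before a close drops it from the table.
        fd_name = proc.fds.get(a.get("fd"))
        if sc == "close":
            proc.fds.pop(a["fd"], None)
        parent = self.procs.get(proc.ppid)
        return {
            "evt.time": ev["ts"], "evt.type": sc, "proc.pid": pid,
            "proc.name": proc.name, "proc.pname": parent.name if parent else None,
            "user.name": proc.user, "fd.name": fd_name, "evt.args": a,
        }


@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]


# Constructed rules over enriched fields, in the spirit of Falco conditions.
RULES = [
    Rule("Write below etc",
         lambda e: e["evt.type"] == "write" and (e["fd.name"] or "").startswith("/etc/")),
    Rule("Shell spawned an editor as root",
         lambda e: e["evt.type"] == "execve" and e["proc.name"] in {"vi", "vim", "nano"}
         and e["proc.pname"] == "bash" and e["user.name"] == "root"),
]


def run_pipeline(raw_events, rules):
    """Enrich each raw event in order and return (rule, proc.name, fd.name) alerts."""
    mirror = StateMirror()
    alerts = []
    for raw in raw_events:
        enriched = mirror.enrich(raw)
        for rule in rules:
            if rule.condition(enriched):
                alerts.append((rule.name, enriched["proc.name"], enriched["fd.name"]))
    return alerts


if __name__ == "__main__":
    for alert in run_pipeline(RAW_EVENTS, RULES):
        print(alert)
```

Two points the toy makes visible: the write at ts=5 can only be attributed to /etc/shadow because the mirror remembered the open at ts=4, and the execve at ts=3 can only be tied to a bash parent because the clone at ts=2 was seen. That is why event order matters in a .scap file and why libscap extracts OS state at capture start: processes and fds that predate the capture would otherwise show up as unknown, as the fallback branch here does.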
Comparing Ecosystem Approaches: Tracee, Tetragon, and Falco
Falco and Sysdig aren’t the only tools exploring the power of system call monitoring. Tracee and Tetragon are notable alternatives that provide unique approaches:
- Tracee uses eBPF to monitor runtime activity and detect security events. It emphasises real-time visibility into system behaviour and uncovers suspicious runtime activity patterns.
- Tetragon promises Kubernetes-aware observability and security enforcement. By applying policies directly within eBPF, it claims to reduce overhead while providing real-time runtime enforcement.
Where Falco and Stratoshark differentiate themselves is in their approachability and flexibility. Falco’s plugin architecture and Stratoshark’s ability to read SCAPs for post-incident forensics bring a Wireshark-like experience to the Linux kernel and cloud-native world. The pair also bridges the gap between system call data and the overlying abstractions of cloud and Kubernetes logs, for both security and performance tuning.
Why Understanding System Calls in a Cloud-Native Context Matters
System calls, the interface between applications and the operating system, are fundamental to understanding container workload behaviour. Tools like Falco, Tracee, and Tetragon allow developers and operators to peer into these interactions, uncovering anomalies, optimising performance, and improving security observability.
Falco’s libraries and plugins provide the foundation for this analysis, making system calls both accessible and actionable. By supporting tools like Stratoshark, they enable deeper exploration of cloud-native systems while maintaining the flexibility to integrate with other data sources and ecosystems.
The Road Ahead
As cloud-native adoption continues to grow, tools like Falco and Stratoshark will become increasingly critical. Their ability to unify system call data, enrich it with context, and present it in an accessible way empowers teams to troubleshoot, secure, and optimise modern applications.
Falco’s contributions to the CNCF ecosystem exemplify the power of open-source collaboration and the importance of building foundational tools that inspire innovation. With projects like Stratoshark leading the way, the evolution from PCAP to SCAP is a leap forward for security and observability in the cloud-native era.
If you’re interested in trying out Stratoshark today, you can check it out at https://stratoshark.org.