
What is an SCAP file?


SCAP is the file format of system call captures in Stratoshark

System CAPture (SCAP) files are data files generated by specialized programs that record system call activity on a Linux host, process, or container. These .scap files provide insight into system behavior by recording the interactions between applications and the Linux kernel. System calls (syscalls) are the bridge between user applications and the operating system: programs use them to request services such as file manipulation, network access, and process control.

SCAP files enable security and operations teams to detect malicious script executions, identify outbound connections to command-and-control (C2) servers, and troubleshoot application failures. By analyzing these files, teams can enhance system stability, optimize application performance, and respond to potential security threats.

The libscap library creates SCAP captures and lets tools like Sysdig and Falco collect system call data directly from userspace. It communicates with kernel drivers, such as eBPF probes, retrieves syscall events from the ring buffer where the drivers store them, and passes the data to libsinsp for further processing.

SCAP files can be opened and analyzed using tools like Stratoshark. Much like Wireshark and tcpdump analyze network traffic by reading PCAP (.pcap) files, Stratoshark offers the same intuitive experience for monitoring Linux systems, containers, and Kubernetes environments. By leveraging SCAP files, Stratoshark empowers users to diagnose issues, detect anomalies, and ensure smooth operations across cloud-native and containerized infrastructures.
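As an added example (not code from this page or from the Stratoshark project): SCAP files use the same pcapng block container that Wireshark reads, with Sysdig-specific block types in place of packet blocks, so a first integrity check on a capture is a walk over that block framing. The script below validates the framing of a constructed in-memory capture and counts blocks by type; the Sysdig block-type names are assumed from Stratoshark's pcapng reader, and the block bodies are opaque placeholders rather than real event records.

```python
import struct

SHB_TYPE = 0x0A0D0D0A          # pcapng Section Header Block (palindromic)
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # first SHB body field, reveals endianness
# Sysdig block types as named in Stratoshark's pcapng reader (assumed here)
BLOCK_NAMES = {SHB_TYPE: "section_header", 0x201: "sysdig_machine_info",
               0x204: "sysdig_event", 0x208: "sysdig_event_with_flags"}

def walk_blocks(data: bytes):
    """Yield (block_type, body) for every block, checking pcapng framing."""
    if len(data) < 12 or struct.unpack("<I", data[:4])[0] != SHB_TYPE:
        raise ValueError("not a pcapng/SCAP file: first block is not an SHB")
    if data[8:12] == struct.pack("<I", BYTE_ORDER_MAGIC):
        end = "<"
    elif data[8:12] == struct.pack(">I", BYTE_ORDER_MAGIC):
        end = ">"
    else:
        raise ValueError("bad byte-order magic in section header")
    off = 0
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError(f"truncated block header at offset {off}")
        btype, blen = struct.unpack(end + "II", data[off:off + 8])
        # length must cover header+trailer, be 32-bit aligned and fit the file
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        trailer = struct.unpack(end + "I", data[off + blen - 4:off + blen])[0]
        if trailer != blen:  # trailing length copy must match the header
            raise ValueError(f"length mismatch at offset {off}")
        yield btype, data[off + 8:off + blen - 4]
        off += blen

def summarize(data: bytes) -> dict:
    """Count blocks per type, e.g. to spot a truncated or odd capture."""
    counts: dict = {}
    for btype, _ in walk_blocks(data):
        name = BLOCK_NAMES.get(btype, f"unknown_0x{btype:x}")
        counts[name] = counts.get(name, 0) + 1
    return counts

def make_block(btype: int, body: bytes) -> bytes:  # little-endian pcapng block
    body += b"\0" * (-len(body) % 4)  # pad to a 32-bit boundary
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)
# Constructed sample: SHB (v1.0, unknown section length) plus placeholder bodies
SAMPLE = (make_block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
          + make_block(0x201, b"machine-info-placeholder")
          + make_block(0x208, b"event-placeholder-1")
          + make_block(0x208, b"event-placeholder-2"))
```

Running `summarize` over a real .scap file will list the same section header followed by the Sysdig block types present; a ValueError from the walker points at the offset where the capture was cut or corrupted.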
