1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
|
include::attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: {css_dir}/{stylesheet}
= Stratoshark {stratoshark-version} Release Notes
// Asciidoctor Syntax Quick Reference:
// https://asciidoctor.org/docs/asciidoc-syntax-quick-reference/
This is an experimental release intended to test new features for Stratoshark 1.0.
== What is Stratoshark?
Stratoshark is a system call and log analyzer.
It combines the analysis and filtering features of Wireshark with the capture and data enrichment features of https://falco.org[Falco].
It can be used for troubleshooting, analysis, development and education.
Stratoshark is hosted by the Wireshark Foundation, a nonprofit which promotes protocol and system analysis education.
Stratoshark and the foundation depend on your contributions in order to do their work.
If you or your organization would like to contribute or become a sponsor, please visit https://wiresharkfoundation.org[wiresharkfoundation.org].
== What’s New
// Add a summary of **major** changes here.
// Add other changes to "New and Updated Features" below.
// Many other improvements have been made.
// See the “New and Updated Features” section below for more details.
The following changes have been made since version 0.9.2:
* The Windows installers now ship with Qt 6.8.3.
They previously shipped with Qt 6.8.1.
The following changes have been made since version 0.9.1:
* The Falco Bridge dissector has been renamed to Falco Events.
Filter fields now have a "falcoevents" protocol prefix, but a "falcobridge" protocol alias has been added for backward compatibility.
wsbuglink:20397[]
* Stratoshark can now show field offsets for supported plugins.
* Cloudtrail log messages can now be viewed as formatted JSON data.
* The system call dissector now has a "falcoevents.fd.stream" field, which provides a unique number for each file descriptor.
The "Follow File Descriptor Stream" feature now uses this field to track streams. wsbuglink:20538[]
* We now ship universal macOS installers instead of separate packages
for Arm64 and Intel. wsbuglink:17294[]
The following changes have been made since version 0.9.0:
* The application icons have been updated.
=== Bug Fixes
//The following bugs have been fixed:
//* wsbuglink:5000[]
//* wsbuglink:6000[Stratoshark bug]
//* cveidlink:2014-2486[]
//* Stratoshark grabs your ID at 3 am, goes to Waffle House, and insults people.
The following bugs have been fixed since version 0.9.2:
* .scap file extension wrongly associated with Wireshark. wsbuglink:20583[].
* sshdig should have a snaplen option. wsbuglink:20586[].
The following bugs have been fixed since version 0.9.1:
* Stratoshark help message has Wiresharkisms in it. wsbuglink:20229[].
* Stratoshark and editcap could write incorrect block types. https://gitlab.com/wireshark/wireshark/-/merge_requests/19238[Merge request 19238].
* Stratoshark says I can't capture on local interfaces. wsbuglink:20494[].
* Stratoshark: Crash While Sorting on evt.buflen column. wsbuglink:20571[].
The following bugs have been fixed since version 0.9.0:
* Falco Bridge: Empty frame.protocols field. wsbuglink:20248[].
* Sysdig event and Falco bridge dissection mismatch due to unsupported pcapng block types. wsbuglink:20358[].
=== New and Updated Features
Stratoshark can capture system calls locally on Linux and a variety of log sources on Windows, macOS, and Linux.
// The following features are either new or have been significantly updated since version 0.9.0:
//* The Windows installers now ship with Qt 6.5.2.
// They previously shipped with Qt 6.2.3.
// === Removed Features and Support
// === Removed Dissectors
//=== New File Format Decoding Support
//[commaize]
//--
//--
// === New Protocol Support
// Add one protocol per line between the -- delimiters in the format
// “Full protocol name (Abbreviation)”
// git log --oneline --diff-filter=A --stat v4.3.0rc0.. epan/dissectors plugins
// [commaize]
// --
// --
// === Updated Protocol Support
// Too many protocol updates have been made to list them all here.
//=== New and Updated Capture File Support
// There is no new or updated capture file support in this release.
// Add one file type per line between the -- delimiters.
// [commaize]
// --
// --
// === New and Updated Capture Interfaces support
// [commaize]
// --
// --
//=== New and Updated Codec support
//_Non-empty section placeholder._
// === Major API Changes
== Getting Stratoshark
Stratoshark source code and installation packages are available from
https://www.stratoshark.org/download.html.
// === Vendor-supplied Packages
// Most Linux and Unix vendors supply their own Wireshark packages.
// You can usually install or upgrade Wireshark using the package management system specific to that platform.
// A list of third-party packages can be found on the
// https://www.wireshark.org/download.html[download page]
// on the Wireshark web site.
== File Locations
Stratoshark looks in several different locations for preference files, plugins, and other files.
These locations vary from platform to platform.
You can use menu:Help[About Stratoshark,Folders] to find the default locations on your system.
== Getting Help
// The User’s Guide, manual pages and various other documentation can be found at
// https://www.wireshark.org/docs/
Community support is available on
https://ask.wireshark.org/[Wireshark’s Q&A site]
and on the wireshark-users mailing list.
Subscription information and archives for all of Wireshark’s mailing lists can be found on https://lists.wireshark.org/lists/[the mailing list site].
Bugs and feature requests can be reported on
https://gitlab.com/wireshark/wireshark/-/issues[the issue tracker].
You can learn system call and log analysis and meet Stratoshark’s developers at
https://sharkfest.wireshark.org[SharkFest].
// Official Wireshark training and certification are available from
// https://www.wiresharktraining.com/[Wireshark University].
== How You Can Help
The Wireshark Foundation helps as many people as possible understand their systems and networks as much as possible.
You can find out more and donate at https://wiresharkfoundation.org[wiresharkfoundation.org].
// == Frequently Asked Questions
// A complete FAQ is available on the
// https://www.wireshark.org/faq.html[Stratoshark web site].
|
