This is an experimental release intended to test new features for Stratoshark 1.0.

What is Stratoshark?

Stratoshark is a system call and log analyzer. It combines the analysis and filtering features of Wireshark with the capture and data enrichment features of Falco. It can be used for troubleshooting, analysis, development and education.

Stratoshark is hosted by the Wireshark Foundation, a nonprofit which promotes protocol and system analysis education. Stratoshark and the foundation depend on your contributions in order to do their work. If you or your organization would like to contribute or become a sponsor, please visit wiresharkfoundation.org.

What’s New

The following changes have been made since version 0.9.1:

  • The Falco Bridge dissector has been renamed to Falco Events. Filter fields now have a "falcoevents" protocol prefix, but a "falcobridge" protocol alias has been added for backward compatibility.

  • Stratoshark can now show field offsets for supported plugins.

  • Cloudtrail log messages can now be viewed as formatted JSON data.

  • The system call dissector now has a "falcoevents.fd.stream" field, which provides a unique number for each file descriptor. The "Follow File Descriptor Stream" feature now uses this field to track streams.

  • We now ship universal macOS installers instead of separate packages for Arm64 and Intel.

The following changes have been made since version 0.9.0:

  • The application icons have been updated.

Bug Fixes

The following bugs have been fixed since version 0.9.1:

  • Stratoshark help message has Wiresharkisms in it. Issue 20229

  • Stratoshark and editcap could write incorrect block types. Merge request 19238.

  • Stratoshark says I can’t capture on local interfaces. Issue 20494

  • Stratoshark: Crash While Sorting on evt.buflen column. Issue 20571

The following bugs have been fixed since version 0.9.0:

  • Falco Bridge: Empty frame.protocols field. Issue 20248

  • Sysdig event and Falco bridge dissection mismatch due to unsupported pcapng block types. Issue 20358

New and Updated Features

Stratoshark can capture system calls locally on Linux and a variety of log sources on Windows, macOS, and Linux.

Getting Stratoshark

Stratoshark source code and installation packages are available from https://www.stratoshark.org/download.html.

File Locations

Stratoshark looks in several different locations for preference files, plugins, and other files. These locations vary from platform to platform. You can use Help  About Stratoshark  Folders to find the default locations on your system.

Getting Help

Community support is available on Wireshark’s Q&A site and on the wireshark-users mailing list. Subscription information and archives for all of Wireshark’s mailing lists can be found on the mailing list site.

Bugs and feature requests can be reported on the issue tracker.

You can learn system call and log analysis and meet Stratoshark’s developers at SharkFest.

How You Can Help

The Wireshark Foundation helps as many people as possible understand their systems and networks as much as possible. You can find out more and donate at wiresharkfoundation.org.