This is an experimental release intended to test new features for Stratoshark 1.0.

What is Stratoshark?

Stratoshark is a system call and log analyzer. It combines the analysis and filtering features of Wireshark with the capture and data enrichment features of Falco. It can be used for troubleshooting, analysis, development and education.

Stratoshark is hosted by the Wireshark Foundation, a nonprofit which promotes protocol and system analysis education. Stratoshark and the foundation depend on your contributions in order to do their work. If you or your organization would like to contribute or become a sponsor, please visit wiresharkfoundation.org.

What’s New

The following changes have been made since version 0.9.2:

  • The Windows installers now ship with Qt 6.8.3. They previously shipped with Qt 6.8.1.

  • Stratoshark now ships with “strato”, a command line tool similar to tshark.

  • The Windows and macOS packages now ship with the gcpaudit and k8saudit plugins.

  • The Falco Events dissector now adds IP geolocation fields alongside IPv4 and IPv6 address fields.

The following changes have been made since version 0.9.1:

  • A new “Plots” dialog has been added, which provides scatter plots in contrast to the “I/O Graphs” dialog, which provides histograms. The Plots dialog window supports multiple plots, markers, and automatic scrolling.

  • The Falco Bridge dissector has been renamed to Falco Events. Filter fields now have a "falcoevents" protocol prefix, but a "falcobridge" protocol alias has been added for backward compatibility. Issue 20397

  • Stratoshark can now show field offsets for supported plugins.

  • Cloudtrail log messages can now be viewed as formatted JSON data.

  • The system call dissector now has a "falcoevents.fd.stream" field, which provides a unique number for each file descriptor. The "Follow File Descriptor Stream" feature now uses this field to track streams. Issue 20538

  • We now ship universal macOS installers instead of separate packages for Arm64 and Intel. Issue 17294

The following changes have been made since version 0.9.0:

  • The application icons have been updated.

Bug Fixes

The following bugs have been fixed since version 0.9.2:

  • .scap file extension wrongly associated with Wireshark. Issue 20583.

  • sshdig should have a snaplen option. Issue 20586.

The following bugs have been fixed since version 0.9.1:

  • Stratoshark help message has Wiresharkisms in it. Issue 20229.

  • Stratoshark and editcap could write incorrect block types. Merge request 19238.

  • Stratoshark says I can’t capture on local interfaces. Issue 20494.

  • Stratoshark: Crash While Sorting on evt.buflen column. Issue 20571.

The following bugs have been fixed since version 0.9.0:

  • Falco Bridge: Empty frame.protocols field. Issue 20248.

  • Sysdig event and Falco bridge dissection mismatch due to unsupported pcapng block types. Issue 20358.

New and Updated Features

Stratoshark can capture system calls locally on Linux and a variety of log sources on Windows, macOS, and Linux.

Getting Stratoshark

Stratoshark source code and installation packages are available from https://www.stratoshark.org/download.html.

File Locations

Stratoshark looks in several different locations for preference files, plugins, and other files. These locations vary from platform to platform. You can use Help  About Stratoshark  Folders to find the default locations on your system.

Getting Help

Community support is available on Wireshark’s Q&A site and on the wireshark-users mailing list. Subscription information and archives for all of Wireshark’s mailing lists can be found on the mailing list site.

Bugs and feature requests can be reported on the issue tracker.

You can learn system call and log analysis and meet Stratoshark’s developers at SharkFest.

How You Can Help

The Wireshark Foundation helps as many people as possible understand their systems and networks as much as possible. You can find out more and donate at wiresharkfoundation.org.