This is an experimental release intended to test new features for Stratoshark 1.0.

What is Stratoshark?

Stratoshark is a system call and log analyzer. It combines the analysis and filtering features of Wireshark with the capture and data enrichment features of Falco. It can be used for troubleshooting, analysis, development and education.

Stratoshark is hosted by the Wireshark Foundation, a nonprofit which promotes protocol and system analysis education. Stratoshark and the foundation depend on your contributions in order to do their work. If you or your organization would like to contribute or become a sponsor, please visit wiresharkfoundation.org.

What’s New

The following changes have been made since version 0.9.3:

  • Stratoshark can now read Process Monitor (Procmon) files.

  • Welcome Page Redesign The welcome page has been redesigned to be more informative and easier to navigate. It now highlights the learning sections better and includes a new sidebar with tips and tricks for using Wireshark effectively. The welcome page is now also more accessible, with improved keyboard navigation and screen reader support.

  • Lua Debugger A built-in Lua script debugger has been added. It supports breakpoints, single-stepping, variable inspection, expression evaluation, and stack traces.

  • Themes Stratoshark now uses the same theme system as Wireshark, driving the colors used throughout the GUI from a single theme instead of many individual color preferences. The renamed Appearance  Theme and Font preferences page lets you pick a theme, switch between Light, Dark, and System appearance, set the packet pane font, and preview the result. A built-in default theme ships with Stratoshark, and additional themes can be installed as JSONC (JSON with Comments) files. The previous per-color settings (marked and ignored packets, "Follow Stream" client and server text, display filter validity, and the selected packet) are now provided by the active theme. Personal themes can now be dropped as single .jsonc files into $HOME/.local/lib/stratoshark/themes (Unix) or %APPDATA%\Stratoshark\themes (Windows); the filename becomes the theme’s name in the dropdown. The exact path is shown in the About dialog’s Folders tab. On first launch after the upgrade, Stratoshark checks the Default profile’s preferences for customized values of the removed per-color settings. If any are found, a personal theme named Personal (Migrated) is created automatically in the personal themes directory, the legacy keys are removed from the Default profile’s preferences file, and the theme is activated so the original visual customizations are preserved. The migration runs once: the generated personal.jsonc can be edited, renamed, or deleted by hand at any time. The welcome page section headers ("Open", "Capture", "Learn") and the filter validity tints have been restored to the historical Classic look (Tango sky_blue brand, saturated GTK-era dark green / dark red filter backgrounds).

  • Zooming (View  Zoom In / View  Zoom Out) now scales the whole window, including the capture and display filter fields and other window elements. Previously only the packet list and detail pane text size changed. The new behavior should be much more useful for demos and presentations.

  • The keyboard shortcuts dialog (About Wireshark → Keyboard Shortcuts) has been moved out of of the About dialog to the menu View → Internals → Keyboard Shortcuts and now has a button to print the list of keyboard shortcuts to an HTML file.

  • The application icon has been updated to support Liquid Glass on macOS Tahoe.

  • Stratoshark and strato can now read plain Kubernetes Audit logs and Google Cloud Audit logs, and CloudTrail logs.

  • The CloudTrail and Google Cloud Audit log plugins have been translated to Rust on macOS and Windows. Issue 20869

The following changes have been made since version 0.9.2:

  • The Windows installers now ship with Qt 6.8.3. They previously shipped with Qt 6.8.1.

  • Stratoshark now ships with “strato”, a command line tool similar to tshark.

  • The Windows and macOS packages now ship with the gcpaudit and k8saudit plugins.

  • The Falco Events dissector now adds IP geolocation fields alongside IPv4 and IPv6 address fields.

The following changes have been made since version 0.9.1:

  • A new “Plots” dialog has been added, which provides scatter plots in contrast to the “I/O Graphs” dialog, which provides histograms. The Plots dialog window supports multiple plots, markers, and automatic scrolling.

  • The Falco Bridge dissector has been renamed to Falco Events. Filter fields now have a "falcoevents" protocol prefix, but a "falcobridge" protocol alias has been added for backward compatibility. Issue 20397

  • Stratoshark can now show field offsets for supported plugins.

  • Cloudtrail log messages can now be viewed as formatted JSON data.

  • The system call dissector now has a "falcoevents.fd.stream" field, which provides a unique number for each file descriptor. The "Follow File Descriptor Stream" feature now uses this field to track streams. Issue 20538

  • We now ship universal macOS installers instead of separate packages for Arm64 and Intel. Issue 17294

The following changes have been made since version 0.9.0:

  • The application icons have been updated.

Bug Fixes

The following bugs have been fixed since version 0.9.3:

In order to work around issue 20869, the macOS package ships with the gcpaudit and k8saudit plugins disabled. In order to enable them, you can rename them from Stratoshark.app/Contents/PlugIns/stratoshark/falco/plugin.so.disabled to Stratoshark.app/Contents/PlugIns/stratoshark/falco/plugin.so.

The following bugs have been fixed since version 0.9.2:

  • .scap file extension wrongly associated with Wireshark. Issue 20583.

  • sshdig should have a snaplen option. Issue 20586.

The following bugs have been fixed since version 0.9.1:

  • Stratoshark help message has Wiresharkisms in it. Issue 20229.

  • Stratoshark and editcap could write incorrect block types. Merge request 19238.

  • Stratoshark says I can’t capture on local interfaces. Issue 20494.

  • Stratoshark: Crash While Sorting on evt.buflen column. Issue 20571.

The following bugs have been fixed since version 0.9.0:

  • Falco Bridge: Empty frame.protocols field. Issue 20248.

  • Sysdig event and Falco bridge dissection mismatch due to unsupported pcapng block types. Issue 20358.

New and Updated Features

Stratoshark can capture system calls locally on Linux and a variety of log sources on Windows, macOS, and Linux.

Removed Features and Support

Dumpcap’s TCP@host:port interface has been removed.

Building with Qt 5 is no longer supported.

Getting Stratoshark

Stratoshark source code and installation packages are available from https://www.stratoshark.org/download.html.

File Locations

Stratoshark looks in several different locations for preference files, plugins, and other files. These locations vary from platform to platform. You can use Help  About Stratoshark  Folders to find the default locations on your system.

Getting Help

Community support is available on Wireshark’s Q&A site and on the wireshark-users mailing list. Subscription information and archives for all of Wireshark’s mailing lists can be found on the mailing list site.

Bugs and feature requests can be reported on the issue tracker.

You can learn system call and log analysis and meet Stratoshark’s developers at SharkFest.

How You Can Help

The Wireshark Foundation helps as many people as possible understand their systems and networks as much as possible. You can find out more and donate at wiresharkfoundation.org.