What’s New In Wireshark 4.4?
Categories:
Announcement
Wireshark 4.4.0 has been released, and it includes a lot of improvements and updates since version 4.2.0 was released last November. I’ll cover some highlights here, but you will definitely want to check out the release notes[1] for details.
Graph Dialogs
Many bugs have been fixed in the graph dialogs (I/O Graphs, Sequence Diagrams, and TCP Stream Graphs), and performance has been improved.
The following improvements have been made to the I/O Graphs dialog:
- The minimum interval is now 1 microsecond.
- The Y axis now uses SI prefixes.
- Bar graphs are rendered more sensibly.
- The graph list can be reordered by dragging and dropping items.
- Graph legends and layer orders always match the graph list order.
- The legend can be moved by right-clicking on it.
(Figure: The new bar graphs and intervals)
The Sequence Diagram (Flow Graphs and VoIP Calls) dialog has been improved as well:
- The entire graph can be exported as an image. Previously, only the items on screen were exported.
- Endpoints with the same address are now displayed correctly.
The TCP Stream Graphs dialog does a better job of identifying the client and server sides of connections.
From Network Packets to Log Data: How Logray built upon Falco’s foundation
Logray is a new addition to the Wireshark family. The name comes from “log” (as in event logs) and “ray” (the closest zoological cousin to sharks), mirroring “wire” and “shark” for network packets. Premiering at SharkFest ’22, it takes the best of Wireshark and applies it to log data analysis. Where Wireshark scrutinizes network traffic, Logray reads system calls, Amazon CloudTrail logs, and other log data, giving security professionals a familiar workflow for a different kind of evidence.
At its core, Logray retains the user-friendly parts of Wireshark: the same display filter engine, packet colouring, and context menus. On top of that it reads pcapng files that carry log data, and it loads third-party plugins through Falco’s plugin API. System call and log data are stored in the PCAP Next Generation Dump File Format (pcapng). Because pcapng is a generic block-based container rather than a packet-only format, the same file format and tooling can hold captures and log records alike, which broadens the scope of what can be captured and analysed.
A notable component of Logray is ‘falcodump’, which captures log data from a Falco source plugin and writes it out for analysis.
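To make the point about pcapng concrete, the following added example (not code from Logray, Wireshark or the Falco project) writes a few constructed sshd log lines into a minimal pcapng file and reads them back, validating the block framing on the way. It assumes the private-use link type LINKTYPE_USER0 (147) as a stand-in for a log "interface"; the block types and encoding that Logray and falcodump actually use for Falco plugin events are not described on this page and are not reproduced here. The sample log lines are constructed for the example.

```python
"""Minimal pcapng writer/reader that carries log records instead of packets.

Added example; illustrates pcapng as a generic container. LINKTYPE_USER0 is an
assumption for this demo, not Logray's real encoding.
"""
import struct

SHB = 0x0A0D0D0A            # Section Header Block
IDB = 0x00000001            # Interface Description Block
EPB = 0x00000006            # Enhanced Packet Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
LINKTYPE_USER0 = 147        # private-use link type (assumption for the demo)


def _pad4(data: bytes) -> bytes:
    return data + b"\x00" * ((4 - len(data) % 4) % 4)


def _block(block_type: int, body: bytes) -> bytes:
    """Frame a body as a pcapng block: type, total length, body, total length."""
    body = _pad4(body)
    total = 8 + len(body) + 4
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def section_header() -> bytes:
    # byte-order magic, version 1.0, section length unknown (-1)
    return _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))


def interface_description(linktype: int = LINKTYPE_USER0, snaplen: int = 0) -> bytes:
    # linktype, reserved, snaplen (0 = no limit); no if_tsresol option, so
    # timestamps are in microseconds by default
    return _block(IDB, struct.pack("<HHI", linktype, 0, snaplen))


def enhanced_packet(iface_id: int, ts_us: int, payload: bytes) -> bytes:
    hdr = struct.pack("<IIIII", iface_id, ts_us >> 32, ts_us & 0xFFFFFFFF,
                      len(payload), len(payload))
    return _block(EPB, hdr + payload)


def write_log_pcapng(records) -> bytes:
    """records: iterable of (timestamp_us, log_line). One EPB per log line."""
    out = section_header() + interface_description()
    for ts_us, line in records:
        out += enhanced_packet(0, ts_us, line.encode("utf-8"))
    return out


def read_log_pcapng(blob: bytes):
    """Walk the blocks defensively; return (linktype, [(ts_us, line), ...])."""
    off, linktype, records = 0, None, []
    while off < len(blob):
        if off + 8 > len(blob):
            raise ValueError("truncated block header at offset %d" % off)
        btype, total = struct.unpack_from("<II", blob, off)
        # a block is at least 12 bytes, 4-byte aligned, and must fit the buffer
        if total < 12 or total % 4 or off + total > len(blob):
            raise ValueError("malformed block length at offset %d" % off)
        trailer, = struct.unpack_from("<I", blob, off + total - 4)
        if trailer != total:
            raise ValueError("block length mismatch at offset %d" % off)
        body = blob[off + 8:off + total - 4]
        if btype == SHB:
            magic, = struct.unpack_from("<I", body, 0)
            if magic != BYTE_ORDER_MAGIC:
                raise ValueError("unsupported byte order in section header")
        elif btype == IDB:
            linktype, = struct.unpack_from("<H", body, 0)
        elif btype == EPB:
            _iface, ts_hi, ts_lo, caplen, _origlen = struct.unpack_from("<IIIII", body, 0)
            if 20 + caplen > len(body):
                raise ValueError("captured length exceeds block at offset %d" % off)
            data = body[20:20 + caplen]
            records.append(((ts_hi << 32) | ts_lo, data.decode("utf-8")))
        # unknown block types are skipped, as pcapng readers are expected to do
        off += total
    return linktype, records


if __name__ == "__main__":
    # constructed sample log lines, not real data
    sample = [
        (1700000000000000, "2023-11-14T22:13:20Z sshd[1234]: Failed password for root from 203.0.113.5 port 4242 ssh2"),
        (1700000000250000, "2023-11-14T22:13:20Z sshd[1234]: Connection closed by 203.0.113.5 port 4242"),
    ]
    with open("logs.pcapng", "wb") as f:
        f.write(write_log_pcapng(sample))
    print(read_log_pcapng(open("logs.pcapng", "rb").read()))
```

The reader checks both copies of each block length and that the captured length fits inside the block, which is the kind of bounds checking any pcapng consumer needs before trusting a file from an untrusted source. Wireshark will open the resulting file and show each record as raw data under the user link type; mapping that type to a dissector is done in the DLT_USER preferences.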
The evolution of system introspection from BPF to Wireshark to Falco
Categories:
Security
Falco is an open source project built as a flexible and robust rules engine on top of the Sysdig libraries. Its goal is to detect anomalous behaviour and intrusions in modern applications, in the spirit of Snort, but applied to system calls and tuned for cloud environments.
Nevertheless, it is important to recognize that Falco and Wireshark represent distinct branches of this evolution. Falco performs continuous monitoring, much like Snort, while Wireshark is an interactive tool for analysing captured network traffic on an endpoint.
Introduction
Part of this journey has been the emergence of cloud-native apps. From the early days of BPF (Berkeley Packet Filter) and libpcap (a portable C library for network traffic capture), which laid the foundation for network packet analysis, to the familiar graphical user interface of Wireshark, our understanding of network data has changed profoundly. This article walks through that transformation, showing how tcpdump and libpcap sparked an explosion of packet-based analysis and runtime security tools, exemplified by Wireshark and Snort.
Wireshark, Snort, Nmap, Kismet, ngrep, and many other tools started at around the same time and are all descendants of tcpdump and libpcap: each of them uses libpcap for packet capture.