v0.3.6

Added:

• Enrichments: prev_comm field was added to sched_process_exec description

• Stats: added preferences for filtering unix sockets in process tree with network

Changed:

• Live capture: default docker image was changed to v0.22.2

• Releases are now built for Wireshark 4.4.1 instead of 4.4.0

Fixed:

• Installation script fixes

• Remote capture: remove reliance on $PPID variable that doesn't exist in some shells

v0.3.5

Added:

• Releases for Linux ARM64

• Statistics:

  • File Types

  • Add per-container view to all existing statistics

• Enhanced file type detection for magic_write

• Support for more special argument datatypes

Changed:

• Live capture: increase modularity

Fixed:

• Live capture bugfixes

v0.3.4

Added:

• Releases for Wireshark 4.4.0

• Live capture: packet events (net_packet_raw) can be selected in event sets

Changed:

• Live capture: default docker image was changed to v0.22.0

Fixed:

• Build and install script fixes

v0.3.3

This release marks Traceeshark going public!

Added:

• Live capture - add packet event to event set selection

Fixed:

• Live capture fixes

v0.3.2

Added:

• Documentation

• Tracee packet capture context dissection (new Tracee feature)

• Script that merges Tracee pcaps with events

• IP addresses and ports in network events are now displayed in the appropriate columns

• Support for various special event argument data types

Changed:

• Releases are now built for Wireshark 4.2.6
• Command line argument in process execution events is now displayed as a generated field
• Live capture
  • Default docker image was changed to a recent development snapshot
  • New packet event was added to the Default preset

Fixed:

• Makefile and build script improvements
• Dissector and stats fixes
• Live capture fix for older Tracee versions

Removed:

• Live capture packet injector (no longer needed thanks to new packet event)

v0.3.1

This release fixes issues from v0.3.0, use this one instead. See CHANGELOG.md for changes made in v0.3.0.

Added:

• Pull request build workflow

• Build worflow step that tests that the plugins are loaded successfully

• Statistics

  • Process tree with written files

  • Process tree with network operations

  • Process tree with signatures

  • Add process executable and command line to process nodes

Changed:

• Process tree

  • Only paths relevant to the selected filter are displayed

  • Process fork events are used to determine the parent

Fixed:

• Compilation and loading errors on older and newer Wireshark versions

• Stats tree bugfixes

• Makefile fixes on Macos

v0.2.3

Added:

• Autoinstall script

• Release for Wireshark version 4.2.2 on Linux (Ubuntu 24.04 Wireshark package version)

Fixed:

• Macos build and installation fixes

• Windows build fixes

• Live capture bugfixes

v0.2.2

Added:

• Live capture

  • Remove container from previous run

  • Add configuration for capturing artifacts

  • Added toolbar for controlling the capture

  • Remote capture - copy artifacts from remote machine on demand and on capture stop

  • Inject captured packets into event stream on demand, periodically, and on capture stop

• Added GitHub workflow for automatic builds across all platforms

Fixed:

• Live capture bugfixes