This past Monday and Wednesday at Sharkfest we had a couple of sessions where we
went over what should be next for Wireshark. The discussion was lively each day,
with users and developers contributing lots of great ideas. A slightly edited
version of the whiteboard contents from each session is included below.

There was a lot of focus on NTAR/Pcap-NG support. It sounds like quite a few
people could make use of the extra functionality it would provide. There was
also enthusiasm for dropping GTK1 support. On Wednesday there was a lot of focus
on start/stop triggers and on Wireshark's memory usage.

I've started working on removing GTK1 references from the packaging directory,
and plan to tackle the easy memory management items next.
Whiteboard dump:
Kickoff (Monday)
Features
- Multi-threaded dissection
- Bounce diagrams (timing + drill-down)
- Memory mapped file I/O
- Dump GTK1!!!
- Native UI (Windows Mac KDE)
* - Rename Epan
- Pcap-NG
- Dump to memory buffer
- Capture performance improvements
- Whiz-bang startup wizard
- CI improvements
- Packet correlation
* - Checksum + chimney handling
- Wirebrush (trace file scrubber)
- Formal code review (maybe just of core code initially)
- Higher level dissection
Use cases
- Network performance + forensics
- Transport layer analysis
- Research + validation
- Application troubleshooting
- Remote sampling
- Data cleansing
Wrap-up (Wednesday)
Memory Management
- Configurable upper limit on the amount of ep_- and se_-allocated memory
- A sliding window for the packet list
- Let the user disable guard pages and canaries
General Roadmap
- Pcap-NG
- Start/stop triggers
  - Use capture or display filters?
  - Does this mean refactoring the interface dialog?
- Better name resolution
* - Drop GTK1