TraceWrangler

• Beta 0.6.2 (22nd of May, 2017)
• Added: added a VLAN removal option to edit tasks for consistency, which was already possible via anonymization (thx to Simon Lindemann)
• Added: storing TTL/hopcount for IP addresses to traceintel database
• Added: added "Auto Mode" checkbox to IPv4 and IPv6 replacement options, so that "Auto replacement" is performed automatically without having to click buttons
• Added: preferences option added to set arbitrary traceintel database file name
• Added: preferences otpion added to store all traceintel database files in a global path instead of each trace file directory locally
• Added: "Auto" menu option added to "Add" button in the sanitization form for specific MAC, IPv4 and IPv6 single address replacements
• Fixed: edit tasks could crash under some situations because of accessing resources that had been discarded earlier
• Fixed: GTP-u processing failed for Linux cooked captures
• Fixed: filter was added to wrong (unitialized) list, causing runtime errors when loading merge settings (thx to Chris Maynard)
• Fixed: editing a file without writing a header comment listing the modifications failed (thx to Chris Maynard)
• Fixed: errors in PCAPng files forcing the read process to abort reading blocks returned undefined objects or values, leading to crashes (thx to Paul Offord)
• Fixed: some sanitization task setup UI elements weren't behaving correctly
• Fixed: sanity check added when parsing IPv4 layers to prevent crashes caused by bogus IP length field values
• Fixed: address replacements in anonymization tasks sometimes only worked for some of the addresses, leaving others original
• Fixed: problem with hiding task buttons still existed when using drag and drop of .task files
• Fixed: multiple error messages when adding zero byte files. Now a file needs to be at least 24 bytes to be accepted.
• Fixed: no option to add files from a directory after files are already in the list. Now popup and main menu have options for this.
• Fixed: task quick buttons were not hidden when importing task file via popup menu
• Fixed: some TCP conversation statistics based on the client IP were miscalculated
• Changed: "Auto" replacement option for sanitization now checks if the two IPs are likely to be in the same subnet and adjusts replacements accordingly
• Changed: TCP port replacement by socket now allows specifying the full replacement socket, not just the port
• Beta 0.6.0 (5th of July, 2016)
• New Features:
• Conversation Summary
• lines can be marked now, and will stay visible even if not matching a filter if applied. Jumping from marked lines to the next/previous is possible
• New highlight mode for TCP conversations to show conversations that start and end within the time of a selected conversation
• New aggregated view for TCP conversations, grouping them by IP pair
• Added copy-to-clipboard for the selected cell, plus external IP lookup when an IP address is selected
• New protocols supported
• RTPS (parsing and assembling, as far as required for sanitization)
• ERSPAN parser added
• Sanitization Tasks
• GTPv1 can now be assembled, allowing sanitization of packets with a GTPv1 layer
• Sanitization task can now reassemble IPv4 fragments to allow sanitizing reassembled payloads (RTPS sanitization forced this feature)
• pcaptouch command line executable added, allowing setting the file time stamp to the time of the first frame in each file. It can also fix the file extension
• Enhancements:
• ngconvert now displaying the percentage of progress when converting a file
• write speed when writing frames to PCAPng files improved for all tools
• Main Window
• Buttons added on top of task list to allow even faster adding of tasks if there isn't any yet
• code added to allow ignoring file time stamp setting error messages
• warning message added when files are not auto scanned due to threshold
• window label added to be able to distinguish various TW instances
• Preferences
• Setting added to turn off warnings about files not being auto scanned
• Proxy detection for performing update checks should work better now
• Conversation Summary
• pop-up menu added to column headers to allow hiding and showing columns (settings are not persistent yet)
• displaying FlowCount per IP conversation entry plus average TCP RTT if available
• displaying total TCP Flags per Conversation in TCPDump Format
• enhanced the pop-up menus with shortcut keys
• TraceIntel database
• table structure changed to store more details
• Sanitization Tasks
• parameter added for keeping Ethernet trailer intact
• setting added to allow re-padding of payloads
• setting added for ignoring length differences in replacement strings
• black marker settings added for addresses (replace all bytes with zeros)
• parameters added for RTPS sanitization
• setting added for preventing IP reassembly
• now calculating delta between IP total length and wire size to see if the new IP total length needs to be adjusted. This can happen when encountering hard sliced frames and keeping the payload/replacing it with zeros/strings
• functionality added to preserve Ethernet trailer
• Edit Tasks
• added detection of ERSPAN layers and removing them when GRE is cut away
• IPv6 wasn't treated correctly for GTPv1 editing; now adjusting EtherType
• now using the highest L2 header before the GTPv1 header as new L2 base
• now able to handle SLL headers with malformed VLAN information injected into the header as if it were Ethernet. VLAN information is kept intact and added to the Pseudo Ethernet header
• sub option added to meta editing to allow to force wire size modification even if wire size and capture size are not the same (as per request of Nathan Flowers)
• Extraction Tasks
• Exporting frames to multiple files now works based on the filename schema instead of what filters were used
• displaying filters in grayed out mode if no frame will match, based on if the filter has a first frame location assigned (after looking conversations up in the conversation store for the filter)
• status panel added to show process of creating filters from beacon file when the file is larger than a certain threshold
• functionality added to import filters from CSV
• VLANID placeholder added
• replaced checkbox with "match all" hint
• Merge Tasks
• writing file comments is now configurable to avoid writing large source file name lists to the SHB comment field
• feature added to write the filename of each source file for the first frame merged into the output file (only in concatenation mode)
• ICMPv6 Parser
• Handling of ICMP redirects added
• IPv4 Assembler
• Forcing payload length improved
• Fixes:
• Main Window
• Update URL was still using port 80. Now changed to 443
• Update check improved to hopefully work with most proxies now
• Skipping over traceintel.db didn't work for all methods of adding files
• Preferences
• Storing values to disk may crash for items with quotation marks
• Conversation Summary
• RTT string output used ThousandSeparator instead of DecimalSeparator
• CSV export now uses quotes for all fields
• CSV export checks if the file exists
• some changes to get low screen resolution to work
• filter matching now case insensitive
• some columns were not sortable
• Sanitization Tasks
• enabling MAC replacements but not setting any randomization lead to random MACs
• determining a replacement EUI64 address failed when Ethernet sanitization was not active
• now handling :: and ::1 correctly
• UDP ports could be randomized even if not configured when UDP sanitization was enabled due to an uninitialized variable
• now also checking the IPv4 original for being loopback or all-zero and returning it instead of a replacement except if a DB replacement was configured
• storing VLAN replacements was in the wrong order, failing when hitting duplicates
• IP total length modification was resulting in values too small when Ethernet trailer was present
• replacing L4 ports by socket list wasn't working correctly; it requried to enter the replacement IP (which may not already be known) to do it's job. Now using the original IP
• CRC handling for TCP & UDP was not always correct
• various task form glitches fixed
• Extraction Tasks
• crash fixed when trying to get an interface that isn't used by any output frame
• adding frames from beacons failed if not a trace file
• TraceIntel database
• memory leak when keeping creating new IntelDB instances even though running in persistent DB mode
• major overhaul of the persistent IntelDB mechanism which was incomplete and leaking memory
• avoid writing the database to disk unnecessarily
• Frame data structures
• creating a new frame sometimes crashed by not copying the comment list
• stupid zeroing loop was slowing down initialization
• increased the maximum number of interfaces to 256 (from 32), because mergecap writes an ISB for each file merged
• Loaders
• NAI CAP: offset of next packet was determined as wire size, not capture size, leading to crashes on sliced files
• PCAP:  Raw IP link layer type 101 added
• PCAPng: added code to handle fractional time stamp calculation
• determining last frame offset and index was completely broken (looks like copy&paste error from first frame)
• Filters
• Reading filters from file wasn't initializing them correctly in some cases
• Filtering gave wrong results in some situations, due to multiple bugs
• General parsing
• parsing wasn't handling the case of an Ethernet trailer > 4
• failed plausibly checks did not set the correct parse result status, leading to problems (e.g. with NetFlow when not parsing v5 types)
• ICMPv6 Parser
• crash fixed when encountering unknown ICMP type
• MPLS Parser
• MPLS shims with Ethernet following sometimes have an additional control word, which adds 4 more bytes which need to be skipped
• NetFlow Parser
• plausibility check allowed all NetFlow versions; now reduced to 5 as we can't parse any other
• IPv4 Assembler
• setting flag values failed in some cases because of not clearing all of them first
• setting flags cleared fragment offset as well, always ending up as zero
• fragment offset now correctly stored as group of 8 octets
• TCP Assembler
• keeping CRC when copying values from TCP parser
• UDP Assembler
• merging UDP header and payload for checksum calculation was using the wrong size variable, leading to broken CRCs
• setting keepCRC to true when copying data from parser
• DNS Parser
• some records weren't parsed because of an off-by-one check
• Beta 0.4.0 build 616 (17th of June, 2015)
• New Features:
• Conversation List:
• Added the option to export rows into separate files
• Main Window
• Added rename option to tools menu, allowing to rename the files in the list based on a pattern
• Tasks
• Extraction task added to available tasks
• Extraction task can create filters from capture files and Snort alert logs
• New parsers added
• VXLAN
• New assemblers added:
• VXLAN
• GTP-u V1
• Enhancements:
• Main Window
• task process details pane added; right now only used for extraction tasks
• tasks are marked red when they can't be run for some reason
• Conversation List
• handshake seen and teardown seen are now separate TCP flow status messages
• displaying TCP flow teardown status when no handshake was seen
• calculating the total bytes and frames of all selected rows
• displaying a hint for each row, listing the files the row was seen in
• code added to allow double clicking rows to open them directly in the associated PCAPng file viewer
• Code added to export list rows to CSV
• detecting hard slicing and adding an attribute if found
• simple TCP Port reuse tracking added (seeing a SYN after having a complete conversation)
• added determining if a socket was refused or had inactivity timeouts
• Anonymization
• option to generate random IPs in the IPv4 private range if original is private
• determining if an IPv4 address is a documentation address and ignoring it if option is set
• SocketPortPair added to support defining TCP/UDP port replacements for specific original sockets only
• code added to dermine Multicast base mac for an IPv6 address
• setting an IPv6 socket now allows snort notation (without square brackets), needed for Snort alert log parsing
• checks added to make sure a replacement is not the same as the original by chance
• code added to randomize IPv6 addresses and prefixes stateless or stateful
• function added to allow removing unwanted frames from the destination file, currently used for ICMPv4 type/code
• Payload and general settings now have their own tabs
• can now anonymize frames containing GTP-u tunneling layers
• Editing
• code added to allow replacing a specific Ethertype when converting Linux cooked captures to pseudo Ethernet
• Juniper L2 header options updated
• added the option to remove MPLS shims
• option added to add a comment to a frame if the Juniper header has no L2 structure and a fake Ethernet header is built
• Parsers
• handling Ethernet over MPLS by looking at potential Ethertypes
• Filters
• Filters can now carry a label that can be used for file name generation
• Filter editor now allows copy & paste
• Preferences
• Proxy settings can now be taken from system settings
• General
• code added to allow using a persistent TraceIntelDB for loading multiple files faster from the same directory
• Bug Fixes:
• Main Window
• uses HTTPS URL for update checks now, not needing the redirect anymore
• updating the file details pane didn't work when a previously selected file was reselected
• displaying the comments for files wasn't working
• Conversation List:
• clearing the interface mapping list was missing, leading to problems when exporting files
• Filter not always working correctly when negating the expression
• Copy/Paste now working for filter field
• crash when extracting flows when trying to access non existing file entries
• TCP Handshake and teardown status wasn't tracked correctly
• fixed loading IPv4 endpoint table twice and IPv6 endpoint table not at all
• fixed determining if there is an Ethernet trailer failed when multiple Ethernet layers were present, e.g via VXLAN encapsulation
• determining Ethernet trailer was wrong for IPv6
• Anonymization
• ICMPv6: Setting Source and Target link layer addresses wasn't reflected in the assembled frame
• ICMPv6 checksums weren't calculated correctly
• UDP checksum cannot be 0
• determining if an IPv6 address is a solicited node multicast was broken
• determining Pseudo Header was sometimes not working correctly (it ignored ICMPv6 and fragmentation headers)
• crash fixed when looking for a GUID replacement
• crash fixed when trying to store Solicited Node Multicast address replacements more than once
• fixed missing path delimiter to replacement DB path when forced in settings
• fixed crash when creating random fe80 addresses failed
• fixed that MAC addresses weren't checked for being an IPv6 multicast carrier
• processing Ethernet addresses even when Ethernet sanitization is not enabled but IPv6 requires it to
• processing IPv6 neighbor solicitation/advertisement wasn't working correctly
• processing IPv6 ND wasn't working correctly; now looking at the discovery target first
• code added to allow replacing unknown payload bytes with zeros or a pattern
• input validation of content replacement strings failed when no '|' where used
• Editing
• removing GTP-u layers now works also for frames with more than 2 IP layers
• creating a pseudo Ethernet header was not really working
• General
• storing task details lost some information in certain situations
• writing PCAPng interfaces was broken when the original interface was modified instead of the copy
• setting wrong link type on write when it was changed for the new interface
• not writing NRB anymore when copying over blocks from the loader and there are no records for IPv4 and IPv6
• loader did not identify Juniper link layer type
• file entries were duplicated under some circumstances
• Intel DB version raised to 1.3 to void older dbs (structure has changed)
• various minor bugs fixed
• Beta 0.3.6 build 583 (2nd of January, 2015)
• New Features:
• Main Window now shows total frames and bytes of all loaded files if available
• Conversation List
• supports "not" or "!" as an operator for the filter box
• added a simple "Export to CSV" feature for TCP
• shows total number of frames and bytes in the status bar of all selected rows
• New parsers added
• NetFlow v5
• HSRP
• Geneva
• New assemblers added:
• NetFlow v5
• HSRP
• Sanitization
• new setting for IPv4 to allow replacing private IP addresses with a different random private address, or keep it, or fully randomize it
• IPv4 documentation IPs can now be excluded from randomization
• Selecting ICMPv4 type/code values to remove matching frames from the capture completely
• TCP/UDP sanitization settings now allow replacing a port specifically for an IP/Port combination
• Enhancements:
• Conversation List
• can report TCP Teardown without a initial handshake, and conversation that succeed only after multiple SYN retries/rejects
• Keep the focus on the selected node when sorting
• Shows more attributes, like Ethernet Trailer found, Hard Slicing
• Exporting Conversations from the list will now skip over irrelevant files to speed up the extraction process
• Sanitization
• EUI64 based IPv6 addresses are now sanitized in synchronization with the MAC address they are based upon
• Additional checks were added to make sure randomized replacements are not exactly the same as the original
• PCAPng Loader will now auto correct irrelevant errors when loading files, e.g. capture size > wire size
• Bug Fixes:
• File details in main window weren't cleared when no files are selected anymore. Also they weren't redisplayed if a previously selected file was reselected.
• New version check did not work with HTTPS version of the TraceWrangler home page
• Conversation List did not display IPv6 based UDP conversations correctly
• Conversation List did not show the list of conversations based on the order their first frames are found in the capture file
• PCAPng loader would crash when Interface Description Blocks were not all written before the first packet block (Thanks to Pascal Quantin)
• TCP parser could crash in some cases when parsing options
• Writing to IntelDB could crash when Snap Length was too big
• File entries were duplicated in the file table under some circumstances, so also deleting them failed
• UDP port replacement crash fixed
• GUID replacement crash fixed
  
  
• Beta 0.3.4 build 546 (5th of October, 2014)
• New Features:
• Anonymization tasks
• accepts Snort style content byte strings for payload replacement
• Offline help file added. Can be opened from the help menu of the main window
• Conversation/Endpoint Statistics
• Lists allows display filtering by using a text box in the status bar
• one or more selected conversation can be extracted to a single file, even if spanning multiple input files
• Conversations are now checked for additional attributes, e.g. one sided conversations, spanning files, etc.
• Conversations are tracked for which interfaces their frames were captured on. This allows writing files with only interface blocks that are in use
• Enhancements:
• TraceIntelDB
• stores more details about endpoints and conversations, including the time stamp of the last frame if available
• determining if a file is the same as an entry in the database now checks first and last frame time stamp for PCAPng and ignores file size changes
• database is now tracking if any changes need to be written to disk, so memory based databases are not written to disk anymore unless it is necessary, saving a lot of time
• PCAPng loader
• small errors in capture files are corrected if possible, e.g. if capture size > wire size
• Parse engine
• can now be told to stop parsing after Layer 2 and 3, e.g. when it is clear while filtering that no more depth is needed
• Bug Fixes:
• General
• byte swap routines failed for the 64 bit version since the in-line assembler instructions needed to be improved for that
• Loaders
• NAI CAP loader crashed when reading certain files where the interface entries weren't parsed correctly
• Anonymization tasks
• Copy & Paste now working for Replacement String Cells. Will always copy whole cell and overwrite whole cell on paste
• Main Window
• no longer switch to file list even when adding files was canceled and the list is empty
• file hints were not shown on mouse over events
• conversation option in tool window was not disabled when the last file was removed from the file list
• Conversation/Endpoint Statistics
• Duration values did not calculate the minutes part correctly for values above 60 minutes
• Parsers:
• Ethernet parser did not return OSI layer value
• some memory leaks fixed

               

-- Beta 0.3.1 build 517

               Fixed: ICMPv4 and ICMPv6 payload handling and checksum calculation were incorrect

               Fixed: IPv4 header length was not calculated correctly

               Fixed: IPv4 options were not copied correctly when assembling new IPv4 layer

               Fixed: TCP options were not copied correctly when assembling new TCP layer

               Fixed: maximum frame size was limited to 10k bytes, now increased to 64k bytes

               Fixed: off-by-one error fixed when reserving frame buffer space

               Fixed: calculating delta times failed in some situations

               Fixed: calculating CRC32 for frame content was incorrect. CRC32 is necessary for calculation of Ethernet FCS

               Fixed: using 16 bit values for frame size and capture length is not enough in some cases, increased to 32 bits

               Fixed: problems occurred on systems that have no daylight savings time

               Fixed: zero IPv6 address returned 0:0:0:0:0:0:0:0 instead of ::

               Fixed: Greater than/Lesser than operators for IPv6 addresses where not working correctly

               Fixed: stack overflow when returning a string for a tIPv6Socket type

               Fixed: returning NIL if an interface cannot be found by index, fixing a bad crash

               Fixed: CAPTimeToTicks routine to handle some new trace files made by Network General S6040

               Fixed: reading Network General S6040 channels are now linked to correct interfaces

               Fixed: reading the PCAPng Master blocks did not look at the BlockTotalLen correctly

               Fixed: reading batches of frames could run into trouble sometimes because the remaining Filesize was not always checked correctly first

               Fixed: nanoseconds where not assigned correctly when calculating frame timestamps while writing frames to PCAPng files

               Fixed: calculation of the option length of PCAPng EnhancedBlocks was wrong when a filter type was set but the filter was empty

               Fixed: writing PCAPng frames did not explicitly set the interface timestamp resolution

               Fixed: WriteFrameBytes now using longword as FrameSize type when writing PCAPng files

               Fixed: memory leak fixed in the input file scan routine

               Fixed: IntelDB file was not disconnected correctly after writing statistics

               Fixed: determining if frames where sliced or not wasn't working correctly, and still may need some more work for oversized frames

               Fixed: frame time order was not determined correctly in some cases

               Fixed: capture interfaces were not transfered to the interface list for ENC and PCAP files

               Fixed: trace duration now calculated at the end of the scan

               Fixed: Trace duration was not calculated after loading statistics from DB

               Fixed: Block Chain Root was not assigned to PCAPng Statistics when loading from DB        

               Fixed: deleting the entries in the file list failed when more than one entry were in the list

               Fixed: anonymization tasks loading IPv4 IP address replacements produced wrong results since the replacement address was not assigned

               Fixed: parsing Dynamic Update records failed due to parsing Zone information at the wrong offset

               Fixed: parsing records with more than 3 recursive pointers failed due to loop protection code, limit increased to 16 now

               Fixed: parsing IP addresses from answer records failed for bogus answer lengths; now length checks ensure enough bytes are present and while issuing a warning the data will be parsed

               Fixed: parsing DHCP for strings for ServerHostname and Boot Image failed when they were not empty        

               Fixed: parsing DHCP pointered FQDNs failed for TCP packets due to missing offset increase of 2 bytes

               Fixed: EOL option didn't force aborting parsing of TCP options, so parser got stuck when hitting an arbitrary "option len" byte of 0

               Fixed: parsing GTP headers other than the tunnel message type lead to a memory leak and a crash

               Fixed: internal memory leak happened when querying the length of the remaining payload

               Fixed: another memory leak fixed where the payload chunk was not freed

               Fixed: adding new socket layers wasn't working when multiple IP layers were encountered in a frame

               Fixed: truncated ICMPv4 payloads could lead to negative trailer length, which in turn lead to wrong packet length construction in sanitization tasks

               Fixed: some indexes were off by one when parsing frames, leading to crashes

               Fixed: determining if a protocol should be parsed or treated as payload was not working correctly

               Fixed: IPv4 sanitization did not process the IPv4 option list

               Fixed: Ipv4 sanitization got the IP payload length wrong sometimes

               Fixed: truncating an already truncated original frame the IP length was not set correctly

               Fixed: handling payload when cutting layers of was not working

               Fixed: sanitizing ICMpv4 was not checking the ICMP type to see if it was an Echo Request/Reply

               Fixed: memory leak fixed in GetEthernetAssembly caused by assembly.free not being called

               Fixed: evil memory leak fixed caused by an object creating payload copies to determine its length

               Fixed: two memory leaks fixed when discarding payloads due to sanitization parameter settings. No, it is not enough to set the length of the payload to 0. Free is a must.

               Fixed: another memory leak fixed where the final payload to construct the sanitized frame wasn't freed

               Fixed: Edit tasks Loader and Writer weren't properly closed at the end of the task

               Fixed: crash in edit task when assigning LinkType when not running Cooked Header or Juniper Replacement

               Fixed: crash in edit task when closing the writer twice

               Fixed: creating replacements for empty FQDNs failed; now an empty FQDN is returned

               Fixed: off-by-one error when creating replacement FQDNs

               Fixed: replacement FQDNs were backwards. My bad, should have been tested :-)

               Fixed: adding files to the file list was streamlined in all variants

               Fixed: showing strange results in main window when no frames where found in a file

               Fixed: making the PCAPng struct tab visible forced it to become active; now the current tab stays current

               Fixed: new files were not shown in the list until every file in the batch had been added

               Fixed: file status was not updated in some cases

               Fixed: not showing the first frametime stamp if the file hadn't been deeply scanned

               Fixed: manual scanning didn't work correctly

               Changed: now using frametimestamps with nanosecond details for first/last frame timestamp to improve accuracy

               Changed: when skipping checksum calculation for very large TCP payloads the next header type is now set to PAYLOAD to allow processing as undetermined payload

               Changed: added preferences setting to allow disabling the download check

               Changed: caption now declaring beta mode

               Changed: displaying capture duration instead of interface count in file list, and file list size increased

               Changed: scrolling every file node into view when active, not just when its really processed, to avoid sudden jumps

               Added: linktype for IP Raw added

               Added: added code to check and create the Ethernet FCS

               Added: added code to handle Ethertypes for outdated/deprecated VLAN tags

               Added: code to write a generic PCAPng header if the input file is not PCAPng

               Added: code added to PCAPng loader to handle SysDig blocks

               Added: TCP MultiPath options now being handled by TCP parser and assembler, which means that anonymization will work with those options

               Added: functionality to export trace file header comment to descript.ion file (used by Total Commander, Take Command etc.)

               Added: conversations are now scanned while scanning the file structure for general statistics

               Added: setting IntelDB to invisible if parameter is given

               Added: Functionality for address lookup from conversation storage now available for anonymization task settings

               Added: replacement option to replace arbitrary strings in unknown payloads. The setting for this is still awkward to use, but it was a 15 minute implementation.

               Added: option added to anonymization settings dialog to handle the Ethernet FCS

               Added: button added to make it easy to clear the anonymization dialog settings

               Added: button added to allow setting the current anonymization dialog settings as default

               Added: button added to allow setting the form back to "Factory default"

               Added: new Merge task added, which allows concatenation of multiple trace files, including those with more than one capture interface (which mergecap currently can't)

               Added: Merge task allows filtering on certain packets so that the resulting merged file only contains frames matching the filters

               Added: option added to set file timestamps of capture files to that of the input file, the first frame, or the last frame.

               Added: trace file options added to main screen, which displays file statistics like capinfos

               Added: SysDig block types added to PCAPng display

               Added: functionality to remove tasks by popup

               Added: code to handle the exit menu option

               Added: code to help avoiding creating duplicate task names

               Added: code to display conversation scan counters while scanning

               Added: button to abort automatic and manual scans

               Added: code added to toggle resizing upper or lower pane, can be set in preferences

               Added: code to check filesize max amd warn if too big        

       -- Alpha 0.1.3 build 320

               Added: Added a new option to the editing task settings allowing the replacement of Linux Cooked headers with Ethernet headers

               Fixed: Interface Description Block has IP and subnet values written without byteswapping them first (thanks ime-braun)

               Fixed: There were multiple Memory leaks when handling frame content, editing/cutting frame content, and writing to disk.

               Fixed: trace file formats other than PCAPng had a channel count of 0 in the file list

               Fixed: editing tasks did not update the processing status bar in the file list while running

       -- Alpha 0.1.3 build 317

               Fixed: The UDP checksum was set to "bad" values instead of keeping it at zero when it was zero in the original trace

               Fixed: removing files from the file list didn't work when more than one file was selected

               Fixed: writing Simple Packet Blocks in PCAPng files was using the wrong packet header (EPB)

               Fixed: writing Interface Description Block with IPv4 option was broken, creating invalid files

               Added: displaying MAC, IPv4 and IPv6 options of Interface Description Blocks in the PCAPng Structure Viewer

       -- Alpha 0.1.3 build 315

               Fixed: Cutting GRE and GTP-U layers resulted in frames having a longer wiresize than capture size, because the wire length wasn't adjusted properly (Thanks to Chris Maynard)

               Fixed: IPv4-in-IPv4 tunneling crashed on sanitization because I forgot to create the IPv4 pseudo header for the IP protocol type 4 (IPIP). Thanks to Chris Maynard for sending me the trace that crashed TW :-)

               Fixed: forgot to handle optional checksum, key and sequence values in GRE parser and assembler

               Fixed: Adding new tasks sometimes opened a form that held old settings. Now TraceWrangler has a folder with default settings for each kind of task and uses those files to initialize the forms (Thanks to Tony Fortunato)

               Fixed: Cutting GRE and GTP-U layers failed when frames contained VLAN tags (Thanks to Herbert Grabmayer)

       -- Alpha 0.1.3 build 313

               Fixed: Determining time bias for frame time stamp calculation crashed on systems with local timezone set to UTC (Thanks to George Gibat)

               Fixed: Loading PCAP files failed for files with Link Layer Type set to Linux cooked capture (Thanks to Chris Maynard)

               Fixed: Processing Edit tasks did not do anything for file formats other than PCAPng

               Fixed: The Linklayer type wasn't handled correctly when reading file formats other than PCAPng, so the resulting PCAPng file would always have an ETHERNET linklayer (Thanks to Chris Maynard)

               Fixed: the GRE parser calculated wrong offsets for the next parser when key bit or sequence number bit was set in the flags byte

               Added: GTP-U removal now should be able to handle frames that have a Linux Cooked Frame header instead of an Ethernet header (could not test since I have no trace of that kind)

       -- Alpha 0.1.3 build 310

               Fixed: DHCPv4 parser was skipped in release mode, so sanitizing DHCPv4 failed

               Added: edit task has a new option to strip a GTP-U header from a frame, including the IP and UDP layer it is transfered by.

       -- Alpha 0.1.3 build 308

               Fixed: Assembling packets containing IPv6 fragmentation headers crashed when trying to figure out the IPv6 pseudo header for CRC calculation

               Fixed: Retrieving certain IPv4 addresses from the replacement table crashed when assigning an signed integer to an unsigned value. Similar issues were fixed for DHCPv4 options

               Fixed: Anonymization task dialog UI problems fixed (Thanks to Tony Fortunato)

               Fixed: Writing TCP SACK edge blocks had a constant TCP option length of 4. Now it is calculated correctly depending on the number of edges (Thanks to Stuart Kendrick)

               Fixed: DHCPv4 option 15 (Domain Name) wasn't sanitized

               Fixed: creating replacement FQDNs had a couple of flaws

               Fixed: thousands separator for packet count in file list is now internationalized (Thanks to Tony Fortunato)

               Fixed: UDP assembly didn't consider the size of payloads different than the unsanitized payload

               Fixed: layers that had a different size after sanitization resulted in strange messages about truncated frames or load errors (Thanks to Tony Fortunato)

               Fixed: PCAPng writing routines had a bug where options were written before the packet bytes, leading to corrupt files

               Fixed: Parsing/Assembling RARP frames wasn't working (Thanks to Tony Fortunato)

               Fixed: Parsing/Assembling 802.3 formatted Ethernet headers was broken (Thanks to Tony Fortunato)

               Fixed: In some cases, remaining payload (a.k.a. bytes containing unkown protocol layers) wasn't handled correctly, leading to broken frames

               Changed: the DHCPv4 parser zeroed the payload of all unknown options, which doesn't make much sense. Now unknown options are left out instead, so they will not make it into the sanitized frame

               Changed: engine doing editing tasks completely rewritten

               Added: handling DHCPv4 options 42 (NTP Servers), 44 (NetBIOS Nameservers), 46 (NetBIOS NodeType) and 120  (SIP Servers) (Thanks to Tony Fortunato for a sample trace)

               Added: edit task can now be set to strip Juniper headers from frames in files written by Juniper devices. This will rewrite the link type, and transfer the packet direction to the metadata of the frame. (Thanks to Mike Canney for a sample trace)

       -- Alpha 0.1.3 build 294

               Fixed: IPv6 did not read and write Version, Class and Flow Label correctly

               Fixed: results of randomizing an IP address are no longer allowed to be 0.0.0.0 or in the range of 127.0.0.0/8

               Fixed: IPv6 link local addresses will now stay link local addresses by forcing the prefix to be fe80::/64

               Fixed: generating sanitized MAC addresses do no longer allow the all zero or broadcast address to be created, but after it has been processed by the address list

               Fixed: storing/retrieving IPv4 addresses from database could crash for large 32 bit values because they weren't processed as unsigned values

               Fixed: processing DHCPv4 host names wasn't working

               Fixed: ICMPv4 did not sanitize the RedirectGwy for ICMP Redirect messages

               Changed: FQDNs are now replaced with "x" characters as placeholders by default

               Added: randomizing IPv6 addresses will keep the address in the according address range/class, e.g. Multicasts will stay Multicasts, private addresses will stay private, and public addresses will be in 2000::/3

               Added: option to allow keeping IPv6 documentation addresses intact (prefix range of 2001:db8::/32)

               Added: support for reading and writing MPLS added

               Added: support for reading and writing GRE headers added

               Added: support for ICMPv6 added to anonymization tasks

               Added: option to keep IPv4 APIPA and Multicast addresses intact when randomizing IPs

               Added: code to only randomize TCP/UDP ports for ports above 1024, if the setting for it is checked                

       -- Alpha 0.1.2 build 281

               Fixed: crash when parsing IPv6 packets containing UDP headers where IPv6 wasn't tunneled (thx, @packetlevel)

               Fixed: status when processing files was finished wasn't correctly updated in the statusbar

               Fixed: setting a subdirectory as output path failed

               Fixed: routines calculating TCP and ICMP checksum were faulty, leading to bad CRCs in resulting files as well

               Fixed: generating MAC addresses now checks for multicast and broadcast

               Added: parser and assembler to handle the DHCPv4 layer

               Added: anonymization task settings to allow clearing echo request/reply payloads

               Added: storing FQDNs to replacement database

               Added: parsing and writing Linux cooked headers

               Added: generating new IPv4 addresses now checks if original addresses are Multicast or Broadcast. Also, generated addresses are now verified to be unique so that no two same replacements are made for different originals

               Added: option to exclude IPv4 multicast addresses from randomization

               Added: sanitity and debug code added to pinpoint problems in case trace samples cannot be provided

               Changed: MAC address replacement routine now sets a default first octet of $F2 when the vendor octets aren't preserved

               Changed:  anonymization task now sanitizes the most important layer values by default        

       -- Alpha 0.1.1 build 270

               Fixed: protocol layers that failed to be parsed were not handled as generic payload correctly, leading to oversized frames that Wireshark can't read

               Fixed: randomizing IP IDs wasn't working correctly for fragments since every fragment got a random ID. Now fragments belonging to the same original packet will have the same random ID.

               Fixed: other minor issues were fixed

               Added: parser/assembler for IPv6 fragmentation headers

               Added: preference setting to check for update via http proxy

               Added: preference setting to check for update on startup

       -- Alpha 0.1.1 build 263

               Fixed: IPv4 fragments weren't handled correctly, which could lead to damaged anonymized frames because TraceWrangler did not realize that there were no further headers beyond the IP layer

               Fixed: loading PCAPng files had a small problem with sanity checks for Interface Statistics Blocks

               Fixed: ICMPv4 didn't handle Echo Request/Reply payloads correctly

               Fixed: IPv4 Identification is now kept the same for fragments when randomization is configured. TraceWrangler will make sure that the IP ID stays unique per fragment group and roll the dice again in case of a collision with a former fragment group of the same IP pair.

       -- Alpha 0.1.1 build 260

               Fixed: ARP values weren't byte swapped on write

               Fixed: loading settings could fail if the settings file had an older format

               Changed: disabled Name Resolution Block sanitization options other than removing the block completely

       -- Alpha 0.1.1 build 257

               Fixed: setting frame.flags to 0 to avoid that the pcapng writer calculates block option lengths that aren't there, resulting in Wireshark refusing to load a file

               Added: more sanity checking code when parsing block options

       -- Alpha 0.1.1 build 255 --

               Fixed: IPv6 traces crashed when trying to anonymize if not embedded in a IPv4 tunnel

               Fixed: aborting a sanitization task didn't work

               Fixed: file status is now set to fail when a task is aborted because of an error

               Fixed: execute button was active when there was a task but no file

               Added: hint texts in anonymization task editor are available for all layers now

       -- Alpha 0.1.1 build 253 --

               Fixed: nasty crash caused by copying "wiresize" number of bytes into a frame instead of "capture size", leading to memory corruption (thx, Landi)

               Changed: TraceIntel database will not be used by default to avoid problems with processing different trace files with identical names

       -- Alpha 0.1.1 build 251 --

               Fixed: TCP checksum calculation was incorrect in some cases

               Fixed: TCP header length could be wrong when options were written in a different way than in the original packet (thx, Landi)

               Fixed: Preferences dialog would not include new advanced option strings when an older preferences file was loaded

               Fixed: Timestamp calculation was incorrect in some cases, leading to out of order timestamps and the Wireshark TCP expert going crazy

               Fixed: Trailing octets were not handled correctly in some cases, e.g. ICMP quotes of UDP packets

               Added: Sanitization status is now updated visually in the trace file list while processing frames

               Added: preference setting to write the ReplacementDB to disk for debugging purposes, instead of using a memory based DB that is discarded after the task has finished

               Added: settings in anonymization task editor will now highlight the tree nodes on the left when a layer is set to modify something. This should make it easy to see what is going to be modified when the task is run.

               Added: popup menu added for task list in main window; allows exporting and importing tasks

               Added: drag & drop for ".task" files to add it to the list

               Added: all files specified as a parameter when running TraceWrangler will be added as trace files except those ending on ".task", which will be added as tasks

               Added: "About" dialog