Release Notes

Releases

February 05, 2026 (Thursday) Release Notes

Netomize is excited to announce the fifth major release of PacketSmith, version 5.0.0 (codenamed Pinus strobus).

This ambitious release is the culmination of countless hours of R&D to add unparalleled features to PacketSmith.

It features the following additions, fixes and updates: 

  1. Added. Integrated Microsoft’s Antimalware Scan Interface (AMSI) detection module to scan frames, streams, and istreams for malicious content.
    • This feature is available via the option -D, --Detect amsi.
    • The included documentation features several real-world use cases that demonstrate the practical value of this feature.
  2. Added. Yara-X detection module. Using Yara-X CAPI, we’ve added the capability to scan a frame, TCP/UDP packets, streams and istreams.
    • We have exposed all the major protocols supported by PacketSmith to the Yara compiler and scanner, via custom pattern identifiers (PaIDs), unique to PacketSmith. Think of these PaIDs as domain-specific objects with nested attributes that you can leverage to write powerful and semantic-aware Yara-X rules to detect malicious traffic, targeting different protocols in the same rule.
    • Netomize is not aware of any other tool on the market that possesses such capabilities.
    • This feature is available via the option -D, --Detect yara.
    • Consult the accompanying documentation for an exhaustive technical breakdown and practical implementation examples of this feature.
    • For a sneak peek into Yara-X + PacketSmith Detection Module.
  3. Added. DNS parser and dissector over UDP/TCP. All of the DNS headers and records are exposed via the custom Yara-X PaID object dns, which you could use to write detection rules targeting the DNS protocol.
  4. The new cmdline option “-F, --Filter arg”, for applying conditional filters to pcap packets.
    • This “global” filter option is added to make it easier to SELECT frames, TCP/UDP packets, TCP/UDP streams over IPv4/IPv6, and ICMPv4/ICMPv6 istreams, across different features.
    • In future releases, PacketSmith will transition toward a centralized filter option model. Most features will utilize this “global” cmdline option as needed, eliminating the requirement for individual sub-options.
    • This option will be called out for every feature that’s dependent on it.
  5. Added. ICMPv4/v6 Echo istreams payload reassembly.
    • This is needed for payload scanning, for example when data is exfiltrated over hundreds of ICMP Echo packets. This feature is request-type aware.
  6. Added. Multiple new sections to the configuration file, including
    • [udp_reassembly] -> for configuring various global settings of the UDP reassembler
    • [icmp_reassembly] -> for configuring various global settings of the ICMP Echo reassembler (istreams)
    • [yara] -> for configuring various global settings of the Yara-X engine, scanner and compiler
    • [dns] -> for configuring various global settings of the DNS dissector, such as port numbers

Miscellaneous changes: 

  1. Internal. TCP and UDP stream calculation/creation have been “globalized”, whereby such streams are made available throughout the lifetime of the program right after all the underlying protocols have been dissected.
  2. Fixed. A bug in the setting of the AECN flag (-n, --tcp_flags).
    • The bit position was miscalculated.
  3. Fixed. A bug in the parsing of the IPv4 options (allocating a bigger buffer).
    • This bug was introduced in version 3!
  4. Fixed. The IPv6 fragment reassembly was failing to locate the upper raw layer, after the IPv6 layer. The same fix was applied to the IPv4 fragment reassembly.
  5. Fixed. Another bug in the IPv6 fragment reassembly, caused by packets containing a fragmented ESP layer. The order in which the ESP layer was parsed during fragment reassembly was incorrect.
  6. Added. A couple of attributes to various sections in the configuration file
    • The attributes “active_tcp” and “active_udp” in the streams section enable/disable stream creation. Use this setting carefully; disabling it will break certain functionalities.
    • The attribute “allow_ports” to the tcp_reassembly section to specify a list of allowed TCP dst ports for TCP streams. This is added for performance reasons.
      • All TCP streams’ keys with a dst port other than the ones in the list will be purged. 
      • This feature is documented in the “Allow/Exclude Port Numbers” section.
    • The attribute “exclude_ports” to purge UDP streams from the streams bucket based on a defined (dst) port exclusion list. This is added for performance reasons.
      • This feature is documented in the “Allow/Exclude Port Numbers” section.
    • The option to define specific IP ranges for TCP or UDP (across both IPv4 and IPv6) that the engine should purge from a stream type.
      • This feature is documented in the “Skip IP List” section.
      • The entries are defined in the file “streams/skip_ip_list.txt”.
  7. Updated. IPv6 address input validation is relaxed to accommodate both standard and compressed formats.
  8. Updated. To accurately reflect the underlying implementation logic, the stream directionality has been redefined from “duplex” to “half_duplex”.
  9. Significant performance gains have been achieved in the processing and assignment of TCP stream directionality.

Best regards,

M.

Netomize is excited to announce the fourth major release of PacketSmith, version 4.0.0 (codenamed Cactus). 

This significant release is the result of continuous commitment to making PacketSmith a tool that solves real-world network problems.

It features the following additions, fixes and updates: 

  1. Added. A performant and “configurable” TCP reassembly engine.
    • This will help a lot in future releases when building valid TCP streams, for raw payload extraction, or dissecting transport layer protocols. This is internal to PacketSmith, and will be used whenever necessary.
    • We have support for parsing various TCP options.
    • A comprehensive TCP stream handshake validator has been implemented. Its purpose is to identify all handshake packets within a stream and determine the stream’s directionality.
      • The handshake validator is exposed to the user via the option --Info streams_hshake
  2. Added. An x.509 certificate extractor designed for use with TLS/SSL over TCP and DTLS over UDP streams. 
    • The addition of this feature required the implementation of the TCP reassembly engine.
    • A DER certificate parser was implemented to parse, dissect and output detailed JSON objects and arrays of all located certificates, in addition to dumping them as DER files without any user intervention.
    • The stream has to start with a TLS Handshake content type, and handshakes of type Certificate have to be identified in it.
    • This feature is available via the option -X, --Xtract cert
  3. Added. Implemented TCP and UDP stream payload “reassembly”, which is achieved by simply concatenating the payloads of the stream’s constituent packets (this is not to be confused with the TCP reassembly engine). This feature is exposed in the configuration file with the certificate extractor section to choose between TCP stream payload concatenation or TCP reassembly.
  4. Added. Parsing of the UDP-Lite protocol with the capability to fix its checksums over IPv4/IPv6.
  5. Added. An INI configuration file (packetsmith.ini) to control the behaviour of some of PacketSmith’s features.

Miscellaneous changes: 

  1. Internal. Internal code refactoring and other non-visible bug fixes. 
  2. Fixed. Removed a debug condition that was mistakenly left in version 3.0 during testing.
  3. Fixed. Enhanced collision resolution heuristics for stream keys.

Best regards,

M.

Netomize is excited to announce the third major release of PacketSmith, version 3.0.0 (codenamed Allium fistulosum). 

This significant release features the following additions, fixes and updates: 

  1. Added. Version 2.0 introduced support for reassembling fragmented IPv4 and IPv6 packets. The major feature in this release is the new “fragmenter” implementation at the IPv4/IPv6 network layer. Crucially, our IPv6 fragmentation implementation fully complies with RFC standards even when various extension headers are present.
    • Available via the option frag_pkt (ipv4|ipv6):<mtu>
    • To compute the checksum for fragmented packets, you must first disable IP fragmentation reassembly using the option -u ip_frag_disable. This is necessary because, by default, IP reassembly combines the fragments back into the original packets before the checksum calculation.
  2. Added the capability to search and replace IPv4/IPv6 addresses, statically, independent of any stream type.
    • This is helpful in case you’re dealing with ICMP/IGMP or any other packet stack that doesn’t use the TCP/UDP protocol.
    • Available via the option --up_ip_addr static:<ipv4|ipv6>,<from_ip_addr>,<to_ip_addr>
  3. Added. PacketSmith now recognizes the Authentication Header (AH) and the Encapsulation Security Protocol (ESP) for IPv4/IPv6
    • In IPv6, AH is treated as an extension, but ESP is positioned as a distinct, independent layer within the packet’s protocol stack.
    • In IPv4, the AH and ESP protocols function as independent layers within the packet protocol stack.
  4. We’ve added a UDP packet fragmenter/splitter in this release. The key feature is that it fragments UDP packets based only on the data payload size, independent of any lower-layer protocols. Starting with version 3.0, you can now fragment UDP packets to match a specified maximum payload size.
    • Available via the option frag_pkt udp:<mtu_value>:(ipv4|ipv6|ipv10)
    • Although the term “MTU” is used for UDP, the value represents the maximum payload size; we still use the same common notation.
  5. Added. Support for VXLAN (Virtual eXtensible LAN) encapsulation layer parsing and unwrapping. PacketSmith now recognizes VXLAN and VXLAN-GPE (the same header)
    • For the option takeoff_lr, we have added the capability to unwrap a VXLAN-encapsulated frame by replacing the entire frame with the original overlay/encapsulated frame.
    • The VXLAN encapsulation layer is only parsed when the option --takeoff_ly vxlan is specified.

Miscellaneous changes: 

  1. Internal. Internal code refactoring and other non-visible bug fixes. 
  2. Fixed. A bug in the --ip_up_lyr option for the ipv4_id sub-command.
    • The “id” assignment operator was set to ‘=’ when in fact it should have been ‘:’.
  3. Fixed. For the IPv6 extensions, we fixed the code responsible for parsing the extensions to handle all the types required by RFC 8200. Additionally, we fixed handling the correct extension type when writing it back to the pcap.
  4. Updated. The command line options for updating the IP/MAC addresses and port numbers have been consolidated and vectorized per category for seamless and verbose usage.
    • For example, to update the IP address by stream, we’ve introduced this format pattern:
      • --up_ip_addr stream:<ipv4|ipv6>,<src|dst>,<tcp|udp|both>,<from_ip_addr>,<to_ip_addr>
      • Similar format patterns are used for the other options.

Best regards,

M.

Netomize is excited to announce the second release of PacketSmith, version 2.0.0 (codenamed Pistia stratiotes). 

This release is the result of significant effort and features the following additions: 

  1. Added ICMPv4/v6 Echo request/reply, UDP and TCP payload parametrized anonymization feature (option -T, --Tport_lyr)
    • To facilitate the secure sharing of sensitive packet captures—which may contain real-world traffic or other confidential data—PacketSmith provides a robust anonymization capability.
  2. Added the capability to detect and reassemble fragmented IPv4 and IPv6 packets 
    • Other than in-memory IP fragmentation packet reassembly, PacketSmith provides the capability to rewrite the fully reassembled IPv4/v6 fragmented packet into the original pcap (option -u ip_frag_perm and -u ip_frag_disable).
  3. Added ICMPv4/v6 Echo stream assembler (istreams)
    • PacketSmith is the only known tool capable of constructing ICMPv4/v6 Echo streams, like TCP/UDP streams (option -I, --Info istreams_j and istreams_j:fids)
  4. Added a new ICMPv4/v6 Echo suspicious/malicious traffic detection module
    • This module identifies malicious and suspicious activity using behavioral and protocol-semantic analysis, making it independent of specific signatures (option -D, --Detect icmp).

Miscellaneous changes: 

  1. Internal. Internal code refactoring and other non-visible bug fixes. 
  2. Added. Added specific functionalities for future features.
  3. Improved. The method for downcasting the identification number from the fragmentation extension was improved, ensuring it adds more entropy to the IPv4 identification field (option -r, ipv6toipv4).
  4. Fixed. We fixed a bug in the JSON stream output where ranged frames were incorrectly appended as a single binary object instead of being separated by a comma.
  5. Updated. The -u, --upd_ip_lyr option is now fully vectorized, which allows multiple sub-commands to be invoked at the same time (only unique sub-commands are allowed).
  6. Updated nlohmann JSON for Modern C++ library to version 3.12.0.

In the coming days or weeks, we’ll be releasing articles documenting some of the work that went into implementing those features with use cases.

Best regards,

M.

Netomize is excited to announce the first release of PacketSmith, version 1.0.0 (codenamed Cycas revoluta)!

PacketSmith is the product of extensive effort, born from our commitment to addressing practical challenges and common frustrations users face with packet captures (PCAPs) in their day-to-day work.

For a comprehensive overview of what PacketSmith can do, please visit our Features, Supported Protocols and Tutorials pages.

This is just the beginning! Future releases will introduce a host of new functionalities, from advanced packet crafting and payload extraction to robust detection capabilities.

We truly hope PacketSmith proves to be a valuable addition to your toolkit.

Best regards,

M.
