What's new in Wireshark 4.2.4
Mar 27, 2024
- Bug Fixes:
- If you are upgrading Wireshark 4.2.0 or 4.2.1 on Windows you will need to download and install Wireshark 4.2.4 or later by hand.
- The following vulnerabilities have been fixed:
- wnpa-sec-2024-06 T.38 dissector crash. Issue 19695. CVE-2024-2955.
- Additionally, CVE-2024-24478, CVE-2024-24479, and CVE-2024-24476 were recently assigned to Wireshark without any coordination with the Wireshark project. As far as we can determine, each one is based on invalid assumptions and we have requested that they be rejected.
- The following bugs have been fixed:
- Extcap with configuration never starts; "Configure all extcaps before start of capture." is shown instead. Issue 18487.
- Packet Dissection CSV Export includes last column even if hidden. Issue 19666.
- Inject TLS secrets closes Wireshark on Windows. Issue 19667.
- Fuzz job issue: fuzz-2024-02-27-7196.pcap. Issue 19674.
- Wireshark crashes when adding another port to the HTTP dissector. Issue 19677.
- Fuzz job issue: fuzz-2024-03-03-7204.pcap. Issue 19685.
- Fuzz job issue: randpkt-2024-03-05-8004.pcap. Issue 19688.
- When adding a new row to a table an error report may be inserted. Issue 19705.
- '--export-objects' does not work as expected on tshark version later than 3.2.10. Issue 19715.
- Fuzz job issue: fuzz-2024-03-21-7215.pcap. Issue 19717.
New in Wireshark 4.2.3 (Feb 14, 2024)
- Bug Fixes:
- If you are upgrading Wireshark 4.2.0 or 4.2.1 on Windows you will need to download and install Wireshark 4.2.3 or later by hand.
- The following bugs have been fixed:
- Capture start fails when file set enabled and file extension not supplied if directory contains a period. Issue 14614.
- Cannot drag and move custom filter buttons in toolbar. Issue 19447.
- Not equal won’t work when used with wlan.addr. Issue 19449.
- sshdump fails to connect with private key (ssh-rsa). Issue 19510.
- ChmodBPF installation fails on macOS Sonoma 14.1.2. Issue 19527.
- Windows installers should check for Windows 8.1. Issue 19569.
- Fuzz job crash output: fuzz-2024-01-05-7725.pcap. Issue 19570.
- Fuzz job crash output: fuzz-2024-01-06-7734.pcap. Issue 19578.
- Incorrect recursion depth assert failure when dissecting a legitimate GOOSE message. Issue 19580.
- OPC UA - large read request is reported as malformed in 4.2.1 but not in 4.0.12. Issue 19581.
- TFTP dissector bug type listed as netscii instead of netascii doesn’t show all TFTP packets including TFTP blocks. Issue 19589.
- SMB1 replies from LAN Drive app only show up as NBSS Continuation Message. Issue 19593.
- ciscodump - older SSH key exchange algorithms not supported. Issue 19594.
- Problem decoding LAPB/X.25/FTAM after adding X.75 decoding. Issue 19595.
- Wireshark Filter not working. Issue 19604.
- CFLOW: failure to decode 0 length data fields of IPFIX variable length data types. Issue 19605.
- Copy … as Printable Text Feature Missing in 4.1/4.2. Issue 19607.
- Export Objects - HTTP is missing some HTTP/2 files in a two-pass analysis. Issue 19609.
- ASAM-CMP Plugin: Malformed message, length mismatch if vendor defined data of status messages has odd length. Issue 19626.
- OSS-Fuzz 66561: wireshark:fuzzshark_ip_proto-udp: Null-dereference READ in wmem_map_lookup. Issue 19642.
New in Wireshark 4.2.2 (Jan 5, 2024)
- Bug Fixes:
- This release fixes a software update issue on Windows which causes Wireshark to hang if you are upgrading from version 4.2.0 or 4.2.1. If you are experiencing this issue you will need to download and install Wireshark 4.2.2 or later.
- The following bugs have been fixed:
- sharkd is not installed by the Windows installer. Issue 19556.
- Fuzz job crash output: fuzz-2024-01-01-7740.pcap. Issue 19558.
- Can’t open a snoop file from the Open dialog box unless I select "All files" as the file type. Issue 19565.
- Add s4607 dissector to "decode as". Issue 19566.
- Updater for 4.2.1 hangs. Issue 19568.
- Updated Protocol Support:
- RSVP, RTPS, and STANAG 4607
New in Wireshark 4.2.1 (Jan 4, 2024)
- The following bugs have been fixed:
- Capture filters not saved to recently used list. Issue 12918.
- CFM dissector does not handle Sender ID TLV correctly when Chassis ID Length is zero. Issue 13720.
- OSS-Fuzz 64290: wireshark:fuzzshark_ip: Global-buffer-overflow in dissect_zcl_read_attr_struct. Issue 19490.
- Overriding capture options set by preference by command line arguments (like -S) doesn’t work. Issue 14549.
- Segfault when enabling monitor mode on wireless card that falsely claims to support it. Issue 16693.
- Documented format of temporary file name is out of date in the Wireshark User’s Guide. Issue 18464.
- Selection highlight lost when interface list is sorted. Issue 19133.
- HTTP3 malformed packets. Issue 19475.
- Capture filter compilation fails with obscure error message. Issue 19480.
- XML: Parsing encoding attribute failed when standalone attribute exists. Issue 19485.
- Display filter expressions where the protocol name starts with digit and contains a hyphen are rejected. Issue 19489.
- diameter.3GPP-* display filters not working after upgrade to version 4.2.0. Issue 19493.
- GigE-vision: Control Protocol shows "unknown" as value for ASCII character set. Issue 19494.
- The HTTP/3 Request Header URI is not correct. Issue 19497.
- QUIC/TLS not extracting "h3" from ALPN in a capture. Issue 19503.
- Documentation on system requirements should be updated. Issue 19512.
- 4.2.0: init.lua in subdirectories not loaded anymore. Issue 19516.
- Malformed SIP/SDP messages: components are not decoded properly. Issue 19518.
- heuristic_protos do not reset on profile swap. Issue 19520.
- Wireshark 4.2 crashes on Apply As Column. Issue 19521.
- NFLOG timestamp is incorrect. Issue 19525.
- Qt6 Crash (Double Free) When Attempting to Save TCP Stream Graph. Issue 19529.
- Fixed parsing display filter expressions containing literal OID values, e.g. snmp.name == 1.3.6.1.2.1.1.3.0.
New in Wireshark 4.2.0 (Nov 16, 2023)
- What’s New:
- This is the first major Wireshark release under the Wireshark Foundation, a nonprofit which hosts Wireshark and promotes protocol analysis education. The foundation depends on your contributions in order to do its work. If you or your employer would like to contribute or become a sponsor, please visit wiresharkfoundation.org.
- Wireshark supports dark mode on Windows.
- A Windows installer for Arm64 has been added.
- Packet list sorting has been improved.
- Wireshark and TShark are now better about generating valid UTF-8 output.
- A new display filter feature for filtering raw bytes has been added.
- Display filter autocomplete is smarter about not suggesting invalid syntax.
- Tools › MAC Address Blocks can lookup a MAC address in the IEEE OUI registry.
- The enterprises, manuf, and services configuration files have been compiled in for improved start-up times. These files are no longer available in the master branch in our source code repository. You can download the manuf file from our automated build directory.
- The installation target no longer installs development headers by default.
- The Wireshark installation is relocatable on Linux (and other ELF platforms with support for relative RPATHs).
- Wireshark can be compiled on Windows using MSYS2. Check the Developer’s guide for instructions.
- Wireshark can be cross-compiled for Windows using Linux. Check the Developer’s guide for instructions.
- Tools › Browser (SSL Keylog) can launch your web browser with the SSLKEYLOGFILE environment variable set to the appropriate value.
- Windows installer file names now have the format Wireshark-<version>-<architecture>.exe.
- Wireshark now supports the Korean language.
- Many other improvements have been made. See the “New and Updated Features” section below for more details.
- Bug Fixes:
- The following bugs have been fixed:
- Issue 18413 - RTP player do not play audio frequently on Windows builds with Qt6.
- Issue 18510 - Playback marker does not move after resume with Qt6.
- New and Updated Features:
- The following features are new (or have been significantly updated) since version 4.2.0rc3:
- Nothing of note.
- The following features are new (or have been significantly updated) since version 4.2.0rc2:
- The Windows installers now ship with Npcap 1.78. They previously shipped with Npcap 1.77.
- The following features are new (or have been significantly updated) since version 4.2.0rc1:
- The Windows installers now ship with Npcap 1.77. They previously shipped with Npcap 1.71.
- The following features are new (or have been significantly updated) since version 4.1.0:
- Improved dark mode support.
- The Windows installers now ship with Qt 6.5.3. They previously shipped with Qt 6.2.3.
- The following features are new (or have been significantly updated) since version 4.0.0:
- The API has been updated to ensure that the dissection engine produces valid UTF-8 strings.
- Wireshark now builds with Qt6 by default. To use Qt5 instead pass USE_qt6=OFF to CMake.
- The "ciscodump" extcap supports Cisco IOS XE 17.x.
- The default interval between GUI updates when capturing has been decreased from 500ms to 100ms, and is now configurable.
- The -n option also now disables IP address geolocation information lookup in configured MaxMind databases (and geolocation lookup can be enabled with -Ng.) This is most relevant for TShark, where geolocation lookups are synchronous.
- The display filter drop-down list is now sorted by "most recently used" instead of "most recently created".
- Display filter syntax-related changes:
- It is now possible to filter on raw packet data for any field by using the syntax @some.field == <bytes…>. This can be useful to filter on malformed UTF-8 strings, among other use cases where it is necessary to look at the field’s raw data.
- Negation (unary minus) now works with any display filter arithmetic expression.
- Using the slice operator with strings produces a string. Previously it would produce a byte array. This is useful to index/slice UTF-8 multibyte strings. String byte slices can still be obtained using the "@" (raw operator) prefix.
- Arithmetic expressions are allowed as set elements.
- Absolute date and time values can be written as Unix time.
- The limitation where a minus sign needed to be preceded by a space character has been removed.
- Added XOR logical operator.
- Fixed the implementation of all … in membership operator (#19188).
- When parsing absolute time values the display filter engine has learned to understand timezones as specified in strptime(3), including some common North American designations. Arbitrary timezone names are not supported however. Previously only ISO8601 offsets and the "UTC" designation was understood.
- Writing value strings without double quotes is deprecated and will generate a warning. Value strings are integer or boolean values that can be represented using a user-friendly textual format, such as "Set"/"Unset" instead of numerical values like 1 and 0. It is now a requirement that value strings need to be written enclosed in double-quotes.
- The deprecated ~= operator symbol has been removed. It was replaced by !== in version 4.0.
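The raw-bytes filter (`@some.field == <bytes>`) and the new string-slice semantics above are easiest to understand by looking at what a string comparison can and cannot see once a field has been decoded. The following is an added example, not code from the Wireshark project: it models a string field's decoded value as UTF-8 with invalid sequences replaced by U+FFFD (an assumption about the engine made for illustration, not something the notes state), contrasts that with the raw bytes, and builds the colon-separated hex literal the `@` filter takes. The field names and byte values are constructed.

```python
# Added example (not part of the Wireshark release notes or code base).
# Demonstrates why filtering on a field's raw bytes differs from filtering
# on its decoded string value, and how 4.2's string slicing (code points)
# differs from raw slicing (bytes). All sample values are constructed.

# Constructed sample: raw bytes of a hypothetical string field as seen on
# the wire. "bad" ends with a lone UTF-8 lead byte and is therefore invalid.
SAMPLE_FIELDS = {
    "good": "café".encode("utf-8"),   # 63 61 66 c3 a9, valid 2-byte sequence
    "bad": b"caf\xc3",                # truncated multibyte sequence
    "plain": b"cafe",
}


def decoded_value(raw: bytes) -> str:
    """Model of the value a string comparison sees: invalid sequences are
    replaced with U+FFFD (assumed here), so the original bytes are gone."""
    return raw.decode("utf-8", errors="replace")


def string_slice(raw: bytes, start: int, stop: int) -> str:
    """4.2 semantics: slicing a string field indexes UTF-8 code points."""
    return decoded_value(raw)[start:stop]


def raw_slice(raw: bytes, start: int, stop: int) -> bytes:
    """Slicing with the "@" raw operator prefix yields bytes instead."""
    return raw[start:stop]


def to_filter_bytes(raw: bytes) -> str:
    """Render bytes as a Wireshark byte literal (colon-separated hex)."""
    return ":".join(f"{b:02x}" for b in raw)


def raw_filter(field: str, raw: bytes) -> str:
    """Build the 4.2 raw-bytes display filter for an exact field value.
    'field' is a hypothetical field name supplied by the caller."""
    return f"@{field} == {to_filter_bytes(raw)}"


def matches_decoded(raw: bytes, wanted: str) -> bool:
    """String comparison: works on the (possibly repaired) decoded text."""
    return decoded_value(raw) == wanted


def matches_raw(raw: bytes, wanted: bytes) -> bool:
    """Raw comparison: the only one that can pin down the wire bytes."""
    return raw == wanted


def find_malformed(fields: dict) -> list:
    """Names of fields whose raw bytes are not valid UTF-8. A string-valued
    filter cannot express this check; a raw comparison can."""
    out = []
    for name, raw in fields.items():
        try:
            raw.decode("utf-8")
        except UnicodeDecodeError:
            out.append(name)
    return out


if __name__ == "__main__":
    for name, raw in SAMPLE_FIELDS.items():
        print(f"{name:5s} decoded={decoded_value(raw)!r:12s} "
              f"filter={raw_filter('example.field', raw)}")
    # A genuine U+FFFD and a malformed byte decode to the same string, so a
    # string filter cannot tell them apart; the raw bytes differ.
    print(matches_decoded(b"caf\xef\xbf\xbd", "caf\ufffd"),
          matches_decoded(b"caf\xc3", "caf\ufffd"),
          matches_raw(b"caf\xef\xbf\xbd", b"caf\xc3"))
    print("malformed:", find_malformed(SAMPLE_FIELDS))
```

The practical consequence for triage: a string comparison on a field that arrived with malformed UTF-8 matches the repaired text, not what was on the wire, so two packets carrying different bytes can satisfy the same string filter. Use the `@` form when the exact bytes matter, and use string slices when you want to index by character rather than by byte.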
- Running the test suite requires the pytest Python module. The emulation layer that allowed running tests without pytest installed has been removed.
- When saving files or exporting packets after changing their time with the "Time Shift" dialog, the shifted time is written to the new file.
- TLS secrets used in decrypting packets can be embedded (or discarded) from the capture file via the GUI, similar to the options --inject-secrets and --discard-all-secrets in editcap.
- The text of any configured column (displayed or hidden) can be filtered anywhere that filters are used - in display filters, filters in taps, coloring rules, Wireshark read filters, and the -Y, -R, and -e options to TShark, the "Apply as Filter" GUI option, etc.
- The filter field names are prefixed by "_ws.col", followed by a lowercase version of the COL_ name found in epan/column-utils.h, e.g. "_ws.col.info" or "_ws.col.protocol"
- Using the column names as a filter is slower than other filter types because the columns must be constructed, so when the same filtering can be achieved via other fields, prefer that.
- The external name resolution text files "manuf", "enterprises" and "services" have been removed and replaced with static binary data. You can dump the respective internal data using tshark -G manuf|enterprises|services.
- The "manuf" file is now also read from the personal configuration folder, and is profile-based.
- The Lua console dialogs under the Tools menu were refactored and redesigned. It now consists of a single dialog window for input and output.
- Wireshark now shows byte units in the statistics in the user-selected language (uses the system default language by default).
- Packet list sorting has been improved:
- When sorting packet list with a filter applied, only the visible packets are sorted, which greatly increases sorting speed.
- The cache size for column text is limited to a default of 10000 rows, which limits the maximum memory usage. The maximum value can be changed in Preferences→Appearance→Layout.
- Due to the above, columns that require packet dissection can only be sorted if the number of visible rows is less than the cache size. If there are more rows visible, a warning will appear. Columns that do not require packet dissection (those that are calculated directly from the capture file frame headers, such as packet number, time, and frame length) can be sorted with any number of visible rows.
- Sorting can be interrupted.
- When changing the dissector via the "Decode As" table for values that have default dissectors registered, selecting "(none)" will select no dissection (while still allowing heuristic dissectors to attempt to dissect.) The previous behavior was to reset the dissector to the default. To facilitate resetting the dissector, the default dissector is now sorted at the top of the list of possible dissector options.
- The personal extcap plugin folder location on Unix has been changed to follow existing conventions for architecture-dependent files. The extcap personal folder is now $HOME/.local/lib/wireshark/extcap. Previously it was $XDG_CONFIG_HOME/wireshark/extcap.
- The "init.lua" file is now loaded from any of the Lua plugin directories. Previously it was loaded from the personal configuration directory. (For backward-compatibility this is still allowed; note that deprecated features may be removed in a future release).
- Installation of development headers must be done explicitly using the CMake command cmake --install <builddir> --component Development.
- The Windows build has a new SpeexDSP external dependency (https://www.speex.org). The speex code that was previously bundled has been removed.
- New --print-timers option added to TShark.
- Removed Features and Support:
- With the addition of the universal and consistent filtering support for column text, the previous support in the -e option to TShark for displaying column text via the column title has been removed in general. Those field names cannot be used elsewhere (as they may not be legal filter names) and create confusion if more than one column has the same title or if a column is renamed. Prefer the column format instead, e.g. "_ws.col.info" for "_ws.col.Info". However, for backwards compatibility with existing tools and scripts, the titles of the default columns can continue to be used with tshark -e (but not elsewhere.)
- The bundled script "dtd_gen.lua" that was disabled by default has been removed from the installation. It can be found in the Wireshark Wiki under "Contrib".
- The Wi-Fi NAN dissector filter name has been changed from 'nan' to 'wifi_nan'.
- New File Format Decoding Support:
- RTPDump
- New Protocol Support:
- Aruba UBT, ASAM Capture Module Protocol (CMP), ATSC Link-Layer Protocol (ALP), DECT DLC protocol layer (DECT-DLC), DECT NWK protocol layer (DECT-NWK), DECT proprietary Mitel OMM/RFP Protocol (also named AaMiDe), Digital Object Identifier Resolution Protocol (DO-IRP), Discard Protocol, FiRa UWB Controller Interface (UCI), FiveCo’s Register Access Protocol (5CoRAP), Fortinet FortiGate Cluster Protocol (FGCP), GPS L1 C/A LNAV navigation messages, GSM Radio Link Protocol (RLP), H.224, High Speed Fahrzeugzugang (HSFZ), Hypertext Transfer Protocol version 3 (HTTP/3), ID3v2, IEEE 802.1CB (R-TAG), Iperf3, JSON 3GPP, Low Level Signalling (ATSC3 LLS), Management Component Transport Protocol (MCTP), Management Component Transport Protocol - Control Protocol (MCTP CP), Matter home automation protocol, Microsoft Delivery Optimization, Multi-Drop Bus (MDB), Non-volatile Memory Express - Management Interface (NVMe-MI) over MCTP, RDP audio output virtual channel Protocol (rdpsnd), RDP clipboard redirection channel Protocol (cliprdr), RDP Program virtual channel Protocol (RAIL), SAP Enqueue Server (SAPEnqueue), SAP GUI (SAPDiag), SAP HANA SQL Command Network Protocol (SAPHDB), SAP Internet Graphic Server (SAP IGS), SAP Message Server (SAPMS), SAP Network Interface (SAPNI), SAP Router (SAPROUTER), SAP Secure Network Connection (SNC), SBAS L1 Navigation Messages (SBAS L1), SINEC AP1 Protocol (SINEC AP), SMPTE ST2110-20 (Uncompressed Active Video), Train Real-Time Data Protocol (TRDP), UBX protocol of u-blox GNSS receivers (UBX), UDP Tracker Protocol for BitTorrent (BT-Tracker), UWB UCI Protocol, Video Protocol 9 (VP9), VMware HeartBeat, Windows Delivery Optimization (MS-DO), Z21 LAN Protocol (Z21), Zabbix, ZigBee Direct (ZBD), and Zigbee TLV
- Updated Protocol Support:
- JSON: The dissector now has a preference to enable/disable "unescaping" of string values. By default it is off. Previously it was always on.
- JSON: The dissector now supports "Display JSON in raw form".
- IPv6: The dissector has a new preference to show some semantic details about addresses (default off).
- IPv6: The dissector now supports dissecting the Application-aware IPv6 Networking (APN6) option in the Hop-by-Hop Options Header (HBH) and Destination Options Header (DOH), including all three types of APN ID, which are 32-bit, 64-bit and 128-bit in length.
- XML: The dissector now supports displaying characters according to the "encoding" attribute of the XML declaration, and has a new preference to set the default character encoding for XML documents without an "encoding" attribute.
- SIP: The dissector now has a new preference to set the default charset for displaying the body of SIP messages in raw text view.
- HTTP: The dissector now supports dissecting chunked data in streaming reassembly mode. Subdissectors of HTTP can register themselves in the "streaming_content_type" subdissector table to enable streaming reassembly mode while transferring in chunked encoding. This feature ensures that the server stream messages of GRPC-Web over HTTP/1.1 can be dissected even if the last chunk is absent.
- The media type dissector table now properly treats media types and subtypes as case-insensitive automatically, per RFC 6838. Media types no longer need to be lower cased before registering or looking up in the table.
- CFM: The dissector has been overhauled and updated to the level of IEEE std 802.1Q-2022 and ITU-T Rec. G.8013/Y.1371 (08/2015). This includes dissection of additional PDU types and TLVs as well as deeper dissection of existing PDUs and TLVs.
- Too many other protocol updates have been made to list them all here.
- New and Updated Codec support:
- Adaptive Multi-Rate (AMR), if compiled with opencore-amr.
- Major API Changes:
- Lua function "package.prepend_path" has been removed. If you need it please consider adding your own package.path customization code or installing your dependencies in Wireshark’s default paths.
- The reassemble_streaming_data_and_call_subdissector() API has been added to provide a simpler way to reassemble the streaming data of a high level protocol that is not on top of TCP.
- Some of the API now uses C99 types instead of GLib types. Issue 19116.
New in Wireshark 4.0.11 (Nov 16, 2023)
- The following bugs have been fixed:
- First ZigBee APS packet is not decrypted. Issue 16507.
- Problem with decoding OpenFlow actions in OFPT_FLOW_MOD message. Issue 17072.
- The "frames" method in sharkd does not consider time references and displays incorrect delta time. Issue 17923.
- Wireshark and TShark throw packet-wireguard-WARNING when running on systems with FIPS enabled. Issue 18441.
- Wireshark interprets If_fcslen option in the Interface Description Block as byte instead of bit. Issue 19174.
- Flathub’s Wireshark page shows wrong version number. Issue 19382.
- OSPFv3 RI decode error. Issue 19444.
- GSM SIM READ / UPDATE BINARY command has wrong offset. Issue 19472.
New in Wireshark 4.2.0 RC 2 (Oct 18, 2023)
- Wireshark supports dark mode on Windows.
- A Windows installer for Arm64 has been added.
- Packet list sorting has been improved.
- Wireshark and TShark are now better about generating valid UTF-8 output.
- A new display filter feature for filtering raw bytes has been added.
- Display filter autocomplete is smarter about not suggesting invalid syntax.
New in Wireshark 4.2.0 RC 1 (Oct 6, 2023)
- Wireshark supports dark mode on Windows
- A Windows installer for Arm64 has been added
- Packet list sorting has been improved
- Wireshark and TShark are now better about generating valid UTF-8 output
- A new display filter feature for filtering raw bytes has been added
- Display filter autocomplete is smarter about not suggesting invalid syntax
- Tools › MAC Address Blocks can lookup a MAC address in the IEEE OUI registry
- The enterprises, manuf, and services configuration files have been compiled in for improved start-up times
- The installation target no longer installs development headers by default
- The Wireshark installation is relocatable on Linux (and other ELF platforms with support for relative RPATHs)
- Wireshark can be compiled on Windows using MSYS2. Check the Developer’s guide for instructions.
- Wireshark can be cross-compiled for Windows using Linux. Check the Developer’s guide for instructions.
- Tools › Browser (SSL Keylog) can launch your web browser with the SSLKEYLOGFILE environment variable set to the appropriate value.
- Windows installer file names now have the format Wireshark-<version>-<architecture>.exe.
- Many other improvements have been made. See the “New and Updated Features” section below for more details.
- Bug Fixes:
- The following bugs have been fixed:
- Issue 18413 - RTP player do not play audio frequently on Windows builds with Qt6
- Issue 18510 - Playback marker does not move after resume with Qt6
- New and Updated Features:
- The following features are new (or have been significantly updated) since version 4.1.0:
- Improved dark mode support
- The following features are new (or have been significantly updated) since version 4.0.0:
- The Windows installers now ship with Qt 6.5.3. They previously shipped with Qt 6.2.3.
- The API has been updated to ensure that the dissection engine produces valid UTF-8 strings
- Wireshark now builds with Qt6 by default. To use Qt5 instead pass USE_qt6=OFF to CMake.
- The "ciscodump" extcap supports Cisco IOS XE 17.x.
- The default interval between GUI updates when capturing has been decreased from 500ms to 100ms, and is now configurable
- The -n option also now disables IP address geolocation information lookup in configured MaxMind databases (and geolocation lookup can be enabled with -Ng.) This is most relevant for TShark, where geolocation lookups are synchronous.
- The display filter drop-down list is now sorted by "most recently used" instead of "most recently created"
- Display filter syntax-related changes:
- It is now possible to filter on raw packet data for any field by using the syntax @some.field == <bytes…>. This can be useful to filter on malformed UTF-8 strings, among other use cases where it is necessary to look at the field’s raw data.
- Negation (unary minus) now works with any display filter arithmetic expression
- Using the slice operator with strings produces a string. Previously it would produce a byte array. This is useful to index/slice UTF-8 multibyte strings. String byte slices can still be obtained using the "@" (raw operator) prefix.
- Arithmetic expressions are allowed as set elements
- Absolute date and time values can be written as Unix time
- The limitation where a minus sign needed to be preceded by a space character has been removed
- Added XOR logical operator
- Fixed the implementation of all … in membership operator (#19188).
- When parsing absolute time values the display filter engine has learned to understand timezones as specified in strptime(3), including some common North American designations. Arbitrary timezone names are not supported however. Previously only ISO8601 offsets and the "UTC" designation was understood.
- Writing value strings without double quotes is deprecated and will generate a warning. Value strings are integer or boolean values that can be represented using a user-friendly textual format, such as "Set"/"Unset" instead of numerical values like 1 and 0. It is now a requirement that value strings need to be written enclosed in double-quotes.
- The deprecated ~= operator symbol has been removed. It was replaced by !== in version 4.0.
- Running the test suite requires the pytest Python module. The emulation layer that allowed running tests without pytest installed has been removed.
- When saving files or exporting packets after changing their time with the "Time Shift" dialog, the shifted time is written to the new file
- TLS secrets used in decrypting packets can be embedded (or discarded) from the capture file via the GUI, similar to the options --inject-secrets and --discard-all-secrets in editcap
- The text of any configured column (displayed or hidden) can be filtered anywhere that filters are used - in display filters, filters in taps, coloring rules, Wireshark read filters, and the -Y, -R, and -e options to TShark, the "Apply as Filter" GUI option, etc
- The filter field names are prefixed by "_ws.col", followed by a lowercase version of the COL_ name found in epan/column-utils.h, e.g. "_ws.col.info" or "_ws.col.protocol".
- Using the column names as a filter is slower than other filter types because the columns must be constructed, so when the same filtering can be achieved via other fields, prefer that
- The external name resolution text files "manuf", "enterprises" and "services" have been removed and replaced with static binary data. You can dump the respective internal data using tshark -G manuf|enterprises|services.
- The "manuf" file is now also read from the personal configuration folder, and is profile-based
- The Lua console dialogs under the Tools menu were refactored and redesigned. It now consists of a single dialog window for input and output.
- Wireshark now shows byte units in the statistics in the user-selected language (uses the system default language by default)
- Packet list sorting has been improved:
- When sorting packet list with a filter applied, only the visible packets are sorted, which greatly increases sorting speed
- The cache size for column text is limited to a default of 10000 rows, which limits the maximum memory usage. The maximum value can be changed in Preferences→Appearance→Layout.
- Due to the above, columns that require packet dissection can only be sorted if the number of visible rows is less than the cache size. If there are more rows visible, a warning will appear. Columns that do not require packet dissection (those that are calculated directly from the capture file frame headers, such as packet number, time, and frame length) can be sorted with any number of visible rows.
- Sorting can be interrupted
- When changing the dissector via the "Decode As" table for values that have default dissectors registered, selecting "(none)" will select no dissection (while still allowing heuristic dissectors to attempt to dissect.) The previous behavior was to reset the dissector to the default. To facilitate resetting the dissector, the default dissector is now sorted at the top of the list of possible dissector options.
- The personal extcap plugin folder location on Unix has been changed to follow existing conventions for architecture-dependent files. The extcap personal folder is now $HOME/.local/lib/wireshark/extcap. Previously it was $XDG_CONFIG_HOME/wireshark/extcap.
- The "init.lua" file is now loaded from any of the Lua plugin directories. Previously it was loaded from the personal configuration directory. (For backward-compatibility this is still allowed; note that deprecated features may be removed in a future release).
- Installation of development headers must be done explicitly using the CMake command cmake --install <builddir> --component Development
- The Windows build has a new SpeexDSP external dependency (https://www.speex.org). The speex code that was previously bundled has been removed.
- New --print-timers option added to TShark
- Removed Features and Support:
- With the addition of the universal and consistent filtering support for column text, the previous support in the -e option to TShark for displaying column text via the column title has been removed in general. Those field names cannot be used elsewhere (as they may not be legal filter names) and create confusion if more than one column has the same title or if a column is renamed. Prefer the column format instead, e.g. "_ws.col.info" for "_ws.col.Info". However, for backwards compatibility with existing tools and scripts, the titles of the default columns can continue to be used with tshark -e (but not elsewhere.)
- The bundled script "dtd_gen.lua" that was disabled by default has been removed from the installation. It can be found in the Wireshark Wiki under "Contrib".
- The Wi-Fi NAN dissector filter name has been changed from 'nan' to 'wifi_nan'
- New File Format Decoding Support:
- RTPDump
- New Protocol Support:
- Aruba UBT, ASAM Capture Module Protocol (CMP), ATSC Link-Layer Protocol (ALP), DECT DLC protocol layer (DECT-DLC), DECT NWK protocol layer (DECT-NWK), DECT proprietary Mitel OMM/RFP Protocol (also named AaMiDe), Digital Object Identifier Resolution Protocol (DO-IRP), Discard Protocol, FiRa UWB Controller Interface (UCI), FiveCo’s Register Access Protocol (5CoRAP), Fortinet FortiGate Cluster Protocol (FGCP), GPS L1 C/A LNAV navigation messages, GSM Radio Link Protocol (RLP), H.224, High Speed Fahrzeugzugang (HSFZ), Hypertext Transfer Protocol version 3 (HTTP/3), ID3v2, IEEE 802.1CB (R-TAG), Iperf3, JSON 3GPP, Low Level Signalling (ATSC3 LLS), Management Component Transport Protocol (MCTP), Management Component Transport Protocol - Control Protocol (MCTP CP), Matter home automation protocol, Microsoft Delivery Optimization, Multi-Drop Bus (MDB), Non-volatile Memory Express - Management Interface (NVMe-MI) over MCTP, RDP audio output virtual channel Protocol (rdpsnd), RDP clipboard redirection channel Protocol (cliprdr), RDP Program virtual channel Protocol (RAIL), SAP Enqueue Server (SAPEnqueue), SAP GUI (SAPDiag), SAP HANA SQL Command Network Protocol (SAPHDB), SAP Internet Graphic Server (SAP IGS), SAP Message Server (SAPMS), SAP Network Interface (SAPNI), SAP Router (SAPROUTER), SAP Secure Network Connection (SNC), SBAS L1 Navigation Messages (SBAS L1), SINEC AP1 Protocol (SINEC AP), SMPTE ST2110-20 (Uncompressed Active Video), Train Real-Time Data Protocol (TRDP), UBX protocol of u-blox GNSS receivers (UBX), UDP Tracker Protocol for BitTorrent (BT-Tracker), UWB UCI Protocol, Video Protocol 9 (VP9), VMware HeartBeat, Windows Delivery Optimization (MS-DO), Z21 LAN Protocol (Z21), Zabbix, ZigBee Direct (ZBD), and Zigbee TLV
- Updated Protocol Support:
- JSON: The dissector now has a preference to enable/disable "unescaping" of string values. By default it is off. Previously it was always on.
- JSON: The dissector now supports "Display JSON in raw form"
- IPv6: The dissector has a new preference to show some semantic details about addresses (default off)
- IPv6: The dissector now supports dissecting the Application-aware IPv6 Networking (APN6) option in the Hop-by-Hop Options Header (HBH) and Destination Options Header (DOH), including all three types of APN ID, which are 32-bit, 64-bit and 128-bit in length
- XML: The dissector now supports display character according to the "encoding" attribute of the XML declaration, and has a new preference to set default character encoding for some XML document without "encoding" attribute
- SIP: The dissector now has a new preference to set default charset for displaying the body of SIP messages in raw text view
- HTTP: The dissector now supports dissecting chunked data in streaming reassembly mode Subdissectors of HTTP can register itself in "streaming_content_type" subdissector table for enabling streaming reassembly mode while transferring in chunked encoding This feature ensures the server stream messages of GRPC-Web over HTTP/11 can be dissected even if the last chunk is absent
- The media type dissector table now properly treats media types and subtypes as case-insensitive automatically, per RFC 6838 Media types no longer need to be lower cased before registering or looking up in the table
- CFM: The dissector has been overhauled and updated to the level of IEEE std 8021Q-2022 and ITU-T Rec G8013/Y1371 (08/2015) This includes dissection of additional PDU types and TLVs as well as deeper dissection of existing PDUs and TLVs
- Too many other protocol updates have been made to list them all here
- New and Updated Codec support:
- Adaptive Multi-Rate (AMR), if compiled with opencore-amr
- Major API Changes:
- Lua function "package.prepend_path" has been removed. If you need it, please consider adding your own package.path customization code or installing your dependencies in Wireshark’s default paths.
- The reassemble_streaming_data_and_call_subdissector() API has been added to provide a simpler way to reassemble the streaming data of a high level protocol that is not on top of TCP.
- Some of the API now uses C99 types instead of GLib types. Issue 19116.
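The streaming chunked reassembly described for HTTP above, as an added example that is not Wireshark's code: an incremental HTTP/1.1 chunked-transfer decoder feeding a gRPC-Web frame parser, so that complete messages are recovered even when the terminating zero-length chunk never arrives. The sample body and its TCP-segment split are constructed for the example.

```python
"""Incremental chunked-transfer decoding plus gRPC-Web framing (added example)."""
from dataclasses import dataclass


@dataclass
class ChunkedDecoder:
    """Feed raw chunked body bytes in arbitrary pieces; returns decoded payload.

    Unlike a whole-body decoder, this yields data as soon as it arrives and
    does not need the final "0\\r\\n\\r\\n" chunk to produce output.
    """
    buf: bytes = b""
    state: str = "size"   # "size" -> "data" -> "crlf" -> "size" ...
    remaining: int = 0    # payload bytes still expected in the current chunk
    finished: bool = False

    def feed(self, data: bytes) -> bytes:
        self.buf += data
        out = bytearray()
        while not self.finished:
            if self.state == "size":
                nl = self.buf.find(b"\r\n")
                if nl < 0:
                    break                      # chunk-size line not complete yet
                # Strip chunk extensions (";name=value") before parsing the hex size.
                size_field = self.buf[:nl].split(b";", 1)[0].strip()
                try:
                    size = int(size_field.decode("ascii"), 16)
                except (UnicodeDecodeError, ValueError):
                    raise ValueError(f"bad chunk size line: {self.buf[:nl]!r}")
                self.buf = self.buf[nl + 2:]
                if size == 0:
                    self.finished = True       # last-chunk seen; trailers ignored
                    break
                self.remaining, self.state = size, "data"
            elif self.state == "data":
                take = self.buf[:self.remaining]
                out += take
                self.buf = self.buf[len(take):]
                self.remaining -= len(take)
                if self.remaining == 0:
                    self.state = "crlf"
                elif not self.buf:
                    break                      # wait for the rest of this chunk
            else:  # "crlf": the CRLF that terminates chunk data
                if len(self.buf) < 2:
                    break
                if self.buf[:2] != b"\r\n":
                    raise ValueError("missing CRLF after chunk data")
                self.buf, self.state = self.buf[2:], "size"
        return bytes(out)


@dataclass
class GrpcWebFramer:
    """Split a gRPC-Web byte stream into (flags, payload) frames.

    Each frame is 1 byte of flags (0x80 marks the trailers frame) followed by
    a 4-byte big-endian payload length and the payload itself.
    """
    buf: bytes = b""

    def feed(self, data: bytes) -> list:
        self.buf += data
        frames = []
        while len(self.buf) >= 5:
            flags = self.buf[0]
            length = int.from_bytes(self.buf[1:5], "big")
            if len(self.buf) < 5 + length:
                break                          # frame still incomplete
            frames.append((flags, self.buf[5:5 + length]))
            self.buf = self.buf[5 + length:]
        return frames


def dissect_stream(segments) -> tuple:
    """Run both decoders over segment-sized pieces; returns (frames, body_finished)."""
    chunked, framer, frames = ChunkedDecoder(), GrpcWebFramer(), []
    for seg in segments:
        frames.extend(framer.feed(chunked.feed(seg)))
    return frames, chunked.finished


# Constructed sample: one data frame ("hello") and one trailers frame, sent as
# two chunks (the second carrying a chunk extension) with NO terminating chunk.
_FRAME1 = b"\x00" + (5).to_bytes(4, "big") + b"hello"
_FRAME2 = b"\x80" + (15).to_bytes(4, "big") + b"grpc-status:0\r\n"
_STREAM = _FRAME1 + _FRAME2
SAMPLE_BODY = (b"7\r\n" + _STREAM[:7] + b"\r\n"
               + b"17;ext=1\r\n" + _STREAM[7:] + b"\r\n")
# Deliver the body in 9-byte "TCP segments" so every boundary is exercised.
SAMPLE_SEGMENTS = [SAMPLE_BODY[i:i + 9] for i in range(0, len(SAMPLE_BODY), 9)]

if __name__ == "__main__":
    print(dissect_stream(SAMPLE_SEGMENTS))
```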
New in Wireshark 4.0.10 (Oct 5, 2023)
- What’s New:
- We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779
- If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you might have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon. Issue 18734.
- Bug Fixes
- The following bugs have been fixed:
- Error loading g729.so plugin with Wireshark 4.0.9 and 3.6.17 on macOS. Issue 19374.
New in Wireshark 4.0.9 (Oct 4, 2023)
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2023-27 RTPS dissector memory leak. Issue 19322. CVE-2023-5371.
- The following bugs have been fixed:
- Updating from within Wireshark if a file is open fails because it can’t close Wireshark. Issue 17658.
- ESL timestamp provided by ET2000 not displayed. Issue 18308.
- Kafka: dissect_kafka_sync_group_request missing version check for instance_id. Issue 19290.
- Start Capture via context menu crashes on macOS with an older Qt version. Issue 19299.
- Delta time displayed is incorrect after unsetting time reference. Issue 19324.
- Fuzz job crash output: randpkt-2023-09-09-7060.pcap. Issue 19332.
- Missing one bit in SCCP::sequencing/segmenting. Issue 19336.
- Protobuf field malformed packet for last byte of 'repeated fixed32'. Issue 19342.
- RTP/RFC 4571: Wrong desegmentation/reassembly in RTP over TCP packets. Issue 19345.
- Sparklines not working on macOS Sonoma with both native OS and Homebrew pcap. Issue 19349.
- Incorrect bit values and namings in BSS Configuration Report TLV. Issue 19352.
New in Wireshark 4.0.8 (Aug 24, 2023)
- What’s New:
- We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779
- If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you might have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon. Issue 18734.
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2023-23 CBOR dissector crash. Issue 19144.
- wnpa-sec-2023-24 BT SDP dissector infinite loop. Issue 19258.
- wnpa-sec-2023-25 BT SDP dissector memory leak. Issue 19259.
- wnpa-sec-2023-26 CP2179 dissector crash. Issue 19229.
- The following bugs have been fixed:
- TShark cannot capture to pipe on Windows correctly. Issue 17900.
- Wireshark wrongly blames group membership when pcap capabilities are removed. Issue 18279.
- Packet bytes window broken layout. Issue 18326.
- RTP Player only shows waveform until sequence rollover. Issue 18829.
- Valid Ethernet CFM DMM packets are shown as malformed. Issue 19198.
- Crash on DICOM Export Objects window close. Issue 19207.
- The QUIC dissector is reporting the quic_transport_parameters max_ack_delay with the title "GREASE". Issue 19209.
- Preferences: Folder name editing behaves weirdly, cursor jumps. Issue 19213.
- DHCPFO: Expert info list does not show all expert infos. Issue 19216.
- Websocket packets not decoded and displayed for Field type=Custom and Field name websocket.payload.text. Issue 19220.
- Cannot read pcapng file captured on OpenBSD and read on FreeBSD. Issue 19230.
- UI: While capturing the Wireshark icon changes from green to blue when new file is created. Issue 19252.
- Conversation: heap-use-after-free after wmem_leave_file_scope. Issue 19265.
- IP Packets with DSCP 44 does not indicate "Voice-Admit". Issue 19270.
- NAS 5GS Malformed Packet Decoding SOR transparent container PLMN ID and access technology list. Issue 19273.
- UI: Auto scroll button in the toolbar is turned on when manually scrolling to the end of packet list. Issue 19274.
New in Wireshark 4.0.7 (Jul 12, 2023)
- What’s New:
- We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779
- If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you might have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon. Issue 18734.
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2023-21 Kafka dissector crash. Issue 19105.
- wnpa-sec-2023-22 iSCSI dissector crash. Issue 19164.
- The following bugs have been fixed:
- Crash when (re)loading a capture file after renaming a dfilter macro. Issue 13753.
- Moving a column deselects selected packet and moves to beginning of packet list. Issue 16251.
- If you set the default interface in the preferences, it doesn’t work with TShark. Issue 16593.
- Severe performance issues in Follow → Save As raw workflow. Issue 17313.
- TShark doesn’t support the tab character as an aggregator character in "-T fields". Issue 18002.
- On Windows clicking on a link in the 'Software Update' window launches, now unsupported, MS Internet Explorer. Issue 18488.
- Wireshark 4.x on Win10-x64 crashes after saving a file with a name already in use. Issue 18679.
- NAS-5GS Operator-defined Access Category: Multiple Criteria values not displayed in dissected packet display. Issue 18941.
- Server Hello Packet Invisible - during 802.1Authentication- from Wireshark App Version 4.0.3 (v4.0.3-0-gc552f74cdc23) & above. Issue 19071.
- TShark reassembled data is incomplete/truncated. Issue 19107.
- CQL protocol parsing issues with Result frames from open source Cassandra. Issue 19119.
- TLS 1.3 second Key Update doesn’t work. Issue 19120.
- HTTP2 dissector reports an assertion error on large data frames. Issue 19121.
- epan: Single letter hostnames aren’t displayed correctly. Issue 19137.
- BLF: CAN-FD-Message format is missing a field. Issue 19146.
- BLF: last parameter of LIN-Message is not mandatory (BUGFIX) Issue 19147.
- PPP IPv6CP: Incorrect payload length warning. Issue 19149.
- INSTALL file needs to be updated for Debian. Issue 19167.
- Some RTP streams make Wireshark crash when trying to play stream. Issue 19170.
- Wrong ordering in OpenFlow 1.0 Datapath unique ID. Issue 19172.
- Incorrect mask in RTCP slice picture ID. Issue 19182.
- Dissection error in AMQP 1.0. Issue 19191.
- Updated Protocol Support:
- 9P, AMQP, BGP, CQL, DHCPFO, EAP, GlusterFS, GSM MAP, HTTP2, iSCSI, Kafka, Kerberos, NAN, NAS-5GS, OCP.1, OpenFlow 1.0, PDCP-NR, PEAP, PPPoE, RSL, RTCP, rtnetlink, and XMPP
New in Wireshark 4.0.6 (May 25, 2023)
- What’s New:
- We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779
- If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you will likely have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon. Issue 18734.
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2023-12 Candump log file parser crash. Issue 19062. CVE-2023-2855.
- wnpa-sec-2023-13 BLF file parser crash. Issue 19063. CVE-2023-2857.
- wnpa-sec-2023-14 GDSDB dissector infinite loop. Issue 19068.
- wnpa-sec-2023-15 NetScaler file parser crash. Issue 19081. CVE-2023-2858.
- wnpa-sec-2023-16 VMS TCPIPtrace file parser crash. Issue 19083. CVE-2023-2856.
- wnpa-sec-2023-17 BLF file parser crash. Issue 19084. CVE-2023-2854.
- wnpa-sec-2023-18 RTPS dissector crash. Issue 19085. CVE-2023-0666.
- wnpa-sec-2023-19 IEEE C37.118 Synchrophasor dissector crash. Issue 19087. CVE-2023-0668.
- wnpa-sec-2023-20 XRA dissector infinite loop. Issue 19100.
- The following bugs have been fixed:
- Conversations list has incorrect unit (bytes) in bit speed columns in the 3.7 development versions. Issue 18211.
- The media_type table should treat media types, e.g. application/3gppHal+json, as case-insensitive. Issue 18611.
- NNTP dissector bug. Issue 18981.
- Incorrect padding in BFCP decoder. Issue 18890.
- SPNEGO dissector bug. Issue 18991.
- SRT values are incorrect when applying a time shift. Issue 18999.
- Add warning that capturing is not supported in Wireshark installed from flatpak. Issue 19008.
- Opening Wireshark with -z io,stat option. Issue 19042.
- batadv dissector bug. Issue 19047.
- radiotap-gen build fails if pcap is not found. Issue 19059.
- [UDS] When filtering the uds.wdbi.data_identifier or uds.iocbi.data_identifier field is interpreted as 1 byte whereas it consists of 2 bytes. Issue 19078.
- Wireshark can’t save this capture in that format. Issue 19080.
- MSMMS parsing buffer overflow. Issue 19086.
- USB HID parser shows wrong label for usages Rx/Vx/Vbrx of usage page Generic Desktop Control. Issue 19095.
- "Follow → QUIC Stream" mixes data between streams. Issue 19102.
- New and Updated Features:
- The media type dissector table now properly treats media types and subtypes as case-insensitive automatically, per RFC 6838. Media types no longer need to be lower cased before registering or looking up in the table.
- Removed Features and Support:
- New Protocol Support:
- There are no new protocols in this release.
- Updated Protocol Support:
- batadv, BFCP, CommunityID, COSE, GDSDB, H.265, HTTP, ILP, ISAKMP, MSMMS, NNTP, NR RRC, NTLMSSP, QUIC, RTPS, SPNEGO, Synphasor, TCP, UDS, ULP, USB HID, and XRA
- New and Updated Capture File Support:
- BLF, Candump, NetScaler, and VMS TCPIPtrace
- New File Format Decoding Support:
- There is no new or updated file format support in this release.
New in Wireshark 4.0.4 (Mar 3, 2023)
- What’s New:
- We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779
- If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you will likely have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon. Issue 18734.
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2023-08 ISO 15765 and ISO 10681 dissector crash. Issue 18839.
- The following bugs have been fixed:
- UTF-8 characters end up escaped in PSML output. Issue 10445.
- Export filtered displayed packets won’t save IP fragments of SCTP fragments needed to reassemble a displayed frame. Issue 12597.
- DICOM dissection in reassembled PDV goes wrong. Issue 13388.
- "Export Objects - IMF" produces incorrect file, TCP reassembly fails with retransmissions that have additional data. Issue 13523.
- The intelligent scroll bar or minimap is not predictable on locating and scrolling. Issue 13989.
- If you mark (or unmark) the currently-selected frame, the packet details still say it’s not marked (or it is marked). Issue 14330.
- An out-of-order packet incorrectly detected as retransmission breaks desegmentation of TCP stream. Issue 15993.
- Sorting Packet Loss Column is not sorting correct. Issue 16785.
- Some HTTPS packets cannot be decrypted. Issue 17406.
- SIP TCP decoding regression from Wireshark 1.99.0 to 3.6.8. Issue 18411.
- Frame comments not preserved when using filter to write new pcap from tshark. Issue 18693.
- ChmodBPF not working on macOS Ventura 13.1. Issue 18734.
- Wireshark GUI and window manager stuck after setting display filter. Issue 18809.
- Dissector bug, protocol H.261. Issue 18812.
- File extension heuristics are case-sensitive. Issue 18821.
- Symbolic links to packages in macOS dmg can’t be double-clicked to install on macOS 13.2. Issue 18830.
- Potential memory leak in tshark.c. Issue 18837.
- Fuzz job crash output: fuzz-2023-02-05-7303.pcap. Issue 18842.
- f5fileinfo: Hardware platforms missing descriptions. Issue 18848.
- The lines in the intelligent scrollbar are off by one. Issue 18850.
- Wireshark crashes on invalid UDS packet in Lua context. Issue 18865.
- TECMP dissector shows the wrong Voltage in Vendor Data. Issue 18871.
- UDS: Names of RDTCI subfunctions 0x0b to 0x0e are not correct. Issue 18873.
- Updated Protocol Support:
- ASTERIX, BGP, DHCP, ERF, F5 Ethernet trailer, GMR-1 RR, Gryphon, GSM SMS, H.261, H.450, ISO 10681, ISO 15765, MIPv6, NAS-5gs, NR RRC, NS Trace, OptoMMP, PDCP-LTE, PDCP-NR, QSIG, ROHC, RSVP, RTCP, SCTP, SIP, TCP, TECMP, TWAMP, UDS, and UMTS RLC
New in Wireshark 4.0.3 (Jan 18, 2023)
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2023-01 EAP dissector crash. Issue 18622.
- wnpa-sec-2023-02 NFS dissector memory leak. Issue 18628.
- wnpa-sec-2023-03 Dissection engine crash. Issue 18766.
- wnpa-sec-2023-04 GNW dissector crash. Issue 18779.
- wnpa-sec-2023-05 iSCSI dissector crash. Issue 18796.
- wnpa-sec-2023-06 Multiple dissector excessive loops. Issues 18711, 18720, and 18737.
- wnpa-sec-2023-07 TIPC dissector crash. Issue 18770.
- The following bugs have been fixed:
- Qt: After modifying coloring rules, the coloring rule applied to the first packet reflects the coloring rules previously in effect. Issue 12475.
- Help file doesn’t display for extcap interfaces. Issue 15592.
- For USB traffic on XHC20 interface destination is always given as Host. Issue 16768.
- Wireshark Expert Info - cannot deselect the limit to display filter tick box. Issue 18461.
- Wrong pointer conversion in get_data_source_tvb_by_name(). Issue 18517.
- Wrong number of bits skipped while decoding an empty UTF8String on UPER packet. Issue 18702.
- Crash when analyzing protobuf packets. Issue 18730.
- Uninitialized values in various dissectors. Issue 18742.
- String (GeoIP country/city) ordering doesn’t work in Endpoints. Issue 18749.
- Wireshark crashes with an assertion failure on stray minus in filter. Issue 18750.
- IO Graph: Add new graph only works until the 10th graph. Issue 18762.
- Fuzz job crash output: fuzz-2022-12-30-11007.pcap. Issue 18770.
- Q.850 - error in label for cause 0x7F. Issue 18780.
- Uninitialized values in CoAP and RTPS dissectors. Issue 18785.
- Screenshots in AppStream metainfo.xml file not available. Issue 18801.
New in Wireshark 4.0.2 (Dec 7, 2022)
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2022-09 Multiple dissector infinite loops.
- wnpa-sec-2022-10 Kafka dissector memory exhaustion.
- The following bugs have been fixed:
- Qt: Endpoints dialog - unexpected byte unit suffixes in packet columns. Issue 18229.
- GOOSE: field "floating_point" not working anymore. Issue 18491.
- EVS Header-Full format padding issues. Issue 18498.
- Wireshark 4.0.0 VOIP playback has no sound and can’t resume after pausing. Issue 18510.
- Wireshark crashes when exporting a profile on Mac OSX if there is no extension. Issue 18525.
- EVS dissector missing value description. Issue 18550.
- Qt 6 font descriptions not backward compatible with Qt 5. Issue 18553.
- Wireshark, wrong TCP ACKed unseen segment message. Issue 18558.
- Invalid Cyrillic symbol in timezone at "Arrival Time" field in frame. Issue 18562.
- ProtoBuf parse extension definitions failed. Issue 18599.
- Fuzz job crash output: fuzz-2022-11-09-11134.pcap. Issue 18613.
- Fuzz job crash output: fuzz-2022-11-14-11111.pcap. Issue 18632.
- Wireshark is using old version of ASN (ETSI TS 125 453 V11.2.0) which is impacting length of param in the messages. Issue 18646.
- BGP: False IGMP flags value in EVPN routes (type 6,7,8). Issue 18660.
- Wslog assumes stderr and stdout exist. Issue 18684.
- Editing packet comments, with non-ASCII characters, on Windows saves them in the local code page, not in UTF-8. Issue 18698.
- Unable to decrypt PSK based DTLS traffic which uses Connection ID. Issue 18705.
- HTTP2 tests fail when built without nghttp2. Issue 18707.
New in Wireshark 4.0.1 (Oct 26, 2022)
- What’s New:
- The Windows installers now ship with Qt 5.12.2. They previously shipped with Qt 6.2.3.
- Bug Fixes:
- The following bugs have been fixed:
- Comparing a boolean field against 1 always succeeds on big-endian machines. Issue 12236.
- Qt: MaxMind GeoIP columns not added to Endpoints table. Issue 18320.
- Fuzz job crash output: fuzz-2022-10-04-7131.pcap. Issue 18402.
- The RTP player might not play audio on Windows. Issue 18413.
- Wireshark 4.0 breaks display filter expression with > sign. Issue 18418.
- Capture filters not working when using SSH capture and dumpcap. Issue 18420.
- Packet diagram field values are not terminated. Issue 18428.
- Packet bytes not displayed completely if scrolling. Issue 18438.
- Fuzz job crash output: fuzz-2022-10-13-7166.pcap. Issue 18467.
- Decoding bug H.245 userInput Signal. Issue 18468.
- CFDP dissector doesn’t handle "destination filename" only. Issue 18495.
- Home page capture button doesn’t pop up capture options dialog. Issue 18506.
- Missing dot in H.248 protocol name. Issue 18513.
- Missing dot for protocol H.264 in protocol column. Issue 18524.
- Fuzz job crash output: fuzz-2022-10-23-7240.pcap. Issue 18534.
New in Wireshark 4.0.0 (Oct 5, 2022)
- What’s New:
- We no longer ship official 32-bit Windows packages starting with this release. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779
- The display filter syntax is more powerful with many new extensions. See below for details.
- The Conversation and Endpoint dialogs have been redesigned. See below for details.
- The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane.
- Hex dump imports from Wireshark and from text2pcap have been improved. See below for details.
- Speed when using MaxMind geolocation has been greatly improved.
- The tools and libraries required to build Wireshark have changed. See “Other Development Changes” below for more details.
- Many other improvements have been made. See the “New and Updated Features” section below for more details.
- New and Updated Features:
- The following features are new (or have been significantly updated) since version 4.0.0rc2:
- Nothing of note.
- The following features are new (or have been significantly updated) since version 4.0.0rc1:
- The macOS packages now ship with Qt 6.2.4 and require macOS 10.14. They previously shipped with Qt 5.15.3.
- The Windows installers now ship with Npcap 1.71. They previously shipped with Npcap 1.70.
- The following features are new (or have been significantly updated) since version 3.7.2:
- The Windows installers now ship with Npcap 1.70. They previously shipped with Npcap 1.60.
- The following features are new (or have been significantly updated) since version 3.7.1:
- The 'v' (lower case) and 'V' (upper case) switches have been swapped for editcap and mergecap to match the other command line utilities.
- The ip.flags field is now only the three high bits, not the full byte. Display filters and Coloring rules using the field will need to be adjusted.
- New address type AT_NUMERIC allows simple numeric addresses for protocols which do not have a more common-style address approach, analog to AT_STRINGZ.
- The following features are new (or have been significantly updated) since version 3.7.0:
- The Windows installers now ship with Qt 6.2.3. They previously shipped with Qt 6.2.4.
- The Conversation and Endpoint dialogs have been redesigned with the following improvements:
- The context menu now includes the option to resize all columns, as well as copying elements.
- Data may be exported as JSON.
- Tabs may be detached and reattached from the dialog.
- Adding and removing tabs will keep them in the same order all the time.
- If a filter is applied, two columns are shown in either dialog detailing the difference between unmatched and matched packets.
- Columns are now sorted via secondary properties if an identical entry is found.
- Conversations are sorted via second address and first port number.
- Endpoints are sorted via port numbers.
- IPv6 addresses are sorted correctly after IPv4 addresses.
- The dialog elements have been moved to make it easier to handle for new users.
- Selection of tap elements is done via a list.
- All configurations and options are done via a left side button row.
- Columns for the Conversations and Endpoint dialogs can be hidden by a context menu.
- TCP and UDP conversations now include the stream ID and allow filtering on it.
- The following features are new (or have been significantly updated) since version 3.6.0:
- The Windows installers now ship with Npcap 1.60. They previously shipped with Npcap 1.55.
- The Windows installers now ship with Qt 6.2.4. They previously shipped with Qt 5.12.2.
- The display filter syntax has been updated and enhanced:
- A syntax to match a specific layer in the protocol stack has been added. For example in an IP-over-IP packet “ip.addr#1 == 1.1.1.1” matches the outer layer addresses and “ip.addr#2 == 1.1.1.2” matches the inner layer addresses.
- Universal quantifiers "any" and "all" have been added to any relational operator. For example the expression "all tcp.port > 1024" is true if and only if all tcp.port fields match the condition. Previously only the default behaviour to return true if any one field matches was supported.
- Field references, of the form ${some.field}, are now part of the syntax of display filters. Previously they were implemented as macros. The new implementation is more efficient and has the same properties as protocol fields, like matching on multiple values using quantifiers and support for layer filtering.
- Arithmetic is supported for numeric fields with the usual operators “+”, “-”, “*”, “/”, and “%”. Arithmetic expressions must be grouped using curly brackets (not parentheses).
- New display filter functions max(), min() and abs() have been added.
- Functions can accept expressions as arguments, including other functions. Previously only protocol fields and slices were syntactically valid function arguments.
- A new syntax to disambiguate literals from identifiers has been added. Every value with a leading dot is a protocol or protocol field. Every value in between angle brackets is a literal value. See the User’s Guide for details.
- The "bitwise and" operator is now a first-class bit operator, not a boolean operator. In particular this means it is now possible to mask bits, e.g.: frame[0] & 0x0F == 3.
- Dates and times can be given in UTC using ISO 8601 (with 'Z' timezone) or by appending the suffix "UTC" to the legacy formats. Otherwise local time is used.
- Integer literal constants may be written in binary (in addition to decimal/octal/hexadecimal) using the prefix "0b" or "0B".
- Logical AND now has higher precedence than logical OR, in line with most programming languages.
- It is now possible to index protocol fields from the end using negative indexes. For example the following expression tests the last two bytes of the TCP protocol field: tcp[-2:] == AA:BB. This was a longstanding bug that has been fixed in this release.
- Set elements must be separated using a comma, e.g: {1, 2, "foo"}. Using only whitespace as a separator was deprecated in 3.6 and is now a syntax error.
- Support for some additional character escape sequences in double quoted strings has been added. Along with octal (\<number>) and hex (\x<number>) encoding, the following C escape sequences are now supported with the same meaning: \a, \b, \f, \n, \r, \t, \v. Previously they were only supported with character constants.
- Unicode universal character names are now supported with the escape sequences \uNNNN or \UNNNNNNNN, where N is a hexadecimal digit.
- Unrecognized escape sequences are now treated as a syntax error. Previously they were treated as a literal character. In addition to the sequences indicated above, backslash, single quotation and double quotation mark are also valid sequences: \\, \', \".
- A new strict equality operator "===" or "all_eq" has been added. The expression "a === b" is true if and only if all a’s are equal to b. The negation of "===" can now be written as "!==" (any_ne).
- The aliases "any_eq" for "==" and "all_ne" for "!=" have been added.
- The operator "~=" is deprecated and will be removed in a future version. Use "!==", which has the same meaning, instead.
- Floats must be written with a leading and ending digit. For example the values ".7" and "7." are now invalid as floats. They must be written "0.7" and "7.0" respectively.
- The display filter engine now uses PCRE2 instead of GRegex (GLib’s bindings to the older and end-of-life PCRE library). PCRE2 is compatible with PCRE so any user-visible changes should be minimal. Some exotic patterns may now be invalid and require rewriting.
- Literal strings can handle embedded null bytes (the value '