Wireshark Changelog

What's new in Wireshark 4.2.4

Mar 27, 2024
  • Bug Fixes:
  • If you are upgrading Wireshark 4.2.0 or 4.2.1 on Windows you will need to download and install Wireshark 4.2.4 or later by hand.
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2024-06 T.38 dissector crash. Issue 19695. CVE-2024-2955.
  • Additionally, CVE-2024-24478, CVE-2024-24479, and CVE-2024-24476 were recently assigned to Wireshark without any coordination with the Wireshark project. As far as we can determine, each one is based on invalid assumptions and we have requested that they be rejected.
  • The following bugs have been fixed:
  • Extcap with configuration never starts; "Configure all extcaps before start of capture." is shown instead. Issue 18487.
  • Packet Dissection CSV Export includes last column even if hidden. Issue 19666.
  • Inject TLS secrets closes Wireshark on Windows. Issue 19667.
  • Fuzz job issue: fuzz-2024-02-27-7196.pcap. Issue 19674.
  • Wireshark crashes when adding another port to the HTTP dissector. Issue 19677.
  • Fuzz job issue: fuzz-2024-03-03-7204.pcap. Issue 19685.
  • Fuzz job issue: randpkt-2024-03-05-8004.pcap. Issue 19688.
  • When adding a new row to a table an error report may be inserted. Issue 19705.
  • '--export-objects' does not work as expected on tshark version later than 3.2.10. Issue 19715.
  • Fuzz job issue: fuzz-2024-03-21-7215.pcap. Issue 19717.

New in Wireshark 4.2.3 (Feb 14, 2024)

  • Bug Fixes:
  • If you are upgrading Wireshark 4.2.0 or 4.2.1 on Windows you will need to download and install Wireshark 4.2.3 or later by hand.
  • The following bugs have been fixed:
  • Capture start fails when file set enabled and file extension not supplied if directory contains a period. Issue 14614.
  • Cannot drag and move custom filter buttons in toolbar. Issue 19447.
  • Not equal won’t work when used with wlan.addr. Issue 19449.
  • sshdump fails to connect with private key (ssh-rsa). Issue 19510.
  • ChmodBPF installation fails on macOS Sonoma 14.1.2. Issue 19527.
  • Windows installers should check for Windows 8.1. Issue 19569.
  • Fuzz job crash output: fuzz-2024-01-05-7725.pcap. Issue 19570.
  • Fuzz job crash output: fuzz-2024-01-06-7734.pcap. Issue 19578.
  • Incorrect recursion depth assert failure when dissecting a legitimate GOOSE message. Issue 19580.
  • OPC UA - large read request is reported as malformed in 4.2.1 but not in 4.0.12. Issue 19581.
  • TFTP dissector bug type listed as netscii instead of netascii doesn’t show all TFTP packets including TFTP blocks. Issue 19589.
  • SMB1 replies from LAN Drive app only show up as NBSS Continuation Message. Issue 19593.
  • ciscodump - older SSH key exchange algorithms not supported. Issue 19594.
  • Problem decoding LAPB/X.25/FTAM after adding X.75 decoding. Issue 19595.
  • Wireshark Filter not working. Issue 19604.
  • CFLOW: failure to decode 0 length data fields of IPFIX variable length data types. Issue 19605.
  • Copy … as Printable Text Feature Missing in 4.1/4.2. Issue 19607.
  • Export Objects - HTTP is missing some HTTP/2 files in a two-pass analysis. Issue 19609.
  • ASAM-CMP Plugin: Malformed message, length mismatch if vendor defined data of status messages has odd length. Issue 19626.
  • OSS-Fuzz 66561: wireshark:fuzzshark_ip_proto-udp: Null-dereference READ in wmem_map_lookup. Issue 19642.

New in Wireshark 4.2.2 (Jan 5, 2024)

  • Bug Fixes:
  • This release fixes a software update issue on Windows which causes Wireshark to hang if you are upgrading from version 4.2.0 or 4.2.1. If you are experiencing this issue you will need to download and install Wireshark 4.2.2 or later.
  • The following bugs have been fixed:
  • sharkd is not installed by the Windows installer. Issue 19556.
  • Fuzz job crash output: fuzz-2024-01-01-7740.pcap. Issue 19558.
  • Can’t open a snoop file from the Open dialog box unless I select "All files" as the file type. Issue 19565.
  • Add s4607 dissector to "decode as". Issue 19566.
  • Updater for 4.2.1 hangs. Issue 19568.
  • Updated Protocol Support:
  • RSVP, RTPS, and STANAG 4607

New in Wireshark 4.2.1 (Jan 4, 2024)

  • The following bugs have been fixed:
  • Capture filters not saved to recently used list. Issue 12918.
  • CFM dissector does not handle Sender ID TLV correctly when Chassis ID Length is zero. Issue 13720.
  • OSS-Fuzz 64290: wireshark:fuzzshark_ip: Global-buffer-overflow in dissect_zcl_read_attr_struct. Issue 19490.
  • Overriding capture options set by preference by command line arguments (like -S) doesn’t work. Issue 14549.
  • Segfault when enabling monitor mode on wireless card that falsely claims to support it. Issue 16693.
  • Documented format of temporary file name is out of date in the Wireshark User’s Guide. Issue 18464.
  • Selection highlight lost when interface list is sorted. Issue 19133.
  • HTTP3 malformed packets. Issue 19475.
  • Capture filter compilation fails with obscure error message. Issue 19480.
  • XML: Parsing encoding attribute failed when standalone attribute exists. Issue 19485.
  • Display filter expressions where the protocol name starts with digit and contains a hyphen are rejected. Issue 19489.
  • diameter.3GPP-* display filters not working after upgrade to version 4.2.0. Issue 19493.
  • GigE-vision: Control Protocol shows "unknown" as value for ASCII character set. Issue 19494.
  • The HTTP/3 Request Header URI is not correct. Issue 19497.
  • QUIC/TLS not extracting "h3" from ALPN in a capture. Issue 19503.
  • Documentation on system requirements should be updated. Issue 19512.
  • 4.2.0: init.lua in subdirectories not loaded anymore. Issue 19516.
  • Malformed SIP/SDP messages: components are not decoded properly. Issue 19518.
  • heuristic_protos do not reset on profile swap. Issue 19520.
  • Wireshark 4.2 crashes on Apply As Column. Issue 19521.
  • NFLOG timestamp is incorrect. Issue 19525.
  • Qt6 Crash (Double Free) When Attempting to Save TCP Stream Graph. Issue 19529.
  • Fixed parsing display filter expressions containing literal OID values, e.g. snmp.name == 1.3.6.1.2.1.1.3.0.

New in Wireshark 4.2.0 (Nov 16, 2023)

  • What’s New:
  • This is the first major Wireshark release under the Wireshark Foundation, a nonprofit which hosts Wireshark and promotes protocol analysis education. The foundation depends on your contributions in order to do its work. If you or your employer would like to contribute or become a sponsor, please visit wiresharkfoundation.org.
  • Wireshark supports dark mode on Windows.
  • A Windows installer for Arm64 has been added.
  • Packet list sorting has been improved.
  • Wireshark and TShark are now better about generating valid UTF-8 output.
  • A new display filter feature for filtering raw bytes has been added.
  • Display filter autocomplete is smarter about not suggesting invalid syntax.
  • Tools › MAC Address Blocks can lookup a MAC address in the IEEE OUI registry.
  • The enterprises, manuf, and services configuration files have been compiled in for improved start-up times. These files are no longer available in the master branch in our source code repository. You can download the manuf file from our automated build directory.
  • The installation target no longer installs development headers by default.
  • The Wireshark installation is relocatable on Linux (and other ELF platforms with support for relative RPATHs).
  • Wireshark can be compiled on Windows using MSYS2. Check the Developer’s guide for instructions.
  • Wireshark can be cross-compiled for Windows using Linux. Check the Developer’s guide for instructions.
  • Tools › Browser (SSL Keylog) can launch your web browser with the SSLKEYLOGFILE environment variable set to the appropriate value.
  • Windows installer file names now have the format Wireshark-<version>-<architecture>.exe.
  • Wireshark now supports the Korean language.
  • Many other improvements have been made. See the “New and Updated Features” section below for more details.
  • Bug Fixes:
  • The following bugs have been fixed:
  • Issue 18413 - RTP player do not play audio frequently on Windows builds with Qt6.
  • Issue 18510 - Playback marker does not move after resume with Qt6.
  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 4.2.0rc3:
  • Nothing of note.
  • The following features are new (or have been significantly updated) since version 4.2.0rc2:
  • The Windows installers now ship with Npcap 1.78. They previously shipped with Npcap 1.77.
  • The following features are new (or have been significantly updated) since version 4.2.0rc1:
  • The Windows installers now ship with Npcap 1.77. They previously shipped with Npcap 1.71.
  • The following features are new (or have been significantly updated) since version 4.1.0:
  • Improved dark mode support.
  • The Windows installers now ship with Qt 6.5.3. They previously shipped with Qt 6.2.3.
  • The following features are new (or have been significantly updated) since version 4.0.0:
  • The API has been updated to ensure that the dissection engine produces valid UTF-8 strings.
  • Wireshark now builds with Qt6 by default. To use Qt5 instead pass USE_qt6=OFF to CMake.
  • The "ciscodump" extcap supports Cisco IOS XE 17.x.
  • The default interval between GUI updates when capturing has been decreased from 500ms to 100ms, and is now configurable.
  • The -n option also now disables IP address geolocation information lookup in configured MaxMind databases (and geolocation lookup can be enabled with -Ng.) This is most relevant for TShark, where geolocation lookups are synchronous.
  • The display filter drop-down list is now sorted by "most recently used" instead of "most recently created".
  • Display filter syntax-related changes:
  • It is now possible to filter on raw packet data for any field by using the syntax @some.field == <bytes…​>. This can be useful to filter on malformed UTF-8 strings, among other use cases where it is necessary to look at the field’s raw data.
  • Negation (unary minus) now works with any display filter arithmetic expression.
  • Using the slice operator with strings produces a string. Previously it would produce a byte array. This is useful to index/slice UTF-8 multibyte strings. String byte slices can still be obtained using the "@" (raw operator) prefix.
  • Arithmetic expressions are allowed as set elements.
  • Absolute date and time values can be written as Unix time.
  • The limitation where a minus sign needed to be preceded by a space character has been removed.
  • Added XOR logical operator.
  • Fixed the implementation of all …​ in membership operator (#19188).
  • When parsing absolute time values the display filter engine has learned to understand timezones as specified in strptime(3), including some common North American designations. Arbitrary timezone names are not supported however. Previously only ISO8601 offsets and the "UTC" designation was understood.
  • Writing value strings without double quotes is deprecated and will generate a warning. Value strings are integer or boolean values that can be represented using a user-friendly textual format, such as "Set"/"Unset" instead of numerical values like 1 and 0. It is now a requirement that value strings need to be written enclosed in double-quotes.
  • The deprecated ~≃ operator symbol has been removed. It was replaced by !== in version 4.0.
  • Running the test suite requires the pytest Python module. The emulation layer that allowed running tests without pytest installed has been removed.
  • When saving files or exporting packets after changing their time with the "Time Shift" dialog, the shifted time is written to the new file.
  • TLS secrets used in decrypting packets can be embedded (or discarded) from the capture file via the GUI, similar to the options --inject-secrets and --discard-all-secrets in editcap.
  • The text of any configured column (displayed or hidden) can be filtered anywhere that filters are used - in display filters, filters in taps, coloring rules, Wireshark read filters, and the -Y, -R, and -e options to TShark, the "Apply as Filter" GUI option, etc.
  • The filter field names are prefixed by "_ws.col", followed by a lowercase version of the COL_ name found in epan/column-utils.h, e.g. "_ws.col.info" or "_ws.col.protocol".
  • Using the column names as a filter is slower than other filter types because the columns must be constructed, so when the same filtering can be achieved via other fields, prefer that.
  • The external name resolution text files "manuf", "enterprises" and "services" have been removed and replaced with static binary data. You can dump the respective internal data using tshark -G manuf|enterprises|services.
  • The "manuf" file is now also read from the personal configuration folder, and is profile-based.
  • The Lua console dialogs under the Tools menu were refactored and redesigned. It now consists of a single dialog window for input and output.
  • Wireshark now shows byte units in the statistics in the user-selected language (uses the system default language by default).
  • Packet list sorting has been improved:
  • When sorting packet list with a filter applied, only the visible packets are sorted, which greatly increases sorting speed.
  • The cache size for column text is limited to a default of 10000 rows, which limits the maximum memory usage. The maximum value can be changed in Preferences→Appearance→Layout.
  • Due to the above, columns that require packet dissection can only be sorted if the number of visible rows is less than the cache size. If there are more rows visible, a warning will appear. Columns that do not require packet dissection (those that calculated directly from the capture file frame headers, such as packet number, time, and frame length) can be sorted with any number of visible rows.
  • Sorting can be interrupted.
  • When changing the dissector via the "Decode As" table for values that have default dissectors registered, selecting "(none)" will select no dissection (while still allowing heuristic dissectors to attempt to dissect.) The previous behavior was to reset the dissector to the default. To facilitate resetting the dissector, the default dissector is now sorted at the top of the list of possible dissector options.
  • The personal extcap plugin folder location on Unix has been changed to follow existing conventions for architecture-dependent files. The extcap personal folder is now $HOME/.local/lib/wireshark/extcap. Previously it was $XDG_CONFIG_HOME/wireshark/extcap.
  • The "init.lua" file is now loaded from any of the Lua plugin directories. Previously it was loaded from the personal configuration directory. (For backward-compatibility this is still allowed; note that deprecated features may be removed in a future release).
  • Installation of development headers must be done explicitly using the CMake command cmake --install <builddir> --component Development.
  • The Windows build has a new SpeexDSP external dependency (https://www.speex.org). The speex code that was previously bundled has been removed.
  • New --print-timers option added to TShark.
  • Removed Features and Support:
  • With the addition of the universal and consistent filtering support for column text, the previous support in the -e option to TShark for displaying column text via the column title has been removed in general. Those field names cannot be used elsewhere (as they may not be legal filter names) and create confusion if more than one column has the same title or if a column is renamed. Prefer the column format instead, e.g. "_ws.col.info" for "_ws.col.Info". However, for backwards compatibility with existing tools and scripts, the titles of the default columns can continue to be used with tshark -e (but not elsewhere.)
  • The bundled script "dtd_gen.lua" that was disabled by default has been removed from the installation. It can be found in the Wireshark Wiki under "Contrib".
  • The Wi-Fi NAN dissector filter name has been changed from 'nan' to 'wifi_nan'.
  • New File Format Decoding Support:
  • RTPDump
  • New Protocol Support:
  • Aruba UBT, ASAM Capture Module Protocol (CMP), ATSC Link-Layer Protocol (ALP), DECT DLC protocol layer (DECT-DLC), DECT NWK protocol layer (DECT-NWK), DECT proprietary Mitel OMM/RFP Protocol (also named AaMiDe), Digital Object Identifier Resolution Protocol (DO-IRP), Discard Protocol, FiRa UWB Controller Interface (UCI), FiveCo’s Register Access Protocol (5CoRAP), Fortinet FortiGate Cluster Protocol (FGCP), GPS L1 C/A LNAV navigation messages, GSM Radio Link Protocol (RLP), H.224, High Speed Fahrzeugzugang (HSFZ), Hypertext Transfer Protocol version 3 (HTTP/3), ID3v2, IEEE 802.1CB (R-TAG), Iperf3, JSON 3GPP, Low Level Signalling (ATSC3 LLS), Management Component Transport Protocol (MCTP), Management Component Transport Protocol - Control Protocol (MCTP CP), Matter home automation protocol, Microsoft Delivery Optimization, Multi-Drop Bus (MDB), Non-volatile Memory Express - Management Interface (NVMe-MI) over MCTP, RDP audio output virtual channel Protocol (rdpsnd), RDP clipboard redirection channel Protocol (cliprdr), RDP Program virtual channel Protocol (RAIL), SAP Enqueue Server (SAPEnqueue), SAP GUI (SAPDiag), SAP HANA SQL Command Network Protocol (SAPHDB), SAP Internet Graphic Server (SAP IGS), SAP Message Server (SAPMS), SAP Network Interface (SAPNI), SAP Router (SAPROUTER), SAP Secure Network Connection (SNC), SBAS L1 Navigation Messages (SBAS L1), SINEC AP1 Protocol (SINEC AP), SMPTE ST2110-20 (Uncompressed Active Video), Train Real-Time Data Protocol (TRDP), UBX protocol of u-blox GNSS receivers (UBX), UDP Tracker Protocol for BitTorrent (BT-Tracker), UWB UCI Protocol, Video Protocol 9 (VP9), VMware HeartBeat, Windows Delivery Optimization (MS-DO), Z21 LAN Protocol (Z21), Zabbix, ZigBee Direct (ZBD), and Zigbee TLV
  • Updated Protocol Support:
  • JSON: The dissector now has a preference to enable/disable "unescaping" of string values. By default it is off. Previously it was always on.
  • JSON: The dissector now supports "Display JSON in raw form".
  • IPv6: The dissector has a new preference to show some semantic details about addresses (default off).
  • IPv6: The dissector now supports dissecting the Application-aware IPv6 Networking (APN6) option in the Hop-by-Hop Options Header (HBH) and Destination Options Header (DOH), including all three types of APN ID, which are 32-bit, 64-bit and 128-bit in length.
  • XML: The dissector now supports display character according to the "encoding" attribute of the XML declaration, and has a new preference to set default character encoding for some XML document without "encoding" attribute.
  • SIP: The dissector now has a new preference to set default charset for displaying the body of SIP messages in raw text view.
  • HTTP: The dissector now supports dissecting chunked data in streaming reassembly mode. Subdissectors of HTTP can register itself in "streaming_content_type" subdissector table for enabling streaming reassembly mode while transferring in chunked encoding. This feature ensures the server stream messages of GRPC-Web over HTTP/1.1 can be dissected even if the last chunk is absent.
  • The media type dissector table now properly treats media types and subtypes as case-insensitive automatically, per RFC 6838. Media types no longer need to be lower cased before registering or looking up in the table.
  • CFM: The dissector has been overhauled and updated to the level of IEEE std 802.1Q-2022 and ITU-T Rec. G.8013/Y.1371 (08/2015). This includes dissection of additional PDU types and TLVs as well as deeper dissection of existing PDUs and TLVs.
  • Too many other protocol updates have been made to list them all here.
  • New and Updated Codec support:
  • Adaptive Multi-Rate (AMR), if compiled with opencore-amr.
  • Major API Changes:
  • Lua function "package.prepend_path" has been removed. If you need it please consider adding your own package.path customization code or installing your dependencies in Wireshark’s default paths.
  • The reassemble_streaming_data_and_call_subdissector() API has been added to provide a simpler way to reassemble the streaming data of a high level protocol that is not on top of TCP.
  • Some of the API now uses C99 types instead of GLib types. Issue 19116.

New in Wireshark 4.0.11 (Nov 16, 2023)

  • The following bugs have been fixed:
  • First ZigBee APS packet is not decrypted. Issue 16507.
  • Problem with decoding OpenFlow actions in OFPT_FLOW_MOD message. Issue 17072.
  • The "frames" method in sharkd does not consider time references and displays incorrect delta time. Issue 17923.
  • Wireshark and TShark throw packet-wireguard-WARNING when running on systems with FIPS enabled. Issue 18441.
  • Wireshark interprets If_fcslen option in the Interface Description Block as byte instead of bit. Issue 19174.
  • Flathub’s Wireshark page shows wrong version number. Issue 19382.
  • OSPFv3 RI decode error. Issue 19444.
  • GSM SIM READ / UPDATE BINARY command has wrong offset. Issue 19472.

New in Wireshark 4.2.0 RC 2 (Oct 18, 2023)

  • Wireshark supports dark mode on Windows.
  • A Windows installer for Arm64 has been added.
  • Packet list sorting has been improved.
  • Wireshark and TShark are now better about generating valid UTF-8 output.
  • A new display filter feature for filtering raw bytes has been added.
  • Display filter autocomplete is smarter about not suggesting invalid syntax.

New in Wireshark 4.2.0 RC 1 (Oct 6, 2023)

  • Wireshark supports dark mode on Windows.
  • A Windows installer for Arm64 has been added.
  • Packet list sorting has been improved.
  • Wireshark and TShark are now better about generating valid UTF-8 output.
  • A new display filter feature for filtering raw bytes has been added.
  • Display filter autocomplete is smarter about not suggesting invalid syntax.
  • Tools › MAC Address Blocks can lookup a MAC address in the IEEE OUI registry.
  • The enterprises, manuf, and services configuration files have been compiled in for improved start-up times.
  • The installation target no longer installs development headers by default.
  • The Wireshark installation is relocatable on Linux (and other ELF platforms with support for relative RPATHs).
  • Wireshark can be compiled on Windows using MSYS2. Check the Developer’s guide for instructions.
  • Wireshark can be cross-compiled for Windows using Linux. Check the Developer’s guide for instructions.
  • Tools › Browser (SSL Keylog) can launch your web browser with the SSLKEYLOGFILE environment variable set to the appropriate value.
  • Windows installer file names now have the format Wireshark-<version>-<architecture>.exe.
  • Many other improvements have been made. See the “New and Updated Features” section below for more details.
  • Bug Fixes:
  • The following bugs have been fixed:
  • Issue 18413 - RTP player do not play audio frequently on Windows builds with Qt6.
  • Issue 18510 - Playback marker does not move after resume with Qt6.
  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 4.1.0:
  • Improved dark mode support.
  • The following features are new (or have been significantly updated) since version 4.0.0:
  • The Windows installers now ship with Qt 6.5.3. They previously shipped with Qt 6.2.3.
  • The API has been updated to ensure that the dissection engine produces valid UTF-8 strings.
  • Wireshark now builds with Qt6 by default. To use Qt5 instead pass USE_qt6=OFF to CMake.
  • The "ciscodump" extcap supports Cisco IOS XE 17.x.
  • The default interval between GUI updates when capturing has been decreased from 500ms to 100ms, and is now configurable.
  • The -n option also now disables IP address geolocation information lookup in configured MaxMind databases (and geolocation lookup can be enabled with -Ng.) This is most relevant for TShark, where geolocation lookups are synchronous.
  • The display filter drop-down list is now sorted by "most recently used" instead of "most recently created".
  • Display filter syntax-related changes:
  • It is now possible to filter on raw packet data for any field by using the syntax @some.field == <bytes…>. This can be useful to filter on malformed UTF-8 strings, among other use cases where it is necessary to look at the field’s raw data.
  • Negation (unary minus) now works with any display filter arithmetic expression.
  • Using the slice operator with strings produces a string. Previously it would produce a byte array. This is useful to index/slice UTF-8 multibyte strings. String byte slices can still be obtained using the "@" (raw operator) prefix.
  • Arithmetic expressions are allowed as set elements.
  • Absolute date and time values can be written as Unix time.
  • The limitation where a minus sign needed to be preceded by a space character has been removed.
  • Added XOR logical operator.
  • Fixed the implementation of all … in membership operator (#19188).
  • When parsing absolute time values the display filter engine has learned to understand timezones as specified in strptime(3), including some common North American designations. Arbitrary timezone names are not supported however. Previously only ISO8601 offsets and the "UTC" designation was understood.
  • Writing value strings without double quotes is deprecated and will generate a warning. Value strings are integer or boolean values that can be represented using a user-friendly textual format, such as "Set"/"Unset" instead of numerical values like 1 and 0. It is now a requirement that value strings need to be written enclosed in double-quotes.
  • The deprecated ~≃ operator symbol has been removed. It was replaced by !== in version 4.0.
  • Running the test suite requires the pytest Python module. The emulation layer that allowed running tests without pytest installed has been removed.
  • When saving files or exporting packets after changing their time with the "Time Shift" dialog, the shifted time is written to the new file.
  • TLS secrets used in decrypting packets can be embedded (or discarded) from the capture file via the GUI, similar to the options --inject-secrets and --discard-all-secrets in editcap.
  • The text of any configured column (displayed or hidden) can be filtered anywhere that filters are used - in display filters, filters in taps, coloring rules, Wireshark read filters, and the -Y, -R, and -e options to TShark, the "Apply as Filter" GUI option, etc.
  • The filter field names are prefixed by "_ws.col", followed by a lowercase version of the COL_ name found in epan/column-utils.h, e.g. "_ws.col.info" or "_ws.col.protocol".
  • Using the column names as a filter is slower than other filter types because the columns must be constructed, so when the same filtering can be achieved via other fields, prefer that.
  • The external name resolution text files "manuf", "enterprises" and "services" have been removed and replaced with static binary data. You can dump the respective internal data using tshark -G manuf|enterprises|services.
  • The "manuf" file is now also read from the personal configuration folder, and is profile-based.
  • The Lua console dialogs under the Tools menu were refactored and redesigned. It now consists of a single dialog window for input and output.
  • Wireshark now shows byte units in the statistics in the user-selected language (uses the system default language by default).
  • Packet list sorting has been improved:
  • When sorting packet list with a filter applied, only the visible packets are sorted, which greatly increases sorting speed.
  • The cache size for column text is limited to a default of 10000 rows, which limits the maximum memory usage. The maximum value can be changed in Preferences→Appearance→Layout.
  • Due to the above, columns that require packet dissection can only be sorted if the number of visible rows is less than the cache size. If there are more rows visible, a warning will appear. Columns that do not require packet dissection (those that calculated directly from the capture file frame headers, such as packet number, time, and frame length) can be sorted with any number of visible rows.
  • Sorting can be interrupted.
  • When changing the dissector via the "Decode As" table for values that have default dissectors registered, selecting "(none)" will select no dissection (while still allowing heuristic dissectors to attempt to dissect.) The previous behavior was to reset the dissector to the default. To facilitate resetting the dissector, the default dissector is now sorted at the top of the list of possible dissector options.
  • The personal extcap plugin folder location on Unix has been changed to follow existing conventions for architecture-dependent files. The extcap personal folder is now $HOME/.local/lib/wireshark/extcap. Previously it was $XDG_CONFIG_HOME/wireshark/extcap.
  • The "init.lua" file is now loaded from any of the Lua plugin directories. Previously it was loaded from the personal configuration directory. (For backward-compatibility this is still allowed; note that deprecated features may be removed in a future release).
  • Installation of development headers must be done explicitly using the CMake command cmake --install <builddir> --component Development.
  • The Windows build has a new SpeexDSP external dependency (https://www.speex.org). The speex code that was previously bundled has been removed.
  • New --print-timers option added to TShark.
  • Removed Features and Support:
  • With the addition of the universal and consistent filtering support for column text, the previous support in the -e option to TShark for displaying column text via the column title has been removed in general. Those field names cannot be used elsewhere (as they may not be legal filter names) and create confusion if more than one column has the same title or if a column is renamed. Prefer the column format instead, e.g. "_ws.col.info" for "_ws.col.Info". However, for backwards compatibility with existing tools and scripts, the titles of the default columns can continue to be used with tshark -e (but not elsewhere.)
  • The bundled script "dtd_gen.lua" that was disabled by default has been removed from the installation. It can be found in the Wireshark Wiki under "Contrib".
  • The Wi-Fi NAN dissector filter name has been changed from 'nan' to 'wifi_nan'.
  • New File Format Decoding Support:
  • RTPDump
  • New Protocol Support:
  • Aruba UBT, ASAM Capture Module Protocol (CMP), ATSC Link-Layer Protocol (ALP), DECT DLC protocol layer (DECT-DLC), DECT NWK protocol layer (DECT-NWK), DECT proprietary Mitel OMM/RFP Protocol (also named AaMiDe), Digital Object Identifier Resolution Protocol (DO-IRP), Discard Protocol, FiRa UWB Controller Interface (UCI), FiveCo’s Register Access Protocol (5CoRAP), Fortinet FortiGate Cluster Protocol (FGCP), GPS L1 C/A LNAV navigation messages, GSM Radio Link Protocol (RLP), H.224, High Speed Fahrzeugzugang (HSFZ), Hypertext Transfer Protocol version 3 (HTTP/3), ID3v2, IEEE 802.1CB (R-TAG), Iperf3, JSON 3GPP, Low Level Signalling (ATSC3 LLS), Management Component Transport Protocol (MCTP), Management Component Transport Protocol - Control Protocol (MCTP CP), Matter home automation protocol, Microsoft Delivery Optimization, Multi-Drop Bus (MDB), Non-volatile Memory Express - Management Interface (NVMe-MI) over MCTP, RDP audio output virtual channel Protocol (rdpsnd), RDP clipboard redirection channel Protocol (cliprdr), RDP Program virtual channel Protocol (RAIL), SAP Enqueue Server (SAPEnqueue), SAP GUI (SAPDiag), SAP HANA SQL Command Network Protocol (SAPHDB), SAP Internet Graphic Server (SAP IGS), SAP Message Server (SAPMS), SAP Network Interface (SAPNI), SAP Router (SAPROUTER), SAP Secure Network Connection (SNC), SBAS L1 Navigation Messages (SBAS L1), SINEC AP1 Protocol (SINEC AP), SMPTE ST2110-20 (Uncompressed Active Video), Train Real-Time Data Protocol (TRDP), UBX protocol of u-blox GNSS receivers (UBX), UDP Tracker Protocol for BitTorrent (BT-Tracker), UWB UCI Protocol, Video Protocol 9 (VP9), VMware HeartBeat, Windows Delivery Optimization (MS-DO), Z21 LAN Protocol (Z21), Zabbix, ZigBee Direct (ZBD), and Zigbee TLV
  • Updated Protocol Support:
  • JSON: The dissector now has a preference to enable/disable "unescaping" of string values. By default it is off. Previously it was always on.
  • JSON: The dissector now supports "Display JSON in raw form".
  • IPv6: The dissector has a new preference to show some semantic details about addresses (default off).
  • IPv6: The dissector now supports dissecting the Application-aware IPv6 Networking (APN6) option in the Hop-by-Hop Options Header (HBH) and Destination Options Header (DOH), including all three types of APN ID, which are 32-bit, 64-bit and 128-bit in length.
  • XML: The dissector now supports displaying characters according to the "encoding" attribute of the XML declaration, and has a new preference to set the default character encoding for XML documents without an "encoding" attribute.
  • SIP: The dissector now has a new preference to set the default charset for displaying the body of SIP messages in raw text view.
  • HTTP: The dissector now supports dissecting chunked data in streaming reassembly mode. Subdissectors of HTTP can register themselves in the "streaming_content_type" subdissector table to enable streaming reassembly mode while transferring in chunked encoding. This feature ensures the server stream messages of GRPC-Web over HTTP/1.1 can be dissected even if the last chunk is absent.
  • The media type dissector table now properly treats media types and subtypes as case-insensitive automatically, per RFC 6838. Media types no longer need to be lower cased before registering or looking up in the table.
  • CFM: The dissector has been overhauled and updated to the level of IEEE std 802.1Q-2022 and ITU-T Rec G.8013/Y.1371 (08/2015). This includes dissection of additional PDU types and TLVs as well as deeper dissection of existing PDUs and TLVs.
  • Too many other protocol updates have been made to list them all here.
  • New and Updated Codec support:
  • Adaptive Multi-Rate (AMR), if compiled with opencore-amr
  • Major API Changes:
  • Lua function "package.prepend_path" has been removed. If you need it please consider adding your own package.path customization code or installing your dependencies in Wireshark’s default paths.
  • The reassemble_streaming_data_and_call_subdissector() API has been added to provide a simpler way to reassemble the streaming data of a high level protocol that is not on top of TCP.
  • Some of the API now uses C99 types instead of GLib types. Issue 19116.

New in Wireshark 4.0.10 (Oct 5, 2023)

  • What’s New:
  • We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779
  • If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you might have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon. Issue 18734.
  • Bug Fixes
  • The following bugs have been fixed:
  • Error loading g729.so plugin with Wireshark 4.0.9 and 3.6.17 on macOS. Issue 19374.

New in Wireshark 4.0.9 (Oct 4, 2023)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2023-27 RTPS dissector memory leak. Issue 19322. CVE-2023-5371.
  • The following bugs have been fixed:
  • Updating from within Wireshark if a file is open fails because it can’t close Wireshark. Issue 17658.
  • ESL timestamp provided by ET2000 not displayed. Issue 18308.
  • Kafka: dissect_kafka_sync_group_request missing version check for instance_id. Issue 19290.
  • Start Capture via context menu crashes on macOS with an older Qt version. Issue 19299.
  • Delta time displayed is incorrect after unsetting time reference. Issue 19324.
  • Fuzz job crash output: randpkt-2023-09-09-7060.pcap. Issue 19332.
  • Missing one bit in SCCP::sequencing/segmenting. Issue 19336.
  • Protobuf field malformed packet for last byte of 'repeated fixed32' Issue 19342.
  • RTP/RFC 4571: Wrong desegmentation/reassembly in RTP over TCP packets. Issue 19345.
  • Sparklines not working on macOS Sonoma with both native OS and Homebrew pcap. Issue 19349.
  • Incorrect bit values and namings in BSS Configuration Report TLV. Issue 19352.

New in Wireshark 4.0.8 (Aug 24, 2023)

  • What’s New:
  • We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779
  • If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you might have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon. Issue 18734.
  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2023-23 CBOR dissector crash. Issue 19144.
  • wnpa-sec-2023-24 BT SDP dissector infinite loop. Issue 19258.
  • wnpa-sec-2023-25 BT SDP dissector memory leak. Issue 19259.
  • wnpa-sec-2023-26 CP2179 dissector crash. Issue 19229.
  • The following bugs have been fixed:
  • TShark cannot capture to pipe on Windows correctly. Issue 17900.
  • Wireshark wrongly blames group membership when pcap capabilities are removed. Issue 18279.
  • Packet bytes window broken layout. Issue 18326.
  • RTP Player only shows waveform until sequence rollover. Issue 18829.
  • Valid Ethernet CFM DMM packets are shown as malformed. Issue 19198.
  • Crash on DICOM Export Objects window close. Issue 19207.
  • The QUIC dissector is reporting the quic_transport_parameters max_ack_delay with the title "GREASE" Issue 19209.
  • Preferences: Folder name editing behaves weirdly, cursor jumps. Issue 19213.
  • DHCPFO: Expert info list does not show all expert infos. Issue 19216.
  • Websocket packets not decoded and displayed for Field type=Custom and Field name websocket.payload.text. Issue 19220.
  • Cannot read pcapng file captured on OpenBSD and read on FreeBSD. Issue 19230.
  • UI: While capturing the Wireshark icon changes from green to blue when new file is created. Issue 19252.
  • Conversation: heap-use-after-free after wmem_leave_file_scope. Issue 19265.
  • IP Packets with DSCP 44 does not indicate "Voice-Admit" Issue 19270.
  • NAS 5GS Malformed Packet Decoding SOR transparent container PLMN ID and access technology list. Issue 19273.
  • UI: Auto scroll button in the toolbar is turned on when manually scrolling to the end of packet list. Issue 19274.

New in Wireshark 4.0.7 (Jul 12, 2023)

  • What’s New:
  • We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779
  • If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you might have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon. Issue 18734.
  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2023-21 Kafka dissector crash. Issue 19105.
  • wnpa-sec-2023-22 iSCSI dissector crash. Issue 19164.
  • The following bugs have been fixed:
  • Crash when (re)loading a capture file after renaming a dfilter macro. Issue 13753.
  • Moving a column deselects selected packet and moves to beginning of packet list. Issue 16251.
  • If you set the default interface in the preferences, it doesn’t work with TShark. Issue 16593.
  • Severe performance issues in Follow → Save As raw workflow. Issue 17313.
  • TShark doesn’t support the tab character as an aggregator character in "-T fields" Issue 18002.
  • On Windows clicking on a link in the 'Software Update' window launches, now unsupported, MS Internet Explorer. Issue 18488.
  • Wireshark 4.x.on Win10-x64 crashes after saving a file with a name already in use. Issue 18679.
  • NAS-5GS Operator-defined Access Category: Multiple Criteria values not displayed in dissected packet display. Issue 18941.
  • Server Hello Packet Invisible - during 802.1Authentication- from Wireshark App Version 4.0.3 (v4.0.3-0-gc552f74cdc23) & above. Issue 19071.
  • TShark reassembled data is incomplete/truncated. Issue 19107.
  • CQL protocol parsing issues with Result frames from open source Cassandra. Issue 19119.
  • TLS 1.3 second Key Update doesn’t work. Issue 19120.
  • HTTP2 dissector reports an assertion error on large data frames. Issue 19121.
  • epan: Single letter hostnames aren’t displayed correctly. Issue 19137.
  • BLF: CAN-FD-Message format is missing a field. Issue 19146.
  • BLF: last parameter of LIN-Message is not mandatory (BUGFIX) Issue 19147.
  • PPP IPv6CP: Incorrect payload length warning. Issue 19149.
  • INSTALL file needs to be updated for Debian. Issue 19167.
  • Updated Protocol Support:
  • 9P, AMQP, BGP, CQL, DHCPFO, EAP, GlusterFS, GSM MAP, HTTP2, iSCSI, Kafka, Kerberos, NAN, NAS-5GS, OCP.1, OpenFlow 1.0, PDCP-NR, PEAP, PPPoE, RSL, RTCP, rtnetlink, and XMPP
  • Some RTP streams make Wireshark crash when trying to play stream. Issue 19170.
  • Wrong ordering in OpenFlow 1.0 Datapath unique ID. Issue 19172.
  • Incorrect mask in RTCP slice picture ID. Issue 19182.
  • Dissection error in AMQP 1.0. Issue 19191.

New in Wireshark 4.0.6 (May 25, 2023)

  • What’s New:
  • We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779
  • If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you will likely have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon. Issue 18734.
  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2023-12 Candump log file parser crash. Issue 19062. CVE-2023-2855.
  • wnpa-sec-2023-13 BLF file parser crash. Issue 19063. CVE-2023-2857.
  • wnpa-sec-2023-14 GDSDB dissector infinite loop. Issue 19068.
  • wnpa-sec-2023-15 NetScaler file parser crash. Issue 19081. CVE-2023-2858.
  • wnpa-sec-2023-16 VMS TCPIPtrace file parser crash. Issue 19083. CVE-2023-2856.
  • wnpa-sec-2023-17 BLF file parser crash. Issue 19084. CVE-2023-2854.
  • wnpa-sec-2023-18 RTPS dissector crash. Issue 19085. CVE-2023-0666.
  • wnpa-sec-2023-19 IEEE C37.118 Synchrophasor dissector crash. Issue 19087. CVE-2023-0668.
  • wnpa-sec-2023-20 XRA dissector infinite loop. Issue 19100.
  • The following bugs have been fixed:
  • Conversations list has incorrect unit (bytes) in bit speed columns in the 3.7 development versions. Issue 18211.
  • The media_type table should treat media types, e.g. application/3gppHal+json, as case-insensitive. Issue 18611.
  • NNTP dissector bug. Issue 18981.
  • Incorrect padding in BFCP decoder. Issue 18890.
  • SPNEGO dissector bug. Issue 18991.
  • SRT values are incorrect when applying a time shift. Issue 18999.
  • Add warning that capturing is not supported in Wireshark installed from flatpak. Issue 19008.
  • Opening Wireshark with -z io,stat option. Issue 19042.
  • batadv dissector bug. Issue 19047.
  • radiotap-gen build fails if pcap is not found. Issue 19059.
  • [UDS] When filtering the uds.wdbi.data_identifier or uds.iocbi.data_identifier field is interpreted as 1 byte whereas it consists of 2 bytes. Issue 19078.
  • Wireshark can’t save this capture in that format. Issue 19080.
  • MSMMS parsing buffer overflow. Issue 19086.
  • USB HID parser shows wrong label for usages Rx/Vx/Vbrx of usage page Generic Desktop Control. Issue 19095.
  • "Follow → QUIC Stream" mixes data between streams. Issue 19102.
  • New and Updated Features:
  • The media type dissector table now properly treats media types and subtypes as case-insensitive automatically, per RFC 6838. Media types no longer need to be lower cased before registering or looking up in the table.
  • Removed Features and Support
  • New Protocol Support:
  • There are no new protocols in this release.
  • Updated Protocol Support:
  • batadv, BFCP, CommunityID, COSE, GDSDB, H.265, HTTP, ILP, ISAKMP, MSMMS, NNTP, NR RRC, NTLMSSP, QUIC, RTPS, SPNEGO, Synphasor, TCP, UDS, ULP, USB HID, and XRA
  • New and Updated Capture File Support
  • BLF, Candump, NetScaler, and VMS TCPIPtrace
  • New File Format Decoding Support
  • There is no new or updated file format support in this release.

New in Wireshark 4.0.4 (Mar 3, 2023)

  • What’s New:
  • We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779
  • If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you will likely have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon. Issue 18734.
  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2023-08 ISO 15765 and ISO 10681 dissector crash. Issue 18839.
  • The following bugs have been fixed:
  • UTF-8 characters end up escaped in PSML output. Issue 10445.
  • Export filtered displayed packets won’t save IP fragments of SCTP fragments needed to reassemble a displayed frame. Issue 12597.
  • DICOM dissection in reassembled PDV goes wrong. Issue 13388.
  • "Export Objects - IMF" produces incorrect file, TCP reassembly fails with retransmissions that have additional data. Issue 13523.
  • The intelligent scroll bar or minimap is not predictable on locating and scrolling. Issue 13989.
  • If you mark (or unmark) the currently-selected frame, the packet details still say it’s not marked (or it is marked) Issue 14330.
  • An out-of-order packet incorrectly detected as retransmission breaks desegmentation of TCP stream. Issue 15993.
  • Sorting Packet Loss Column is not sorting correct. Issue 16785.
  • Some HTTPS packets cannot be decrypted. Issue 17406.
  • SIP TCP decoding regression from Wireshark 1.99.0 to 3.6.8. Issue 18411.
  • Frame comments not preserved when using filter to write new pcap from tshark. Issue 18693.
  • ChmodBPF not working on macOS Ventura 13.1. Issue 18734.
  • Wireshark GUI and window manager stuck after setting display filter. Issue 18809.
  • Dissector bug, protocol H.261. Issue 18812.
  • File extension heuristics are case-sensitive. Issue 18821.
  • Symbolic links to packages in macOS dmg can’t be double-clicked to install on macOS 13.2. Issue 18830.
  • Potential memory leak in tshark.c. Issue 18837.
  • Fuzz job crash output: fuzz-2023-02-05-7303.pcap. Issue 18842.
  • f5fileinfo: Hardware platforms missing descriptions. Issue 18848.
  • The lines in the intelligent scrollbar are off by one. Issue 18850.
  • Wireshark crashes on invalid UDS packet in Lua context. Issue 18865.
  • TECMP dissector shows the wrong Voltage in Vendor Data. Issue 18871.
  • UDS: Names of RDTCI subfunctions 0x0b … 0x0e are not correct. Issue 18873.
  • Updated Protocol Support:
  • ASTERIX, BGP, DHCP, ERF, F5 Ethernet trailer, GMR-1 RR, Gryphon, GSM SMS, H.261, H.450, ISO 10681, ISO 15765, MIPv6, NAS-5gs, NR RRC, NS Trace, OptoMMP, PDCP-LTE, PDCP-NR, QSIG, ROHC, RSVP, RTCP, SCTP, SIP, TCP, TECMP, TWAMP, UDS, and UMTS RLC

New in Wireshark 4.0.3 (Jan 18, 2023)

  • Bug Fixes:
  • Wnpa-sec-2023-01 EAP dissector crash. Issue 18622.
  • Wnpa-sec-2023-02 NFS dissector memory leak. Issue 18628.
  • Wnpa-sec-2023-03 Dissection engine crash. Issue 18766.
  • Wnpa-sec-2023-04 GNW dissector crash. Issue 18779.
  • Wnpa-sec-2023-05 iSCSI dissector crash. Issue 18796.
  • Wnpa-sec-2023-06 Multiple dissector excessive loops. Issue 18711, Issue 18720, Issue 18737.
  • Wnpa-sec-2023-07 TIPC dissector crash. Issue 18770.
  • The following bugs have been fixed:
  • Qt: After modifying coloring rules, the coloring rule applied to the first packet reflects the coloring rules previously in effect. Issue 12475.
  • Help file doesn’t display for extcap interfaces. Issue 15592.
  • For USB traffic on XHC20 interface destination is always given as Host. Issue 16768.
  • Wireshark Expert Info - cannot deselect the limit to display filter tick box. Issue 18461.
  • Wrong pointer conversion in get_data_source_tvb_by_name() Issue 18517.
  • Wrong number of bits skipped while decoding an empty UTF8String on UPER packet. Issue 18702.
  • Crash when analyzing protobuf packets. Issue 18730.
  • Uninitialized values in various dissectors. Issue 18742.
  • String (GeoIP country/city) ordering doesn’t work in Endpoints. Issue 18749.
  • Wireshark crashes with an assertion failure on stray minus in filter. Issue 18750.
  • IO Graph: Add new graph only works until the 10th graph. Issue 18762.
  • Fuzz job crash output: fuzz-2022-12-30-11007.pcap. Issue 18770.
  • Q.850 - error in label for cause 0x7F. Issue 18780.
  • Uninitialized values in CoAP and RTPS dissectors. Issue 18785.
  • Screenshots in AppStream metainfo.xml file not available. Issue 18801.

New in Wireshark 4.0.2 (Dec 7, 2022)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • Wnpa-sec-2022-09 Multiple dissector infinite loops.
  • Wnpa-sec-2022-10 Kafka dissector memory exhaustion.
  • The following bugs have been fixed:
  • Qt: Endpoints dialog - unexpected byte unit suffixes in packet columns. Issue 18229.
  • GOOSE: field "floating_point" not working anymore. Issue 18491.
  • EVS Header-Full format padding issues. Issue 18498.
  • Wireshark 4.0.0 VOIP playback has no sound and can’t resume after pausing. Issue 18510.
  • Wireshark crashes when exporting a profile on Mac OSX if there is no extension. Issue 18525.
  • EVS dissector missing value description. Issue 18550.
  • Qt 6 font descriptions not backward compatible with Qt 5. Issue 18553.
  • Wireshark, wrong TCP ACKed unseen segment message. Issue 18558.
  • Invalid Cyrillic symbol in timezone at "Arrival Time" field in frame. Issue 18562.
  • ProtoBuf parse extension definitions failed. Issue 18599.
  • Fuzz job crash output: fuzz-2022-11-09-11134.pcap. Issue 18613.
  • Fuzz job crash output: fuzz-2022-11-14-11111.pcap. Issue 18632.
  • Wireshark is using old version of ASN (ETSI TS 125 453 V11.2.0) which is impacting length of param in the messages. Issue 18646.
  • BGP: False IGMP flags value in EVPN routes (type 6,7,8) Issue 18660.
  • Wslog assumes stderr and stdout exist. Issue 18684.
  • Editing packet comments, with non-ASCII characters, on Windows saves them in the local code page, not in UTF-8. Issue 18698.
  • Unable to decrypt PSK based DTLS traffic which uses Connection ID. Issue 18705.
  • HTTP2 tests fail when built without nghttp2. Issue 18707.

New in Wireshark 4.0.1 (Oct 26, 2022)

  • What’s New:
  • The Windows installers now ship with Qt 5.12.2. They previously shipped with Qt 6.2.3.
  • Bug Fixes:
  • Comparing a boolean field against 1 always succeeds on big-endian machines. Issue 12236.
  • Qt: MaxMind GeoIP columns not added to Endpoints table. Issue 18320.
  • Fuzz job crash output: fuzz-2022-10-04-7131.pcap. Issue 18402.
  • The RTP player might not play audio on Windows. Issue 18413.
  • Wireshark 4.0 breaks display filter expression with > sign. Issue 18418.
  • Capture filters not working when using SSH capture and dumpcap. Issue 18420.
  • Packet diagram field values are not terminated. Issue 18428.
  • Packet bytes not displayed completely if scrolling. Issue 18438.
  • Fuzz job crash output: fuzz-2022-10-13-7166.pcap. Issue 18467.
  • Decoding bug H.245 userInput Signal. Issue 18468.
  • CFDP dissector doesn’t handle "destination filename" only. Issue 18495.
  • Home page capture button doesn’t pop up capture options dialog. Issue 18506.
  • Missing dot in H.248 protocol name. Issue 18513.
  • Missing dot for protocol H.264 in protocol column. Issue 18524.
  • Fuzz job crash output: fuzz-2022-10-23-7240.pcap. Issue 18534.

New in Wireshark 4.0.0 (Oct 5, 2022)

  • What’s New:
  • We no longer ship official 32-bit Windows packages starting with this release. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779
  • The display filter syntax is more powerful with many new extensions. See below for details.
  • The Conversation and Endpoint dialogs have been redesigned. See below for details.
  • The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane.
  • Hex dump imports from Wireshark and from text2pcap have been improved. See below for details.
  • Speed when using MaxMind geolocation has been greatly improved.
  • The tools and libraries required to build Wireshark have changed. See “Other Development Changes” below for more details.
  • Many other improvements have been made. See the “New and Updated Features” section below for more details.
  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 4.0.0rc2:
  • Nothing of note.
  • The following features are new (or have been significantly updated) since version 4.0.0rc1:
  • The macOS packages now ship with Qt 6.2.4 and require macOS 10.14. They previously shipped with Qt 5.15.3.
  • The Windows installers now ship with Npcap 1.71. They previously shipped with Npcap 1.70.
  • The following features are new (or have been significantly updated) since version 3.7.2:
  • The Windows installers now ship with Npcap 1.70. They previously shipped with Npcap 1.60.
  • The following features are new (or have been significantly updated) since version 3.7.1:
  • The 'v' (lower case) and 'V' (upper case) switches have been swapped for editcap and mergecap to match the other command line utilities.
  • The ip.flags field is now only the three high bits, not the full byte. Display filters and Coloring rules using the field will need to be adjusted.
  • New address type AT_NUMERIC allows simple numeric addresses for protocols which do not have a more common-style address approach, analogous to AT_STRINGZ.
  • The following features are new (or have been significantly updated) since version 3.7.0:
  • The Windows installers now ship with Qt 6.2.3. They previously shipped with Qt 6.2.4.
  • The Conversation and Endpoint dialogs have been redesigned with the following improvements:
  • The context menu now includes the option to resize all columns, as well as copying elements.
  • Data may be exported as JSON.
  • Tabs may be detached and reattached from the dialog.
  • Adding and removing tabs will keep them in the same order all the time.
  • If a filter is applied, two columns are shown in either dialog detailing the difference between unmatched and matched packets.
  • Columns are now sorted via secondary properties if an identical entry is found.
  • Conversations are sorted via second address and first port number.
  • Endpoints are sorted via port numbers.
  • IPv6 addresses are sorted correctly after IPv4 addresses.
  • The dialog elements have been moved to make it easier to handle for new users.
  • Selection of tap elements is done via a list.
  • All configurations and options are done via a left side button row.
  • Columns for the Conversations and Endpoint dialogs can be hidden by a context menu.
  • TCP and UDP conversations now include the stream ID and allow filtering on it.
  • The following features are new (or have been significantly updated) since version 3.6.0:
  • The Windows installers now ship with Npcap 1.60. They previously shipped with Npcap 1.55.
  • The Windows installers now ship with Qt 6.2.4. They previously shipped with Qt 5.12.2.
  • The display filter syntax has been updated and enhanced:
  • A syntax to match a specific layer in the protocol stack has been added. For example in an IP-over-IP packet “ip.addr#1 == 1.1.1.1” matches the outer layer addresses and “ip.addr#2 == 1.1.1.2” matches the inner layer addresses.
  • Universal quantifiers "any" and "all" have been added to any relational operator. For example the expression "all tcp.port > 1024" is true if and only if all tcp.port fields match the condition. Previously only the default behaviour to return true if any one field matches was supported.
  • Field references, of the form ${some.field}, are now part of the syntax of display filters. Previously they were implemented as macros. The new implementation is more efficient and has the same properties as protocol fields, like matching on multiple values using quantifiers and support for layer filtering.
  • Arithmetic is supported for numeric fields with the usual operators “+”, “-”, “*”, “/”, and “%”. Arithmetic expressions must be grouped using curly brackets (not parentheses).
  • New display filter functions max(), min() and abs() have been added.
  • Functions can accept expressions as arguments, including other functions. Previously only protocol fields and slices were syntactically valid function arguments.
  • A new syntax to disambiguate literals from identifiers has been added. Every value with a leading dot is a protocol or protocol field. Every value in between angle brackets is a literal value. See the User’s Guide for details.
  • The "bitwise and" operator is now a first-class bit operator, not a boolean operator. In particular this means it is now possible to mask bits, e.g.: frame[0] & 0x0F == 3.
  • Dates and times can be given in UTC using ISO 8601 (with 'Z' timezone) or by appending the suffix "UTC" to the legacy formats. Otherwise local time is used.
  • Integer literal constants may be written in binary (in addition to decimal/octal/hexadecimal) using the prefix "0b" or "0B".
  • Logical AND now has higher precedence than logical OR, in line with most programming languages.
  • It is now possible to index protocol fields from the end using negative indexes. For example the following expression tests the last two bytes of the TCP protocol field: tcp[-2:] == AA:BB. This was a longstanding bug that has been fixed in this release.
  • Set elements must be separated using a comma, e.g.: {1, 2, "foo"}. Using only whitespace as a separator was deprecated in 3.6 and is now a syntax error.
  • Support for some additional character escape sequences in double quoted strings has been added. Along with octal (\<number>) and hex (\x<number>) encoding, the following C escape sequences are now supported with the same meaning: \a, \b, \f, \n, \r, \t, \v. Previously they were only supported with character constants.
  • Unicode universal character names are now supported with the escape sequences \uNNNN or \UNNNNNNNN, where N is a hexadecimal digit.
  • Unrecognized escape sequences are now treated as a syntax error. Previously they were treated as a literal character. In addition to the sequences indicated above, backslash, single quotation and double quotation mark are also valid sequences: \\, \', \".
  • A new strict equality operator "===" or "all_eq" has been added. The expression "a === b" is true if and only if all a’s are equal to b. The negation of "===" can now be written as "!==" (any_ne).
  • The aliases "any_eq" for "==" and "all_ne" for "!=" have been added.
  • The operator "~=" is deprecated and will be removed in a future version. Use "!==", which has the same meaning, instead.
  • Floats must be written with a leading and ending digit. For example the values ".7" and "7." are now invalid as floats. They must be written "0.7" and "7.0" respectively.
  • The display filter engine now uses PCRE2 instead of GRegex (GLib’s bindings to the older and end-of-life PCRE library). PCRE2 is compatible with PCRE so any user-visible changes should be minimal. Some exotic patterns may now be invalid and require rewriting.
  • Literal strings can handle embedded null bytes (the value '\0') correctly. This includes regular expression patterns. For example the double-quoted string "\0 is a null byte" is a legal literal value. This may be useful to match byte patterns but note that in general protocol fields with a string type still cannot contain embedded null bytes.
  • Booleans can be written as True/TRUE or False/FALSE. Previously they could only be written as 1 or 0.
  • It is now possible to test for the existence of a slice.
  • All integer sizes are now compatible. Unless overflow occurs any integer field can be compared with any other.
  • The text2pcap command and the “Import from Hex Dump” feature have been updated and enhanced:
  • text2pcap supports writing the output file in all the capture file formats that wiretap library supports, using the same -F option as editcap, mergecap, and tshark.
  • Consistent with the other command line tools like editcap, mergecap, tshark, and the "Import from Hex Dump" option within Wireshark, the default capture file format for text2pcap is now pcapng. The -n flag to select pcapng (instead of the previous default, pcap) has been deprecated and will be removed in a future release.
  • text2pcap supports selecting the encapsulation type of the output file format using the wiretap library short names with an -E option, similar to the -T option of editcap.
  • text2pcap has been updated to use the new logging output options and the -d flag has been removed. The "debug" log level corresponds to the old -d flag, and the "noisy" log level corresponds to using -d multiple times.
  • text2pcap and “Import from Hex Dump” support writing fake IP, TCP, UDP, and SCTP headers to files with Raw IP, Raw IPv4, and Raw IPv6 encapsulations, in addition to Ethernet encapsulation available in previous versions.
  • text2pcap supports scanning the input file using a custom regular expression, as supported in “Import from Hex Dump” in Wireshark 3.6.x.
  • In general, text2pcap and wireshark’s “Import from Hex Dump” have feature parity.
  • The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane.
  • The HTTP2 dissector now supports using fake headers to parse the DATAs of streams captured without first HEADERS frames of a long-lived stream (such as a gRPC streaming call which allows sending many request or response messages in one HTTP2 stream). Users can specify fake headers using an existing stream’s server port, stream id and direction.
  • The IEEE 802.11 dissector supports Mesh Connex (MCX).
  • The “Capture Options” dialog contains the same configuration icon as the Welcome Screen. It is now possible to configure interfaces there.
  • The “Extcap” dialog remembers password items during runtime, which makes it possible to run extcaps multiple times in a row without having to reenter the password each time. Passwords are never stored on disk.
  • It is possible to set extcap passwords in tshark and other CLI tools.
  • The extcap configuration dialog now supports and remembers empty strings. There are new buttons to reset values back to their defaults.
  • Support to display JSON mapping for Protobuf message has been added.
  • macOS debugging symbols are now shipped in separate packages, similar to Windows packages.
  • In the ZigBee ZCL Messaging dissector the zbee_zcl_se.msg.msg_ctrl.depreciated field has been renamed to zbee_zcl_se.msg.msg_ctrl.deprecated.
  • The interface list on the welcome page sorts active interfaces first and only displays sparklines for active interfaces. Additionally, the interfaces can now be hidden and shown via the context menu in the interface list.
  • The Event Tracing for Windows (ETW) file reader now supports displaying IP packets from an event trace logfile or an event trace live session.
  • ciscodump now supports IOS, IOS-XE and ASA remote capturing.
  • Removed Features and Support:
  • The CMake options starting with DISABLE_something were renamed ENABLE_something for consistency. For example DISABLE_WERROR=On became ENABLE_WERROR=Off. The default values are unchanged.
  • New Protocol Support:
  • Allied Telesis Loop Detection (AT LDF), AUTOSAR I-PDU Multiplexer (AUTOSAR I-PduM), DTN Bundle Protocol Security (BPSec), DTN Bundle Protocol Version 7 (BPv7), DTN TCP Convergence Layer Protocol (TCPCL), DVB Selection Information Table (DVB SIT), Enhanced Cash Trading Interface 10.0 (XTI), Enhanced Order Book Interface 10.0 (EOBI), Enhanced Trading Interface 10.0 (ETI), FiveCo’s Legacy Register Access Protocol (5co-legacy), Generic Data Transfer Protocol (GDT), gRPC Web (gRPC-Web), Host IP Configuration Protocol (HICP), Huawei GRE bonding (GREbond), Locamation Interface Module (IDENT, CALIBRATION, SAMPLES - IM1, SAMPLES - IM2R0), Mesh Connex (MCX), Microsoft Cluster Remote Control Protocol (RCP), Open Control Protocol for OCA/AES70 (OCP.1), Protected Extensible Authentication Protocol (PEAP), Realtek, REdis Serialization Protocol v2 (RESP), Roon Discovery (RoonDisco), Secure File Transfer Protocol (sftp), Secure Host IP Configuration Protocol (SHICP), SSH File Transfer Protocol (SFTP), USB Attached SCSI (UASP), and ZBOSS Network Coprocessor product (ZB NCP)
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • There is no new or updated capture file support in this release.
  • Major API Changes:
  • proto.h: The field display types "STR_ASCII" and "STR_UNICODE" have been removed. Use "BASE_NONE" instead.
  • proto.h: The field display types for floats have been extended and refactored. The type BASE_FLOAT has been removed. Use BASE_NONE instead. New display types for floats are BASE_DEC, BASE_HEX, BASE_EXP and BASE_CUSTOM.
  • The Wireshark Lua API now uses the lrexlib bindings to PCRE2. Code using the Lua GRegex module will have to be updated to use lrexlib-pcre2 instead. In most cases the API should be compatible and the conversion just requires a module name change.
  • The tap registration system has been updated and the list of arguments for tap_packet_cb has changed. All taps registered through register_tap_listener have to be updated.
  • Other Development Changes:
  • The PCRE2 library is now required to build Wireshark.
  • You must now have a compiler with C11 support in order to build Wireshark.
  • The following libraries and tools have had their minimum required version increased:
  • CMake 3.10 is required on macOS and Linux.
  • Qt version 5.12 (was 5.6.0), although compilation with 5.10 and 5.11 is still possible, but will trigger a warning during configuration.
  • Windows SDK 10.0.18362.0 is required due to issues with C11 support.
  • macOS version 10.11 to 10.14 (was 10.8) is required depending on the version of Qt:
  • Qt 5.10 or higher requires macOS version 10.11
  • Qt 5.12 or higher requires macOS version 10.12
  • Qt 5.14 or higher requires macOS version 10.13
  • Qt 6.0 or higher requires macOS version 10.14
  • GLib version 2.50.0 (was 2.38.0) is required.
  • Libgcrypt version 1.8.0 (was 1.5.0) is required.
  • c-ares version 1.13.0 (was 1.5.0).
  • Python version 3.6.0 (was 3.4.0).
  • GnuTLS version 3.5.8 (was 3.3.0).
  • Nghttp2 minimum version has been set to 1.11.0 (none previous).
  • Perl is no longer required to build Wireshark, but may be required to build some source code files and run code analysis checks.

New in Wireshark 3.6.8 (Sep 8, 2022)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2022-06 F5 Ethernet Trailer dissector infinite loop. Issue 18307.
  • The following bugs have been fixed:
  • TCAP Malformed exception on externally re-assembled packet Issue 10515.
  • Extended 3GPP-GPRS-Negotiated-QoS-profile strings decoded incompletely Issue 10688.
  • HTTP2 dissector decodes first SSL record only Issue 11173.
  • L2TP improvements - cookie length detection, UDP encapsulation and more Issue 16565.
  • USB Truncation of URB_isochronous in frames Issue 18021.
  • ISUP/BICC parameter summary text duplication Issue 18094.
  • Running rpm-setup.sh shows missing packages that Centos does not need Issue 18166.
  • IPX/IPX RIP: Crash on expand subtree Issue 18234.
  • Qt: A file or packet comment that is too large will corrupt the pcapng file Issue 18235.
  • BGP dissector bug Issue 18248.
  • Wrong interpretation of the cbsp.rep_period field in epan/dissectors/packet-gsm_cbsp.c Issue 18254.
  • Assertion due to incorrect mask for btatt.battery_power_state.* Issue 18267.
  • Qt: Expert Info dialog not showing Malformed Frame when Frame length is less than captured length Issue 18312.
  • Wireshark and tshark become non-responsive when reading certain packets Issue 18313.
  • Updated Protocol Support:
  • BGP, BICC, BT ATT, CBSP, Couchbase, F5 Ethernet Trailer, Frame, GTP, GTP (prime), IPsec, ISUP, L2TP, NAS-5GS, Protobuf, SCCP, TCP, and TLS
  • New and Updated Capture File Support:
  • pcap, pcapng

New in Wireshark 3.7.2 Dev (Jul 28, 2022)

  • What’s New:
  • The context menu now includes the option to resize all columns, as well as copying elements.
  • Data may be exported as JSON.
  • Tabs may be detached and reattached from the dialog.
  • Adding/Removing tabs will keep them in the same order all the time.
  • If a filter is applied, two columns are shown in either dialog detailing the difference between unmatched and matched packets.
  • Columns are now sorted via secondary properties if an identical entry is found.
  • Conversations will be sorted via second address and first port number.
  • Endpoints will be sorted via port numbers.
  • IPv6 addresses are sorted correctly after IPv4 addresses.
  • The dialog elements have been moved to make it easier to handle for new users.
  • Selection of tap elements is done via list.
  • All configurations and options are done via a left side button row.
  • Columns for the Conversations and Endpoint dialogs can be hidden by context menu.
  • TCP/UDP conversations now include the stream id and allow filtering on it.
  • The ip.flags field is now only the three high bits, not the full byte. Display filters and Coloring rules using the field will need to be adjusted.
  • Speed when using MaxMind geolocation has been greatly improved.
  • The 'v' (lower case) and 'V' (upper case) switches have been swapped for editcap and mergecap to match the other command line utilities.
  • New address type AT_NUMERIC allows simple numeric addresses for protocols which do not have a more common-style address approach, analogous to AT_STRINGZ.
  • The Wireshark Lua API now uses the lrexlib bindings to PCRE2. Code using the Lua GRegex module will have to be updated to use lrexlib-pcre2 instead. In most cases the API should be compatible and the conversion just requires a module name change.
  • The tap registration system has been updated and the list of arguments for tap_packet_cb has changed. All taps registered through register_tap_listener have to be updated.
  • The PCRE2 library is now a required dependency to build Wireshark.
  • You must now have a compiler with C11 support in order to build Wireshark.
  • The following libraries and tools have had their minimum required version increased:
  • CMake 3.10 is required on macOS and Linux.
  • Qt version 5.12 (was 5.6.0), although compilation with 5.10 and 5.11 is still possible, but will trigger a warning during configuration.
  • Windows SDK 10.0.18362.0 is required due to issues with C11 support.
  • GLib version 2.50.0 (was 2.38.0) is required.
  • Libgcrypt version 1.8.0 (was 1.5.0) is required.
  • C-ares version 1.14.0 (was 1.5.0).
  • Python version 3.6.0 (was 3.4.0).
  • GnuTLS version 3.5.8 (was 3.3.0).
  • Nghttp2 minimum version has been set to 1.11.0 (none previous).
  • For building with Qt on macOS, the following versions are required depending on the Qt version to be used:
  • Qt 5.10 or higher requires macOS version 10.11
  • Qt 5.12 or higher requires macOS version 10.12
  • Qt 5.14 or higher requires macOS version 10.13
  • Qt 6.0 or higher requires macOS version 10.14
  • Perl is no longer required to build Wireshark, but may be required to build some source code files and run code analysis checks.
  • Many other improvements have been made. See the “New and Updated Features” section below for more details.
  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 3.7.0:
  • The Windows installers now ship with Qt 6.2.3. They previously shipped with Qt 6.2.4.
  • The Conversation and Endpoint dialogs have been reworked extensively
  • The following features are new (or have been significantly updated) since version 3.6.0:
  • The Windows installers now ship with Npcap 1.60. They previously shipped with Npcap 1.55.
  • The Windows installers now ship with Qt 6.2.4. They previously shipped with Qt 5.12.2.
  • The display filter syntax has been updated and enhanced:
  • A syntax to match a specific layer in the protocol stack has been added. For example in an IP-over-IP packet “ip.addr#1 == 1.1.1.1” matches the outer layer addresses and “ip.addr#2 == 1.1.1.2” matches the inner layer addresses.
  • Universal quantifiers "any" and "all" have been added to any relational operator. For example the expression all tcp.port > 1024 is true if and only if all tcp.port fields match the condition. Previously only the default behaviour to return true if any one field matches was supported.
  • Field references, of the form ${some.field}, are now part of the syntax of display filters. Previously they were implemented as macros. The new implementation is more efficient and has the same properties as protocol fields, like matching on multiple values using quantifiers and support for layer filtering.
  • Arithmetic is supported for numeric fields with the usual operators “+”, “-”, “*”, “/”, and “%”. Arithmetic expressions must be grouped using curly brackets (not parentheses).
  • New display filter functions max(), min() and abs() have been added.
  • Functions can accept expressions as arguments, including other functions. Previously only protocol fields and slices were syntactically valid function arguments.
  • A new syntax to disambiguate literals from identifiers has been added. Every value with a leading dot is a protocol or protocol field. Every value in between angle brackets is a literal value. See the User’s Guide for details.
  • The "bitwise and" operator is now a first-class bit operator, not a boolean operator. In particular this means it is now possible to mask bits, e.g.: frame[0] & 0x0F == 3.
  • Dates and times can be given in UTC using ISO 8601 (with 'Z' timezone) or by appending the suffix "UTC" to the legacy formats. Otherwise local time is used.
  • Integer literal constants may be written in binary (in addition to decimal/octal/hexadecimal) using the prefix "0b" or "0B".
  • Logical AND now has higher precedence than logical OR, in line with most programming languages.
  • It is now possible to index protocol fields from the end using negative indexes. For example the following expression tests the last two bytes of the TCP protocol field: tcp[-2:] == AA:BB. This was a longstanding bug that has been fixed in this release.
  • Set elements must be separated using a comma, e.g: {1, 2, "foo"}. Using only whitespace as a separator was deprecated in 3.6 and is now a syntax error.
  • Support for some additional character escape sequences in double quoted strings has been added. Along with octal (\<number>) and hex (\x<number>) encoding, the following C escape sequences are now supported with the same meaning: \a, \b, \f, \n, \r, \t, \v. Previously they were only supported with character constants.
  • Unicode universal character names are now supported with the escape sequences \uNNNN or \UNNNNNNNN, where N is a hexadecimal digit.
  • Unrecognized escape sequences are now treated as a syntax error. Previously they were treated as a literal character. In addition to the sequences indicated above, backslash, single quotation and double quotation mark are also valid sequences: \\, \', \".
  • A new strict equality operator "===" or "all_eq" has been added. The expression "a === b" is true if and only if all a’s are equal to b. The negation of "===" can now be written as "!==" (any_ne).
  • The aliases "any_eq" for "==" and "all_ne" for "!=" have been added.
  • The operator "~=" is deprecated and will be removed in a future version. Use "!==", which has the same meaning instead.
  • Floats must be written with a leading and ending digit. For example the values ".7" and "7." are now invalid as floats. They must be written "0.7" and "7.0" respectively.
  • The display filter engine now uses PCRE2 instead of GRegex (GLib’s bindings to the older and end-of-life PCRE library). PCRE2 is compatible with PCRE so any user-visible changes should be minimal. Some exotic patterns may now be invalid and require rewriting.
  • Literal strings can handle embedded null bytes (the value '\0') correctly. This includes regular expression patterns. For example the double-quoted string "\0 is a null byte" is a legal literal value. This may be useful to match byte patterns but note that in general protocol fields with a string type still cannot contain embedded null bytes.
  • Booleans can be written as True/TRUE or False/FALSE. Previously they could only be written as 1 or 0.
  • It is now possible to test for the existence of a slice.
  • All integer sizes are now compatible. Unless overflow occurs any integer field can be compared with any other.
  • The text2pcap command and the “Import from Hex Dump” feature have been updated and enhanced:
  • Text2pcap supports writing the output file in all the capture file formats that wiretap library supports, using the same -F option as editcap, mergecap, and tshark.
  • Consistent with the other command line tools like editcap, mergecap, tshark, and the "Import from Hex Dump" option within Wireshark, the default capture file format for text2pcap is now pcapng. The -n flag to select pcapng (instead of the previous default, pcap) has been deprecated and will be removed in a future release.
  • Text2pcap supports selecting the encapsulation type of the output file format using the wiretap library short names with an -E option, similar to the -T option of editcap.
  • Text2pcap has been updated to use the new logging output options and the -d flag has been removed. The "debug" log level corresponds to the old -d flag, and the "noisy" log level corresponds to using -d multiple times.
  • Text2pcap and “Import from Hex Dump” support writing fake IP, TCP, UDP, and SCTP headers to files with Raw IP, Raw IPv4, and Raw IPv6 encapsulations, in addition to Ethernet encapsulation available in previous versions.
  • Text2pcap supports scanning the input file using a custom regular expression, as supported in “Import from Hex Dump” in Wireshark 3.6.x.
  • In general, text2pcap and wireshark’s “Import from Hex Dump” have feature parity.
  • The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane.
  • The HTTP2 dissector now supports using fake headers to parse the DATAs of streams captured without first HEADERS frames of a long-lived stream (such as a gRPC streaming call which allows sending many request or response messages in one HTTP2 stream). Users can specify fake headers using an existing stream’s server port, stream id and direction.
  • The IEEE 802.11 dissector supports Mesh Connex (MCX).
  • The “Capture Options” dialog contains the same configuration icon as the Welcome Screen. It is now possible to configure interfaces there.
  • The “Extcap” dialog remembers password items during runtime, which makes it possible to run extcaps multiple times in row without having to reenter the password each time. Passwords are never stored on disk.
  • It is possible to set extcap passwords in tshark and other CLI tools.
  • The extcap configuration dialog now supports and remembers empty strings. There are new buttons to reset values back to their defaults.
  • Support to display JSON mapping for Protobuf message has been added.
  • In the ZigBee ZCL Messaging dissector the zbee_zcl_se.msg.msg_ctrl.depreciated field has been renamed to zbee_zcl_se.msg.msg_ctrl.deprecated
  • The interface list on the welcome page sorts active interfaces first and only displays sparklines for active interfaces. Additionally, the interfaces can now be hidden and shown via the context menu in the interface list
  • The Event Tracing for Windows (ETW) file reader now supports displaying IP packets from an event trace logfile or an event trace live session.
  • Ciscodump now supports IOS, IOS-XE and ASA remote capturing
  • Removed Features and Support:
  • The CMake options starting with DISABLE_something were renamed ENABLE_something for consistency. For example DISABLE_WERROR=On became ENABLE_WERROR=Off. The default values are unchanged.
  • New Protocol Support:
  • Allied Telesis Loop Detection (AT LDF), AUTOSAR I-PDU Multiplexer (AUTOSAR I-PduM), DTN Bundle Protocol Security (BPSec), DTN Bundle Protocol Version 7 (BPv7), DTN TCP Convergence Layer Protocol (TCPCL), DVB Selection Information Table (DVB SIT), Enhanced Cash Trading Interface 10.0 (XTI), Enhanced Order Book Interface 10.0 (EOBI), Enhanced Trading Interface 10.0 (ETI), FiveCo’s Legacy Register Access Protocol (5co-legacy), Generic Data Transfer Protocol (GDT), gRPC Web (gRPC-Web), Host IP Configuration Protocol (HICP), Locamation Interface Module (IDENT, CALIBRATION, SAMPLES - IM1), Mesh Connex (MCX), Microsoft Cluster Remote Control Protocol (RCP), Protected Extensible Authentication Protocol (PEAP), Realtek, REdis Serialization Protocol v2 (RESP), Roon Discovery (RoonDisco), Secure File Transfer Protocol (sftp), Secure Host IP Configuration Protocol (SHICP), SSH File Transfer Protocol (SFTP), USB Attached SCSI (UASP), and ZBOSS NCP
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • Major API Changes:
  • proto.h: The field display types "STR_ASCII" and "STR_UNICODE" have been removed. Use "BASE_NONE" instead.
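
The quantifier semantics behind "==", "!=", "===" and "!==" from the display filter notes above, modeled in Python as an added example (this is not Wireshark code). The packets and helper names are constructed for illustration, and packets that lack the field are deliberately left out of the model.

```python
"""Model of display-filter comparison quantifiers on multi-value fields.

Added illustration, not Wireshark code. All packets are constructed samples.
"""

# Each constructed packet maps a field name to every value the field takes in
# that packet; ip.addr carries both the source and the destination address.
PACKETS = {
    "to_host":   {"ip.addr": ["10.0.0.5", "1.1.1.1"]},
    "from_host": {"ip.addr": ["1.1.1.1", "10.0.0.5"]},
    "unrelated": {"ip.addr": ["10.0.0.5", "10.0.0.9"]},
    "same_host": {"ip.addr": ["1.1.1.1", "1.1.1.1"]},
}


def any_eq(values, literal):
    """'==' (alias any_eq): true if at least one value equals the literal."""
    return any(v == literal for v in values)


def all_ne(values, literal):
    """'!=' (alias all_ne): true only if no value equals the literal."""
    return all(v != literal for v in values)


def all_eq(values, literal):
    """'===' (alias all_eq): true only if every value equals the literal."""
    return all(v == literal for v in values)


def any_ne(values, literal):
    """'!==' (alias any_ne, deprecated spelling '~='): some value differs."""
    return any(v != literal for v in values)


OPERATORS = {
    "==": any_eq, "any_eq": any_eq,
    "!=": all_ne, "all_ne": all_ne,
    "===": all_eq, "all_eq": all_eq,
    "!==": any_ne, "any_ne": any_ne, "~=": any_ne,
}


def matches(packet, field, op, literal):
    """Evaluate `field op literal` against one packet of the model."""
    values = packet.get(field, [])
    if not values:
        # Assumption of this model: absent fields are not handled here.
        raise ValueError(f"{field} is absent; outside the scope of this model")
    return OPERATORS[op](values, literal)


def select(field, op, literal):
    """Names of the constructed packets that the expression matches."""
    return sorted(name for name, pkt in PACKETS.items()
                  if matches(pkt, field, op, literal))


def contradictory(field, literal, ne_op):
    """Packets where both `field == literal` and `field <ne_op> literal` hold."""
    return sorted(name for name, pkt in PACKETS.items()
                  if matches(pkt, field, "==", literal)
                  and matches(pkt, field, ne_op, literal))


if __name__ == "__main__":
    for op in ("==", "!=", "===", "!=="):
        print(f"ip.addr {op:<3} 1.1.1.1 ->", select("ip.addr", op, "1.1.1.1"))
    # An exclusion filter written with any_ne still passes traffic to and
    # from the host it was meant to hide; all_ne ("!=") does not.
    print("== and !=  both true:", contradictory("ip.addr", "1.1.1.1", "!="))
    print("== and !== both true:", contradictory("ip.addr", "1.1.1.1", "!=="))
```

Saved filters and coloring rules that exclude a host should be checked against the "!=" (all_ne) row: only that operator removes every packet touching the address.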

New in Wireshark 3.6.7 (Jul 27, 2022)

  • What’s New:
  • This is the last release branch with support for 32-bit Windows. Updates will no longer be available after May 22, 2024 for that platform. Issue 17779
  • The following bugs have been fixed:
  • Multiple Files preference "Create new file automatically…after" [time] working incorrectly Issue 16783.
  • get_filter Lua function doesn’t return the filter Issue 17188.
  • Dissector bug, protocol HTTP failed assertion "saved_layers_len < 500" with chunked/multipart Issue 18130.
  • Wrong EtherCAT bit label (possible dissector bug) Issue 18132.
  • UDP packets falsely marked as "malformed packet" Issue 18136.
  • TLS certificate parser with filter crash Issue 18155.
  • Incorrect type for the IEC 60870 APDU appears in packet details pane Issue 18167.
  • NHRP Problem Issue 18181.
  • EtherCAT CoE header unknown type Issue 18220.
  • New and Updated Features:
  • Updated Protocol Support:
  • BGP, DTLS, EtherCAT, EtherCAT Mailbox, HTTP, IEC 104, MEGACO, NHRP, PPPoE, QUIC, RTCP, Signal PDU, SOME/IP, and X509IF

New in Wireshark 3.6.6 (Jun 16, 2022)

  • Bug Fixes:
  • The following bugs have been fixed:
  • TLS: RSA decryption fails with Extended Master Secret and renegotiation Issue 18059.
  • "dfilter" file on Windows adds carriage returns, and requires line feeds Issue 18082.
  • Npcap bundled version needs a bump to v1.60 for Windows 11 compatibility Issue 18084.
  • "Browse" button in Prefs/Name Resolution/MaxMind crashes Wireshark on macOS Issue 18088.
  • TFTP: some packets are not recognized as TFTP packets with 3.6.5 Issue 18122.
  • Updated Protocol Support:
  • DTLS, F5 Capture Information, F5 Ethernet Trailer, FlexRay, MBIM, TFTP, TLS, and ZigBee ZCL

New in Wireshark 3.7.0 Dev (May 11, 2022)

  • What’s New:
  • We do not ship official 32-bit Windows packages for this branch. If you need to use Wireshark on that platform, please install the latest 3.6 release. Issue 17779
  • The PCRE2 library (https://www.pcre.org/) is now a required dependency to build Wireshark.
  • You must now have a compiler with C11 support in order to build Wireshark.
  • New and Updated Features
  • The following features are new (or have been significantly updated) since version 3.6.0:
  • The Windows installers now ship with Npcap 1.60. They previously shipped with Npcap 1.55.
  • The display filter syntax has been updated and enhanced:
  • Syntax to match a specific layer in the protocol stack has been added. For example “ip.addr#2 == 1.1.1.1” matches only the inner layer in an IP-over-IP packet.
  • Set elements must be separated using a comma, e.g: {1, 2, "foo"}. Using only whitespace as a separator was deprecated in 3.6 and is now a syntax error.
  • Support for some additional character escape sequences in double quoted strings has been added. Along with octal (\<number>) and hex (\x<number>) encoding, the following C escape sequences are now supported with the same meaning: \a, \b, \f, \n, \r, \t, \v. Previously they were only supported with character constants.
  • Unrecognized escape sequences are now treated as a syntax error. Previously they were treated as a literal character. In addition to the sequences indicated above, backslash, single quotation and double quotation mark are also valid sequences: \\, \', \".
  • The display filter engine now uses PCRE2 instead of GRegex (GLib’s bindings to the older and end-of-life PCRE library). PCRE2 is compatible with PCRE so any user-visible changes should be minimal. Some exotic patterns may now be invalid and require rewriting.
  • A new strict equality operator "===" or "all_eq" has been added. The expression "a === b" is true if and only if all a’s are equal to b. The negation of "===" can now be written as "!==" (any_ne).
  • The aliases "any_eq" for "==" and "all_ne" for "!=" have been added.
  • The operator "~=" is deprecated and will be removed in a future version. Use "!==", which has the same meaning instead.
  • Dates and times can be given in UTC using ISO 8601 (with 'Z' timezone) or by appending the suffix "UTC" to the legacy formats. Otherwise local time is used.
  • Integer literal constants may be written in binary (in addition to decimal/octal/hexadecimal) using the prefix "0b" or "0B".
  • A new syntax to disambiguate literals from identifiers has been added. Every value with a leading dot is a protocol or protocol field. Every value with a leading colon or in between angle brackets is a literal value. See the User’s Guide for details.
  • Floats must be written with a leading and ending digit. For example the values ".7" and "7." are now invalid as floats. They must be written "0.7" and "7.0" respectively.
  • The "bitwise and" operator is now a first-class bit operator, not a boolean operator. In particular this means it is now possible to mask bits, e.g.: frame[0] & 0x0F == 3.
  • Arithmetic is supported for numeric fields with the usual operators “+”, “-”, “*”, “/”, and “%”. Arithmetic expressions must be grouped using curly brackets (not parentheses).
  • Logical AND now has higher precedence than logical OR, in line with most programming languages.
  • New display filter functions max(), min() and abs() have been added.
  • Functions can accept expressions as arguments, including other functions. Previously only protocol fields and slices were syntactically valid function arguments.
  • The text2pcap command and the “Import from Hex Dump” feature have been updated and enhanced:
  • Text2pcap supports writing the output file in all the capture file formats that wiretap library supports, using the same -F option as editcap, mergecap, and tshark.
  • Text2pcap supports selecting the encapsulation type of the output file format using the wiretap library short names with an -E option, similar to the -T option of editcap.
  • Text2pcap has been updated to use the new logging output options and the -d flag has been removed. The "debug" log level corresponds to the old -d flag, and the "noisy" log level corresponds to using -d multiple times.
  • Text2pcap and “Import from Hex Dump” support writing fake IP, TCP, UDP, and SCTP headers to files with Raw IP, Raw IPv4, and Raw IPv6 encapsulations, in addition to Ethernet encapsulation available in previous versions.
  • Text2pcap supports scanning the input file using a custom regular expression, as supported in “Import from Hex Dump” in Wireshark 3.6.x.
  • In general, text2pcap and wireshark’s “Import from Hex Dump” have feature parity.
  • The HTTP2 dissector now supports using fake headers to parse the DATAs of streams captured without first HEADERS frames of a long-lived stream (such as a gRPC streaming call which allows sending many request or response messages in one HTTP2 stream). Users can specify fake headers using an existing stream’s server port, stream id and direction.
  • The IEEE 802.11 dissector supports Mesh Connex (MCX).
  • The “Capture Options” dialog contains the same configuration icon as the Welcome Screen. It is now possible to configure interfaces there.
  • The “Extcap” dialog remembers password items during runtime, which makes it possible to run extcaps multiple times in row. Passwords are never stored on disk.
  • It is possible to set extcap passwords in tshark and other CLI tools.
  • The extcap configuration dialog now supports and remembers empty strings. There are new buttons to reset values back to their defaults.
  • Support to display JSON mapping for Protobuf message has been added.
  • macOS debugging symbols are now shipped in separate packages, similar to Windows packages.
  • In the ZigBee ZCL Messaging dissector the zbee_zcl_se.msg.msg_ctrl.depreciated field has been renamed to zbee_zcl_se.msg.msg_ctrl.deprecated
  • The interface list on the welcome page sorts active interfaces first and only displays sparklines for active interfaces. Additionally, the interfaces can now be hidden and shown via the context menu in the interface list
  • The Event Tracing for Windows (ETW) file reader now supports displaying IP packets from an event trace logfile or an event trace live session.
  • Removed Features and Support:
  • The CMake options starting with DISABLE_something were renamed ENABLE_something for consistency. For example DISABLE_WERROR=On became ENABLE_WERROR=Off. The default values are unchanged.
  • New Protocol Support:
  • Allied Telesis Loop Detection (AT LDF), AUTOSAR I-PDU Multiplexer (AUTOSAR I-PduM), DTN Bundle Protocol Security (BPSec), DTN Bundle Protocol Version 7 (BPv7), DTN TCP Convergence Layer Protocol (TCPCL), DVB Selection Information Table (DVB SIT), Enhanced Cash Trading Interface 10.0 (XTI), Enhanced Order Book Interface 10.0 (EOBI), Enhanced Trading Interface 10.0 (ETI), FiveCo’s Legacy Register Access Protocol (5co-legacy), Generic Data Transfer Protocol (GDT), gRPC Web (gRPC-Web), Host IP Configuration Protocol (HICP), Mesh Connex (MCX), Microsoft Cluster Remote Control Protocol (RCP), Realtek, REdis Serialization Protocol v2 (RESP), Secure File Transfer Protocol (sftp), Secure Host IP Configuration Protocol (SHICP), USB Attached SCSI (UASP), and ZBOSS NCP
  • Updated Protocol Support
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • Major API Changes:
  • proto.h: The field display types "STR_ASCII" and "STR_UNICODE" have been removed. Use "BASE_NONE" instead.

New in Wireshark 3.6.5 (May 5, 2022)

  • Bug Fixes:
  • This release fixes an installation issue on Windows which was introduced in the 3.6.4 release.

New in Wireshark 3.6.4 (May 4, 2022)

  • The following bugs have been fixed:
  • Build failure with GCC 7.5, Linux Issue 17911.
  • RDP dissected as SSL Issue 17952.
  • IPFIX/cflow dissector asserts when varlen field length is zero Issue 18010.
  • 802.11ax HE PHY "Device Class" dissected incorrectly Issue 18030.
  • DHCPv6 Option 15 User-Class incorrectly parsed in Wireshark Issue 18032.
  • ICMPv6 dissector: PREF64 option parsing only works for prefix length 96 Issue 18033.
  • Switch macOS updater to Sparkle 2 Issue 18035.
  • CQL timestamp dissector displays the wrong timestamp Issue 18038.
  • Unable to dissect 802.11ax Target Wake Time (TWT) packets Issue 18050.

New in Wireshark 3.6.3 (Mar 23, 2022)

  • What’s New:
  • The following bugs have been fixed:
  • Fuzz job crash output: fuzz-2022-01-19-7399.pcap Issue 17894.
  • TLS dissector incorrectly reports JA3 values Issue 17942.
  • "Wiki Protocol page" in packet details menu is broken - wiki pages not migrated to GitLab? Issue 17944.
  • Dissector bug, protocol PFCP display Flow Description IE value error in Additional Flow Description of PFD Management Request Message Issue 17951.
  • Bluetooth: Fails to open Log file for SCO connection Issue 17964.
  • Fuzz job crash output: fuzz-2022-03-07-10896.pcap Issue 17984.
  • libwiretap: Save as ERF causes segmentation fault Issue 17989.
  • HTTP server returning multiple early hints shows too many responses in "Follow HTTP Stream" Issue 18006.
  • Updated Protocol Support:
  • CSN.1, HTTP, IEEE 802.11, NTLM SSP, PFCP, PKTLOG, SSDP, TLS, and USB HID
  • New and Updated Capture File Support:
  • pcap and pcapng

New in Wireshark 3.6.2 (Feb 11, 2022)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2022-01 RTMPT dissector infinite loop. Issue 17813.
  • wnpa-sec-2022-02 Large loops in multiple dissectors. Issue 17829, Issue 17842, Issue 17847, Issue 17855, Issue 17891, Issue 17925, Issue 17926, Issue 17931, Issue 17932, Issue 17933.
  • wnpa-sec-2022-03 PVFS dissector crash. Issue 17840.
  • wnpa-sec-2022-04 CSN.1 dissector crash. Issue 17882.
  • wnpa-sec-2022-05 CMS dissector crash. Issue 17935.
  • The following bugs have been fixed:
  • Support for GSM SMS TPDU in HTTP2 body Issue 17784.
  • Wireshark 3.6.1 broke the ABI by removing ws_log_default_writer from libwsutil Issue 17822.
  • Fedora RPM package build failing with RPATH of /usr/local/lib64 Issue 17830.
  • macos-setup.sh: ftp.pcre.org no longer exists Issue 17834.
  • nmap.org/npcap → npcap.com: domain/URL change Issue 17838.
  • MPLS ECHO FEC stack change TLV not dissected correctly Issue 17868.
  • Attempting to open a systemd journal export file segfaults Issue 17875.
  • Dissector bug on 802.11ac packets Issue 17878.
  • The Info column shows only one NGAP/S1AP packet of several packets inside an SCTP packet Issue 17886.
  • Uninstalling Wireshark 3.6.1 on Windows 10 fails to remove the installation directory because it doesn’t remove the User’s Guide subdirectory and all its contents. Issue 17898.
  • 3.6 doesn’t build without zlib Issue 17899.
  • SIP Statistics no longer properly reporting method type accounting Issue 17904.
  • Fuzz job crash output: fuzz-2022-01-26-6940.pcap Issue 17909.
  • SCTP retransmission detection broken for the first data chunk of each association with relative TSN Issue 17917.
  • “Show In Folder” doesn’t work correctly for filenames with spaces Issue 17927.
  • New and Updated Features
  • New Protocol Support
  • There are no new protocols in this release.
  • Updated Protocol Support
  • AMP, ASN.1 PER, ATN-ULCS, BGP, BP, CFLOW, CMS, CSN.1, GDSDB, GSM RP, GTP, HTTP3, IEEE 802.11 Radiotap, IPDC, ISAKMP, Kafka, MP2T, MPEG PES, MPEG SECT, MPLS ECHO, NGAP, NTLMSSP, OpenFlow 1.4, OpenFlow 1.5, P_MUL, PN-RT, PROXY, PTP, PVFS, RSL, RTMPT, rtnetlink, S1AP, SCTP, Signal PDU, SIP, TDS, USB, WAP, and ZigBee ZCL
  • New and Updated Capture File Support:
  • BLF and libpcap
  • New File Format Decoding Support:
  • There is no new or updated file format support in this release.

New in Wireshark 3.6.1 (Dec 29, 2021)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2021-17 RTMPT dissector infinite loop. Issue 17745. CVE-2021-4185.
  • wnpa-sec-2021-18 BitTorrent DHT dissector infinite loop. Issue 17754. CVE-2021-4184.
  • wnpa-sec-2021-19 pcapng file parser crash. Issue 17755. CVE-2021-4183.
  • wnpa-sec-2021-20 RFC 7468 file parser infinite loop. Issue 17801. CVE-2021-4182.
  • wnpa-sec-2021-21 Sysdig Event dissector crash. CVE-2021-4181.
  • wnpa-sec-2021-22 Kafka dissector infinite loop. Issue 17811.
  • The following bugs have been fixed:
  • Allow sub-second timestamps in hexdumps Issue 15562.
  • GRPC: An unnecessary empty Protobuf tree item is displayed if the GRPC message body length is 0 Issue 17675.
  • Can’t install "ChmodBPF.pkg" or "Add Wireshark to the system path.pkg" on M1 MacBook Air Monterey without Rosetta 2 Issue 17757.
  • TECMP: LIN Payload is cut off by 1 byte Issue 17760.
  • Wireshark crashes if a 64 bit field of type BASE_CUSTOM is applied as a column Issue 17762.
  • Command line option "-o console.log.level" causes wireshark and tshark to exit on start Issue 17763.
  • Setting WIRESHARK_LOG_LEVEL=debug breaks interface capture Issue 17764.
  • Unable to build without tshark Issue 17766.
  • IEEE 802.11 action frames are not getting parsed and always seen as malformed Issue 17767.
  • IEC 60870-5-101 link address field is 1 byte, but should have configurable length of 0,1 or 2 bytes Issue 17775.
  • dfilter: 'tcp.port not in {1}' crashes Wireshark Issue 17785.
  • New and Updated Features:
  • The 'console.log.level' preference was removed in Wireshark 3.6.0. This release adds an '-o console.log.level:' backward-compatibility option on the CLI that maps to the new logging sub-system. Note that this does not have bitmask semantics and does not correspond to any actual preference. It is just a transition mechanism for users that were relying on this CLI option and will be removed in the future. To see the new diagnostic output options consult the manpages or the output of '--help'.
  • Updated Protocol Support:
  • ANSI A I/F, AT, BitTorrent DHT, FF, GRPC, IEC 101/104, IEEE 802.11, IEEE 802.11 Radiotap, IPsec, Kafka, QUIC, RTMPT, RTSP, SRVLOC, Sysdig Event, and TECMP
  • New and Updated Capture File Support:
  • BLF and RFC 7468

New in Wireshark 3.6.0 (Nov 23, 2021)

  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 3.6.0rc3:
  • The macOS Intel packages now ship with Qt 5.15.3 and require macOS 10.13 or later.
  • The following features are new (or have been significantly updated) since version 3.6.0rc2:
  • Display filter set elements must now be comma-separated. See below for more details.
  • The following features are new (or have been significantly updated) since version 3.6.0rc1:
  • The display filter expression “a != b” now has the same meaning as “!(a == b)”.
  • The following features are new (or have been significantly updated) since version 3.4.0:
  • Several changes have been made to the display filter syntax:
  • The expression “a != b” now always has the same meaning as “!(a == b)”. In particular this means filter expressions with multi-value fields like “ip.addr != 1.1.1.1” will work as expected (the result is the same as typing “ip.src != 1.1.1.1 and ip.dst != 1.1.1.1”). This avoids the contradiction (a == b and a != b) being true.
  • It is possible to use the syntax “a ~= b” or “a any_ne b” to recover the previous (inconsistent with "==") logic for not equal.
  • Literal strings can now be specified using raw string syntax, identical to raw strings in the Python programming language. This can be used to avoid the complexity of using two levels of character escapes with regular expressions.
  • Set elements must now be separated using a comma. A filter such as http.request.method in {"GET" "HEAD"} must be written as …​ in {"GET", "HEAD"}. Whitespace is not significant. The previous use of whitespace as separator is deprecated and will be removed in a future version.
  • Support for the syntax "a not in b" with the same meaning as "not a in b" has been added.
  • Packaging updates:
  • A macOS Arm 64 (Apple Silicon) package is now available.
  • The macOS Intel packages now ship with Qt 5.15.3 and require macOS 10.13 or later.
  • The Windows installers now ship with Npcap 1.55.
  • A 64-bit Windows PortableApps package is now available.
  • TCP conversations now support a completeness criteria, which facilitates the identification of TCP streams having any of opening or closing handshakes, a payload, in any combination. It can be accessed with the new tcp.completeness filter.
  • Protobuf fields that are not serialized on the wire or otherwise missing in capture files can now be displayed with default values by setting the new “add_default_value” preference. The default values might be explicitly declared in “proto2” files, or false for bools, first value for enums, zero for numeric types.
  • Wireshark now supports reading Event Tracing for Windows (ETW). A new extcap named ETW reader can open an etl file, convert all events in the file to DLT_ETW packets and write them to a specified FIFO destination. A new packet_etw dissector dissects DLT_ETW packets so that Wireshark can display the DLT_ETW packet header and its message; packet_etw calls the packet_mbim sub-dissector if the event's provider matches the MBIM provider GUID.
  • “Follow DCCP stream” feature to filter for and extract the contents of DCCP streams.
  • Wireshark now supports dissecting RTP packets with OPUS payloads.
  • Importing captures from text files based on regular expressions is now possible. By specifying a regex capturing a single packet including capturing groups for relevant fields a textfile can be converted to a libpcap capture file. Supported data encodings are plain-hexadecimal, -octal, -binary and base64. Also the timestamp format now allows the second-fractions to be placed anywhere in the timestamp and it will be stored with nanosecond instead of microsecond precision.
  • The RTP Player has been significantly redesigned and improved. See Playing VoIP Calls and RTP Player Window in the User’s Guide for more details.
  • The RTP Player can play many streams in a row.
  • The UI is more responsive.
  • The RTP Player maintains a playlist, and other tools can add and remove streams to and from it.
  • Every stream can be muted or routed to the left or right channel for replay.
  • The option to save audio has been moved from the RTP Analysis dialog to the RTP Player. The RTP Player also saves what was played, and it can save in multichannel .au or .wav.
  • The RTP Player is now accessible from the Telephony › RTP › RTP Player menu.
  • The VoIP dialogs (VoIP Calls, RTP Streams, RTP Analysis, RTP Player, SIP Flows) are non-modal and can stay open in the background.
  • The same tools are provided across all dialogs (Prepare Filter, Analyse, RTP Player …​)
  • The “Follow Stream” dialog is now able to follow SIP calls based on their Call-ID value.
  • The “Follow Stream” dialog’s YAML output format has been updated to add timestamps and peer information. For more details see Following Protocol Streams in the User’s Guide.
  • IP fragments between public IPv4 addresses are now reassembled even if they have different VLAN IDs. Reassembly of IP fragments where one endpoint is a private (RFC 1918 section 3) or link-local (RFC 3927) IPv4 address continues to take the VLAN ID into account, as those addresses can be reused. To revert to the previous behavior and not reassemble fragments with different VLAN IDs, turn on the “Enable stricter conversation tracking heuristics” top level protocol preference.
  • USB Link Layer reassembly has been added, which allows hardware captures to be analyzed at the same level as software captures.
  • TShark can now export TLS session keys with the --export-tls-session-keys option.
  • Wireshark participated in the Google Season of Docs 2020 and the User’s Guide has been extensively updated.
  • The “RTP Stream Analysis” dialog CSV export format was slightly changed. The first line of the export contains column titles as in other CSV exports.
  • Wireshark now supports the Turkish language.
  • The settings in the “Import from Hex Dump” dialog are now stored in a profile import_hexdump.json file.
  • Analyze › Reload Lua Plugins has been improved to properly support FileHandler.
  • The “RTP Stream Analysis” and “IAX2 Stream Analysis” dialogs now show correct mean jitter calculations.
  • RTP streams are now created based on Skinny protocol messages in addition to other types of messages.
  • The “VoIP Calls Flow Sequence” window shows more information about various Skinny messages.
  • Initial support for building Wireshark on Windows using GCC and MinGW-w64 has been added. See README.msys2 in the sources for more information.
  • New File Format Decoding Support:
  • Vector Informatik Binary Log File (BLF)
  • New Protocol Support:
  • 5G Lawful Interception (5GLI), Bluetooth Link Manager Protocol (BT LMP), Bundle Protocol version 7 (BPv7), Bundle Protocol version 7 Security (BPSec), CBOR Object Signing and Encryption (COSE), E2 Application Protocol (E2AP), Event Tracing for Windows (ETW), EXtreme extra Eth Header (EXEH), High-Performance Connectivity Tracer (HiPerConTracer), ISO 10681, Kerberos SPAKE, Linux psample protocol, Local Interconnect Network (LIN), Microsoft Task Scheduler Service, O-RAN E2AP, O-RAN fronthaul UC-plane (O-RAN), Opus Interactive Audio Codec (OPUS), PDU Transport Protocol, R09.x (R09), RDP Dynamic Channel Protocol (DRDYNVC), RDP Graphic pipeline channel Protocol (EGFX), RDP Multi-transport (RDPMT), Real-Time Publish-Subscribe Virtual Transport (RTPS-VT), Real-Time Publish-Subscribe Wire Protocol (processed) (RTPS-PROC), Shared Memory Communications (SMC), Signal PDU, SparkplugB, State Synchronization Protocol (SSyncP), Tagged Image File Format (TIFF), TP-Link Smart Home Protocol, UAVCAN DSDL, UAVCAN/CAN, UDP Remote Desktop Protocol (RDPUDP), Van Jacobson PPP compression (VJC), World of Warcraft World (WOWW), and X2 xIRI payload (xIRI)
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • Vector Informatik Binary Log File (BLF)
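
The 3.6.0 display filter change above (“a != b” now meaning “!(a == b)”), modelled as an added example. This is not Wireshark code: the packet tuples, addresses and helper names are constructed for illustration. It shows why the pre-3.6 any-value meaning of “!=” let an exclusion filter on ip.addr keep traffic to and from the excluded address.

```python
# Added illustration: a small model of the comparison semantics described in
# the 3.6.0 notes. Not Wireshark source; packets and helper names are constructed.

# Constructed sample packets: (label, ip.src, ip.dst)
PACKETS = [
    ("to-resolver",   "10.0.0.5", "1.1.1.1"),
    ("from-resolver", "1.1.1.1",  "10.0.0.5"),
    ("unrelated",     "10.0.0.5", "192.0.2.7"),
    ("loop",          "1.1.1.1",  "1.1.1.1"),
]


def field_values(pkt, field):
    """Return every value a field takes in a packet; ip.addr is multi-value."""
    _, src, dst = pkt
    return {"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst]}[field]


def eq(pkt, field, value):
    """'a == b': true if any value of the field equals b."""
    return any(v == value for v in field_values(pkt, field))


def any_ne(pkt, field, value):
    """Pre-3.6 'a != b'; still available in 3.6 as 'a ~= b' or 'a any_ne b'."""
    return any(v != value for v in field_values(pkt, field))


def ne(pkt, field, value):
    """3.6 'a != b': defined as '!(a == b)'."""
    return not eq(pkt, field, value)


def in_set(pkt, field, members):
    """'a in {x, y}': true if any value of the field is a set member."""
    return any(v in members for v in field_values(pkt, field))


def not_in(pkt, field, members):
    """'a not in b' has the same meaning as 'not a in b'."""
    return not in_set(pkt, field, members)


def matching(predicate):
    """Labels of the sample packets a filter predicate would display."""
    return [pkt[0] for pkt in PACKETS if predicate(pkt)]


def old_exclusion(addr):
    """What 'ip.addr != addr' displayed before 3.6 (any-value semantics)."""
    return matching(lambda p: any_ne(p, "ip.addr", addr))


def new_exclusion(addr):
    """What 'ip.addr != addr' displays from 3.6 on."""
    return matching(lambda p: ne(p, "ip.addr", addr))


def expanded_exclusion(addr):
    """The equivalent long form: 'ip.src != addr and ip.dst != addr'."""
    return matching(lambda p: ne(p, "ip.src", addr) and ne(p, "ip.dst", addr))


def contradictions(addr, not_equal):
    """Packets for which 'a == b and a != b' is true under a given '!='."""
    return matching(
        lambda p: eq(p, "ip.addr", addr) and not_equal(p, "ip.addr", addr)
    )


if __name__ == "__main__":
    addr = "1.1.1.1"
    print("pre-3.6  ip.addr != 1.1.1.1 :", old_exclusion(addr))
    print("3.6      ip.addr != 1.1.1.1 :", new_exclusion(addr))
    print("3.6      src != and dst !=  :", expanded_exclusion(addr))
    print("pre-3.6  == and != both true:", contradictions(addr, any_ne))
    print("3.6      == and != both true:", contradictions(addr, ne))
    print("ip.addr not in {192.0.2.7}  :",
          matching(lambda p: not_in(p, "ip.addr", {"192.0.2.7"})))
```

Saved exclusion filters written for pre-3.6 behaviour return different packet sets after the upgrade, so they are worth re-checking against a known capture.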

New in Wireshark 3.4.10 (Nov 18, 2021)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2021-07 Bluetooth DHT dissector crash. Issue 17651. CVE-2021-39929.
  • wnpa-sec-2021-08 Bluetooth HCI_ISO dissector crash. Issue 17649. CVE-2021-39926.
  • wnpa-sec-2021-09 Bluetooth SDP dissector crash. Issue 17635. CVE-2021-39925.
  • wnpa-sec-2021-10 Bluetooth DHT dissector large loop. Issue 17677. CVE-2021-39924.
  • wnpa-sec-2021-11 PNRP dissector large loop. Issue 17684.
  • wnpa-sec-2021-12 C12.22 dissector crash. Issue 17636. CVE-2021-39922.
  • wnpa-sec-2021-13 IEEE 802.11 dissector crash. Issue 17704. CVE-2021-39928.
  • wnpa-sec-2021-14 Modbus dissector crash. Issue 17703. CVE-2021-39921.
  • wnpa-sec-2021-15 IPPUSB dissector crash. Issue 17705. CVE-2021-39920.
  • The following bugs have been fixed:
  • OSS-Fuzz: Heap-use-after-free in ROS Issue 16342.
  • Allow for '' (NULL) character as filter instead of requiring 0x00 for the character match Issue 16525.
  • Dumpcap with threads reports double received count vs captured Issue 17089.
  • I/O Graphs values reset to default with 3.5 due to change of UAT Issue 17623.
  • HTTP2 dissector reports an assertion error on large data frames Issue 17633.
  • TShark stops capturing when capturing with multiple files and packet printing enabled Issue 17654.
  • Wireshark is unable to decode the IMSI IE received in BSSMAP Perform Location request Issue 17667.
  • WSLUA: Crash on reload if Proto has no fields Issue 17668.
  • Crash in flow analysis for TCP Issue 17722.
  • Updated Protocol Support:
  • BT HCI_ISO, BT SDP, BT-DHT, C12.22, CAN FD, CSN1, EAPOL-MKA, EVS, GSM BSSMAP LE, HTTP2, IDMP, IEEE 1905.1a, IEEE 802.11, IPPUSB, Modbus, PNRP, and TCP
  • New and Updated Capture File Support:
  • Pcap

New in Wireshark 3.6.0 RC 1 (Oct 14, 2021)

  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 3.4.0:
  • The Windows installers now ship with Npcap 1.55.
  • A 64-bit Windows PortableApps package is now available.
  • A macOS Arm 64 (Apple Silicon) package is now available.
  • TCP conversations now support a completeness criteria, which facilitates the identification of TCP streams having any of opening or closing handshakes, a payload, in any combination. It is accessed with the new tcp.completeness filter.
  • Protobuf fields that are not serialized on the wire (missing in capture files) can now be displayed with default values by setting the new 'add_default_value' preference. The default values might be explicitly declared in 'proto2' files, or false for bools, first value for enums, zero for numeric types.
  • Wireshark now supports reading Event Tracing for Windows (ETW). A new extcap named ETW reader can open an etl file, convert all events in the file to DLT_ETW packets and write them to a specified FIFO destination. A new packet_etw dissector dissects DLT_ETW packets so that Wireshark can display the DLT_ETW packet header and its message; packet_etw calls the packet_mbim sub-dissector if the event's provider matches the MBIM provider GUID.
  • "Follow DCCP stream" feature to filter for and extract the contents of DCCP streams.
  • Wireshark now supports dissecting RTP packets with OPUS payloads.
  • Importing captures from text files is now also possible based on regular expressions. By specifying a regex capturing a single packet including capturing groups for relevant fields a textfile can be converted to a libpcap capture file. Supported data encodings are plain-hexadecimal, -octal, -binary and base64. Also the timestamp format now allows the second-fractions to be placed anywhere in the timestamp and it will be stored with nanosecond instead of microsecond precision.
  • Display filter literal strings can now be specified using raw string syntax, identical to raw strings in the Python programming language. This is useful to avoid the complexity of using two levels of character escapes with regular expressions.
  • Significant RTP Player redesign and improvements (see Wireshark User Documentation, Playing VoIP Calls and RTP Player Window)
  • RTP Player can play many streams in a row
  • UI is more responsive
  • RTP Player maintains playlist, other tools can add/remove streams to it
  • Every stream can be muted or routed to L/R channel for replay
  • Save audio is moved from RTP Analysis to RTP Player. RTP Player saves what was played. RTP Player can save in multichannel .au or .wav.
  • RTP Player added to menu Telephony>RTP>RTP Player
  • VoIP dialogs (VoIP Calls, RTP Streams, RTP Analysis, RTP Player, SIP Flows) are non-modal and can stay open in the background
  • Same tools are provided across all dialogs (Prepare Filter, Analyse, RTP Player …)
  • Follow stream is now able to follow SIP calls based on their Call-ID value.
  • Follow stream YAML output format has been changed to add timestamps and peer information (for more details see the user’s guide, Following Protocol Streams)
  • IP fragments between public IPv4 addresses are now reassembled even if they have different VLAN IDs. Reassembly of IP fragments where one endpoint is a private (RFC 1918 section 3) or link-local (RFC 3927) IPv4 address continues to take the VLAN ID into account, as those addresses can be reused. To revert to the previous behavior and not reassemble fragments with different VLAN IDs, turn on the "Enable stricter conversation tracking heuristics" top level protocol preference.
  • USB Link Layer reassembly has been added, which allows hardware captures to be analyzed at the same level as software captures.
  • TShark can now export TLS session keys with the --export-tls-session-keys option.
  • Wireshark participated in the Google Season of Docs 2020 and the User’s Guide has been extensively updated.
  • Format of export to CSV in RTP Stream Analysis dialog was slightly changed. First line of export contains names of columns as in other CSV exports.
  • Wireshark now supports the Turkish language.
  • The settings in the 'Import from Hex Dump' dialog are now stored in a profile import_hexdump.json file.
  • Reload Lua plugins has been improved to properly support FileHandler.
  • New File Format Decoding Support
  • Vector Informatik Binary Log File (BLF)
  • New Protocol Support:
  • 5G Lawful Interception (5GLI), Bluetooth Link Manager Protocol (BT LMP), CBOR Object Signing and Encryption (COSE), E2 Application Protocol (E2AP), Event Tracing for Windows (ETW), EXtreme extra Eth Header (EXEH), High-Performance Connectivity Tracer (HiPerConTracer), ISO 10681, Kerberos SPAKE, Linux psample protocol, Local Interconnect Network (LIN), Microsoft Task Scheduler Service, O-RAN E2AP, O-RAN fronthaul UC-plane (O-RAN), Opus Interactive Audio Codec (OPUS), PDU Transport Protocol, R09.x (R09), RDP Dynamic Channel Protocol (DRDYNVC), RDP Graphic pipeline channel Protocol (EGFX), RDP Multi-transport (RDPMT), Real-Time Publish-Subscribe Virtual Transport (RTPS-VT), Real-Time Publish-Subscribe Wire Protocol (processed) (RTPS-PROC), Shared Memory Communications (SMC), Signal PDU, SparkplugB, State Synchronization Protocol (SSyncP), Tagged Image File Format (TIFF), TP-Link Smart Home Protocol, UAVCAN DSDL, UAVCAN/CAN, UDP Remote Desktop Protocol (RDPUDP), Van Jacobson PPP compression (VJC), World of Warcraft World (WOWW), and X2 xIRI payload (xIRI)
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • Vector Informatik Binary Log File (BLF)

New in Wireshark 3.4.9 (Oct 6, 2021)

  • Bug Fixes:
  • TShark PDML output embeds "proto" elements within other "proto" elements Issue 10588.
  • Filter expressions comparing against single-octet hex strings where the hex digit string equals a protocol name don’t work Issue 12810.
  • AMQP 0.9: dissector fails to handle Content-Body frame split across TCP packets Issue 14217.
  • IEEE 802.15.4: Missing check on "PAN ID Present" bit of the Multipurpose Frame Control field Issue 17496.
  • Wireshark ignored some character in filename when exporting SMB objects. Issue 17530.
  • tshark -z credentials: assertion failed: (allocator->in_scope) Issue 17576.
  • IS-IS Extended IP Reachability Prefix-SID not decoded properly Issue 17610.
  • Error when reloading lua plugins with a capture file loaded via a custom lua file handler Issue 17615.
  • Absolute time UTC field filters are constructed incorrectly, don’t match the packet Issue 17617.
  • GUI freezes when clicking on large (non-capture) file in File chooser Issue 17620.
  • Crash after selecting a different profile while capturing Issue 17622.
  • BT-DHT reports malformed packets that are actually uTP on same connection Issue 17626.
  • New and Updated Features:
  • New Protocol Support
  • There are no new protocols in this release.
  • Updated Protocol Support
  • AMQP, Aruba IAP, BGP, BT-DHT, CoAP, DCERPC SPOOLSS, Diameter, EPL, GSM A-bis OML, GSM A-I/F COMMON, GSM SIM, IEEE 1905.1a, IEEE 802.15.4, IMAP, InfiniBand, ISIS LSP, ISObus VT, JPEG, MP2T, NORDIC_BLE, QUIC, RTCP, SDP, SMB, TWAMP-Control, USB HID, and VSS Monitoring
  • New and Updated Capture File Support
  • CAM Inspector, Ixia IxVeriWave, pcapng, and USBDump

New in Wireshark 3.5.0 Development (Aug 28, 2021)

  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 3.4.0:
  • The Windows installers now ship with Npcap 1.50.
  • A 64-bit Windows PortableApps package is now available.
  • A macOS Arm 64 (Apple Silicon) package is now available.
  • TCP conversations now support a completeness criteria, which facilitates the identification of TCP streams having any of opening or closing handshakes, a payload, in any combination. It is accessed with the new tcp.completeness filter.
  • Protobuf fields that are not serialized on the wire (missing in capture files) can now be displayed with default values by setting the new 'add_default_value' preference. The default values might be explicitly declared in 'proto2' files, or false for bools, first value for enums, zero for numeric types.
  • Wireshark now supports reading Event Tracing for Windows (ETW). A new extcap named ETW reader can open an etl file, convert all events in the file to DLT_ETW packets and write them to a specified FIFO destination. A new packet_etw dissector dissects DLT_ETW packets so that Wireshark can display the DLT_ETW packet header and its message; packet_etw calls the packet_mbim sub-dissector if the event's provider matches the MBIM provider GUID.
  • "Follow DCCP stream" feature to filter for and extract the contents of DCCP streams.
  • Wireshark now supports dissecting RTP packets with OPUS payloads.
  • Importing captures from text files is now also possible based on regular expressions. By specifying a regex capturing a single packet including capturing groups for relevant fields a textfile can be converted to a libpcap capture file. Supported data encodings are plain-hexadecimal, -octal, -binary and base64. Also the timestamp format now allows the second-fractions to be placed anywhere in the timestamp and it will be stored with nanosecond instead of microsecond precision.
  • Display filter literal strings can now be specified using raw string syntax, identical to raw strings in the Python programming language. This is useful to avoid the complexity of using two levels of character escapes with regular expressions.
  • Significant RTP Player redesign and improvements (see Wireshark User Documentation, Playing VoIP Calls and RTP Player Window)
  • RTP Player can play many streams in a row
  • UI is more responsive
  • RTP Player maintains playlist, other tools can add/remove streams to it
  • Every stream can be muted or routed to L/R channel for replay
  • Save audio is moved from RTP Analysis to RTP Player. RTP Player saves what was played. RTP Player can save in multichannel .au or .wav.
  • RTP Player added to menu Telephony>RTP>RTP Player
  • VoIP dialogs (VoIP Calls, RTP Streams, RTP Analysis, RTP Player, SIP Flows) are non-modal and can stay open in the background
  • Same tools are provided across all dialogs (Prepare Filter, Analyse, RTP Player …​)
  • Follow stream is now able to follow SIP calls based on their Call-ID value.
  • Follow stream YAML output format has been changed to add timestamps and peer information (for more details see the user’s guide, Following Protocol Streams)
  • IP fragments between public IPv4 addresses are now reassembled even if they have different VLAN IDs. Reassembly of IP fragments where one endpoint is a private (RFC 1918 section 3) or link-local (RFC 3927) IPv4 address continues to take the VLAN ID into account, as those addresses can be reused. To revert to the previous behavior and not reassemble fragments with different VLAN IDs, turn on the "Enable stricter conversation tracking heuristics" top level protocol preference.
  • USB Link Layer reassembly has been added, which allows hardware captures to be analyzed at the same level as software captures.
  • TShark can now export TLS session keys with the --export-tls-session-keys option.
  • Wireshark participated in the Google Season of Docs 2020 and the User’s Guide has been extensively updated.
  • Format of export to CSV in RTP Stream Analysis dialog was slightly changed. First line of export contains names of columns as in other CSV exports.
  • Wireshark now supports the Turkish language.
  • New File Format Decoding Support
  • Vector Informatik Binary Log File (BLF)
  • New Protocol Support
  • Bluetooth Link Manager Protocol (BT LMP), E2 Application Protocol (E2AP), Event Tracing for Windows (ETW), High-Performance Connectivity Tracer (HiPerConTracer), Kerberos SPAKE, Linux psample protocol, Local Interconnect Network (LIN), Microsoft Task Scheduler Service, O-RAN E2AP, O-RAN fronthaul UC-plane (O-RAN), Opus Interactive Audio Codec (OPUS), PDU Transport Protocol, R09.x (R09), RDP Dynamic Channel Protocol (DRDYNVC), Real-Time Publish-Subscribe Virtual Transport (RTPS-VT), Real-Time Publish-Subscribe Wire Protocol (processed) (RTPS-PROC), Shared Memory Communications (SMC), Signal PDU, SparkplugB, State Synchronization Protocol (SSyncP), Tagged Image File Format (TIFF), TP-Link Smart Home Protocol, and World of Warcraft World (WOWW)
  • Updated Protocol Support
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support
  • Vector Informatik Binary Log File (BLF)

New in Wireshark 3.4.8 (Aug 26, 2021)

  • The following bugs have been fixed:
  • Dissector bug reported for Bluetooth Cycling Power Measurement characteristic for extreme angles value Issue 17505.
  • vcruntime140_1.dll deleted on Wireshark update/install Issue 17506.
  • Raknet Addresses are incorrectly identified. Issue 17509.
  • Editcap saving files as ethernet when specifying '-T ieee-802-11-*' Issue 17520.
  • CoAP dissector confuses Content-Format with Accept Issue 17536.
  • Updated Protocol Support:
  • BT ATT, BT LE LL, CoAP, DLM3, GSM SIM, iLBC, and RakNet

New in Wireshark 3.4.7 (Jul 15, 2021)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • Wnpa-sec-2021-06 DNP dissector crash. Issue 17462. CVE-2021-22235.
  • The following bugs have been fixed:
  • TCP dissector - Erroneous DSACK reporting Issue 17315.
  • No wlan_radio.duration calculated for PHY type: 802.11ac (VHT) Issue 17419.
  • NAN Dissector has wrong minimum length for availability attribute Issue 17431.

New in Wireshark 3.4.6 (Jun 3, 2021)

  • Bug Fixes:
  • wnpa-sec-2021-04 DVB-S2-BB dissector infinite loop
  • The following bugs have been fixed:
  • Macro filters can’t handle escaped characters Issue 17160.
  • Display filter crashes Wireshark Issue 17316.
  • IEEE-1588 Signalling Unicast TLV incorrectly reported as being malformed Issue 17355.
  • IETF QUIC TLS decryption error with extraneous packets during the handshake Issue 17383.
  • Statistics → Resolved Addresses: multi-protocol (TCP/UDP/…​) ports not displayed Issue 17395.
  • Updated Protocol Support:
  • DNP, DVB-S2-BB, ProtoBuf, PTP, QUIC, RANAP, and TACACS
  • New and Updated Capture File Support:
  • Ascend, ERF, K12, NetScaler, and pcapng

New in Wireshark 3.4.5 (Jun 3, 2021)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2021-04 MS-WSP dissector excessive memory consumption. Issue 17331.
  • The following bugs have been fixed:
  • TShark does not print GeoIP information Issue 14691.
  • TShark error when piping to "head" Issue 16192.
  • Parts of ASCII representation in Packet Bytes pane are missing Issue 17087.
  • Buildbot crash output: fuzz-2021-02-22-1012761.pcap Issue 17254.
  • NDPE attribute of NAN packet is not dissected Issue 17278.
  • TECMP: reserved flag interpreted as part of timestamp Issue 17279.
  • Master branch does not compile at least with gcc-11 Issue 17281.
  • DNS IXFR/AXFR multiple response Issue 17293.
  • File too large Issue 17301.
  • Build fails with CMake 3.20 Issue 17314.
  • Updated Protocol Support:
  • DECT, DNS, EAP, Kerberos, LDAP, MS-WSP, SMB2, Sysdig, TECMP, and WiFi NAN
  • New and Updated Capture File Support:
  • pcapng

New in Wireshark 3.4.4 (Mar 11, 2021)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2021-03 Wireshark could open unsafe URLs. Issue 17232. CVE-2021-22191
  • The following bugs have been fixed:
  • NTP Version 3 Client Decode PDML output issue (Reference ID Issue) Issue 17112
  • 3.4.2: public wireshark include files are including build time "config.h" Issue 17190
  • wireshark-3.4.3/epan/dissectors/packet-s7comm.c:3521: bad array index ? Issue 17198
  • SIP protocol: P-Called-Party-ID header mixed up with P-Charge-Info header Issue 17215
  • Asterix CAT010 Decode Error Issue 17226
  • ws.expert columns not populated for IPv4 Issue 17228
  • Buildbot crash output: fuzz-2021-02-12-1651908.pcap Issue 17233
  • gQUIC: Wireshark 3.4.3 fails to dissect a packet (gQUIC q024) that v3.2.6 succeeds. Issue 17250
  • Updated Protocol Support:
  • ASTERIX, Frame Relay, GQUIC, NTP, NVMe Fabrics RDMA, S7COMM, and SIP
  • New and Updated Capture File Support:
  • iSeries

New in Wireshark 3.4.3 (Jan 31, 2021)

  • What’s New:
  • The Windows installers now ship with Npcap 1.10. They previously shipped with Npcap 1.00
  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2021-01 USB HID dissector memory leak. Bug 17124. CVE-2021-22173
  • wnpa-sec-2021-02 USB HID dissector crash. Bug 17165. CVE-2021-22174
  • The following bugs have been fixed:
  • SIP response single-line multiple Contact-URIs decoding error Bug 13752
  • Adding filter while "Telephony → VoIP Calls → Flow Sequence" open causes OOB memory reads and potential crashes. Bug 16952
  • QUIC packet not fully dissected Bug 17077
  • SOMEIP-SD hidden entries are off Bug 17091
  • Problem with calculation on UDP checksum in SRv6 Bug 17097
  • Dark mode not working in Wireshark 3.4.2 on macOS Bug 17098
  • Wireshark 3.4.0: build failure on older MacOS releases, due to 'CLOCK_REALTIME' Bug 17101
  • TECMP: Status Capture Module messages shows 3 instead of 2 bytes for HW version Bug 17133
  • Documentation - editorial error - README.dissector bad reference Bug 17141
  • Cannot save capture with comments to a format that doesn’t support it (no pop-up) Bug 17146
  • AUTOSAR-NM: PNI TF-String wrong way around Bug 17154
  • Fibre Channel parsing errors even with the fix for #17084 Bug 17168
  • f5ethtrailer: Won’t find a trailer after an FCS that begins with a 0x00 byte Bug 17171
  • f5ethtrailer: legacy format, low noise only, no vip name trailers no longer detected Bug 17172
  • Buildbot crash output: fuzz-2021-01-22-3387835.pcap Bug 17174
  • Dissection error on large ZVT packets Bug 17177
  • TShark crashes with -T ek option Bug 17179
  • Updated Protocol Support:
  • AUTOSAR-NM, DHCPv6, DoIP, FC ELS, GQUIC, IPv6, NAS 5GS, NAS EPS, QUIC, SIP, SOME/IP-SD, TECMP, TLS, TPNCP, USB HID, and ZVT
  • New and Updated Capture File Support:
  • f5ethtrailer and pcapng

New in Wireshark 3.4.2 (Dec 18, 2020)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • Wnpa-sec-2020-20 QUIC dissector crash Bug 17073.
  • The following bugs have been fixed:
  • New and Updated Features
  • IETF QUIC TLS decryption errors when packets are coalesced with random data Bug 16914.
  • QUIC: missing dissection of some coalesced SH packets Bug 17011.
  • Macos-setup.sh can’t find SDK on macOS Big Sur, as it went to 11 Bug 17043.
  • Mapping endpoints in browser ⇒ Map file error Bug 17074.
  • Wireshark 3.4.1 hangs on startup on macOS Big Sur 11.0.1 Bug 17075.
  • False expect error seen on FCoE frames (not seen with older release wireshark 1.2.18) Bug 17084.
  • Several libraries missing in 3.4.1 and 3.2.9 installers for macOS Bug 17086.
  • New Protocol Support:
  • There are no new protocols in this release.
  • Updated Protocol Support
  • DOCSIS, FC-dNS, FC-SWILS, FCoE, QUIC, SNMP, and USBHID

New in Wireshark 3.4.1 (Dec 10, 2020)

  • Bug Fixes:
  • wnpa-sec-2020-16 Kafka dissector memory leak. Bug 16739. CVE-2020-26418.
  • wnpa-sec-2020-17 USB HID dissector crash. Bug 16958. CVE-2020-26421.
  • wnpa-sec-2020-18 RTPS dissector memory leak. Bug 16994. CVE-2020-26420.
  • wnpa-sec-2020-19 Multiple dissector memory leak. Bug 17032. CVE-2020-26419.
  • New and Updated Features:
  • IETF QUIC TLS decryption errors when a NAT rebinding happens for a connection Bug 16915.
  • IETF QUIC TLS decryption error with key update Bug 16916.
  • IETF QUIC TLS decryption error after the second key update Bug 16920.
  • SOME/IP: Wrong dissection of parameters after Array Bug 16951.
  • Can editcap properly corrupt pcapng file with systemd journal export block? Bug 16965.
  • Crash when a GIOP ior.txt file is present Bug 16984.
  • Protobuf: failed to parse .proto file contains negative enum values or option values of number type Bug 16988.
  • MMRP dissector bug Bug 17005.
  • QUIC: "Loss bits" capability Bug 17010.
  • Stdin capture fails on Windows Bug 17018.
  • SSTP no longer recognized Bug 17024.
  • RFC2190 encapsulated H.263 bitfields masked wrong in Mode A Bug 17025.
  • editcap fails when splitting into multiple pcapng files Bug 17060.
  • Updated Protocol Support:
  • ACDR, DOCSIS, Ericsson HDLC, F5 Ethernet Trailer, GIOP, GSM A, GSM RLC MAC, HTTP, IEEE 802.11, Kafka, LLC, MBIM, MMRP, NAS 5GS, NAS EPS, Nordic BLE, ProtoBuf, QUIC, Radiotap, RFC 2190, RTCP, RTPS, S1AP, SOME/IP, STUN, and USB Video
  • New and Updated Capture File Support:
  • pcapng

New in Wireshark 3.4.0 (Oct 30, 2020)

  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 3.4.0rc1:
  • Nothing of note.
  • The following features are new (or have been significantly updated) since version 3.3.1:
  • Protobuf fields defined as the google.protobuf.Timestamp type of the Protobuf standard library can now be dissected as Wireshark fields of absolute time type.
  • The following features are new (or have been significantly updated) since version 3.3.0:
  • The Windows installers now ship with Npcap 1.00. They previously shipped with Npcap 0.9997.
  • The Windows installers now ship with Qt 5.15.1. They previously shipped with Qt 5.12.8.
  • The following features are new (or have been significantly updated) since version 3.2.0:
  • Windows executables and installers are now signed using SHA-2 only.
  • Save RTP stream to .au supports any codec with an 8000 Hz rate supported by Wireshark (shown in RTP player). If saving the audio is not possible (unsupported codec or rate), silence of the same length is saved and a warning is shown.
  • Asynchronous DNS resolution is always enabled. As a result, the c-ares library is now a required dependency.
  • Protobuf fields can be dissected as Wireshark (header) fields, which allows users to enter the full names of Protobuf fields or messages in the Filter toolbar for searching.
  • Dissectors based on Protobuf can register themselves to a new 'protobuf_field' dissector table, which is keyed with the full names of fields, for further parsing fields of BYTES or STRING type.
  • Wireshark is able to decode, play, and save iLBC payload on platforms where the iLBC library is available.
  • Wireshark is able to decode, play, and save opus payload on platforms where the opus library is available.
  • “Decode As” entries can now be copied from other profiles using a button in the dialog.
  • sshdump can now be copied to multiple instances. Each instance will show up as a different interface and will have its own profile.
  • The main window now supports a packet diagram view, which shows each packet as a textbook-style diagram.
  • Filter buttons (“Preferences → Filter Buttons”) can be grouped by using “//” as a path separator in the filter button label.
  • IPP Over USB packets can now be dissected and displayed.
  • New Protocol Support:
  • Arinc 615A (A615A), Asphodel Protocol, AudioCodes Debug Recording (ACDR), Bluetooth HCI ISO (BT HCI ISO), Cisco MisCabling Protocol (MCP), Community ID Flow Hashing (CommunityID), DCE/RPC IRemoteWinspool SubSystem (IREMOTEWINSPOOL), Dynamic Link Exchange Protocol (DLEP), EAP Generalized Pre-Shared Key (EAP-GPSK), EAP Password Authenticated Exchange (EAP-PAX), EAP Pre-Shared Key (EAP-PSK), EAP Shared-secret Authentication and Key Establishment (EAP-SAKE), Fortinet Single Sign-on (FSSO), FTDI Multi-Protocol Synchronous Serial Engine (FTDI MPSSE), Hypertext Transfer Protocol Version 3 (HTTP3), ILDA Digital Network (IDN), Java Debug Wire Protocol (JDWP), LBM Stateful Resolution Service (LBMSRS), Lithionics Battery Management, .NET Message Framing Protocol (MC-NMF), .NET NegotiateStream Protocol (MS-NNS), OBSAI UDP-based Communication Protocol (UDPCP), Palo Alto Heartbeat Backup (PA-HB-Bak), ScyllaDB RPC, Technically Enhanced Capture Module Protocol (TECMP), Tunnel Extensible Authentication Protocol (TEAP), UDP based FTP w/ multicast V5 (UFTP5), and USB Printer (USBPRINTER)
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • MP4 (ISO/IEC 14496-12)

New in Wireshark 3.2.7 (Sep 24, 2020)

  • The Windows installers now ship with Npcap 0.9997. They previously shipped with Npcap 0.9994.
  • The Windows installers now ship with Qt 5.12.9. They previously shipped with Qt 5.12.8.
  • Bug Fixes
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2020-11 MIME Multipart dissector crash. Bug 16741. Fixed in master: 2411eae9ed Fixed in master-3.2: 21f082cb6e Fixed in master-3.0: 14e274f3be Fixed in master-2.6: 5803c7b87b
  • wnpa-sec-2020-12 TCP dissector crash. Bug 16816. Fixed in master: c4634b1e99 Fixed in master-3.2: e9b727595b Fixed in master-3.0: 7f3fe6164a Fixed in master-2.6: 9d7ab8b46f
  • wnpa-sec-2020-13 BLIP dissector crash. Bug 16866. Fixed in master: 4a94842710 Fixed in master-3.2: 594d312b12 Fixed in master-3.0: 2fb6002559 Fixed in master-2.6: n/a
  • The following bugs have been fixed:
  • HTTP dissector fails to display correct UTF-16 XML Bug 9069.
  • TFTP dissector does not track conversations correctly. Source file and Destination File redundant or disagree. Bug 10305.
  • Dissector skips DICOM command Bug 13110.
  • Editcap time adjustment doesn’t work when both infile and outfile are ERF Bug 16578.
  • dissect_tds7_colmetadata_token() has wrong return value if count is 0 Bug 16682.
  • "total block length … is too small" for Systemd Journal Export Block Bug 16734.
  • MNC 11 is showing Mobile Network Code (MNC): NTT DoCoMo Tokai Inc. (11) But its belonging to Rakuten Network Bug 16755.
  • DICOM object extraction: discrepancy between tshark and wireshark Bug 16771.
  • S1-U data forwarding info and S103 PDN data forwarding info IE’s showing improper value Bug 16777.
  • Wireshark crashes while opening a capture Bug 16780.
  • Changing preferences via Decode As does not call callback Bug 16787.
  • Decoding of PFCP IE 'Remote GTP-U Peer' is incorrect Bug 16805.
  • Ng-enb not decoded correctly for Target Identification IE for GTPV2 Bug 16822.
  • The client timestamp is parsed error for Google QUIC (version Q039) Bug 16839.
  • NAS-5G : PDU session reactivation result Bug 16842.
  • Wireshark fails to detect libssh >= 0.9.5 Bug 16845.

New in Wireshark 3.2.6 (Aug 13, 2020)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2020-10 Kafka dissector crash. Bug 16672. CVE-2020-17498.
  • The following bugs have been fixed:
  • Kafka dissector fails parsing FETCH responses. Bug 16623.
  • Dissector for ASTERIX Category 001 / 210 does not recognize bit 1 as extension. Bug 16662.
  • "invalid timestamp" for Systemd Journal Export Block. Bug 16664.
  • Decoding Extended Emergency number list IE length. Bug 16668.
  • Some macOS Bluetooth PacketLogger capture files aren’t recognized as PacketLogger files (regression, bisected). Bug 16670.
  • Short IMSIs (5 digits) lead to wrong decoding+warning. Bug 16676.
  • Decoding of PFCP IE 'PFD Contents' results in "malformed packet". Bug 16704.
  • RFH2 Header with 32 or less bytes of NameValue will not parse out that info. Bug 16733.
  • CDP: Port ID TLV followed by Type 1009 TLV triggers [Malformed Packet]. Bug 16742.
  • tshark crashed when processing opcda. Bug 16746.
  • tshark with --export-dicom gives “Segmentation fault (core dumped)”. Bug 16748.
  • Updated Protocol Support:
  • ASTERIX, BSSAP, CDP, CoAP, DCERPC SPOOLSS, DCOM, DICOM, DVB-S2, E.212, GBCS, GSM RR, GSM SMS, IEEE 802.11, Kafka, MQ, Nano, NAS 5GS, NIS+, NR RRC, PacketLogger, PFCP, RTPS, systemd Journal, TDS, TN3270, and TN5250
  • New and Updated Capture File Support:
  • PacketLogger and pcapng

New in Wireshark 3.2.5 (Jul 1, 2020)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2020-09 GVCP dissector infinite loop. Bug 16029. CVE-2020-15466
  • The following bugs have been fixed:
  • Add decryption support for QUIC IETF version 0xfaceb001 and 0xfaceb002. Bug 16378
  • Windows Uninstall does not remove all files in Program Files. Bug 16601
  • The "relative sequence number" is same as "raw sequence number" when tcp.analyze_sequence_numbers:FALSE. Bug 16604
  • Importing profiles from a different Windows PC fails. Bug 16608
  • Decode as not working correctly with multiple user profiles. Bug 16635
  • Wireshark can misdissect the HE Radiotap field if it’s ever dissected one with any value unknown. Bug 16636
  • Buildbot crash output: fuzz-2020-06-19-5981.pcap. Bug 16639
  • Buildbot crash output: fuzz-2020-06-20-7665.pcap. Bug 16642
  • mergecap man page contains invalid formatting. Bug 16652
  • Updated Protocol Support:
  • CoAP, GSM RR, GTPv2, GVCP, LTE RRC, NAS-5GS, NGAP, QUIC, R3, Radiotap, RTPS, and TCP

New in Wireshark 3.2.4 (May 19, 2020)

  • Bug Fixes:
  • The following vulnerabilities have been fixed
  • wnpa-sec-2020-08 The NFS dissector could crash. Bug 16476.
  • The following bugs have been fixed
  • SDP dissector does not parse sprop-parameter-sets field. Bug 16322.
  • PVS-Studio analyser long list of issues. Bug 16335.
  • Can’t have duplicate personal and global profile names. Bug 16423.
  • pcapng file dissector incorrectly computes nanoseconds from timestamps because it assumes the resolution is in nanoseconds. Bug 16440.
  • Read of uninitialized memory in detect_camins_file. Bug 16458.
  • Read of uninitialized memory in lanalyzer_read_trace_record. Bug 16459.
  • capture -> options -> select interface -> (choose) -> SEGV. Bug 16489.
  • SOMEIP: SOME/IP dissector ignores the length field configuration of structs. Bug 16490.
  • Packet List Pane doesn’t consume the entire pane. Bug 16491.
  • Range parameter on numeric parameter in extcap plugin doesn’t work. Bug 16510.
  • Export Packet Dissections not working on Windows (Wireshark 3.2.x). Bug 16516.
  • capinfos "Capture duration" output is truncated if there are more than 11 digits of seconds and fractions of a second. Bug 16519.
  • MIME Files Format/pcapng: Simple Packet Block parsed incorrectly. Bug 16526.
  • SOMEIP: SOME/IP-SD unique id is not unique for eventgroup types (BUG). Bug 16549.
  • Buildbot crash output: fuzz-2020-05-13-12195.pcap. Bug 16564.
  • Updated Protocol Support:
  • AoE, APRS, ASN.1 BER, DIS, DTLS, FTP, GSM SMS, H.264, IMAP, Infiniband, ISObus VT, Kafka, LSD, MAC LTE, NAS 5GS, NFS, ONC RPC, OSC, pcapng, PDCP LTE, RADIUS, RLC LTE, RTSP, SDP, SIP, Snort, SOMEIP, STUN, TLS, and UMTS FP
  • New and Updated Capture File Support:
  • Camins, Catapult DCT 2000, Lanalyzer, and MPEG

New in Wireshark 3.2.3 (Apr 9, 2020)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2020-07 The BACapp dissector could crash. Bug 16474. CVE-2020-11647.
  • The following bugs have been fixed:
  • Add (IETF) QUIC Dissector. Bug 13881.
  • Rename profile name loses list selection. Bug 15966.
  • Dissector bug warning dissecting TLS Certificate Request with many names. Bug 16202.
  • Only ACKs, but no DATA frames are visible in -> TCP Stream Graph -> Time Sequence (tcptrace). Bug 16281.
  • Copy>Description does not work properly for all tree items. Bug 16323.
  • Importing profiles in Windows - zip files fail and from directory crashes Wireshark. Bug 16410.
  • Packet List selection is gone when adding or removing a display filter. Bug 16414.
  • Check for updates, and auto-update, not working in 3.2.1. Bug 16416.
  • f5ethtrailer: TLS trailer creates incorrect CLIENT keylog entries. Bug 16417.
  • Buildbot crash output: randpkt-2020-03-04-18423.pcap. Bug 16424.
  • File open dialog shows garbled time stamps. Bug 16429.
  • RTCP Bye without optional reason reported as [Malformed Packet]. Bug 16434.
  • [oss-fuzz] #20732: Undefined-shift in dissect_rtcp. Bug 16445.
  • SOMEIP: SOME/IP-SD dissector fails to register SOME/IP ports, if IPv6 is being used (BUG). Bug 16448.
  • tshark logs: "… could not be opened: Too many open files.". Bug 16457.
  • Typo in About Wireshark > Keyboard Shortcuts > Unignore All Displayed. Bug 16472.
  • Buildbot crash output: randpkt-2020-04-02-31746.pcap. Bug 16477.

New in Wireshark 3.2.2 (Feb 27, 2020)

  • Bug Fixes:
  • The following vulnerabilities have been fixed
  • wnpa-sec-2020-03 LTE RRC dissector memory leak. Bug 16341.
  • wnpa-sec-2020-04 WiMax DLMAP dissector crash. Bug 16368.
  • wnpa-sec-2020-05 EAP dissector crash. Bug 16397.
  • wnpa-sec-2020-06 WireGuard dissector crash. Bug 16394.
  • The following bugs have been fixed
  • Add (IETF) QUIC Dissector. Bug 13881.
  • Support for CoAP over TCP and WebSockets (RFC 8323). Bug 15910.
  • SMB IOCTL response packet with BUFFER_OVERFLOW status is dissected improperly. Bug 16261.
  • Wireshark fails to build with GCC-9. Bug 16319.
  • NVMe/TCP ICReq PDU Not Interpreted Correctly. Bug 16333.
  • ICMP: No response if ICMP reply packet has an ICMP checksum of 0x0000. Bug 16334.
  • Display filter parsing broken after upgrade from 3.0.7. Bug 16336.
  • IPv4 fragment offset value is incorrect in IPv4 header decode. Bug 16344.
  • RTCP frame length warning for SAT>IP APP packets. Bug 16345.
  • RTP export to rtpdump file doesn’t work. Bug 16351.
  • CFDP dissector skips a byte. Bug 16361.
  • ISAKMP: IKEv2 transforms and proposal have critical bit (BUG). Bug 16364.
  • No IPv4/IPv6 hosts in Resolved Addresses dialog. Bug 16366.
  • Lack of Check for Updates option in the Windows GUI. Bug 16381.
  • LLDP dissector consumes all octets to the end of the TVB and eth trailer dissector does not get called. Bug 16387.
  • LACP dissector consumes all octets to the end of the TVB and eth trailer dissector does not get called. Bug 16388.
  • Updated Protocol Support:
  • ARTNET, CFDP, CoAP, EAP, GTP, ICMP, ICMPv6, IPv4, ISAKMP, LACP, LLDP, LTE RRC, NBAP, NVME-TCP, QUIC, RDM, RTCP, RTP, SMB, SOME/IP, TLS, WiMax DLMAP, and WireGuard

New in Wireshark 3.2.1 (Jan 15, 2020)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2020-01 WASSP dissector crash. Bug 16324. CVE-2020-7044.
  • The following bugs have been fixed:
  • Incorrect parsing of USB CDC packets. Bug 14587.
  • Wireshark fails to create directory if parent directory does not yet exist. Bug 16143.
  • Buildbot crash output: randpkt-2019-11-30-22633.pcap. Bug 16240.
  • Closing Flow Graph closes (crashes) main GUI window. Bug 16260.
  • Wireshark interprets websocket frames after HTTP handshake in a wrong way. Bug 16274.
  • A-bis/OML: IPA Destination IP Address attribute contains inverted value (endianness). Bug 16282.
  • wiretap/log3gpp.c: 2 * leap before looking ?. Bug 16283.
  • Opening shell terminal prints Wireshark: Permission denied. Bug 16284.
  • h264: SPS frame_crop_right_offset shown in UI as frame_crop_left_offset. Bug 16285.
  • BGP: update of "Sub-TLV Length" by draft-ietf-idr-tunnel-encaps. Bug 16294.
  • SPNEGO+GSS-API+Kerberos+ap-options dissection produces "Unknown Bit(s)" expert message. Bug 16301.
  • USB Audio feature unit descriptor is incorrectly dissected. Bug 16305.
  • Compiling the .y files fails with Berkeley YACC. Bug 16306.
  • PDB files in Windows installer. Bug 16307.
  • NAS-5GS 5GS network feature support lacks MCSI, EMCN3 two fields (octet 4). Bug 16310.
  • Option to change “Packet List” columns header right click pop-up menu behavior. Bug 16317.
  • DLT: Dissector does not parse multiple DLT messages in single UDP packet. Bug 16321.
  • ISAKMP Dissection: Enhance Source id and Destination ID field of GDOI SA TEK payload for non IP ID type. Bug 16233.
  • DOIP: Typo in "identifcation request messages". Bug 16325.
  • Toolbar "?" help button - no text/help displayed. Bug 16327.
  • Updated Protocol Support:
  • 802.11 Radiotap, ASN.1 BER, BGP, DLT, DOIP, GSM A RR, GSM A-bis/OML, H264, HTTP, IEC 60870-5-104, IEEE 802.11, IPv4, ISAKMP, NAS 5GS, rtnetlink, SIP, TIPC, USB Audio, USB CDC, and WASSP
  • New and Updated Capture File Support
  • 3gpp phone log
  • Getting Wireshark:
  • Wireshark source code and installation packages are available from https://www.wireshark.org/download.html.
  • Vendor-supplied Packages
  • Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
  • File Locations:
  • Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About → Folders to find the default locations on your system.

New in Wireshark 3.2.0 (Dec 19, 2019)

  • Minor bug fixes.

New in Wireshark 3.2.0 RC 1 (Dec 5, 2019)

  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 3.1.1:
  • Miscellaneous UI fixes and updates.
  • The macOS installer now ships with Qt 5.12.6. It previously shipped with Qt 5.12.5.
  • The following features are new (or have been significantly updated) since version 3.1.0:
  • Automatic updates are supported on macOS.
  • You can now select multiple packets in the packet list at the same time
  • They can be exported as Text by “Ctrl+C” or “Cmd+C” and the corresponding menu in “Edit › Copy › As …”
  • They can be marked/unmarked or ignored/unignored at the same time
  • They can be exported and printed using the corresponding menu entries “File › Export Specified Packets”, “File › Export Packet Dissections” and “File › Print”
  • You can now follow HTTP/2 and QUIC streams.
  • You can once again mark and unmark packets using the middle mouse button. This feature went missing around 2009 or so.
  • The Windows packages are now built using Microsoft Visual Studio 2019.
  • IOGraph automatically adds a graph for the selected display filter if no previous graph exists
  • Action buttons for the display filter bar may be aligned left via the context menu
  • Allow extcaps to be loaded from the personal configuration directory
  • The Windows installers now ship with Qt 5.12.6. They previously shipped with Qt 5.12.4.
  • The following features are new (or have been significantly updated) since version 3.0.0:
  • You can drag and drop a field to a column header to create a column for that field, or to the display filter input to create a display filter. If a display filter is applied, the new filter can be added using the same rules as “Apply Filter”
  • You can drag and drop a column entry to the display filter to create a filter for it.
  • You can import profiles from a .zip archive or an existing directory.
  • Dark mode support on macOS and dark theme support on other platforms has been improved.
  • Brotli decompression support in HTTP/HTTP2 (requires the brotli library).
  • The build system now checks for a SpeexDSP system library installation. The bundled Speex resampler code is still provided as a fallback.
  • WireGuard decryption can now be enabled through keys embedded in a pcapng in addition to the existing key log preference (Bug 15571).
  • A new tap for extracting credentials from the capture file has been added. It can be accessed through the -z credentials option in tshark or from the “Tools › Credentials” menu in Wireshark.
  • Editcap can now split files on floating point intervals.
  • Windows .msi packages are now signed using SHA-2. .exe installers are still dual-signed using SHA-1 and SHA-2.
  • The “Enabled Protocols” Dialog now only enables, disables and inverts protocols based on the set filter selection. The protocol type (standard or heuristic) may also be chosen as a filter value.
  • The “Analyze › Apply as Filter” and “Analyze › Prepare a Filter” packet list and detail popup menus now show a preview of their respective filters.
  • Protobuf files (*.proto) can now be configured to enable more precise parsing of serialized Protobuf data (such as gRPC).
  • HTTP2 supports streaming mode reassembly. To use this feature, subdissectors can register themselves to the "streaming_content_type" dissector table and return pinfo->desegment_len and pinfo->desegment_offset to tell HTTP2 when to start and how many additional bytes are required when next called.
  • Messages of streaming gRPC methods can now be parsed with the support of the HTTP2 streaming mode reassembly feature.
  • The Windows installers now ship with Qt 5.12.4. They previously shipped with Qt 5.12.1.
  • New Protocol Support:
  • 3GPP BICC MST (BICC-MST), 3GPP log packet (LOG3GPP), 3GPP/GSM Cell Broadcast Service Protocol (cbsp), Bluetooth Mesh Beacon, Bluetooth Mesh PB-ADV, Bluetooth Mesh Provisioning PDU, Bluetooth Mesh Proxy, CableLabs Layer-3 Protocol IEEE EtherType 0xb4e3 (CL3), DCOM IProvideClassInfo, DCOM ITypeInfo, Diagnostic Log and Trace (DLT), Distributed Replicated Block Device (DRBD), Dual Channel Wi-Fi (CL3DCW), EBHSCR Protocol (EBHSCR), EERO Protocol (EERO), evolved Common Public Radio Interface (eCPRI), File Server Remote VSS Protocol (FSRVP), FTDI FT USB Bridging Devices (FTDI FT), Graylog Extended Log Format over UDP (GELF), GSM/3GPP CBSP (Cell Broadcast Service Protocol), Linux net_dm (network drop monitor) protocol, MIDI System Exclusive DigiTech (SYSEX DigiTech), Network Controller Sideband Interface (NCSI), NR Positioning Protocol A (NRPPa) TS 38.455, NVM Express over Fabrics for TCP (nvme-tcp), OsmoTRX Protocol (GSM Transceiver control and data), and Scalable service-Oriented MiddlewarE over IP (SOME/IP)
  • Updated Protocol Support
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support
  • 3gpp phone, Android Logcat Text, Ascend, Candump, Endace ERF, NetScaler, pcapng, and Savvius *Peek

New in Wireshark 3.0.7 (Dec 4, 2019)

  • What’s New:
  • The Windows and macOS installers now ship with Qt 5.12.6. They previously shipped with Qt 5.12.5.
  • Bug Fixes:
  • wnpa-sec-2019-22 CMS dissector crash. Bug 15961. CVE-2019-19553
  • The following bugs have been fixed:
  • ws_pipe_wait_for_pipe() can wait on closed handles. Bug 15696
  • Support for 11ax in PEEKREMOTE. Bug 15740
  • The temporary file … could not be opened: Invalid argument. Bug 15751
  • Reassembling of the two TLS records is not working correctly. Bug 16109
  • Display Filter Area: Dropdown Missing pkt_comment and tcp.options.sack_perm (likely others). Bug 16130
  • Display Filter autocompletion should be disabled. Bug 16132
  • BGP Linkstate IP Reachability information is incorrect. Bug 16144
  • NGAP: ExpectedUEActivityBehaviour decode error. Bug 16145
  • HomePlug AV dissector: MMTYPE and FMI fields are dissected incorrectly. Bug 16158
  • JPEG files cannot be saved on Windows with french language. Bug 16165
  • X11 --display interpreted as --display-filter which maps to -Y option. Bug 16167
  • "Create new file automatically after" not working with extcap. Bug 16178
  • Encrypted TLS alerts sometimes listed as decrypted. Bug 16180
  • The "Remove Wireshark from the system path" package has "Add Wireshark to the system PATH" as its title. Bug 16200
  • tshark -T ek -x causes get_field_data: code should not be reached. Bug 16218
  • Crash on Go → Next/Previous Packet in Conversation when no packet is selected. Bug 16228
  • Updated Protocol Support:
  • BGP, HomePlug AV, IEEE 802.11, and TLS

New in Wireshark 3.0.6 (Oct 23, 2019)

  • Bug fixes:
  • extcap: Several issues when capturing from multiple extcap interfaces. Bug 13653.
  • Expert Infos Incorrectly Displays Info Column instead of comment. Bug 15516.
  • Wireshark does not support USB packets with size greater than 256 KiB. Bug 15985.
  • IS-IS: add support for decoding TE TLV Type 138 as per RFC 5307. Bug 16012.
  • NET-SNMP EngineID Length handling Warning. Bug 16051.
  • TLS decryption is very slow on Windows when using a large PMS file compared to Linux/macOS. Bug 16059.
  • wireshark-3.0.5/epan/dissectors/packet-nas_5gs.c:2459: bad test ?. Bug 16075.
  • ERSPAN Type III over GRE without sequence number not decoded correctly. Bug 16089.
  • Windows dumpcap -v does not display capture library info. Bug 16108.
  • [Regression] FT_CHAR fields not supported in Lua API. Bug 16129.
  • Updated Protocol Support:
  • AgentX, BT L2CAP, ERSPAN, GRE, IPv4, IS-IS, NAS 5GS, OpcUa, SNMP, and SRT

New in Wireshark 3.0.5 (Sep 20, 2019)

  • The Windows installers now ship with Qt 5.12.5. They previously shipped with Qt 5.12.4.
  • If you have Npcap 0.994 or 0.995 installed, your system might crash when upgrading. We recommend that you uninstall these versions manually prior to installing Wireshark. See Npcap bugs 1591 and 1675 for more details. You can uninstall either version manually by doing the following:
  • Open a command or PowerShell prompt as Administrator and run sc.exe config npcap start=disabled.
  • Run sc.exe config npf start=disabled. This will fail if WinPcap compatibility mode isn’t enabled, but is otherwise harmless.
  • Reboot (optional).
  • Open “Programs and Features” in the Control Panel or “Apps & features” in Settings and uninstall Npcap.
  • Open “Device Manager” (devmgmt.msc) in the Control Panel and expand the “Network adapters” section. Uninstall each “Npcap Loopback Adapter” that you find.
  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • The following bugs have been fixed:
  • Qt interface crashes on a profile with packet list only. Bug 16048.
  • Wireshark 3.0.4 does not start on macOS 10.13 after an upgrade from 3.0.3. Bug 16050.
  • NET-SNMP EngineID Length handling Warning. Bug 16051.
  • Upgrade from Wireshark 3.0.2/3.0.3 to 3.0.4/later is confusing and may not complete properly. Bug 16052.
  • Crash SIGSEGV when decrypting IEEE 802.11 EAP re-authentications. Bug 16058.

New in Wireshark 3.0.4 (Sep 12, 2019)

  • What’s New:
  • The Windows installers now ship with Npcap 0.9983. They previously shipped with Npcap 0.996.
  • The macOS installer now ships with Qt 5.12.3. It previously shipped with Qt 5.12.4.
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2019-21 Gryphon dissector infinite loop. Bug 16020.
  • The following bugs have been fixed:
  • Coloring Rules dialog - enable/disable coloring rule issues. Bug 15153.
  • Enabling Time-Of-Day in IO Graph causes the x-axis origin to be set to 01.01.1970. Bug 15247.
  • Wireshark GUI crashes when attempting to DnD multiple (possibly corrupted) pcapng files. Bug 15377.
  • Buildbot crash output: randpkt-2019-06-14-14291.pcap. Bug 15848.
  • 802.11 RSN IE may be shorter than 18 bytes. Bug 15905.
  • Tshark outputs two data rate instead of one. Bug 15928.
  • Typo in checkbox label at bottom of sshdump configuration screen (save parameters). Bug 15929.
  • Invalid pkcs11_libs entry crashes on Windows. Bug 15957.
  • Add additional text output for DNS types (DNSSEC). Bug 15970.
  • LSD bittorent. Bug 15971.
  • dfilter_macros is missing from Configuration Files article. Bug 15973.
  • Pane configuration inconsistencies. Bug 15976.
  • Packet list is sorted in reverse order after applying a display filter in Qt 5.13. Bug 15979.
  • EAP-TLS fragments are repeatedly displayed. Bug 15982.
  • Broken TLS handshake reassembly in EAP-TTLS with multiple TLS sessions. Bug 15983.
  • Wireshark does not support USB packets with size greater than 256 KiB. Bug 15985.
  • "Unable to drop files during capture." when drag’n’drop entry to create display filter or filter button. Bug 15986.
  • Packet Bytes highlight for dns.qry.name.len and dns.count.labels off by one. Bug 15999.
  • Segmentation fault in nfs_name_snoop_fh. Bug 16017.
  • Changing the protocol preferences caused a crash. Bug 16019.
  • DCERPC dissector broken for functions with only scalar variables. Bug 16022.
  • Updated Protocol Support:
  • BACnet, DCERPC, DNS, EAP, FC-dNS, Gryphon, IEEE 802.11, LSD, NFS, and Radiotap
  • New and Updated Capture File Support:
  • CommView and PacketLogger

New in Wireshark 3.0.3 (Jul 18, 2019)

  • What’s New:
  • The Windows installers now ship with Qt 5.12.4. They previously shipped with Qt 5.12.3.
  • The Windows installers now ship with Npcap 0.996. They previously shipped with Npcap 0.995.
  • The macOS installer now ships with Qt 5.12.4. It previously shipped with Qt 5.12.1.
  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2019-20 ASN.1 BER and related dissectors crash. Bug 15870. CVE-2019-13619.
  • The following bugs have been fixed:
  • "ninja install" installs help/faq.py instead of help/faq.txt. Bug 15543.
  • In Wireshark 3.0, encrypted DOCSIS PDU packets no longer match the filter "eth.dst". Bug 15731.
  • Developer’s Guide section 3.9 "Contribute your changes" should incorporate or link "Writing a good commit message" from the Wiki. Bug 15752.
  • RSL dissector bugs in presence of optional IEs. Bug 15789.
  • The "Media Attribute Value" field is missed in rtcp SDP dissection (packet-sdp.c). Bug 15791.
  • BTLE doesn’t properly detect start fragment of L2CAP PDUs. Bug 15807.
  • Wi-SUN FAN decoder error, Channel Spacing and Reserved fields are swapped. Bug 15821.
  • tshark: Display filter error message references "-d" when it should reference "-Y". Bug 15825.
  • Open "protocol" preferences … does not work for protocol in subtree. Bug 15836.
  • Problems with sshdump "Error by extcap pipe: sh: sudo: command not found". Bug 15845.
  • editcap won’t change encapsulation type when writing pcap format. Bug 15873.
  • ITU-T G.8113.1 MPLS-TP OAM CC,LMM,LMR,DMM and DMR are not seen in the 3.0.2. Bug 15887.
  • New and Updated Features:
  • There are no new features in this release.
  • New Protocol Support:
  • There are no new protocols in this release.
  • Updated Protocol Support:
  • AERON, ASN.1, BTLE, CUPS, DNS, DOCSIS, DPNSS, GSM RLC/MAC, HiQnet, ISO 14443, ISObus VT, LDAP, MAC LTE, MIME multipart, MPLS, MQ, RSL, SDP, SMB, TNEF, and Wi-SUN
  • New and Updated Capture File Support:
  • Ascend
  • New and Updated Capture Interfaces support
  • There is no new or updated capture file support in this release.

New in Wireshark 3.0.2 (May 23, 2019)

  • What’s New:
  • The Windows installers now ship with Qt 5.12.3. They previously shipped with Qt 5.12.1.
  • The Windows installers now ship with Npcap 0.995. They previously shipped with Npcap 0.992.
  • The macOS packages are now notarized.
  • Bug Fixes:
  • wnpa-sec-2019-19 Wireshark dissection engine crash. Bug 15778.
  • Add (IETF) QUIC Dissector. Bug 13881.
  • Wireshark Hangs on startup initializing external capture plugins. Bug 14657.
  • [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree — possible infinite loop. Bug 14978.
  • Wireshark can call extcap with empty multicheck argument. Bug 15065.
  • CMPv2 KUR message disection gives unexpected value for serialNumber under OldCertId fields. Bug 15154.
  • "(Git Rev Unknown from unknown)" in version string for official tarball. Bug 15544.
  • External extcap does not get all arguments sometimes. Bug 15586.
  • Help file doesn’t display for extcap interfaces. Bug 15592.
  • Buildbot crash output: randpkt-2019-03-14-4670.pcap. Bug 15604.
  • Building only libraries on windows fails due to CLEAN_C_FILES empty. Bug 15662.
  • Statistics→Conversations→TCP→Follow Stream - incorrect behavior. Bug 15672.
  • Wrong NTP timestamp for RTCP XR RR packets (hf_rtcp_xr_timestamp field). Bug 15687.
  • ws_pipe: leaks pipe handles on errors. Bug 15689.
  • Build issue in Wireshark - 3.0.1 on RHEL6. Bug 15706.
  • ISAKMP: Segmentation fault with non-hex string for IKEv1 Decryption Table Initiator Cookie. Bug 15709.
  • extcap: non-boolean call arguments can be appended without value on selector Reload. Bug 15725.
  • Incorrectly interpreted format of MQTT PUBLISH payload data. Bug 15738.
  • print.c: Memory leak in ek_check_protocolfilter. Bug 15758.
  • IETF QUIC dissector incorrectly parses retry packet. Bug 15764.
  • Bacnet(app): fix wrong value for id 183 (logging-device → logging-object). Bug 15767.
  • The SMB2 code to look up decryption keys by session ID assumes it’s running on a little-endian machine. Bug 15772.
  • tshark -G folders leaves mmdbresolve process behind. Bug 15777.
  • Dissector bug, protocol TLS - failed assertion "data". Bug 15780.
  • WSMP : header_opt_ind field is not correctly set. Bug 15786.
  • Updated Protocol Support:
  • BACapp, DDP, EPL, Frame, IEEE 802.11, IS-IS CLV, ISAKMP, K12, KNXIP, MQTT, PNIO, QUIC, RTCP XR RR, SCTP, SMB2, TDS, TLS, WSMP, and ZEBRA
  • New and Updated Capture File Support:
  • pcapng

New in Wireshark 3.0.1 (Apr 8, 2019)

  • What’s New:
  • The Windows installers now ship with Npcap 0.992. They previously shipped with Npcap 0.99-r9.
  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2019-09 NetScaler file parser crash. Bug 15497. CVE-2019-10895.
  • wnpa-sec-2019-10 SRVLOC dissector crash. Bug 15546. CVE-2019-10899.
  • wnpa-sec-2019-11 IEEE 802.11 dissector infinite loop. Bug 15553. CVE-2019-10897.
  • wnpa-sec-2019-12 GSUP dissector infinite loop. Bug 15585. CVE-2019-10898.
  • wnpa-sec-2019-13 Rbm dissector infinite loop. Bug 15612. CVE-2019-10900.
  • wnpa-sec-2019-14 GSS-API dissector crash. Bug 15613. CVE-2019-10894.
  • wnpa-sec-2019-15 DOF dissector crash. Bug 15617. CVE-2019-10896.
  • wnpa-sec-2019-16 TSDNS dissector crash. Bug 15619. CVE-2019-10902.
  • wnpa-sec-2019-17 LDSS dissector crash. Bug 15620. CVE-2019-10901.
  • wnpa-sec-2019-18 DCERPC SPOOLSS dissector crash. Bug 15568. CVE-2019-10903.
  • The following bugs have been fixed:
  • [oss-fuzz] UBSAN: shift exponent 34 is too large for 32-bit type 'guint32' (aka 'unsigned int') in packet-ieee80211.c:15534:49. Bug 14770.
  • [oss-fuzz] UBSAN: shift exponent 35 is too large for 32-bit type 'int' in packet-couchbase.c:1674:37. Bug 15439.
  • Duplicated TCP SEQ field in ICMP packets. Bug 15533.
  • Wrong length in dhcpv6 NTP Server suboption results in "Malformed Packet" and breaks further dissection. Bug 15542.
  • Wireshark’s speaker-to-MaxMind is burning up the CPU. Bug 15545.
  • GSM-A-RR variable bitmap decoding may report ARFCNs > 1023. Bug 15549.
  • Import hexdump dummy Ethernet header generation ignores direction indication. Bug 15561.
  • %T not supported for timestamps. Bug 15565.
  • LWM2M: resource with rn badly shown. Bug 15572.
  • When selecting BSSAP in 'Decode As' for a SCCP payload, it uses BSSAP+ which is not the same protocol. Bug 15578.
  • Possible buffer overflow in function ssl_md_final for crafted SSL 3.0 sessions. Bug 15599.
  • Windows console log output delay. Bug 15605.
  • Syslog dissector processes the UTF-8 BOM incorrectly. Bug 15607.
  • NFS/NLM: Wrong lock byte range in the "Info" column. Bug 15608.
  • randpkt -r causes segfault when count > 1. Bug 15627.
  • Tshark export to ElasticSearch (-Tek) fails with Bad json_dumper state: illegal transition. Bug 15628.
  • Packets with metadata but no data get the Protocol Info column overwritten. Bug 15630.
  • BGP MP_REACH_NLRI AFI: Layer-2 VPN, SAFI: EVPN - Label stack not decoded. Bug 15631.
  • Buildbot crash output: fuzz-2019-03-23-1789.pcap. Bug 15634.
  • Typo: broli → brotli. Bug 15647.
  • Wrong dissection of GTPv2 MM Context Used NAS integrity protection algorithm. Bug 15648.
  • Windows CHM (help file) title displays quoted HTML characters. Bug 15656.
  • Unable to load 3rd party plugins not signed by Wireshark’s codesigning certificate. Bug 15667.
  • Updated Protocol Support:
  • BGP, BSSAP, Couchbase, DCERPC SPOOLSS, DHCP, DHCPv6, DOF, FP, GSM A RR, GSS-API, GSUP, GTP, GTPv2, H248C, HL7, IEEE 802.11, IEEE 802.15.4, ISO 14443, LDSS, LwM2M-TLV, NLM, Rbm, SIP, SRVLOC, Syslog, TCP, TLS, and TSDNS
  • New and Updated Capture File Support:
  • NetScaler and pcap

New in Wireshark 3.0.0 (Feb 28, 2019)

  • Bug Fixes:
  • Data following a TCP ZeroWindowProbe is marked as retransmission and not passed to subdissectors (Bug 15427).
  • Lua Error on startup: init.lua: dofile has been disabled due to running Wireshark as superuser (Bug 15489).
  • Text and Image columns were handled incorrectly for TDS 7.0 and 7.1. (Bug 3098)
  • Dumpcap might not quit if Wireshark or TShark crashes. (Bug 1419)
  • The following features are new (or have been significantly updated) since version 3.0.0rc1:
  • The IP map feature (the “Map” button in the “Endpoints” dialog) has been added back in a modernized form (Bug 14693).
  • The following features are new (or have been significantly updated) since version 2.9.0:
  • Wireshark now supports the Swedish and Ukrainian languages.
  • Initial support for using PKCS #11 tokens for RSA decryption in TLS. This can be configured at Preferences, RSA Keys.
  • The build system now produces reproducible builds (Bug 15163).
  • The Windows installers now ship with Qt 5.12.1. Previously they shipped with Qt 5.12.0.
  • The following features are new (or have been significantly updated) since version 2.6.0:
  • The Windows .exe installers now ship with Npcap instead of WinPcap. Besides being actively maintained (by the nmap project), Npcap brings support for loopback capture and 802.11 WiFi monitor mode capture (if supported by the NIC driver).
  • Conversation timestamps are supported for UDP/UDP-Lite protocols.
  • TShark now supports the -G elastic-mapping option which generates an ElasticSearch mapping file.
  • The “Capture Information” dialog has been added back (Bug 12004).
  • The Ethernet and IEEE 802.11 dissectors no longer validate the frame check sequence (checksum) by default.
  • The TCP dissector gained a new “Reassemble out-of-order segments” preference to fix dissection and decryption issues in case TCP segments are received out-of-order.
  • Decryption support for the new WireGuard dissector (Bug 15011, requires Libgcrypt 1.8).
  • The BOOTP dissector has been renamed to DHCP. With the exception of “bootp.dhcp”, the old “bootp.*” display filter fields are still supported but may be removed in a future release.
  • The SSL dissector has been renamed to TLS. As with BOOTP the old “ssl.*” display filter fields are supported but may be removed in a future release.
  • Coloring rules, IO graphs, Filter Buttons and protocol preference tables can now be copied from other profiles using a button in the corresponding configuration dialogs.
  • APT-X has been renamed to aptX.
  • When importing from hex dump, it’s now possible to add an ExportPDU header with a payload name. This calls the specific dissector directly without lower protocols.
  • The sshdump and ciscodump extcap interfaces can now use a proxy for the SSH connection.
  • Dumpcap now supports the -a packets:NUM and -b packets:NUM options.
  • Wireshark now includes a “No Reassembly” configuration profile.
  • Wireshark now supports the Russian language.
  • The build system now supports AppImage packages.
  • The Windows installers now ship with Qt 5.12.0. Previously they shipped with Qt 5.9.7.
  • Support for DTLS and TLS decryption using pcapng files that embed a Decryption Secrets Block (DSB) containing a TLS Key Log (Bug 15252).
  • The editcap utility gained a new --inject-secrets option to inject an existing TLS Key Log file into a pcapng file.
  • A new dfilter function string() has been added. It allows the conversion of non-string fields to strings so string functions (such as contains and matches) can be used on them.
  • The Bash test suite has been replaced by one based on Python unittest/pytest.
  • The custom window title can now show file path of the capture file and it has a conditional separator.
  • Removed Features and Support:
  • The legacy (GTK+) user interface has been removed and is no longer supported.
  • The portaudio library is no longer needed due to the removal of GTK+.
  • Wireshark requires Qt 5.2 or later. Qt 4 is no longer supported.
  • Wireshark requires GLib 2.32 or later.
  • Wireshark requires GnuTLS 3.2 or later as optional dependency.
  • Building Wireshark requires Python 3.4 or newer, Python 2.7 is unsupported.
  • Building Wireshark requires CMake. Autotools is no longer supported.
  • TShark’s -z compare option was removed.
  • Building with Cygwin is no longer supported on Windows.
  • New File Format Decoding Support
  • Ruby Marshal format
  • New Protocol Support:
  • Apple Wireless Direct Link (AWDL), Basic Transport Protocol (BTP), BLIP Couchbase Mobile (BLIP), CDMA 2000, Circuit Emulation Service over Ethernet (CESoETH), Cisco Meraki Discovery Protocol (MDP), Distributed Ruby (DRb), DXL, E1AP (5G), EVS (3GPP TS 26.445 A.2 EVS RTP), Exablaze trailers, General Circuit Services Notification Application Protocol (GCSNA), GeoNetworking (GeoNw), GLOW Lawo Emberplus Data format, Great Britain Companion Specification (GBCS) used in the Smart Metering Equipment Technical Specifications (SMETS), GSM-R (User-to-User Information Element usage), HI3CCLinkData, Intelligent Transport Systems (ITS) application level, ISO 13400-2 Diagnostic communication over Internet Protocol (DoIP), ITU-T X.696 Octet Encoding Rules (OER), Local Number Portability Database Query Protocol (ANSI), MsgPack, NGAP (5G), NR (5G) PDCP, Osmocom Generic Subscriber Update Protocol (GSUP), PCOM protocol, PKCS#10 (RFC2986 Certification Request Syntax), PROXY (v2), S101 Lawo Emberplus transport frame, Secure Reliable Transport Protocol (SRT), Spirent Test Center Signature decoding for Ethernet and FibreChannel (STCSIG, disabled by default), Sybase-specific portions of TDS, systemd Journal Export, TeamSpeak 3 DNS, TPM 2.0, Ubiquiti Discovery Protocol (UBDP), WireGuard, XnAP (5G), and Z39.50 Information Retrieval Protocol
  • New and Updated Capture File Support:
  • RFC 7468 (PEM), Ruby marshal object files, systemd Journal Export, and Unigraf DPA-400 DisplayPort AUX channel monitor
  • New and Updated Capture Interfaces support:
  • dpauxmon, an external capture interface (extcap) that captures DisplayPort AUX channel data from Linux kernel drivers.
  • sdjournal, an extcap that captures systemd journal entries.
  • Major API Changes:
  • Lua: the various logging functions (debug, info, message, warn and critical) have been removed. Use the print function instead for debugging purposes.
  • Lua: on Windows, file-related functions such as dofile now assume UTF-8 paths instead of the local code page. This is consistent with Linux and macOS and improves compatibility on non-English systems. (Bug 15118)

New in Wireshark 2.6.7 (Feb 27, 2019)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2019-06 ASN.1 BER and related dissectors crash. Bug 15447. CVE-2019-9209.
  • wnpa-sec-2019-07 TCAP dissector crash. Bug 15464. CVE-2019-9208.
  • wnpa-sec-2019-08 RPCAP dissector crash. Bug 15536.
  • The following bugs have been fixed:
  • Alignment Lost after Editing Column. Bug 14177.
  • Crash on applying display filters or coloring rules on capture files containing non-UTF-8 data. Bug 14905.
  • tshark outputs debug information. Bug 15341.
  • Feature request - HTTP, add the field "request URI" to response. Bug 15344.
  • randpkt should be distributed with the Windows installer. Bug 15395.
  • Memory leak with "-T ek" output format option. Bug 15406.
  • Display error in negative response time stats (gint displayed as unsigned). Bug 15416.
  • _epl_xdd_init not found. Bug 15419.
  • Decoding of MEGACO/H.248 request shows the Remote descriptor as "Local descriptor". Bug 15430.
  • Repeated NFS in Protocol Display field. Bug 15443.
  • RBM file dissector adds too many items to the tree, resulting in aborting the program. Bug 15448.
  • Wireshark heap out-of-bounds read in infer_pkt_encap. Bug 15463.
  • Column width and hidden issues when switching profiles. Bug 15466.
  • GTPv1-C SGSN Context Response / Forward Relocation Request decode GGSN address IPV6 issue. Bug 15485.
  • Lua Error on startup: init.lua: dofile has been disabled due to running Wireshark as superuser. Bug 15489.
  • DICOM ASSOCIATE Accept: Protocol Version. Bug 15495.
  • Multiple out-of-bounds reads in NetScaler trace handling (wiretap/netscaler.c). Bug 15497.
  • Wrong endianness when dissecting the "chain offset" in SMB2 protocol header. Bug 15524.
  • Memory leak in mate_grammar.lemon’s recolonize function. Bug 15525.
  • Updated Protocol Support:
  • ASN.1 BER, BSSAP, BT Mesh, DICOM, DNP3, EPL, ETSI CAT, GTP, HTTP, IEEE 802.15.4, ISAKMP, MEGACO, MPLS Echo, RPC, RPCAP, SMB2, and TCAP
  • Major API Changes:
  • Lua: on Windows, file-related functions such as dofile now assume UTF-8 paths instead of the local code page. This is consistent with Linux and macOS and improves compatibility on non-English systems. (Bug 15118)

New in Wireshark 3.0.0 RC2 (Feb 23, 2019)

  • The IP map feature (the “Map” button in the “Endpoints” dialog) has been added back in a modernized form (Bug 14693).
  • The macOS package now ships with Qt 5.12.1. Previously it shipped with Qt 5.9.7.
  • The macOS package requires version 10.12 or later. If you’re running an older version of macOS, please use Wireshark 2.6.
  • TShark now supports the -G elastic-mapping option which generates an ElasticSearch mapping file.
  • The “Capture Information” dialog has been added back (Bug 12004).
  • The Ethernet and IEEE 802.11 dissectors no longer validate the frame check sequence (checksum) by default.
  • The TCP dissector gained a new “Reassemble out-of-order segments” preference to fix dissection and decryption issues in case TCP segments are received out-of-order. See the User’s Guide, chapter TCP Reassembly for details.
  • Decryption support for the new WireGuard dissector (Bug 15011, requires Libgcrypt 1.8).
  • The BOOTP dissector has been renamed to DHCP. With the exception of “bootp.dhcp”, the old “bootp.*” display filter fields are still supported but may be removed in a future release.
  • The SSL dissector has been renamed to TLS. As with BOOTP the old “ssl.*” display filter fields are supported but may be removed in a future release.
  • Coloring rules, IO graphs, Filter Buttons and protocol preference tables can now be copied from other profiles using a button in the corresponding configuration dialogs.
  • APT-X has been renamed to aptX.
  • When importing from hex dump, it’s now possible to add an ExportPDU header with a payload name. This calls the specific dissector directly without lower protocols.
  • The sshdump and ciscodump extcap interfaces can now use a proxy for the SSH connection.
  • Dumpcap now supports the -a packets:NUM and -b packets:NUM options.
  • Wireshark now includes a “No Reassembly” configuration profile.
  • Wireshark now supports the Russian language.
  • The build system now supports AppImage packages.
  • The Windows installers now ship with Qt 5.12.0. Previously they shipped with Qt 5.9.7.
  • Support for DTLS and TLS decryption using pcapng files that embed a Decryption Secrets Block (DSB) containing a TLS Key Log (Bug 15252).
  • The editcap utility gained a new --inject-secrets option to inject an existing TLS Key Log file into a pcapng file.
  • A new dfilter function string() has been added. It allows the conversion of non-string fields to strings so string functions (such as contains and matches) can be used on them.
  • The Bash test suite has been replaced by one based on Python unittest/pytest.
  • The custom window title can now show file path of the capture file and it has a conditional separator.
  • Official releases are available right now from the download page.

New in Wireshark 3.0.0 RC1 (Feb 18, 2019)

  • Bug fixes:
  • Data following a TCP ZeroWindowProbe is marked as retransmission and not passed to subdissectors (Bug 15427).
  • Lua Error on startup: init.lua: dofile has been disabled due to running Wireshark as superuser (Bug 15489).
  • Text and Image columns were handled incorrectly for TDS 7.0 and 7.1. (Bug 3098)
  • Dumpcap might not quit if Wireshark or TShark crashes. (Bug 1419)
  • New and updated features:
  • Wireshark now supports the Swedish and Ukrainian languages.
  • Initial support for using PKCS #11 tokens for RSA decryption in TLS. This can be configured at Preferences, RSA Keys.
  • The build system now produces reproducible builds (Bug 15163).
  • The Windows installers now ship with Qt 5.12.1. Previously they shipped with Qt 5.12.0.

New in Wireshark 2.6.6 (Jan 9, 2019)

  • What’s New:
  • The Windows installers now ship with Qt 5.9.7. Previously they shipped with Qt 5.9.5.
  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2019-01 The 6LoWPAN dissector could crash. Bug 15217. CVE-2019-5716.
  • wnpa-sec-2019-02 The P_MUL dissector could crash. Bug 15337. CVE-2019-5717.
  • wnpa-sec-2019-03 The RTSE dissector and other dissectors could crash. Bug 15373. CVE-2019-5718.
  • wnpa-sec-2019-04 The ISAKMP dissector could crash. Bug 15374. CVE-2019-5719.
  • The following bugs have been fixed:
  • console.lua not found in a folder with non-ASCII characters in its name. Bug 15118.
  • Disabling "Update list of packets in real time" will generally trigger crash after three start capture, stop capture cycles. Bug 15263.
  • UDP Multicast Stream double counts. Bug 15271.
  • text2pcap et al. set snaplength to 64kiB-1, while processing frames of 256kiB. Bug 15292.
  • Builds without libpcap fail if the libpcap headers aren’t installed. Bug 15317.
  • TCAP AnalogRedirectRecord parameter incorrectly coded as mandatory in QualReq_rr message. Bug 15350.
  • macOS DMG appears to have duplicate files. Bug 15361.
  • Wireshark jumps behind other windows when opening UAT dialogs. Bug 15366.
  • Pathnames containing non-ASCII characters are mangled in error dialogs on Windows. Bug 15367.
  • Executing -z http,stat -r file.pcapng throws a segmentation fault. Bug 15369.
  • IS-41 TCAP RegistrationNotification Invoke has borderCellAccess parameter coded as tag 50 (as denyAccess) but should be 58. Bug 15372.
  • In DNS statistics, response times > 1 sec not included. Bug 15382.
  • GTPv2 APN dissect problem. Bug 15383.
  • Updated Protocol Support:
  • 6LoWPAN, ANSI MAP, DNP3, DNS, GSM A, GTP, GTPv2, IMF, ISAKMP, ISObus VT, Kerberos, P_MUL, RTSE, S7COMM, and TCAP
  • Major API Changes:
  • Lua: on Windows, file-related functions such as dofile now assume UTF-8 paths instead of the local code page. This is consistent with Linux and macOS and improves compatibility on non-English systems. (Bug 15118)

New in Wireshark 2.9.0 Development (Dec 13, 2018)

  • New features:
  • The Windows .exe installers now ship with Npcap instead of WinPcap.
  • Conversation timestamps are supported for UDP/UDP-Lite protocols.
  • TShark now supports the -G elastic-mapping option which generates an ElasticSearch mapping file.
  • The “Capture Information” dialog has been added back (Bug 12004).
  • The Ethernet and IEEE 802.11 dissectors no longer validate the frame check sequence (checksum) by default.
  • The TCP dissector gained a new “Reassemble out-of-order segments” preference to fix dissection and decryption issues in case TCP segments are received out-of-order. See the User’s Guide, chapter TCP Reassembly for details.
  • Decryption support for the new WireGuard dissector (Bug 15011, requires Libgcrypt 1.8).
  • The BOOTP dissector has been renamed to DHCP. With the exception of “bootp.dhcp”, the old “bootp.*” display filter fields are still supported but may be removed in a future release.
  • The SSL dissector has been renamed to TLS. As with BOOTP the old “ssl.*” display filter fields are supported but may be removed in a future release.
  • Coloring rules, IO graphs, Filter Buttons and protocol preference tables can now be copied from other profiles using a button in the corresponding configuration dialogs.
  • APT-X has been renamed to aptX.
  • When importing from hex dump, it’s now possible to add an ExportPDU header with a payload name. This calls the specific dissector directly without lower protocols.
  • The sshdump and ciscodump extcap interfaces can now use a proxy for the SSH connection.
  • Dumpcap now supports the -a packets:NUM and -b packets:NUM options.
  • Wireshark now includes a “No Reassembly” configuration profile.
  • Wireshark now supports the Russian language.
  • The build system now supports AppImage packages.
  • The Windows installers now ship with Qt 5.12.0. Previously they shipped with Qt 5.9.7.
  • Removed Features and Support:
  • The legacy (GTK+) user interface has been removed and is no longer supported.
  • Wireshark requires Qt 5.2 or later. Qt 4 is no longer supported.
  • Wireshark requires GLib 2.32 or later.
  • Building Wireshark requires CMake. Autotools is no longer supported.
  • TShark’s -z compare option was removed.
  • New File Format Decoding Support:
  • Ruby Marshal format
  • New Protocol Support:
  • Apple Wireless Direct Link (AWDL), BLIP Couchbase Mobile (BLIP), CDMA 2000, Cisco Meraki Discovery Protocol (MDP), Distributed Ruby (DRb), DXL, E1AP (5G), EVS (3GPP TS 26.445 A.2 EVS RTP), Exablaze trailers, General Circuit Services Notification Application Protocol (GCSNA), GLOW Lawo Emberplus Data format, GSM-R (User-to-User Information Element usage), HI3CCLinkData, ISO 13400-2 Diagnostic communication over Internet Protocol (DoIP), ITU-T X.696 Octet Encoding Rules (OER), Local Number Portability Database Query Protocol (ANSI), MsgPack, NGAP (5G), NR (5G) PDCP, Osmocom Generic Subscriber Update Protocol (GSUP), PKCS#10 (RFC2986 Certification Request Syntax), PROXY (v2), S101 Lawo Emberplus transport frame, Secure Reliable Transport Protocol (SRT), Spirent Test Center Signature decoding for Ethernet and FibreChannel (STCSIG, disabled by default), Sybase-specific portions of TDS, systemd Journal Export, TeamSpeak 3 DNS, TPM 2.0, Ubiquiti Discovery Protocol (UBDP), WireGuard, and XnAP (5G)
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • RFC 7468 (PEM), Ruby marshal object files, systemd Journal Export, and Unigraf DPA-400 DisplayPort AUX channel monitor
  • New and Updated Capture Interfaces support:
  • dpauxmon, an external capture interface (extcap) that captures DisplayPort AUX channel data from Linux kernel drivers.
  • sdjournal, an extcap that captures systemd journal entries.
  • Major API Changes:
  • Lua: the various logging functions (debug, info, message, warn and critical) have been removed. Use the print function instead for debugging purposes.

New in Wireshark 2.6.5 (Nov 29, 2018)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2018-51 The Wireshark dissection engine could crash. Bug 14466. CVE-2018-19625.
  • wnpa-sec-2018-52 The DCOM dissector could crash. Bug 15130. CVE-2018-19626.
  • wnpa-sec-2018-53 The LBMPDM dissector could crash. Bug 15132. CVE-2018-19623.
  • wnpa-sec-2018-54 The MMSE dissector could go into an infinite loop. Bug 15250. CVE-2018-19622.
  • wnpa-sec-2018-55 The IxVeriWave file parser could crash. Bug 15279. CVE-2018-19627.
  • wnpa-sec-2018-56 The PVFS dissector could crash. Bug 15280. CVE-2018-19624.
  • wnpa-sec-2018-57 The ZigBee ZCL dissector could crash. Bug 15281. CVE-2018-19628.
  • The following bugs have been fixed:
  • VoIP Calls dialog doesn’t include RTP stream when preparing a filter. Bug 13440.
  • Wireshark installs on macOS with permissions for /Library/Application Support/Wireshark that are too restrictive. Bug 14335.
  • Closing Enabled Protocols dialog crashes Wireshark. Bug 14349.
  • Unable to Export Objects → HTTP after sorting columns. Bug 14545.
  • DNS Response to NS query shows as malformed packet. Bug 14574.
  • Encrypted Alerts corresponds to a wrong selection in the packet bytes pane. Bug 14712.
  • Wireshark crashes/asserts with Qt 5.11.1 and assert/debugsymbols enabled. Bug 15014.
  • ESP will not decode since 2.6.2 - works fine in 2.4.6 or 2.4.8. Bug 15056.
  • Text2pcap generates malformed packets when TCP, UDP or SCTP headers are added together with IPv6 header. Bug 15194.
  • Wireshark tries to decode EAP-SIM Pseudonym Identity. Bug 15196.
  • Infinite read loop when extcap exits with error and error message. Bug 15205.
  • MATE unable to extract fields for PDU. Bug 15208.
  • Malformed Packet: SV. Bug 15224.
  • OPC UA Max nesting depth exceeded for valid packet. Bug 15226.
  • TShark 2.6 does not print GeoIP information. Bug 15230.
  • ISUP (ANSI) packets malformed in WS versions later than 2.4.8. Bug 15236.
  • Handover candidate enquire message not decoded. Bug 15237.
  • TShark piping output in a cmd or PowerShell prompt stops working when GeoIP is enabled. Bug 15248.
  • ICMPv6 with routing header incorrectly placed. Bug 15270.
  • IEEE 802.11 Vendor Specific fixed fields display as malformed packets. Bug 15273.
  • Text2pcap -4 and -6 option should require -i as well. Bug 15275.
  • Text2pcap direction sensitivity does not affect dummy ethernet addresses. Bug 15287.
  • MLE security suite display incorrect. Bug 15288.
  • Message for incorrect IPv4 option lengths is incorrect. Bug 15290.
  • TACACS+ dissector does not properly reassemble large accounting messages. Bug 15293.
  • NLRI of S-PMSI A-D BGP route not being displayed. Bug 15307.
  • New and Updated Features
  • There are no new features in this release.
  • New Protocol Support
  • There are no new protocols in this release.
  • Updated Protocol Support
  • BGP, DCERPC, DCOM, DNS, EAP, ESP, GSM A BSSMAP, IEEE 802.11, IEEE 802.11 Radiotap, IPv4, IPv6, ISUP, LBMPDM, LISP, MLE, MMSE, OpcUa, PVFS, SLL, SSL/TLS, SV, TACACS+, TCAP, Wi-SUN, XRA, and ZigBee ZCL
  • New and Updated Capture File Support
  • 3GPP TS 32.423 Trace and IxVeriWave
  • New and Updated Capture Interfaces support
  • Sshdump
  • Getting Wireshark
  • Wireshark source code and installation packages are available from https://www.wireshark.org/download.html.
  • Vendor-supplied Packages
  • Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
  • File Locations
  • Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About→Folders to find the default locations on your system.
  • Known Problems
  • The BER dissector might infinitely loop. Bug 1516.
  • Capture filters aren’t applied when capturing from named pipes. Bug 1814.
  • Filtering tshark captures with read filters (-R) no longer works. Bug 2234.
  • Application crash when changing real-time option. Bug 4035.
  • Wireshark and TShark will display incorrect delta times in some cases. Bug 4985.
  • Wireshark should let you work with multiple capture files. Bug 10488.
  • Getting Help
  • Community support is available on Wireshark’s Q&A site and on the wireshark-users mailing list. Subscription information and archives for all of Wireshark’s mailing lists can be found on the web site.

New in Wireshark 2.6.4 (Oct 12, 2018)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2018-47 MS-WSP dissector crash. Bug 15119. CVE-2018-18227.
  • wnpa-sec-2018-48 Steam IHS Discovery dissector memory leak. Bug 15171. CVE-2018-18226.
  • wnpa-sec-2018-49 CoAP dissector crash. Bug 15172. CVE-2018-18225.
  • wnpa-sec-2018-50 OpcUA dissector crash. CVE-2018-12086.
  • The following bugs have been fixed:
  • HTTP2 dissector decodes first SSL record only. Bug 11173.
  • Undocumented sub-option for -N option in man page and tshark -N help. Bug 14826.
  • Mishandling of Port Control Protocol option padding. Bug 14950.
  • MGCP: parameter lines are case-insensitive. Bug 15008.
  • Details of 2nd sub-VSA in bundled RADIUS VSA are incorrect. Bug 15073.
  • Heuristic DPLAY dissector fails to recognize DPLAY packets. Bug 15092.
  • gsm_rlcmac_dl dissector exception. Bug 15112.
  • dfilter_buttons file under user-created profile. Bug 15114.
  • Filter buttons disappear when using pre-2.6 profile. Bug 15121.
  • PROFINET Information element AM_DeviceIdentification in Asset Management Info block is decoded wrongly. Bug 15140.
  • Hw dest addr column shows incorrect address. Bug 15144.
  • Windows dumpcap -i TCP@<ip-address> fails on pcapng stream. Bug 15149.
  • Wildcard expansion doesn’t work on Windows 10 for command-line programs in cmd.exe or PowerShell. Bug 15151.
  • SSL Reassembly Error New fragment past old data limits. Bug 15158.

New in Wireshark 2.6.3 (Aug 30, 2018)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2018-44. Bluetooth AVDTP dissector crash. Bug 14884. CVE-2018-16058.
  • wnpa-sec-2018-45. Bluetooth Attribute Protocol dissector crash. Bug 14994. CVE-2018-16056.
  • wnpa-sec-2018-46. Radiotap dissector crash. Bug 15022. CVE-2018-16057.
  • The following bugs have been fixed:
  • Wireshark Hangs on startup initializing external capture plugins. Bug 14657.
  • Qt: SCTP Analyse Association Dialog: Segmentation fault when clicking twice the Filter Association button. Bug 14970.
  • Incorrect presentation of dissected data item (NETMASK) in ISAKMP dissector. Bug 14987.
  • Decode NFAPI: CONFIG.request Error. Bug 14988.
  • udpdump frame too long error. Bug 14989.
  • ISDN - LAPD dissector broken since version 2.5.0. Bug 15018.
  • ASTERIX Category 062 / 135 Altitude has wrong value. Bug 15030.
  • Wireshark cannot decrypt SSL/TLS session if it was proxied over HTTP tunnel. Bug 15042.
  • TLS records in a HTTP tunnel are displayed as "Encrypted Handshake Message". Bug 15043.
  • BTATT Dissector: Temperature Measurement: Celsius and Fahrenheit swapped. Bug 15058.
  • Diameter AVP User Location Info, Mobile Network Code decoded not correctly. Bug 15068.
  • Heartbeat message "Info" displayed without comma separator. Bug 15079.
  • Updated Protocol Support:
  • ASTERIX, Bluetooth, Bluetooth ATT, Bluetooth AVDTP, DHCP, DTLS, E.212, FP, GSM A RR, HTTP, HTTP2, IEEE 802.11, ISAKMP, ISDN, K12, NFAPI, Nordic BLE, PFCP, Radiotap, SSL, Steam IHS Discovery, and TLS 1.3
  • New and Updated Capture File Support:
  • pcapng
  • New and Updated Capture Interfaces support:
  • ciscodump, udpdump
  • Known Problems:
  • The BER dissector might infinitely loop. Bug 1516.
  • Capture filters aren’t applied when capturing from named pipes. Bug 1814.
  • Filtering tshark captures with read filters (-R) no longer works. Bug 2234.
  • Application crash when changing real-time option. Bug 4035.
  • Wireshark and TShark will display incorrect delta times in some cases. Bug 4985.
  • Wireshark should let you work with multiple capture files. Bug 10488.

New in Wireshark 2.6.2 (Jul 19, 2018)

  • What’s New:
  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2018-34 BGP dissector large loop. Bug 13741. CVE-2018-14342.
  • wnpa-sec-2018-35 ISMP dissector crash. Bug 14672. CVE-2018-14344.
  • wnpa-sec-2018-36 Multiple dissectors could crash. Bug 14675. CVE-2018-14340.
  • wnpa-sec-2018-37 ASN.1 BER dissector crash. Bug 14682. CVE-2018-14343.
  • wnpa-sec-2018-38 MMSE dissector infinite loop. Bug 14738. CVE-2018-14339.
  • wnpa-sec-2018-39 DICOM dissector crash. Bug 14742. CVE-2018-14341.
  • wnpa-sec-2018-40 Bazaar dissector infinite loop. Bug 14841. CVE-2018-14368.
  • wnpa-sec-2018-41 HTTP2 dissector crash. Bug 14869. CVE-2018-14369.
  • wnpa-sec-2018-42 CoAP dissector crash. Bug 14966. CVE-2018-14367.
  • The following bugs have been fixed:
  • ISMP.EDP "Tuples" dissected incorrectly. Bug 4943.
  • Wireshark - Race issue when switching between files using Wireshark’s "Files in Set" dialog. Bug 10870.
  • Sorting on "Source port" or "Destination port" column sorts alphabetically, not numerically. Bug 11460.
  • Wireshark crashes when changing profiles. Bug 11648.
  • Crash when starting capture while saving capture file or rescanning file after display filter change. Bug 13594.
  • Crash when switching to TRANSUM enabled profile. Bug 13697.
  • TCP retransmission with additional payload leads to incorrect bytes and length in stream. Bug 13700.
  • Wireshark crashes with single quote string display filter. Bug 14084.
  • randpkt can write packets that libwiretap can’t read. Bug 14107.
  • Wireshark crashes when loading new file before previous load has finished. Bug 14351.
  • Valid packet produces Malformed Packet: OpcUa. Bug 14465.
  • Error received from dissect_wccp2_hash_assignment_info(). Bug 14573.
  • CRC checker wrong for FPP. Bug 14610.
  • Cross-build broken due to make-dissectors and make-taps. Bug 14622.
  • Extraction of SMB file results in wrong size. Bug 14662.
  • 6LoWPAN dissector merges fragments from different sources. Bug 14700.
  • IP address to name resolution doesn’t work in TShark. Bug 14711.
  • "Decode as" Modbus RTU over USB doesn’t work with 2.6.0 but with 2.4.6. Bug 14717.
  • proto_tree_add_protocol_format might leak memory. Bug 14719.
  • tostring for NSTime objects in lua gives wrong results. Bug 14720.
  • Media type "application/octet-stream" registered for both Thread and UASIP. Bug 14729.
  • Crash related to SCTP tap. Bug 14733.
  • Formatting of OSI area addresses/address prefixes goes past the end of the area address/address prefix. Bug 14744.
  • ICMPv6 Router Renumbering - Packet Dissector - malformed. Bug 14755.
  • WiMAX HARQ MAP decoder segfaults when length is too short. Bug 14780.
  • HTTP PUT request following a HEAD request is not correctly decoded. Bug 14793.
  • SYNC PDU type 3 miss the last PDU length. Bug 14823.
  • Reversed 128 bits service UUIDs when Bluetooth Low Energy advertisement data are dissected. Bug 14843.
  • Issues with Wireshark when the user doesn’t have permission to capture. Bug 14847.
  • Wrong description when LE Bluetooth Device Address type is dissected. Bug 14866.
  • LE Role advertisement type (0x1c) is not dissected properly according to the Bluetooth specification. Bug 14868.
  • Regression: Wireshark 2.6.0 and 2.6.1 are unable to read NetMon files which were readable by previous versions. Bug 14876.
  • Wireshark doesn’t properly display (deliberately) invalid 220 responses from Postfix. Bug 14878.
  • Follow TCP Stream and click reassembled content moves you to incorrect current packet. Bug 14898.
  • Crash when changing profiles while loading a capture file. Bug 14918.
  • Duplicate PDU during C Arrays Output Export. Bug 14933.
  • DCE/RPC not dissected when "reserved for use by implementations" flag bits set. Bug 14942.
  • Follow TCP Stream truncates output on missing (but ACKed) segments. Bug 14944.
  • There’s no option to include column headings when printing packets or exporting packet dissections with Qt Wireshark. Bug 14945.
  • Qt: SCTP Graph Dialog: Abort when doing analysis. Bug 14971.
  • CMake is unable to find LUA libraries. Bug 14983.
  • Updated Protocol Support:
  • 6LoWPAN, ASN.1 BER, Bazaar, BGP, Bluetooth, Bluetooth HCI_CMD, CIGI, Cisco ttag, CoAP, Data, DCERPC, Diameter 3GPP, DICOM, DOCSIS, FPP, GSM A GM, GTPv2, HTTP, HTTP2, IAX2, ICMPv6, IEEE 1722, IEEE 802.11, IPv4, ISMP, LISP, MMSE, MTP3, MySQL, NFS, OpcUa, PPI GPS, Q.931, RNSAP, RPCoRDMA, S1AP, SCTP, SMB, SMTP, STUN, SYNC, T.30, TCP, TRANSUM, WAP, WCCP, Wi-SUN, WiMax HARQ Map Message, and WSP
  • New and Updated Capture File Support:
  • Alcatel-Lucent Ascend and Microsoft Network Monitor

New in Wireshark 2.6.1 (May 23, 2018)

  • What’s New:
  • The Windows installers now ship with Qt 5.9.5. Previously they shipped with Qt 5.9.4.
  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • ws-sa2018-25
  • The LDSS dissector could crash. (ws-bug14615)
  • ws-sa2018-26
  • The IEEE 1905.1a dissector could crash. (ws-bug14647)
  • ws-sa2018-27
  • The RTCP dissector could crash. (ws-bug14673)
  • ws-sa2018-28
  • Multiple dissectors could consume excessive memory. (ws-bug14678)
  • ws-sa2018-29
  • The DNS dissector could crash. (ws-bug14681)
  • ws-sa2018-30
  • The GSM A DTAP dissector could crash. (ws-bug14688)
  • ws-sa2018-31
  • The Q.931 dissector could crash. (ws-bug14689)
  • ws-sa2018-32
  • The IEEE 802.11 dissector could crash. (ws-bug14686)
  • ws-sa2018-33
  • Multiple dissectors could crash. (ws-bug14703)
  • The following bugs have been fixed:
  • Qt GUI does not snap to exactly half of screen in Windows. (Bug 13516)
  • Segmentation fault when switching profiles. (Bug 14316)
  • QUIC dissector produces incorrect packet numbers (wrong-endian). (Bug 14462)
  • Wrong default file format chosen when saving a capture with comments added if the original format doesn’t support comments. (Bug 14601)
  • Lua: Error during loading [AppData directory]:1: bad argument #1 to dofile (dofile: file does not exist). (Bug 14619)
  • Crash when selecting text. (Bug 14620)
  • ui/macosx directory missing from source release tarball. (Bug 14627)
  • Wireshark 2.9.0 snapshot crashes/segfaults on Windows when launched with -k or -i. (Bug 14632)
  • "Copy as printable text" isn’t copying non-alphanumeric characters. (Bug 14633)
  • File missing from release tarball. (Bug 14634)
  • NEWS is out of date and does not display properly in Notepad. (Bug 14636)
  • l16mono.so is installed in the wrong place. (Bug 14638)
  • Remove: HACK to support UHD’s weird header offset on data packets. (Bug 14641)
  • WinSparkle 0.5.6 is out of date and is buggy. (Bug 14642)
  • Unable to create or open VOIP captures. (Bug 14648)
  • RTMPT: incorrect dissection of multiple RTMP packets within a single TCP packet. (Bug 14650)
  • Endpoints dialog displays invalid GeoIP information due to incorrect byte order. (Bug 14656)
  • Qt: Crash in ShowPacketBytesDialog(). (Bug 14658)
  • Statistics → Resolved addresses show IP addresses without domain. (Bug 14667)
  • Erroneous MAC-LTE Dissection for Sidelink Shared Channel Packets. (Bug 14669)
  • Files missing from docbook CMake file. (Bug 14676)
  • Wireshark hangs when opening certain files if it’s been configured to use the new GeoIP databases. (Bug 14701)
  • The “Open”, “Save”, and other file dialogs should now be shown at the correct size on HiDPI Windows systems.
  • Updated Protocol Support:
  • BATADV, BT LE LL, CoAP, DNS, DTLS, GSM A DTAP, GSM A GM, GTP, GTPv2, IEEE 1905.1a, IEEE 802.11, LDSS, LwM2M-TLV, MAC LTE, NAS EPS, Q.931, RTCP, RTMPT, SDP, TCP, and VITA 49
  • New and Updated Capture File Support
  • 3GPP TS 32.423 Trace and Android Logcat
  • New and Updated Capture Interfaces support

New in Wireshark 2.6.0 (Apr 25, 2018)

  • HTTP Request sequences are now supported.
  • Wireshark now supports MaxMind DB files. Support for GeoIP and GeoLite Legacy databases has been removed.
  • The Windows packages are now built using Microsoft Visual Studio 2017.
  • The IP map feature (the “Map” button in the “Endpoints” dialog) has been removed.

New in Wireshark 2.4.6 (Apr 4, 2018)

  • The following vulnerabilities have been fixed:
  • The MP4 dissector could crash. (Bug 13777)
  • The ADB dissector could crash. (Bug 14460)
  • The IEEE 802.15.4 dissector could crash. (Bug 14468)
  • The NBAP dissector could crash. (Bug 14471)
  • The VLAN dissector could crash. (Bug 14469)
  • The LWAPP dissector could crash. (Bug 14467)
  • The TCP dissector could crash. (Bug 14472)
  • The CQL dissector could go into an infinite loop. (Bug 14530)
  • The Kerberos dissector could crash. (Bug 14576)
  • Multiple dissectors and other modules could leak memory. The TN3270 (Bug 14480), ISUP (Bug 14481), LAPD (Bug 14482), SMB2 (Bug 14483), GIOP (Bug 14484), ASN.1 (Bug 14485), MIME multipart (Bug 14486), H.223 (Bug 14487), and PCP (Bug 14488) dissectors were susceptible along with Wireshark and TShark (Bug 14489).
  • The following bugs have been fixed:
  • TRANSUM doesn’t account for DNS retries in the Request Spread. (Bug 14210)
  • BGP: IPv6 NLRI is received with Add-path ID, then Wireshark is not able to decode the packet correctly. (Bug 14241)
  • Lua script calling Ethernet dissector runs OK in 1.12.4 but crashes in later releases. (Bug 14293)
  • PEEKREMOTE dissector lacks 80mhz support, short preamble support and spatial streams encoding. (Bug 14452)
  • Statistics > UDP Multicast Streams > [Copy|Save as..] is broken. (Bug 14477)
  • Typo error in enumeration value of speech version identifier. (Bug 14528)
  • In "Unsaved packets" dialog one can NOT use keyboard to choose "Continue without Saving". (Bug 14531)
  • WCCP logical error in CHECK_LENGTH_ADVANCE_OFFSET macros. (Bug 14538)
  • Buildbot crash output: fuzz-2018-03-19-19114.pcap. (Bug 14544)
  • alloca() used in wsutil/getopt_long.c without <alloca.h> inclusion. (Bug 14552)
  • HP-UX HP ANSI C requires -Wp,-H200000 flag to compile. (Bug 14554)
  • Makefile.in uses non-portable "install" command. (Bug 14555)
  • HP-UX HP ANSI C doesn’t support assigning {} to a variable in epan/app_mem_usage.c. (Bug 14556)
  • PPP in SSTP, HDLC framing not parsed properly. (Bug 14559)
  • Using the DIAMETER dictionary causes the standard input to be closed when the dictionary is read. (Bug 14577)
  • Updated Protocol Support:
  • 6LoWPAN, ADB, BGP, CQL, DNS, Ethernet, GIOP, GSM BSSMAP, H.223, IEEE 802.11, IEEE 802.11 Radiotap, IEEE 802.15.4, ISUP, Kerberos, LAPD, LWAPP, MIME multipart, MP4, NBAP, NORDIC_BLE, PCP, PEEKREMOTE, S1AP, SMB2, SSTP, T.30, TCP, TN3270, TRANSUM, VLAN, WCCP, and WSP

New in Wireshark 2.4.5 (Feb 24, 2018)

  • BUG FIXES:
  • The following vulnerabilities have been fixed:
  • The IEEE 802.11 dissector could crash. Bug 14442, CVE-2018-7335
  • Multiple dissectors could go into large infinite loops. All ASN.1 BER dissectors (Bug 14444), along with the DICOM (Bug 14411), DMP (Bug 14408), LLTD (Bug 14419), OpenFlow (Bug 14420), RELOAD (Bug 14445), RPCoRDMA (Bug 14449), RPKI-Router (Bug 14414), S7COMM (Bug 14423), SCCP (Bug 14413), Thread (Bug 14428), Thrift (Bug 14379), USB (Bug 14421), and WCCP (Bug 14412) dissectors were susceptible.
  • The UMTS MAC dissector could crash. Bug 14339, CVE-2018-7334
  • The DOCSIS dissector could crash. Bug 14446, CVE-2018-7337
  • The FCP dissector could crash. Bug 14374, CVE-2018-7336
  • The SIGCOMP dissector could crash. Bug 14398, CVE-2018-7320
  • The pcapng file parser could crash. Bug 14403, CVE-2018-7420
  • The IPMI dissector could crash. Bug 14409, CVE-2018-7417
  • The SIGCOMP dissector could crash. Bug 14410, CVE-2018-7418
  • The NBAP dissector could crash. Bug 14443, CVE-2018-7419
  • The following bugs have been fixed:
  • Change placement of "double chevron" in Filter Toolbar to eliminate overlap. (Bug 14121)
  • AutoScroll does not work. (Bug 14257)
  • BOOTP/DHCP: malformed packet → when user class option (77) is present. (Bug 14312)
  • GET MAX LUN wLength decoded as big-endian - USB Mass Storage. (Bug 14360)
  • Unable to create Filter Expression Button for a yellow filter. (Bug 14369)
  • Buildbot crash output: fuzz-2018-01-28-15874.pcap. (Bug 14371)
  • NetScaler RPC segmentation fault / stack overflow. (Bug 14399)
  • [oss-fuzz] #6028 RPC_NETLOGON: Direct-leak in g_malloc (generate_hash_key). (Bug 14407)
  • Newline "\n" in packet list field increase line height for all rows. (Bug 14424)
  • ieee80211-radio.c preamble duration calculation not correct. (Bug 14439)
  • DIS: Malformed packet in SISO-STD-002 transmitter. (Bug 14441)
  • Updated Protocol Support:
  • ASN.1 BER, BOOTP/DHCP, DCE RPC NETLOGON, DICOM, DIS, DMP, DOCSIS, EPL, FCP, GSM A RR, HSRP, IAX2, IEEE 802.11, Infiniband, IPMI, IPv6, LDAP, LLTD, NBAP, NetScaler RPC, OpenFlow, RELOAD, RPCoRDMA, RPKI-Router, S7COMM, SCCP, SIGCOMP, Thread, Thrift, TLS/SSL, UMTS MAC, USB, USB Mass Storage, and WCCP
  • New and Updated Capture File Support:
  • pcap, pcapng

New in Wireshark 2.5.0 Development Build (Feb 7, 2018)

  • This is a semi-experimental release intended to test new features for Wireshark 2.6.
  • Many user interface improvements have been made. See the New and Updated Features section below for more details.
  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 2.4.0:
  • Display filter buttons can now be edited, disabled, and removed via a context menu directly from the toolbar.
  • Drag & Drop filter fields to the display filter toolbar or edit to create a button on the fly or apply the filter as a display filter.
  • Application startup time has been reduced.
  • Some keyboard shortcut mix-ups have been resolved by assigning new shortcuts to Edit -> Copy methods.
  • TShark now supports color using the --color option.
  • The "matches" display filter operator is now case-insensitive.
  • Display expression (button) preferences have been converted to a UAT. This puts the display expressions in their own file. Wireshark still supports preference files that contain the old preferences, but new preference files will be written without the old fields.
  • SMI private enterprise numbers are now read from the "enterprises.tsv" configuration file.
  • The QUIC dissector has been renamed to Google QUIC (quic -> gquic).
  • The selected packet number can now be shown in the Status Bar by enabling Preferences -> Appearance -> Layout -> Show selected packet number.
  • File load time in the Status Bar is now disabled by default and can be enabled in Preferences -> Appearance -> Layout -> Show file load time.
  • Support for the G.729A codec in the RTP Player is now added via the bcg729 library.
  • Support for hardware-timestamping of packets has been added.
  • Improved NetMon .cap support with comments, event tracing, network filter, network info types and some Message Analyzer exported types.
  • The personal plugins folder on Linux/Unix is now ~/.local/lib/wireshark/plugins.
  • TShark can print flow graphs using -z flow.
  • Capinfos now prints SHA256 hashes in addition to RIPEMD160 and SHA1. MD5 output has been removed.
  • The packet editor has been removed. (This was a GTK+ only experimental feature.)
  • Support BBC micro:bit Bluetooth profile.
  • The Linux and UNIX installation step for Wireshark will now install headers required to build plugins. A pkg-config file is provided to help with this (see doc/plugins.example for details). Note you must still rebuild all plugins between minor releases (X.Y).
  • The Windows installers and packages now ship with Qt 5.9.4.
  • New Protocol Support:
  • 802.11ax (High Efficiency WLAN (HEW)), ActiveMQ Artemis Core Protocol, AMT (Automatic Multicast Tunneling), Bluetooth Mesh, Broadcom tags (Broadcom Ethernet switch management frames), CAN-ETH, CVS password server, FP Mux, GRPC (gRPC), IEEE 1905.1a, IEEE 802.3br Frame Preemption Protocol, ISOBUS, LoRaTap, LoRaWAN, Lustre Filesystem, Lustre Network, Network Functional Application Platform Interface (NFAPI) Protocol, New Radio Radio Resource Control protocol, NXP 802.15.4 Sniffer Protocol, PFCP (Packet Forwarding Control Protocol), Protobuf (Protocol Buffers), QUIC (IETF), Session Multiplex Protocol, SolarEdge monitoring protocol, Tibia, TWAMP and OWAMP, and Wi-Fi Device Provisioning Protocol
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • Microsoft Network Monitor
  • New and Updated Capture Interfaces support:
  • LoRaTap

New in Wireshark 2.4.4 (Jan 11, 2018)

  • Bug Fixes:
  • The following bugs have been fixed:
  • wnpa-sec-2018-01
  • Multiple dissectors could crash. (Bug 14253) CVE-2018-5336
  • wnpa-sec-2018-03
  • The IxVeriWave file parser could crash. (Bug 14297) CVE-2018-5334
  • wnpa-sec-2018-04
  • The WCP dissector could crash. (Bug 14251) CVE-2018-5335
  • Prior to this release dumpcap enabled the Linux kernel’s BPF JIT compiler via the net.core.bpf_jit_enable sysctl. This could make systems more vulnerable to Spectre variant 1 (CVE-2017-5753) and this feature has been removed (Bug 14313).
  • Some keyboard shortcut mix-up has been resolved by assigning new shortcuts to Edit → Copy methods.
  • Remote interfaces are not saved. (Bug 8557)
  • Additional grouping in Expert Information dialog. (Bug 11753)
  • First start with non-empty extcap folder after install or reboot hangs at "initializing tap listeners". (Bug 12845)
  • Can’t hide expert categories in Expert Information. (Bug 13831)
  • Expert info dialog should have "Collapse All"/"Expand All" options. (Bug 13842)
  • SIP Statistics extract does not work. (Bug 13942)
  • Service Response Time - SCSI dialog crashes. (Bug 14144)
  • Wireshark & Tshark 2.4.2 core dumps with segmentation fault. (Bug 14194)
  • SSH remote capture promiscuous mode. (Bug 14237)
  • SOCKS pseudo header displays incorrect Version value. (Bug 14262)
  • Only first variable of list is dissected in NTP Control request message. (Bug 14268)
  • NTP Authenticator field dissection fails if padding is used. (Bug 14269)
  • BSSAP packet dissector issue - BSSAP_UPLINK_TUNNEL_REQUEST message. (Bug 14289)
  • "[Malformed Packet]" for Mobile IP (MIP) protocol. (Bug 14292)
  • There is a potential buffer underflow in File_read_line function in epan/wslua/wslua_file.c file. (Bug 14295)
  • Saving a temporary capture file may not result in the temporary file being removed. (Bug 14298)
  • Updated Protocol Support:
  • Bluetooth, BSSAP, BT ATT, BT HCI, BT SMP, MIP, NTP, SCTP, SOCKS, UDS, and WCP
  • New and Updated Capture File Support:
  • Ixia IxVeriWave

New in Wireshark 2.4.3 (Dec 1, 2017)

  • Bug Fixes:
  • wnpa-sec-2017-47
  • The IWARP_MPA dissector could crash. (Bug 14236)
  • wnpa-sec-2017-48
  • The NetBIOS dissector could crash. (Bug 14249)
  • wnpa-sec-2017-49
  • The CIP Safety dissector could crash. (Bug 14250)
  • "tshark -G ?" doesn’t provide expected help. (Bug 13984)
  • File loading is very slow with TRANSUM dissector enabled. (Bug 14094)
  • packet-knxnetip.c:936: bad bitmask ?. (Bug 14115)
  • packet-q931.c:1306: bad compare ?. (Bug 14116)
  • SSL Dissection bug. (Bug 14117)
  • Wireshark crashes when exporting various files to .csv, txt and other ‘non-capture file’ formats. (Bug 14128)
  • RLC reassembly doesn’t work for RLC over UDP heuristic dissector. (Bug 14129)
  • HTTP Object export fails with long extension (possibly query string). (Bug 14130)
  • 3GPP Civic Address not displayed in Packet Details. (Bug 14131)
  • Wireshark prefers packet.dll in System32\Npcap over the one in System32. (Bug 14134)
  • PEEKREMOTE dissector does not decode 11ac MCS rates properly. (Bug 14136)
  • Visual Studio Community Edition 2015 lacks tools named in developer guide. (Bug 14147)
  • TCP: Malformed data with Riverbed Probe option. (Bug 14150)
  • Wireshark Crash when trying to use Preferences | Advanced. (Bug 14157)
  • Right click on SMB2 Message ID and then Apply as Column causes Runtime Error. (Bug 14169)
  • Return [Enter] should apply change (Column title - Button Label toolbars). (Bug 14191)
  • Wireshark crashes if "rip.display_routing_domain" is set to TRUE in preferences file. (Bug 14197)
  • Entry point inflatePrime not found for androiddump.exe and randpktdump.exe. (Bug 14207)
  • BGP: IPv6 NLRI is received with Add-path ID, then Wireshark is not able to decode the packet correctly. (Bug 14241)
  • Wrong SSL decryption when using EXTENDED MASTER SECRET and Client certificate request (mutual authentication). (Bug 14243)
  • Frame direction isn’t always set if it comes from the pcapng record header rather than the packet pseudo-header. (Bug 14245)
  • Updated Protocol Support:
  • 3GPP NAS, BGP, CIP Safety, DTLS, IEEE 802.11 Radio, IWARP_MPA, KNXnet/IP, LCSAP, MQTT, NetBIOS, PEEKREMOTE, Q.931, RIP, RLC, SIP, SSL/TLS, TCP, and TRANSUM

New in Wireshark 2.4.2 (Oct 11, 2017)

  • Bug Fixes:
  • The following bugs have been fixed:
  • wnpa-sec-2017-42
  • BT ATT dissector crash (Bug 14049) CVE-2017-15192
  • wnpa-sec-2017-43
  • MBIM dissector crash (Bug 14056) CVE-2017-15193
  • wnpa-sec-2017-44
  • DMP dissector crash (Bug 14068) CVE-2017-15191
  • wnpa-sec-2017-45
  • RTSP dissector crash (Bug 14077) CVE-2017-15190
  • wnpa-sec-2017-46
  • DOCSIS infinite loop (Bug 14080) CVE-2017-15189
  • Wireshark crash when end capturing with "Update list of packets in real-time" option off. (Bug 13024)
  • Diameter service response time statistics broken in 2.2.4. (Bug 13442)
  • Sequence number isn’t shown as the X axis in TCP Stream Graph - RTT. (Bug 13740)
  • Using an SSL subdissector will cause SSL data to not be decoded (related to reassembly of application data). (Bug 13885)
  • Wireshark 2.4.0 doesn’t build with Qt 4.8. (Bug 13909)
  • Some Infiniband Connect Req fields are not decoded correctly. (Bug 13997)
  • Voip Flow Sequence button crash. (Bug 14010)
  • wireshark-2.4.1/epan/dissectors/packet-dmp.c:1034: sanity check in wrong place ?. (Bug 14016)
  • wireshark-2.4.1/ui/qt/tcp_stream_dialog.cpp:1206: sanity check in odd place ?. (Bug 14017)
  • [oss-fuzz] ASAN: 232 byte(s) leaked in 4 allocation(s). (Bug 14025)
  • [oss-fuzz] ASAN: 47 byte(s) leaked in 1 allocation(s). (Bug 14032)
  • Own interface toolbar logger dialog for each log command. (Bug 14033)
  • Wireshark crashes when dissecting DOCSIS REGRSPMP which contains UCD. (Bug 14038)
  • Broken installation instructions for Visual Studio Community Edition. (Bug 14039)
  • RTP Analysis "save as CSV" saves twice the forward stream, if two streams are selected. (Bug 14040)
  • VWR file read ends early with vwr: Invalid data length 0. (Bug 14051)
  • reordercap fails with segmentation fault 11 on MacOS. (Bug 14055)
  • Cannot Apply Bitmask to Long Unsigned. (Bug 14063)
  • text2pcap since version 2.4 aborts when there are no arguments. (Bug 14082)
  • gtpprime: Missing in frame.protocols. (Bug 14083)
  • HTTP dissector believes ICY response is a request. (Bug 14091)
  • Updated Protocol Support:
  • 6LoWPAN, Bluetooth, BOOTP/DHCP, BT ATT, BT LE, DCERPC, DMP, DOCSIS, EPL, GTP, H.248, HTTP, InfiniBand, MBIM, RPC, RTSP, SSL, and WSP
  • New and Updated Capture File Support:
  • Vendor-supplied Packages:
  • Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
  • File Locations:
  • Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About→Folders to find the default locations on your system.

New in Wireshark 2.4.1 (Aug 30, 2017)

  • Bug Fixes:
  • wnpa-sec-2017-38. MSDP dissector infinite loop (Bug 13933)
  • wnpa-sec-2017-39. Profinet I/O buffer overrun (Bug 13847)
  • wnpa-sec-2017-40. Modbus dissector crash (Bug 13925)
  • wnpa-sec-2017-41. IrCOMM dissector buffer overrun (Bug 13929)
  • Incorrect presentation of Ascend-Data-Filter (RADIUS attribute 242). (Bug 11630)
  • Confusing "Apply a display filter <Command/>" keyboard shortcut. (Bug 12450)
  • Wireshark crashes at startup if it needs to display a dialog early in the startup process. (Bug 13275)
  • RADIUS dictionary: BEGIN-VENDOR does not support format=Extended-Vendor-Specific-*. (Bug 13745)
  • Dumpcap on big-endian machines writes out corrupt, unreadable Enhanced Packet Blocks. (Bug 13802)
  • Interface Toolbar support for Windows. (Bug 13833)
  • Wireshark should behave better on high resolution displays on Windows. (Bug 13877)
  • Udpdump.pod missing from build. (Bug 13903)
  • RTP Player Format Error. (Bug 13906)
  • VNC Protocol dissector: Framebuffer Updates. (Bug 13910)
  • DNS LOC RRs with out-of-range longitude or latitude aren’t shown as errors. (Bug 13914)
  • DIS Dissector Entity Appearance Record displayed in wrong location. (Bug 13917)
  • Win64 CMake bug - (CYGWIN_INSTALL_PATH redefinition) causing missing packages when using CMake 3.9.0. (Bug 13922)
  • APL records parsed incorrectly for IPv4 prefixes. (Bug 13923)
  • File→Merge dialog doesn’t show all options. Resizing doesn’t help. (Bug 13924)
  • TCAP SRT Analysis incorrectly matched TCAP begins and ends. (Bug 13926)
  • Error in MKA Distributed SAK parameter set dissection. (Bug 13927)
  • E.212: Check length before trying 3-digits MNC. (Bug 13935)
  • mpeg_descriptor: AC3 System A: Respect descriptor length. (Bug 13939)
  • Crash in Wireshark using Dumper:dump() from Lua. (Bug 13944)
  • MRCPv2 not decoded correctly. (Bug 13952)
  • UDP Checksum verification not working for 0x0000 checksum. (Bug 13955)
  • OSPF v3 LSA Type not well parsed. (Bug 13979)
  • GTPv2 - decoding issue for Packet Flow ID (type 123). (Bug 13987)
  • TRANSUM fails to calculate RTE figures for DCE-RPC where request Packet Type is zero. (Bug 13988)
  • BTLE Hop and SCA fields incorrectly dissected in BLE CONNECT_REQ. (Bug 13990)
  • [oss-fuzz] BGP memleak: ASAN: 276 byte(s) leaked in 5 allocation(s). (Bug 13995)
  • Some Infiniband Connect Req fields are not decoded correctly. (Bug 13997)
  • GTP: gtp.ext_comm_flags_II_pmtsmi bit not decoded correctly. (Bug 14001)
  • InfiniBand: sIP and dIP inside IP CM Private Data are decoded in the wrong order. (Bug 14002)
  • 802.11 wlan.ft.subelem.r0kh_id should be sequence of bytes. (Bug 14004)
  • USB capture: Unrecognized libpcap format or not libpcap data. (Bug 14006)
  • SQ Header Pointer in NVMoF response capsule is decoded with the wrong endian. (Bug 14008)
  • Updated Protocol Support:
  • BGP, BT LE, DIS, DNS, E.212, EPL, GTP, GTPv2, IEEE 802.11, InfiniBand, IPv4, IrCOMM, MKA, Modbus, MPEG Descriptor, MRCPv2, MSDP, MTP2, Nordic BLE, NVMe, OSPF, pcapng MIME, PMIPv6, Profinet I/O, RADIUS, SML, TCAP, TRANSUM, UA3G, UDP, VNC, and ZigBee

New in Wireshark 2.4.0 (Jul 20, 2017)

  • New and Updated Features:
  • Experimental 32-bit and 64-bit Windows Installer (.msi) packages are available. It is recommended that you use these independently of the NSIS (.exe) installers. That is, you should make sure the NSIS package is completely uninstalled before installing the Windows Installer package and vice-versa.
  • Source packages are now compressed using xz instead of bzip2.
  • The legacy (GTK+) UI is disabled by default in the Windows installers.
  • The legacy (GTK+) UI is disabled by default in the development environment (Autotools and CMake).
  • SS7 Point Codes can now be resolved into names with a hosts-like file.
  • Wireshark can now go fullscreen to have more room for packets.
  • TShark can now export objects like the other GUI interfaces.
  • Support for G.722 and G.726 codecs in the RTP Player (via the SpanDSP library).
  • You can now choose the output device when playing RTP streams.
  • Added support for dissectors to include a unit name natively in their hf field. A field can now automatically append "seconds" or "ms" to its value without additional printf-style APIs.
  • The Default profile can now be reset to default values.
  • You can move back and forth in the selection history in the Qt UI.
  • IEEE 802.15.4 dissector now uses an UAT for decryption keys. The original decryption key preference has been obsoleted.
  • Extcap utilities can now provide configuration for a GUI interface toolbar to control the extcap utility while capturing.
  • Extcap utilities can now validate the capture filter.
  • Display filter function len() can now be used on all string and byte fields.
  • Added an experimental timeline view for 802.11 wireless packet data which can be enabled via the "802.11 radio information" preferences.
  • Added TLS 1.3 (draft 21) dissection and decryption support (Bug 12779).
  • The (D)TLS Application Layer protocol (e.g. HTTP or CoAP) can now be changed via the Decode As dialog.
  • The RSA keys dialog for SSL keys has improved feedback for invalid settings and no longer requires the IP address, Port or Protocol fields to be set in addition to the Key File.
  • TCP Analysis will detect and flag more spurious retransmissions.
  • New Protocol Support:
  • Bluetooth HCI Vendor Intel, CAN FD, Citrix NetScaler Metric Exchange Protocol, Citrix NetScaler RPC Protocol, DirectPlay 8 protocol, Ericsson A-bis P-GSL, Ericsson A-bis TFP (Traffic Forwarding Protocol), Facebook Zero, Fc00/cjdns Protocol, Generic Netlink (genl), GSM Osmux, GSMTAP based logging, Health Level 7 (HL7), High-speed SECS message service (HSMS), HomePNA, IndigoCare iCall protocol, IndigoCare Netrix protocol, iPerf2, ISO 15765, Linux 802.11 Netlink (nl80211), Local Service Discovery (LSD), M2 Application Protocol, Mesh Link Establishment (MLE), MUDURL, Netgear Ensemble Protocol, NetScaler HA Protocol, NetScaler Metric Exchange Protocol, NetScaler RPC Protocol, NM protocol, Nordic BLE Sniffer, NVMe, NVMe Fabrics RDMA, OBD-II PIDs, OpenThread simulator, RFTap Protocol, SCTE-35 Digital Program Insertion Messages, Snort Post-dissector, Thread CoAP, UDP based FTP w/ multicast (UFTP and UFTP4), Unified Diagnostic Services (UDS), vSocket, Windows Cluster Management API (clusapi), and X-Rite i1 Display Pro (and derivatives) USB protocol
  • New and Updated Capture File Support:
  • ERF, IxVeriWave, Libpcap, and Pcap-ng
  • Major API Changes:
  • IEEE802.11: wlan_mgt display filter element got renamed to wlan.
  • Libgcrypt is now a required dependency.
  • File Locations:
  • Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About→Folders to find the default locations on your system.

New in Wireshark 2.2.8 (Jul 18, 2017)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2017-13: WBXML dissector infinite loop (Bug 13477, Bug 13796) CVE-2017-7702, CVE-2017-11410. Note: This is an update for a fix in Wireshark 2.2.6 and 2.0.12.
  • wnpa-sec-2017-28: openSAFETY dissector memory exhaustion (Bug 13649, Bug 13755) CVE-2017-9350, CVE-2017-11411. Note: This is an update for a fix in Wireshark 2.2.7.
  • wnpa-sec-2017-34 AMQP dissector crash. (Bug 13780) CVE-2017-11408
  • wnpa-sec-2017-35 MQ dissector crash. (Bug 13792) CVE-2017-11407
  • wnpa-sec-2017-36 DOCSIS infinite loop. (Bug 13797) CVE-2017-11406
  • The following bugs have been fixed:
  • Y.1711 dissector reverses defect type order. (Bug 8292)
  • Packet list keeps scrolling back to selected packet while names are being resolved. (Bug 12074)
  • [REGRESSION] Export Objects do not show files from a SMB2 capture. (Bug 13214)
  • LTE RRC: lte-rrc.q_RxLevMin filter fails on negative values. (Bug 13481)
  • Hexpane showing in proportional font again. (Bug 13638)
  • Regression in SCCP fragments handling. (Bug 13651)
  • TCAP SRT incorrectly matches TC_BEGINs and TC_ENDs. (Bug 13739)
  • Dissector for WSMP (IEEE 1609.3) not current. (Bug 13766)
  • RANAP: possible issue in the heuristic code. (Bug 13770)
  • [oss-fuzz] UBSAN: shift exponent 35 is too large for 32-bit type int in packet-btrfcomm.c:314:37. (Bug 13783)
  • RANAP: false positives on heuristic algorithm. (Bug 13791)
  • Automatic name resolution not saved to PCAP-NG NRB. (Bug 13798)
  • DAAP dissector dissect_daap_one_tag recursion stack exhausted. (Bug 13799)
  • Malformed DCERPC PNIO packet decode, exception handler invalid pointer reference. (Bug 13811)
  • It seems SPVID was decoded from wrong field. (Bug 13821)
  • README.dissectors: Add notes about predefined string structures not available to plugin authors. (Bug 13828)
  • Statistics→Packet Lengths doesn’t display details for 5120 or greater. (Bug 13844)
  • cmake/modules/FindZLIB.cmake doesn’t find inflatePrime. (Bug 13850)
  • BGP: incorrect decoding COMMUNITIES whose length is larger than 255. (Bug 13872)
  • Updated Protocol Support:
  • AMQP, BGP, BSSMAP, BT RFCOMM, DAAP, DOCSIS, E.212, FDDI, GSM A GM, GSM BSSMAP, IEEE 802.11, IP, ISIS LSP, LTE RRC, MQ, OpenSafety, OSPF, PROFINET IO, RANAP, SCCP, SGSAP, SMB2, TCAP, TCP, UMTS FP, UMTS RLC, WBXML, WSMP, and Y.1711
  • New and Updated Capture File Support:
  • pcap and pcap-ng

New in Wireshark 2.2.7 (Jun 2, 2017)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2017-22
  • Bazaar dissector infinite loop (Bug 13599) CVE-2017-9352
  • wnpa-sec-2017-23
  • DOF dissector read overflow (Bug 13608) CVE-2017-9348
  • wnpa-sec-2017-24
  • DHCP dissector read overflow (Bug 13609, Bug 13628) CVE-2017-9351
  • wnpa-sec-2017-25
  • SoulSeek dissector infinite loop (Bug 13631) CVE-2017-9346
  • wnpa-sec-2017-26
  • DNS dissector infinite loop (Bug 13633) CVE-2017-9345
  • wnpa-sec-2017-27
  • DICOM dissector infinite loop (Bug 13685) CVE-2017-9349
  • wnpa-sec-2017-28
  • openSAFETY dissector memory exhaustion (Bug 13649) CVE-2017-9350
  • wnpa-sec-2017-29
  • BT L2CAP dissector divide by zero (Bug 13701) CVE-2017-9344
  • wnpa-sec-2017-30
  • MSNIP dissector crash (Bug 13725) CVE-2017-9343
  • wnpa-sec-2017-31
  • ROS dissector crash (Bug 13637) CVE-2017-9347
  • wnpa-sec-2017-32
  • RGMP dissector crash (Bug 13646) CVE-2017-9354
  • wnpa-sec-2017-33
  • IPv6 dissector crash (Bug 13675) CVE-2017-9353
  • The following bugs have been fixed:
  • DICOM dissection error. (Bug 13164)
  • Qt: drag & drop of one column header in PacketList moves other columns. (Bug 13183)
  • Can not export captured DICOM objects in version 2.2.5. (Bug 13570)
  • False complain about bad checksum of ICMP extension header. (Bug 13586)
  • LibFuzzer: ISUP dissector bug (isup.number_different_meaning). (Bug 13588)
  • Dissector Bug, protocol BT ATT. (Bug 13590)
  • Wireshark displays RRCConnectionReestablishmentRejectRRCConnectionReestablishmentReject in Info column. (Bug 13595)
  • [oss-fuzz] UBSAN: shift exponent 105 is too large for 32-bit type int in packet-ositp.c:551:79. (Bug 13606)
  • [oss-fuzz] UBSAN: shift exponent -77 is negative in packet-netflow.c:7717:23. (Bug 13607)
  • [oss-fuzz] UBSAN: shift exponent 1959 is too large for 32-bit type int in packet-sigcomp.c:2128:28. (Bug 13610)
  • [oss-fuzz] UBSAN: shift exponent 63 is too large for 32-bit type guint32 (aka unsigned int) in packet-rtcp.c:917:24. (Bug 13611)
  • [oss-fuzz] UBSAN: shift exponent 70 is too large for 64-bit type guint64 (aka unsigned long) in dwarf.c:42:43. (Bug 13616)
  • [oss-fuzz] UBSAN: shift exponent 32 is too large for 32-bit type int in packet-xot.c:260:23. (Bug 13618)
  • [oss-fuzz] UBSAN: shift exponent -5 is negative in packet-sigcomp.c:1722:36. (Bug 13619)
  • [oss-fuzz] UBSAN: index 2049 out of bounds for type char [2049] in packet-quakeworld.c:134:5. (Bug 13624)
  • [oss-fuzz] UBSAN: shift exponent 35 is too large for 32-bit type int in packet-netsync.c:467:25. (Bug 13639)
  • [oss-fuzz] UBSAN: shift exponent 32 is too large for 32-bit type int in packet-sigcomp.c:3857:24. (Bug 13641)
  • [oss-fuzz] ASAN: stack-use-after-return epan/dissectors/packet-ieee80211.c:14341:23 in add_tagged_field. (Bug 13662)
  • Welcome screen invalid capture filter without WinPcap installed causes runtime error. (Bug 13672)
  • SMB protocol parser does not parse SMB_COM_TRANSACTION2_SECONDARY (0x33) command correctly. (Bug 13690)
  • SIP packets with SDP marked as malformed. (Bug 13698)
  • [oss-fuzz] UBSAN: index 8 out of bounds for type gboolean const[8] in packet-ieee80211-radiotap.c:1836:12. (Bug 13713)
  • Crash on "Show packet bytes…" context menu item click. (Bug 13723)
  • DNP3 dissector does not properly decode packed variations with prefixed qualifiers. (Bug 13733)
  • Updated Protocol Support:
  • Bazaar, BT ATT, BT L2CAP, DHCP, DICOM, DNP3, DNS, DOF, DWARF, ICMP, IEEE 802.11, IPv6, ISUP, LTE RRC, MSNIP, Netflow, Netsync, openSAFETY, OSITP, QUAKEWORLD, Radiotap, RGMP, ROS, RTCP, SIGCOMP, SMB, SoulSeek, and XOT

New in Wireshark 2.2.6 (Apr 13, 2017)

  • The following vulnerabilities have been fixed:
  • IMAP dissector crash
  • WBXML dissector infinite loop
  • NetScaler file parser infinite loop
  • RPCoRDMA dissector infinite loop
  • BGP dissector infinite loop
  • DOF dissector infinite loop
  • PacketBB dissector crash
  • SLSK dissector long loop
  • SIGCOMP dissector infinite loop
  • WSP dissector infinite loop
  • The following bugs have been fixed:
  • T30 FCF byte decoding masks DTC, CIG and NCS.
  • Wireshark gives decoding error during rnsap message dissection (SCCP reassembly).
  • Added IEEE 802.15.4-2003 AES-CCM security modes (packet-ieee802154).
  • Payload in 2 SCCP DT1 messages in the same frame isn’t (sub)dissected.
  • IEEE 802.15.4: an area of Payload IEs is dissected twice.
  • Qt UI: Wireshark crash when deleting IO graph string while it’s in editing mode.
  • Crash on exit due to an invalid frame data sequence state.
  • Access Violation using Lua dissector.
  • Some bytes ignored in every packet in NetScaler packet trace when vmnames are included in packet headers.
  • VOIP RTP stream Find Reverse button doesn’t work.
  • Lua dissector: ProtoField int* do not allow FT_HEX or FT_OCT, crash when set to FT_HEX_DEC or FT_DEC_HEX.
  • GIOP LocateRequest v1.0 is improperly indicated as "malformed".
  • Bug in ZigBee - Zone Status Change Notification.
  • Packet exception in packet-ua3g and incomplete strings in packet-noe.
  • Wrong BGP capability dissect.
  • Endpoint statistics column labels seem incorrect.
  • Strange automatic jump in packet details for a certain DNS response packet.
  • When a Lua enum or bool preference is changed via context menu, prefs_changed isn’t called with Qt Wireshark.
  • IO Graph selects wrong packet or displays "Packet number x isn’t displayed".
  • tshark’s -z endpoints,ip ignores optional filter.
  • SSL: Handshake type in Info column not always separated by comma.
  • libfuzzer: PEEKREMOTE dissector bug.
  • libfuzzer: packetBB dissector bug (packetbb.msg.addr.valuecustom).
  • libfuzzer: WSP dissector bug (wsp.header.x_wap_tod).
  • libfuzzer: MIH dissector bug.
  • libfuzzer: DNS dissector bug.
  • libfuzzer: WLCCP dissector bug.
  • libfuzzer: TAPA dissector bug.
  • libfuzzer: lapsat dissector bug.
  • libfuzzer: wassp dissector bug.
  • Illegal reassembly of GSM SMS packets.
  • SSH Dissector uses incorrect length for protocol field (ssh.protocol).
  • NBAP malformed packet for short Binding ID.
  • libfuzzer: WSP dissector bug (wsp.header.x_up_1.x_up_proxy_tod).
  • libfuzzer: asterix dissector bug (asterix.021_230_RA).
  • RTPproxy dissector adds multi lines to info column.

New in Wireshark 2.2.5 (Mar 4, 2017)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2017-03
  • LDSS dissector crash (Bug 13346)
  • wnpa-sec-2017-04
  • RTMTP dissector infinite loop (Bug 13347)
  • wnpa-sec-2017-05
  • WSP dissector infinite loop (Bug 13348)
  • wnpa-sec-2017-06
  • STANAG 4607 file parser infinite loop (Bug 13416)
  • wnpa-sec-2017-07
  • NetScaler file parser infinite loop (Bug 13429)
  • wnpa-sec-2017-08
  • NetScaler file parser crash (Bug 13430)
  • wnpa-sec-2017-09
  • K12 file parser crash (Bug 13431)
  • wnpa-sec-2017-10
  • IAX2 dissector infinite loop (Bug 13432)
  • wnpa-sec-2017-11
  • NetScaler file parser infinite loop (Bug 12083)
  • The 32-bit and 64-bit Windows installers might have been susceptible to a DLL hijacking flaw.
  • The following bugs have been fixed:
  • Display filter textbox loses focus during live capturing. (Bug 11890)
  • Wireshark crashes when saving pcaps, opening pcaps, and exporting specified packets. (Bug 12036)
  • tshark stalls on FreeBSD if androiddump is present. (Bug 13104)
  • UTF-8 characters in packet list column title. (Bug 13342)
  • Recent capture file list should appear immediately on startup. (Bug 13352)
  • editcap segfault if a packet length is shorter than ignore bytes parameter. (Bug 13378)
  • dftest segfault with automated build of 2.2.5. (Bug 13387)
  • UMTS MAC Dissector shows Packet size limited for BCCH payload. (Bug 13392)
  • VS2010 win32 compilation fails. (Bug 13398)
  • EAP AKA not being decoded properly. (Bug 13411)
  • Dumpcap crashes during rpcap setup. (Bug 13418)
  • Crash on closing SNMP capture file if snmp credentials are present. (Bug 13420)
  • GPRS-NS message PDU type displayed in octal instead of hexadecimal. (Bug 13428)
  • Updated Protocol Support:
  • GPRS-NS, GTPv2, IAX2, IEEE 802.11, LDSS, MS-WSP, OpcUa, ROHC, RTMTP, SNMP, STANAG 4607, T.38, and UMTS FP
  • New and Updated Capture File Support:
  • K12 and NetScaler
  • There are no new features, file formats, protocols, major API changes, new or updated capture interfaces supported in this release.

New in Wireshark 2.2.4 (Jan 24, 2017)

  • The following vulnerabilities have been fixed:
  • The ASTERIX dissector could go into an infinite loop.
  • The DHCPv6 dissector could go into a large loop.
  • The following bugs have been fixed:
  • TCP reassembly: tcp.reassembled_in is not set in first packet.
  • Duplicated Interfaces instances while refreshing.
  • Time zone name needs to be converted to UTF-8 on Windows.
  • Crash on fast local interface changes.
  • Please align columns in tshark’s output.
  • Display data rate fields for VHT rates invalid with BCC modulation.
  • plugin_if_get_ws_info causes Access Violation if called during rescan.
  • SMTP BDAT dissector not reverting to command-code after DATA.
  • Wireshark fails to recognize V6 DBS Etherwatch capture files.
  • Runtime Error when try to merge .pcap files (Wireshark crashes).
  • PPP BCP BPDU size reports not header size, but all data underneath and its header size in UI.
  • In-line UDP checksum bytes in 6LoWPAN IPHC are swapped.
  • Uninitialized memcmp on data in daintree-sna.c.
  • Crash when dissect WDBRPC Version 2 protocol with Dissect unknown program numbers enabled.
  • Contents/Resources/bin directory isn’t in the app bundle after installation.
  • Regression: IEEE17221 (AVDECC) decoded as IEEE1722 (AVB Transportation Protocol).
  • Can’t decode packets captured with OpenBSD enc(4) encapsulating.
  • UDLD flags are at other end of octet.
  • MS-WSP dissector no longer works since commit 8c2fa5b5cf789e6d0d19cd0dd34479d0203d177a.
  • TBCD string decoded wrongly in MAP ATI message.
  • Filter Documentation: The tilde (~) operator is not documented.
  • VoIP Flow Sequence Causes Application Crash.
  • Updated Protocol Support:
  • 6LoWPAN, DVB-CI, ENC, GSM MAP, IEEE 1722, IEEE 1722.1, ISAKMP, MS-WSP, PPP, QUIC, Radiotap, RPC, SMTP, TCP, UCD, and UDLD

New in Wireshark 2.2.3 (Jan 24, 2017)

  • The following vulnerabilities have been fixed:
  • Arbitrary file deletion on Windows.
  • The following bugs have been fixed:
  • Saving all exported objects (SMB/SMB2) results in out of physical memory.
  • Export HTTP Objects - Single file shows as multiple files in 2.0.2.
  • Follow Stream and graph buttons remain greyed out in conversation window.
  • Dicom list of tags in element of VR=AT not properly decoded.
  • Malformed Packet: BGP Update (withdraw) message.
  • Install fail on macOS Sierra (error PKInstallErrorDomain Code=112).
  • GTP: "Create PDP Context response" message shows back-off timer as malformed when included in the response.
  • ICMP dissector fails to properly detect timestamps.
  • RLC misdissection.
  • Text2pcap on Windows produces corrupt output when writing the capture file to the standard output.
  • HTML escaping of quotes in error message.
  • TShark doesn’t respect protocols.display_hidden_proto_items setting.
  • RPC/RDMA dissector should exit when frame is not RPC-over-RDMA.
  • Some RPC-over-RDMA frames are not recognized as RPC-over-RDMA.
  • RPC-over-RDMA frames with chunk lists are "Malformed".
  • TShark fails to pass RPC-over-RDMA frames to RPC subdissector.
  • Adding a DOF DPS Identity Secret, session Key, or Mode Template causes Wireshark to crash.
  • Wireshark shows "MS Video Source Request" in a RTCP packet as "Malformed".
  • Updated Protocol Support:
  • BGP, BOOTP/DHCP, BTLE, DICOM, DOF, Echo, GTP, ICMP, Radiotap, RLC, RPC over RDMA, RTCP, SMB, TCP, UFTP4, and VXLAN

New in Wireshark 2.2.2 (Nov 17, 2016)

  • BUG FIXES:
  • The following vulnerabilities have been fixed:
  • Profinet I/O long loop. (Bug 12851)
  • AllJoyn crash. (Bug 12953)
  • OpenFlow crash. (Bug 13071)
  • DCERPC crash. (Bug 13072)
  • DTN infinite loop. (Bug 13097)
  • The Windows PortableApps packages were susceptible to a DLL hijacking flaw.
  • The following bugs have been fixed:
  • TCP: nextseq incorrect if TCP_MAX_UNACKED_SEGMENTS exceeded & FIN true. (Bug 12579)
  • SMPP schedule_delivery_time displayed wrong in Wireshark 2.1.0. (Bug 12632)
  • Upgrading to latest version uninstalls Microsoft Visual C++ redistributable. (Bug 12712)
  • dmg for OS X does not install man pages. (Bug 12746)
  • Fails to compile against Heimdal 1.5.3. (Bug 12831)
  • TCP: Next sequence number off by one when sending payload in SYN packet (e.g. TFO). (Bug 12838)
  • Follow TCP Stream shows duplicate stream data. (Bug 12855)
  • Dissection engine falsely asserts that EIGRP packet’s checksum is incorrect. (Bug 12982)
  • IEEE 802.15.4 frames erroneously handed over to ZigBee dissector. (Bug 12984)
  • Capture Filter Bookmark Inactive in Capture Options page. (Bug 12986)
  • CLNP dissector does not parse ER NPDU properly. (Bug 12993)
  • SNMP trap bindings for NON scalar OIDs. (Bug 13013)
  • BGP LS Link Protection Type TLV (1093) decoding. (Bug 13021)
  • Application crash sorting column for tcp.window_size_scalefactor up and down. (Bug 13023)
  • ZigBee Green Power add key during execution. (Bug 13031)
  • Malformed AMQP packets for session.expected and session.confirmed fields. (Bug 13037)
  • Wireshark 2.2.1 crashes when attempting to merge pcap files. (Bug 13060)
  • [IS-637A] SMS - Teleservice layer parameter → IA5 encoded text is not correctly displayed. (Bug 13065)
  • Failure to dissect USB Audio feature unit descriptors missing the iFeature field. (Bug 13085)
  • MSISDN not populated/decoded in JSON GTP-C decoding. (Bug 13086)
  • E212: 3 digits MNC are identified as 2 digits long if they end with a 0. (Bug 13092)
  • Exception with last unknown Cisco AVP available in a SCCRQ message. (Bug 13103)
  • TShark stalls on FreeBSD if androiddump is present. (Bug 13104)
  • Dissector skips DICOM command. (Bug 13110)
  • UUID (FT_GUID) filtering isn’t working. (Bug 13121)
  • Manufacturer name resolution fail. (Bug 13126)
  • packet-sdp.c allocates transport_info->encoding_name from wrong memory pool. (Bug 13127)
  • Payload type name for dynamic payload is wrong for reverse RTP channels. (Bug 13132)
  • UPDATED PROTOCOL SUPPORT:
  • 6LoWPAN, AllJoyn, AMQP, ANSI IS-637 A, BGP, CLNP, DCERPC, DICOM, DTN, E.212, EIGRP, ERF, GVSP, IEEE 802.11, IEEE 802.15.4, IP, ISO-8583, Kerberos, L2TP, LACP, MAC LTE, OpenFlow, Profinet I/O, RTPS, SCTP, SDP, Skype, SMPP, SNA, SNMP, SPNEGO, TCP, USB Audio, XML, and ZigBee

New in Wireshark 2.2.1 (Oct 7, 2016)

  • WHAT'S NEW:
  • The Windows installers now ship with Qt 5.6. Previously they shipped with Qt 5.3.
  • BUG FIXES:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2016-56. The Bluetooth L2CAP dissector could crash. (Bug 12825)
  • wnpa-sec-2016-57. The NCP dissector could crash. (Bug 12945)
  • The following bugs have been fixed:
  • Flow Graph colored data arrows. (Bug 12065)
  • Capture File Properties under Statistics Grayed Out after Stopping a Capture. (Bug 12071)
  • Qt: Hidden columns displayed during live capture. (Bug 12377)
  • Unable to save changes to coloring rules. (Bug 12814)
  • Bad description for NBSS error code 0x81. (Bug 12835)
  • Live capture from USBPcap fails immediately. (Bug 12846)
  • Cannot decrypt EAP-TTLS traffic (not recognized as conversation). (Bug 12879)
  • Export packet dissections Option disabled after capturing traffic. (Bug 12898)
  • Failure to open file named with Chinese or other multibyte characters. (Bug 12900)
  • k12 text file format causes errors. (Bug 12903)
  • File | File Set | List Files dialog is blank. (Bug 12904)
  • Decoding/Display of an INAP CONNECT message goes wrong for the Destination Routing Address part. (Bug 12911)
  • TLS padding extension dissector length parsing bug. (Bug 12922)
  • Diameter dictionary bugs. (Bug 12927)
  • File open from menu bar with filter in place causes Wireshark to crash. (Bug 12929)
  • Unable to capture USBPcap trace using tshark with extcap built. (Bug 12949)
  • P1 dissector fails a TVB assertion. (Bug 12976)
  • Multiple PortableApps instances can once again be run at the same time.
  • UPDATED PROTOCOL SUPPORT:
  • 6LoWPAN, BT L2CAP, CIP, DCOM IRemUnknown, Diameter, DMP, EAP, ISUP, NBT, NCP, NetFlow, SSL / TLS, and U3V
  • NEW AND UPDATED CAPTURE FILE SUPPORT:
  • Ascend and K12

New in Wireshark 2.2.0 (Sep 8, 2016)

  • NEW:
  • Bug Fixes:
  • Upgrading to latest version uninstalls Microsoft Visual C++ redistributable. (Bug 12712)
  • Extcap errors not reported back to UI. (Bug 11892)
  • NEW AND UPDATES:
  • The following features are new (or have been significantly updated) since version 2.2.0rc2:
  • No major changes since 2.2.0rc2.
  • The following features are new (or have been significantly updated) since version 2.2.0rc1:
  • "Decode As" supports SSL (TLS) over TCP.
  • The following features are new (or have been significantly updated) since version 2.1.1:
  • Invalid coloring rules are now disabled instead of discarded. This will provide backward compatibility with a coloring rule change in Wireshark 2.2.
  • The following features are new (or have been significantly updated) since version 2.1.0:
  • Added -d option for Decode As support in Wireshark (mimics TShark functionality)
  • The Qt UI, GTK+ UI, and TShark can now export packets as JSON. TShark can additionally export packets as Elasticsearch-compatible JSON.
  • The Qt UI now supports the -j, -J, and -l flags. The -m flag is now deprecated.
  • The Conversations and Endpoints dialogs are more responsive when viewing large numbers of items.
  • The RTP player now allows up to 30 minutes of silence frames.
  • Packet bytes can now be displayed as EBCDIC.
  • The Qt UI loads captures faster on Windows.
  • proto_tree_add_checksum was added as an API. This attempts to standardize how checksums are reported and filtered for within *Shark. There are no more individual "good" and "bad" filter fields; protocols now have a "checksum.status" field that records "Good", "Bad" and "Unverified" (neither good nor bad). Color filters provided with Wireshark have been adjusted to the new display filter names, but custom ones may need to be updated.
  • The following features are new (or have been significantly updated) since version 2.0.0:
  • The intelligent scroll bar now sits to the left of a normal scroll bar and provides a clickable map of nearby packets.
  • You can now switch between Capture and File Format dissection of the current capture file via the View menu in the Qt GUI.
  • You can now show selected packet bytes as ASCII, HTML, Image, ISO 8859-1, Raw, UTF-8, a C array, or YAML.
  • You can now use regular expressions in Find Packet and in the advanced preferences.
  • Name resolution for packet capture now supports asynchronous DNS lookups only. Therefore the "concurrent DNS resolution" preference has been deprecated and is a no-op. To enable DNS name resolution some build dependencies must be present (currently c-ares). If that is not the case DNS name resolution will be disabled (but other name resolution mechanisms, such as host files, are still available).
  • The byte under the mouse in the Packet Bytes pane is now highlighted.
  • TShark supports exporting PDUs via the -U flag.
  • The Windows and OS X installers now come with the "sshdump" and "ciscodump" extcap interfaces.
  • Most dialogs in the Qt UI now save their size and positions.
  • The Follow Stream dialog now supports UTF-16.
  • The Firewall ACL Rules dialog has returned.
  • The Flow (Sequence) Analysis dialog has been improved.
  • We no longer provide packages for 32-bit versions of OS X.
  • The Bluetooth Device details dialog has been added.
  • New File Format Decoding Support:
  • Wireshark is able to display the format of some types of files (rather than displaying the contents of those files). This is useful when you’re curious about, or debugging, a file and its format. To open a capture file (such as PCAP) in this mode specify "MIME Files Format" as the file’s format in the Open File dialog.
  • New Protocol Support:
  • Apache Cassandra - CQL version 3.0, Bachmann bluecom Protocol, Bluetooth Pseudoheader for BR/EDR, Cisco ERSPAN3 Marker, Cisco ttag, Digital Equipment Corporation Local Area Transport, Distributed Object Framework, DOCSIS Upstream Channel Descriptor Type 35, Edge Control Protocol (ECP), Encrypted UDP based FTP with multicast, Ericsson IPOS Kernel Packet Header (IPOS), Extensible Control & Management Protocol (eCMP), FLEXRAY Protocol (automotive bus), IEEE 802.1BR E-Tag, Intel Omni-Path Architecture, ISO 8583-1, ISO14443, ITU-T G.7041/Y.1303 Generic Framing Procedure (GFP), LAT protocol (DECNET), Metamako trailers, Network Service Header for Ethernet & GRE, Network-Based IP Flow Mobility (NBIFOM), Nokia Intelligent Service Interface (ISI), Open Mobile Alliance Lightweight Machine to Machine TLV (LwM2M TLV), Real Time Location System (RTLS), RTI TCP Transport Layer (RTITCP), SMB Witness Service, STANAG 5602 SIMPLE, Standard Interface for Multiple Platform Link Evaluation (SIMPLE), USB3 Vision Protocol (USB machine vision cameras), USBIP Protocol, UserLog Protocol, and Zigbee Protocol Clusters (Closures Lighting General Measurement & Sensing HVAC Security & Safety)
  • Updated Protocol Support:
  • Bluetooth OBEX dissector (btobex) was renamed to Obex Dissector (obex), which allows it to be used with "Decode As" over USB, TCP and UDP.
  • A preference was added to TCP dissector for handling IPFIX process information. It has been disabled by default.
  • New and Updated Capture File Support:
  • Micropross mplog
  • New and Updated Capture Interfaces support:
  • Non-empty section placeholder.
  • Major API Changes:
  • The libwireshark API has undergone some major changes:
  • The address macros (e.g., SET_ADDRESS) have been removed. Use the (lower case) functions of the same names instead.
  • "old style" dissector functions (that don’t return number of bytes used) have been replaced in name with the "new style" dissector functions.
  • tvb_get_string and tvb_get_stringz have been replaced with tvb_get_string_enc and tvb_get_stringz_enc respectively.

New in Wireshark 2.2.0 RC 2 (Aug 31, 2016)

  • The following features are new (or have been significantly updated) since version 2.2.0rc1:
  • "Decode As" supports SSL (TLS) over TCP.

New in Wireshark 2.2.0 RC 1 (Aug 23, 2016)

  • NEW:
  • Invalid coloring rules are now disabled instead of discarded. This will provide backward compatibility with a coloring rule change in Wireshark 2.2.
  • BUG FIXES:
  • Upgrading to latest version uninstalls Microsoft Visual C++ redistributable. (Bug 12712)
  • NEW UPDATES AND FEATURES:
  • Added -d option for Decode As support in Wireshark (mimics TShark functionality)
  • The Qt UI, GTK+ UI, and TShark can now export packets as JSON.
  • TShark can additionally export packets as Elasticsearch-compatible JSON.
  • The Qt UI now supports the -j, -J, and -l flags. The -m flag is now deprecated.
  • The Conversations and Endpoints dialogs are more responsive when viewing large numbers of items.
  • The RTP player now allows up to 30 minutes of silence frames.
  • Packet bytes can now be displayed as EBCDIC.
  • The Qt UI loads captures faster on Windows.
  • proto_tree_add_checksum was added as an API. This attempts to standardize how checksums are reported and filtered for within *Shark. There are no more individual "good" and "bad" filter fields; protocols now have a "checksum.status" field that records "Good", "Bad" and "Unverified" (neither good nor bad). Color filters provided with Wireshark have been adjusted to the new display filter names, but custom ones may need to be updated.
  • The intelligent scroll bar now sits to the left of a normal scroll bar and provides a clickable map of nearby packets.
  • You can now switch between Capture and File Format dissection of the current capture file via the View menu in the Qt GUI.
  • You can now show selected packet bytes as ASCII, HTML, Image, ISO 8859-1, Raw, UTF-8, a C array, or YAML.
  • You can now use regular expressions in Find Packet and in the advanced preferences.
  • Name resolution for packet capture now supports asynchronous DNS lookups only. Therefore the "concurrent DNS resolution" preference has been deprecated and is a no-op. To enable DNS name resolution some build dependencies must be present (currently c-ares). If that is not the case DNS name resolution will be disabled (but other name resolution mechanisms, such as host files, are still available).
  • The byte under the mouse in the Packet Bytes pane is now highlighted.
  • TShark supports exporting PDUs via the -U flag.
  • The Windows and OS X installers now come with the "sshdump" and "ciscodump" extcap interfaces.
  • Most dialogs in the Qt UI now save their size and positions.
  • The Follow Stream dialog now supports UTF-16.
  • The Firewall ACL Rules dialog has returned.
  • The Flow (Sequence) Analysis dialog has been improved.
  • We no longer provide packages for 32-bit versions of OS X.
  • The Bluetooth Device details dialog has been added.
  • New File Format Decoding Support:
  • Wireshark is able to display the format of some types of files (rather than displaying the contents of those files). This is useful when you're curious about, or debugging, a file and its format. To open a capture file (such as PCAP) in this mode specify "MIME Files Format" as the file's format in the Open File dialog.
  • New Protocol Support:
  • Apache Cassandra - CQL version 3.0, Bachmann bluecom Protocol, Bluetooth Pseudoheader for BR/EDR, CISCO ERSPAN3 Marker, Edge Control Protocol (ECP), Encrypted UDP based FTP with multicast, Ericsson IPOS Kernel Packet Header Dissector Added (IPOS), Extensible Control & Management Protocol (eCMP), FLEXRAY Protocol dissector added (automotive bus), IEEE 802.1BR E-Tag, ISO 8583-1, ISO14443, ITU-T G.7041/Y.1303 Generic Framing Procedure (GFP), LAT protocol (DECNET), Metamako trailers, Network-Based IP Flow Mobility (NBIFOM), Nokia Intelligent Service Interface (ISI), Open Mobile Alliance Lightweight Machine to Machine TLV payload Added (LwM2M TLV), Real Time Location System (RTLS), RTI TCP Transport Layer (RTITCP), STANAG 5602 SIMPLE, USB3 Vision Protocol (USB machine vision cameras), USBIP Protocol, UserLog Protocol, and Zigbee Protocol Clusters Dissectors Added (Closures Lighting General Measurement & Sensing HVAC Security & Safety)
  • Updated Protocol Support:
  • Bluetooth OBEX dissector (btobex) was renamed to Obex Dissector (obex), which allows it to be used with "Decode As" over USB, TCP and UDP.
  • A preference was added to TCP dissector for handling IPFIX process information. It has been disabled by default.
  • New and Updated Capture File Support:
  • Micropross mplog
  • New and Updated Capture Interfaces support:
  • Non-empty section placeholder.
  • Major API CHANGES:
  • The libwireshark API has undergone some major changes:
  • The address macros (e.g., SET_ADDRESS) have been removed. Use the (lower case) functions of the same names instead.
  • "old style" dissector functions (that don't return number of bytes used) have been replaced in name with the "new style" dissector functions.
  • tvb_get_string and tvb_get_stringz have been replaced with tvb_get_string_enc and tvb_get_stringz_enc respectively.

New in Wireshark 2.0.5 (Jul 28, 2016)

  • BUG FIXES:
  • The following vulnerabilities have been fixed:
  • CORBA IDL dissector crash on 64-bit Windows. (Bug 12495)
  • PacketBB crash. (Bug 12577)
  • WSP infinite loop. (Bug 12594)
  • RLC long loop. (Bug 12660)
  • LDSS dissector crash. (Bug 12662)
  • RLC dissector crash. (Bug 12664)
  • OpenFlow long loop. (Bug 12659)
  • MMSE, WAP, WBXML, and WSP infinite loop. (Bug 12661)
  • WBXML crash. (Bug 12663)
  • The following bugs have been fixed:
  • T30 FCF byte decoding masks DTC, CIG and NCS. (Bug 1918)
  • TShark crashes with option "-z io,stat,…" in the presence of negative relative packet timestamps. (Bug 9014)
  • Packet size limited during capture msg is repeated in the Info column. (Bug 9826)
  • Wireshark loses windows decorations on second screen when restarting maximized using GNOME. (Bug 11303)
  • Cannot launch GTK+ version of wireshark as a normal user. (Bug 11400)
  • Restart current capture fails with "no interface selected" error when capturing in promiscuous mode. (Bug 11834)
  • Add field completion suggestions when adding a Display filter or Y Field to the IO Graph. (Bug 11899)
  • Wireshark Qt always indicates locale as "C". (Bug 11960)
  • Wireshark crashes every time open Statistics → Conversations | Endpoints. (Bug 12288)
  • Find function within the conversations window does not work. (Bug 12363)
  • Invalid values for USB SET_REQUEST packets. (Bug 12511)
  • Display filter dropdown hides cursor. (Bug 12520)
  • Filter for field name tcp.options.wscale.multiplier cannot exceed 255. (Bug 12525)
  • Ctrl+ shortcuts that are not text-related do not work when focus is on display filter field. (Bug 12533)
  • Closing Statistics window results in black screen. (Bug 12544)
  • OSPF: Incorrect description of N/P-bit in NSSA LSA. (Bug 12555)
  • Inconsistent VHT data rate. (Bug 12558)
  • DCE/RPC malformed error when stub-data is missing but a sub-dissector has been registered. (Bug 12561)
  • Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length is larger than 239 bytes. (Bug 12568)
  • "Edit Resolved Name" is not saved in current pcapng file. (Bug 12629)
  • MPTCP: MP_JOIN B bit not decoded correctly. (Bug 12635)
  • MPTCP MP_PRIO header with AddrID: incorrect AddrID. (Bug 12641)
  • Updated Protocol Support:
  • 802.11 Radiotap, BGP, CAN, CANopen, H.248 Q.1950, IPv4, IPv6, LANforge, LDSS, MPTCP, OSPF, PacketBB, PRP, RLC, RMT-FEC, RSVP, RTP MIDI, T.30, TDS, USB, WAP, WBXML, WiMax RNG-RSP, and WSP
  • New and Updated Capture File Support:
  • and pcapng
  • New and Updated Capture Interfaces support:
  • There are no new or updated capture interfaces supported in this release.

New in Wireshark 2.1.1 Development (Jul 15, 2016)

  • NEW AND UPDATED FEATURES:
  • The following features are new (or have been significantly updated) since version 2.1.0:
  • Added -d option for Decode As support in Wireshark (mimics TShark functionality)
  • The Qt UI, GTK+ UI, and TShark can now export packets as JSON. TShark can additionally export packets as Elasticsearch-compatible JSON.
  • The Qt UI now supports the -j, -J, and -l flags. The -m flag is now deprecated.
  • The Conversations and Endpoints dialogs are more responsive when viewing large numbers of items.
  • The RTP player now allows up to 30 minutes of silence frames.
  • Packet bytes can now be displayed as EBCDIC.
  • The Qt UI loads captures faster on Windows.
  • The following features are new (or have been significantly updated) since version 2.0.0:
  • The intelligent scroll bar now sits to the left of a normal scroll bar and provides a clickable map of nearby packets.
  • You can now switch between Capture and File Format dissection of the current capture file via the View menu in the Qt GUI.
  • You can now show selected packet bytes as ASCII, HTML, Image, ISO 8859-1, Raw, UTF-8, a C array, or YAML.
  • You can now use regular expressions in Find Packet and in the advanced preferences.
  • Name resolution for packet capture now supports asynchronous DNS lookups only. Therefore the "concurrent DNS resolution" preference has been deprecated and is a no-op. To enable DNS name resolution some build dependencies must be present (currently c-ares). If that is not the case DNS name resolution will be disabled (but other name resolution mechanisms, such as host files, are still available).
  • The byte under the mouse in the Packet Bytes pane is now highlighted.
  • TShark supports exporting PDUs via the -U flag.
  • The Windows and OS X installers now come with the "sshdump" and "ciscodump" extcap interfaces.
  • Most dialogs in the Qt UI now save their size and positions.
  • The Follow Stream dialog now supports UTF-16.
  • The Firewall ACL Rules dialog has returned.
  • The Flow (Sequence) Analysis dialog has been improved.
  • We no longer provide packages for 32-bit versions of OS X.
  • The Bluetooth Device details dialog has been added.
  • NEW FILE FORMAT DECODING SUPPORT:
  • Wireshark is able to display the format of some types of files (rather than displaying the contents of those files). This is useful when you’re curious about, or debugging, a file and its format. To open a capture file (such as PCAP) in this mode specify "MIME Files Format" as the file’s format in the Open File dialog.
  • NEW PROTOCOL SUPPORT:
  • Apache Cassandra - CQL version 3.0, Bachmann bluecom Protocol, Bluetooth Pseudoheader for BR/EDR, CISCO ERSPAN3 Marker, Edge Control Protocol (ECP), Ericsson IPOS Kernel Packet Header Dissector Added (IPOS), Extensible Control & Management Protocol (eCMP), FLEXRAY Protocol dissector added (automotive bus), IEEE 802.1BR E-Tag, ISO 8583-1, ISO14443, ITU-T G.7041/Y.1303 Generic Framing Procedure (GFP), LAT protocol (DECNET), Metamako trailers, Network-Based IP Flow Mobility (NBIFOM), Nokia Intelligent Service Interface (ISI), Open Mobile Alliance Lightweight Machine to Machine TLV payload Added (LwM2M TLV), Real Time Location System (RTLS), RTI TCP Transport Layer (RTITCP), STANAG 5602 SIMPLE, USB3 Vision Protocol (USB machine vision cameras), USBIP Protocol, UserLog Protocol, and Zigbee Protocol Clusters Dissectors Added (Closures Lighting General Measurement & Sensing HVAC Security & Safety)
  • UPDATED PROTOCOL SUPPORT:
  • The Bluetooth OBEX dissector (btobex) was renamed to Obex Dissector (obex), which allows it to be used with Decode As over USB, TCP and UDP.
  • A preference was added to TCP dissector for handling IPFIX process information. It has been disabled by default.
  • New and Updated Capture File Support and Micropross mplog
  • NEW AND UPDATED CAPTURE INTERFACES SUPPORT:
  • Non-empty section placeholder.
  • MAJOR API CHANGES:
  • The libwireshark API has undergone some major changes:
  • The address macros (e.g., SET_ADDRESS) have been removed. Use the (lower case) functions of the same names instead.
  • "old style" dissector functions (that don’t return number of bytes used) have been replaced in name with the "new style" dissector functions.
  • tvb_get_string and tvb_get_stringz have been replaced with tvb_get_string_enc and tvb_get_stringz_enc respectively.

New in Wireshark 2.1.0 Development (Jun 9, 2016)

  • You can now switch between Capture and File Format dissection of the current capture file via the View menu in the Qt GUI.
  • You can now show selected packet bytes as ASCII, HTML, Image, ISO 8859-1, Raw, UTF-8, a C array, or YAML.
  • You can now use regular expressions in Find Packet and in the advanced preferences.
  • Name resolution for packet capture now supports asynchronous DNS lookups only. Therefore the "concurrent DNS resolution" preference has been deprecated and is a no-op. To enable DNS name resolution some build dependencies must be present (currently c-ares). If that is not the case DNS name resolution will be disabled (but other name resolution mechanisms, such as host files, are still available).
  • The byte under the mouse in the Packet Bytes pane is now highlighted.
  • TShark supports exporting PDUs via the -U flag.
  • The Windows and OS X installers now come with the "sshdump" and "ciscodump" extcap interfaces.
  • Most dialogs in the Qt UI now save their size and positions.
  • The Follow Stream dialog now supports UTF-16.
  • The Firewall ACL Rules dialog has returned.
  • The Flow (Sequence) Analysis dialog has been improved.

New in Wireshark 2.0.4 (Jun 7, 2016)

  • The following vulnerabilities have been fixed:
  • The SPOOLS dissector could go into an infinite loop.
  • The IEEE 802.11 dissector could crash. (Bug 11585)
  • The IEEE 802.11 dissector could crash. (Bug 12175)
  • The UMTS FP dissector could crash. (Bug 12191)
  • Some USB dissectors could crash. Discovered by Mateusz Jurczyk. (Bug 12356)
  • The Toshiba file parser could crash. Discovered by iDefense Labs. (Bug 12394)
  • The CoSine file parser could crash. Discovered by iDefense Labs. (Bug 12395)
  • The NetScreen file parser could crash. Discovered by iDefense Labs. (Bug 12396)
  • The Ethernet dissector could crash. (Bug 12440)
  • The following bugs have been fixed:
  • Saving pcap capture file with ERF encapsulation creates an invalid pcap file. (Bug 3606)
  • Questionable calling of Ethernet dissector by encapsulating protocol dissectors. (Bug 9933)
  • Wireshark 1.12.0 does not dissect HTTP correctly. (Bug 10335)
  • Don’t copy details of hidden columns. (Bug 11788)
  • RTP audio player crashes. (Bug 12166)
  • Crash when saving RTP audio Telephony→RTP→RTP Streams→Analyze→Save→Audio. (Bug 12211)
  • Edit - preferences - add column field not showing dropdown for choices. (Bug 12321)
  • Using _ws.expert in a filter can cause a crash. (Bug 12335)
  • Crash in SCCP dissector UAT (Qt UI only). (Bug 12364)
  • J1939 frame without data = malformed packet ? (Bug 12366)
  • The stream number in tshark’s "-z follow,tcp," option is 0-origin rather than 1-origin. (Bug 12383)
  • IP Header Length display filter should show calculated value. (Bug 12387)
  • Multiple file radio buttons should be check boxes. (Bug 12388)
  • Wrong check for getaddrinfo and gethostbyname on Solaris 11. (Bug 12391)
  • ICMPv6 dissector doesn’t respect actual packet length. (Bug 12400)
  • Format DIS header timestamp mm:ss.nnnnnn. (Bug 12402)
  • RTP Stream Analysis can no longer be sorted in 2.0.3. (Bug 12405)
  • RTP Stream Analysis fails to complete in 2.0.3 when packets are sliced. (Bug 12406)
  • Network-Layer Name Resolution uses first 32-bits of IPv6 DNS address as IPv4 address in some circumstances. (Bug 12412)
  • BACnet decoder incorrectly flags a valid APDU as a "Malformed Packet". (Bug 12422)
  • Valid ISUP messages marked with warnings. (Bug 12423)
  • Profile command line switch "-C" not working in Qt interface. (Bug 12425)
  • MRCPv2: info column not showing info correctly. (Bug 12426)
  • Diameter: Experimental result code 5142. (Bug 12428)
  • Tshark crashes when analyzing RTP due to pointer being freed not allocated. (Bug 12430)
  • NFS: missing information in getattr for supported exclusive create attributes. (Bug 12435)
  • Ethernet type field with a value of 9100 is shown as "Unknown". (Bug 12441)
  • Documentation does not include support for Windows Server 2012 R2. (Bug 12455)
  • Column preferences ruined too easily. (Bug 12465)
  • SMB Open andX extended response decoded incorrectly. (Bug 12472)
  • SMB NtCreate andX with extended response sometimes incorrect. (Bug 12473)
  • Viewing NFSv3 Data, checking SRTs doesn’t work. (Bug 12478)
  • Make wireshark with Qt enabled buildable on ARM. (Bug 12483)
  • Updated Protocol Support:
  • AFS, ANSI IS-637 A, BACapp, BT BNEP, Cisco FabricPath MiM, CSN.1, DCERPC SPOOLS, DIS, Ethernet, GSM A RR, ICMPv6, IEEE 802.11, IPv4, ISUP, J1939, JXTA, LAPSat, LPADm, LTE-RRC, MRCPv2, NFS, OpenFlow, SGsAP, SMB, STT, TZSP, UMTS FP, and USB
  • New and Updated Capture File Support:
  • Aethra, Catapult DCT2000, CoSine, DBS Etherwatch, ERF, iSeries, Ixia IxVeriWave, NetScreen, Toshiba, and VMS TCPIPtrace

New in Wireshark 2.0.3 (Apr 23, 2016)

  • The following vulnerabilities have been fixed:
  • The NCP dissector could crash.
  • TShark could crash due to a packet reassembly bug.
  • The IEEE 802.11 dissector could crash.
  • The PKTC dissector could crash.
  • The PKTC dissector could crash.
  • The IAX2 dissector could go into an infinite loop.
  • Wireshark and TShark could exhaust the stack.
  • The GSM CBCH dissector could crash.
  • MS-WSP dissector crash.
  • The following bugs have been fixed:
  • Protocol Hierarchy Statistics shows LDAP lines recursively.
  • UTF-8 replacement characters in FT_STRINGs are escaped for presentation.
  • DTLS : reassembly error, protocol DTLS: New fragment overlaps old data.
  • Packet byte pane in Qt version of packet window isn’t being displayed.
  • "wireshark -i usbmon2 -k" results in "No interfaces selected" when restarting a capture.
  • Crash when changing the "which packets to print" radio button in the Print dialog.
  • Selecting packets causes memory leak.
  • Client Hello not dissected when failed SSL handshake fully captured.
  • TCP graphs - wrong stream graphed if stream index > 99.
  • Typo in packet-gsm_a_dtap.c.
  • Lua dot file error.
  • "All Files" does not allow selecting files without period.
  • wlan, wlan_mgt, Length error shown for IE BSS AC Access Delay/WAPI Parameter Set (68).
  • Qt GUI very slow when expanding packet details with a lot of items.
  • Comparing a boolean field against 1 always succeeds on big-endian machines.
  • FIN flag not always correctly passed to subdissectors.
  • Interpretation of BGP NLRI for default route cause malformed packet.
  • Capture Interfaces dialog crashes after clicking the bookmark menu.
  • Wireshark crashes right after a capture filter is selected.
  • GSM GMM Identity Response dissection error.
  • Crash reloading "dissector.lua" from the Wireshark website.
  • VoIP calls does not show IAX2 calls.
  • Wireshark CPU usage has dramatically increased.
  • RPC/NFS incorrectly decodes as ACAP.
  • Wireshark mistakenly flags CF-End packets as being Malformed.
  • ASTERIX Category 48 Reserved Expansion Field.
  • It is not possible to enter characters requiring "Alt Gr" in the display filter box such as "[" on a Swedish keyboard.
  • tshark crashes when trying to export to pdml.
  • Build fails on Centos 6.5 with gtk2 in ui/gtk/rtp_player.c rtp_channel_info_r has no member start_time.
  • TCP Dissector - spurious retransmissions not always recognized. (Bug 12282)
  • PRA Identifier of the IE PRA Action should use 3 octets (6 to 8) and not 2 in GTPv2.
  • Dissector bug, failed assertion, proto_desegment pinfo→can_desegment.
  • Colorize with filter, new coloring rule, is labeled as new conversation rule.
  • Qt Multicast Stream Dialog error in input field Burst alarm threshold and Buffer alarm.
  • 6LoWPAN reassembly incorrect if extension header padding was elided.
  • USBPcap prevents keyboard from working.
  • Crash when reloading Lua script when Field is gone.
  • Wrong display of USSD strings in the GSM 7-bit alphabet for non-ASCII characters in Wireshark 2.0.x.
  • Malformed Packet: RTP.
  • Incorrect error on MPA pdu length on iWARP packets.
  • Endpoints window doesn’t show name resolution.
  • Updated Protocol Support:
  • 6LoWPAN, ACAP, Asterix, BGP, DMP, DNS, DTLS, EAP, FMTP, GPRS LLC, GSM A, GSM A GM, GSM CBCH, GSM MAP, GTPv2, HTTP, IAX2, IEEE 802.11, iWARP MPA, MS-WSP, MySQL, NCP, NFS, PKTC, QUIC, R3, RTP, SMB, SPRT, TCP, ZEP, ZigBee, ZigBee NWK, ZigBee ZCL SE, and ZVT

New in Wireshark 2.0.2 (Feb 26, 2016)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2016-01
  • DLL hijacking vulnerability. CVE-2016-2521
  • wnpa-sec-2016-02
  • ASN.1 BER dissector crash. (Bug 11828) CVE-2016-2522
  • wnpa-sec-2016-03
  • DNP dissector infinite loop. (Bug 11938) CVE-2016-2523
  • wnpa-sec-2016-04
  • X.509AF dissector crash. (Bug 12002) CVE-2016-2524
  • wnpa-sec-2016-05
  • HTTP/2 dissector crash. (Bug 12077) CVE-2016-2525
  • wnpa-sec-2016-06
  • HiQnet dissector crash. (Bug 11983) CVE-2016-2526
  • wnpa-sec-2016-07
  • 3GPP TS 32.423 Trace file parser crash. (Bug 11982) CVE-2016-2527
  • wnpa-sec-2016-08
  • LBMC dissector crash. (Bug 11984) CVE-2016-2528
  • wnpa-sec-2016-09
  • iSeries file parser crash. (Bug 11985) CVE-2016-2529
  • wnpa-sec-2016-10
  • RSL dissector crash. (Bug 11829) CVE-2016-2530 CVE-2016-2531
  • wnpa-sec-2016-11
  • LLRP dissector crash. (Bug 12048) CVE-2016-2532
  • wnpa-sec-2016-12
  • Ixia IxVeriWave file parser crash. (Bug 11795)
  • wnpa-sec-2016-13
  • IEEE 802.11 dissector crash. (Bug 11818)
  • wnpa-sec-2016-14
  • GSM A-bis OML dissector crash. (Bug 11825)
  • wnpa-sec-2016-15
  • ASN.1 BER dissector crash. (Bug 12106)
  • wnpa-sec-2016-16
  • SPICE dissector large loop. (Bug 12151)
  • wnpa-sec-2016-17
  • NFS dissector crash.
  • wnpa-sec-2016-18
  • ASN.1 BER dissector crash. (Bug 11822)
  • The following bugs have been fixed:
  • HTTP 302 decoded as TCP when "Allow subdissector to reassemble TCP streams" option is enabled. (Bug 9848)
  • Questionable calling of ethernet dissector by encapsulating protocol dissectors. (Bug 9933)
  • [Qt & Legacy & probably TShark too] Delta Time Conversation column is empty. (Bug 11559)
  • extcap: abort when validating capture filter for DLT 147. (Bug 11656)
  • Missing columns in Qt Flow Graph. (Bug 11710)
  • Interface list doesn’t show well when the list is very long. (Bug 11733)
  • Unable to use saved Capture Filters in Qt UI. (Bug 11836)
  • extcap: Capture interface options snaplen, buffer and promiscuous not being used. (Bug 11865)
  • Improper RPC reassembly. (Bug 11913)
  • GTPv1 Dual Stack with one static and one Dynamic IP. (Bug 11945)
  • Wireshark 2.0.1 MPLS dissector not decoding payload when control word is present in pseudowire. (Bug 11949)
  • "…using this filter" turns white (not green or red). Plus dropdown arrow does nothing. (Bug 11950)
  • EIGRP field eigrp.ipv4.destination does not show the correct destination. (Bug 11953)
  • tshark -z conv,type[,filter] swapped frame / byte values from / to columns. (Bug 11959)
  • The field name nstrace.tcpdbg.tcpack should be nstrace.tcpdbg.tcprtt. (Bug 11964)
  • 6LoWPAN IPHC traffic class not decompressed correctly. (Bug 11971)
  • Crash with snooping NFS file handles. (Bug 11972)
  • 802.11 dissector fails to decrypt some broadcast messages. (Bug 11973)
  • Wireshark hangs when adding a new profile. (Bug 11979)
  • Issues when closing the application with a running capture without packets. (Bug 11981)
  • New Qt UI lacks ability to step through multiple TCP streams with Analyze > Follow > TCP Stream. (Bug 11987)
  • GTK: plugin_if_goto_frame causes Access Violation if called before capture file is loaded. (Bug 11989)
  • Wireshark 2.0.1 crash on start. (Bug 11992)
  • Wi-Fi 4-way handshake 4/4 is displayed as 2/4. (Bug 11994)
  • ACN: acn.dmx.data has incorrect type. (Bug 11999)
  • editcap packet comment won’t add multiple comments. (Bug 12007)
  • DICOM Sequences no longer able to be expanded. (Bug 12011)
  • Wrong TCP stream when port numbers are reused. (Bug 12022)
  • SSL decryption fails in presence of a Client certificate. (Bug 12042)
  • LUA: TVBs backing a data source is freed too early. (Bug 12050)
  • PIM: pim.group filter have the same name for IPv4 and IPv6. (Bug 12061)
  • Failed to parse M3AP IE (TNL information). (Bug 12070)
  • Wrong interpretation of Instance ID value in OSPFv3 packet. (Bug 12072)
  • MP2T Dissector does parse RTP properly in 2.0.1. (Bug 12099)
  • editcap does not adjust time for frames with absolute timestamp 0 < t < 1 secs. (Bug 12116)
  • Guard Interval is not consistent between Radiotap & wlan_radio. (Bug 12123)
  • Calling dumpcap -i- results in access violation. (Bug 12143)
  • Qt: Friendly Name and Interface Name columns should not be editable. (Bug 12146)
  • PPTP GRE call ID not always decoded. (Bug 12149)
  • Interface list does not show device description anymore. (Bug 12156)
  • Find Packet does not highlight the matching tree item or packet bytes. (Bug 12157)
  • "total block length … is too large" error when opening pcapng file with multiple SHB sections. (Bug 12167)
  • http.request.full_uri is malformed if an HTTP Proxy is used. (Bug 12176)
  • SNMP dissector fails at msgSecurityParameters with long length encoding. (Bug 12181)
  • Windows installers and PortableApps® packages are now dual signed using SHA-1 and SHA-256 in order to comply with Microsoft Authenticode policy. Windows 7 and Windows Server 2008 R2 users should ensure that update 3123479 is installed. Windows Vista and Windows Server 2008 users should ensure that hotfix 2763674 is installed.
  • Updated Protocol Support:
  • 6LoWPAN, ACN, ASN.1 BER, BATADV, DICOM, DNP3, DOCSIS INT-RNG-REQ, E100, EIGRP, GSM A DTAP, GSM SMS, GTP, HiQnet, HTTP, HTTP/2, IEEE 802.11, IKEv2, InfiniBand, IPv4, IPv6, LBMC, LLRP, M3AP, MAC LTE, MP2T, MPLS, NFS, NS Trace, OSPF, PIM, PPTP, RLC LTE, RoHC, RPC, RSL, SNMP, SPICE, SSL, TCP, TRILL, VXLAN, WaveAgent, and X.509AF
  • New and Updated Capture File Support:
  • 3GPP TS 32.423 Trace, iSeries, Ixia IxVeriWave, pcap, and pcapng

New in Wireshark 2.0.1 (Dec 29, 2015)

  • Bug Fixes:
  • wnpa-sec-2015-31 NBAP dissector crashes. (Bug 11602, Bug 11835, Bug 11841)
  • wnpa-sec-2015-37 NLM dissector crash.
  • wnpa-sec-2015-39 BER dissector crash.
  • wnpa-sec-2015-40 Zlib decompression crash. (Bug 11548)
  • wnpa-sec-2015-41 SCTP dissector crash. (Bug 11767)
  • wnpa-sec-2015-42 802.11 decryption crash. (Bug 11790, Bug 11826)
  • wnpa-sec-2015-43 DIAMETER dissector crash. (Bug 11792)
  • wnpa-sec-2015-44 VeriWave file parser crashes. (Bug 11789, Bug 11791)
  • wnpa-sec-2015-45 RSVP dissector crash. (Bug 11793)
  • wnpa-sec-2015-46 ANSI A & GSM A dissector crashes. (Bug 11797)
  • wnpa-sec-2015-47 Ascend file parser crash. (Bug 11794)
  • wnpa-sec-2015-48 NBAP dissector crash. (Bug 11815)
  • wnpa-sec-2015-49 RSL dissector crash. (Bug 11829)
  • wnpa-sec-2015-50 ZigBee ZCL dissector crash. (Bug 11830)
  • wnpa-sec-2015-51 Sniffer file parser crash. (Bug 11827)
  • wnpa-sec-2015-52 NWP dissector crash. (Bug 11726)
  • wnpa-sec-2015-53 BT ATT dissector crash. (Bug 11817)
  • wnpa-sec-2015-54 MP2T file parser crash. (Bug 11820)
  • wnpa-sec-2015-55 MP2T file parser crash. (Bug 11821)
  • wnpa-sec-2015-56 S7COMM dissector crash. (Bug 11823)
  • wnpa-sec-2015-57 IPMI dissector crash. (Bug 11831)
  • wnpa-sec-2015-58 TDS dissector crash. (Bug 11846)
  • wnpa-sec-2015-59 PPI dissector crash. (Bug 11876)
  • wnpa-sec-2015-60 MS-WSP dissector crash. (Bug 11931)
  • The Windows installers are now built using NSIS 2.50 in order to avoid DLL hijacking flaws.
  • The following bugs have been fixed:
  • Zooming out (Ctrl+-) too far crashes Wireshark. (Bug 8854)
  • IPv6 Mobility Header Link-Layer Address Mobility Option is parsed incorrectly. (Bug 10627)
  • About -> Plugins should be a scrollable. (Bug 11427)
  • Profile change leaves prior profile residue. (Bug 11493)
  • Wireshark crashes when using the VoIP player. (Bug 11596)
  • Incorrect presentation of Ascend-Data-Filter (RADIUS attribute 242). (Bug 11630)
  • Not possible to stop a capture with invalid filter. (Bug 11667)
  • "No interface selected" when having a valid capture filter. (Bug 11671)
  • Malformed packet with IPv6 mobility header. (Bug 11728)
  • Wireshark crashes dissecting Profinet NRT (DCE-RPC) packet. (Bug 11730)
  • All fields in the packet detail pane of a "new packet" window are expanded by default. (Bug 11731)
  • Malformed packets with SET_CUR in the USBVIDEO (UVC) decoding. (Bug 11736)
  • Display filters arranges columns incorrectly. (Bug 11737)
  • Scrolling and navigating using the trackpad on Mac OS X could be much better. (Bug 11738)
  • Lua Proto() does not validate arguments. (Bug 11739)
  • Pointers to deallocated memory when redissecting. (Bug 11740)
  • Suggestion for re-phrasing the TCP Window Full message. (Bug 11741)
  • Can't parse MPEG-2 Transport Streams generated by the Logik L26DIGB21 TV. (Bug 11749)
  • Qt UI on Windows crashes when changing to next capture file. (Bug 11756)
  • First displayed frame not updated when changing profile. (Bug 11757)
  • LDAP decode shows invalid number of results for searchResEntry packets. (Bug 11761)
  • Crash when escape to Follow TCP -> Save. (Bug 11763)
  • USBPcap prevents mouse and keyboard from working. (Bug 11766)
  • Y-axis in RTP graph is in microseconds. (Bug 11784)
  • "Delta time displayed" column in Wireshark doesn't work well, but Wireshark-gtk does. (Bug 11786)
  • UDP 12001 SNA Data no longer shown in EBCDIC. (Bug 11787)
  • Wireshark Portable is not starting (no messages at all). (Bug 11800)
  • IPv6 RPL Routing Header with length of 8 bytes still reads an address. (Bug 11803)
  • g_utf8_validate assertion when reassembling GSM SMS messages encoded in UCS2. (Bug 11809)
  • Calling plugin_if_goto_frame when there is no file loaded causes a Protection Exception. (Bug 11810)
  • Qt UI SIGSEGV before main() in initializer for colors_. (Bug 11833)
  • Unable to add a directory to "GeoIP Database Paths". (Bug 11842)
  • C++ Run time error when filtering on Expert limit to display filter. (Bug 11848)
  • Widening the window doesn't correctly widen the rightmost column. (Bug 11849)
  • SSL V2 Client Hello no longer dissected in Wireshark 2.0. (Bug 11851)
  • PacketBB (RFC5444) dissector displays IPv4 addresses incorrectly. (Bug 11852)
  • SMTP over port 587 shows identical content for fields "Username" and "Password" when not decoding base-64-encoded authentication information. (Bug 11853)
  • Converting of EUI64 address to string does not take offset into account. (Bug 11856)
  • CIP segment dissection causes PDML assertion/failure. (Bug 11863)
  • In Import from Hex Dump, an attempt to enter the timestamp format manually crashes the application. (Bug 11873)
  • Follow Stream directional selector not readable. (Bug 11887)
  • Coloring rule custom colors not saved. (Bug 11888)
  • Total number of streams not correct in Follow TCP Stream dialog. (Bug 11889)
  • Command line switch -Y for display filter does not work. (Bug 11891)
  • Creating Debian package doesn't work. (Bug 11893)
  • Visual C++ Runtime Library Error "The application has requested the Runtime to terminate it in an unusual way." when you do not wait until Conversations is completely updated before applying "Limit to display filter". (Bug 11900)
  • dpkg-buildpackage relocation R_X86_64_PC32 against symbol. (Bug 11901)
  • Bits view in Packet Bytes pane is not persistent. (Bug 11903)
  • ICMP Timestamp days, hours, minutes, seconds is incorrect. (Bug 11910)
  • MPEG2TS NULL pkt: AFC: "Should be 0 for NULL packets" wrong. (Bug 11921)
  • New and Updated Features:
  • There are no new features in this release.
  • New File Format Decoding Support:
  • There are no new file formats in this release.
  • New Protocol Support:
  • There are no new protocols in this release.
  • Updated Protocol Support:
  • 6LoWPAN, ANSI A, ASN.1 BER, BT ATT, CIP, CLNP, DIAMETER, DNS, ENIP, ERF, GSM A, GSM SMS, HiSLIP, ICMP, IEEE 802.11, IEEE 802.11 Radio, IPMI, IPv4, IPv6, ISUP, L2TP, LDAP, Link (ethertype), MIP6, MP2T, MS-WSP, NBAP, NWP, PacketBB, PPI, QUIC, RADIUS, RSL, RSVP, S7COMM, SCSI, SCTP, SMTP, SSL, TCP, TDS, USB, VRT, and ZigBee ZCL
  • New and Updated Capture File Support:
  • Ascend, ERF, MP2T, Sniffer, and VeriWave
  • New and Updated Capture Interfaces support:
  • There are no new or updated capture interfaces supported in this release.

New in Wireshark 2.0.0 (Nov 19, 2015)

  • WHAT'S NEW:
  • Wireshark 2.0 features a completely new user interface which should provide a smoother, faster user experience. The new interface should be familiar to current users of Wireshark but provide a faster workflow for many tasks.
  • The Windows installer provides the option of installing either the new interface (“Wireshark”) or the old interface (“Wireshark Legacy”). Both are installed by default. Note that the legacy interface will be removed in Wireshark 2.2.
  • The OS X installer only provides the new interface. If you need the old interface you can install it via Homebrew or MacPorts.
  • Wireshark’s Debian- and RPM-based package definitions provide the new interface in the “wireshark-qt” package and the old interface in the “wireshark-gtk” package. It is hoped that downstream distributions will follow this convention.
  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 2.0.0rc3:
  • An RTP player crash has been fixed.
  • Flow graph issues have been fixed. Bug 11710.
  • A Follow Stream dialog crash has been fixed. Bug 11711.
  • An extcap crash has been fixed.
  • A file merge crash has been fixed. Bug 11718.
  • A handle leak crash has been fixed. Bug 11702.
  • Several other crashes and usability issues have been fixed.
  • The following features are new (or have been significantly updated) since version 2.0.0rc2:
  • Column editing now works correctly. Bug 11433.
  • Renaming profiles has been fixed. Bug 11658.
  • “File”→Merge no longer crashes on Windows. Bug 11684.
  • Icons in the main toolbar obey magnification settings on Windows. Bug 11675.
  • The Windows installer does a better job of detecting WinPcap. Bug 10867.
  • The main window no longer appears off-screen on Windows. Bug 11568.
  • The following features are new (or have been significantly updated) since version 2.0.0rc1:
  • For new installations on UN*X, the directory for user preferences is $HOME/.config/wireshark rather than $HOME/.wireshark. If that directory is absent, preferences will still be found and stored under $HOME/.wireshark.
  • Qt port:
  • The SIP Statistics dialog has been added.
  • You can now create filter expressions from the display filter toolbar.
  • Bugs in the UAT preferences dialog have been fixed.
  • Several dissector and Qt UI crash bugs have been fixed.
  • Problems with the OS X application bundle have been fixed.
  • The following features are new (or have been significantly updated) since version 1.99.9:
  • Qt port:
  • The LTE RLC Graph dialog has been added.
  • The LTE MAC Statistics dialog has been added.
  • The LTE RLC Statistics dialog has been added.
  • The IAX2 Analysis dialog has been added.
  • The Conversation Hash Tables dialog has been added.
  • The Dissector Tables dialog has been added.
  • The Supported Protocols dialog has been added.
  • You can now zoom the I/O and TCP Stream graph X and Y axes independently.
  • The RTP Player dialog has been added.
  • Several memory leaks have been fixed.
  • The following features are new (or have been significantly updated) since version 1.99.8:
  • Qt port:
  • The MTP3 statistics and summary dialogs have been added.
  • The WAP-WSP statistics dialog has been added.
  • The UDP multicast statistics dialog has been added.
  • The WLAN statistics dialog has been added.
  • The display filter macros dialog has been added.
  • The capture file properties dialog now includes packet comments.
  • Many more statistics dialogs can be opened from the command line via -z ....
  • Most dialogs now have a cancellable progress bar.
  • Many packet list and packet detail context menus items have been added.
  • Lua plugins can be reloaded from the Analyze menu.
  • Many bug fixes and improvements.
  • The following features are new (or have been significantly updated) since version 1.99.7:
  • Qt port:
  • The Enabled Protocols dialog has been added.
  • Many statistics dialogs have been added, including Service response time, DHCP/BOOTP, and ANSI.
  • The RTP Analysis dialog has been added.
  • Lua dialog support has been added.
  • You can now manually resolve addresses.
  • The Resolved Addresses dialog has been added.
  • The packet list scrollbar now has a minimap.
  • The capture interfaces dialog has been updated.
  • You can now colorize conversations.
  • Welcome screen behavior has been improved.
  • Plugin support has been improved.
  • Many dialogs should now more correctly minimize and maximize.
  • The reload button has been added back to the toolbar.
  • The "Decode As" dialog no longer saves decoding behavior.
  • You can now stop loading large capture files.
  • The Bluetooth HCI Summary has been added.
  • The following features are new (or have been significantly updated) since version 1.99.6:
  • Qt port:
  • The Bluetooth Devices dialog has been added.
  • The wireless toolbar has been added.
  • Opening files via drag and drop is now supported.
  • The Capture Filter and Display Filter dialogs have been added.
  • The Display Filter Expression dialog has been added.
  • Conversation Filter menu items have been added.
  • You can change protocol preferences by right clicking on the packet list and details.
  • The following features are new (or have been significantly updated) since version 1.99.4 and 1.99.5:
  • Qt port:
  • Capture restarts are now supported.
  • Menu items for plugins are now supported.
  • Extcap interfaces are now supported.
  • The Expert Information dialog has been added.
  • Display and capture filter completion is now supported.
  • Many bugs have been fixed.
  • Translations have been updated.
  • The following features are new (or have been significantly updated) since version 1.99.3:
  • Qt port:
  • Several interface bugs have been fixed.
  • Translations have been updated.
  • The following features are new (or have been significantly updated) since version 1.99.2:
  • Qt port:
  • Several bugs have been fixed.
  • You can now open a packet in a new window.
  • The Bluetooth ATT Server Attributes dialog has been added.
  • The Coloring Rules dialog has been added.
  • Many translations have been updated. Chinese, Italian and Polish translations are complete.
  • General user interface and usability improvements.
  • Automatic scrolling during capture now works.
  • The related packet indicator has been updated.
  • The following features are new (or have been significantly updated) since version 1.99.1:
  • Qt port:
  • The welcome screen layout has been updated.
  • The Preferences dialog no longer crashes on Windows.
  • The packet list header menu has been added.
  • Statistics tree plugins are now supported.
  • The window icon is now displayed properly in the Windows taskbar.
  • A packet list and byte view selection bug has been fixed. (Bug 10896)
  • The RTP Streams dialog has been added.
  • The Protocol Hierarchy Statistics dialog has been added.
  • The following features are new (or have been significantly updated) since version 1.99.0:
  • Qt port:
  • You can now show and hide toolbars and major widgets using the View menu.
  • You can now set the time display format and precision.
  • The byte view widget is much faster, particularly when selecting large reassembled packets.
  • The byte view is explorable. Hovering over it highlights the corresponding field and shows a description in the status bar.
  • An Italian translation has been added.
  • The Summary dialog has been updated and renamed to Capture File Properties.
  • The VoIP Calls and SIP Flows dialogs have been added.
  • Support for HiDPI / Retina displays has been improved in the official packages.
  • DNS stats: + A new stats tree has been added to the Statistics menu. Now it is possible to collect stats such as qtype/qclass distribution, number of resource record per response section, and stats data (min, max, avg) for values such as query name length or DNS payload.
  • HPFEEDS stats: + A new stats tree has been added to the statistics menu. Now it is possible to collect stats per channel (messages count and payload size), and opcode distribution.
  • HTTP2 stats: + A new stats tree has been added to the statistics menu. Now it is possible to collect stats (type distribution).
  • The following features are new (or have been significantly updated) since version 1.12.0:
  • The I/O Graph in the Gtk+ UI now supports an unlimited number of data points (up from 100k).
  • TShark now resets its state when changing files in ring-buffer mode.
  • Expert Info severities can now be configured.
  • Wireshark now supports external capture interfaces. External capture interfaces can be anything from a tcpdump-over-ssh pipe to a program that captures from proprietary or non-standard hardware. This functionality is not available in the Qt UI yet.
  • Qt port:
  • The Qt UI is now the default (program name is wireshark).
  • A Polish translation has been added.
  • The Interfaces dialog has been added.
  • The interface list is now updated when interfaces appear or disappear.
  • The Conversations and Endpoints dialogs have been added.
  • A Japanese translation has been added.
  • It is now possible to manage remote capture interfaces.
  • Windows: taskbar progress support has been added.
  • Most toolbar actions are in place and work.
  • More command line options are now supported
  • New File Format Decoding Support:
  • Wireshark is able to display the format of some types of files (rather than displaying the contents of those files). This is useful when you’re curious about, or debugging, a file and its format. To open a capture file (such as PCAP) in this mode specify "MIME Files Format" as the file’s format in the Open File dialog.
  • New files that Wireshark can open in this mode include:
  • BTSNOOP, PCAP, and PCAPNG
  • New Protocol Support:
  • Aeron, AllJoyn Reliable Datagram Protocol, Android Debug Bridge, Android Debug Bridge Service, Android Logcat text, Apache Tribes Heartbeat, APT-X Codec, B.A.T.M.A.N. GW, B.A.T.M.A.N. Vis, BGP Monitoring Protocol (BMP), Bluetooth Broadcom HCI, Bluetooth GATT Attributes (many), Bluetooth OBEX Applications (many), BSSAP2, C15 Call History Protocol (C15ch) and others, Celerra VNX, Ceph, Chargen, Classical IP, Concise Binary Object Representation (CBOR) (RFC 7049), Corosync Totem Single Ring Protocol, Corosync Totemnet, Couchbase, CP “Cooper” 2179, CSN.1, dCache, DJI UAV Drone Control Protocol, Dynamic Source Routing (RFC 4728), Elasticsearch, ETSI Card Application Toolkit - Transport Protocol, eXpressive Internet Protocol (XIP), GDB Remote Serial Protocol, Generic Network Virtualization Encapsulation (Geneve), Geospatial and Imagery Access Service (GIAS), Gias Dissector Using GIOP API, GPRS Tunneling Protocol Prim, GVSP GigE Vision ™ Streaming Protocol, H.225 RAS, Harman HiQnet, HCrt, Hotline Command-Response Transaction Protocol, IEEE 802.11 radio information, IP Detail Record (IPDR), IPMI Trace, iSER, KNXnetIP, Link Aggregation Control Protocol, Link Aggregation Marker Protocol, Link Layer Topology Discovery, Link-local Multicast Name Resolution, LISP TCP Control Message, Locator/ID Separation Protocol (Reliable Transport), MACsec Key Agreement - EAPoL-MKA, MCPE (Minecraft Pocket Edition), Message Queuing Telemetry Transport For Sensor Networks (MQTT-SN), Minecraft Pocket Edition, MQ Telemetry Transport Protocol for Sensor Networks, Multicast Domain Name Service (mDNS), Neighborhood Watch Protocol (NWP), Network File System over Remote Direct Memory Access (NFSoRDMA), OAMPDU, OCFS2, OptoMMP, Organization Specific Slow Protocol (OSSP), Packet Cable Lawful Intercept (8 byte CCCID), Packet Cable Lawful Intercept (timestamp), Packet Cable Lawful Intercept (timestamp case ID), PacketCable MTA FQDN, Performance Co-Pilot Proxy, QNEX6 (QNET), RakNet games library, Remote Shared Virtual Disk (RSVD), Riemann, RPC over RDMA (RPCoRDMA), S7 Communication, Secure Socket Tunnel Protocol (SSTP), Shared Memory Communications - RDMA (SMCR), Stateless Transport Tunneling, Sysdig system call events, TCP based Robot Operating System protocol (TCPROS), Thrift, Time Division Multiplexing over Packet Network (TDMoP), Video Services over IP (VSIP), Windows Search Protocol (MS-WSP), XIP Serval, ZigBee ZCL (many), and ZVT Kassenschnittstelle
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • 3GPP TS 32.423 Trace, Android Logcat text files, Colasoft Capsa files, Netscaler 3.5, and Symbian OS BTSNOOP File Format
  • Additionally, Wireshark now supports nanosecond timestamp resolution in PCAP-NG files.
  • New and Updated Capture Interfaces support:
  • Androiddump support now provides interfaces to capture (Logcat, Bluetooth and WiFi) from connected Android devices.
  • Major API Changes:
  • The libwireshark API has undergone some major changes:
  • The emem framework (including all ep_ and se_ memory allocation routines) has been completely removed in favour of wmem which is now fully mature.
  • The (long-since-broken) Python bindings support has been removed. If you want to write dissectors in something other than C, use Lua.
  • Plugins can now create GUI menu items.
  • Heuristic dissectors can now be globally enabled/disabled so heur_dissector_add() has a few more parameters to make that possible
  • proto_tree_add_text has been removed.
  • tvb_length() has been removed in favor of tvb_reported_length() and tvb_captured_length().
  • The API for ONC RPC-based dissectors has changed significantly: the procedure dissectors no longer take an offset, void-argument procedures now need to be declared with a function (use dissect_rpc_void()), and rpc_init_prog() now handles procedure registration too (it takes additional arguments to handle this; rpc_init_proc_table() was removed).

New in Wireshark 2.00 RC 3 (Nov 12, 2015)

  • "File→Merge" no longer crashes on Windows. Bug 11684.
  • Icons in the main toolbar obey magnification settings on Windows. Bug 11675.
  • The Windows installer does a better job of detecting WinPcap. Bug 10867.
  • The main window no longer appears off-screen on Windows. Bug 11568.

New in Wireshark 2.00 RC 2 (Oct 31, 2015)

  • Several dissector and Qt UI crash bugs have been fixed
  • Qt port:
  • The SIP Statistics dialog has been added
  • You can now create filter expressions from the display filter toolbar
  • Bugs in the UAT preferences dialog have been fixed

New in Wireshark 2.00 RC 1 (Oct 31, 2015)

  • Qt port:
  • The LTE RLC Graph dialog has been added
  • The LTE MAC Statistics dialog has been added
  • The LTE RLC Statistics dialog has been added
  • The IAX2 Analysis dialog has been added
  • The Conversation Hash Tables dialog has been added
  • The Dissector Tables dialog has been added
  • The Supported Protocols dialog has been added
  • You can now zoom the I/O and TCP Stream graph X and Y axes independently
  • The RTP Player dialog has been added
  • Several memory leaks have been fixed

New in Wireshark 1.12.8 (Oct 15, 2015)

  • Bug Fixes:
  • The following vulnerabilities have been fixed.
  • Pcapng file parser crash. Discovered by Dario Lombardo and Shannon Sabens. (Bug 11455) CVE-2015-7830
  • The following bugs have been fixed
  • Last Address field for IPv6 RPL routing header is interpreted incorrectly. (Bug 10560)
  • Comparing two capture files crashes Wireshark when navigating the results. (Bug 11098)
  • 802.11 frame is not correctly dissected if it contains HT Control. (Bug 11351)
  • GVCP bit-fields not updated. (Bug 11442)
  • Tshark crash when specifying ssl.keys_list on CLI. (Bug 11443)
  • pcapng: SPB capture length is incorrectly truncated if IDB snaplen = 0. (Bug 11483)
  • pcapng: NRB IPv4 address is endian swapped but shouldn’t be. (Bug 11484)
  • pcapng: NRB with options causes file read failure. (Bug 11485)
  • pcapng: ISB without if_drop option is shown as max value. (Bug 11489)
  • UNISTIM dissector - Message length not included in offset for "Select Adjustable Rx Volume". (Bug 11497)
  • Updated Protocol Support:
  • DIAMETER, GVCP, IEEE 802.11, IPv6, and UNISTIM
  • New and Updated Capture File Support:
  • and pcapng

New in Wireshark 1.99.9 Development (Sep 2, 2015)

  • Qt port:
  • The MTP3 statistics and summary dialogs have been added.
  • The WAP-WSP statistics dialog has been added.
  • The UDP multicast statistics dialog has been added.
  • The WLAN statistics dialog has been added.
  • The display filter macros dialog has been added.
  • The capture file properties dialog now includes packet comments.
  • Many more statistics dialogs can be opened from the command line via -z ....
  • Most dialogs now have a cancellable progress bar.
  • Many packet list and packet detail context menus items have been added.
  • Lua plugins can be reloaded from the Analyze menu.
  • Many bug fixes and improvements.

New in Wireshark 1.12.7 (Aug 13, 2015)

  • BUG FIXES:
  • wnpa-sec-2015-21
  • Protocol tree crash. (Bug 11309)
  • Memory manager crash. (Bug 11373)
  • Dissector table crash. (Bug 11381)
  • ZigBee crash. (Bug 11389)
  • GSM RLC/MAC infinite loop. (Bug 11358)
  • WaveAgent crash. (Bug 11358)
  • OpenFlow infinite loop. (Bug 11358)
  • Ptvcursor crash. (Bug 11358)
  • WCCP crash. (Bug 11358)
  • The following bugs have been fixed:
  • DCE RPC "Decode As" capability is missing. (Bug 10368)
  • Mergecap turns nanosecond-resolution time stamps into microsecond-resolution time stamps. (Bug 11202)
  • The Aruba ERM Type 1 Dissector inconsistent with Type 0 and Type 3. (Bug 11204)
  • Parse CFM Type Test signal (TST) without CRC. (Bug 11286)
  • Tshark: output format of rpc.xid changed from Hex to Integer. (Bug 11292)
  • Not stop -a filecount . (Bug 11305)
  • lldp.ieee.802_3.mdi_power_class display is wrong. (Bug 11330)
  • Powerlink (EPL) SDO packages interpreted as frame duplication. (Bug 11341)
  • Mysql dissector adds packet content to INFO column without scrubbing it. (Bug 11344)
  • PIM null-register according to rfc4601 is incorrectly parsed. (Bug 11354)
  • Wireshark Lua dissectors: both expand together. (Bug 11356)
  • Link-type not retrieved for rpcap interfaces configured with authentication. (Bug 11366)
  • SSL Decryption (RSA private key with p smaller than q) failing on the Windows 7 buildbot. (Bug 11372)
  • [gtpv2]PCSCF ip in the Protocol configuration of update bearer request is not getting populated. (Bug 11378)
  • wpan.src64 (and dst64) filter always gives "is not a valid EUI64 Address" error. (Bug 11380)
  • Websphere MQ Work Information Header incorrectly showing "Reserved". (Bug 11384)
  • DUP ACK Counter resetting after Window Update. (Bug 11397)
  • CSV values missing when using tshark -2 option. (Bug 11401)
  • Ethernet PAUSE frames are decoded incorrectly as PFC. (Bug 11403)
  • SOCKS decoder giving strange values for seemingly normal SOCKS connection. (Bug 11417)
  • 802.11ad decoding error. (Bug 11419)

New in Wireshark 1.99.8 Development (Jul 25, 2015)

  • Qt port:
  • The Enabled Protocols dialog has been added.
  • Many statistics dialogs have been added, including Service response time, DHCP/BOOTP, and ANSI.
  • The RTP Analysis dialog has been added.
  • Lua dialog support has been added.
  • You can now manually resolve addresses.
  • The Resolved Addresses dialog has been added.
  • The packet list scrollbar now has a minimap.
  • The capture interfaces dialog has been updated.
  • You can now colorize conversations.
  • Welcome screen behavior has been improved.
  • Plugin support has been improved.
  • Many dialogs should now more correctly minimize and maximize.
  • The reload button has been added back to the toolbar.
  • The "Decode As" dialog no longer saves decoding behavior.
  • You can now stop loading large capture files.
  • The Bluetooth HCI Summary has been added.

New in Wireshark 1.99.7 Development (Jun 19, 2015)

  • NEW AND UPDATED FEATURES:
  • Qt port:
  • The Bluetooth Devices dialog has been added.
  • The wireless toolbar has been added.
  • Opening files via drag and drop is now supported.
  • The Capture Filter and Display Filter dialogs have been added.
  • The Display Filter Expression dialog has been added.
  • Conversation Filter menu items have been added.
  • You can change protocol preferences by right clicking on the packet list and details.
  • NEW PROTOCOL SUPPORT:
  • (LISP) TCP Control Message, Aeron, AllJoyn Reliable Datagram Protocol, Android ADB, Android Logcat text, Apache Tribes Heartbeat, BGP Monitoring Protocol (BMP), C15 Call History Protocol dissection (C15ch), ceph, corosync/totemnet corosync cluster engine (lowest level encryption/decryption protocol), corosync/totemsrp corosync cluster engine (totem single ring protocol), Couchbase, CP "Cooper" 2179, DJI UAV Drone Control Protocol, Dynamic Source Routing (RFC 4728), Elasticsearch, ETSI Card Application Toolkit - Transport Protocol, Generic Network Virtualization Encapsulation (Geneve), Geospatial and Imagery Access Service (GIAS), GVSP GigE Vision (TM) Streaming Protocol, HCrt, HiQnet, IP Detail Record (IPDR), IPMI Trace, iSER, KNXnetIP, MACsec Key Agreement - EAPoL-MKA, MCPE (Minecraft Pocket Edition), Network File System over Remote Direct Memory Access (NFSoRDMA), OCFS2, OptoMMP, Performance Co-Pilot Proxy, QNEX6 (QNET), RakNet games library, Remote Shared Virtual Disk - RSVD, Riemann, S7 Communication, Secure Socket Tunnel Protocol (SSTP), Shared Memory Communications - RDMA, Stateless Transport Tunneling, Thrift, Video Services over IP (VSIP), and ZVT Kassenschnittstelle
  • NEW AND UPDATED CAPTURE FILE SUPPORT:
  • 3GPP Nettrace TS 34 423, Android Logcat text files, Colasoft Capsa files, and Netscaler 3.5. Wireshark now also supports nanosecond timestamp resolution in PCAP-NG files.
  • NEW AND UPDATED CAPTURE INTERFACES SUPPORT:
  • Androiddump: provides interfaces to capture (Logcat and Bluetooth) from connected Android devices.
  • MAJOR API CHANGES:
  • The libwireshark API has undergone some major changes:
  • The emem framework (including all ep_ and se_ memory allocation routines) has been completely removed in favour of wmem which is now fully mature.
  • The (long-since-broken) Python bindings support has been removed. If you want to write dissectors in something other than C, use Lua.
  • Plugins can now create GUI menu items.

New in Wireshark 1.12.6 (Jun 18, 2015)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • WCCP dissector crash. (Bug 11153)
  • GSM DTAP dissector crash. (Bug 11201)
  • The following bugs have been fixed:
  • Wireshark 1.12.1 crashes on startup on Mac OS X 10.10 (Yosemite). (Bug 10640)
  • Wireshark does not display X.400 addresses correctly. (Bug 11210)
  • Reproducible crash in "Edit column details" dialog. (Bug 11245)
  • Subnet name resolution doesn’t always work. (Bug 11247)
  • SIP MIME body containing ISUP does not decode properly. (Bug 11249)
  • iSCSI: Read(10): shows incorrect "Data In" & "Response" frame number. (Bug 11250)
  • tshark -z io,stat,1,SUM(ip.len) reports invalid stats, triggers ASAN buffer overrun. (Bug 11262)
  • Port Control Protocol packet dissection decodes R bit incorrectly. (Bug 11278)
  • Vendor-supplied Packages:
  • Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
  • File Locations:
  • Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About→Folders to find the default locations on your system.

New in Wireshark 1.99.6 Development (May 29, 2015)

  • The following features are new (or have been significantly updated):
  • Qt port:
  • Capture restarts are now supported.
  • Menu items for plugins are now supported.
  • Extcap interfaces are now supported.
  • The Expert Information dialog has been added.
  • Display filter completion is now supported.
  • Several interface bugs have been fixed.
  • Translations have been updated.

New in Wireshark 1.12.5 (May 13, 2015)

  • The following vulnerabilities have been fixed:
  • The LBMR dissector could go into an infinite loop. (Bug 11036) CVE-2015-3808 CVE-2015-3809
  • The WebSocket dissector could recurse excessively. (Bug 10989) CVE-2015-3810
  • The WCP dissector could crash while decompressing data. (Bug 10978) CVE-2015-3811
  • The X11 dissector could leak memory. (Bug 11088) CVE-2015-3812
  • The packet reassembly code could leak memory. (Bug 11129) CVE-2015-3813
  • The IEEE 802.11 dissector could go into an infinite loop. (Bug 11110) CVE-2015-3814
  • The Android Logcat file parser could crash. Discovered by Hanno Böck. (Bug 11188) CVE-2015-3815
  • The following bugs have been fixed:
  • Wireshark crashes if "Update list of packets in real time" is disabled and a display filter is applied while capturing. (Bug 6217)
  • EAPOL 4-way handshake information wrong. (Bug 10557)
  • RPC NULL calls incorrectly flagged as malformed. (Bug 10646)
  • Wireshark relative ISN set incorrectly if raw ISN set to 0. (Bug 10713)
  • Buffer overrun in encryption code. (Bug 10849)
  • Crash when use Telephony / Voip calls. (Bug 10885)
  • ICMP Parameter Problem message contains Length of original datagram is treated as the total IPv4 length. (Bug 10991)
  • ICMP Redirect takes 4 bytes for IPv4 payload instead of 8. (Bug 10992)
  • Missing field "tcp.pdu.size" in TCP stack. (Bug 11007)
  • Sierra EM7345 marks MBIM packets as NCM. (Bug 11018)
  • Possible infinite loop DoS in ForCES dissector. (Bug 11037)
  • "Decode As…" crashes when a packet dialog is open. (Bug 11043)
  • Interface Identifier incorrectly represented by Wireshark. (Bug 11053)
  • "Follow UDP Stream" on mpeg packets crashes wireshark v.1.12.4 (works fine on v.1.10.13). (Bug 11055)
  • Annoying popup when trying to capture on bonds. (Bug 11058)
  • Request-response cross-reference in USB URB packets incorrect. (Bug 11072)
  • Right clicking in Expert Infos to create a filter (duplicate IP) results in invalid filters. (Bug 11073)
  • CanOpen dissector fails on frames with RTR and 0 length. (Bug 11083)
  • Typo in secp521r1 curve wrongly identified as sect521r1. (Bug 11106)
  • packet-zbee-zcl.h: IS_ANALOG_SUBTYPE doesn’t filter ENUM. (Bug 11120)
  • Typo: "LTE Positioning Protocol" abbreviated as "LPP", not "LLP". (Bug 11141)
  • Missing Makefile.nmake in ansi1/Kerberos directory. (Bug 11155)
  • Can’t build tshark without the Qt packages installed unless --without-qt is specified. (Bug 11157)
  • Updated Protocol Support:
  • AllJoyn, ASN.1 PER, ATM, CANopen, Diameter, ForCES, GSM RLC/MAC, GSMTAP, ICMP, IEC-60870-5-104, IEEE 802.11, IMF, IP, LBMC, LBMR, LDAP, LPP, MBIM, MEGACO, MP2T, PKCS-1, PPP IPv6CP, RPC, SPNEGO, SRVLOC, SSL, T.38, TCP, USB, WCP, WebSocket, X11, and ZigBee ZCL

New in Wireshark 1.99.5 Development (Mar 20, 2015)

  • The following features are new (or have been significantly updated)
  • Qt port:
  • Several interface bugs have been fixed.
  • Translations have been updated.

New in Wireshark 1.99.3 Development (Mar 6, 2015)

  • The following features are new (or have been significantly updated):
  • Qt port:
  • Several bugs have been fixed.
  • You can now open a packet in a new window.
  • The Bluetooth ATT Server Attributes dialog has been added.
  • The Coloring Rules dialog has been added.
  • Many translations have been updated. Chinese, Italian and Polish translations are complete.
  • General user interface and usability improvements.
  • Automatic scrolling during capture now works.
  • The related packet indicator has been updated.

New in Wireshark 1.12.4 (Mar 5, 2015)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • The ATN-CPDLC dissector could crash. (Bug 9952) CVE-2015-2187
  • The WCP dissector could crash. (Bug 10844) CVE-2015-2188
  • The pcapng file parser could crash. (Bug 10895) CVE-2015-2189
  • The LLDP dissector could crash. (Bug 10983) CVE-2015-2190
  • The TNEF dissector could go into an infinite loop. (Bug 11023) CVE-2015-2191
  • The SCSI OSD dissector could go into an infinite loop. (Bug 11024) CVE-2015-2192
  • The following bugs have been fixed:
  • RTP player crashes on decode of long call: BadAlloc (insufficient resources for operation). (Bug 2630)
  • "Telephony→SCTP→Analyse This Association" crashes Wireshark on manufactured SCTP packet. (Bug 9849)
  • IPv6 Mobility Header Link Layer Address is parsed incorrectly. (Bug 10006)
  • DNS NXT RR is parsed incorrectly. (Bug 10615)
  • IPv6 AUTH mobility option parses Mobility SPI and Authentication Data incorrectly. (Bug 10626)
  • IPv6 Mobility Header Link-Layer Address Mobility Option is parsed incorrectly. (Bug 10627)
  • HTTP chunked response includes data beyond the chunked response. (Bug 10707)
  • DHCP Option 125 Suboption: (1) option-len always expects 1 but specification allows for more. (Bug 10784)
  • Incorrect decoding of IPv4 Interface/Neighbor Address sub-TLVs in Extended IS Reachability TLV of IS-IS. (Bug 10837)
  • Little-endian OS X Bluetooth PacketLogger files aren’t handled. (Bug 10861)
  • X.509 certificate serial number incorrectly interpreted as negative number. (Bug 10862)
  • Malformed Packet on rsync-version with length 2. (Bug 10863)
  • ZigBee epoch time is incorrectly displayed in OTA cluster. (Bug 10872)
  • BGP EVPN - Route Type 4 - "Invalid length of IP Address" - "Expert Info" shows a false error. (Bug 10873)
  • Bad bytes read for extended rnc id value in GTP dissector. (Bug 10877)
  • "ServiceChangeReasonStr" messages are not shown in txt generated by tshark. (Bug 10879)
  • Clang ASAN : AddressSanitizer: global-buffer-overflow ANSI. (Bug 10897)
  • MEGACO wrong decoding on media port. (Bug 10898)
  • Wrong media format. (Bug 10899)
  • BSSGP Status PDU decoding fault (missing Mandatory element (0x04) BVCI for proper packet). (Bug 10903)
  • DNS LOC Precision missing units. (Bug 10940)
  • Packets on OpenBSD loopback decoded as raw not null. (Bug 10956)
  • Display Filter Macro unable to edit. (Bug 10957)
  • IPv6 Local Mobility Anchor Address mobility option code is treated incorrectly. (Bug 10961)
  • SNTP server list improperly formatted in DHCPv6 packet details. (Bug 10964)
  • Juniper Packet Mirror dissector expects ipv6 flow label = 0. (Bug 10976)
  • NS Trace (NetScaler Trace) file format is not able to export specified packets. (Bug 10998)
  • Updated Protocol Support:
  • ACN, ANSI IS-637-A, AppleMIDI, ATN-CPDLC, BGP, BSSGP, CMIP, DHCP, DHCPv6, DIS, DLM3, DMP, DNS, Extreme Networks, ForCES, FTAM, GMHDR, GSM A BSSMAP, GSM A-bis OML, GSM MAP, GSM RLC MAC, GTP, H.248, H.264, HTTP, IEEE 802.11, IPv6, IS-IS, ISMACryp, J1939, Juniper Jmirror, KDP, L2CAP, LDAP, LLDP, MGCP, MIP6, NBNS, NET/ROM, Netflow, Novell PKIS, PANA, PPPoE, RSL, RSYNC, RTMPT, RTP, SCSI OSD, SDP, SMB Pipe, SMPP, SYNCHROPHASOR, TETRA, TiVoConnect, TNEF, USB HID, V.52, VSS-Monitoring, X.509AF, Zebra, and ZigBee
  • New and Updated Capture File Support:
  • NetScaler, PacketLogger, and Pcapng

New in Wireshark 1.99.2 Development (Feb 5, 2015)

  • Qt port:
  • The welcome screen layout has been updated.
  • The Preferences dialog no longer crashes on Windows.
  • The packet list header menu has been added.
  • Statistics tree plugins are now supported.
  • The window icon is now displayed properly in the Windows taskbar.
  • A packet list and byte view selection bug has been fixed.
  • The RTP Streams dialog has been added.
  • The Protocol Hierarchy Statistics dialog has been added.

New in Wireshark 1.99.1 Development (Feb 5, 2015)

  • Qt port:
  • You can now show and hide toolbars and major widgets using the View menu.
  • You can now set the time display format and precision.
  • The byte view widget is much faster, particularly when selecting large reassembled packets.
  • The byte view is explorable. Hovering over it highlights the corresponding field and shows a description in the status bar.
  • An Italian translation has been added.
  • The Summary dialog has been updated and renamed to Capture File Properties.
  • The VoIP Calls and SIP Flows dialogs have been added.

New in Wireshark 1.12.3 (Jan 8, 2015)

  • Bug Fixes:
  • The following vulnerabilities have been fixed.
  • wnpa-sec-2015-01
  • The WCCP dissector could crash. (Bug 10720, Bug 10806) CVE-2015-0559, CVE-2015-0560
  • wnpa-sec-2015-02
  • The LPP dissector could crash. (Bug 10773) CVE-2015-0561
  • wnpa-sec-2015-03
  • The DEC DNA Routing Protocol dissector could crash. (Bug 10724) CVE-2015-0562
  • wnpa-sec-2015-04
  • The SMTP dissector could crash. (Bug 10823) CVE-2015-0563
  • wnpa-sec-2015-05
  • Wireshark could crash while decrypting TLS/SSL sessions. CVE-2015-0564
  • The following bugs have been fixed:
  • WebSocket dissector: empty payload causes DISSECTOR_ASSERT_NOT_REACHED. (Bug 9332)
  • Wireshark crashes if Lua heuristic dissector returns true. (Bug 10233)
  • Display MEP ID in decimal in OAM Y.1731 Synthetic Loss Message and Reply PDU. (Bug 10500)
  • TCP Window Size incorrectly reported in Packet List. (Bug 10514)
  • Status bar "creeps" to the left a few pixels every time Wireshark is opened. (Bug 10518)
  • E-LMI Message type. (Bug 10531)
  • SMTP decoder can dump binary data to terminal in TShark. (Bug 10536)
  • PTPoE dissector gets confused by packets that include an FCS. (Bug 10611)
  • IPv6 Vendor Specific Mobility Option includes the next mobility option type. (Bug 10618)
  • Save PCAP to PCAPng with commentary fails. (Bug 10656)
  • Display filter "frame contains bytes [2342]" causes a crash. (Bug 10690)
  • Multipath TCP: checksum displayed when it’s not there. (Bug 10692)
  • LTE APN-AMBR is decoded incorrectly. (Bug 10699)
  • DNS NAPTR RR Replacement Length is incorrect. (Bug 10700)
  • IPv6 Experimental mobility header data is interpreted as options. (Bug 10703)
  • Dissector bug, protocol SPDY: tvbuff.c:610: failed assertion "tvb && tvb→initialized". (Bug 10704)
  • BGP: Incorrect decoding AS numbers when mixed AS size. (Bug 10742)
  • BGP update community - incorrect decoding. (Bug 10746)
  • Setting a 6LoWPAN context generates a Wireshark crash. (Bug 10747)
  • FC is not dissected (protocol UNKNOWN). (Bug 10751)
  • Crash when displaying several times INFO column. (Bug 10755)
  • Decoding of longitude value in LCSAP (3GPP TS 29.171) is incorrect. (Bug 10767)
  • Crash when enabling FCoIB manual settings without filling address field. (Bug 10796)
  • RSVP RECORD_ROUTE IPv4 Subobject Flags field incorrect decoding. (Bug 10799)
  • Wireshark Lua engine can’t access protocol field type. (Bug 10801)
  • Field Analysis of OpenFlow v1.4 OFPT_SET_ASYNC. (Bug 10808)
  • Lua: getting fieldinfo.value for FT_NONE causes assert. (Bug 10815)
  • Updated Protocol Support:
  • 6LoWPAN, ADwin, AllJoyn, Art-Net, Asterix, BGP, Bitcoin, Bluetooth OBEX, Bluetooth SDP, CFM, CIP, DCERPC PN-IO, DCERPC SPOOLSS, DEC DNA, DECT, DHCPv6, DNS, DTN, E-LMI, ENIP, Ethernet, Extreme, FCoIB, Fibre Channel, GED125, GTP, H.248, H.264, HiSLIP, IDRP, IEEE 802.11, IEEE P1722.1, Infiniband, IrDA, iSCSI, ISUP, LBMR, LCSAP, LPP, MAC LTE, MAUSB, MBIM, MIM, MIP, MIPv6, MP2T, MPEG-1, NAS EPS, NAT-PMP, NCP, NXP PN532, OpcUa, OpenFlow, PTP, RDM, RPKI-RTR, RSVP, RTnet, RTSP, SCTP, SMPP, SMTP, SPDY, Spice, TCP, WCCP, Wi-Fi P2P, and WiMAX

New in Wireshark 1.12.2 (Nov 13, 2014)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2014-20
  • SigComp UDVM buffer overflow.
  • wnpa-sec-2014-21
  • AMQP crash.
  • wnpa-sec-2014-22
  • NCP crashes.
  • wnpa-sec-2014-23
  • TN5250 infinite loops.
  • The following bugs have been fixed:
  • Wireshark determines packets of MMS protocol as packets of T.125 protocol. (Bug 10350)
  • 6LoWPAN Mesh headers not treated as encapsulating address. (Bug 10462)
  • UCP dissector bug of operation 31 - PID 0639 not recognized. (Bug 10463)
  • iSCSI dissector rejects PDUs with "expected data transfer length" > 16M. (Bug 10469)
  • GTPv2: trigging_tree under Trace information has wrong length. (Bug 10470)
  • openflow_v1 OFPT_FEATURES_REPLY parsed incorrectly. (Bug 10493)
  • Capture files from a remote virtual interface on MacOS X 10.9.5 aren’t dissected correctly. (Bug 10502)
  • Problem specifying protocol name for filtering. (Bug 10509)
  • LLDP TIA Network Policy Unknown Policy Flag Decode is not correct. (Bug 10512)
  • Decryption of DCERPC with Kerberos encryption fails. (Bug 10538)
  • Dissection of DECRPC NT sid28 shouldn’t show expert info if tree is null. (Bug 10542)
  • Attempt to render an SMS-DELIVER-REPORT instead of an SMS-DELIVER. (Bug 10547)
  • IPv6 Calipso option length is not used properly. (Bug 10561)
  • The SPDY dissector couldn’t dissect packets correctly. (Bug 10566)
  • IPv6 QuickStart option Nonce is read incorrectly. (Bug 10575)
  • IPv6 Mobility Option IPv6 Address/Prefix marks too many bytes for the address/prefix field. (Bug 10576)
  • IPv6 Mobility Option Binding Authorization Data for FMIPv6 Authenticator field is read beyond the option data. (Bug 10577)
  • IPv6 Mobility Option Mobile Node Link Layer Identifier Link-layer Identifier field is read beyond the option data. (Bug 10578)
  • Wrong offset for hf_mq_id_icf1 in packet-mq.c. (Bug 10597)
  • Malformed PTPoE announce packet. (Bug 10611)
  • IPv6 Permanent Home Keygen Token mobility option includes too many bytes for the token field. (Bug 10619)
  • IPv6 Redirect Mobility Option K and N bits are parsed incorrectly. (Bug 10622)
  • IPv6 Care Of Test mobility option includes too many bytes for the Keygen Token field. (Bug 10624)
  • IPv6 MESG-ID mobility option is parsed incorrectly. (Bug 10625)
  • IPv6 AUTH mobility option parses Mobility SPI and Authentication Data incorrectly. (Bug 10626)
  • IPv6 DNS-UPDATE-TYPE mobility option includes too many bytes for the MD identity field. (Bug 10629)
  • IPv6 Local Mobility Anchor Address mobility option’s code and reserved fields are parsed as 2 bytes instead of 1. (Bug 10630)
  • WCCP v.2.01 extended assignment data element parsed wrong. (Bug 10641)
  • DNS ISDN RR Sub Address field is read one byte early. (Bug 10650)
  • TShark crashes when running with PDML on a specific packet. (Bug 10651)
  • DNS A6 Address Suffix field is parsed incorrectly. (Bug 10652)
  • DNS response time: calculation incorrect. (Bug 10657)
  • SMPP does not display properly the hour field in the Submit_sm Validity Period field. (Bug 10672)
  • DNS Name Length for Zone RR on root is 6 and Label Count is 1. (Bug 10674)
  • DNS WKS RR Protocol field is read as 4 bytes instead of 1. (Bug 10675)
  • IPv6 Mobility Option Context Request reads an extra request. (Bug 10676)
  • Updated Protocol Support:
  • 6LoWPAN, AMQP, ANSI IS-637-A, Bluetooth HCI, CoAP, DCERPC (all), DCERPC NT, DNS, GSM MAP, GTPv2, H.223, HPSW, HTTP2, IEEE 802.11, IPv6, iSCSI, Kerberos, LBT-RM, LLDP, MIH, Mobile IPv6, MQ, NCP, OpcUa, OpenFlow, PKTAP, PTPoE, SigComp, SMB2, SMPP, SPDY, Stanag 4607, T.125, UCP, USB CCID, and WCCP
  • New and Updated Capture File Support:
  • Catapult DCT2000, HP-UX nettl, Ixia IxVeriWave, pcap, pcap-ng, RADCOM, and Sniffer (DOS)

New in Wireshark 1.99.0 Development (Oct 8, 2014)

  • The following features are new (or have been significantly updated):
  • The I/O Graph in the Gtk+ UI now supports an unlimited number of data points (up from 100k).
  • TShark now resets its state when changing files in ring-buffer mode.
  • Expert Info severities can now be configured.
  • Wireshark now supports external capture interfaces.
  • External capture interfaces can be anything from a tcpdump-over-ssh pipe to a program that captures from proprietary or non-standard hardware. This functionality is not available in the Qt UI yet.
  • Qt port:
  • The Qt UI is now the default (program name is wireshark).
  • A Polish translation has been added.
  • The Interfaces dialog has been added.
  • The interface list is now updated when interfaces appear or disappear.
  • The Conversations and Endpoints dialogs have been added.
  • A Japanese translation has been added.
  • It is now possible to manage remote capture interfaces.
  • Windows: taskbar progress support has been added.
  • Most toolbar actions are in place and work.
  • More command line options are now supported
  • New Protocol Support:
  • ceph, corosync/totemnet, corosync/totemsrp, CP "Cooper" 2179, Dynamic Source Routing (RFC 4728), Generic Network Virtualization Encapsulation (Geneve), IPMI Trace, iSER, KNXnetIP, OptoMMP, S7 Communication, and Stateless Transport Tunneling
  • Updated Protocol Support
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support
  • Android logcat text files, and Wireshark now supports nanosecond timestamp resolution in PCAP-NG files.
  • Major API Changes:
  • The libwireshark API has undergone some major changes:
  • Many of the ep_ and se_ memory allocation routines have been removed.
  • The (long-since-broken) Python bindings support has been removed. If you want to write dissectors in something other than C, use Lua.

New in Wireshark 1.12.1 (Sep 17, 2014)

  • BUG FIXES:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2014-13: MEGACO dissector infinite loop. (Bug 10333) CVE-2014-6423
  • wnpa-sec-2014-14: Netflow dissector crash. (Bug 10370) CVE-2014-6424
  • wnpa-sec-2014-15: CUPS dissector crash. (Bug 10353) CVE-2014-6425
  • wnpa-sec-2014-16: HIP dissector infinite loop. CVE-2014-6426
  • wnpa-sec-2014-17: RTSP dissector crash. (Bug 10381) CVE-2014-6427
  • wnpa-sec-2014-18: SES dissector crash. (Bug 10454) CVE-2014-6428
  • wnpa-sec-2014-19: Sniffer file parser crash. (Bug 10461) CVE-2014-6429 CVE-2014-6430 CVE-2014-6431 CVE-2014-6432
  • The following bugs have been fixed:
  • Wireshark can crash during remote capture (rpcap) configuration. (Bug 3554, Bug 6922, Bug 7021)
  • 802.11 capture does not decrypt/decode DHCP response. (Bug 8734)
  • Extra quotes around date fields (FT_ABSOLUTE_TIME) when using -E quote=d or s. (Bug 10213)
  • No progress line in "VOIP RTP Player". (Bug 10307)
  • MIPv6 Service Selection Identifier parse error. (Bug 10323)
  • Probably wrong length check in proto_item_set_end. (Bug 10329)
  • 802.11 BA sequence number decode is broken. (Bug 10334)
  • wmem_alloc_array() "succeeds" (and clobbers memory) when requested to allocate 0xaaaaaaaa items of size 12. (Bug 10343)
  • Different dissection results for same file. (Bug 10348)
  • Mergecap wildcard breaks in version 1.12.0. (Bug 10354)
  • Diameter TCP reassemble. (Bug 10362)
  • TRILL NLPID 0xc0 unknown to Wireshark. (Bug 10382)
  • BTLE advertising header flags (RxAdd/TxAdd) dissected incorrectly. (Bug 10384)
  • Ethernet OAM (CFM) frames including TLV’s are wrongly decoded as malformed. (Bug 10385)
  • BGP4: Wireshark skipped some portion of AS_PATH. (Bug 10399)
  • MAC address name resolution is broken. (Bug 10344)
  • Wrong decoding of RPKI RTR End of Data PDU. (Bug 10411)
  • SSL/TLS dissector incorrectly interprets length for status_request_v2 hello extension. (Bug 10416)
  • Misparsed NTP control assignments with empty values. (Bug 10417)
  • 6LoWPAN multicast address decompression problems. (Bug 10426)
  • Netflow v9 flowset not decoded if options template has zero-length scope section. (Bug 10432)
  • GUI Hangs when Selecting Path to GeoIP Files. (Bug 10434)
  • AX.25 dissector prints unprintable characters. (Bug 10439)
  • 6LoWPAN context handling not working. (Bug 10443)
  • SIP: When export to a CSV, Info is changed to differ. (Bug 10453)
  • Typo in packet-netflow.c. (Bug 10458)
  • Incorrect MPEG-TS decoding (OPCR field). (Bug 10446)
  • UPDATED PROTOCOL SUPPORT:
  • 6LoWPAN, A21, ACR122, Art-Net, AX.25, BGP, BTLE, CAPWAP, DIAMETER, DICOM, DVB-CI, Ethernet OAM, HIP, HiSLIP, HTTP2, IEEE 802.11, MAUSB, MEGACO, MIPv6, MP2T, Netflow, NTP, openSAFETY, OSI, RDM, RPKI RTR, RTSP, SES, SIP, TLS, and Token Ring MAC
  • NEW AND UPDATED CAPTURE FILE SUPPORT:
  • DOS Sniffer and NetScaler

New in Wireshark 1.12.0 (Aug 1, 2014)

  • BUG FIXES:
  • "On-the-wire" packet lengths are limited to 65535 bytes. (Bug 8808, Bug 9390)
  • "Follow TCP Stream" shows only the first HTTP request and response. (Bug 9044)
  • Files with pcap-ng Simple Packet Blocks can’t be read. (Bug 9200)
  • MPLS-over-PPP isn’t recognized. (Bug 9492)
  • NEW AND UPDATED FEATURES:
  • The Windows installer now uninstalls the previous version of Wireshark silently. You can still run the uninstaller manually beforehand if you wish to run it interactively.
  • Expert information is now filterable when the new API is in use.
  • The "Number" column shows related packets and protocol conversation spans (Qt only).
  • When manipulating packets with editcap using the -C and/or -s options, it is now possible to also adjust the original frame length using the -L option.
  • You can now pass the -C option to editcap multiple times, which allows you to chop bytes from the beginning of a packet as well as at the end of a packet in a single step.
  • You can now specify an optional offset to the -C option for editcap, which allows you to start chopping from that offset instead of from the absolute packet beginning or end.
  • "malformed" display filter has been renamed to "_ws.malformed". A handful of other filters have been given the "_ws." prefix to note they are Wireshark application specific filters and not dissector filters.
  • The Kerberos dissector has been replaced with an auto generated one from ASN1 protocol description, changing a lot of filter names.
  • Additionally the Windows installers have an extra component: a preview of the upcoming user interface for Wireshark 2.0.
  • The following features are new (or have been significantly updated) since version 1.11.3:
  • Transport name resolution is now disabled by default.
  • Support has been added for all versions of the DCBx protocol.
  • Cleanup of LLDP code, all dissected fields are now navigable.
  • The following features are new (or have been significantly updated) since version 1.11.2:
  • Qt port:
  • The About dialog has been added
  • The Capture Interfaces dialog has been added.
  • The Decode As dialog has been added. It managed to swallow up the User Specified Decodes dialog as well.
  • The Export PDU dialog has been added.
  • Several SCTP dialogs have been added.
  • The statistics tree (the backend for many Statistics and Telephony menu items) dialog has been added.
  • The I/O Graph dialog has been added.
  • French translation has been updated.
  • The following features are new (or have been significantly updated) since version 1.11.0:
  • Dissector output may be encoded as UTF-8. This includes TShark output.
  • Qt port:
  • The Follow Stream dialog now supports packet and TCP stream selection.
  • A Flow Graph (sequence diagram) dialog has been added.
  • The main window now respects geometry preferences.
  • REMOVED DISSECTORS:
  • The ASN1 plugin has been removed as it’s deemed obsolete.
  • The GNM dissector has been removed as it was never used.
  • The Kerberos hand made dissector has been replaced by one generated from ASN1 code.
  • PLATFORM SUPPORT:
  • Support for Windows XP has been deprecated. We will make an effort to support it for as long as possible but our ability to do so depends on upstream packages and other factors beyond our control.
  • U3 packages are no longer supported or provided.
  • NEW PROTOCOL SUPPORT:
  • 29West, 802.1AE Secure tag, A21, ACR122, ADB Client-Server, AllJoyn, Apple PKTAP, Aruba Instant AP, ASTERIX, ATN, Bencode, Bluetooth 3DS, Bluetooth HSP, Bluetooth Linux Monitor Transport, Bluetooth Low Energy, Bluetooth Low Energy RF Info, CARP, CFDP, Cisco MetaData, DCE/RPC MDSSVC, DeviceNet, ELF file format, Ethernet Local Management Interface (E-LMI), Ethernet Passive Optical Network (EPON), EXPORTED PDU, FINGER, HDMI, High-Speed LAN Instrument Protocol (HiSLIP), HTTP2, IDRP, IEEE 1722a, ILP, iWARP Direct Data Placement and Remote Direct Memory Access Protocol, Kafka, Kyoto Tycoon, Landis & Gyr Telegyr 8979, LBM, LBMC, LBMPDM, LBMPDM-TCP, LBMR, LBT-RM, LBT-RU, LBT-TCP, Lightweight Mesh (v1.1.1), Link16, Linux netlink, Linux netlink netfilter, Linux netlink sock diag, Linux rtnetlink (route netlink), Logcat, MBIM, Media Agnostic USB (MA USB), MiNT, MP4 / ISOBMFF file format, MQ Telemetry Transport Protocol, MS NLB (Rewrite), Novell PKIS certificate extensions, NXP PN532 HCI, Open Sound Control, OpenFlow, Pathport, PDC, Picture Transfer Protocol Over IP, PKTAP, Private Data Channel, QUIC (Quick UDP Internet Connections), SAE J1939, SEL RTAC (Real Time Automation Controller) EIA-232 Serial-Line Dissection, Sippy RTPproxy, SMB-Direct, SPDY, STANAG 4607, STANAG 5066 DTS, STANAG 5066 SIS, Tinkerforge, Ubertooth, UDT, URL Encoded Form Data, USB Communications and CDC Control, USB Device Firmware Upgrade, VP8, WHOIS, Wi-Fi Display, and ZigBee Green Power profile
  • NEW AND UPDATED CAPTURE FILE SUPPORT:
  • Netscaler 2.6, STANAG 4607, and STANAG 5066 Data Transfer Sublayer
  • MAJOR API CHANGES:
  • A more flexible, modular memory manager (wmem) has been added. It was available experimentally in 1.10 but is now mature and has mostly replaced the old emem API (which is deprecated).
  • A new API for expert information has been added, replacing the old one.
  • The tvbuff API has been cleaned up: tvb_length has been renamed to tvb_captured_length for clarity, and tvb_get_string and tvb_get_stringz have been deprecated in favour of tvb_get_string_enc and tvb_get_stringz_enc.
  • dissector_try_heuristic() signature has been changed to return heur_dtbl_entry_t to make it possible to save it and use it in subsequent calls to avoid the overhead of going through the heuristics list.

New in Wireshark 1.12.0 RC 2 (Jun 14, 2014)

  • The following bugs have been fixed:
  • "On-the-wire" packet lengths are limited to 65535 bytes.
  • "Follow TCP Stream" shows only the first HTTP req+res.
  • Files with pcap-ng Simple Packet Blocks can't be read.
  • MPLS-over-PPP isn't recognized. (Bug 9492)
  • The following features are new (or have been significantly updated) since version 1.11.3:
  • Transport name resolution is now disabled by default.
  • Support has been added for all versions of the DCBx protocol.
  • Cleanup of LLDP code, all dissected fields are now navigable.
  • The following features are new (or have been significantly updated) since version 1.11.2:
  • Qt port
  • The About dialog has been added
  • The Capture Interfaces dialog has been added
  • The Decode As dialog has been added. It managed to swallow up the User Specified Decodes dialog as well
  • The Export PDU dialog has been added
  • Several SCTP dialogs have been added
  • The statistics tree (the backend for many Statistics and Telephony menu items) dialog has been added
  • The I/O Graph dialog has been added
  • French translation has been updated
  • The following features are new (or have been significantly updated) since version 1.11.0:
  • Dissector output may be encoded as UTF-8. This includes TShark output.
  • Qt port:
  • The Follow Stream dialog now supports packet and TCP stream selection.
  • A Flow Graph (sequence diagram) dialog has been added.
  • The main window now respects geometry preferences.
  • The following features are new (or have been significantly updated) since version 1.10:
  • Wireshark now uses the Qt application framework. The new UI should provide a significantly better user experience, particularly on Mac OS X and Windows.
  • The Windows installer now uninstalls the previous version of Wireshark silently. You can still run the uninstaller manually beforehand if you wish to run it interactively.
  • Expert information is now filterable when the new API is in use.
  • The "Number" column shows related packets and protocol conversation spans (Qt only).
  • When manipulating packets with editcap using the -C <choplen> and/or -s options, it is now possible to also adjust the original frame length using the -L option.
  • You can now pass the -C option to editcap multiple times, which allows you to chop bytes from the beginning of a packet as well as at the end of a packet in a single step.
  • You can now specify an optional offset to the -C option for editcap, which allows you to start chopping from that offset instead of from the absolute packet beginning or end.
  • "malformed" display filter has been renamed to "_ws.malformed". A handful of other filters have been given the "_ws." prefix to note they are Wireshark application specific filters and not dissector filters.
  • The Kerberos dissector has been replaced with an auto generated one from ASN1 protocol description, changing a lot of filter names.
  • Removed Dissectors:
  • The ASN1 plugin has been removed as it's deemed obsolete.
  • The GNM dissector has been removed as it was never used.
  • The Kerberos hand made dissector has been replaced by one generated from ASN1 code.
  • Platform Support:
  • Support for Windows XP has been deprecated. We will make an effort to support it for as long as possible but our ability to do so depends on upstream packages and other factors beyond our control.
  • U3 packages are no longer supported or provided.
  • New Protocol Support:
  • 29West, 802.1AE Secure tag, A21, ACR122, ADB Client-Server, AllJoyn, Apple PKTAP, Aruba Instant AP, ASTERIX, ATN, Bencode, Bluetooth 3DS, Bluetooth HSP, Bluetooth Linux Monitor Transport, Bluetooth Low Energy, Bluetooth Low Energy RF Info, CARP, CFDP, Cisco MetaData, DCE/RPC MDSSVC, DeviceNet, ELF file format, Ethernet Local Management Interface (E-LMI), Ethernet Passive Optical Network (EPON), EXPORTED PDU, FINGER, HDMI, High-Speed LAN Instrument Protocol (HiSLIP), HTTP2, IDRP, IEEE 1722a, ILP, iWARP Direct Data Placement and Remote Direct Memory Access Protocol, Kafka, Kyoto Tycoon, Landis & Gyr Telegyr 8979, LBM, LBMC, LBMPDM, LBMPDM-TCP, LBMR, LBT-RM, LBT-RU, LBT-TCP, Lightweight Mesh (v1.1.1), Link16, Linux netlink, Linux netlink netfilter, Linux netlink sock diag, Linux rtnetlink (route netlink), Logcat, MBIM, Media Agnostic USB (MA USB), MiNT, MP4 / ISOBMFF file format, MQ Telemetry Transport Protocol, MS NLB (Rewrite), Novell PKIS certificate extensions, NXP PN532 HCI, Open Sound Control, OpenFlow, Pathport, PDC, Picture Transfer Protocol Over IP, PKTAP, Private Data Channel, QUIC (Quick UDP Internet Connections), SAE J1939, SEL RTAC (Real Time Automation Controller) EIA-232 Serial-Line Dissection, Sippy RTPproxy, SMB-Direct, SPDY, STANAG 4607, STANAG 5066 DTS, STANAG 5066 SIS, Tinkerforge, Ubertooth, UDT, URL Encoded Form Data, USB Communications and CDC Control, USB Device Firmware Upgrade, VP8, WHOIS, Wi-Fi Display, and ZigBee Green Power profile
  • New and Updated Capture File Support:
  • Netscaler 2.6, STANAG 4607, and STANAG 5066 Data Transfer Sublayer
  • Major API Changes:
  • The libwireshark API has undergone some major changes: A more flexible, modular memory manager (wmem) has been added. It was available experimentally in 1.10 but is now mature and has mostly replaced the old emem API (which is deprecated).
  • A new API for expert information has been added, replacing the old one.
  • The tvbuff API has been cleaned up: tvb_length has been renamed to tvb_captured_length for clarity, and tvb_get_string and tvb_get_stringz have been deprecated in favour of tvb_get_string_enc and tvb_get_stringz_enc.
  • dissector_try_heuristic() signature has been changed to return heur_dtbl_entry_t to make it possible to save it and use it in subsequent calls to avoid the overhead of going through the heuristics list.

New in Wireshark 1.10.8 (Jun 13, 2014)

  • The following vulnerabilities have been fixed.
  • wnpa-sec-2014-07 - The frame metadissector could crash. (Bug 9999, Bug 10030)
  • The following bugs have been fixed:
  • VoIP flow graph crash upon opening. (Bug 9179)
  • Tshark with "-F pcap" still generates a pcapng file. (Bug 9991)
  • IPv6 Next Header 0x3d recognized as SHIM6. (Bug 9995)
  • Failed to export pdml on large pcap. (Bug 10081)
  • TCAP: set a fence on info column after calling sub dissector (Bug 10091)
  • Dissector bug in JSON protocol. (Bug 10115)
  • GSM RLC MAC: do not skip too many lines of the CSN_DESCR when the field is missing (Bug 10120)
  • Wireshark PEEKREMOTE incorrectly decoding QoS data packets from Cisco Sniffer APs. (Bug 10139)
  • IEEE 802.11: fix dissection of HT Capabilities (Bug 10166)
  • Updated Protocol Support:
  • CIP, EtherNet/IP, GSM RLC MAC, IEEE 802.11, IPv6, and TCAP
  • New and Updated Capture File Support:
  • pcap-ng, and PEEKREMOTE

New in Wireshark 1.10.7 (Apr 23, 2014)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2014-06
  • The RTP dissector could crash. (Bug 9885)
  • Versions affected: 1.10.0 to 1.10.6
  • CVE-2014-2907
  • The following bugs have been fixed:
  • RTP not decoded inside the conversation in v.1.10.1 (Bug 9021)
  • SIP/SDP: disabled second media stream disables all media streams (Bug 9835)
  • Lua: trying to get/access a Preference before it's registered causes a segfault (Bug 9853)
  • Some value_string strings contain newlines. (Bug 9878)
  • Tighten the NO_MORE_DATA_CHECK macros (Bug 9932)
  • Fix crash when calling "MAP Summary" dialog when no file is open (Bug 9934)
  • Fix comparing a sequence number of TCP fragment when its value wraps over uint32_t limit (Bug 9936)
  • Updated Protocol Support:
  • ANSI A, DVB-CI, GSM DTAP, GSM MAP, IEEE 802.11, LCSAP, LTE RRC, MAC LTE, Prism, RTP, SDP, SIP, and TCP

New in Wireshark 1.11.3 Development (Apr 16, 2014)

  • Bug fixes:
  • MPLS-over-PPP isn’t recognized. (Bug 9492)
  • The following features are new (or have been significantly updated) since version 1.11.2:
  • Qt port:
  • The About dialog has been added
  • The Capture Interfaces dialog has been added.
  • The Decode As dialog has been added. It managed to swallow up the User Specified Decodes dialog as well.
  • The Export PDU dialog has been added.
  • Several SCTP dialogs have been added.
  • The statistics tree (the backend for many Statistics and Telephony menu items) dialog has been added.
  • The I/O Graph dialog has been added.
  • French translation has been updated.
  • Removed dissectors:
  • The ASN1 plugin has been removed as it’s deemed obsolete.
  • The GNM dissector has been removed as it was never used.
  • New Protocol Support:
  • 29West, 802.1AE Secure tag, ACR122, ADB Client-Server, AllJoyn, Apple PKTAP, Aruba Instant AP, ASTERIX, ATN, Bencode, Bluetooth 3DS, Bluetooth HSP, Bluetooth Linux Monitor Transport, Bluetooth Low Energy, Bluetooth Low Energy RF Info, CARP, CFDP, Cisco MetaData, DCE/RPC MDSSVC, DeviceNet, ELF file format, EXPORTED PDU, FINGER, HDMI, HTTP2, IDRP, IEEE 1722a, ILP, iWARP Direct Data Placement and Remote Direct Memory Access Protocol, Kafka, Kyoto Tycoon, Landis & Gyr Telegyr 8979, LBM, LBMC, LBMPDM, LBMPDM-TCP, LBMR, LBT-RM, LBT-RU, LBT-TCP, Lightweight Mesh (v1.1.1), Linux netlink, Linux netlink netfilter, Linux netlink sock diag, Linux rtnetlink (route netlink), Logcat, MBIM, MiNT, MP4 / ISOBMFF file format, MQ Telemetry Transport Protocol, Novell PKIS certificate extensions, NXP PN532 HCI, Open Sound Control, OpenFlow, Pathport, PDC, Picture Transfer Protocol Over IP, PKTAP, Private Data Channel, QUIC (Quick UDP Internet Connections), SAE J1939, SEL RTAC (Real Time Automation Controller) EIA-232 Serial-Line Dissection, Sippy RTPproxy, SMB-Direct, STANAG 4607, STANAG 5066 DTS, STANAG 5066 SIS, Tinkerforge, Ubertooth, UDT, URL Encoded Form Data, USB Communications and CDC Control, USB Device Firmware Upgrade, VP8, WHOIS, Wi-Fi Display, and ZigBee Green Power profile
  • New and Updated Capture File Support:
  • Netscaler 2.6, STANAG 4607, and STANAG 5066 Data Transfer Sublayer
  • Major API Changes:
  • The libwireshark API has undergone some major changes
  • A more flexible, modular memory manager (wmem) has been added. It was available experimentally in 1.10 but is now mature and has mostly replaced the old emem API (which is deprecated)
  • A new API for expert information has been added, replacing the old one
  • The tvbuff API has been cleaned up: tvb_length has been renamed to tvb_captured_length for clarity, and tvb_get_string and tvb_get_stringz have been deprecated in favour of tvb_get_string_enc and tvb_get_stringz_enc

New in Wireshark 1.10.6 (Mar 8, 2014)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2014-01
  • The NFS dissector could crash.
  • Versions affected: 1.10.0 to 1.10.5, 1.8.0 to 1.8.12
  • CVE-2014-2281
  • wnpa-sec-2014-02
  • The M3UA dissector could crash.
  • Versions affected: 1.10.0 to 1.10.5
  • CVE-2014-2282
  • wnpa-sec-2014-03
  • The RLC dissector could crash. (Bug 9730)
  • Versions affected: 1.10.0 to 1.10.5, 1.8.0 to 1.8.12
  • CVE-2014-2283
  • wnpa-sec-2014-04
  • The MPEG file parser could overflow a buffer.
  • Versions affected: 1.10.0 to 1.10.5, 1.8.0 to 1.8.12
  • CVE-2014-2299
  • The following bugs have been fixed:
  • Customized OUI is not recognized correctly during dissection. (Bug 9122)
  • Properly decode CAPWAP Data Keep-Alives. (Bug 9165)
  • Build failure with GTK 3.10 - GTK developers have gone insane. (Bug 9340)
  • SIGSEGV/SIGABRT during free of TvbRange using a chained dissector in lua. (Bug 9483)
  • MPLS dissector no longer registers itself in "ppp.protocol" table. (Bug 9492)
  • Tshark doesn’t display the longer data fields (mbtcp). (Bug 9572)
  • DMX-CHAN dissector does not clear strbuf between rows. (Bug 9598)
  • Dissector bug, protocol SDP: proto.c:4214: failed assertion "length >= 0". (Bug 9633)
  • False error: capture file appears to be damaged or corrupt. (Bug 9634)
  • SMPP field source_telematics_id field length different from spec. (Bug 9649)
  • Lua: bitop library is missing in Lua 5.2. (Bug 9720)
  • GTPv1-C / MM Context / Authentication quintuplet / RAND is not correct. (Bug 9722)
  • Lua: ProtoField.new() is buggy. (Bug 9725)
  • Lua: ProtoField.bool() VALUESTRING argument is not optional but was supposed to be. (Bug 9728)
  • Problem with CAPWAP Wireshark Dissector. (Bug 9752)
  • nas-eps dissector: CS Service notification dissection stops after Paging identity IE. (Bug 9789)
  • New and Updated Features:
  • IPv4 checksum verification is now disabled by default.
  • Updated Protocol Support:
  • AppleTalk, CAPWAP, DMX-CHAN, DSI, DVB-CI, ESS, GTPv1, IEEE 802a, M3UA, Modbus/TCP, NAS-EPS, NFS, OpenSafety, SDP, and SMPP
  • New and Updated Capture File Support:
  • libpcap, MPEG, and pcap-ng

New in Wireshark 1.10.5 (Dec 20, 2013)

  • Bug Fixes:
  • The following bugs have been fixed:
  • Wireshark stops showing new packets but dumpcap keeps writing them to the temp file. (Bug 9571)
  • Wireshark 1.10.4 shuts down when promiscuous mode is unchecked. (Bug 9577)
  • Homeplug dissector bug: STATUS_ACCESS_VIOLATION: dissector accessed an invalid memory address. (Bug 9578)
  • New and Updated Features:
  • There are no new features in this release.
  • New Protocol Support:
  • There are no new protocols in this release.
  • Updated Protocol Support:
  • GSM BSSMAP, GSM BSSMAP LE, GSM SMS, Homeplug, NAS-EPS, and SGSAP
  • New and Updated Capture File Support:
  • There is no updated capture file support in this release

New in Wireshark 1.10.4 (Dec 18, 2013)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2013-66:
  • The SIP dissector could go into an infinite loop
  • Versions affected: 1.10.0 to 1.10.3, 1.8.0 to 1.8.11
  • CVE-2013-7112
  • wnpa-sec-2013-67:
  • The BSSGP dissector could crash.
  • Versions affected: 1.10.0 to 1.10.3
  • CVE-2013-7113
  • wnpa-sec-2013-68:
  • The NTLMSSP v2 dissector could crash.
  • Versions affected: 1.10.0 to 1.10.3, 1.8.0 to 1.8.11
  • CVE-2013-7114
  • The following bugs have been fixed:
  • "On-the-wire" packet lengths are limited to 65535 bytes.
  • Tx MCS set is not interpreted properly in WLAN beacon frame.
  • VoIP Graph Analysis window - some calls are black.
  • Wireshark fails to decode single-line, multiple Contact: URIs in SIP responses.
  • epan/follow.c - Incorrect "bytes missing in capture file" in "check_fragments" due to an unsigned int wraparound?.
  • gsm_map doesn’t decode MAPv3 reportSM-DeliveryStatus result
  • Incorrect NFSv4 FATTR4_SECURITY_LABEL value.
  • Timestamp decoded for Gigamon trailer is not padded correctly.
  • SEL Fast Message Bug-fix for Signed 16-bit Integer Fast Meter Messages.
  • DNP3 Bug Fix for Analog Data Sign Bit Handling.
  • GSM SMS User Data header fill bits are wrong when using a 7 bits ASCII / IA5 encoding.
  • WCDMA RLC dissector cannot assemble PDUs with SNs skipped and wrap-arounded.
  • DTLS: fix buffer overflow in mac check.
  • [PATCH] Correct data length in SCSI_DATA_IN packets (within iSCSI).
  • GSM SMS UDH EMS control expects 4 octets instead of 3 with OPTIONAL 4th.
  • Fix "decode as …" for packet-time.c.
  • New and Updated Capture File Support:
  • and Pcap-ng.
  • Updated Protocol Support:
  • ANSI IS-637-A, BSSGP, DNP3, DVB-BAT, DVB-CI, GSM MAP, GSM SMS, IEEE 802.11, iSCSI, NFSv4, NTLMSSP v2, RLC, SEL FM, SIP, and Time

New in Wireshark 1.11.2 Development (Nov 19, 2013)

  • Bug Fixes:
  • The following bugs have been fixed:
  • "On-the-wire" packet lengths are limited to 65535 bytes.
  • "Follow TCP Stream" shows only the first HTTP req+res.
  • Files with pcap-ng Simple Packet Blocks can't be read.
  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 1.11.1:
  • The following features are new (or have been significantly updated) since version 1.11.0:
  • Qt port:
  • The Follow Stream dialog now supports packet and TCP stream selection.
  • A Flow Graph (sequence diagram) dialog has been added.
  • The main window now respects geometry preferences.
  • The following features are new (or have been significantly updated) since version 1.10:
  • Wireshark now uses the Qt application framework. The new UI should provide a significantly better user experience, particularly on Mac OS X and Windows.
  • A more flexible, modular memory manager (wmem) has been added. It was available experimentally in 1.10 but is now mature and has mostly replaced the old API.
  • Expert info is now filterable and now requires a new API.
  • The Windows installer now uninstalls the previous version of Wireshark silently. You can still run the uninstaller manually beforehand if you wish to run it interactively.
  • The "Number" column shows related packets and protocol conversation spans (Qt only).
  • When manipulating packets with editcap using the -C <choplen> and/or -s options, it is now possible to also adjust the original frame length using the -L option.
  • You can now pass the -C option to editcap multiple times, which allows you to chop bytes from the beginning of a packet as well as at the end of a packet in a single step.
  • You can now specify an optional offset to the -C option for editcap, which allows you to start chopping from that offset instead of from the absolute packet beginning or end.
  • "malformed" display filter has been renamed to "_ws.malformed". A handful of other filters have been given the "_ws." prefix to note they are Wireshark application specific filters and not dissector filters.
  • New Protocol Support:
  • 802.1AE Secure tag, ASTERIX, ATN, BT 3DS, CARP, Cisco MetaData, ELF file format, EXPORTED PDU, FINGER, HTTP2, IDRP, ILP, Kafka, Kyoto Tycoon binary protocol, MBIM, MiNT, MP4 / ISOBMFF file format, NXP PN532 HCI, OpenFlow, Picture Transfer Protocol Over IP, QUIC (Quick UDP Internet Connections), SEL RTAC (Real Time Automation Controller) EIA-232 Serial-Line Dissection, Sippy RTPproxy, STANAG 4607, STANAG 5066 SIS, Tinkerforge, UDT, URL Encoded Form Data, WHOIS, and Wi-Fi Display
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support
  • Netscaler 2.6, and STANAG 4607

New in Wireshark 1.10.3 (Nov 1, 2013)

  • The following vulnerabilities have been fixed:
  • The IEEE 802.15.4 dissector could crash. (Bug 9139)
  • The NBAP dissector could crash. Discovered by Laurent Butti. (Bug 9168)
  • The SIP dissector could crash. (Bug 9228)
  • The OpenWire dissector could go into a large loop. Discovered by Murali. (Bug 9248)
  • The TCP dissector could crash. (Bug 9263)
  • The following bugs have been fixed:
  • new_packet_list: EAP-TLS reassemble does not happen when NEW_PACKET_LIST is toggled. (Bug 5349)
  • TLS decryption fails with XMPP start_tls. (Bug 8871)
  • Wrong Interpretation of GTS starting slot. (Bug 8946)
  • "Follow TCP Stream" shows only the first HTTP req+res. (Bug 9044)
  • The value of SEND_TO_UE in the DIAMETER Gx dictionary for Packet-Filter-Usage AVP is 0 instead of 1. (Bug 9126)
  • Crash then try to delete the same entry (length range) twice. (Bug 9129)
  • Crash if wrong "packet lengths range" entered. (Bug 9130)
  • Bssgp ⇒ SGSN-INVOKE-TRACE use the wrong function… (Bug 9157)
  • Minor correction to dissection of DLR frames in Ethernet/IP dissector. (Bug 9186)
  • WebSphere MQ V7 Bug Fix 8322 TSHM_EBCDIC. (Bug 9198)
  • EDNS0 "Higher bits in extended RCODE" incorrectly decoded in packet-dns.c. (Bug 9199)
  • Files with pcap-ng Simple Packet Blocks can’t be read. (Bug 9200)
  • Bug in RTP dissector if RTP extension is present. (Bug 9204)
  • Improve "eHRPD Indicator" NVSE dissection in 3GPP2 A11 Registration Request. (Bug 9206)
  • "make debian-package" fails, missing wsicon32.xpm. (Bug 9209)
  • Fix typo in MODCOD list of DVB-S2 dissector. (Bug 9218)
  • Ring buffer crash when tshark gets too far behind dumpcap. (Bug 9258)
  • PTP Dissector Wrongfully Reports Malformed Packet. (Bug 9262)
  • Wireshark lua dissector unable to load for media_type=application/octet-stream. (Bug 9296)
  • Wireshark crash when dissecting packet with NTLMSSP. (Bug 9299)
  • Padding in uint64 field in DCERPC protocol wrongly reported. (Bug 9300)
  • DCERPC data_blobs are not correctly dissected when NDR64 encoding is used. (Bug 9301)
  • Multiple PDUs in the same DCERPC packet are not correctly decrypted. (Bug 9302)
  • The tshark summary line doesn’t display the frame number or displays it sporadically. (Bug 9317)
  • Bluetooth: SDP improvements and minor fixes. (Bug 9327)
  • Duplicate IRC header field abbreviation breaks filter (example: irc.response.command). (Bug 9360)
  • Updated Protocol Support:
  • 3GPP2 A11, Bluetooth SDP, BSSGP, DCERPC, DCERPC NDR, DCERPC NT, DIAMETER, DNS, DVB-S2, Ethernet, EtherNet/IP, H.225, IEEE 802.15.4, IRC, NBAP, NTLMSSP, OpenWire, PTP, RTP, SIP, TCP, WiMax, and XMPP

New in Wireshark 1.11.0 Development (Oct 16, 2013)

  • Bug Fixes:
  • The following bugs have been fixed:
  • "Follow TCP Stream" shows only the first HTTP req+res.
  • Files with pcap-ng Simple Packet Blocks can't be read.
  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 1.10:
  • Wireshark now uses the Qt application framework. The new UI should provide a significantly better user experience, particularly on Mac OS X and Windows.
  • A more flexible, modular memory manager (wmem) has been added. It was available experimentally in 1.10 but is now mature and has mostly replaced the old API.
  • Expert info is now filterable and now requires a new API.
  • The Windows installer now uninstalls the previous version of Wireshark silently. You can still run the uninstaller manually beforehand if you wish to run it interactively.
  • The "Number" column shows related packets and protocol conversation spans (Qt only).
  • When manipulating packets with editcap using the -C <choplen> and/or -s options, it is now possible to also adjust the original frame length using the -L option.
  • You can now pass the -C option to editcap multiple times, which allows you to chop bytes from the beginning of a packet as well as at the end of a packet in a single step.
  • You can now specify an optional offset to the -C option for editcap, which allows you to start chopping from that offset instead of from the absolute packet beginning or end.
  • "malformed" display filter has been renamed to "_ws.malformed". A handful of other filters have been given the "_ws." prefix to note they are Wireshark application specific filters and not dissector filters.
  • New Protocol Support:
  • ASTERIX, SEL RTAC (Real Time Automation Controller) EIA-232 Serial-Line Dissection, and UDT
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • Netscaler 2.6, and STANAG 4607

New in Wireshark 1.10.2 (Sep 11, 2013)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2013-54:
  • The Bluetooth HCI ACL dissector could crash. Discovered by Laurent Butti. (Bug 8827)
  • Versions affected: 1.10.0 to 1.10.1
  • wnpa-sec-2013-55:
  • The NBAP dissector could crash. Discovered by Laurent Butti. (Bug 9005)
  • Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
  • wnpa-sec-2013-56:
  • The ASSA R3 dissector could go into an infinite loop. Discovered by Ben Schmidt. (Bug 9020)
  • Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
  • wnpa-sec-2013-57:
  • The RTPS dissector could overflow a buffer. Discovered by Ben Schmidt. (Bug 9019)
  • Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
  • wnpa-sec-2013-58:
  • The MQ dissector could crash. (Bug 9079)
  • Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
  • wnpa-sec-2013-59:
  • The LDAP dissector could crash.
  • Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
  • wnpa-sec-2013-60:
  • The Netmon file parser could crash. (Bug 8742)
  • Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
  • The following bugs have been fixed:
  • Lua ByteArray:append() causes wireshark crash. (Bug 4461)
  • Lua script can not get "data-text-lines" protocol data. (Bug 5200)
  • Lua: Trying to use Field.new("tcp.segments") to get reassembled TCP data is failed. (Bug 5201)
  • "Edit Interface Settings": "Capture Filter" combo box is not populated across Wireshark sessions. (Bug 7278)
  • PER normally small non-negative whole number decoding is wrong when >= 64. (Bug 8841)
  • Strange behavior of tree expand/collapse in packet details. (Bug 8908)
  • Incorrect parsing of IPFIX *IpTotalLength elements. (Bug 8918)
  • IO graph/advanced, max/min/summ error on frames with multiple Diameter messages. (Bug 8980)
  • pod2man error on reordercap.pod. (Bug 8982)
  • SGI Nsym disambiguation is unconditionally displayed when dissecting VHT. (Bug 8989)
  • The Wireshark icon doesn’t show up in OS X 10.5. (Bug 8993)
  • Build fails if system Python is version 3+. (Bug 8995)
  • SCSI dissector does not parse PERSISTENT RESERVE commands correctly. (Bug 9012)
  • SDP messages throws an assert. (Bug 9022)
  • Wireshark fails to decode single-line, multiple Contact: URIs in SIP responses. (Bug 9031)
  • PN_MRP LinkUp Message is shown as LinkDown in info. (Bug 9035)
  • Dissector for EtherCAT: ADS highlighting in the Packet Bytes Pane is incorrect. (Bug 9036)
  • 802.11 HT Extended Capabilities B10 decode incorrect. (Bug 9038)
  • Wrong dissection of MSTI Root Identifiers for all MSTIs. (Bug 9088)
  • Weird malformed HTTP error. (Bug 9101)
  • Warning for attempting to install 64-bit Wireshark on a 32-bit machine has an embedded "\n". (Bug 9103)
  • Wireshark crashes when using "Export Specified Packets" > "Displayed". (Bug 9106)
  • Updated Protocol Support:
  • ASN.1 PER, ASSA R3, Bluetooth HCI ACL, EtherCAT AMS, GTPv2, HTTP, IEEE 802.11, IPFIX, ISDN SUP, LDAP, MQ, NBAP, Novell SSS, PROFINET MRP, Radiotap, ROHC, RTPS, SCSI, SIP, and STP
  • New and Updated Capture File Support:
  • Microsoft Network Monitor and pcap-ng.

New in Wireshark 1.10.1 (Jul 27, 2013)

  • Bug Fixes:
  • The DCP ETSI dissector could crash
  • The P1 dissector could crash
  • The Radiotap dissector could crash
  • The DCOM ISystemActivator dissector could crash
  • The Bluetooth SDP dissector could go into a large loop
  • The Bluetooth OBEX dissector could go into an infinite loop
  • The DIS dissector could go into a large loop
  • The DVB-CI dissector could crash
  • The GSM RR dissector (and possibly others) could go into a large loop
  • The GSM A Common dissector could crash
  • The Netmon file parser could crash
  • The ASN.1 PER dissector could crash
  • The PROFINET Real-Time dissector could crash
  • Mark retransmitted SYN and FIN packets as retransmissions.
  • Wireshark hides under Taskbar.
  • IEEE 802.15.4 frame check sequence in "Chipcon mode" not displayed correctly.
  • Mask in Lua ProtoField.uint32() does not work as expected.
  • Crash when applying filter with Voip calls.
  • Delta time regressions to tshark introduced with SVN 45071.
  • Add MAC-DATA support to TETRA dissector and other minor improvements.
  • Crash analyzing VoIP Calls (T38).
  • Wireshark writes empty NRB FQDN which makes trace unloadable.
  • Quick launch icon is absent, so it shows up as a generic icon.
  • Wrong encoding for 2 pod files, UTF-8 characters in another.
  • SCSI (SPC) sense key specific information field must not include SKSV.
  • Wireshark crashes when closing Flow Graph with Graph Analysis opened.
  • Wrong size of LLRP ProtocolID Parameter in Accessspec Parameter.
  • Detection of IPv6 works only on Solaris 8.
  • ip.opt.type triggers for TCP NOP option.
  • DCOM-SYSACT dissector crash.
  • Incorrect decoding of MPLS Echo Request with BGP FEC.
  • Buggy IEC104 dissector caused by commit r48958.
  • ansi_637_tele dissector displays MSB as MBS for Call-Back Number.
  • LISP Map-Notify flags I and R shown incorrectly.
  • ONTAP_V4 fhandle decoding leads to dissector bug.
  • Dropped bytes in imap dissector.
  • Kismet drone/server dissector improvements.
  • TShark iostat_draw sizeof mismatch.
  • SCTP bytes graph crash.
  • Patch to Wireshark/tshark usage info and man pages to document all timestamp (-t) options.
  • Strange behavior of tree expand/collapse in packet details.
  • Graph Filter field limited to 256 characters.
  • Filter doesn’t support cflow ASN larger than 65535.
  • Wireshark crashes when switching from a v1.11.0 profile to a v1.4.6 prof and then to a v1.5.1 prof.
  • SIP stats shows incorrect values for Max/Ave setup times.
  • NFSv4 delegation not reported correctly.
  • Issue with Capture Options Adapter List.
  • RFC 5844 - IPv4 Support for Proxy Mobile IPv6 - Mobility option IPv4 DHCP Support Mode Option malformed packet.
  • RFC 3775 - Mobility Support in IPv6 - Mobility option PadN incorrectly highlights + 2 bytes.
  • All mongodb query show as [Malformed Packet: MONGO].
  • New and Updated Features:
  • There are no new features in this release.
  • New Protocol Support:
  • There are no new protocols in this release.
  • Updated Protocol Support:
  • ANSI IS-637-A, ASN.1, ASN.1 PER, Bluetooth OBEX, Bluetooth SDB, DCERPC NDR, DCOM ISystemActivator, DCP ETSI, Diameter 3GPP, DIS, DVB-CI, Ethernet, GSM Common, GSM SMS, H.235, IEC104, IEEE 802.15.4, IEEE 802a, IMAP, IP, KDSP, LISP, LLRP, MAC-LTE, Mobile IPv6, MONGO, MPLS Echo, Netflow, NFS, NFSv4, P1, PDCP-LTE, PN-IO, PN-RT, PPP, Radiotap, RLC, RLC-LTE, SCSI, SIP, SMTP, SoulSeek, TCP, TETRA, and VNC
  • New and Updated Capture File Support:
  • Microsoft Network Monitor and pcap-ng.

New in Wireshark 1.10.0 (Jun 6, 2013)

  • Bug Fixes:
  • Redirecting the standard output didn’t redirect the output of the -D or -L flags. This fix means that the output of those flags now goes to the standard output, not the standard error, as it did in previous releases. (Bug 8609)
  • The following features are new (or have been significantly updated) since version 1.8:
  • Wireshark on 32- and 64-bit Windows supports automatic updates.
  • The packet bytes view is faster.
  • You can now display a list of resolved host names in "hosts" format within Wireshark.
  • The wireless toolbar has been updated.
  • Wireshark on Linux does a better job of detecting interface addition and removal.
  • It is now possible to compare two fields in a display filter (for example: udp.srcport != udp.dstport). The two fields must be of the same type for this to work.
  • The Windows installers ship with WinPcap 4.1.3, which supports Windows 8.
  • USB type and product name support has been improved.
  • All Bluetooth profiles and protocols are now supported.
  • Wireshark now calculates HTTP response times and presents the result in a new field in the HTTP response. Links from the request’s frame to the response’s frame and vice-versa are also added.
  • The main welcome screen and status bar now display file sizes using strict SI prefixes instead of old-style binary prefixes.
  • Capinfos now prints human-readable statistics with SI suffixes by default.
  • It is now possible to open a referenced packet (such as the matched request or response packet) in a new window.
  • Tshark can now display only the hex/ascii packet data without requiring that the packet summary and/or packet details are also displayed. If you want the old behavior, use -Px instead of just -x.
  • Wireshark can be compiled using GTK+ 3.
  • The Wireshark application icon, capture toolbar icons, and other icons have been updated.
  • Tshark’s filtering and multi-pass analysis have been reworked for consistency and in order to support dependent frame calculations during reassembly. See the man page descriptions for -2, -R, and -Y.
  • Tshark’s -G fields2 and -G fields3 options have been eliminated. The -G fields option now includes the 2 extra fields that -G fields3 previously provided, and the blurb information has been relegated to the last column since in many cases it is blank anyway.
  • Wireshark dropped the left-handed settings from the preferences. This is still configurable via the GTK settings (add "gtk-scrolled-window-placement = top-right" in the config file, which might be called ~/.gtkrc-2.0 or ~/.config/gtk-3.0/settings.ini).
  • Wireshark now ships with two global configuration files: Bluetooth, which contains coloring rules for Bluetooth and Classic, which contains the old-style coloring rules.
  • The LOAD() metric in the IO-graph now shows the load in IO units instead of thousands of IO units.
  • New Protocol Support:
  • Amateur Radio AX.25, Amateur Radio BPQ, Amateur Radio NET/ROM, America Online (AOL), AR Drone, Automatic Position Reporting System (APRS), AX.25 KISS, AX.25 no Layer 3, Bitcoin Protocol, Bluetooth Attribute Protocol, Bluetooth AVCTP Protocol, Bluetooth AVDTP Protocol, Bluetooth AVRCP Profile, Bluetooth BNEP Protocol, Bluetooth HCI USB Transport, Bluetooth HCRP Profile, Bluetooth HID Profile, Bluetooth MCAP Protocol, Bluetooth SAP Profile, Bluetooth SBC Codec, Bluetooth Security Manager Protocol, Cisco GED-125 Protocol, Clique Reliable Multicast Protocol (CliqueRM), D-Bus, Digital Transmission Content Protection over IP, DVB-S2 Baseband, FlexNet, Forwarding and Control Element Separation Protocol (ForCES), Foundry Discovery Protocol (FDP), Gearman Protocol, GEO-Mobile Radio (1) RACH, HoneyPot Feeds Protocol (HPFEEDS), LTE Positioning Protocol Extensions (LLPe), Media Resource Control Protocol Version 2 (MRCPv2), Media-Independent Handover (MIH), MIDI System Exclusive (SYSEX), Mojito DHT, MPLS-TP Fault-Management, MPLS-TP Lock-Instruct, NASDAQ’s OUCH 4.x, NASDAQ’s SoupBinTCP, OpenVPN Protocol, Pseudo-Wire OAM, RPKI-Router Protocol, SEL Fast Message, Simple Packet Relay Transport (SPRT), Skype, Smart Message Language (SML), SPNEGO Extended Negotiation Security Mechanism (NEGOEX), UHD/USRP, USB Audio, USB Video, v.150.1 State Signaling Event (SSE), VITA 49 Radio Transport, VNTAG, WebRTC Datachannel Protocol (RTCDC), and WiMAX OFDMA PHY SAP
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • AIX iptrace, CAM Inspector, Catapult DCT2000, Citrix NetScaler, DBS Etherwatch (VMS), Endace ERF, HP-UX nettl, IBM iSeries, Ixia IxVeriWave, NA Sniffer (DOS), Netscreen, Network Instruments Observer, pcap, pcap-ng, Symbian OS btsnoop, TamoSoft CommView, and Tektronix K12xx

New in Wireshark 1.10.0 RC 2 (May 23, 2013)

  • The following bugs have been fixed:
  • Redirecting the standard output didn't redirect the output of the -D or -L flags. This fix means that the output of those flags now goes to the standard output, not the standard error, as it did in previous releases. (Bug 8609)
  • New:
  • Wireshark dropped the left-handed settings from the preferences. This is still configurable via the GTK settings (add "gtk-scrolled-window-placement = top-right" in the config file, which might be called ~/.gtkrc-2.0 or ~/.config/gtk-3.0/settings.ini).
  • Wireshark now ships with two global configuration files: Bluetooth, which contains coloring rules for Bluetooth and Classic, which contains the old-style coloring rules.

New in Wireshark 1.8.7 (May 18, 2013)

  • Bug Fixes:
  • wnpa-sec-2013-23
  • The RELOAD dissector could go into an infinite loop. Discovered by Evan Jensen. (Bug 8364, Bug 8546)
  • Versions affected: 1.8.0 to 1.8.6.
  • CVE-2013-2486
  • CVE-2013-2487
  • wnpa-sec-2013-24
  • The GTPv2 dissector could crash. (Bug 8493)
  • Versions affected: 1.8.0 to 1.8.6.
  • wnpa-sec-2013-25
  • The ASN.1 BER dissector could crash. (Bug 8599)
  • Versions affected: 1.8.0 to 1.8.6, 1.6.0 to 1.6.14.
  • wnpa-sec-2013-26
  • The PPP CCP dissector could crash. (Bug 8638)
  • Versions affected: 1.8.0 to 1.8.6.
  • wnpa-sec-2013-27
  • The DCP ETSI dissector could crash. Discovered by Evan Jensen. (Bug 8231, bug 8540, bug 8541)
  • Versions affected: 1.8.0 to 1.8.6.
  • wnpa-sec-2013-28
  • The MPEG DSM-CC dissector could crash. (Bug 8481)
  • Versions affected: 1.8.0 to 1.8.6.
  • wnpa-sec-2013-29
  • The Websocket dissector could crash. Discovered by Moshe Kaplan. (Bug 8448, Bug 8499)
  • Versions affected: 1.8.0 to 1.8.6.
  • wnpa-sec-2013-30
  • The MySQL dissector could go into an infinite loop.
  • Versions affected: 1.8.0 to 1.8.6.
  • wnpa-sec-2013-31
  • The ETCH dissector could go into a large loop.
  • Versions affected: 1.8.0 to 1.8.6.
  • The following bugs have been fixed:
  • The Windows installer and uninstaller do a better job of detecting running executables.
  • Library mismatch when compiling on a system with an older Wireshark version. (Bug 6011)
  • SNMP dissector bug: STATUS_INTEGER_DIVIDE_BY_ZERO. (Bug 7359)
  • A console window is never opened. (Bug 7755)
  • GSM_MAP show malformed Packets when two IMSI. (Bug 7882)
  • Fix include and libs search path when cross compiling. (Bug 7926)
  • PER dissector crash. (Bug 8197)
  • pcap-ng: name resolution block is not written to file on save. (Bug 8317)
  • Incorrect RTP statistics (Lost Packets indication not ok). (Bug 8321)
  • Decoding of GSM MAP E164 Digits. (Bug 8450)
  • Silent installer and uninstaller not silent. (Bug 8451)
  • Replace use of INCLUDES with AM_CPPFLAGS in all Makefiles to placate recent autotools. (Bug 8452)
  • Wifi details are not stored in the Decryption Key Management dialog (post 1.8.x). (Bug 8446)
  • IO Graph should not be limited to 100k points (NUM_IO_ITEMS). (Bug 8460)
  • geographical_description: hf_gsm_a_geo_loc_deg_of_long 24 bit field truncated to 23 bits. (Bug 8532)
  • IRC message with multiple params causes malformed packet exception. (Bug 8548)
  • Part of Ping Reply Message in ICMPv6 Reply Message is marked as "Malformed Packet". (Bug 8554)
  • MP2T wiretap heuristic overriding ERF. (Bug 8556)
  • Cannot read content of Ran Information Application Error Rim Container. (Bug 8559)
  • Endian error and IP:Port error when decoding BT-DHT response message. (Bug 8572)
  • "ACE4_ADD_FILE/ACE4_ADD_SUBDIRECTORY" should be "ACE4_APPEND_DATA / ACE4_ADD_SUBDIRECTORY". (Bug 8575)
  • wireshark crashes while displaying I/O Graph. (Bug 8583)
  • GTPv2 MM Context (UMTS Key, Quad, and Quint Decoded) incorrectly. (Bug 8596)
  • DTLS 1.2 uses wrong PRF. (Bug 8608)
  • RTP DTMF digits are no longer displayed in VoIP graph analysis. (Bug 8610)
  • Universal port not accepted in RSA Keys List window. (Bug 8618)
  • Wireshark Dissector bug with HSRP Version 2. (Bug 8622)
  • LISP control packet incorrectly identified as LISP data based when UDP source port is 4341. (Bug 8627)
  • Bad tcp checksum not detected. (Bug 8629)
  • AMR Frame Type uses wrong Value String. (Bug 8681)
  • Updated Protocol Support:
  • AMR, ASN.1 BER, BAT, Bluetooth DHT, BSSGP, DTLS, E.164, Ericsson A-bis OML, GSM A, GSM MAP, HDFSDATA, ICMP, ICMPv6, ixveriwave, IRC, KDSP, LISP Data, MMS, NFS, OpenWire, PPP, RELOAD, RTP, SASP, SIP, SSL/TLS, TCP, UA3G
  • New and Updated Capture File Support:
  • Endace ERF, NetScreen snoop.

New in Wireshark 1.10.0 RC 1 (Apr 27, 2013)

  • The following features are new (or have been significantly updated) since version 1.8:
  • All Bluetooth profiles and protocols are now supported.
  • Tshark can now display only the hex/ascii packet data without requiring that the packet summary and/or packet details are also displayed. If you want the old behavior, use -Px instead of just -x.
  • Wireshark can be compiled using GTK+ 3.
  • The Wireshark application icon, capture toolbar icons, and other icons have been updated.
  • Tshark's filtering and multi-pass analysis have been reworked for consistency and in order to support dependent frame calculations during reassembly. See the man page descriptions for -2, -R, and -Y.
  • Tshark's -G fields2 and -G fields3 options have been eliminated. The -G fields option now includes the 2 extra fields that -G fields3 previously provided, and the blurb information has been relegated to the last column since in many cases it is blank anyway.

New in Wireshark 1.9.2 Development (Mar 29, 2013)

  • The following features are new (or have been significantly updated) since version 1.8:
  • Wireshark on 32- and 64-bit Windows supports automatic updates.
  • The packet bytes view is faster.
  • You can now display a list of resolved host names in "hosts" format within Wireshark.
  • The wireless toolbar has been updated.
  • Wireshark on Linux does a better job of detecting interface addition and removal.
  • It is now possible to compare two fields in a display filter (for example: udp.srcport != udp.dstport). The two fields must be of the same type for this to work.
  • The Windows installers ship with WinPcap 4.1.3, which supports Windows 8.
  • USB type and product name support has been improved.
  • Wireshark now calculates HTTP response times and presents the result in a new field in the HTTP response. Links from the request's frame to the response's frame and vice-versa are also added.
  • The main welcome screen and status bar now display file sizes using strict SI prefixes instead of old-style binary prefixes.
  • Capinfos now prints human-readable statistics with SI suffixes by default.
  • It is now possible to open a referenced packet (such as the matched request or response packet) in a new window.
  • It is now possible for tshark to display only the hex/ascii packet data without also requiring that the packet summary and/or packet details are also displayed. If you want the old behavior, use -Px instead of just -x.
  • The Wireshark application icon, capture toolbar icons, and other icons have been updated.
  • New Protocol Support:
  • Amateur Radio AX.25, Amateur Radio BPQ, Amateur Radio NET/ROM, America Online (AOL), AR Drone, Automatic Position Reporting System (APRS), AX.25 KISS, AX.25 no Layer 3, Bitcoin Protocol, Bluetooth Attribute Protocol, Bluetooth AVCTP Protocol, Bluetooth AVDTP Protocol, Bluetooth AVRCP Profile, Bluetooth BNEP Protocol, Bluetooth HCI USB Transport, Bluetooth HCRP Profile, Bluetooth HID Profile, Bluetooth MCAP Protocol, Bluetooth SAP Profile, Bluetooth SBC Codec, Bluetooth Security Manager Protocol, Cisco GED-125 Protocol, Clique Reliable Multicast Protocol (CliqueRM), D-Bus, Digital Transmission Content Protection over IP, DVB-S2 Baseband, FlexNet, Forwarding and Control Element Separation Protocol (ForCES), Foundry Discovery Protocol (FDP), Gearman Protocol, GEO-Mobile Radio (1) RACH, HoneyPot Feeds Protocol (HPFEEDS), LTE Positioning Protocol Extensions (LLPe), Media Resource Control Protocol Version 2 (MRCPv2), Media-Independent Handover (MIH), MIDI System Exclusive (SYSEX), Mojito DHT, MPLS-TP Fault-Management, MPLS-TP Lock-Instruct, NASDAQ's OUCH 4.x, NASDAQ's SoupBinTCP, OpenVPN Protocol, Pseudo-Wire OAM, RPKI-Router Protocol, SEL Fast Message, Simple Packet Relay Transport (SPRT), Skype, Smart Message Language (SML), SPNEGO Extended Negotiation Security Mechanism (NEGOEX), UHD/USRP, USB Audio, USB Video, v.150.1 State Signaling Event (SSE), VITA 49 Radio Transport, VNTAG, WebRTC Datachannel Protocol (RTCDC), and WiMAX OFDMA PHY SAP
  • New and Updated Capture File Support:
  • AIX iptrace, Catapult DCT2000, Citrix NetScaler, DBS Etherwatch (VMS), Endace ERF, HP-UX nettl, IBM iSeries, Ixia IxVeriWave, NA Sniffer (DOS), Netscreen, Network Instruments Observer, pcap, pcap-ng, Symbian OS btsnoop, TamoSoft CommView, and Tektronix K12xx

New in Wireshark 1.8.6 (Mar 7, 2013)

  • Bug Fixes:
  • wnpa-sec-2013-10
  • The TCP dissector could crash. (Bug 8274)
  • Versions affected: 1.8.0 to 1.8.5.
  • CVE-2013-2475
  • wnpa-sec-2013-11
  • The HART/IP dissector could go into an infinite loop. (Bug 8360)
  • Versions affected: 1.8.0 to 1.8.5.
  • CVE-2013-2476
  • wnpa-sec-2013-12
  • The CSN.1 dissector could crash.
  • Versions affected: 1.8.0 to 1.8.5.
  • CVE-2013-2477
  • wnpa-sec-2013-13
  • The MS-MMS dissector could crash.
  • Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
  • CVE-2013-2478
  • wnpa-sec-2013-14
  • The MPLS Echo dissector could go into an infinite loop.
  • Versions affected: 1.8.0 to 1.8.5.
  • CVE-2013-2479
  • wnpa-sec-2013-15
  • The RTPS and RTPS2 dissectors could crash. (Bug 8332)
  • Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
  • CVE-2013-2480
  • wnpa-sec-2013-16
  • The Mount dissector could crash. (Bug 8335)
  • Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
  • CVE-2013-2481
  • wnpa-sec-2013-17
  • The AMQP dissector could go into an infinite loop. (Bug 8337)
  • Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
  • CVE-2013-2482
  • wnpa-sec-2013-18
  • The ACN dissector could attempt to divide by zero. (Bug 8340)
  • Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
  • CVE-2013-2483
  • wnpa-sec-2013-19
  • The CIMD dissector could crash. (Bug 8346)
  • Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
  • CVE-2013-2484
  • wnpa-sec-2013-20
  • The FCSP dissector could go into an infinite loop. (Bug 8359)
  • Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
  • CVE-2013-2485
  • wnpa-sec-2013-21
  • The RELOAD dissector could go into an infinite loop. (Bug 8364)
  • Versions affected: 1.8.0 to 1.8.5.
  • CVE-2013-2486
  • CVE-2013-2487
  • wnpa-sec-2013-22
  • The DTLS dissector could crash. (Bug 8380)
  • Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
  • CVE-2013-2488
  • The following bugs have been fixed:
  • Lua pinfo.cols.protocol not holding value in postdissector. (Bug 6020)
  • data combined via ssl_desegment_app_data not visible via "Follow SSL Stream" only decrypted ssl data tabs. (Bug 6434)
  • HTTP application/json-rpc should be decoded/shown as application/json. (Bug 7939)
  • Maximum value of 802.11-2012 Duration field should be 32767. (Bug 8056)
  • Voice RTP player crash if player is closed while playing. (Bug 8065)
  • Display Filter Macros crash. (Bug 8073)
  • RRC RadioBearerSetup message decoding issue. (Bug 8290)
  • R-click filters add ! in front of field when choosing "apply as filter>selected". (Bug 8297)
  • BACnet - Loop Object - Setpoint-Reference property does not decode correctly. (Bug 8306)
  • WMM TSPEC Element Parsing is not done is wrong due to a wrong switch case number. (Bug 8320)
  • Incorrect RTP statistics (Lost Packets indication not ok). (Bug 8321)
  • Registering ieee802154 dissector for IEEE802.15.4 frames inside Linux SLL frames. (Bug 8325)
  • Version Field is skipped while parsing WMM_TSPEC causing wrong dissecting (1 byte offset missing) of all fields in the TSPEC. (Bug 8330)
  • [BACnet] UCS-2 strings longer than 127 characters do not decode correctly. (Bug 8331)
  • Malformed IEEE80211 frame triggers DISSECTOR_ASSERT. (Bug 8345)
  • Decoding of GSM MAP SMS Diagnostics. (Bug 8378)
  • Incorrect packet length displayed for Flight Message Transfer Protocol (FMTP). (Bug 8407)
  • Netflow dissector flowDurationMicroseconds nanosecond conversion wrong. (Bug 8410)
  • BE (3) AC is wrongly named as "Video" in (qos_acs). (Bug 8432)
  • Updated Protocol Support:
  • ACN, AMQP, ASN.1 PER, BACnet, CIMD, CSN.1, DOCSIS TLVs, DTLS, FCSP, FMP/NOTIFY, FMTP, GSM MAP SMS, HART/IP, IEEE 802.11, IEEE 802.15.4, JSON, Linux SLL, LTE RRC, Mount, MPLS Echo, Netflow, RELOAD, RSL, RTP, RTPS, RTPS2, SABP, SIP, SSL, TCP

New in Wireshark 1.9.0 Development (Feb 21, 2013)

  • Wireshark on 32- and 64-bit Windows supports automatic updates.
  • The main welcome screen and status bar now display file sizes using strict SI prefixes instead of old-style binary prefixes.
  • It is now possible to compare two fields in a display filter (for example: udp.srcport != udp.dstport). The two fields must be of the same type for this to work.

New in Wireshark 1.8.5 (Jan 30, 2013)

  • Bug Fixes:
  • wnpa-sec-2013-01
  • Infinite and large loops in the Bluetooth HCI, CSN.1, DCP-ETSI, DOCSIS CM-STATUS, IEEE 802.3 Slow Protocols, MPLS, R3, RTPS, SDP, and SIP dissectors. Reported by Laurent Butti. (Bugs 8036, 8037, 8038, 8040, 8041, 8042, 8043, 8198, 8199, 8222)
  • Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
  • wnpa-sec-2013-02
  • The CLNP dissector could crash. Discovered independently by Laurent Butti and the Wireshark development team. (Bug 7871)
  • Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
  • wnpa-sec-2013-03
  • The DTN dissector could crash. (Bug 7945)
  • Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
  • wnpa-sec-2013-04
  • The MS-MMC dissector (and possibly others) could crash. (Bug 8112)
  • Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
  • wnpa-sec-2013-05
  • The DTLS dissector could crash. Discovered by Laurent Butti. (Bug 8111)
  • Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
  • wnpa-sec-2013-06
  • The ROHC dissector could crash. (Bug 7679)
  • Versions affected: 1.8.0 to 1.8.4.
  • wnpa-sec-2013-07
  • The DCP-ETSI dissector could corrupt memory. Discovered by Laurent Butti. (Bug 8213)
  • Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
  • wnpa-sec-2013-08
  • The Wireshark dissection engine could crash. Discovered by Laurent Butti. (Bug 8197)
  • Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
  • wnpa-sec-2013-09
  • The NTLMSSP dissector could overflow a buffer. Discovered by Ulf Härnhammar.
  • Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
  • The following bugs have been fixed:
  • SNMPv3 Engine ID registration. (Bug 2426)
  • Wrong decoding of gtp.target identification. (Bug 3974)
  • Reassemble.c leaks memory for GLIB > 2.8. (Bug 4141)
  • Wireshark crashes when starting due to out-of-date plugin left behind from earlier installation. (Bug 7401)
  • Failed to dissect TLS handshake packets. (Bug 7435)
  • ISUP dissector problem with empty Generic Number. (Bug 7632)
  • Illegal character is used in temporary capture file name. (Bug 7877)
  • Lua code crashes wireshark after update to 1.8.3. (Bug 7976)
  • Timestamp info is not saved correctly when writing DOS Sniffer files. (Bug 7998)
  • 1.8.3 Wireshark User's Guide version is 1.6. (Bug 8009)
  • Core dumped when the file is closed. (Bug 8022)
  • LPP is misspelled in APDU parameter in e-CIDMeasurementInitiation request for LPPA message. (Bug 8023)
  • Wrong packet bytes are selected for ISUP CUG binary code. (Bug 8035)
  • Decodes FCoE Group Multicast MAC address as Broadcom MAC address. (Bug 8046)
  • The SSL dissector stops decrypting the SSL conversation with Malformed Packet:SSL error messages. (Bug 8075)
  • Unable to Save/Apply [Unistim Port] in Preferences. (Bug 8078)
  • Some Information Elements in GTPv2 are not dissected correctly. (Bug 8079)
  • Wrong bytes highlighted with "Find Packet...". (Bug 8085)
  • 3GPP ULI AVP. SAI is not correctly decoded. (Bug 8098)
  • Wireshark does not show "Start and End Time" information for Cisco Netflow/IPFIX with type 154 to 157. (Bug 8105)
  • GPRS Tunnel Protocol GTP Version 1 does not decode DAF flag in Common Flags IE. (Bug 8193)
  • Wrong parsing of ULI of gtpv2 messages - errors in SAC, RAC & ECI. (Bug 8208)
  • Version Number in EtherIP dissector. (Bug 8211)
  • Warn Dissector bug, protocol JXTA. (Bug 8212)
  • Electromagnetic Emission Parser parses field Event Id as Entity Id. (Bug 8227)
  • Updated Protocol Support:
  • ANSI IS-637-A, ASN.1 PER, AX.25, Bluetooth HCI, CLNP, CSN.1, DCP-ETSI, DIAMETER, DIS PDU, DOCSIS CM-STATUS, DTLS, DTN, EtherIP, Fibre Channel, GPRS, GTP, GTPv2, HomePlug AV, IEEE 802.3 Slow, IEEE 802.15.4, ISUP, JXTA, LAPD, LPPa, MPLS, MS-MMC, NAS-EPS, NTLMSSP, ROHC, RSL, RTPS, SDP, SIP, SNMP, SSL
  • New and Updated Capture File Support:
  • DOS Sniffer

New in Wireshark 1.8.4 (Nov 29, 2012)

  • Bug Fixes:
  • Wireshark could leak potentially sensitive host name resolution information when working with multiple pcap-ng files.
  • Versions affected: 1.8.0 to 1.8.3.
  • The USB dissector could go into an infinite loop. (Bug 7787)
  • Versions affected: 1.8.0 to 1.8.3, 1.6.0 to 1.6.11.
  • The sFlow dissector could go into an infinite loop. (Bug 7789)
  • Versions affected: 1.8.0 to 1.8.3.
  • The SCTP dissector could go into an infinite loop. (Bug 7802)
  • Versions affected: 1.8.0 to 1.8.3.
  • The EIGRP dissector could go into an infinite loop. (Bug 7800)
  • Versions affected: 1.8.0 to 1.8.3.
  • The ISAKMP dissector could crash. (Bug 7855)
  • Versions affected: 1.8.0 to 1.8.3, 1.6.0 to 1.6.11.
  • The iSCSI dissector could go into an infinite loop. (Bug 7858)
  • Versions affected: 1.8.0 to 1.8.3, 1.6.0 to 1.6.11.
  • The WTP dissector could go into an infinite loop. (Bug 7869)
  • Versions affected: 1.8.0 to 1.8.3, 1.6.0 to 1.6.11.
  • The RTCP dissector could go into an infinite loop. (Bug 7879)
  • Versions affected: 1.8.0 to 1.8.3, 1.6.0 to 1.6.11.
  • The 3GPP2 A11 dissector could go into an infinite loop. (Bug 7801)
  • Versions affected: 1.8.0 to 1.8.3.
  • The ICMPv6 dissector could go into an infinite loop. (Bug 7844)
  • Versions affected: 1.8.0 to 1.8.3, 1.6.0 to 1.6.11.
  • Menu and Title bars inaccessible using GTK2 (non-legacy) with two monitors. (Bug 553)
  • 802.11 Probe Response fails to parse. (Bug 1284)
  • Tshark - decimal symbol. (Bug 2880)
  • Malformed tpncp.dat file can crash Wireshark. (Bug 6665)
  • SSL decryption not work even with example capture file and key. (Bug 6869)
  • Info line is incorrect on SIP message containing another SIP message in body. (Bug 7780)
  • OOPS: dissector table "sctp.ppi" doesn't exist Protocol being registered is "Datagram Transport Layer Security". (Bug 7784)
  • Dissection of IEEE 802.11 Channel Switch Announcement element fails. (Bug 7797)
  • Invalid memory accesses when loading RADIUS captures. (Bug 7803)
  • ISUP CIC should have format BASE_DEC, not BASE_HEX. (Bug 7848)
  • We don't handle pcap-ng files with IDBs that come after packet blocks. (Bug 7851)
  • '*' wildcard in the 'Src IP' or 'Dest IP' field of the ESP SA dialog does not work. (Bug 7866)
  • nas_eps dissector does not decode some esm message. (Bug 7912)
  • WLAN decryption status not updated after updating WEP/WPA keys. (Bug 7921)
  • IPv6 Option Pad1 Incorrect dissection. (Bug 7938)
  • Print GNUTLS error message if PEM import fails. (Bug 7948)
  • GSM classmark3 8-PSK decode error. (Bug 7964)
  • Parsing the Server Name Indication extension in SSL/TLS traffic reads some fields incorrectly. (Bug 7967)
  • Lua code crashes wireshark after update to 1.8.3. (Bug 7976)
  • 2 bugs in Ran-Information-Error Rim Container. (Bug 8000)
  • Misspelling (typo) in IPv6 display filter field name. (Bug 8006)
  • Two BSSGP dissector bugs. (Bug 8008)
  • Core dump during SCTP association analysis. (Bug 8011)
  • Updated Protocol Support:
  • 3GPP2 A11, BSSGP, EIGRP, FMP/NOTIFY, GSM A, ICMP, ICMPv6, IEEE 802.11, IPsec, IPv6, ISAKMP, iSCSI, LTE RRC, NAS EPS, NDPS, Prism, RADIUS, RRC, RTCP, SCTP, sFlow, SIP, SMB2, SSL/TLS, TPNCP, USB
  • New and Updated Capture File Support:
  • CommView NCF, iSeries, pcap-ng.

New in Wireshark 1.8.3 (Oct 3, 2012)

  • Bug Fixes:
  • The HSRP dissector could go into an infinite loop. (Bug 7581)
  • Versions affected: 1.8.0 to 1.8.2.
  • The PPP dissector could abort. (Bug 7316, bug 7668)
  • Versions affected: 1.8.0 to 1.8.2.
  • An infinite loop in the DRDA dissector. (Bug 7666)
  • Versions affected: 1.6.0 to 1.6.10, 1.8.0 to 1.8.2.
  • A buffer overflow in the LDP dissector. (Bug 7567)
  • Versions affected: 1.8.0 to 1.8.2.
  • The following bugs have been fixed:
  • The HTTP dissector does not reassemble headers when the first TCP segment does not contain a full header line.
  • HDCP2 uses the wrong protocol id.
  • Several I/O graph problems have been fixed.
  • No markers show up when maps are displayed. (Bug 5016)
  • Assertion when using tshark/wireshark on large captures. (Bug 5699)
  • Volume label field of "SMB/TRANS2-QUERY_FS_INFO/InfoVolume level" reply packet is not displayed correctly due to alignment issue. (Bug 5778)
  • 64-bit Wireshark appears to hit 2-Gbyte memory limit on 64-bit Windows. (Bug 5979)
  • Truncated/partial JPEG files are not dissected. (Bug 6230)
  • Support for MPLS Packet Loss and Delay Measurement, RFC 6374. (Bug 6881)
  • Memory leak in voip_calls.c. (Bug 7320)
  • When listing protocols available for "Decode As", plugins are sorted after built-ins. (Bug 7348)
  • Hidden columns should not be printed when printing packet summary line. (Bug 7356)
  • Size wrong in "File Set List" for just-finished captures. (Bug 7370)
  • Error: no dependency information found for debian/wireshark-common/usr/lib/wireshark/libwsutil.so.2 (used by debian/wireshark/usr/bin/wireshark). (Bug 7408)
  • Parse and properly display LTE RADIUS AVP 3GPP-User-Location-Info. (Bug 7474)
  • [PATCH] HomeplugAV dissector: decode device id. (Bug 7548)
  • BACnet GetEnrollmentSummary-ACK does not decode correctly. (Bug 7556)
  • epan/dissectors/packet-per.c dissect_per_constrained_integer_64b fails for 64 bits. (Bug 7624)
  • New SCTP PPID 48. (Bug 7635)
  • dissector of Qos attribute "Reliability Class" in GMM/SM message. (Bug 7670)
  • Performance regression in tshark -z io,stat. (Bug 7674)
  • Incorrect io-stat table format when unsupported "-t" operand is specified and when using AVG of relative_time fields. (Bug 7685)
  • IEEE 802.11 TKIP dissection : wrong IS_TKIP macro. (Bug 7691)
  • Homeplug AV dissectors does not properly dissect short frames. (Bug 7707)
  • mm_context_nas_dl_cnt and mm_context_nas_ul_cnt are not dissected properly in ContextResponse message in Gtpv2. (Bug 7718)
  • This trace causes Wireshark to crash when VoIP Calls selected. (Bug 7724)
  • Some diameter Gx enumerations are missing values or value is incorrect. (Bug 7727)
  • Wireshark 1.8.2 is only displaying 2 filters from the drop-down menu even when preferences are set to higher integer. (Bug 7731)
  • BGP bad decoding for Graceful Restart Capability with only helper support & for Enhanced Route Refresh Capability. (Bug 7734)
  • Dissection error of D-RELEASE and D-CONNECT in TETRA dissector. (Bug 7736)
  • DND can cause Wireshark to crash. (Bug 7744)
  • SCSI: WRITE BUFFER fields always display as zero. (Bug 7753)
  • Updated Protocol Support:
  • ASN.1 PER, BACnet, BGP, DIAMETER, DRDA, DVB CI, DVB, GSM Management, GTP, GTPv2, HDCP2, HomePlug AV, ICMP, ICMPv6, IEEE 802.11, IEEE 802a, Interlink, JPEG, LDP, LPP, MPEG, MPLS, PCAP, PPP, RANAP, RRC, RRLP, SCCP, SCSI, SCTP, SDP, SMB, TETRA

New in Wireshark 1.8.2 (Aug 16, 2012)

  • Bug Fixes:
  • The following vulnerabilities have been fixed.
  • wnpa-sec-2012-13
  • The DCP ETSI dissector could trigger a zero division. Reported by Laurent Butti. (Bug 7566)
  • Versions affected: 1.4.0 to 1.4.14, 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
  • CVE-2012-4285
  • wnpa-sec-2012-14
  • The MongoDB dissector could go into a large loop. Reported by Ben Schmidt. (Bug 7572)
  • Versions affected: 1.8.0 to 1.8.1.
  • CVE-2012-4287
  • wnpa-sec-2012-15
  • The XTP dissector could go into an infinite loop. Reported by Ben Schmidt. (Bug 7571)
  • Versions affected: 1.4.0 to 1.4.14, 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
  • CVE-2012-4288
  • wnpa-sec-2012-16
  • The ERF dissector could overflow a buffer. Reported by Laurent Butti. (Bug 7563)
  • Versions affected: 1.8.0 to 1.8.1.
  • CVE-2012-4294 CVE-2012-4295
  • wnpa-sec-2012-17
  • The AFP dissector could go into a large loop. Reported by Stefan Cornelius. (Bug 7603)
  • Versions affected: 1.4.0 to 1.4.14, 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
  • CVE-2012-4289
  • wnpa-sec-2012-18
  • The RTPS2 dissector could overflow a buffer. Reported by Laurent Butti. (Bug 7568)
  • Versions affected: 1.4.0 to 1.4.14, 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
  • CVE-2012-4296
  • wnpa-sec-2012-19
  • The GSM RLC MAC dissector could overflow a buffer. Reported by Laurent Butti. (Bug 7561)
  • Versions affected: 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
  • CVE-2012-4297
  • wnpa-sec-2012-20
  • The CIP dissector could exhaust system memory. Reported by Ben Schmidt. (Bug 7570)
  • Versions affected: 1.4.0 to 1.4.14, 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
  • CVE-2012-4291
  • wnpa-sec-2012-21
  • The STUN dissector could crash. Reported by Laurent Butti. (Bug 7569)
  • Versions affected: 1.4.0 to 1.4.14, 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
  • CVE-2012-4292
  • wnpa-sec-2012-22
  • The EtherCAT Mailbox dissector could abort. Reported by Laurent Butti. (Bug 7562)
  • Versions affected: 1.4.0 to 1.4.14, 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
  • CVE-2012-4293
  • wnpa-sec-2012-23
  • The CTDB dissector could go into a large loop. Reported by Ben Schmidt. (Bug 7573)
  • Versions affected: 1.4.0 to 1.4.14, 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
  • CVE-2012-4290
  • wnpa-sec-2012-24
  • The pcap-ng file parser could trigger a zero division. (Bug 7533)
  • Versions affected: 1.8.0 to 1.8.1.
  • CVE-2012-4286
  • wnpa-sec-2012-25
  • The Ixia IxVeriWave file parser could overflow a buffer. (Bug 7533)
  • Versions affected: 1.8.0 to 1.8.1.
  • CVE-2012-4298
  • The following bugs have been fixed:
  • Move Y.1711 out of MPLS dissector. (Bug 6787)
  • Patch: Add frame.interface_id support for ERF file format. (Bug 7266)
  • Freeze when Resizing or Moving while capturing. (Bug 7305)
  • Wireshark crashes when using multiple files. (Bug 7423)
  • Wireshark crashes on opening very short NFS pcap file. (Bug 7498)
  • Analyze->Apply as Filter and Analyze->Prepare a Filter cause crashes. (Bug 7506)
  • crashes in interface list, pipe handling. (Bug 7511)
  • ISDN LAPD X.31 packet traffic can not be decoded. (Bug 7514)
  • GIOP request_id used for sub dissectors is not assigned when decoding GIOP 1.2 Request message. (Bug 7516)
  • pcap-ng -ISB always writes 0 for isb_ifrecv option. (Bug 7523)
  • GSM classmark3 decode wrong. (Bug 7524)
  • mem corruption\heap corruption\div0 bugs. (Bug 7533)
  • DNS AD flag not shown properly. (Bug 7555)
  • Wireshark and TShark crash at start with invalid color filter on SPARC. (Bug 7634)
  • New Protocol Support:
  • There are no new protocols in this release.
  • Updated Protocol Support:
  • AFP, Apache JServ Protocol v1.3, Bluetooth L2CAP, CIP, CTDB, DCP ETSI, ERF, EtherCAT Mailbox, FC Link Control, GIOP, GSM A, GSM RLC MAC, GTP, GTPv2, ISDN, LISP, MongoDB, MPLS ITU-T Y.1711 OAM, MPLS PM, NFS, RTPS2, SCTP, STUN, XTP
  • New and Updated Capture File Support:
  • Ixia IxVeriWave, pcap-ng
  • Getting Wireshark:
  • Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
  • Vendor-supplied Packages:
  • Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
  • File Locations:
  • Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About→Folders to find the default locations on your system.

New in Wireshark 1.8.1 (Jul 24, 2012)

  • Bug Fixes:
  • The PPP dissector could crash. (Debian bug 680056) Versions affected: 1.4.0 to 1.4.13, 1.6.0 to 1.6.8, 1.8.0.
  • The NFS dissector could use excessive amounts of CPU. (Bug 7436) Versions affected: 1.4.0 to 1.4.13, 1.6.0 to 1.6.8, 1.8.0.
  • Wireshark crashes on bootp filter. (Bug 7391)
  • Wireshark > 1.4 does not correctly read Association ID for PS Poll packets. (Bug 7429)
  • Radius-EAP broken since 1.8.0 release. (Bug 7430)
  • SNMP incorrectly marks SNMPv3 "discovery" packet as malformed. (Bug 7438)
  • Widgets are not properly expanded in GTK3. (Bug 7377)
  • Find Next Mark duplicated on Edit Menu. (Bug 7445)
  • DVB-CI/CI+: fix offset error in operator_info apdu. (Bug 7468)
  • Unable to correctly identify IEC 61850 MMS packets. (Bug 7488)
  • WinPcap doesn't install if vcredist_x64 requires reboot. (Bug 7507)
  • Updated Protocol Support:
  • BACapp, BOOTP, DCERPC SPOOLSS, DVB-CI, H.248, IEEE 802.11, Jmirror, NAS EPS, NFS, PPP, RELOAD Framing, SES, SNMP, XMPP
  • New and Updated Capture File Support:
  • Microsoft Network Monitor

New in Wireshark 1.8.0 (Jun 22, 2012)

  • The following bugs have been fixed:
  • When saving the displayed packets, packets which are dependencies (e.g., due to reassembly) of the displayed packets are included in the list of saved packets.
  • Rearranging columns in preferences doesn't work on 64-bit Windows.
  • New and Updated Features:
  • Wireshark supports capturing from multiple interfaces at once.
  • You can now add, edit, and save packet and capture file annotations.
  • Wireshark, TShark, and their associated utilities now save files using the pcap-ng file format by default. (Your copy of Wireshark might still use the pcap file format if pcap-ng is disabled in your preferences.)
  • Decryption key management for IEEE 802.11, IPsec, and ISAKMP is easier.
  • OID resolution is now supported on 64-bit Windows.
  • The "Save As" menu item has been split into "Save As", which lets you save a file using a different filename and "Export Specified Packets", which lets you have more control over which packets are saved.
  • TCP fast retransmissions are now indicated as an expert info note, rather than a warning, just as TCP retransmissions are.
  • TCP window updates are no longer colorized as "Bad TCP".
  • TShark's command-line options have changed. The previously undocumented -P option is now -2 option for performing a two-pass analysis; the former -S option is now the -P option for printing packets even if writing to a file, and the -S option is now used to specify a different line separator between packets.
  • GeoIP IPv6 databases are now supported.
  • New Protocol Support:
  • Aastra Signalling Protocol (AASP), ActiveMQ OpenWire, Bandwidth Reservation Protocol (BRP), Bazaar, Binary Floor Control Protocol, BitTorrent DHT, C12.22, CANopen, CIP Motion, CIP Safety, Cisco FabricPath MiM, DMX Channel Data, DMX SIP, DMX Test, DMX Text, DMX, DVB Application Information Table, DVB Bouquet Association Table, DVB Event Information Table, DVB MultiProtocol Encapsulation (DVB-MPE), DVB Network Information Table, DVB Service Description Table, DVB Time and Date Table, DVB Time Offset Table, DVB/ETSI IP Data Cast (IPDC) Electronic Service Guide (ESG), ECP VDP, EIA-709.1 (LonTalk), EIA-852 (CN/IP), ELCOM, Ericsson A-bis OML (OM 2000), Ericsson HDLC, Ericsson Proprietary PCAP, ETSI CAT, ETV-AM Data, ETV-AM EISS Section, Flight Message Transfer Protocol (FMTP), Gadu-Gadu, GEO-Mobile Radio (1) BCCH, GEO-Mobile Radio (1) Common, GEO-Mobile Radio (1) DTAP, GEO-Mobile Radio (1) Radio Resource, Gluster Callback, Gluster CLI, Gluster Dump, Gluster Portmap, GlusterD, GlusterFS Callback, GlusterFS Handshake, GlusterFS, GSM A-bis OML, GSM CBCH, GSM Cell Broadcast Service, GSM SIM, H.248.2, Hadoop Distributed File System (HDFS), HART/IP, Hazelcast, HDFS Data, High bandwidth Digital Content Protection (HDCP), High-availability Seamless Redundancy (HSR), HomePlug AV, HSR/PRP, IEEE 1722.1, ISO 7816, ixveriwave, Kismet drone/server protocol, KristalliNet, LCS-AP, Link Access Procedure, Satellite channel (LAPSat), LLRP, LTE Positioning Protocol A (LPPa), LTE Positioning Protocol, M3 Application Protocol (M3AP), MAC Address Acquisition Protocol, MBMS synchronisation protocol, Microsoft Credential Security Support Provider (CredSSP), MoldUDP, MoldUDP64, MPEG Conditional Access, MPEG descriptors, MPEG DSM-CC, MPEG Program Association Table (PAT), MPEG Program Map Table, MPEG Section, MPLS Packet Loss and Delay Measurement, MPLS-TP Protection State Coordination, Multiple VLAN Registration Protocol (MRVP), Netfilter LOG, NOE, NXP MiFare, NXP PN532, Open IPTV Forum, openSAFETY, Performance Co-Pilot (PCP), PPI Sensor, RDP, RTP-MIDI, SBc Application Part (SBc-AP), SDH/SONET, Solaris IP over InfiniBand, Sony FeliCa, T.124, UA (Universal Alcatel), UA3G, UASIP, UAUDP, USB Integrated Circuit Card Interface Device Class (CCID), V5 Data Link Layer (V5DL), V5 Envelope Function (V5EF), Virtual eXtensible Local Area Network (VXLAN), VSS-Monitoring, Vuze DHT, WaveAgent, WebSocket, WSE Remote Ethernet, XMCP, YAMI
  • New and Updated Capture File Support:
  • Aethra Telecommunications' PC108, Catapult DCT2000, Citrix NetScaler, Cisco Secure IDS IPLog, Endace ERF, Gammu DCT3, Generic MIME, IBM iSeries, InfoVista 5View, Ixia IxVeriWave, LANalyzer, Microsoft NetMon, MPEG2-TS, Network Instruments Observer, Nokia DCT3, pcap, pcap-ng, Solaris snoop, TamoSoft CommView, Tektronix K12xx, XML

New in Wireshark 1.6.8 (May 23, 2012)

  • Bug Fixes:
  • wnpa-sec-2012-08
  • Infinite and large loops in the ANSI MAP, ASF, BACapp, Bluetooth HCI, IEEE 802.11, IEEE 802.3, LTP, and R3 dissectors have been fixed. Discovered by Laurent Butti. (Bugs 6805, 7118, 7119, 7120, 7121, 7122, 7124, 7125)
  • Versions affected: 1.4.0 to 1.4.12, 1.6.0 to 1.6.7.
  • wnpa-sec-2012-09
  • The DIAMETER dissector could try to allocate memory improperly and crash. (Bug 7138)
  • Versions affected: 1.4.0 to 1.4.12, 1.6.0 to 1.6.7.
  • wnpa-sec-2012-10
  • Wireshark could crash on SPARC processors due to misaligned memory. Discovered by Klaus Heckelmann. (Bug 7221)
  • Versions affected: 1.4.0 to 1.4.12, 1.6.0 to 1.6.7.
  • The following bugs have been fixed:
  • User-Password - PAP decoding passwords longer than 16 bytes. (Bug 6779)
  • The MSISDN is not seen correctly in GTP packet. (Bug 7042)
  • Wireshark doesn't calculate the right IPv4 destination using source routing options when bad options precede them. (Bug 7043)
  • BOOTP dissector issue with DHCP option 82 - suboption 9. (Bug 7047)
  • MPLS dissector in 1.6.7 and 1.7.1 misdecodes some MPLS CW packets. (Bug 7089)
  • ANSI MAP infinite loop. (Bug 7119)
  • HCIEVT infinite loop. (Bug 7122)
  • Wireshark doesn't decode NFSv4.1 operations. (Bug 7127)
  • LTP infinite loop. (Bug 7124)
  • Wrong values in DNS CERT RR. (Bug 7130)
  • Megaco parser problem with LF in header. (Bug 7198)
  • OPC UA bytestring node id decoding is wrong. (Bug 7226)
  • Updated Protocol Support:
  • ANSI MAP, ASF, BACapp, Bluetooth HCI, DHCP, DIAMETER, DNS, GTP, IEEE 802.11, IEEE 802.3, IPv4, LTP, Megaco, MPLS, NFS, OPC UA, RADIUS
  • New and Updated Capture File Support:
  • 5View, CSIDS, pcap, pcap-ng

New in Wireshark 1.6.7 (Apr 7, 2012)

  • Bug Fixes:
  • The following bugs have been fixed:
  • Wireshark could crash while reading SSL decryption keys on 64-bit Windows.
  • Malformed Packets H263-1996 (RFC2190). (Bug 6996)
  • Wireshark could crash while trying to open an rpcap: URL. (Bug 6922)
  • Updated Protocol Support:
  • H.263

New in Wireshark 1.6.6 (Mar 28, 2012)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2012-04
  • The ANSI A dissector could dereference a NULL pointer and crash. (Bug 6823)
  • Versions affected: 1.4.0 to 1.4.11, 1.6.0 to 1.6.5.
  • wnpa-sec-2012-05
  • The IEEE 802.11 dissector could go into an infinite loop. (Bug 6809)
  • Versions affected: 1.6.0 to 1.6.5.
  • wnpa-sec-2012-06
  • The pcap and pcap-ng file parsers could crash trying to read ERF data. (Bug 6804)
  • Versions affected: 1.4.0 to 1.4.11, 1.6.0 to 1.6.5.
  • wnpa-sec-2012-07
  • The MP2T dissector could try to allocate too much memory and crash. (Bug 6833)
  • Versions affected: 1.4.0 to 1.4.11, 1.6.0 to 1.6.5.
  • The Windows installers now include GnuTLS 1.12.18, which fixes several vulnerabilities.
  • The following bugs have been fixed:
  • ISO SSAP: ActivityStart: Invalid decoding the activity parameter as a BER Integer. (Bug 2873)
  • Forward slashes in URI need to be converted to backslashes if WIN32. (Bug 5237)
  • Character echo pauses in Capture Filter field in Capture Options. (Bug 5356)
  • Some PGM options are not parsed correctly. (Bug 5687)
  • dumpcap crashes when capturing from pipe to a pcap-ng file (e.g., when passing data from CACE Pilot to Wireshark). (Bug 5939)
  • Unable to rearrange columns in preferences on Windows. (Bug 6077) (Note: this bug still affects the 64-bit package)
  • No error for UDP/IPv6 packet with zero checksum. (Bug 6232)
  • Wireshark installer doesn't add access_bpf in 10.5.8. (Bug 6526)
  • Corrupted Diameter dictionary file that crashes Wireshark. (Bug 6664)
  • packetBB dissector bug: More than 1000000 items in the tree -- possible infinite loop. (Bug 6687)
  • ZEP dissector: Timestamp not always displayed correctly. Fractional seconds never displayed. (Bug 6703)
  • GOOSE Messages don't use the length field to perform the dissection. (Bug 6734)
  • Ethernet traces in K12 text format sometimes give bogus "malformed frame" errors and other problems. (Bug 6735)
  • max_ul_ext isn't printed/decoded to the packet details log in GTP protocol packet. (Bug 6761)
  • non-IPP packets to or from port 631 are dissected as IPP. (Bug 6765)
  • lua proto registration fails for uppercase proto / g_ascii_strdown problem. (Bug 6766)
  • no menu item File->Export->SSL Session Keys in GTK. (Bug 6813)
  • IAX2 dissector reads past end of packet for unknown IEs. (Bug 6815)
  • TShark 1.6.5 immediately crashes on SSL decryption (every time). (Bug 6817)
  • USB: unknown GET DESCRIPTOR response triggers assert failure. (Bug 6826)
  • IEEE1588 PTPv2 over IPv6. (Bug 6836)
  • Patch to fix DTLS decryption. (Bug 6847)
  • Expression... dialog crash. (Bug 6891)
  • display filter "gtp.msisdn" not working. (Bug 6947)
  • Multiprotocol Label Switching Echo - Return Code: Reserved (5). (Bug 6951)
  • ISAKMP : VendorID CheckPoint : Malformed Packet. (Bug 6972)
  • Adding a Custom HTTP Header Field with a trailing colon causes wireshark to immediately crash (and crash upon restart). (Bug 6982)
  • Radiotap dissector lists a bogus "DBM TX Attenuation" bit. (Bug 7000)
  • MySQL dissector assertion. (Ask 8649)
  • Radiotap header format data rate alignment issues. (Ask 8649)
  • Updated Protocol Support:
  • ANSI A, BSSGP, DIAMETER, DTLS, GOOSE, GSM Management, GTP, HTTP, IAX2, IEEE 802.11, IPP, ISAKMP, ISO SSAP, MP2T, MPLS, MySQL, NTP, PacketBB, PGM, Radiotap, SSL, TCP, UDP, USB, WSP
  • New and Updated Capture File Support:
  • Endace ERF, Pcap-NG, Tektronix K12

New in Wireshark 1.6.5 (Jan 11, 2012)

  • The following vulnerabilities have been fixed:
  • Laurent Butti discovered that Wireshark failed to properly check record sizes for many packet capture file formats.
  • Wireshark could dereference a NULL pointer and crash.
  • The RLC dissector could overflow a buffer.
  • The following bugs have been fixed:
  • "Closing File!" Dialog Hangs.
  • Sub-fields of data field should appear in exported PDML as children of the data field instead of as siblings to it.
  • Incorrect time differences displayed with time reference set.
  • Wrong packet type association of SNMP trap after TFTP transfer.
  • SSL/TLS decryption needs wireshark to be rebooted.
  • Export HTTP Objects -> save all crashes Wireshark.
  • Wireshark Netflow dissector complains there is no template found though the template is exported.
  • DCERPC EPM tower UUID must be interpreted always as little endian.
  • Crash if no recent files.
  • IPv6 frame containing routing header with 0 segments left calculates wrong UDP checksum.
  • IPv4 UDP/TCP Checksum incorrect if routing header present.
  • Incorrect Parsing of SCPS Capabilities Option introduced in response to bug 6194.
  • Various crashes after loading NetMon2.x capture file.
  • Fixed compilation of dumpcap on some systems (when MUST_DO_SELECT is defined).
  • SIGSEGV in SVN 40046.
  • Wireshark dissects TCP option 25 as an "April 1" option.
  • ZigBee ZCL Dissector reports invalid status.
  • ICMPv6 DNSSL option malformed on padding.
  • Wrong tvb_get_bits function call in packet-csn1.c.
  • [UDP] - Length Field of Pseudo Header while computing CheckSum is not correct.
  • pcapio.c: bug in libpcap_write_interface_description_block.
  • Memory leaks in various dissectors.
  • Bytes highlighted in wrong Byte pane when field selected in Details pane.
  • Updated Protocol Support:
  • BGP, BMC, CSN1, DCERPC EPM, DCP(ETSI), DMP, DTLS, GSM Management, H245, HPTEAM, ICMPv6, IEEE 802.15.4, IPSEC, IPv4, IPv6, ISAKMP, KERBEROS, LDSS, NFS, RLC, RPC-NETLOGON, RRC, RTMPT, SIGCOMP, SSL, SYSLOG, TCP, UDP, XML, ZigBee ZCL
  • New and Updated Capture File Support:
  • Accellent 5Views, AIX iptrace, HP-UX nettl, I4B, Microsoft Network Monitor, Novell LANalyzer, PacketLogger, Pcap-ng, Sniffer, Tektronix K12, WildPackets {Airo,Ether}Peek.

New in Wireshark 1.6.4 (Nov 19, 2011)

  • Bug Fixes:
  • Patch to fix memory leaks/errors in Lua plugin. (Bug 5575)
  • Wireshark crashes if a field of type BASE_CUSTOM is applied as a column. (Bug 6503)
  • Filter Expression dialog can only be opened once. (Bug 6537)
  • Wireshark crashes if compiled without GLib thread support. (Bug 6540)
  • 80211 QoS Control: Add Raw TID. (Bug 6548)
  • SNMP length check error. (Bug 6564)
  • UCP dissector bug of operation 61. (Bug 6570)

New in Wireshark 1.6.3 (Nov 2, 2011)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2011-17
  • The CSN.1 dissector could crash. (Bug 6351)
  • Versions affected: 1.6.0 to 1.6.2.
  • wnpa-sec-2011-18
  • Huzaifa Sidhpurwala of Red Hat Security Response Team discovered that the Infiniband dissector could dereference a NULL pointer. (Bug 6476)
  • Versions affected: 1.4.0 to 1.4.9, 1.6.0 to 1.6.2.
  • wnpa-sec-2011-19
  • Huzaifa Sidhpurwala of Red Hat Security Response Team discovered a buffer overflow in the ERF file reader. (Bug 6479)
  • Versions affected: 1.4.0 to 1.4.9, 1.6.0 to 1.6.2.
  • The following bugs have been fixed:
  • Assertion failed when doing File->Quit->Save during live capture. (Bug 1710)
  • Wrong PCEP XRO sub-object decoding. (Bug 3778)
  • Wireshark window takes very long time to show up if invalid network file path is at recent file list. (Bug 3810)
  • Decoding [Status Records] Timestamp Sequence Field in Bundle Protocol fails if over 32 bits. (Bug 4109)
  • ISUP party number dissection. (Bug 5221)
  • wireshark-1.4.2 crashes when testing the example python dissector because of a dissector count assertion. (Bug 5431)
  • Ethernet packets with both VLAN tag and LLC header no longer displayed correctly. (Bug 5645)
  • SLL encapsuled 802.1Q VLAN is not dissected. (Bug 5680)
  • Wireshark crashes when attempting to open a file via drag & drop when there's already a file open. (Bug 5987)
  • Adding and removing custom HTTP headers requires a restart. (Bug 6241)
  • Can't read full 64-bit SNMP values. (Bug 6295)
  • Dissection fails for frames with Gigamon Header and VLAN. (Bug 6305)
  • RTP Stream Analysis does not work for TURN-encapsulated RTP. (Bug 6322)
  • packet-csn1.c doesn't process CSN_CHOICE entries properly. (Bug 6328)
  • BACnet property time-synchronization-interval (204) name shown incorrectly as time-synchronization-recipients. (Bug 6336)
  • GUI crash on invalid IEEE 802.11 GAS frame. (Bug 6345)
  • [ASN.1 PER] Incorrect decoding of BIT STRING type. (Bug 6347)
  • ICMPv6 router advertisement Prefix Information Flag R "Router Address" missing. (Bug 6350)
  • Export -> Object -> HTTP -> save all: Error on saving files. (Bug 6362)
  • Inner tag of 802.1ad frames not parsed properly. (Bug 6366)
  • Added cursor type decoding to MySQL dissector. (Bug 6396)
  • Incorrect identification of UDP-encapsulated NAT-keepalive packets. (Bug 6414)
  • WPA IE pairwise cipher suite dissector uses incorrect value_string list. (Bug 6420)
  • S1AP protocol can't decode IPv6 transportLayerAddress. (Bug 6435)
  • RTPS2 dissector doesn't handle 0 in the octestToNextHeader field. (Bug 6449)
  • packet-ajp13 fix, cleanup, and enhancement. (Bug 6452)
  • Network Instruments Observer file format bugs. (Bug 6453)
  • Wireshark crashes when using "Open Recent" 2 times in a row. (Bug 6457)
  • Wireshark packet_gsm-sms, display bug: Filler bits in TP-User Data Header. (Bug 6469)
  • wireshark unable to decode NetFlow options which have system scope size != 4 bytes. (Bug 6471)
  • Display filter Expression Dialog Box Error. (Bug 6472)
  • text_import_scanner.l missing. (Bug 6531)
  • Updated Protocol Support:
  • AJP13, ASN.1 PER, BACnet, CSN.1, DTN, Ethernet, ICMPv6, IEEE 802.11, IEEE 802.1q, Infiniband, IPsec, MySQL, PCEP, PN-RT, RTP, S1AP, SSL
  • New and Updated Capture File Support:
  • Endace ERF.

New in Wireshark 1.6.2 (Sep 9, 2011)

  • The following vulnerabilities have been fixed:
  • A large loop in the OpenSafety dissector could cause a crash. (Bug 6138)
  • A malformed IKE packet could consume excessive resources.
  • A malformed capture file could result in an invalid root tvbuff and cause a crash. (Bug 6135)
  • Wireshark could run arbitrary Lua scripts. (Bug 6136)
  • The CSN.1 dissector could crash. (Bug 6139)
  • Versions affected: 1.6.0 to 1.6.1.
  • The following bugs have been fixed:
  • configure ignores (partially) LDFLAGS. (Bug 5607)
  • Build fails when it tries to #include , not present in Solaris 9. (Bug 5608)
  • Unable to configure zero length SNMP Engine ID. (Bug 5731)
  • BACnet who-is request device range values are not decoded correctly in the packet details window. (Bug 5769)
  • H.323 RAS packets missing from packet counts in "Telephony->VoIP Calls" and the "Flow Graph" for the call. (Bug 5848)
  • Wireshark crashes if sercosiii module isn't installed. (Bug 6006)
  • Editcap could create invalid pcap files when converting from JPEG. (Bug 6010)
  • Timestamp is incorrectly decoded for ICMP Timestamp Response packets from MS Windows. (Bug 6114)
  • Malformed Packet in decode for BGP-AD update. (Bug 6122)
  • Wrong display of CSN_BIT in CSN.1. (Bug 6151)
  • Fix CSN_RECURSIVE_TARRAY last bit error in packet-csn1.c. (Bug 6166)
  • Wireshark cannot display Reachable time & Retrans timer in IPv6 RA messages. (Bug 6168)
  • ReadPropertyMultiple-ACK not correctly dissected. (Bug 6178)
  • GTPv2 dissectors should treat gtpv2_ccrsi as optional. (Bug 6183)
  • BGP : AS_PATH attribute was decode wrong. (Bug 6188)
  • Fixes for SCPS TCP option. (Bug 6194)
  • Offset calculated incorrectly for sFlow extended data. (Bug 6219)
  • [Enter] key behavior varies when manually typing display filters. (Bug 6228)
  • Contents of pcapng EnhancedPacketBlocks with comments aren't displayed. (Bug 6229)
  • Misdecoding 3G Neighbour Cell Information Element in SI2quater message due to a coding typo. (Bug 6237)
  • Mis-spelled word "unknown" in assorted files. (Bug 6244)
  • tshark run with -Tpdml makes a seg fault. (Bug 6245)
  • btl2cap extended window shows wrong bit. (Bug 6257)
  • NDMP dissector incorrectly represents "ndmp.bytes_left_to_read" as signed. (Bug 6262)
  • TShark/dumpcap skips capture duration flag occasionally. (Bug 6280)
  • File types with no snaplen written out with a zero snaplen in pcap-ng files. (Bug 6289)
  • Wireshark improperly parsing 802.11 Beacon Country Information tag. (Bug 6264)
  • ERF records with extension headers not written out correctly to pcap or pcap-ng files. (Bug 6265)
  • RTPS2: MAX_BITMAP_SIZE is defined incorrectly. (Bug 6276)
  • Copying from RTP stream analysis copies 1st line many times. (Bug 6279)
  • Wrong display of CSN_BIT under CSN_UNION. (Bug 6287)
  • MEGACO context tracking fix - context id reuse. (Bug 6311)
  • Updated Protocol Support:
  • BACapp, Bluetooth L2CAP, CSN.1, DCERPC, GSM A RR, GTPv2, ICMP, ICMPv6, IKE, MEGACO, MSISDN, NDMP, OpenSafety, RTPS2, sFlow, SNMP, TCP
  • New and Updated Capture File Support:
  • CommView, pcap-ng, JPEG.

New in Wireshark 1.6.1 (Jul 19, 2011)

  • The following vulnerabilities have been fixed:
  • The Lucent/Ascend file parser was susceptible to an infinite loop.
  • Versions affected: 1.2.0 to 1.2.17, 1.4.0 to 1.4.7, and 1.6.0.
  • CVE-2011-2597
  • The ANSI MAP dissector was susceptible to an infinite loop.
  • Versions affected: 1.4.0 to 1.4.7, and 1.6.0.
  • The following bugs have been fixed:
  • TCP dissector doesn't decode TCP segments of length 1.
  • wireshark 1.4.0rc1 and python - spurious message.
  • Missing LUA function.
  • Lua API description about creating a new Tvb from a bytearray is not correct in wireshark's user guide.
  • Character echo pauses in Capture Filter field in Capture Options.
  • White space in protocol field abbreviation causes runtime failure while registering Lua dissector.
  • "File not found" box uses wrong filename encoding.
  • capinfos: #ifdef HAVE_LIBGCRYPT block includes a line too many.
  • Wireshark crashes if Lua contains "Pref.range()" with missing arguments.
  • The "range" field in Lua's "Pref.range()" serves as default while the "default" field does nothing.
  • Wireshark crashes when calling TreeItem:set_len() on TreeItem without tvb.
  • TvbRange_string(lua_State* L) calls a wrong function.
  • VoIP call flow graph displays BICC APM as a BICC ANM.
  • Cannot Live-capture VirtualBox network packets with Wireshark; pipe problem.
  • Interface list in Capture Options isn't cleared when selecting other host.
  • H323 rate multiplier wrong.
  • Inclusion of config.h is too late in lex-files resulting in wrong definition of _FILE_OFFSET_BITS.
  • tshark crashes when loading Lua script that contains GUI function.
  • 802.11 Disassociation Packet's "Reason Code" field is imprecisely decoded/described.
  • Wireshark crashes when setting custom column's field name with conditional.
  • Crash after applying "expert.severity" field as column.
  • GTS Descriptor count limited to 3 instead of 7.
  • The SSL dissector can not reassemble correctly the frames after TCP zero window probe packet.
  • Packet parser takes too long for this trace.
  • Wireshark crashes after repeating "File -> Import -> Cancel". (Bug 6080)
  • Decoding of MQ ASCII and EBCDIC Traffic Flow - ASCII shows fine, EBCDIC does not.
  • 802.11 Association Response Packet's "Status Code" field is imprecisely decoded/described.
  • Abis interface not correctly handled in gsmtap dissector.
  • Wrong decoding of RLC/MAC EGPRS Packet Downlink Ack/Nack (3GPP TS 44.060).
  • CSN Ack/Nack Description wrongly handled in gsm_rlcmac_dl dissector (3GPP TS 44.060).
  • wireshark 1.6.0 and python support: installer fails to create the wspy_dissectors subdirectory and .
  • Wireshark crash during RTP stream analysis.

New in Wireshark 1.5.1 (Jun 8, 2011)

  • Bug Fixes:
  • Wireshark is unresponsive when capturing from named pipes on Windows.
  • Ring buffers are no longer turned on by default when using multiple capture files.
  • New and Updated Features:
  • Wireshark can import text dumps, similar to text2pcap.
  • You can now view Wireshark's dissector tables (for example the TCP port to dissector mappings) from the main window.
  • TShark can show a specific occurrence of a field when using '-T fields'.
  • Custom columns can show a specific occurrence of a field.
  • You can hide columns in the packet list.
  • Wireshark can now export SMB objects.
  • dftest and randpkt now have manual pages.
  • TShark can now display iSCSI service response times.
  • Dumpcap can now save files with a user-specified group id.
  • Syntax checking is done for capture filters.
  • You can display the compiled BPF code for capture filters in the Capture Options dialog.
  • You can now navigate backwards and forwards through TCP and UDP sessions using Ctrl+, and Ctrl+.
  • Packet length is (finally) a default column.
  • TCP window size is now available both scaled and unscaled. A TCP window scaling graph is available in the GUI.
  • 802.1q VLAN tags are now shown by the Ethernet II dissector.
  • Various dissectors now display some UTF-16 strings as proper Unicode including the DCE/RPC and SMB dissectors.
  • The RTP player now has an option to show the time of day in the graph in addition to the seconds since beginning of capture.
  • The RTP player now shows why media interruptions occur.
  • Graphs now save as PNG images by default.
  • TShark can read and write host name information from and to pcapng-formatted files. Wireshark can read it. TShark can dump host name information via [-z hosts]
  • The tshark -z option now uses the [-z ,srt] syntax instead of [-z ,rtt] for all protocols that support service response time statistics. This syntax now matches Wireshark's syntax for this option.
  • New Protocol Support:
  • ADwin, ADwin-Config, Apache Etch, Aruba PAPI, Babel Routing Protocol, Constrained Application Protocol (COAP), Digium TDMoE, Erlang Distribution Protocol, Ether-S-I/O, FastCGI, Fibre Channel over InfiniBand (FCoIB), Gopher, Gigamon GMHDR, IDMP, Infiniband Socket Direct Protocol (SDP), JSON, LISP Data, MikroTik MAC-Telnet, Mongo Wire Protocol, Network Monitor 802.11 radio header, OPC UA ExtensionObjects, PPI-GEOLOCATION-GPS, ReLOAD, ReLOAD Framing, RSIP, SAMETIME, SCoP, SGSAP, Tektronix Teklink, WAI authentication, Wi-Fi P2P (Wi-Fi Direct)
  • Updated Protocol Support:
  • New and Updated Capture File Support:
  • Apple PacketLogger, Catapult DCT2000, Daintree SNA, Endace ERF, HP OpenVMS TCPTrace, IPFIX (the file format, not the protocol), Lucent/Ascend debug, Microsoft Network Monitor, Network Instruments, TamoSoft CommView

New in Wireshark 1.4.7 (Jun 1, 2011)

  • The following bugs have been fixed:
  • AIM dissector has some endian issues. (Bug 5464)
  • Telephony→MTP3→MSUS doesn't display window. (Bug 5605)
  • Support for MS NetMon 3.x traces containing raw IPv6 ("Type 7") packets. (Bug 5817)
  • Service Indicator in M3UA protocol data. (Bug 5834)
  • IEC60870-5-104 protocol, incorrect decoding of timestamp type CP56Time2a. (Bug 5889)
  • DNP3 dissector incorrect constants AL_OBJ_FCTR_16NF _FDCTR_32NF _FDCTR_16NF. (Bug 5920)
  • 3GPP QoS: Traffic class is not decoded properly. (Bug 5928)
  • Wireshark crashes when creating ProtoField.framenum in Lua. (Bug 5930)
  • Fix a wrong mask to extract FMID from DECT packets dissector. (Bug 5947)
  • Incorrect DHCPv6 remote identifier option parsing. (Bug 5962)
  • Updated Protocol Support:
  • DICOM, IEC104, M3UA, TCP,
  • New and Updated Capture File Support:
  • Network Monitor.

New in Wireshark 1.6.0 RC1 (May 17, 2011)

  • The following bugs have been fixed:
  • Wireshark is unresponsive when capturing from named pipes on Windows. (Bug 1759)
  • Ring buffers are no longer turned on by default when using multiple capture files.
  • New and Updated Features:
  • Wireshark can import text dumps, similar to text2pcap.
  • You can now view Wireshark's dissector tables (for example the TCP port to dissector mappings) from the main window.
  • TShark can show a specific occurrence of a field when using '-T fields'.
  • Custom columns can show a specific occurrence of a field.
  • You can hide columns in the packet list.
  • Wireshark can now export SMB objects.
  • dftest and randpkt now have manual pages.
  • TShark can now display iSCSI, ICMP and ICMPv6 service response times.
  • Dumpcap can now save files with a user-specified group id.
  • Syntax checking is done for capture filters.
  • You can display the compiled BPF code for capture filters in the Capture Options dialog.
  • You can now navigate backwards and forwards through TCP and UDP sessions using Ctrl+, and Ctrl+.
  • Packet length is (finally) a default column.
  • TCP window size is now available both scaled and unscaled. A TCP window scaling graph is available in the GUI.
  • 802.1q VLAN tags are now shown by the Ethernet II dissector.
  • Various dissectors now display some UTF-16 strings as proper Unicode including the DCE/RPC and SMB dissectors.
  • The RTP player now has an option to show the time of day in the graph in addition to the seconds since beginning of capture.
  • The RTP player now shows why media interruptions occur.
  • Graphs now save as PNG images by default.
  • TShark can read and write host name information from and to pcapng-formatted files. Wireshark can read it. TShark can dump host name information via [-z hosts]
  • The tshark -z option now uses the [-z ,srt] syntax instead of [-z ,rtt] for all protocols that support service response time statistics. This syntax now matches Wireshark's syntax for this option.
  • New Protocol Support:
  • ADwin, ADwin-Config, Apache Etch, Aruba PAPI, Babel Routing Protocol, Broadcast/Multicast Control, Constrained Application Protocol (COAP), Digium TDMoE, Erlang Distribution Protocol, Ether-S-I/O, FastCGI, Fibre Channel over InfiniBand (FCoIB), Gopher, Gigamon GMHDR, IDMP, Infiniband Socket Direct Protocol (SDP), JSON, LISP Control, LISP Data, LISP, MikroTik MAC-Telnet, MRP Multiple Mac Registration Protocol (MMRP), Mongo Wire Protocol, MUX27010, Network Monitor 802.11 radio header, OPC UA ExtensionObjects, PPI-GEOLOCATION-GPS, ReLOAD, ReLOAD Framing, RObust Header Compression (ROHC), RSIP, SAMETIME, SCoP, SGSAP, Tektronix Teklink, USB/AT Commands, uTorrent Transport Protocol, WAI authentication, Wi-Fi P2P (Wi-Fi Direct)
  • New and Updated Capture File Support:
  • Apple PacketLogger, Catapult DCT2000, Daintree SNA, Endace ERF, HP OpenVMS TCPTrace, IPFIX (the file format, not the protocol), Lucent/Ascend debug, Microsoft Network Monitor, Network Instruments, TamoSoft CommView

New in Wireshark 1.4.6 (Apr 19, 2011)

  • Bug Fixes:
  • Wireshark and TShark can crash while analyzing TCP packets. (Bug 5837)

New in Wireshark 1.4.5 (Apr 16, 2011)

  • The following vulnerabilities have been fixed:
  • The NFS dissector could crash on Windows. (Bug 5209)
  • The X.509if dissector could crash. (Bug 5754, Bug 5793)
  • Paul Makowski from SEI/CERT discovered that the DECT dissector could overflow a buffer. He verified that this could allow remote code execution on many platforms.
  • The following bugs have been fixed:
  • Cygwin make fails after updating to bash v 4.1.9.2
  • Export HTTP > All - System Appears Hung (but isn't). (Bug 1671)
  • Some HTTP responses don't decode with TCP reassembly on. (Bug 3785)
  • Wireshark crashes when cancelling a large sort operation. (Bug 5189)
  • Wireshark crashes if SSL preferences RSA key is actually a DSA key. (Bug 5662)
  • tshark incorrectly calculates TCP stream for some syn packets. (Bug 5743)
  • Wireshark not able to decode the PPP frame in a sflow (RFC3176) flow sample packet because Wireshark incorrectly read the protocol in PPP frame header. (Bug 5746)
  • Mysql protocol dissector: all fields should be little endian. (Bug 5759)
  • Error when opening snoop from Juniper SSG-140. (Bug 5762)
  • svnversion: command not found. (Bug 5798)
  • capinfos: #ifdef HAVE_LIBGCRYPT block includes a line too many. (Bug 5803)
  • Value of TCP segment data cannot be copied. (Bug 5811)
  • proto_field_is_referenced() is not exported in libwireshark.dll. (Bug 5816)
  • Wireshark ver. 1.4.4 not displayed "Granted QoS" field in a A11 packet. (Bug 5822)

New in Wireshark 1.5.1 Development (Apr 12, 2011)

  • Bug Fixes:
  • Wireshark is unresponsive when capturing from named pipes on Windows. (Bug 1759)
  • Ring buffers are no longer turned on by default when using multiple capture files.

New in Wireshark 1.4.4 (Mar 2, 2011)

  • The following bugs have been fixed:
  • A TCP stream would not always be recognized as the same stream. (Bug 2907)
  • Wireshark Crashing by pressing 2 Buttons. (Bug 4645)
  • A crash can occur in the NTLMSSP dissector. (Bug 5157)
  • The column texts from a Lua dissector could be mangled. (Bug 5326) (Bug 5630)
  • Corrections to ANSI MAP ASN.1 specifications. (Bug 5584)
  • When searching in packet bytes, the field and bytes are not immediately shown. (Bug 5585)
  • Malformed Packet: ULP reported when dissecting ULP SessionID PDU. (Bug 5593)
  • Wrong IEI in container of decode_gtp_mm_cntxt. (Bug 5598)
  • Display filter does not work for expressions of type BASE_DEC, BASE_DEC_HEX and BASE_HEX_DEC. (Bug 5606)
  • NTLMSSP dissector may fail to compile due to space embedded in C comment delimiters. (Bug 5614)
  • Allow for name resolution of link-scope and multicast IPv6 addresses from local host file. (Bug 5615)
  • DHCPv6 dissector formats DUID_LLT time incorrectly. (Bug 5627)
  • Allow for IEEE 802.3bc-2009 style PoE TLVs. (Bug 5639)
  • Various fixes to the HIP packet dissector. (Bug 5646)
  • Display "Day of Year" for January 1 as 1, not 0. (Bug 5653)
  • Accommodate the CMake build on Ubuntu 10.10. (Bug 5665)
  • E.212 MCC 260 Poland update according to local national regulatory. (Bug 5668)
  • IPP on ports other than 631 not recognized. (Bug 5677)
  • Potential access violation when writing to LANalyzer files. (Bug 5698)
  • IEEE 802.15.4 Superframe Specification - Final CAP Slot always 0. (Bug 5700)
  • Peer SRC and DST AS numbers are swapped for cflow. (Bug 5702)
  • dumpcap: -q option behavior doesn't match documentation. (Bug 5716)
  • Updated Protocol Support:
  • ANSI MAP, BitTorrent, DCM, DHCPv6, DTAP, DTPT, E.212, GSM Management, GTP, HIP, IEEE 802.15.4, IPP, LDAP, LLDP, Netflow, NTLMSSP, P_Mul, Quake, Skinny, SMB, SNMP, ULP
  • New and Updated Capture File Support:
  • LANalyzer, Nokia DCT3, Pcap-ng

New in Wireshark 1.5.0 Development (Jan 25, 2011)

  • New and Updated Features:
  • Wireshark can import text dumps, similar to text2pcap.
  • You can now view Wireshark's dissector tables (for example the TCP port to dissector mappings) from the main window.
  • TShark can show a specific occurrence of a field when using '-T fields'.
  • Custom columns can show a specific occurrence of a field.
  • You can hide columns in the packet list.
  • Wireshark can now export SMB objects.
  • dftest and randpkt now have manual pages.
  • TShark can now display iSCSI service response times.
  • Dumpcap can now save files with a user-specified group id.
  • Syntax checking is done for capture filters.
  • You can display the compiled BPF code for capture filters in the Capture Options dialog.
  • You can now navigate backwards and forwards through TCP and UDP sessions using Ctrl+, and Ctrl+.
  • Packet length is (finally) a default column.
  • TCP window size is now available both scaled and unscaled. A TCP window scaling graph is available in the GUI.
  • 802.1q VLAN tags are now shown by the Ethernet II dissector.
  • Various dissectors now display some UTF-16 strings as proper Unicode including the DCE/RPC and SMB dissectors.
  • The RTP player now has an option to show the time of day in the graph in addition to the seconds since beginning of capture.
  • The RTP player now shows why media interruptions occur.
  • Graphs now save as PNG images by default.
  • New Protocol Support:
  • ADwin, ADwin-Config, Apache Etch, Aruba PAPI, Constrained Application Protocol (COAP), Digium TDMoE, Ether-S-I/O, FastCGI, Fibre Channel over InfiniBand (FCoIB), Gopher, Gigamon GMHDR, IDMP, Infiniband Socket Direct Protocol (SDP), JSON, LISP Data, MikroTik MAC-Telnet, Mongo Wire Protocol, Network Monitor 802.11 radio header, OPC UA ExtensionObjects, PPI-GEOLOCATION-GPS, ReLOAD, ReLOAD Framing, SAMETIME, SCoP, SGSAP, Tektronix Teklink, WAI authentication, Wi-Fi P2P (Wi-Fi Direct)
  • New and Updated Capture File Support:
  • Apple PacketLogger, Catapult DCT2000, Daintree SNA, Endace ERF, HP OpenVMS TCPTrace, IPFIX (the file format, not the protocol), Lucent/Ascend debug, Microsoft Network Monitor, Network Instruments, TamoSoft CommView

New in Wireshark 1.4.3 (Jan 12, 2011)

  • Bug Fixes
  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
  • FRAsse discovered that the MAC-LTE dissector could overflow a buffer. (Bug 5530)
  • Versions affected: 1.2.0 to 1.2.13 and 1.4.0 to 1.4.2.
  • FRAsse discovered that the ENTTEC dissector could overflow a buffer. (Bug 5539)
  • Versions affected: 1.2.0 to 1.2.13 and 1.4.0 to 1.4.2.
  • CVE-2010-4538
  • The ASN.1 BER dissector could assert and make Wireshark exit prematurely. (Bug 5537)
  • Versions affected: 1.4.0 to 1.4.2.
  • The following bugs have been fixed:
  • AMQP failed assertion. (Bug 4048)
  • Reassemble.c leaks memory for GLIB > 2.8. (Bug 4141)
  • Fuzz testing reports possible dissector bug: TCP. (Bug 4211)
  • Wrong length calculation in new_octet_aligned_subset_bits() (PER dissector). (Bug 5393)
  • Function dissect_per_bit_string_display might read more bytes than available (PER dissector). (Bug 5394)
  • Cannot load wpcap.dll & packet.dll from Wireshark program directory. (Bug 5420)
  • Wireshark crashes with Copy -> Description on date/time fields. (Bug 5421)
  • DHCPv6 OPTION_CLIENT_FQDN parse error. (Bug 5426)
  • Information element Error for supported channels. (Bug 5430)
  • Assert when using ASN.1 dissector with loading a 'type table'. (Bug 5447)
  • Bug with RWH parsing in Infiniband dissector. (Bug 5444)
  • Help->About Wireshark mis-reports OS. (Bug 5453)
  • Delegated-IPv6-Prefix(123) is shown incorrect as X-Ascend-Call-Attempt-Limit(123). (Bug 5455)
  • "tshark -r file -T fields" is truncating exported data. (Bug 5463)
  • gsm_a_dtap: incorrect "Extraneous Data" when decoding Packet Flow Identifier. (Bug 5475)
  • Improper decode of TLS 1.2 packet containing both CertificateRequest and ServerHelloDone messages. (Bug 5485)
  • LTE-PDCP UL and DL problem. (Bug 5505)
  • CIGI 3.2/3.3 support broken. (Bug 5510)
  • Prepare Filter in RTP Streams dialog does not work correctly. (Bug 5513)
  • Wrong decode at ethernet OAM Y.1731 ETH-CC. (Bug 5517)
  • WPS: RF bands decryption. (Bug 5523)
  • Incorrect LTP SDNV value handling. (Bug 5521)
  • LTP bug found by randpkt. (Bug 5323)
  • Buffer overflow in SNMP EngineID preferences. (Bug 5530)
  • New and Updated Features
  • There are no new features in this release.
  • New Protocol Support
  • There are no new protocols in this release.
  • Updated Protocol Support
  • AMQP, ASN.1 BER, ASN.1 PER, CFM, CIGI, DHCPv6, Diameter, ENTTEC, GSM A GM, IEEE 802.11, InfiniBand, LTE-PDCP, LTP, MAC-LTE, MP2T, RADIUS, SAMR, SCCP, SIP, SNMP, TCP, TLS, TN3270, UNISTIM, WPS
  • New and Updated Capture File Support
  • Endace ERF, Microsoft Network Monitor, VMS TCPtrace.

New in Wireshark 1.4.1 (Oct 12, 2010)

  • Bug Fixes:
  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
  • The Penetration Test Team of NCNIPC (China) discovered that the ASN.1 BER dissector was susceptible to a stack overflow. (Bug 5230)
  • Versions affected: All previous versions up to and including 1.2.11 and 1.4.0.
  • The following bugs have been fixed:
  • Wireshark may appear offscreen on multi-monitor Windows systems. (Bug 553)
  • Incorrect behavior using sorting in the packet list. (Bug 2225)
  • Cooked-capture dissector should omit the source address field if empty. (Bug 2519)
  • MySQL dissector doesn't dissect MySQL stream. (Bug 2691)
  • Wireshark crashes if active display filter macro is renamed. (Bug 5002)
  • Incorrect dissection of MAP V2 PRN_ACK. (Bug 5076)
  • TCP bytes_in_flight becomes inflated with lost packets. (Bug 5132)
  • Wireshark fails to start on Windows XP 64bit. (Bug 5160)
  • GTP header is exported in PDML with an incorrect size. (Bug 5162)
  • Packet list hidden columns will not be parsed correctly from preferences file. (Bug 5163)
  • Wireshark does not display the t.38 graph. (Bug 5165)
  • Wireshark doesn't show mgcp calls in "Telephony → VoIP calls". (Bug 5167)
  • Wireshark 1.4.0 & VoIP calls "Prepare Filter" problem. (Bug 5172)
  • GTPv2: IMSI is decoded improperly. (Bug 5179)
  • [NAS EPS] EPS Quality of Service IE decoding is wrong. (Bug 5186)
  • Wireshark mistakenly writes "not all data available" for IPv4 checksum. (Bug 5194)
  • GSM: Cell Channel Description, range 1024 format. (Bug 5214)
  • Wrong SDP interpretation on VoIP call flow chart. (Bug 5220)
  • The CLDAP attribute value on a CLDAP reply is no longer being decoded. (Bug 5239)
  • [NAS EPS] Traffic Flow Template IE dissection bugs. (Bug 5243)
  • [NAS EPS] Use Request Type IE defined in 3GPP 24.008. (Bug 5246)
  • NTLMSSP_AUTH domain and username truncated to first letter with IE8/Windows7 (generating the NTLM packet). (Bug 5251)
  • IPv6 RH0: dest addr is to be used i.s.o. last RH address when 0 segments remain. (Bug 5252)
  • EIGRP dissection error in Flags field in external route TLVs. (Bug 5261)
  • MRP packet is not correctly parsed in PROFINET multiple write record request. (Bug 5267)
  • MySQL Enhancement: support of Show Fields and bug fix. (Bug 5271)
  • [NAS EPS] Fix TFT decoding when having several Packet Filters defined. (Bug 5274)
  • Crash if using ssl.debug.file with no password for ssl.keys_list. (Bug 5277)
  • Updated Protocol Support:
  • ASN.1 BER, ASN.1 PER, EIGRP, GSM A RR, GSM Management, GSM MAP, GTP, GTPv2, ICMPv6, Interlink, IPv4, IPv6, IPX, LDAP, LLC, MySQL, NAS EPS, NTLMSSP, PN-IO, PPP, RPC, SDP, SLL, SSL, TCP.

New in Wireshark 1.4.0 (Aug 31, 2010)

  • Bug Fixes:
  • Update time display in background. (Bug 1275)
  • Wireshark is unresponsive when capturing from named pipes on Windows. (Bug 1759)
  • Tshark returns 0 even with an invalid interface or capture filter. (Bug 4735)
  • New and Updated Features:
  • The packet list internals have been rewritten and are now more efficient.
  • Columns are easier to use. You can add a protocol field as a column by right-clicking on its packet detail item, and you can adjust some column preferences by right-clicking the column header.
  • Preliminary Python scripting support has been added.
  • Many memory leaks have been fixed.
  • Wireshark 1.4 does not support Windows 2000. Please use Wireshark 1.2 or 1.0 on those systems.
  • Packets can now be ignored (excluded from dissection), similar to the way they can be marked.
  • Manual IP address resolution is now supported.
  • Columns with seconds can now be displayed as hours, minutes and seconds.
  • You can now set the capture buffer size on UNIX and Linux if you have libpcap 1.0.0 or greater.
  • TShark no longer needs elevated privileges on UNIX or Linux to list interfaces. Only dumpcap requires privileges now.
  • Wireshark and TShark can enable 802.11 monitor mode directly if you have libpcap 1.0.0 or greater.
  • You can play RTP streams directly from the RTP Analysis window.
  • Capinfos and editcap now respectively support time order checking and forcing.
  • Wireshark now has a "jump to timestamp" command-line option.
  • You can open JPEG files directly in Wireshark.
  • New Protocol Support:
  • 3GPP Nb Interface RTP Multiplex, Access Node Control Protocol, Apple Network-MIDI Session Protocol, ARUBA encapsulated remote mirroring, Assa Abloy R3, Asynchronous Transfer Mode, B.A.T.M.A.N. Advanced Protocol, Bluetooth AMP Packet, Bluetooth OBEX, Bundle Protocol, CIP Class Generic, CIP Connection Configuration Object, CIP Connection Manager, CIP Message Router, collectd network data, Control And Provisioning of Wireless Access Points, Controller Area Network, Device Level Ring, DOCSIS Bonded Initial Ranging Message, Dropbox LAN sync Discovery Protocol, Dropbox LAN sync Protocol, DTN TCP Convergence Layer Protocol, EtherCAT Switch Link, Fibre Channel Delimiters, File Replication Service DFS-R, Gateway Load Balancing Protocol, Gigamon Header, GigE Vision Control Protocol, Git Smart Protocol, GSM over IP ip.access CCM sub-protocol, GSM over IP protocol as used by ip.access, GSM Radiotap, HI2Operations, Host Identity Protocol, HP encapsulated remote mirroring, HP NIC Teaming Heartbeat, IEC61850 Sampled Values, IEEE 1722 Protocol, InfiniBand Link, Interlink Protocol, IPv6 over IEEE 802.15.4, ISO 10035-1 OSI Connectionless Association Control Service, ISO 9548-1 OSI Connectionless Session Protocol, ISO 9576-1 OSI Connectionless Presentation Protocol, ITU-T Q.708 ISPC Analysis, Juniper Packet Mirror, Licklider Transmission Protocol, MPLS PW ATM AAL5 CPCS-SDU mode encapsulation, MPLS PW ATM Cell Header, MPLS PW ATM Control Word, MPLS PW ATM N-to-One encapsulation, no CW, MPLS PW ATM N-to-One encapsulation, with CW, MPLS PW ATM One-to-One or AAL5 PDU encapsulation, Multiple Stream Reservation Protocol, NetPerfMeter Protocol, NetScaler Trace, NexusWare C7 MTP, NSN FLIP, OMRON FINS Protocol, packetbb Protocol, Peer Network Resolution Protocol, PKIX Attribute Certificate, Pseudowire Padding, Server/Application State Protocol, Solaris IPNET, TN3270 Protocol, TN5250 Protocol, TRILL, Twisted Banana, UMTS FP Hint, UMTS MAC, UMTS Metadata, UMTS RLC, USB HID, USB HUB, UTRAN Iuh interface HNBAP signalling, UTRAN Iuh interface RUA signalling, V5.2, Vendor Specific Control Protocol, Vendor Specific Network Protocol, VMware Lab Manager, VXI-11 Asynchronous Abort, VXI-11 Core Protocol, VXI-11 Interrupt, X.411 Message Access Service, ZigBee Cluster Library
  • New and Updated Capture File Support:
  • Accellent 5Views, ASN.1 Basic Encoding Rules, Catapult DCT2000, Daintree SNA, Endace ERF, EyeSDN, Gammu DCT3 trace, IBM iSeries, JPEG/JFIF, libpcap, Lucent/Ascend access server trace, NetScaler, PacketLogger, pcapng, Shomiti/Finisar Surveyor, Sun snoop, Symbian OS btsnoop, Visual Networks

New in Wireshark 1.2.10 (Jul 30, 2010)

  • Bug Fixes:
  • The SigComp Universal Decompressor Virtual Machine could overrun a buffer.
  • The GSM A RR dissector could crash.
  • Due to a regression the ASN.1 BER dissector could overrun the stack.
  • The IPMI dissector could go into an infinite loop.
  • Wireshark crashes after configuring new Information column.
  • Crash triggered when changing display filter from right-mouse pop-up menu via packet-list.
  • Wireshark crash selecting Inter-Asterisk exchange v2 packet data.
  • zlib-1.2.5 cause tshark to stop live capture.
  • Crash when adding SNMP users.
  • Wireshark via ssh -X on ipv6 link-local address fails to allow capture.
  • OMAPI dissector fails to parse combined initialization messages.
  • QUERY_FS_INFO for Macintosh level 0x301 - MacSupportFlags decodes wrong.
  • SCSI dissector misidentifies ATA PASSTHROUGH command as ACCESS CONTROL IN.
  • Wrong decoding of GTP Prime (GTP') packets.
  • Updated Protocol Support:
  • ASN.1 BER, GSM A RR, GTP, IAX2, IPMI, OMAPI, PRES, SCSI, SMB, UNISTIM

New in Wireshark 1.2.8 (May 6, 2010)

  • Bug Fixes:
  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
  • The DOCSIS dissector could crash. (Bug 4644, Bug 4646)
  • Versions affected: 0.9.6 to 1.0.12, 1.2.0 to 1.2.7
  • The following bugs have been fixed:
  • HTTP parser limits with Content-Length. (Bug 1958)
  • MATE dissector bug with GOGs. (Bug 3010)
  • Changing fonts and deleting system time from preferences, results in wireshark crash. (Bug 3387)
  • ERF file starting with record with timestamp=0,1 or 2 not recognized as ERF file. (Bug 4503)
  • The SSL dissector can not correctly reassemble SSL records when the record header is split between packets. (Bug 4535)
  • TCP reassembly can call subdissector with incorrect TCP sequence number. (Bug 4624)
  • PTP dissector displays big correction field values wrong. (Bug 4635)
  • MSF is at Anthorn, not Rugby. (Bug 4678)
  • ProtoField __tostring() description is missing in Wireshark's Lua API Reference Manual. (Bug 4695)
  • EVRC packet bundling not handled correctly. (Bug 4718)
  • Completely unresponsive when run very first time by root user. (Bug 4308)
  • New and Updated Features:
  • There are no new features in this release.
  • New Protocol Support:
  • There are no new protocols in this release.
  • Updated Protocol Support:
  • DOCSIS, HTTP, SSL
  • Updated Capture File Support:
  • ERF, PacketLogger.
  • Vendor-supplied Packages:
  • Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
  • File Locations:
  • Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About->Folders to find the default locations on your system.

New in Wireshark 1.2.7 (Apr 1, 2010)

  • Bug Fixes:
  • SNMPv3 Engine ID registration. (Bug 2426)
  • Open file dialog always displayed when clicking anywhere on Wireshark. (Bug 2478)
  • tshark reports wrong number of bytes on big dumpfiles with -z io,stat. (Bug 3205)
  • Negative INTEGER number displayed as positive number in SNMP dissector. (Bug 3230)
  • Add support for FT_BOOLEAN fields to wslua FieldInfo. (Bug 4049)
  • Wireshark crashes w/ GLib error when trying to play RTP stream. (Bug 4119)
  • Windows 2000 support has been restored. (Bug 4176)
  • Wrong dissection on be_cell_id_list for bssmap. (Bug 4437)
  • I/O Graph dropdown boxes not working correctly. (Bug 4487)
  • Runtime Error when right-clicking field and selecting "Filter Field Reference". (Bug 4522)
  • In GSM SMS PDU TPVPF showing wrong. (Bug 4524)
  • Profinet: May be wrong defined byte meaning. (Bug 4525)
  • GLib-CRITICAL ** Message. (Bug 4547)
  • Certain EDP display filters trigger Wireshark/tshark runtime error. (Bug 4563)
  • Some NCP frames trigger "Dissector bug, protocol NCP". (Bug 4565)
  • The encapsulation abbreviation "bluetooth-h4" is ambiguous. (Bug 4613)
  • Updated Protocol Support:
  • BSSMAP, DMP, GSM SMS, LDSS, NCP, PN/IO, PPP, SIP, SNMP
  • Updated Capture File Support:
  • There are no updated capture file formats in this release.

New in Wireshark 1.3.3 Beta (Feb 12, 2010)

  • The rewritten packet list internals have been greatly improved.
  • You can now ignore packets, similar to the way you can mark them.

New in Wireshark 1.2.6 (Jan 28, 2010)

  • The following bugs have been fixed:
  • Wireshark could crash while decrypting Kerberos data.
  • Address display filters hang Wireshark. (Bug 658)
  • PSML - structure context node missing. (Bug 1564)
  • Wireshark doesn't dynamically update the packet list. (Bug 1605)
  • LUA: There's no tvb_get_stringz() equivalent. (Bug 2244)
  • tvb_new_real_data is prone to memory leak. (Bug 3917)
  • Malformed OPC UA traffic makes Wireshark "freeze". (Bug 3986)
  • Analyze→Expert... doesn't show IP "Bad Checksum" errors. (Bug 4177)
  • Wireshark can't decrypt WPA(2)-PSK when passphrase is 63 bytes. (Bug 4183)
  • RTP stream analysis: Wrong jitter values after clicking the refresh button. (Bug 4340)
  • Wireshark decodes bootp option 2 incorrectly. (Bug 4342)
  • Deleting SMI modules causes Wireshark to crash. (Bug 4354)
  • Wireshark decodes kerberos AS-REQ PADATA incorrect. (Bug 4363)
  • PDML output from TShark includes invalid characters. (Bug 4402)
  • Empty GPRS LLC S frames cause truncated data exception. (Bug 4417)
  • New and Updated Features:
  • Feature parity between the 64- and 32-bit Windows installer has been improved. The 64-bit installer now supports the "matches" operator, GeoIP location, and most types of decryption. Kerberos decryption and OID resolution are still not supported.
  • New Protocol Support:
  • There are no new protocols in this release.
  • Updated Protocol Support:
  • BJNP, BOOTP/DHCP, DHCPv6, FIP, GPRS LLC, IEEE 802.11, IP, Kerberos, OPCUA, SCTP, SSL, ZRTP
  • Updated Capture File Support:
  • There are no updated capture file formats in this release.

New in Wireshark 1.2.5 (Dec 18, 2009)

  • Bug Fixes
  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
  • The Daintree SNA file parser could overflow a buffer. (Bug 4294)
  • Versions affected: 1.2.0 to 1.2.4
  • The SMB and SMB2 dissectors could crash. (Bug 4301)
  • Versions affected: 0.9.0 to 1.2.4
  • The IPMI dissector could crash on Windows. (Bug 4319)
  • Versions affected: 1.2.0 to 1.2.4
  • The following bugs have been fixed:
  • Wireshark does not graph rtp streams. (Bug 3801)
  • Wireshark showing extraneous data in a TCP stream. (Bug 3955)
  • Wrong decoding of gtp.target identification. (Bug 3974)
  • TTE dissector bug. (Bug 4247)
  • Upper case in Lua pref symbol causes Wireshark to crash. (Bug 4255)
  • OpenBSD 4.5 build fails at epan/dissectors/packet-rpcap.c. (Bug 4258)
  • Incorrect display of stream data using "Follow tcp stream" option. (Bug 4288)
  • Custom RADIUS dictionary can cause a crash. (Bug 4316)
  • New and Updated Features
  • There are no new features in this release.
  • New Protocol Support
  • There are no new protocols in this release.
  • Updated Protocol Support
  • DAP, eDonkey, GTP, IPMI, MIP, RADIUS, RANAP, SMB, SMB2, TCP, TTE, VNC, X.509sat
  • Updated Capture File Support
  • Daintree SNA.

New in Wireshark 1.2.4 (Nov 17, 2009)

  • Bug Fixes
  • The following bugs have been fixed:
  • Can't save RTP stream in both directions. (Bug 4120)
  • Wireshark could crash at startup on Windows. (Bug 4155)
  • Updated Protocol Support
  • DCERPC, IPFIX/Netflow, IPv4, NAS EPS, RTCP, TIPC
  • Updated Capture File Support
  • Capture file support is unchanged in this release.

New in Wireshark 1.2.3 (Oct 28, 2009)

  • Bug Fixes
  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
  • The Paltalk dissector could crash on alignment-sensitive processors. (Bug 3689)
  • Versions affected: 1.2.0 to 1.2.2
  • The DCERPC/NT dissector could crash.
  • Versions affected: 0.10.10 to 1.2.2
  • The SMB dissector could crash.
  • Versions affected: 1.2.0 to 1.2.2
  • The following bugs have been fixed:
  • Wireshark memory leak with each file open and/or display filter change. (Bug 2375)
  • DHCP Dissector displays negative lease time. (Bug 2733)
  • Invalid advertised window line on tcptrace style graph. (Bug 3417)
  • SMB get_dfs_referral referral entry is not dissected correctly. (Bug 3542)
  • Error dissecting eMule sourceOBFU message. (Bug 3848)
  • Typos in Diameter XML files. (Bug 3878)
  • RSL dissector for MS Power IE is broken. (Bug 4017)
  • Manifest problem in 1.2.2 Win64 build. (Bug 4024)
  • FIP dissector throws assertion. (Bug 4046)
  • TCAP problem with indefinite length 'components' SEQ OF. (Bug 4053)
  • GSM MAP: an-APDU not decoded. (Bug 4095)
  • Add "Drag and Drop entries..." message on Columns preferences page. (Bug 4099)
  • Editcap -t and -w option parses fractional digits incorrectly. (Bug 4162)
  • New and Updated Features
  • The 32-bit and 64-bit Windows packages now include WinPcap 4.1.1.
  • New Protocol Support
  • There are no new protocols in this release.
  • Updated Protocol Support
  • DCERPC NT, DHCP, Diameter, E.212, eDonkey, FIP, IPsec, MGCP, NCP, Paltalk, RADIUS, RSL, SBus, SMB, SNMP, SSL, TCP, Teamspeak2, WPS
  • Updated Capture File Support
  • Capture file support is unchanged in this release.

New in Wireshark 1.2.2 (Sep 15, 2009)

  • Bug Fixes
  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
  • The GSM A RR dissector could crash. (Bug 3893)
  • Versions affected: 1.2.0 to 1.2.1
  • The OpcUa dissector could use excessive CPU and memory. (Bug 3986)
  • Versions affected: 0.99.6 to 1.0.8, 1.2.0 to 1.2.1
  • The TLS dissector could crash on some platforms. (Bug 4008)
  • Versions affected: 1.2.0 to 1.2.1
  • The following bugs have been fixed:
  • The "Capture->Interfaces" window can't be closed. (Bug 1740)
  • tshark-1.0.2 (dumpcap) signal abort core saved. (Bug 2767)
  • Memory leak fixes. (Bug 3330)
  • Display filter autocompletion doesn't work for some RADIUS and WiMAX ASNCP fields. (Bug 3538)
  • Wireshark Portable includes wrong WinPcap installer. (Bug 3547)
  • Crash when loading a profile. (Bug 3640)
  • The proto,colinfo tap doesn't work if the INFO column isn't being printed. (Bug 3675)
  • Flow Graph adds too much unnecessary garbage. (Bug 3693)
  • The EAP Diameter dictionary file was missing in the distribution. (Bug 3761)
  • Graph analysis window is behind other window. (Bug 3773)
  • IKEv2 Cert Request payload dissection error. (Bug 3782)
  • DNS NAPTR RR (RFC 3403) replacement MUST be a fully qualified domain-name. (Bug 3792)
  • Malformed RTCP Packet error while sending Payload specific RTCP feedback packet (as per RFC 4585). (Bug 3800)
  • 802.11n Block Ack packet Bitmap field missing. (Bug 3806)
  • Wireshark doesn't decode WBXML/ActiveSync information correctly. (Bug 3811)
  • Malformed packet when IPv6 packet has Next Header == 59. (Bug 3820)
  • Wireshark could crash while reading an ERF file. (Bug 3849)
  • Minor errors in gsm rr dissectors. (Bug 3889)
  • WPA Decryption Issues. (Bug 3890)
  • GSM A RR sys info dissection problem. (Bug 3901)
  • GSM A RR inverts MEAS-VALID values. (Bug 3915)
  • PDML output leaks ~300 bytes / packet. (Bug 3913)
  • Incorrect station identifier parsing in Kingfisher dissector. (Bug 3946)
  • DHCPv6, Vendor-Specific Information, SubOption "Option Request" parser incorrect. (Bug 3987)
  • Wireshark could leak memory while analyzing SSL.
  • Wireshark could crash while updating menu items after reading a file in some cases.
  • The Mac OS X ChmodBPF script now works correctly under Snow Leopard.
  • New and Updated Features
  • There are no new or updated features in this release.
  • New Protocol Support
  • There are no new protocols in this release.
  • Updated Protocol Support
  • DCERPC, DHCPv6, DNS, E.212, GSM A RR, GTPv2, H.248, IEEE 802.11, IPMI, ISAKMP/IKE, ISUP, Kingfisher, LDAP, OpcUA, RTCP, SCTP, SIP, SSL, TCP, WBXML, ZRTP
  • Updated Capture File Support
  • ERF

New in Wireshark 1.2.1 (Jul 20, 2009)

  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
  • The IPMI dissector could overrun a buffer.
  • Versions affected: 1.2.0
  • The AFS dissector could crash.
  • Versions affected: 0.9.2 to 1.2.0
  • The Infiniband dissector could crash on some platforms.
  • Versions affected: 1.0.6 to 1.2.0
  • The Bluetooth L2CAP dissector could crash.
  • Versions affected: 1.2.0
  • The RADIUS dissector could crash.
  • Versions affected: 1.2.0
  • The MIOP dissector could crash.
  • Versions affected: 1.2.0
  • The sFlow dissector could use excessive CPU and memory.
  • Versions affected: 1.2.0
  • The following bugs have been fixed:
  • Wireshark could crash while reading a pcap-ng file.
  • Wireshark could crash while reading a PacketLogger file.
  • CFLOW decoding is wrong for IPv6 fields (Bug 3328)
  • Buildbot crash output: fuzz-2009-04-24-2891.pcap (Bug 3438)
  • packet-dcm, corrupt DICOM export files (Bug 3493)
  • GeoIP map should use random temporary file name (Bug 3530)
  • Wireshark crashes when range_string is the data type (Bug 3536)
  • Pcap-ng breaks VoIP call data (Bug 3539)
  • ANSI MAP legInformation BER Error (Bug 3541)
  • Starting Wireshark Portable 1.2.0 gives error message. (Bug 3547)
  • On Windows, Wireshark could crash on startup. (Bug 3555)
  • The title in the TCP sequence graphs is too short. (Bug 3556)
  • USB Packets in pcap-ng Files Not Dissected Properly (Bug 3560)
  • 802.11 decryption is broken (Bug 3590)
  • SMB2 Error Response doesn't decode properly (Bug 3609)
  • configure.in uses deprecated autoconf test for gnutls detection (Bug 3627)
  • Radius Malformed Packet error message (Bug 3635)
  • Wireshark could crash when loading a profile. (Bug 3640)
  • Analyze->Decode as... menu item becomes unavailable (Bug 3642)
  • btsnoop: Incorrect error message for not supported datalink type (Bug 3645)
  • Decode error for network-id in BICC BCU-ID (Bug 3648)
  • IEC 60870-5-104 dissector decodes nothing (Bug 3650)
  • radius_register_avp_dissector() can stop RADIUS dissector from working correctly (Bug 3651)
  • ANSI ISUP Cause indicators with coding standard=ANSI fail to dissect. (Bug 3654)
  • Wrong field position in PacketCable Multimedia Extended Classifier (Bug 3656)
  • FF Protocol "FMS Initiate - Version OD Calling" field packet data not unpacked properly (Bug 3694)
  • hci_h4: Optimize column/field handling (Bug 3703)
  • BSSLAP Protocol Not Decoded In BSSMAP-LE Messages (Bug 3711)
  • Description of tshark -t dd missing from tshark.pod (Bug 3723)
  • Problem in packet-per.c for ASN.1 PER Encoding (Bug 3733)
  • [SNMP] Crash when dissecting packet (custom MIB) (Bug 3746)
  • New and Updated Features
  • There are no new or updated features in this release.
  • New Protocol Support
  • There are no new protocols in this release.
  • Updated Protocol Support
  • AFS, ANSI ISUP, ANSI MAP, ASN.1 PER, Bluetooth HCI H4, Bluetooth L2CAP, BSS CFLOW, COPS, Diameter, DICOM, FF-HSE, ICMPv6, IEC-60870-5-104, IEEE 802.11, Infiniband, IPMI, MIOP, RADIUS, RSVP, sFlow, SNMP, SMB2, ZIOP
  • New Capture File Support
  • Btsnoop, DCT3, Packetlogger, pcap-ng.

New in Wireshark 1.2.0 (Jun 16, 2009)

  • Bug Fixes:
  • Type-ahead search now works properly.
  • Several bugs that affected capture from pipes have been fixed.
  • Many Lua-related bugs have been fixed.
  • Several memory leaks have been found and fixed.
  • The "Follow TCP Stream" feature could show two streams at the same time. The hex dump view has been narrowed.
  • WPA and SSL decryption bugs have been fixed.
  • Readability problems on 256-color displays on Windows have been fixed.
  • New and Updated Features:
  • Wireshark has a spiffy new start page.
  • Display filters now autocomplete.
  • A 64-bit Windows (x64) installer is now provided.
  • Support for the c-ares resolver library has been added. It has many advantages over ADNS.
  • Many new protocol dissectors and capture file formats have been added (see below for a complete list).
  • Macintosh OS X support has been improved.
  • GeoIP database lookups.
  • OpenStreetMap + GeoIP integration.
  • Improved Postscript print output.
  • The preference handling code is now much smarter about changes.
  • Support for Pcap-ng, the next-generation capture file format.
  • Support for process information correlation via IPFIX.
  • Column widths are now saved.
  • The last used configuration profile is now saved.
  • Protocol preferences are changeable from the packet details context menu.
  • Support for IP packet comparison.
  • Capinfos now shows the average packet rate.
  • GTK1 is no longer supported. (Yes, this is a feature.)
  • Official Windows packages are now built using Microsoft Visual C++ 2008 SP1.
  • New Protocol Support:
  • Anything in Anything Protocol, ATM PW, N-to-one Cell Mode, B.A.T.M.A.N. Layer 3 Protocol, BACnet MS/TP, BSS LCS Assistance Protocol, Canon BJNP, CESoPSN basic NxDS0 mode (no RTP support), Charging ASE, Cimetrics MS/TP, DECT Protocol, Digital Private Signalling System No 1 Link Layer, DOCSIS Mac Domain Description, DOCSIS Registration Request Multipart, DOCSIS Registration Response Multipart, DOCSIS Synchronisation Message, E100 Encapsulation, EHS, Enhanced Variable Rate Codec, Ethernet Global Data, Ethernet PW, Exchange 2003 Directory Request For Response, Far End Failure Detection, FCoE Initialization Protocol, GOOSE, GPEF, GPRS Tunneling Protocol V2, GSM A-I/F COMMON, GSM A-I/F GPRS Mobility and Session Management, GSM SACCH, GSM Um Interface, HDLC PW, FR port mode (no CW), HDLC-like framing for PPP, IEC 60870-5-104,Apci, IEC 60870-5-104,Asdu, IEEE 802.15.4 Low-Rate Wireless PAN non-ASK PHY, IEEE C37.118 Synchrophasor Protocol, Intelligent Platform Management Interface (Session Wrapper), Inter-Integrated Circuit, Internal TDM, IPSICTL, ISMACryp Protocol, iWARP Direct Data Placement and Remote Direct Memory Access Protocol, iWARP Marker Protocol data unit Aligned framing, Kontiki Delivery Protocol, LANforge Traffic Generator, Layer 1 Event Messages, Lb-I/F BSSMAP LE, LeCroy VICP, Link Access Procedure, Channel Dm (LAPDm), Local Download Sharing Service, LTE Radio Resource Control (RRC) protocol, MAC-LTE, Memcache Protocol, Mesh Header, MP4V-ES, Nasdaq TotalView-ITCH, Nasdaq-SoupTCP version 2.0, NAT Port Mapping Protocol, Netdump Protocol, Non-Access-Stratum (NAS)PDU, PacketLogger, Paltalk Messenger Protocol, PDCP-LTE, PW Associated Channel Header, PW Ethernet Control Word, PW Frame Relay DLCI Control Word, PW MPLS Control Word (generic/preferred), Real-Time Publish-Subscribe Wire Protocol 2.x, Remote Packet Capture, RLC-LTE, SAToP (no RTP support), SERCOS III V1.1, SIMULCRYPT Protocol, Subnetwork Dependent Convergence Protocol XID, Teamspeak2 Protocol, TTEthernet, TTEthernet Protocol Control Frame, Turbocell Aggregate Data, Turbocell Header, TURN Channel, Unreliable Multicast Inter-ORB Protocol, VCDU, Wave Short Message Protocol(IEEE P1609.3), Wireless Access Station Session Protocol, Wireshark Expert Info, World of Warcraft, Xpress Transport Protocol, ZigBee Application Framework, ZigBee Application Support Layer, ZigBee Device Profile, ZigBee Encapsulation Protocol, ZigBee Network Layer, Zipped Inter-ORB Protocol, ZRTP
  • Updated Protocol Support:
  • There are too many updates to list here.
  • New Capture File Support:
  • Apple Bluetooth PacketLogger, Daintree's Sensor Network Analyzer, dct3trace, Pcap-NG, TNEF (yes, those silly winmail.dat attachments)

New in Wireshark 1.0.8 (May 22, 2009)

  • Bug Fixes
  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
  • The PCNFSD dissector could crash.
  • Versions affected: 0.8.20 to 1.0.7
  • CVE-2009-????
  • The following bugs have been fixed:
  • Lua integration could crash. (Bug 2453)
  • The SCCP dissector could crash when loading more than one file in a single session. (Bug 3409)
  • The NDMP dissector could crash if reassembly was enabled. (Bug 3470)
  • New and Updated Features
  • There are no new or updated features in this release.
  • New Protocol Support
  • There are no new protocols in this release.
  • Updated Protocol Support
  • All ASN.1 protocols, DICOM, NDMP, PCNFSD, RTCP, SCCP, SSL, STANAG 5066
  • New and Updated Capture File Support
  • There are no new or updated capture file formats in this release.

New in Wireshark 1.0.7 (Apr 9, 2009)

  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
  • The PROFINET dissector was vulnerable to a format string overflow. (Bug 3382)
  • Versions affected: 0.99.6 to 1.0.6
  • CVE-2009-1210
  • The LDAP dissector could crash on Windows. (Bug 3262)
  • Versions affected: 0.99.2 to 1.0.6
  • CVE-2009-1267
  • The Check Point High-Availability Protocol (CPHAP) dissector could crash. (Bug 3269)
  • Versions affected: 0.9.6 to 1.0.6
  • CVE-2009-1268
  • Wireshark could crash while loading a Tektronix .rf5 file. (Bug 3366)
  • Versions affected: 0.99.6 to 1.0.6
  • CVE-2009-1269
  • The following bugs have been fixed:
  • Correct use of proto_tree_add_int_format() (Bug 3048)
  • RTP dynamic payload clock rates incorrectly determined (Bug 3067)
  • TShark fails to properly close capture files when opening new ones (Bug 3172)
  • ANSI MAP digits type decode and bitmask corrections (Bug 3233)
  • Two small patches for ipvs-syncd dissector (Bug 3236)
  • BGP capability dissection failure (Bug 3247)
  • ANSI MAP fix for missing MEID/MSC ID number in RegNot (Bug 3255)
  • BACnet PrivateTransferError shows malformed packet (Bug 3257)
  • Windows silent installer is not that silent (Bug 3260)
  • Crash in ASN.1 dissector when using 'type table' (Bug 3271)
  • .11n SM Power save mode value 0x3 label is incorrect (Bug 3276)
  • .11 WME ie displayed incorrectly (Bug 3284)
  • "Copy as filter" from the packet list has been fixed.
  • New and Updated Features
  • There are no new or updated features in this release.
  • New Protocol Support
  • There are no new protocols in this release.
  • Updated Protocol Support
  • ACN, ANSI MAP, ASN.1 BACnet, BGP, CPHAP, GSM MAP, IEEE 802.11, IPVS, LDAP, NetFlow/IPFIX, PROFINET, RTP, SNMP, WSP
  • New and Updated Capture File Support
  • (TBD)

New in Wireshark 1.0.6 (Feb 7, 2009)

  • Bug Fixes
  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
  • On non-Windows systems, Wireshark could crash if the HOME environment variable contained sprintf-style string formatting characters. Discovered by babi. (Bug 3150)
  • Versions affected: 0.99.8 to 1.0.5
  • Wireshark could crash while reading a malformed NetScreen snoop file. Discovered by babi. (Bug 3151)
  • Versions affected: 0.99.7 to 1.0.5
  • Wireshark could crash while reading a Tektronix K12 text capture file. (Bug 1937)
  • Versions affected: 0.99.6 to 1.0.5
  • The following bugs have been fixed:
  • Crash when loading capture file and Preferences: NO Info column (Bug 2902)
  • Some Lua scripts may lead to corruption via out of bounds stack (Bug 3062)
  • Build with GLib 1.2 fails with error: 'G_MININT32' undeclared (Bug 3109)
  • Wrong decoding IMSI with GSM MAP protocol (Bug 3116)
  • Segmentation fault for "Follow TCP stream" (Bug 3119)
  • SMPP optional parameter 'network_error_code' incorrectly decoded (Bug 3128)
  • DHCPv6 dissector doesn't handle malformed FQDN (Bug 3134)
  • WCCP overrides CFLOW as decoded protocol (Bug 3175)
  • Improper decoding of MPLS echo reply IPv4 Interface and Label Stack Object (Bug 3179)
  • ANSI MAP fix for TRN digits/SMS and OTA subdissection (Bug 3214)
  • The 1.0 branch can now be built with Visual Studio 2008.
  • New and Updated Features
  • The version of GNUTLS included with the Windows packages has been updated from 2.3.8 to 2.6.3.
  • New Protocol Support
  • There are no new protocols in this release.
  • Updated Protocol Support
  • AFS, ATM, DHCPv6, DIS, E.212, RTP, UDP, USB, WCCP, WPS
  • New and Updated Capture File Support
  • NetScreen snoop
  • Getting Wireshark
  • Wireshark source code and installation packages are available from the download page on the main web site.
  • Vendor-supplied Packages
  • Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
  • File Locations
  • Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About->Folders to find the default locations on your system.
  • Known Problems
  • Wireshark may appear offscreen on multi-monitor Windows systems. (Bug 553)
  • Wireshark might make your system disassociate from a wireless network on OS X. (Bug 1315)
  • Dumpcap might not quit if Wireshark or TShark crashes. (Bug 1419)
  • The BER dissector might infinitely loop. (Bug 1516)
  • Wireshark can't dynamically update the packet list. This means that host name resolutions above a certain response time threshold won't show up in the packet list. (Bug 1605)
  • Capture filters aren't applied when capturing from named pipes. (Bug 1814)
  • Wireshark might freeze when reading from a pipe. (Bug 2082)
  • Capturing from named pipes might be delayed on Windows. (Bug 2200)
  • Filtering tshark captures with display filters (-R) no longer works. (Bug 2234)

New in Wireshark 1.0.5 (Dec 10, 2008)

  • The SMTP dissector could consume excessive amounts of CPU and memory.
  • Versions affected: 1.0.4
  • The WLCCP dissector could go into an infinite loop.
  • Versions affected: 0.99.7 to 1.0.4
  • The following bugs have been fixed:
  • Missing CRLF during HTTP POST in the "packet details" window (Bug 2534)
  • Memory assertion in time_secs_to_str_buf() when compiled with GCC 4.2.3 (Bug 2777)
  • Diameter dissector fails RFC 4005 compliance (Bug 2828)
  • LDP vendor private TLV type is not correctly shown (Bug 2832)
  • Wireshark on MacOS does not run when there are spaces in its path (Bug 2844)
  • OS X Intel package incorrectly claims to be Universal (Bug 2979)
  • Compilation broke when compiling without zlib (Bug 2993)
  • Memory leak: saved_repoid (Bug 3017)
  • Memory leak: follow_info (Bug 3018)
  • Memory leak: follow_info (Bug 3019)
  • Memory leak: tacplus_data (Bug 3020)
  • Memory leak: col_arrows (Bug 3021)
  • Memory leak: col_arrows (Bug 3022)
  • Incorrect address structure assigned for find_conversation() in WSP (Bug 3071)
  • Memory leak with unistim in voip_calls (Bug 3079)
  • Error parsing the BSSGP protocol (Bug 3085)
  • Assertion thrown in fvalue_get_uinteger when decoding TIPC (Bug 3086)
  • Lua script: Wireshark crashes after closing and opening again a window used by a listener.draw() function. (Bug 3090)

New in Wireshark 1.0.3 (Sep 4, 2008)

  • The following vulnerabilities have been fixed:
  • The NCP dissector was susceptible to a number of problems, including buffer overflows and an infinite loop. Versions affected: 0.9.7 to 1.0.2
  • Wireshark could crash while uncompressing zlib-compressed packet data. Versions affected: 0.10.14 to 1.0.2
  • Wireshark could crash while reading a Tektronix .rf5 file. Versions affected: 0.99.6 to 1.0.2
  • The following bugs have been fixed:
  • 802.11 WPA/WPA2-PSK Unable to decode Group Keys. (Bug 1420)
  • Packets could wrongly be dissected as "Redback Lawful Intercept" (Bug 2376)
  • MIKEY dissector improvements (Bug 2400)
  • tvb_get_bits{16|32} could read past the end of a tvbuff (Bug 2439)
  • Incorrect wslua function names. (Bug 2448)
  • Memory corruption in wslua. (Bug 2453)
  • Unknown PPPoE TAGs which are present in a PPPoE discovery packet are not displayed under "PPPoE Tags" subtree/section. (Bug 2458)
  • Following a TCP stream could incorrectly reassemble packets. (Bug 2606)
  • SIP decode shows fully expanded "Content-Length" header instead of compact form. (Bug 2635)
  • Segmentation fault loading trace containing NCP packets. (Bug 2675)
  • SIP packets might incorrectly be displayed as malformed. (Bug 2729)
  • RTCP BYE padding interpreted incorrectly. (Bug 2778)
  • Reversed RTP stream is saved as silent .au file, forward stream saves correctly. (Bug 2780)
  • Fix some lint warnings. (Bug 2822)
  • Setting a duration on a capture file would capture for an extra second.

New in Wireshark 1.0.2 (Jul 11, 2008)

  • Bug Fixes
  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
  • Wireshark could crash while reassembling packets.
  • Versions affected: 0.8.19 to 1.0.1
  • The following bugs have been fixed:
  • Dumpcap could crash on some versions of Windows (primarily Vista). (Bug 2677)
  • New and Updated Features
  • There are no new or updated features in this release.
  • New Protocol Support
  • There are no new protocols in this release.
  • Updated Protocol Support
  • There are no updated protocols in this release.
  • New and Updated Capture File Support
  • There is no new or updated capture file support in this release.

New in Wireshark 1.00 (Mar 31, 2008)

  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
  • The X.509sat dissector could crash.
  • Versions affected: 0.99.5 to 0.99.8
  • The Roofnet dissector could crash on Windows, Solaris, and possibly other platforms.
  • Versions affected: 0.99.5 to 0.99.8
  • The LDAP dissector could crash on Windows and possibly other platforms.
  • Versions affected: 0.99.2 to 0.99.8
  • The SCCP dissector could crash while using the "decode as" feature.
  • Versions affected: 0.99.6 to 0.99.8
  • The following bugs have been fixed:
  • Several SNMP-related bugs have been fixed.
  • Several memory-related bugs have been fixed.
  • New and Updated Features
  • The following features are new (or have been significantly updated) since the last release:
  • The "About" box finally displays version 1.0.
  • Wireshark now supports custom columns.
  • This release includes an experimental Mac OS X package.
  • New Protocol Support
  • IEEE 802.15.4, Infiniband, Parallel Redundancy Protocol, RedBack Lawful Intercept, Xcsl
  • Updated Protocol Support
  • AFS, ALCAP, ATM, BACapp, CIGI, DCC (renamed from DCCP), DCCP (renamed from DCP), DCERPC SPOOLSS, DCERPC NT, DHCP, DirectPlay, EtherCAT, FIX, GIOP, GTP, H.248, HTTP, ICMPv6, ICQ, IPv6, ISIS, JXTA, NCP, P_Mul, PCAP, PKIX1Explicit, PTP, RADIUS, Roofnet, RTCP, RTMPT, RTP, RX, SABP, SCSI OSD, sFlow, SMPP, SNMP, SSCOP, TAPA, TIPC, TPNCP, UNISTIM, X.25, X.509sat, XML
  • New and Updated Capture File Support
  • Hilscher Analyzer