WireShark Changelog

What's new in WireShark 4.2.4

Mar 28, 2024
  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2024-06[3] T.38 dissector crash. Issue 19695[4]. CVE-2024-2955[5].
  • The following bugs have been fixed:
  • Extcap with configuration never starts; "Configure all extcaps before start of capture." is shown instead. Issue 18487[6].
  • Packet Dissection CSV Export includes last column even if hidden. Issue 19666[7].
  • Inject TLS secrets closes Wireshark on Windows. Issue 19667[8].
  • Fuzz job issue: fuzz-2024-02-27-7196.pcap. Issue 19674[9].
  • Wireshark crashes when adding another port to the HTTP dissector. Issue 19677[10].
  • Fuzz job issue: fuzz-2024-03-03-7204.pcap. Issue 19685[11].
  • Fuzz job issue: randpkt-2024-03-05-8004.pcap. Issue 19688[12].
  • When adding a new row to a table an error report may be inserted. Issue 19705[13].
  • '--export-objects' does not work as expected on tshark version later than 3.2.10. Issue 19715[14].
  • Fuzz job issue: fuzz-2024-03-21-7215.pcap. Issue 19717[15].
  • Updated Protocol Support
  • 5GLI, 6LoWPAN, AFP, AllJoyn, AMQP, ASAP, Babel, BACnet, Banana, BEEP, Bencode, BFCP, BGP, BT BNEP, BT SDP, BT-DHT, BVLC, CFLOW, CIP, CMIP, CMP, COROSYNC/TOTEMSRP, COSE, CQL, CSN.1, DAP, DCCP, DCOM, DHCPv6, DICOM, DISP, DOCSIS MAC MGMT, DOF, DVB-S2, E2AP, EDONKEY, ENRP, ErlDP, Etch, EXTREME MESH, FC-SWILS, GIOP, GLOW, GNW, GOOSE, GQUIC, Gryphon, GSM A-bis OML, GSUP, GTPv2, H.223, H.225.0, H.245, H.248, H.264, H.265, HSMS, ICMPv6, ICQ, IEEE1609dot2, IPP, IPPUSB, ISAKMP, iSCSI, ISIS LSP, ISO 7816, ISUP, ITS, JSON 3GPP, JXTA, Kafka, KINK, KNX/IP, LDAP, LDP, LISP, LISP TCP, LLRP, LwM2M-TLV, M2UA, M3UA, MAC-LTE, MBIM, MMS, MONGO, MPEG PES, MPLS Echo, MQ PCF, MQTT-SN, MS-WSP, MSDP, MsgPack, NAS-5GS, NETLINK, NHRP, OpenFlow, OpenWire, OPSI, OSC, P22, P7, PANA, PIM, PNIO, ProtoBuf, PROXY, Q.2931, QNET, RDP, RESP, RPL, RSL, RSVP, RTLS, RTMPT, RTPS, S7COMM, SCTP, SIMULCRYPT, SMB2, SML, SNA, SNMP, Socks, SolarEdge, SOME/IP, SoulSeek, SUA, T.38, TCAP, TEAP, TFTP, Thread, Thrift, TN5250, USBHID, USBVIDEO, VP9, WASSP, WiMAX ASN CP, WLCCP, WTP, X.509IF, X.509SAT, XML, XMPP, YAMI, Z39.50, and ZigBee ZCL
  • Updated File Format Decoding Support:
  • BLF, JPEG, and RBM

New in WireShark 4.2.3 (Feb 15, 2024)

  • Bug Fixes:
  • If you are upgrading Wireshark 4.2.0 or 4.2.1 on Windows you will
  • need to download and install[2] Wireshark 4.2.3 or later by hand.
  • The following bugs have been fixed:
  • Capture start fails when file set enabled and file extension not supplied if directory contains a period. Issue 14614[3].
  • Cannot drag and move custom filter buttons in toolbar. Issue 19447[4].
  • Not equal won’t work when used with wlan.addr. Issue 19449[5].
  • sshdump fails to connect with private key (ssh-rsa) Issue 19510[6].
  • ChmodBPF installation fails on macOS Sonoma 14.1.2. Issue 19527[7].
  • Windows installers should check for Windows 8.1. Issue 19569[8].
  • Fuzz job crash output: fuzz-2024-01-05-7725.pcap. Issue 19570[9].
  • Fuzz job crash output: fuzz-2024-01-06-7734.pcap. Issue 19578[10].
  • Incorrect recursion depth assert failure when dissecting a legitimate GOOSE message. Issue 19580[11].
  • OPC UA - large read request is reported as malformed in 4.2.1 but not in 4.0.12. Issue 19581[12].
  • TFTP dissector bug type listed as netscii instead of netascii doesn’t show all TFTP packets including TFTP blocks. Issue 19589[13].
  • SMB1 replies from LAN Drive app only show up as NBSS Continuation Message. Issue 19593[14].
  • ciscodump - older SSH key exchange algorithms not supported. Issue 19594[15].
  • Problem decoding LAPB/X.25/FTAM after adding X.75 decoding. Issue 19595[16].
  • Wireshark Filter not working. Issue 19604[17].
  • CFLOW: failure to decode 0 length data fields of IPFIX variable length data types. Issue 19605[18].
  • Copy …​as Printable Text Feature Missing in 4.1/4.2. Issue 19607[19].
  • Export Objects - HTTP is missing some HTTP/2 files in a two-pass analysis. Issue 19609[20].
  • ASAM-CMP Plugin: Malformed message, length mismatch if vendor defined data of status messages has odd length. Issue 19626[21].
  • OSS-Fuzz 66561: wireshark:fuzzshark_ip_proto-udp: Null-dereference READ in wmem_map_lookup. Issue 19642[22].
  • Updated Protocol Support:
  • ASAM CMP, CAN, CFLOW, CMIP, CMP, DAP, DICOM, DISP, E2AP, GLOW, GOOSE, GTP, GTPv2, H.225, H.245, H.248, HTTP2, IEEE 1609.2, IEEE 1722, IPv4, IPv6, ISO 15765, ISUP, ITS, Kerberos, LDAP, MMS, NBT, NRUP, openSAFETY, P22, P7, PARLAY, RTMPT, RTP, SCSI, SOME/IP, T.38, TCP, TECMP, TFTP, WOW, X.509if, X.509sat, X.75, X11, Z39.50, and ZigBee Green Power
  • New and Updated Capture File Support:
  • pcap and pcapng

New in WireShark 4.2.2 (Jan 5, 2024)

  • Bug Fixes:
  • This release fixes a software update issue on Windows which causes Wireshark to hang if you are upgrading from version 4.2.0 or 4.2.1. If you are experiencing this issue you will need to download and install[2] Wireshark 4.2.2 or later.
  • The following bugs have been fixed:
  • sharkd is not installed by the Windows installer. Issue 19556[3].
  • Fuzz job crash output: fuzz-2024-01-01-7740.pcap. Issue 19558[4].
  • Can’t open a snoop file from the Open dialog box unless I select "All files" as the file type. Issue 19565[5].
  • Add s4607 dissector to "decode as" Issue 19566[6].
  • Updater for 4.2.1 hangs. Issue 19568[7].
  • Updated Protocol Support:
  • RSVP, RTPS, and STANAG 4607

New in WireShark 4.2.0 (Nov 16, 2023)

  • What’s New:
  • This is the first major Wireshark release under the Wireshark Foundation, a nonprofit which hosts Wireshark and promotes protocol analysis education. The foundation depends on your contributions in order to do its work. If you or your employer would like to contribute or become a sponsor, please visit wiresharkfoundation.org.
  • Wireshark supports dark mode on Windows.
  • A Windows installer for Arm64 has been added.
  • Packet list sorting has been improved.
  • Wireshark and TShark are now better about generating valid UTF-8 output.
  • A new display filter feature for filtering raw bytes has been added.
  • Display filter autocomplete is smarter about not suggesting invalid syntax.
  • "Tools › MAC Address Blocks" can lookup a MAC address in the IEEE OUI registry.
  • The enterprises, manuf, and services configuration files have been compiled in for improved start-up times. These files are no longer available in the master branch in our source code repository. You can download the manuf file[2] from our automated build directory.
  • The installation target no longer installs development headers by default.
  • The Wireshark installation is relocatable on Linux (and other ELF platforms with support for relative RPATHs).
  • Wireshark can be compiled on Windows using MSYS2[3]. Check the Developer’s guide for instructions.
  • Wireshark can be cross-compiled for Windows using Linux. Check the Developer’s guide for instructions.
  • "Tools › Browser (SSL Keylog)" can launch your web browser with the SSLKEYLOGFILE environment variable set to the appropriate value.
  • Windows installer file names now have the format Wireshark--.exe.
  • Wireshark now supports the Korean language.
  • Many other improvements have been made. See the “New and Updated Features” section below for more details.
  • Bug Fixes:
  • Issue 18413[4] - RTP player do not play audio frequently on Windows builds with Qt6.
  • Issue 18510[5] - Playback marker does not move after resume with Qt6.

New in WireShark 4.0.10 (Oct 9, 2023)

  • What’s New:
  • We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release.
  • If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you might have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon.
  • Bug Fixes:
  • The following bugs have been fixed:
  • Error loading g729.so plugin with Wireshark 4.0.9 and 3.6.17 on macOS.

New in WireShark 4.0.7 (Jul 13, 2023)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2023-21[3] Kafka dissector crash. Issue 19105[4].
  • wnpa-sec-2023-22[5] iSCSI dissector crash. Issue 19164[6].
  • The following bugs have been fixed:
  • Crash when (re)loading a capture file after renaming a dfilter macro. Issue 13753[7].
  • Moving a column deselects selected packet and moves to beginning of packet list. Issue 16251[8].
  • If you set the default interface in the preferences, it doesn’t work with TShark. Issue 16593[9].
  • Severe performance issues in Follow → Save As raw workflow. Issue 17313[10].
  • TShark doesn’t support the tab character as an aggregator character in "-T fields" Issue 18002[11].
  • On Windows clicking on a link in the 'Software Update' window launches, now unsupported, MS Internet Explorer. Issue 18488[12].
  • Wireshark 4.x.x on Win10-x64 crashes after saving a file with a name already in use. Issue 18679[13].
  • NAS-5GS Operator-defined Access Category: Multiple Criteria values not displayed in dissected packet display. Issue 18941[14].
  • Server Hello Packet Invisible - during 802.1x Authentication- from Wireshark App Version 4.0.3 (v4.0.3-0-gc552f74cdc23) & above. Issue 19071[15].
  • TShark reassembled data is incomplete/truncated. Issue 19107[16].
  • CQL protocol parsing issues with `Result` frames from open source Cassandra. Issue 19119[17].
  • TLS 1.3 second Key Update doesn’t work. Issue 19120[18].
  • HTTP2 dissector reports an assertion error on large data frames. Issue 19121[19].
  • epan: Single letter hostnames aren’t displayed correctly. Issue 19137[20].
  • BLF: CAN-FD-Message format is missing a field. Issue 19146[21].
  • BLF: last parameter of LIN-Message is not mandatory (BUGFIX) Issue 19147[22].
  • PPP IPv6CP: Incorrect payload length warning. Issue 19149[23].
  • INSTALL file needs to be updated for Debian. Issue 19167[24].
  • Some RTP streams make Wireshark crash when trying to play stream. Issue 19170[25].
  • Wrong ordering in OpenFlow 1.0 Datapath unique ID. Issue 19172[26].
  • Incorrect mask in RTCP slice picture ID. Issue 19182[27].
  • Dissection error in AMQP 1.0. Issue 19191[28].
  • Updated Protocol Support:
  • 9P, AMQP, BGP, CQL, DHCPFO, EAP, GlusterFS, GSM MAP, HTTP2, iSCSI, Kafka, Kerberos, NAN, NAS-5GS, OCP.1, OpenFlow 1.0, PDCP-NR, PEAP, PPPoE, RSL, RTCP, rtnetlink, and XMPP

New in WireShark 4.0.6 (May 25, 2023)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2023-12[3] Candump log file parser crash. Issue 19062[4].
  • wnpa-sec-2023-13[5] BLF file parser crash. Issue 19063[6].
  • wnpa-sec-2023-14[7] GDSDB dissector infinite loop. Issue 19068[8].
  • wnpa-sec-2023-15[9] NetScaler file parser crash. Issue 19081[10].
  • wnpa-sec-2023-16[11] VMS TCPIPtrace file parser crash. Issue 19083[12].
  • wnpa-sec-2023-17[13] BLF file parser crash. Issue 19084[14].
  • wnpa-sec-2023-18[15] RTPS dissector crash. Issue 19085[16]. CVE-2023-0666[17].
  • wnpa-sec-2023-19[18] IEEE C37.118 Synchrophasor dissector crash. Issue 19087[19]. CVE-2023-0668[20].
  • IEEE-C37.118 parsing buffer overflow. Issue 19087[21].
  • The following bugs have been fixed:
  • Conversations list has incorrect unit (bytes) in bit speed columns in the 3.7 development versions. Issue 18211[22].
  • The media_type table should treat media types, e.g. application/3gppHal+json, as case-insensitive. Issue 18611[23].
  • NNTP dissector bug. Issue 18981[24].
  • Incorrect padding in BFCP decoder. Issue 18890[25].
  • SPNEGO dissector bug. Issue 18991[26].
  • SRT values are incorrect when applying a time shift. Issue 18999[27].
  • Add warning that capturing is not supported in Wireshark installed from flatpak. Issue 19008[28].
  • Opening Wireshark with -z io,stat option. Issue 19042[29].
  • batadv dissector bug. Issue 19047[30].
  • radiotap-gen build fails if pcap is not found. Issue 19059[31].
  • [UDS] When filtering the uds.wdbi.data_identifier or uds.iocbi.data_identifier field is interpreted as 1 byte whereas it consists of 2 bytes. Issue 19078[32].
  • Wireshark can’t save this capture in that format. Issue 19080[33].
  • MSMMS parsing buffer overflow. Issue 19086[34].
  • USB HID parser shows wrong label for usages Rx/Vx/Vbrx of usage page Generic Desktop Control. Issue 19095[35].
  • Updated Protocol Support:
  • The media type dissector table now properly treats media types and subtypes as case-insensitive automatically, per RFC 6838. Media types no longer need to be lower cased before registering or looking up in the table.
  • batadv BFCP CommunityID COSE GDSDB H.265 HTTP ILP ISAKMP MSMMS NNTP NR RRC NTLMSSP RTPS SPNEGO Synphasor TCP UDS ULP USB HID
  • New and Updated Capture File Support:
  • BLF, Candump, NetScaler, and VMS TCPIPtrace

New in WireShark 4.0.5 (Apr 15, 2023)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2023-09[3] RPCoRDMA dissector crash. Issue 18852[4]. CVE-2023-1992[5].
  • wnpa-sec-2023-10[6] LISP dissector large loop. Issue 18900[7]. CVE-2023-1993[8].
  • wnpa-sec-2023-11[9] GQUIC dissector crash Issue 18947[10]. CVE-2023-1994[11].
  • The following bugs have been fixed:
  • Wireshark ITS Dissector RTCMEM wrong protocol version selector 2 - should use 1. Issue 18862[12].
  • Wireshark treats the letter E in SSRC as an exponential representation of a number. Issue 18879[13].
  • VNC RRE Parser skips over data. Issue 18883[14].
  • sshdump coredump when --remote-interface is left empty. Issue 18904[15].
  • Fuzz job crash output: fuzz-2023-03-17-7298.pcap. Issue 18917[16].
  • Fuzz job crash output: fuzz-2023-03-27-7564.pcap. Issue 18934[17].
  • RFC8925 support (dhcp option 108) Issue 18943[18].
  • DIS dissector shows an incorrect state in the packet list info column. Issue 18967[19].
  • RTP analysis shows incorrect timestamp error when timestamp is rolled over. Issue 18973[20].
  • Asterisk (*) key crash on Endpoint/Conversation dialog. Issue 18975[21].
  • The RTP player waveform now synchronizes better with audio.
  • Updated Protocol Support:
  • DHCP, DIS, DNS, ERF, FF, genl, GQUIC, GSM A-bis OML, HL7, IEEE 802.11, ITS, LAPD, netfilter, netlink-route, netlink-sock_diag, nl80211, RLC, RPCoRDMA, RTPS, SCTP, SMB, UDS, VNC, and WCP

New in WireShark 4.0.4 (Mar 3, 2023)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2023-08[3] ISO 15765 and ISO 10681 dissector crash. Issue 18839[4].
  • The following bugs have been fixed:
  • UTF-8 characters end up escaped in PSML output. Issue 10445[5].
  • Export filtered displayed packets won’t save IP fragments of SCTP fragments needed to reassemble a displayed frame. Issue 12597[6].
  • DICOM dissection in reassembled PDV goes wrong. Issue 13388[7].
  • "Export Objects - IMF" produces incorrect file, TCP reassembly fails with retransmissions that have additional data. Issue 13523[8].
  • The intelligent scroll bar or minimap is not predictable on locating and scrolling. Issue 13989[9].
  • If you mark (or unmark) the currently-selected frame, the packet details still say it’s not marked (or it is marked) Issue 14330[10].
  • An out-of-order packet incorrectly detected as retransmission breaks desegmentation of TCP stream. Issue 15993[11].
  • Sorting Packet Loss Column is not sorting correct. Issue 16785[12].
  • Some HTTPS packets cannot be decrypted. Issue 17406[13].
  • SIP TCP decoding regression from Wireshark 1.99.0 to 3.6.8. Issue 18411[14].
  • Frame comments not preserved when using filter to write new pcap from tshark. Issue 18693[15].
  • ChmodBPF not working on macOS Ventura 13.1. Issue 18734[16].
  • Wireshark GUI and window manager stuck after setting display filter. Issue 18809[17].
  • Dissector bug, protocol H.261. Issue 18812[18].
  • File extension heuristics are case-sensitive. Issue 18821[19].
  • Symbolic links to packages in macOS dmg can’t be double-clicked to install on macOS 13.2. Issue 18830[20].
  • Potential memory leak in tshark.c. Issue 18837[21].
  • Fuzz job crash output: fuzz-2023-02-05-7303.pcap. Issue 18842[22].
  • f5fileinfo: Hardware platforms missing descriptions. Issue 18848[23].
  • The lines in the intelligent scrollbar are off by one. Issue 18850[24].
  • Wireshark crashes on invalid UDS packet in Lua context. Issue 18865[25].
  • TECMP dissector shows the wrong Voltage in Vendor Data. Issue 18871[26].
  • UDS: Names of RDTCI subfunctions 0x0b …​ 0x0e are not correct. Issue 18873[27].

New in WireShark 4.0.3 (Jan 19, 2023)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2023-01[2] EAP dissector crash. Issue 18622[3].
  • wnpa-sec-2023-02[4] NFS dissector memory leak. Issue 18628[5].
  • wnpa-sec-2023-03[6] Dissection engine crash. Issue 18766[7].
  • wnpa-sec-2023-04[8] GNW dissector crash. Issue 18779[9].
  • wnpa-sec-2023-05[10] iSCSI dissector crash. Issue 18796[11].
  • wnpa-sec-2023-06[12] Multiple dissector excessive loops. Issue 18711[13]. Issue 18720[14], Issue 18737[15].
  • wnpa-sec-2023-07[16] TIPC dissector crash. Issue 18770[17].
  • The following bugs have been fixed:
  • Qt: After modifying coloring rules, the coloring rule applied to the first packet reflects the coloring rules previously in effect. Issue 12475[18].
  • Help file doesn’t display for extcap interfaces. Issue 15592[19].
  • For USB traffic on XHC20 interface destination is always given as Host. Issue 16768[20].
  • Wireshark Expert Info - cannot deselect the limit to display filter tick box. Issue 18461[21].
  • Wrong pointer conversion in get_data_source_tvb_by_name() Issue 18517[22].
  • Wrong number of bits skipped while decoding an empty UTF8String on UPER packet. Issue 18702[23].
  • Crash when analyzing protobuf packets. Issue 18730[24].
  • Uninitialized values in various dissectors. Issue 18742[25].
  • String (GeoIP country/city) ordering doesn’t work in Endpoints. Issue 18749[26].
  • Wireshark crashes with an assertion failure on stray minus in filter. Issue 18750[27].
  • IO Graph: Add new graph only works until the 10th graph. Issue 18762[28].
  • Fuzz job crash output: fuzz-2022-12-30-11007.pcap. Issue 18770[29].
  • Q.850 - error in label for cause 0x7F. Issue 18780[30].
  • Uninitialized values in CoAP and RTPS dissectors. Issue 18785[31].
  • Screenshots in AppStream metainfo.xml file not available. Issue 18801[32].
  • Updated Protocol Support:
  • ASTERIX, BEEP, BGP, BPv6, CoAP, EAP, GNW, GSM A-bis P-GSL, iSCSI,
  • ISUP, LwM2M-TLV, MBIM, NBAP, NFS, OBD-II, OPUS, ProtoBuf, RLC, ROHC,
  • RTPS, Telnet, TIPC, and USB

New in WireShark 4.0.2 (Dec 8, 2022)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2022-09[2] Multiple dissector infinite loops.
  • wnpa-sec-2022-10[3] Kafka dissector memory exhaustion.
  • The following bugs have been fixed:
  • Qt: Endpoints dialog - unexpected byte unit suffixes in packet columns. Issue 18229[4].
  • GOOSE: field "floating_point" not working anymore. Issue 18491[5].
  • EVS Header-Full format padding issues. Issue 18498[6].
  • Wireshark 4.0.0 VOIP playback has no sound and can’t resume after pausing. Issue 18510[7].
  • Wireshark crashes when exporting a profile on Mac OSX if there is no extension. Issue 18525[8].
  • EVS dissector missing value description. Issue 18550[9].
  • Qt 6 font descriptions not backward compatible with Qt 5. Issue 18553[10].
  • Wireshark, wrong TCP ACKed unseen segment message. Issue 18558[11].
  • Invalid Cyrillic symbol in timezone at "Arrival Time" field in frame. Issue 18562[12].
  • ProtoBuf parse extension definitions failed. Issue 18599[13].
  • Fuzz job crash output: fuzz-2022-11-09-11134.pcap. Issue 18613[14].
  • Fuzz job crash output: fuzz-2022-11-14-11111.pcap. Issue 18632[15].
  • Wireshark is using old version of ASN (ETSI TS 125 453 V11.2.0) which is imapacting length of param in the messages. Issue 18646[16].
  • BGP: False IGMP flags value in EVPN routes (type 6,7,8) Issue 18660[17].
  • wslog assumes stderr and stdout exist. Issue 18684[18].
  • Editing packet comments, with non-ASCII characters, on Windows saves them in the local code page, not in UTF-8. Issue 18698[19].
  • Unable to decrypt PSK based DTLS traffic which uses Connection ID. Issue 18705[20].
  • HTTP2 tests fail when built without nghttp2. Issue 18707[21].
  • Updated Protocol Support:
  • ASN.1 PER, ASTERIX, BGP, BPv6, DTLS, EVS, GOOSE, GSM Osmux, IPv6, Kafka, Locamation IM, MONGO, NXP 802.15.4, OpenFlow v6, PCAP, Protobuf, RTP, S1AP, SKINNY, TCP, and WASSP

New in WireShark 4.0.1 (Oct 27, 2022)

  • Bug Fixes:
  • Comparing a boolean field against 1 always succeeds on big-endian machines. Issue 12236[2].
  • Qt: MaxMind GeoIP columns not added to Endpoints table. Issue 18320[3].
  • Fuzz job crash output: fuzz-2022-10-04-7131.pcap. Issue 18402[4].
  • The RTP player might not play audio on Windows. Issue 18413[5].
  • Wireshark 4.0 breaks display filter expression with > sign. Issue 18418[6].
  • Capture filters not working when using SSH capture and dumpcap. Issue 18420[7].
  • Packet diagram field values are not terminated. Issue 18428[8].
  • Packet bytes not displayed completely if scrolling. Issue 18438[9].
  • Fuzz job crash output: fuzz-2022-10-13-7166.pcap. Issue 18467[10].
  • Decoding bug H.245 userInput Signal. Issue 18468[11].
  • CFDP dissector doesn’t handle "destination filename" only. Issue 18495[12].
  • Home page capture button doesn’t pop up capture options dialog. Issue 18506[13].
  • Missing dot in H.248 protocol name. Issue 18513[14].
  • Missing dot for protocol H.264 in protocol column. Issue 18524[15].
  • Fuzz job crash output: fuzz-2022-10-23-7240.pcap. Issue 18534[16].
  • Removed Features and Support:
  • The experimental display filter syntax for literals using angle brackets that was introduced in Wireshark 4.0.0 has been removed. For byte arrays a colon prefix can be used instead. See the User’s Guide[17] for details.
  • Updated Protocol Support:
  • ASN.1 PER, CFDP, Diameter, DirectPlay, F5 Ethernet Trailer, GTP, H.223, H.248, H.264, H.265, IEEE 802.11, IPv4, MBIM, O-RAN FH CUS, PFCP, RTCP, SCTP, SMB, TCP, and TRANSUM
  • New and Updated Capture File Support:
  • BLF

New in WireShark 4.0.0 (Oct 5, 2022)

  • What’s New:
  • We no longer ship official 32-bit Windows packages starting with this release. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779
  • The display filter syntax is more powerful with many new extensions. See below for details.
  • The Conversation and Endpoint dialogs have been redesigned. See below for details.
  • The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane.
  • Hex dump imports from Wireshark and from text2pcap have been improved. See below for details.
  • Speed when using MaxMind geolocation has been greatly improved.
  • The tools and libraries required to build Wireshark have changed. See “Other Development Changes” below for more details.
  • Many other improvements have been made. See the “New and Updated Features” section below for more details.
  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 4.0.0rc2:
  • Nothing of note.
  • The following features are new (or have been significantly updated) since version 4.0.0rc1:
  • The macOS packages now ship with Qt 6.2.4 and require macOS 10.14. They previously shipped with Qt 5.15.3.
  • The Windows installers now ship with Npcap 1.71. They previously shipped with Npcap 1.70.
  • The following features are new (or have been significantly updated) since version 3.7.2:
  • The Windows installers now ship with Npcap 1.70. They previously shipped with Npcap 1.60.
  • The following features are new (or have been significantly updated) since version 3.7.1:
  • The 'v' (lower case) and 'V' (upper case) switches have been swapped for editcap and mergecap to match the other command line utilities.
  • The ip.flags field is now only the three high bits, not the full byte. Display filters and Coloring rules using the field will need to be adjusted.
  • New address type AT_NUMERIC allows simple numeric addresses for protocols which do not have a more common-style address approach, analog to AT_STRINGZ.
  • The following features are new (or have been significantly updated) since version 3.7.0:
  • The Windows installers now ship with Qt 6.2.3. They previously shipped with Qt 6.2.4.
  • The Conversation and Endpoint dialogs have been redesigned with the following improvements:
  • The context menu now includes the option to resize all columns, as well as copying elements.
  • Data may be exported as JSON.
  • Tabs may be detached and reattached from the dialog.
  • Adding and removing tabs will keep them in the same order all the time.
  • If a filter is applied, two columns are shown in either dialog detailing the difference between unmatched and matched packets.
  • Columns are now sorted via secondary properties if an identical entry is found.
  • Conversations are sorted via second address and first port number.
  • Endpoints are sorted via port numbers.
  • IPv6 addresses are sorted correctly after IPv4 addresses.
  • The dialog elements have been moved to make it easier to handle for new users.
  • Selection of tap elements is done via a list.
  • All configurations and options are done via a left side button row.
  • Columns for the Conversations and Endpoint dialogs can be hidden by a context menu.
  • TCP and UDP conversations now include the stream ID and allow filtering on it.
  • The following features are new (or have been significantly updated) since version 3.6.0:
  • The Windows installers now ship with Npcap 1.60. They previously shipped with Npcap 1.55.
  • The Windows installers now ship with Qt 6.2.4. They previously shipped with Qt 5.12.2.
  • The display filter syntax has been updated and enhanced:
  • A syntax to match a specific layer in the protocol stack has been added. For example in an IP-over-IP packet “ip.addr#1 == 1.1.1.1” matches the outer layer addresses and “ip.addr#2 == 1.1.1.2” matches the inner layer addresses.
  • Universal quantifiers "any" and "all" have been added to any relational operator. For example the expression "all tcp.port > 1024" is true if and only if all tcp.port fields match the condition. Previously only the default behaviour to return true if any one field matches was supported.
  • Field references, of the form ${some.field}, are now part of the syntax of display filters. Previously they were implemented as macros. The new implementation is more efficient and has the same properties as protocol fields, like matching on multiple values using quantifiers and support for layer filtering.
  • Arithmetic is supported for numeric fields with the usual operators “+”, “-”, “*”, “/”, and “%”. Arithmetic expressions must be grouped using curly brackets (not parenthesis).
  • New display filter functions max(), min() and abs() have been added.
  • Functions can accept expressions as arguments, including other functions. Previously only protocol fields and slices were syntactically valid function arguments.
  • A new syntax to disambiguate literals from identifiers has been added. Every value with a leading dot is a protocol or protocol field. Every value in between angle brackets is a literal value. See the User’s Guide for details.
  • The "bitwise and" operator is now a first-class bit operator, not a boolean operator. In particular this means it is now possible to mask bits, e.g.: frame[0] & 0x0F == 3.
  • Dates and times can be given in UTC using ISO 8601 (with 'Z' timezone) or by appending the suffix "UTC" to the legacy formats. Otherwise local time is used.
  • Integer literal constants may be written in binary (in addition to decimal/octal/hexadecimal) using the prefix "0b" or "0B".
  • Logical AND now has higher precedence than logical OR, in line with most programming languages.
  • It is now possible to index protocol fields from the end using negative indexes. For example the following expression tests the last two bytes of the TCP protocol field: tcp[-2:] == AA:BB. This was a longstanding bug that has been fixed in this release.
  • Set elements must be separated using a comma, e.g: {1, 2, "foo"}. Using only whitespace as a separator was deprecated in 3.6 and is now a syntax error.
  • Support for some additional character escape sequences in double quoted strings has been added. Along with octal () and hex (x) encoding, the following C escape sequences are now supported with the same meaning: a, b, f, n, r, t, v. Previously they were only supported with character constants.
  • Unicode universal character names are now supported with the escape sequences uNNNN or UNNNNNNNN, where N is a hexadecimal digit.
  • Unrecognized escape sequences are now treated as a syntax error. Previously they were treated as a literal character. In addition to the sequences indicated above, backslash, single quotation and double quotation mark are also valid sequences: , ', ".
  • A new strict equality operator "===" or "all_eq" has been added. The expression "a === b" is true if and only if all a’s are equal to b. The negation of "===" can now be written as "!==" (any_ne).
  • The aliases "any_eq" for "==" and "all_ne" for "!=" have been added.
  • The operator "~=" is deprecated and will be removed in a future version. Use "!==", which has the same meaning instead.
  • Floats must be written with a leading and ending digit. For example the values ".7" and "7." are now invalid as floats. They must be written "0.7" and "7.0" respectively.
  • The display filter engine now uses PCRE2 instead of GRegex (GLib’s bindings to the older and end-of-life PCRE library). PCRE2 is compatible with PCRE so any user-visible changes should be minimal. Some exotic patterns may now be invalid and require rewriting.
  • Literal strings can handle embedded null bytes (the value '') correctly. This includes regular expression patterns. For example the double-quoted string " is a null byte" is a legal literal value. This may be useful to match byte patterns but note that in general protocol fields with a string type still cannot contain embedded null bytes.
  • Booleans can be written as True/TRUE or False/FALSE. Previously they could only be written as 1 or 0.
  • It is now possible to test for the existence of a slice.
  • All integer sizes are now compatible. Unless overflow occurs any integer field can be compared with any other.
  • The text2pcap command and the “Import from Hex Dump” feature have been updated and enhanced:
  • text2pcap supports writing the output file in all the capture file formats that wiretap library supports, using the same -F option as editcap, mergecap, and tshark.
  • Consistent with the other command line tools like editcap, mergecap, tshark, and the "Import from Hex Dump" option within Wireshark, the default capture file format for text2pcap is now pcapng. The -n flag to select pcapng (instead of the previous default, pcap) has been deprecated and will be removed in a future release.
  • text2pcap supports selecting the encapsulation type of the output file format using the wiretap library short names with an -E option, similar to the -T option of editcap.
  • text2pcap has been updated to use the new logging output options and the -d flag has been removed. The "debug" log level corresponds to the old -d flag, and the "noisy" log level corresponds to using -d multiple times.
  • text2pcap and “Import from Hex Dump” support writing fake IP, TCP, UDP, and SCTP headers to files with Raw IP, Raw IPv4, and Raw IPv6 encapsulations, in addition to Ethernet encapsulation available in previous versions.
  • text2pcap supports scanning the input file using a custom regular expression, as supported in “Import from Hex Dump” in Wireshark 3.6.x.
  • In general, text2pcap and wireshark’s “Import from Hex Dump” have feature parity.
  • The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane.
  • The HTTP2 dissector now supports using fake headers to parse the DATAs of streams captured without first HEADERS frames of a long-lived stream (such as a gRPC streaming call which allows sending many request or response messages in one HTTP2 stream). Users can specify fake headers using an existing stream’s server port, stream id and direction.
  • The IEEE 802.11 dissector supports Mesh Connex (MCX).
  • The “Capture Options” dialog contains the same configuration icon as the Welcome Screen. It is now possible to configure interfaces there.
  • The “Extcap” dialog remembers password items during runtime, which makes it possible to run extcaps multiple times in row without having to reenter the password each time. Passwords are never stored on disk.
  • It is possible to set extcap passwords in tshark and other CLI tools.
  • The extcap configuration dialog now supports and remembers empty strings. There are new buttons to reset values back to their defaults.
  • Support to display JSON mapping for Protobuf message has been added.
  • macOS debugging symbols are now shipped in separate packages, similar to Windows packages.
  • In the ZigBee ZCL Messaging dissector the zbee_zcl_se.msg.msg_ctrl.depreciated field has been renamed to zbee_zcl_se.msg.msg_ctrl.deprecated
  • The interface list on the welcome page sorts active interfaces first and only displays sparklines for active interfaces. Additionally, the interfaces can now be hidden and shown via the context menu in the interface list
  • The Event Tracing for Windows (ETW) file reader now supports displaying IP packets from an event trace logfile or an event trace live session.
  • ciscodump now supports IOS, IOS-XE and ASA remote capturing
  • Removed Features and Support:
  • The CMake options starting with DISABLE_something were renamed ENABLE_something for consistency. For example DISABLE_WERROR=On became ENABLE_WERROR=Off. The default values are unchanged.
  • New Protocol Support:
  • Allied Telesis Loop Detection (AT LDF), AUTOSAR I-PDU Multiplexer (AUTOSAR I-PduM), DTN Bundle Protocol Security (BPSec), DTN Bundle Protocol Version 7 (BPv7), DTN TCP Convergence Layer Protocol (TCPCL), DVB Selection Information Table (DVB SIT), Enhanced Cash Trading Interface 10.0 (XTI), Enhanced Order Book Interface 10.0 (EOBI), Enhanced Trading Interface 10.0 (ETI), FiveCo’s Legacy Register Access Protocol (5co-legacy), Generic Data Transfer Protocol (GDT), gRPC Web (gRPC-Web), Host IP Configuration Protocol (HICP), Huawei GRE bonding (GREbond), Locamation Interface Module (IDENT, CALIBRATION, SAMPLES - IM1, SAMPLES - IM2R0), Mesh Connex (MCX), Microsoft Cluster Remote Control Protocol (RCP), Open Control Protocol for OCA/AES70 (OCP.1), Protected Extensible Authentication Protocol (PEAP), Realtek, REdis Serialization Protocol v2 (RESP), Roon Discovery (RoonDisco), Secure File Transfer Protocol (sftp), Secure Host IP Configuration Protocol (SHICP), SSH File Transfer Protocol (SFTP), USB Attached SCSI (UASP), and ZBOSS Network Coprocessor product (ZB NCP)
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • There is no new or updated capture file support in this release.
  • Major API Changes:
  • proto.h: The field display types "STR_ASCII" and "STR_UNICODE" have been removed. Use "BASE_NONE" instead.
  • proto.h: The field display types for floats have been extended and refactored. The type BASE_FLOAT has been removed. Use BASE_NONE instead. New display types for floats are BASE_DEC, BASE_HEX, BASE_EXP and BASE_CUSTOM.
  • The Wireshark Lua API now uses the lrexlib bindings to PCRE2. Code using the Lua GRegex module will have to be updated to use lrexlib-pcre2 instead. In most cases the API should be compatible and the conversion just requires a module name change.
  • The tap registration system has been updated and the list of arguments for tap_packet_cb has changed. All taps registered through register_tap_listener have to be updated.
  • Other Development Changes:
  • The PCRE2 library is now required to build Wireshark.
  • You must now have a compiler with C11 support in order to build Wireshark.
  • The following libraries and tools have had their minimum required version increased:
  • CMake 3.10 is required on macOS and Linux.
  • Qt version 5.12 (was 5.6.0), although compilation with 5.10 and 5.11 is still possible, but will trigger a warning during configuration.
  • Windows SDK 10.0.18362.0 is required due to issues with C11 support.
  • macOS version 10.11 to 10.14 (was 10.8) is required depending on the version of Qt:
  • Qt 5.10 or higher requires macOS version 10.11
  • Qt 5.12 or higher requires macOS version 10.12
  • Qt 5.14 or higher requires macOS version 10.13
  • Qt 6.0 or higher requires macOS version 10.14
  • GLib version 2.50.0 (was 2.38.0) is required.
  • Libgcrypt version 1.8.0 (was 1.5.0) is required.
  • c-ares version 1.13.0 (was 1.5.0).
  • Python version 3.6.0 (was 3.4.0).
  • GnuTLS version 3.5.8 (was 3.3.0).
  • Nghttp2 minimum version has been set to 1.11.0 (none previous).
  • Perl is no longer required to build Wireshark, but may be required to build some source code files and run code analysis checks.

New in WireShark 3.6.8 (Sep 8, 2022)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2022-06[2] F5 Ethernet Trailer dissector infinite loop. Issue 18307[3].
  • The following bugs have been fixed:
  • TCAP Malformed exception on externally re-assembled packet Issue 10515[4].
  • Extended 3GPP-GPRS-Negotiated-QoS-profile strings decoded incompletely Issue 10688[5].
  • HTTP2 dissector decodes first SSL record only Issue 11173[6].
  • L2TP improvements - cookie length detection, UDP encapsulation and more Issue 16565[7].
  • USB Truncation of URB_isochronous in frames Issue 18021[8].
  • ISUP/BICC parameter summary text duplication Issue 18094[9].
  • Running rpm-setup.sh shows missing packages that Centos does not need Issue 18166[10].
  • IPX/IPX RIP: Crash on expand subtree Issue 18234[11].
  • Qt: A file or packet comment that is too large will corrupt the pcapng file Issue 18235[12].
  • BGP dissector bug Issue 18248[13].
  • Wrong interpretation of the cbsp.rep_period field in epan/dissectors/packet-gsm_cbsp.c Issue 18254[14].
  • Assertion due to incorrect mask for btatt.battery_power_state.* Issue 18267[15].
  • Qt: Expert Info dialog not showing Malformed Frame when Frame length is less than captured length Issue 18312[16].
  • Wireshark and tshark become non-responsive when reading certain packets Issue 18313[17].
  • Updated Protocol Support:
  • BGP, BICC, BT ATT, CBSP, Couchbase, F5 Ethernet Trailer, Frame, GTP, GTP (prime), IPsec, ISUP, L2TP, NAS-5GS, Protobuf, SCCP, TCP, and TLS
  • New and Updated Capture File Support:
  • pcap, pcapng

New in WireShark 3.6.7 (Jul 28, 2022)

  • The following bugs have been fixed:
  • Multiple Files preference "Create new file automatically…​after" [time] working incorrectly Issue 16783.
  • get_filter Lua function doesn’t return the filter Issue 17188.
  • Dissector bug, protocol HTTP failed assertion "saved_layers_len < 500" with chunked/multipart Issue 18130.
  • Wrong EtherCAT bit label (possible dissector bug) Issue 18132.
  • UDP packets falsely marked as "malformed packet" Issue 18136.
  • TLS certificate parser with filter crash Issue 18155.
  • Incorrect type for the IEC 60870 APDU appears in packet details pane Issue 18167.
  • NHRP Problem Issue 18181.
  • EtherCAT CoE header unknown type Issue 18220.
  • New and Updated Features:
  • Updated Protocol Support:
  • BGP, DTLS, EtherCAT, EtherCAT Mailbox, HTTP, IEC 104, MEGACO, NHRP, PPPoE, QUIC, RTCP, Signal PDU, SOME/IP, and X509IF

New in WireShark 3.6.6 (Jun 16, 2022)

  • Bug Fixes:
  • TLS: RSA decryption fails with Extended Master Secret and renegotiation Issue 18059[2].
  • "dfilter" file on Windows adds carriage returns, and requires line feeds Issue 18082[3].
  • Npcap bundled version needs a bump to v1.60 for Windows 11 compatibility Issue 18084[4].
  • "Browse" button in Prefs/Name Resolution/MaxMind crashes Wireshark on macOS Issue 18088[5].
  • TFTP: some packets are not recognized as TFTP packets with 3.6.5 Issue 18122[6].
  • Updated Protocol Support:
  • DTLS, F5 Capture Information, F5 Ethernet Trailer, FlexRay, MBIM, TFTP, TLS, and ZigBee ZCL

New in WireShark 3.6.3 (Mar 24, 2022)

  • Bug Fixes:
  • The following bugs have been fixed:
  • Fuzz job crash output: fuzz-2022-01-19-7399.pcap Issue 17894[1].
  • TLS dissector incorrectly reports JA3 values Issue 17942[2].
  • "Wiki Protocol page" in packet details menu is broken - wiki pages not migrated to GitLab? Issue 17944[3].
  • Dissector bug, protocol PFCP display Flow Description IE value error in Additional Flow Description of PFD Management Request Message Issue 17951[4].
  • Bluetooth: Fails to open Log file for SCO connection Issue 17964[5].
  • Fuzz job crash output: fuzz-2022-03-07-10896.pcap Issue 17984[6].
  • libwiretap: Save as ERF causes segmentation fault Issue 17989[7].
  • HTTP server returning multiple early hints shows too many responses in "Follow HTTP Stream" Issue 18006[8].
  • Updated Protocol Support:
  • CSN.1, HTTP, IEEE 802.11, NTLM SSP, PFCP, PKTLOG, SSDP, TLS, and USB HID
  • New and Updated Capture File Support:
  • pcap and pcapng

New in WireShark 3.6.2 (Feb 11, 2022)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2022-01[1] RTMPT dissector infinite loop. Issue 17813[2].
  • wnpa-sec-2022-02[3] Large loops in multiple dissectors. Issue 17829[4], Issue 17842[5], Issue 17847[6], Issue 17855[7], Issue 17891[8], Issue 17925[9], Issue 17926[10], Issue 17931[11], Issue 17932[12], Issue 17933[13].
  • wnpa-sec-2022-03[14] PVFS dissector crash. Issue 17840[15].
  • wnpa-sec-2022-04[16] CSN.1 dissector crash. Issue 17882[17].
  • wnpa-sec-2022-05[18] CMS dissector crash. Issue 17935[19].
  • The following bugs have been fixed:
  • Support for GSM SMS TPDU in HTTP2 body Issue 17784[20].
  • Wireshark 3.6.1 broke the ABI by removing ws_log_default_writer from libwsutil Issue 17822[21].
  • Fedora RPM package build failing with RPATH of /usr/local/lib64 Issue 17830[22].
  • macos-setup.sh: ftp.pcre.org no longer exists Issue 17834[23].
  • nmap.org/npcap → npcap.com: domain/URL change Issue 17838[24].
  • MPLS ECHO FEC stack change TLV not dissected correctly Issue 17868[25].
  • Attempting to open a systemd journal export file segfaults Issue 17875[26].
  • Dissector bug on 802.11ac packets Issue 17878[27].
  • The Info column shows only one NGAP/S1AP packet of several packets inside an SCTP packet Issue 17886[28].
  • Uninstalling Wireshark 3.6.1 on Windows 10 fails to remove the installation directory because it doesn’t remove the User’s Guide subdirectory and all its contents. Issue 17898[29].
  • 3.6 doesn’t build without zlib Issue 17899[30].
  • SIP Statistics no longer properly reporting method type accounting Issue 17904[31].
  • Fuzz job crash output: fuzz-2022-01-26-6940.pcap Issue 17909[32].
  • SCTP retransmission detection broken for the first data chunk of each association with relative TSN Issue 17917[33].
  • “Show In Folder” doesn’t work correctly for filenames with spaces Issue 17927[34].

New in WireShark 3.6.1 (Dec 30, 2021)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2021-17[1] RTMPT dissector infinite loop. Issue 17745[2]. CVE-2021-4185[3].
  • wnpa-sec-2021-18[4] BitTorrent DHT dissector infinite loop. Issue 17754[5]. CVE-2021-4184[6].
  • wnpa-sec-2021-19[7] pcapng file parser crash. Issue 17755[8]. CVE-2021-4183[9].
  • wnpa-sec-2021-20[10] RFC 7468 file parser infinite loop. Issue 17801[11]. CVE-2021-4182[12].
  • wnpa-sec-2021-21[13] Sysdig Event dissector crash. CVE-2021-4181[14].
  • wnpa-sec-2021-22[15] Kafka dissector infinite loop. Issue 17811[16].
  • The following bugs have been fixed:
  • Allow sub-second timestamps in hexdumps Issue 15562[17].
  • GRPC: An unnecessary empty Protobuf tree item is displayed if the GRPC message body length is 0 Issue 17675[18].
  • Can’t install "ChmodBPF.pkg" or "Add Wireshark to the system path.pkg" on M1 MacBook Air Monterey without Rosetta 2 Issue 17757[19].
  • TECMP: LIN Payload is cut off by 1 byte Issue 17760[20].
  • Wireshark crashes if a 64 bit field of type BASE_CUSTOM is applied as a column Issue 17762[21].
  • Command line option "-o console.log.level" causes wireshark and tshark to exit on start Issue 17763[22].
  • Setting WIRESHARK_LOG_LEVEL=debug breaks interface capture Issue 17764[23].
  • Unable to build without tshark Issue 17766[24].
  • IEEE 802.11 action frames are not getting parsed and always seen as malformed Issue 17767[25].
  • IEC 60870-5-101 link address field is 1 byte, but should have configurable length of 0,1 or 2 bytes Issue 17775[26].
  • dfilter: 'tcp.port not in {1}' crashes Wireshark Issue 17785[27].
  • New and Updated Features:
  • The 'console.log.level' preference was removed in Wireshark 3.6.0. This release adds an '-o console.log.level:' backward-compatibilty option on the CLI that maps to the new logging sub-system. Note that this does not have bitmask semantics and does not correspond to any actual preference. It is just a transition mechanism for users that were relying on this CLI option and will be removed in the future. To see the new diagnostic output options consult the manpages or the output of '--help'.
  • pdated Protocol Support:
  • ANSI A I/F, AT, BitTorrent DHT, FF, GRPC, IEC 101/104, IEEE 802.11, IEEE 802.11 Radiotap, IPsec, Kafka, QUIC, RTMPT, RTSP, SRVLOC, Sysdig Event, and TECMP
  • New and Updated Capture File Support:
  • BLF and RFC 7468

New in WireShark 3.6.0 (Nov 23, 2021)

  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 3.6.0rc3:
  • The macOS Intel packages now ship with Qt 5.15.3 and require macOS 10.13 or later.
  • The following features are new (or have been significantly updated) since version 3.6.0rc2:
  • Display filter set elements must now be comma-separated. See below for more details.
  • The following features are new (or have been significantly updated) since version 3.6.0rc1:
  • The display filter expression “a != b” now has the same meaning as “!(a == b)”.
  • The following features are new (or have been significantly updated) since version 3.4.0:
  • Several changes have been made to the display filter syntax:
  • The expression “a != b” now always has the same meaning as “!(a == b)”. In particular this means filter expressions with multi-value fields like “ip.addr != 1.1.1.1” will work as expected (the result is the same as typing “ip.src != 1.1.1.1 and ip.dst != 1.1.1.1”). This avoids the contradiction (a == b and a != b) being true.
  • It is possible to use the syntax “a ~= b” or “a any_ne b” to recover the previous (inconsistent with "==") logic for not equal.
  • Literal strings can now be specified using raw string syntax, identical to raw strings in the Python programming language. This can be used to avoid the complexity of using two levels of character escapes with regular expressions.
  • Set elements must now be separated using a comma. A filter such as http.request.method in {"GET" "HEAD"} must be written as …​ in {"GET", "HEAD"}. Whitespace is not significant. The previous use of whitespace as separator is deprecated and will be removed in a future version.
  • Support for the syntax "a not in b" with the same meaning as "not a in b" has been added.
  • Packaging updates:
  • A macOS Arm 64 (Apple Silicon) package is now available.
  • The macOS Intel packages now ship with Qt 5.15.3 and require macOS 10.13 or later.
  • The Windows installers now ship with Npcap 1.55.
  • A 64-bit Windows PortableApps package is now available.
  • TCP conversations now support a completeness criteria, which facilitates the identification of TCP streams having any of opening or closing handshakes, a payload, in any combination. It can be accessed with the new tcp.completeness filter.
  • Protobuf fields that are not serialized on the wire or otherwise missing in capture files can now be displayed with default values by setting the new “add_default_value” preference. The default values might be explicitly declared in “proto2” files, or false for bools, first value for enums, zero for numeric types.
  • Wireshark now supports reading Event Tracing for Windows (ETW). A new extcap named ETW reader is created that now can open an etl file, convert all events in the file to DLT_ETW packets and write to a specified FIFO destination. Also, a new packet_etw dissector is created to dissect DLT_ETW packets so Wireshark can display the DLT_ETW packet header, its message and packet_etw dissector calls packet_mbim sub_dissector if its provider matches the MBIM provider GUID.
  • “Follow DCCP stream” feature to filter for and extract the contents of DCCP streams.
  • Wireshark now supports dissecting RTP packets with OPUS payloads.
  • Importing captures from text files based on regular expressions is now possible. By specifying a regex capturing a single packet including capturing groups for relevant fields a textfile can be converted to a libpcap capture file. Supported data encodings are plain-hexadecimal, -octal, -binary and base64. Also the timestamp format now allows the second-fractions to be placed anywhere in the timestamp and it will be stored with nanosecond instead of microsecond precision.
  • The RTP Player has been significatnly redesigned and improved. See Playing VoIP Calls[1] and RTP Player Window[2] in the User’s Guide for more details.
  • The RTP Player can play many streams in row.
  • The UI is more responsive.
  • The RTP Player maintains playlist and other tools can add and remove streams to and from it.
  • Every stream can be muted or routed to the left or right channel for replay.
  • The option to save audio has been moved from the RTP Analysis dialog to the RTP Player. The RTP Player also saves what was played, and it can save in multichannel .au or .wav.
  • The RTP Player is now accessible from the Telephony › RTP › RTP Player menu.
  • The VoIP dialogs (VoIP Calls, RTP Streams, RTP Analysis, RTP Player, SIP Flows) are non-modal and can stay opened on background.
  • The same tools are provided across all dialogs (Prepare Filter, Analyse, RTP Player …​)
  • The “Follow Stream” dialog is now able to follow SIP calls based on their Call-ID value.
  • The “Follow Stream” dialog’s YAML output format has been updated to add timestamps and peers information For more details see Following Protocol Streams[3] in the User’s Guide.
  • IP fragments between public IPv4 addresses are now reassembled even if they have different VLAN IDs. Reassembly of IP fragments where one endpoint is a private (RFC 1918 section 3) or link-local (RFC 3927) IPv4 address continues to take the VLAN ID into account, as those addresses can be reused. To revert to the previous behavior and not reassemble fragments with different VLAN IDs, turn on the “Enable stricter conversation tracking heuristics” top level protocol preference.
  • USB Link Layer reassembly has been added, which allows hardware captures to be analyzed at the same level as software captures.
  • TShark can now export TLS session keys with the --export-tls-session-keys option.
  • Wireshark participated in the Google Season of Docs 2020 and the User’s Guide has been extensively updated.
  • The “RTP Stream Analysis” dialog CSV export format was slightly changed. The first line of the export contains column titles as in other CSV exports.
  • Wireshark now supports the Turkish language.
  • The settings in the “Import from Hex Dump” dialog is now stored in a profile import_hexdump.json file.
  • Analyze › Reload Lua Plugins has been improved to properly support FileHandler.
  • The “RTP Stream Analysis” and “IAX2 Stream Analysis” dialogs now show correct calculation mean jitter calculations.
  • RTP streams are now created based on Skinny protocol messages in addition to other types of messages.
  • The “VoIP Calls Flow Sequence” window shows more information about various Skinny messages.
  • Initial support for building Wireshark on Windows using GCC and MinGW-w64 has been added. See README.msys2 in the sources for more information.
  • New File Format Decoding Support:
  • Vector Informatik Binary Log File (BLF)
  • New Protocol Support:
  • 5G Lawful Interception (5GLI), Bluetooth Link Manager Protocol (BT LMP), Bundle Protocol version 7 (BPv7), Bundle Protocol version 7 Security (BPSec), CBOR Object Signing and Encryption (COSE), E2 Application Protocol (E2AP), Event Tracing for Windows (ETW), EXtreme extra Eth Header (EXEH), High-Performance Connectivity Tracer (HiPerConTracer), ISO 10681, Kerberos SPAKE, Linux psample protocol, Local Interconnect Network (LIN), Microsoft Task Scheduler Service, O-RAN E2AP, O-RAN fronthaul UC-plane (O-RAN), Opus Interactive Audio Codec (OPUS), PDU Transport Protocol, R09.x (R09), RDP Dynamic Channel Protocol (DRDYNVC), RDP Graphic pipeline channel Protocol (EGFX), RDP Multi-transport (RDPMT), Real-Time Publish-Subscribe Virtual Transport (RTPS-VT), Real-Time Publish-Subscribe Wire Protocol (processed) (RTPS-PROC), Shared Memory Communications (SMC), mSignal PDU, SparkplugB, State Synchronization Protocol (SSyncP), Tagged Image File Format (TIFF), TP-Link Smart Home Protocol, UAVCAN DSDL, UAVCAN/CAN, UDP Remote Desktop Protocol (RDPUDP), Van Jacobson PPP compression (VJC), World of Warcraft World (WOWW), and X2 xIRI payload (xIRI)
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • Vector Informatik Binary Log File (BLF)

New in WireShark 3.4.10 (Nov 18, 2021)

  • What’s New:
  • This release fixes a forward compatibility issue[1] with the I/O Graphs preferences.
  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2021-07[2] Bluetooth DHT dissector crash. Issue 17651[3]. CVE-2021-39929[4].
  • wnpa-sec-2021-08[5] Bluetooth HCI_ISO dissector crash. Issue 17649[6]. CVE-2021-39926[7].
  • wnpa-sec-2021-09[8] Bluetooth SDP dissector crash. Issue 17635[9]. CVE-2021-39925[10].
  • wnpa-sec-2021-10[11] Bluetooth DHT dissector large loop. Issue 17677[12]. CVE-2021-39924[13].
  • wnpa-sec-2021-11[14] PNRP dissector large loop. Issue 17684[15].
  • wnpa-sec-2021-12[16] C12.22 dissector crash. Issue 17636[17]. CVE-2021-39922[18].
  • wnpa-sec-2021-13[19] IEEE 802.11 dissector crash. Issue 17704[20]. CVE-2021-39928[21].
  • wnpa-sec-2021-14[22] Modbus dissector crash. Issue 17703[23]. CVE-2021-39921[24].
  • wnpa-sec-2021-15[25] IPPUSB dissector crash. Issue 17705[26]. CVE-2021-39920[27].
  • The following bugs have been fixed:
  • OSS-Fuzz: Heap-use-after-free in ROS Issue 16342[28].
  • Allow for '' (NULL) character as filter instead of requiring 0x00 for the character match Issue 16525[29].
  • Dumpcap with threads reports double received count vs captured Issue 17089[30].
  • I/O Graphs values reset to default with 3.5 due to change of UAT Issue 17623[31].
  • HTTP2 dissector reports an assertion error on large data frames Issue 17633[32].
  • TShark stops capturing when capturing with multiple files and packet printing enabled Issue 17654[33].
  • Wireshark is unable to decode the IMSI IE received in BSSMAP Perform Location request Issue 17667[34].
  • WSLUA: Crash on reload if Proto has no fields Issue 17668[35].
  • Crash in flow analysis for TCP Issue 17722[36].
  • Updated Protocol Support:
  • BT HCI_ISO, BT SDP, BT-DHT, C12.22, CAN FD, CSN1, EAPOL-MKA, EVS, GSM BSSMAP LE, HTTP2, IDMP, IEEE 1905.1a, IEEE 802.11, IPPUSB, Modbus, PNRP, and TCP
  • New and Updated Capture File Support:
  • pcap

New in WireShark 3.4.9 (Oct 8, 2021)

  • Bug Fixes:
  • The following bugs have been fixed:
  • TShark PDML output embeds "proto" elements within other "proto" elements Issue 10588[1].
  • Filter expressions comparing against single-octet hex strings where the hex digit string equals a protocol name don’t work Issue 12810[2].
  • AMQP 0.9: dissector fails to handle Content-Body frame split across TCP packets Issue 14217[3].
  • IEEE 802.15.4: Missing check on "PAN ID Present" bit of the Multipurpose Frame Control field Issue 17496[4].
  • Wireshark ignored some character in filename when exporting SMB objects. Issue 17530[5].
  • tshark -z credentials: assertion failed: (allocator→in_scope) Issue 17576[6].
  • IS-IS Extended IP Reachability Prefix-SID not decoded properly Issue 17610[7].
  • Error when reloading lua plugins with a capture file loaded via a custom lua file handler Issue 17615[8].
  • Absolute time UTC field filters are constructed incorrectly, don’t match the packet Issue 17617[9].
  • GUI freezes when clicking on large (non-capture) file in File chooser Issue 17620[10].
  • Crash after selecting a different profile while capturing Issue 17622[11].
  • BT-DHT reports malformed packets that are actually uTP on same connection Issue 17626[12].

New in WireShark 3.4.8 (Oct 8, 2021)

  • Bug Fixes:
  • The following bugs have been fixed:
  • Dissector bug reported for Bluetooth Cycling Power Measurement characteristic for extreme angles value Issue 17505[1].
  • vcruntime140_1.dll deleted on Wireshark update/install Issue 17506[2].
  • Raknet Addresses are incorrectly identified. Issue 17509[3].
  • Editcap saving files as ethernet when specifying '-T ieee-802-11-*' Issue 17520[4].
  • CoAP dissector confuses Content-Format with Accept Issue 17536[5].
  • Updated Protocol Support:
  • BT ATT, BT LE LL, CoAP, DLM3, GSM SIM, iLBC, and RakNet

New in WireShark 3.4.7 (Jul 15, 2021)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2021-06[1] DNP dissector crash. Issue 17462[2]. CVE-2021-22235[3].
  • The following bugs have been fixed:
  • TCP dissector - Erroneous DSACK reporting Issue 17315[4].
  • No wlan_radio.duration calculated for PHY type: 802.11ac (VHT). Issue 17419[5].
  • NAN Dissector has wrong minimum length for availability attribute. Issue 17431[6].
  • Updated Protocol Support:
  • ASTERIX, BT LE LL, DCE RPC, DNP, GTPv2, IEEE 802.11 Radio, LDAP, NAN,
  • NORDIC_BLE, NR RRC, OSPF, pcapng, PNIO, RSL, S101, Snort config, and
  • TCP
  • New and Updated Capture File Support:
  • Catapult DCT2000, ERF, and pcap

New in WireShark 3.4.6 (Jun 3, 2021)

  • Bug Fixes:
  • The following bugs have been fixed:
  • Macro filters can’t handle escaped characters Issue 17160[1].
  • Display filter crashes Wireshark Issue 17316[2].
  • IEEE-1588 Signalling Unicast TLV incorrectly reported as being malformed Issue 17355[3].
  • Updated Protocol Support:
  • DNP, ProtoBuf, PTP, and TACACS
  • New and Updated Capture File Support:
  • Ascend, ERF, K12, NetScaler, and pcapng

New in WireShark 3.4.5 (Apr 23, 2021)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2021-04[1] MS-WSP dissector excessive memory consumption. Issue 17331[2].
  • The following bugs have been fixed:
  • TShark does not print GeoIP information Issue 14691[3].
  • TShark error when piping to "head" Issue 16192[4].
  • Parts of ASCII representation in Packet Bytes pane are missing Issue 17087[5].
  • Buildbot crash output: fuzz-2021-02-22-1012761.pcap Issue 17254[6].
  • NDPE attribute of NAN packet is not dissected Issue 17278[7].
  • TECMP: reserved flag interpreted as part of timestamp Issue 17279[8].
  • Master branch does not compile at least with gcc-11 Issue 17281[9].
  • DNS IXFR/AXFR multiple response Issue 17293[10].
  • File too large Issue 17301[11].
  • Build fails with CMake 3.20 Issue 17314[12].
  • Updated Protocol Support:
  • DECT, DNS, EAP, Kerberos, LDAP, MS-WSP, SMB2, Sysdig, TECMP, and WiFi NAN
  • New and Updated Capture File Support:
  • pcapng

New in WireShark 3.4.4 (Mar 11, 2021)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2021-03[1] Wireshark could open unsafe URLs. Issue 17232[2]. CVE-2021-22191[3].
  • The following bugs have been fixed:
  • NTP Version 3 Client Decode PDML output issue (Reference ID Issue) Issue 17112[4].
  • 3.4.2: public wireshark include files are including build time "config.h" Issue 17190[5].
  • wireshark-3.4.3/epan/dissectors/packet-s7comm.c:3521: bad array index ? Issue 17198[6].
  • SIP protocol: P-Called-Party-ID header mixed up with P-Charge-Info header Issue 17215[7].
  • Asterix CAT010 Decode Error Issue 17226[8].
  • _ws.expert columns not populated for IPv4 Issue 17228[9].
  • Buildbot crash output: fuzz-2021-02-12-1651908.pcap Issue 17233[10].
  • gQUIC: Wireshark 3.4.3 fails to dissect a packet (gQUIC q024) that v3.2.6 succeeds. Issue 17250[11].
  • Updated Protocol Support:
  • ASTERIX, Frame Relay, GQUIC, NTP, NVMe Fabrics RDMA, S7COMM, and SIP
  • New and Updated Capture File Support:
  • iSeries

New in WireShark 3.4.3 (Feb 1, 2021)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2021-01[1] USB HID dissector memory leak. Bug 17124[2]. CVE-2021-22173[3].
  • wnpa-sec-2021-02[4] USB HID dissector crash. Bug 17165[5]. CVE-2021-22174[6].
  • The following bugs have been fixed:
  • SIP response single-line multiple Contact-URIs decoding error Bug 13752[7].
  • Adding filter while "Telephony→VoIP Calls→Flow Sequence" open causes OOB memory reads and potential crashes. Bug 16952[8].
  • QUIC packet not fully dissected Bug 17077[9].
  • SOMEIP-SD hidden entries are off Bug 17091[10].
  • Problem with calculation on UDP checksum in SRv6 Bug 17097[11].
  • Dark mode not working in Wireshark 3.4.2 on macOS Bug 17098[12].
  • Wireshark 3.4.0: build failure on older MacOS releases, due to 'CLOCK_REALTIME' Bug 17101[13].
  • TECMP: Status Capture Module messages shows 3 instead of 2 bytes for HW version Bug 17133[14].
  • Documentation - editorial error - README.dissector bad reference Bug 17141[15].
  • Cannot save capture with comments to a format that doesn’t support it (no pop-up) Bug 17146[16].
  • AUTOSAR-NM: PNI TF-String wrong way around Bug 17154[17].
  • Fibre Channel parsing errors even with the fix for #17084 Bug 17168[18].
  • f5ethtrailer: Won’t find a trailer after an FCS that begins with a 0x00 byte Bug 17171[19].
  • f5ethtrailer: legacy format, low noise only, no vip name trailers no longer detected Bug 17172[20].
  • Buildbot crash output: fuzz-2021-01-22-3387835.pcap Bug 17174[21].
  • Dissection error on large ZVT packets Bug 17177[22].
  • TShark crashes with -T ek option Bug 17179[23].
  • Updated Protocol Support:
  • AUTOSAR-NM, DHCPv6, DoIP, FC ELS, GQUIC, IPv6, NAS 5GS, NAS EPS,
  • QUIC, SIP, SOME/IP-SD, TECMP, TLS, TPNCP, USB HID, and ZVT
  • New and Updated Capture File Support:
  • f5ethtrailer and pcapng

New in WireShark 3.2.11 (Feb 1, 2021)

  • Bug Fixes:
  • The following bugs have been fixed:
  • Adding filter while "Telephony→VoIP Calls→Flow Sequence" open causes OOB memory reads and potential crashes. Bug 16952[1].
  • SOMEIP-SD hidden entries are off Bug 17091[2].
  • Dark mode not working in Wireshark 3.4.2 on macOS Bug 17098[3].
  • Documentation - editorial error - README.dissector bad reference Bug 17141[4].
  • AUTOSAR-NM: PNI TF-String wrong way around Bug 17154[5].
  • Fibre Channel parsing errors even with the fix for #17084 Bug 17168[6].
  • Buildbot crash output: fuzz-2021-01-22-3387835.pcap Bug 17174[7].
  • Dissection error on large ZVT packets Bug 17177[8].
  • TShark crashes with -T ek option Bug 17179[9].
  • Updated Protocol Support:
  • AUTOSAR-NM, DHCPv6, DoIP, FC ELS, SIP, SOME/IP-SD, and ZVT
  • New and Updated Capture File Support:
  • pcapng

New in WireShark 3.4.2 (Dec 22, 2020)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2020-20[1] QUIC dissector crash Bug 17073[2].
  • New and Updated Features:
  • IETF QUIC TLS decryption errors when packets are coalesced with random data Bug 16914[3].
  • QUIC: missing dissection of some coalesced SH packets Bug 17011[4].
  • macos-setup.sh can’t find SDK on macOS Big Sur, as it went to 11 Bug 17043[5].
  • Mapping endpoints in browser ⇒ Map file error Bug 17074[6].
  • Wireshark 3.4.1 hangs on startup on macOS Big Sur 11.0.1 Bug 17075[7].
  • False expect error seen on FCoE frames (not seen with older release wireshark 1.2.18) Bug 17084[8].
  • • Several libraries missing in 3.4.1 and 3.2.9 installers for macOS Bug 17086[9].
  • Updated Protocol Support:
  • DOCSIS, FC-dNS, FC-SWILS, FCoE, QUIC, SNMP, and USBHID

New in WireShark 3.4.1 (Dec 11, 2020)

  • What’s New:
  • Bug Fixes:
  • wnpa-sec-2020-16[1] Kafka dissector memory leak. Bug 16739[2]. CVE-2020-26418[3].
  • wnpa-sec-2020-17[4] USB HID dissector crash. Bug 16958[5]. CVE-2020-26421[6].
  • wnpa-sec-2020-18[7] RTPS dissector memory leak. Bug 16994[8]. CVE-2020-26420[9].
  • wnpa-sec-2020-19[10] Multiple dissector memory leak. Bug 17032[11]. CVE-2020-26419[12].
  • The following bugs have been fixed:
  • New and Updated Features:
  • Lua TvbRanges do not support truncated captures where tvb_captured_length < tvb_reported_length Bug 15655[13].
  • IETF QUIC TLS decryption errors when a NAT rebinding happens for a connection Bug 16915[14].
  • IETF QUIC TLS decryption error with key update Bug 16916[15].
  • IETF QUIC TLS decryption error after the second key update Bug 16920[16].
  • SOME/IP: Wrong dissection of parameters after Array Bug 16951[17].
  • Can editcap properly corrupt pcapng file with systemd journal export block? Bug 16965[18].
  • Lua: abort() called in lua_tap_draw() and lua_tap_reset() on script errors Bug 16974[19].
  • Crash when a GIOP ior.txt file is present Bug 16984[20].
  • Protobuf: failed to parse .proto file contains negative enum values or option values of number type Bug 16988[21].
  • MMRP dissector bug Bug 17005[22].
  • QUIC: "Loss bits" capability Bug 17010[23].
  • Stdin capture fails on Windows Bug 17018[24].
  • SSTP no longer recognized Bug 17024[25].
  • RFC2190 encapsulated H.263 bitfields masked wrong in Mode A Bug 17025[26].
  • Packet list bytes text character cursor is misaligned Bug 17033[27].
  • SOME/IP: Resetting offset of static_array Bug 17057[28].
  • editcap fails when splitting into multiple pcapng files Bug 17060[29].
  • SMB Dissector for TRANS2_QUERY_FS_INFO displays truncated FS Name & Label Bug 17064[30].
  • Wireshark does not display Arabic, Greek, some other characters correctly Bug 17070[31].
  • Updated Protocol Support:
  • ACDR, DOCSIS, Ericsson HDLC, F5 Ethernet Trailer, GIOP, GSM A, GSM RLC MAC, HTTP, IEEE 802.11, Kafka, LLC, MBIM, MMRP, NAS 5GS, NAS EPS, Nordic BLE, ProtoBuf, QUIC, Radiotap, RFC 2190, RTCP, RTPS, S1AP, SMB, SMB2, SOME/IP, STUN, and USB Video
  • New and Updated Capture File Support:
  • pcapng

New in WireShark 3.4.0 (Nov 4, 2020)

  • The following features are new (or have been significantly updated) since version 3.3.1:
  • The Protobuf fields defined as google.protobuf.Timestamp type of Protobuf standard library can now be dissected as Wireshark fields of absolute time type.
  • The following features are new (or have been significantly updated) since version 3.3.0:
  • The Windows installers now ship with Npcap 1.00. They previously shipped with Npcap 0.9997.
  • The Windows installers now ship with Qt 5.15.1. They previously shipped with Qt 5.12.8.
  • The following features are new (or have been significantly updated) since version 3.2.0:
  • Windows executables and installers are now signed using SHA-2 only[1].
  • Save RTP stream to .au supports any codec with 8000 Hz rate supported by Wireshark (shown in RTP player). If save of audio is not possible (unsupported codec or rate), silence of same length is saved and warning is shown.
  • Asynchronous DNS resolution is always enabled. As a result, the c-ares library is now a required dependency.
  • Protobuf fields can be dissected as Wireshark (header) fields that allows user input the full names of Protobuf fields or messages in Filter toolbar for searching.
  • Dissectors based on Protobuf can register themselves to a new 'protobuf_field' dissector table, which is keyed with the full names of fields, for further parsing fields of BYTES or STRING type.
  • Wireshark is able to decode, play, and save iLBC payload on platforms where the iLBC library[2] is available.
  • Wireshark is able to decode, play, and save opus payload on platforms where the opus library[3] is available.
  • “Decode As” entries can now be copied from other profiles using a button in the dialog.
  • sshdump can now be copied to multiple instances. Each instance will show up a different interface and will have its own profile.
  • The main window now supports a packet diagram view, which shows each packet as a textbook-style diagram.
  • Filter buttons (“Preferences → Filter Buttons”) can be grouped by using “//” as a path separator in the filter button label.
  • IPP Over USB packets can now be dissected and displayed
  • New Protocol Support:
  • Arinc 615A (A615A), Asphodel Protocol, AudioCodes Debug Recording (ACDR), Bluetooth HCI ISO (BT HCI ISO), Cisco MisCabling Protocol (MCP), Community ID Flow Hashing (CommunityID), DCE/RPC IRemoteWinspool SubSystem, (IREMOTEWINSPOOL), Dynamic Link Exchange Protocol (DLEP), EAP Generalized Pre-Shared Key (EAP-GPSK), EAP Password Authenticated Exchange (EAP-PAX), EAP Pre-Shared Key (EAP-PSK), EAP Shared-secret Authentication and Key Establishment (EAP-SAKE), Fortinet Single Sign-on (FSSO), FTDI Multi-Protocol Synchronous Serial Engine (FTDI MPSSE), Hypertext Transfer Protocol Version 3 (HTTP3), ILDA Digital Network (IDN), Java Debug Wire Protocol (JDWP), LBM Stateful Resolution Service (LBMSRS), Lithionics Battery Management, OBSAI UDP-based Communication Protocol (UDPCP), Palo Alto Heartbeat Backup (PA-HB-Bak), ScyllaDB RPC, Technically Enhanced Capture Module Protocol (TECMP), Tunnel Extensible Authentication Protocol (TEAP), UDP based FTP w/ multicast V5 (UFTP5), and USB Printer (USBPRINTER)
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • MP4 (ISO/IEC 14496-12)

New in WireShark 3.2.7 (Sep 25, 2020)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2020-11[1] MIME Multipart dissector crash. Bug 16741[2]. Fixed in master: 2411eae9ed Fixed in master-3.2: 21f082cb6e Fixed in master-3.0: 14e274f3be Fixed in master-2.6: 5803c7b87b
  • wnpa-sec-2020-12[3] TCP dissector crash. Bug 16816[4]. Fixed in master: c4634b1e99 Fixed in master-3.2: e9b727595b Fixed in master-3.0: 7f3fe6164a Fixed in master-2.6: 9d7ab8b46f
  • wnpa-sec-2020-13[5] BLIP dissector crash. Bug 16866[6]. Fixed in master: 4a94842710 Fixed in master-3.2: 594d312b12 Fixed in master-3.0: 2fb6002559 Fixed in master-2.6: n/a
  • The following bugs have been fixed:
  • HTTP dissector fails to display correct UTF-16 XML Bug 9069[7].
  • TFTP dissector does not track conversations correctly. Source file and Destination File redundant or disagree. Bug 10305[8].
  • Dissector skips DICOM command Bug 13110[9].
  • Editcap time adjustment doesn’t work when both infile and outfile are ERF Bug 16578[10].
  • dissect_tds7_colmetadata_token() has wrong return value if count is 0 Bug 16682[11].
  • "total block length …​ is too small" for Systemd Journal Export Block Bug 16734[12].
  • MNC 11 is showing Mobile Network Code (MNC): NTT DoCoMo Tokai Inc. (11) But its belonging to Rakuten Network Bug 16755[13].
  • DICOM object extraction: discrepancy between tshark and wireshark Bug 16771[14].
  • S1-U data forwarding info and S103 PDN data forwarding info IE’s showing improper value Bug 16777[15].
  • Wireshark crashes while opening a capture Bug 16780[16].
  • Changing preferences via Decode As does not call callback Bug 16787[17].
  • Decoding of PFCP IE 'Remote GTP-U Peer' is incorrect Bug 16805[18].
  • Ng-enb not decoded correctly for Target Identification IE for GTPV2 Bug 16822[19].
  • The client timestamp is parsed error for Google QUIC (version Q039) Bug 16839[20].
  • NAS-5G : PDU session reactivation result Bug 16842[21].
  • Wireshark fails to detect libssh >= 0.9.5 Bug 16845[22].
  • Updated Protocol Support:
  • Aeron, AFP, BLIP, BSSMAP, C12.22, DICOM, E.212, GQUIC, GSM A RR, GTPv2, GVSP, IPX SAP, MIME Multipart, MMS, NAS-5GS, NCP, NDS, PFCP, PROFINET, Q.708, Q.933, RTCP, S1AP, TACACS+, TCP, TDS, TDS7, X2AP, and XML
  • New and Updated Capture File Support:
  • pcapng

New in WireShark 3.2.6 (Aug 13, 2020)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2020-10[1] Kafka dissector crash. Bug 16672[2]. CVE-2020-17498[3].
  • The following bugs have been fixed:
  • Kafka dissector fails parsing FETCH responses. Bug 16623[4].
  • Dissector for ASTERIX Category 001 / 210 does not recognize bit 1 as extension. Bug 16662[5].
  • "invalid timestamp" for Systemd Journal Export Block. Bug 16664[6].
  • Decoding Extended Emergency number list IE length. Bug 16668[7].
  • Some macOS Bluetooth PacketLogger capture files aren’t recognized as PacketLogger files (regression, bisected). Bug 16670[8].
  • Short IMSIs (5 digits) lead to wrong decoding+warning. Bug 16676[9].
  • Decoding of PFCP IE 'PFD Contents' results in "malformed packet". Bug 16704[10].
  • RFH2 Header with 32 or less bytes of NameValue will not parse out that info. Bug 16733[11].
  • CDP: Port ID TLV followed by Type 1009 TLV triggers [Malformed Packet]. Bug 16742[12].
  • tshark crashed when processing opcda. Bug 16746[13].
  • tshark with --export-dicom gives “Segmentation fault (core dumped)”. Bug 16748[14].
  • Updated Protocol Support:
  • ASTERIX, BSSAP, CDP, CoAP, DCERPC SPOOLSS, DCOM, DICOM, DVB-S2, E.212, GBCS, GSM RR, GSM SMS, IEEE 802.11, Kafka, MQ, Nano, NAS 5GS, NIS+, NR RRC, PacketLogger, PFCP, RTPS, systemd Journal, TDS, TN3270, and TN5250
  • New and Updated Capture File Support:
  • PacketLogger and pcapng

New in WireShark 3.2.5 (Jul 2, 2020)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2020-09[1] GVCP dissector infinite loop. Bug 16029[2]. CVE-2020-15466[3].
  • The following bugs have been fixed:
  • Add decryption support for QUIC IETF version 0xfaceb001 and 0xfaceb002. Bug 16378[4].
  • The "relative sequence number" is same as "raw sequence number" when tcp.analyze_sequence_numbers:FALSE. Bug 16604[6].
  • Importing profiles from a different Windows PC fails. Bug 16608[7].
  • Decode as not working correctly with multiple user profiles. Bug 16635[8].
  • Wireshark can misdissect the HE Radiotap field if it’s ever dissected one with any value unknown. Bug 16636[9].
  • Buildbot crash output: fuzz-2020-06-19-5981.pcap. Bug 16639[10].
  • Buildbot crash output: fuzz-2020-06-20-7665.pcap. Bug 16642[11].
  • mergecap man page contains invalid formatting. Bug 16652[12].
  • Updated Protocol Support:
  • ASTERIX, CoAP, GSM RR, GTPv2, GVCP, LTE RRC, NAS-5GS, NGAP, QUIC, R3, Radiotap, RTPS, and TCP

New in WireShark 3.2.4 (May 20, 2020)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2020-08[1] The NFS dissector could crash. Bug 16476[2].
  • The following bugs have been fixed:
  • SDP dissector does not parse sprop-parameter-sets field. Bug 16322[3].
  • PVS-Studio analyser long list of issues. Bug 16335[4].
  • Can’t have duplicate personal and global profile names. Bug 16423[5].
  • pcapng file dissector incorrectly computes nanoseconds from timestamps because it assumes the resolution is in nanoseconds. Bug 16440[6].
  • Read of uninitialized memory in detect_camins_file. Bug 16458[7].
  • Read of uninitialized memory in lanalyzer_read_trace_record. Bug 16459[8].
  • capture -> options -> select interface -> (choose) -> SEGV. Bug 16489[9].
  • SOMEIP: SOME/IP dissector ignores the length field configuration of structs. Bug 16490[10].
  • Packet List Pane doesn’t consume the entire pane. Bug 16491[11].
  • Range parameter on numeric parameter in extcap plugin doesn’t work. Bug 16510[12].
  • Export Packet Dissections not working on Windows (Wireshark 3.2.x). Bug 16516[13].
  • capinfos "Capture duration" output is truncated if there are more than 11 digits of seconds and fractions of a second. Bug 16519[14].
  • MIME Files Format/pcapng: Simple Packet Block parsed incorrectly. Bug 16526[15].
  • SOMEIP: SOME/IP-SD unique id is not unique for eventgroup types (BUG). Bug 16549[16].
  • Buildbot crash output: fuzz-2020-05-13-12195.pcap. Bug 16564[17].
  • Updated Protocol Support:
  • AoE, APRS, ASN.1 BER, DIS, DTLS, FTP, GSM SMS, H.264, IMAP,
  • Infiniband, ISObus VT, Kafka, LSD, MAC LTE, NAS 5GS, NFS, ONC RPC,
  • OSC, pcapng, PDCP LTE, RADIUS, RLC LTE, RTSP, SDP, SIP, Snort,
  • SOMEIP, STUN, TLS, and UMTS FP
  • New and Updated Capture File Support:
  • Camins, Catapult DCT 2000, Lanalyzer, and MPEG

New in WireShark 3.2.3 (May 20, 2020)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2020-07[2] The BACapp dissector could crash. Bug 16474[3]. CVE-2020-11647[4].
  • The following bugs have been fixed:
  • Add (IETF) QUIC Dissector. Bug 13881[5].
  • Rename profile name loses list selection. Bug 15966[6].
  • Dissector bug warning dissecting TLS Certificate Request with many names. Bug 16202[7].
  • Only ACKs, but no DATA frames are visible in -> TCP Stream Graph -> Time Sequence (tcptrace). Bug 16281[8].
  • Copy>Description does not work properly for all tree items. Bug 16323[9].
  • Packet List selection is gone when adding or removing a display filter. Bug 16414[11].
  • Check for updates, and auto-update, not working in 3.2.1. Bug 16416[12].
  • f5ethtrailer: TLS trailer creates incorrect CLIENT keylog entries. Bug 16417[13].
  • Buildbot crash output: randpkt-2020-03-04-18423.pcap. Bug 16424[14].
  • File open dialog shows garbled time stamps. Bug 16429[15].
  • RTCP Bye without optional reason reported as [Malformed Packet]. Bug 16434[16].
  • [oss-fuzz] #20732: Undefined-shift in dissect_rtcp. Bug 16445[17].
  • SOMEIP: SOME/IP-SD dissector fails to register SOME/IP ports, if IPv6 is being used (BUG). Bug 16448[18].
  • tshark logs: "…​could not be opened: Too many open files.". Bug 16457[19].
  • Typo in About Wireshark > Keyboard Shortcuts > Unignore All Displayed. Bug 16472[20].
  • Buildbot crash output: randpkt-2020-04-02-31746.pcap. Bug 16477[21].
  • tshark live capture finishes with a use-after-free. Bug 16487[22].
  • Updated Protocol Support:
  • AFS, BACapp, Bluetooth, CoAP, Diameter3GPP, F5 Ethernet trailer, GSM
  • RLC MAC, ISIS, ISIS CLV, ISIS HELLO, ISIS LSP, ISIS SNP, NAS 5GS, NR
  • RRC, pcap, QUIC, RPCAP, RTCP, SOME/IP-SD, TLS, and WSP
  • New and Updated Capture File Support:
  • pcap

New in WireShark 3.2.2 (Feb 27, 2020)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2020-03[2] LTE RRC dissector memory leak. Bug 16341[3].
  • wnpa-sec-2020-04[4] WiMax DLMAP dissector crash. Bug 16368[5].
  • wnpa-sec-2020-05[6] EAP dissector crash. Bug 16397[7].
  • wnpa-sec-2020-06[8] WireGuard dissector crash. Bug 16394[9].
  • The following bugs have been fixed:
  • Add (IETF) QUIC Dissector. Bug 13881[10].
  • Support for CoAP over TCP and WebSockets (RFC 8323). Bug 15910[11].
  • SMB IOCTL response packet with BUFFER_OVERFLOW status is dissected improperly. Bug 16261[12].
  • Wireshark fails to build with GCC-9. Bug 16319[13].
  • NVMe/TCP ICReq PDU Not Interpreted Correctly. Bug 16333[14].
  • ICMP: No response if ICMP reply packet has an ICMP checksum of 0x0000. Bug 16334[15].
  • Display filter parsing broken after upgrade from 3.0.7. Bug 16336[16].
  • IPv4 fragment offset value is incorrect in IPv4 header decode. Bug 16344[17].
  • RTCP frame length warning for SAT>IP APP packets. Bug 16345[18].
  • RTP export to rtpdump file doesn’t work. Bug 16351[19].
  • CFDP dissector skips a byte. Bug 16361[20].
  • ISAKMP: IKEv2 transforms and proposal have critical bit (BUG). Bug 16364[21].
  • No IPv4/IPv6 hosts in Resolved Addresses dialog. Bug 16366[22].
  • Lack of Check for Updates option in the Windows GUI. Bug 16381[23].
  • LLDP dissector consumes all octets to the end of the TVB and the trailer dissector does not get called. Bug 16387[24].
  • LACP dissector consumes all octets to the end of the TVB and the trailer dissector does not get called. Bug 16388[25].
  • Updated Protocol Support:
  • ARTNET, CFDP, CoAP, EAP, GTP, ICMP, ICMPv6, IPv4, ISAKMP, LACP, LLDP, LTE RRC, NBAP, NVME-TCP, QUIC, RDM, RTCP, RTP, SMB, SOME/IP, TLS, WiMax DLMAP, and WireGuard

New in WireShark 3.2.1 (Jan 16, 2020)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2020-01[1] WASSP dissector crash. Bug 16324[2]. CVE-2020-7044[3].
  • The following bugs have been fixed:
  • Incorrect parsing of USB CDC packets. Bug 14587[4].
  • Wireshark fails to create directory if parent directory does not yet exist. Bug 16143[5].
  • Buildbot crash output: randpkt-2019-11-30-22633.pcap. Bug 16240[6].
  • Closing Flow Graph closes (crashes) main GUI window. Bug 16260[7].
  • Wireshark interprets websocket frames after HTTP handshake in a wrong way. Bug 16274[8].
  • A-bis/OML: IPA Destination IP Address attribute contains inverted value (endianness). Bug 16282[9].
  • wiretap/log3gpp.c: 2 * leap before looking ?. Bug 16283[10].
  • Opening shell terminal prints Wireshark: Permission denied. Bug 16284[11].
  • h264: SPS frame_crop_right_offset shown in UI as frame_crop_left_offset. Bug 16285[12].
  • BGP: update of "Sub-TLV Length" by draft-ietf-idr-tunnel-encaps. Bug 16294[13].
  • SPNEGO+GSS-API+Kerberos+ap-options dissection produces "Unknown Bit(s)" expert message. Bug 16301[14].
  • USB Audio feature unit descriptor is incorrectly dissected. Bug 16305[15].
  • Compiling the .y files fails with Berkeley YACC. Bug 16306[16].
  • PDB files in Windows installer. Bug 16307[17].
  • NAS-5GS 5GS network feature support lacks MCSI, EMCN3 two fields (octet 4). Bug 16310[18].
  • Option to change “Packet List” columns header right click pop-up menu behavior. Bug 16317[19].
  • DLT: Dissector does not parse multiple DLT messages in single UDP packet. Bug 16321[20].
  • ISAKMP Dissection: Enhance Source id and Destination ID field of GDOI SA TEK payload for non IP ID type. Bug 16233[21].
  • DOIP: Typo in "identifcation request messages". Bug 16325[22].
  • Toolbar "?" help button - no text/help displayed. Bug 16327[23].

New in WireShark 3.2.0 (Dec 20, 2019)

  • New and Updated Features:
  • You can now follow HTTP/2 and QUIC streams.
  • You can once again mark and unmark packets using the middle mouse button. This feature went missing around 2009 or so.
  • The Windows packages are now built using Microsoft Visual Studio 2019.
  • IOGraph automatically adds a graph for the selected display filter if no previous graph exists
  • Action buttons for the display filter bar may be aligned left via the context menu
  • The "Expression…​" toolbar entry has been moved to "Analyze › Display filter Expression …​" as well as to the context menu of the display filter toolbar
  • Allow extcaps to be loaded from the personal configuration directory
  • The Wireshark 3.1.0 Windows installers ship with Qt 5.12.6. Previous installers shipped with Qt 5.12.4.
  • The following features are new (or have been significantly updated) since version 3.2.0rc2:
  • Minor bug fixes.
  • The following features are new (or have been significantly updated) since version 3.2.0rc1:
  • Minor bug fixes.
  • The following features are new (or have been significantly updated) since version 3.1.1:
  • Miscellaneous UI fixes and updates.
  • The macOS installer now ships with Qt 5.12.6. It previously shipped with Qt 5.12.5.
  • The following features are new (or have been significantly updated) since version 3.1.0:
  • Automatic updates are supported on macOS.
  • You can now select multiple packets in the packet list at the same time
  • They can be exported as Text by “Ctrl+C” or “Cmd+C” and the corresponding menu in “Edit › Copy › As …​”
  • They can be marked/unmarked or ignored/unignored at the same time
  • They can be exported and printed using the corresponding menu entries “File › Export Specified Packets”, “File › Export Packet Dissections” and “File › Print”
  • The following features are new (or have been significantly updated) since version 3.0.0:
  • You can drag and drop a field to a column header to create a column for that field, or to the display filter input to create a display filter. If a display filter is applied, the new filter can be added using the same rules as “Apply Filter”
  • You can drag and drop a column entry to the display filter to create a filter for it.
  • You can import profiles from a .zip archive or an existing directory.
  • Dark mode support on macOS and dark theme support on other platforms has been improved.
  • Brotli decompression support in HTTP/HTTP2 (requires the brotli library).
  • The build system now checks for a SpeexDSP system library installation. The bundled Speex resampler code is still provided as a fallback.
  • WireGuard decryption can now be enabled through keys embedded in a pcapng in addition to the existing key log preference (Bug 15571[1]).
  • A new tap for extracting credentials from the capture file has been added. It can be accessed through the -z credentials option in tshark or from the “Tools › Credentials” menu in Wireshark.
  • Editcap can now split files on floating point intervals.
  • The “Enabled Protocols” Dialog now only enables, disables and inverts protocols based on the set filter selection. The protocol type (standard or heuristic) may also be choosen as a filter value.
  • Save RTP stream to .au supports any codec with 8000 Hz rate supported by Wireshark (shown in RTP player). If save of audio is not possible (unsupported codec or rate), silence of same length is saved and warning is shown.
  • The “Analyze › Apply as Filter” and “Analyze › Prepare a Filter” packet list and detail popup menus now show a preview of their respective filters.
  • Protobuf files (*.proto) can now be configured to enable more precise parsing of serialized Protobuf data (such as gRPC).
  • HTTP2 support streaming mode reassembly. To use this feature, subdissectors can register itself to "streaming_content_type" dissector table and return pinfo→desegment_len and pinfo→desegment_offset to tell HTTP2 when to start and how many additional bytes requires when next called.
  • The message of stream gRPC method can now be parsed with supporting of HTTP2 streaming mode reassembly feature.
  • The Wireshark 3.1.0 Windows installers ship with Qt 5.12.4. Previous installers shipped with Qt 5.12.1.
  • New Protocol Support:
  • 3GPP BICC MST (BICC-MST), 3GPP log packet (LOG3GPP), 3GPP/GSM Cell Broadcast Service Protocol (cbsp), Asynchronous Management Protocol (AMP), Bluetooth Mesh Beacon, Bluetooth Mesh PB-ADV, Bluetooth Mesh Provisioning PDU, Bluetooth Mesh Proxy, CableLabs Layer-3 Protocol IEEE EtherType 0xb4e3 (CL3), DCOM IProvideClassInfo, DCOM ITypeInfo, Diagnostic Log and Trace (DLT), Distributed Replicated Block Device (DRBD), Dual Channel Wi-Fi (CL3DCW), EBHSCR Protocol (EBHSCR), EERO Protocol (EERO), evolved Common Public Radio Interface (eCPRI), File Server Remote VSS Protocol (FSRVP), FTDI FT USB Bridging Devices (FTDI FT), Graylog Extended Log Format over UDP (GELF), GSM/3GPP CBSP (Cell Broadcast Service Protocol), ITS message - CAMv1, ITS message - DENMv1, Linux net_dm (network drop monitor) protocol, MIDI System Exclusive DigiTech (SYSEX DigiTech), Network Controller Sideband Interface (NCSI), NR Positioning Protocol A (NRPPa) TS 38.455, NVM Express over Fabrics for TCP (nvme-tcp), OsmoTRX Protocol (GSM Transceiver control and data), Scalable service-Oriented MiddlewarE over IP (SOME/IP), USB 2.0 Link Layer (USBLL), and Wi-Fi Neighbour Awareness Networking (NAN)
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • 3gpp phone, Android Logcat Text, Ascend, Busmaster log file, Candump, Endace ERF, NetScaler, pcapng, and Savvius *Peek

New in WireShark 3.0.7 (Dec 5, 2019)

  • The Windows and macOS installers now ship with Qt 5.12.6. They previously shipped with Qt 5.12.5.
  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2019-22[1] CMS dissector crash. Bug 15961[2]. CVE-2019-19553[3].
  • The following bugs have been fixed:
  • ws_pipe_wait_for_pipe() can wait on closed handles. Bug 15696[4].
  • Support for 11ax in PEEKREMOTE. Bug 15740[5].
  • The temporary file …​ could not be opened: Invalid argument. Bug 15751[6].
  • Reassembling of the two TLS records is not working correctly. Bug 16109[7].
  • Display Filter Area: Dropdown Missing pkt_comment and tcp.options.sack_perm (likely others). Bug 16130[8].
  • Display Filter autocompletion should be disabled. Bug 16132[9].
  • BGP Linkstate IP Reachability information is incorrect. Bug 16144[10].
  • NGAP: ExpectedUEActivityBehaviour decode error. Bug 16145[11].
  • HomePlug AV dissector: MMTYPE and FMI fields are dissected incorrectly. Bug 16158[12].
  • JPEG files cannot be saved on Windows with french language. Bug 16165[13].
  • X11 --display interpreted as --display-filter which maps to -Y option. Bug 16167[14].
  • "Create new file automatically after" not working with extcap. Bug 16178[15].
  • Encrypted TLS alerts sometimes listed as decrypted. Bug 16180[16].
  • The "Remove Wireshark from the system path" package has "Add Wireshark to the system PATH" as its title. Bug 16200[17].
  • tshark -T ek -x causes get_field_data: code should not be reached. Bug 16218[18].
  • Crash on Go → Next/Previous Packet in Conversation when no packet is selected. Bug 16228[19].
  • Updated Protocol Support:
  • BGP, HomePlug AV, IEEE 802.11, and TLS

New in WireShark 3.0.3 (Jul 18, 2019)

  • What’s New:
  • The macOS installer now ships with Qt 5.12.4. It previously shipped with Qt 5.12.1.
  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2019-20[1] ASN.1 BER and related dissectors crash. Bug 15870[2]. CVE-2019-13619[3].
  • The following bugs have been fixed:
  • "ninja install" installs help/faq.py instead of help/faq.txt. Bug 15543[4].
  • In Wireshark 3.0, encrypted DOCSIS PDU packets no longer match the filter "eth.dst". Bug 15731[5].
  • Developer’s Guide section 3.9 "Contribute your changes" should incorporate or link "Writing a good commit message" from the Wiki. Bug 15752[6].
  • RSL dissector bugs in presence of optional IEs. Bug 15789[7].
  • The "Media Attribute Value" field is missed in rtcp SDP dissection (packet-sdp.c). Bug 15791[8].
  • BTLE doesn’t properly detect start fragment of L2CAP PDUs. Bug 15807[9].
  • Wi-SUN FAN decoder error, Channel Spacing and Reserved fields are swapped. Bug 15821[10].
  • tshark: Display filter error message references "-d" when it should reference "-Y". Bug 15825[11].
  • Open "protocol" preferences …​ does not work for protocol in subtree. Bug 15836[12].
  • Problems with sshdump "Error by extcap pipe: sh: sudo: command not found". Bug 15845[13].
  • editcap won’t change encapsulation type when writing pcap format. Bug 15873[14].
  • ITU-T G.8113.1 MPLS-TP OAM CC,LMM,LMR,DMM and DMR are not seen in the 3.0.2. Bug 15887[15].
  • Updated Protocol Support:
  • AERON, ASN.1, BTLE, CUPS, DNS, DOCSIS, DPNSS, GSM RLC/MAC, HiQnet, ISO 14443, ISObus VT, LDAP, MAC LTE, MIME multipart, MPLS, MQ, RSL, SDP, SMB, TNEF, and Wi-SUN
  • New and Updated Capture File Support:
  • Ascend

New in WireShark 3.0.2 (May 23, 2019)

  • What’s New:
  • The macOS packages are now notarized[1].
  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2019-19[2] Wireshark dissection engine crash. Bug 15778[3].
  • The following bugs have been fixed:
  • Add (IETF) QUIC Dissector. Bug 13881[4].
  • Wireshark Hangs on startup initializing external capture plugins. Bug 14657[5].
  • [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree — possible infinite loop. Bug 14978[6].
  • Wireshark can call extcap with empty multicheck argument. Bug 15065[7].
  • CMPv2 KUR message disection gives unexpected value for serialNumber under OldCertId fields. Bug 15154[8].
  • "(Git Rev Unknown from unknown)" in version string for official tarball. Bug 15544[9].
  • External extcap does not get all arguments sometimes. Bug 15586[10].
  • Help file doesn’t display for extcap interfaces. Bug 15592[11].
  • Buildbot crash output: randpkt-2019-03-14-4670.pcap. Bug 15604[12].
  • Building only libraries on windows fails due to CLEAN_C_FILES empty. Bug 15662[13].
  • Statistics→Conversations→TCP→Follow Stream - incorrect behavior. Bug 15672[14].
  • Wrong NTP timestamp for RTCP XR RR packets (hf_rtcp_xr_timestamp field). Bug 15687[15].
  • ws_pipe: leaks pipe handles on errors. Bug 15689[16].
  • Build issue in Wireshark - 3.0.1 on RHEL6. Bug 15706[17].
  • ISAKMP: Segmentation fault with non-hex string for IKEv1 Decryption Table Initiator Cookie. Bug 15709[18].
  • extcap: non-boolean call arguments can be appended without value on selector Reload. Bug 15725[19].
  • Incorrectly interpreted format of MQTT PUBLISH payload data. Bug 15738[20].
  • print.c: Memory leak in ek_check_protocolfilter. Bug 15758[21].
  • IETF QUIC dissector incorrectly parses retry packet. Bug 15764[22].
  • Bacnet(app): fix wrong value for id 183 (logging-device → logging-object). Bug 15767[23].
  • The SMB2 code to look up decryption keys by session ID assumes it’s running on a little-endian machine. Bug 15772[24].
  • tshark -G folders leaves mmdbresolve process behind. Bug 15777[25].
  • Dissector bug, protocol TLS - failed assertion "data". Bug 15780[26].
  • WSMP : header_opt_ind field is not correctly set. Bug 15786[27].
  • Updated Protocol Support:
  • BACapp, DDP, EPL, Frame, IEEE 802.11, IS-IS CLV, ISAKMP, K12, KNXIP,
  • MQTT, PNIO, QUIC, RTCP XR RR, SCTP, SMB2, TDS, TLS, WSMP, and ZEBRA
  • New and Updated Capture File Support:
  • pcapng

New in WireShark 3.0.1 (Apr 9, 2019)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2019-09[1] NetScaler file parser crash. Bug 15497[2].
  • wnpa-sec-2019-10[4] SRVLOC dissector crash. Bug 15546[5].
  • wnpa-sec-2019-11[7] IEEE 802.11 dissector infinite loop. Bug
  • wnpa-sec-2019-12[10] GSUP dissector infinite loop. Bug 15585[11].
  • wnpa-sec-2019-13[13] Rbm dissector infinite loop. Bug 15612[14].
  • wnpa-sec-2019-14[16] GSS-API dissector crash. Bug 15613[17].
  • wnpa-sec-2019-15[19] DOF dissector crash. Bug 15617[20].
  • wnpa-sec-2019-16[22] TSDNS dissector crash. Bug 15619[23].
  • wnpa-sec-2019-17[25] LDSS dissector crash. Bug 15620[26].
  • wnpa-sec-2019-18[28] DCERPC SPOOLSS dissector crash. Bug
  • The following bugs have been fixed:
  • [oss-fuzz] UBSAN: shift exponent 34 is too large for 32-bit type 'guint32' (aka 'unsigned int') in packet-ieee80211.c:15534:49. Bug 14770[31].
  • [oss-fuzz] UBSAN: shift exponent 35 is too large for 32-bit type 'int' in packet-couchbase.c:1674:37. Bug 15439[32].
  • Duplicated TCP SEQ field in ICMP packets. Bug 15533[33].
  • Wrong length in dhcpv6 NTP Server suboption results in "Malformed Packet" and breaks further dissection. Bug 15542[34].
  • Wireshark’s speaker-to-MaxMind is burning up the CPU. Bug 15545[35].
  • GSM-A-RR variable bitmap decoding may report ARFCNs > 1023. Bug 15549[36].
  • Import hexdump dummy Ethernet header generation ignores direction indication. Bug 15561[37].
  • %T not supported for timestamps. Bug 15565[38].
  • LWM2M: resource with rn badly shown. Bug 15572[39].
  • When selecting BSSAP in 'Decode As' for a SCCP payload, it uses BSSAP+ which is not the same protocol. Bug 15578[40].
  • Possible buffer overflow in function ssl_md_final for crafted SSL 3.0 sessions. Bug 15599[41].
  • Syslog dissector processes the UTF-8 BOM incorrectly. Bug 15607[43].
  • NFS/NLM: Wrong lock byte range in the "Info" column. Bug 15608[44].
  • randpkt -r causes segfault when count > 1. Bug 15627[45].
  • Tshark export to ElasticSearch (-Tek) fails with Bad json_dumper state: illegal transition. Bug 15628[46].
  • Packets with metadata but no data get the Protocol Info column overwritten. Bug 15630[47].
  • BGP MP_REACH_NLRI AFI: Layer-2 VPN, SAFI: EVPN - Label stack not decoded. Bug 15631[48].
  • Buildbot crash output: fuzz-2019-03-23-1789.pcap. Bug 15634[49].
  • Typo: broli → brotli. Bug 15647[50].
  • Wrong dissection of GTPv2 MM Context Used NAS integrity protection algorithm. Bug 15648[51].
  • Windows CHM (help file) title displays quoted HTML characters. Bug 15656[52].
  • Unable to load 3rd party plugins not signed by Wireshark’s codesigning certificate. Bug 15667[53].
  • Updated Protocol Support:
  • BGP, BSSAP, Couchbase, DCERPC SPOOLSS, DHCP, DHCPv6, DOF, FP, GSM A RR, GSS-API, GSUP, GTP, GTPv2, H248C, HL7, IEEE 802.11, IEEE 802.15.4, ISO 14443, LDSS, LwM2M-TLV, NLM, Rbm, SIP, SRVLOC, Syslog, TCP, TLS, and TSDNS
  • New and Updated Capture File Support:
  • NetScaler and pcap

New in WireShark 3.0.0 (Mar 1, 2019)

  • What’s New:
  • Many user interface improvements have been made. See the “New and Updated Features” section below for more details.
  • Support for a number of legacy features and libraries has been removed. See the “Removed Features and Support” section below for more details.
  • Bug Fixes:
  • The following bugs have been fixed:
  • Data following a TCP ZeroWindowProbe is marked as retransmission and not passed to subdissectors (Bug 15427[1])
  • Lua Error on startup: init.lua: dofile has been disabled due to running Wireshark as superuser (Bug 15489[2]).
  • Text and Image columns were handled incorrectly for TDS 7.0 and 7.1. (Bug 3098[3])
  • Dumpcap might not quit if Wireshark or TShark crashes. (Bug 1419[4])
  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 3.0.0rc1:
  • The IP map feature (the “Map” button in the “Endpoints” dialog) has been added back in a modernized form (Bug 14693[5]).
  • The macOS package now ships with Qt 5.12.1. Previously it shipped with Qt 5.9.7.
  • The macOS package requires version 10.12 or later. If you’re running an older version of macOS, please use Wireshark 2.6.
  • The following features are new (or have been significantly updated) since version 2.9.0:
  • Wireshark now supports the Swedish and Ukrainian languages.
  • Initial support for using PKCS #11 tokens for RSA decryption in TLS. This can be configured at Preferences, RSA Keys.
  • • The build system now produces reproducible builds (Bug 15163[6]).
  • • The Windows installers now ship with Qt 5.12.1. Previously they
  • shipped with Qt 5.12.0.

New in WireShark 2.9.0 (Dec 13, 2018)

  • hat’s New:
  • Many user interface improvements have been made. See the “New and Updated Features” section below for more details.
  • Bug Fixes:
  • The following bugs have been fixed:
  • Dumpcap might not quit if Wireshark or TShark crashes. (Bug 1419[1])
  • New and Updated Features:
  • The following features are new (or have been significantly updated)
  • since version 2.6.0:
  • Conversation timestamps are supported for UDP/UDP-Lite protocols
  • TShark now supports the -G elastic-mapping option which generates an ElasticSearch mapping file.
  • The “Capture Information” dialog has been added back (Bug 12004[2]).
  • The Ethernet and IEEE 802.11 dissectors no longer validate the frame check sequence (checksum) by default.
  • The TCP dissector gained a new “Reassemble out-of-order segments” preference to fix dissection and decryption issues in case TCP segments are received out-of-order. See the User’s Guide, chapter TCP Reassembly for details.
  • Decryption support for the new WireGuard dissector (Bug 15011[3], requires Libgcrypt 1.8).
  • The BOOTP dissector has been renamed to DHCP. With the exception of “bootp.dhcp”, the old “bootp.*” display filter fields are still supported but may be removed in a future release.
  • The SSL dissector has been renamed to TLS. As with BOOTP the old “ssl.*” display filter fields are supported but may be removed in a future release.
  • Coloring rules, IO graphs, Filter Buttons and protocol preference tables can now be copied from other profiles using a button in the corresponding configuration dialogs.
  • APT-X has been renamed to aptX.
  • When importing from hex dump, it’s now possible to add an ExportPDU header with a payload name. This calls the specific dissector directly without lower protocols.
  • The sshdump and ciscodump extcap interfaces can now use a proxy for the SSH connection.
  • Dumpcap now supports the -a packets:NUM and -b packets:NUM options.
  • Wireshark now includes a “No Reassembly” configuration profile.
  • Wireshark now supports the Russian language.
  • The build system now supports AppImage packages.
  • Removed Features and Support:
  • The legacy (GTK+) user interface has been removed and is no longer supported.
  • Wireshark requires Qt 5.2 or later. Qt 4 is no longer supported.
  • Wireshark requires GLib 2.32 or later.
  • Building Wireshark requires CMake. Autotools is no longer supported.
  • TShark’s -z compare option was removed.
  • New File Format Decoding Support:
  • Ruby Marshal format
  • New Protocol Support:
  • Apple Wireless Direct Link (AWDL), BLIP Couchbase Mobile (BLIP), CDMA 2000, Cisco Meraki Discovery Protocol (MDP), Distributed Ruby (DRb), DXL, E1AP (5G), EVS (3GPP TS 26.445 A.2 EVS RTP), Exablaze trailers, General Circuit Services Notification Application Protocol (GCSNA), GLOW Lawo Emberplus Data format, GSM-R (User-to-User Information Element usage), HI3CCLinkData, ISO 13400-2 Diagnostic communication over Internet Protocol (DoIP), ITU-t X.696 Octet Encoding Rules (OER), Local Number Portability Database Query Protocol (ANSI), MsgPack, NGAP (5G), NR (5G) PDCP, Osmocom Generic Subscriber Update Protocol (GSUP), PKCS#10 (RFC2986 Certification Request Syntax), PROXY (v2), S101 Lawo Emberplus transport frame, Secure Reliable Transport Protocol (SRT), Spirent Test Center Signature decoding for Ethernet and FibreChannel (STCSIG, disabled by default), Sybase-specific portions of TDS, systemd Journal Export, TeamSpeak 3 DNS, TPM 2.0, Ubiquiti Discovery Protocol (UBDP), WireGuard, and XnAP (5G)
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • RFC 7468 (PEM), Ruby marshal object files, systemd Journal Export, and Unigraf DPA-400 DisplayPort AUX channel monitor
  • New and Updated Capture Interfaces support:
  • dpauxmon, an external capture interface (extcap) that captures DisplayPort AUX channel data from linux kernel drivers.
  • sdjournal, an extcap that captures systemd journal entries.
  • Major API Changes:
  • Lua: the various logging functions (debug, info, message, warn and critical) have been removed. Use the print function instead for debugging purposes.

New in WireShark 2.6.5 (Dec 13, 2018)

  • What’s New
  • The Windows installers now ship with Qt 5.9.7. Previously they shipped with Qt 5.9.5.
  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2018-51[1] The Wireshark dissection engine could crash. Bug 14466[2]. CVE-2018-19625[3].
  • wnpa-sec-2018-52[4] The DCOM dissector could crash. Bug 15130[5]. CVE-2018-19626[6].
  • wnpa-sec-2018-53[7] The LBMPDM dissector could crash. Bug 15132[8]. CVE-2018-19623[9].
  • wnpa-sec-2018-54[10] The MMSE dissector could go into an infinite loop. Bug 15250[11]. CVE-2018-19622[12].
  • wnpa-sec-2018-55[13] The IxVeriWave file parser could crash. Bug 15279[14]. CVE-2018-19627[15].
  • wnpa-sec-2018-56[16] The PVFS dissector could crash. Bug 15280[17]. CVE-2018-19624[18].
  • wnpa-sec-2018-57[19] The ZigBee ZCL dissector could crash. Bug 15281[20]. CVE-2018-19628[21].
  • The following bugs have been fixed:
  • VoIP Calls dialog doesn’t include RTP stream when preparing a filter. Bug 13440[22].
  • Wireshark installs on macOS with permissions for /Library/Application Support/Wireshark that are too restrictive. Bug 14335[23].
  • Closing Enabled Protocols dialog crashes wireshark. Bug 14349[24].
  • Unable to Export Objects → HTTP after sorting columns. Bug 14545[25].
  • DNS Response to NS query shows as malformed packet. Bug 14574[26].
  • Encrypted Alerts corresponds to a wrong selection in the packet bytes pane. Bug 14712[27].
  • Wireshark crashes/asserts with Qt 5.11.1 and assert/debugsymbols enabled. Bug 15014[28].
  • ESP will not decode since 2.6.2 - works fine in 2.4.6 or 2.4.8. Bug 15056[29].
  • text2pcap generates malformed packets when TCP, UDP or SCTP headers are added together with IPv6 header. Bug 15194[30].
  • Wireshark tries to decode EAP-SIM Pseudonym Identity. Bug 15196[31].
  • Infinite read loop when extcap exits with error and error message. Bug 15205[32].
  • MATE unable to extract fields for PDU. Bug 15208[33].
  • Malformed Packet: SV. Bug 15224[34].
  • OPC UA Max nesting depth exceeded for valid packet. Bug 15226[35].
  • TShark 2.6 does not print GeoIP information. Bug 15230[36].
  • ISUP (ANSI) packets malformed in WS versions later than 2.4.8. Bug 15236[37].
  • Handover candidate enquire message not decoded. Bug 15237[38].
  • TShark piping output in a cmd or PowerShell prompt stops working when GeoIP is enabled. Bug 15248[39].
  • ICMPv6 with routing header incorrectly placed. Bug 15270[40].
  • IEEE 802.11 Vendor Specific fixed fields display as malformed packets. Bug 15273[41].
  • text2pcap -4 and -6 option should require -i as well. Bug 15275[42].
  • text2pcap direction sensitivity does not affect dummy ethernet addresses. Bug 15287[43].
  • MLE security suite display incorrect. Bug 15288[44].
  • Message for incorrect IPv4 option lengths is incorrect. Bug 15290[45].
  • TACACS+ dissector does not properly reassemble large accounting messages. Bug 15293[46].
  • NLRI of S-PMSI A-D BGP route not being displayed. Bug 15307[47].
  • Updated Protocol Support:
  • BGP, DCERPC, DCOM, DNS, EAP, ESP, GSM A BSSMAP, IEEE 802.11, IEEE
  • 802.11 Radiotap, IPv4, IPv6, ISUP, LBMPDM, LISP, MLE, MMSE, OpcUa,
  • PVFS, SLL, SSL/TLS, SV, TACACS+, TCAP, Wi-SUN, XRA, and ZigBee ZCL
  • New and Updated Capture File Support:
  • 3GPP TS 32.423 Trace and IxVeriWave
  • New and Updated Capture Interfaces support:
  • sshdump

New in WireShark 2.6.4 (Oct 12, 2018)

  • Bug Fixes
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2018-47[1] MS-WSP dissector crash. Bug 15119[2]. CVE-2018-18227[3].
  • wnpa-sec-2018-48[4] Steam IHS Discovery dissector memory leak. Bug 15171[5]. CVE-2018-18226[6].
  • wnpa-sec-2018-49[7] CoAP dissector crash. Bug 15172[8]. CVE-2018-18225[9].
  • wnpa-sec-2018-50[10] OpcUA dissector crash. CVE-2018-12086[11].
  • The following bugs have been fixed:
  • HTTP2 dissector decodes first SSL record only. Bug 11173[12].
  • Undocumented sub-option for -N option in man page and tshark -N help. Bug 14826[13].
  • Mishandling of Port Control Protocol option padding. Bug 14950[14].
  • MGCP: parameter lines are case-insensitive. Bug 15008[15].
  • Details of 2nd sub-VSA in bundled RADIUS VSA are incorrect. Bug 15073[16].
  • Heuristic DPLAY dissector fails to recognize DPLAY packets. Bug 15092[17].
  • gsm_rlcmac_dl dissector exception. Bug 15112[18].
  • dfilter_buttons file under user-created profile. Bug 15114[19].
  • Filter buttons disappear when using pre-2.6 profile. Bug 15121[20].
  • PROFINET Information element AM_DeviceIdentification in Asset Management Info block is decoded wrongly. Bug 15140[21].
  • Hw dest addr column shows incorrect address. Bug 15144[22].
  • Windows dumpcap -i TCP@ fails on pcapng stream. Bug 15149[23].
  • Wildcard expansion doesn’t work on Windows 10 for command-line programs in cmd.exe or PowerShell. Bug 15151[24].
  • SSL Reassembly Error New fragment past old data limits. Bug 15158[25].
  • Updated Protocol Support:
  • ASN.1 PER, Bluetooth HCI_SCO, CoAP, DPLAY, IEEE 802.11, Kafka,
  • Message Analyzer, MGCP, MS-WSP, Netmon, OpcUa, PCP, PNIO, RADIUS,
  • Steam IHS Discovery, and TLS
  • New and Updated Capture File Support:
  • Ascend and pcapng

New in WireShark 2.6.3 (Aug 30, 2018)

  • Bug Fixes:
  • wnpa-sec-2018-44: Bluetooth AVDTP dissector crash. Bug 14884. CVE-2018-16058.
  • wnpa-sec-2018-45: Bluetooth Attribute Protocol dissector crash. Bug 14994. CVE-2018-16056.
  • wnpa-sec-2018-46: Radiotap dissector crash. Bug 15022. CVE-2018-16057.
  • The following bugs have been fixed:
  • Wireshark Hangs on startup initializing external capture plugins. Bug 14657.
  • Qt: SCTP Analyse Association Dialog: Segmentation fault when clicking twice the Filter Association button. Bug 14970.
  • Incorrect presentation of dissected data item (NETMASK) in ISAKMP dissector. Bug 14987.
  • Decode NFAPI: CONFIG.request Error. Bug 14988.
  • udpdump frame too long error. Bug 14989.
  • ISDN - LAPD dissector broken since version 2.5.0. Bug 15018.
  • ASTERIX Category 062 / 135 Altitude has wrong value. Bug 15030.
  • Wireshark cannot decrypt SSL/TLS session if it was proxied over HTTP tunnel. Bug 15042.
  • TLS records in a HTTP tunnel are displayed as "Encrypted Handshake Message". Bug 15043.
  • BTATT Dissector: Temperature Measurement: Celsius and Fahrenheit swapped. Bug 15058.
  • Diameter AVP User Location Info, Mobile Network Code decoded not correctly. Bug 15068.
  • Heartbeat message "Info" displayed without comma separator. Bug 15079.
  • Updated Protocol Support:
  • ASTERIX, Bluetooth, Bluetooth ATT, Bluetooth AVDTP, DHCP, DTLS, E.212, FP, GSM A RR, HTTP, HTTP2, IEEE 802.11, ISAKMP, ISDN, K12, NFAPI, Nordic BLE, PFCP, Radiotap, SSL, Steam IHS Discovery, and TLS 1.3
  • New and Updated Capture File Support:
  • pcapng
  • New and Updated Capture Interfaces support:
  • ciscodump, udpdump

New in WireShark 2.6.2 (Jul 19, 2018)

  • BUG FIXES:
  • wnpa-sec-2018-34[1]: BGP dissector large loop. Bug 13741[2]. CVE-2018-14342[3].
  • wnpa-sec-2018-35[4]: ISMP dissector crash. Bug 14672[5]. CVE-2018-14344[6].
  • wnpa-sec-2018-36[7]: Multiple dissectors could crash. Bug 14675[8]. CVE-2018-14340[9].
  • wnpa-sec-2018-37[10]: ASN.1 BER dissector crash. Bug 14682[11]. CVE-2018-14343[12].
  • wnpa-sec-2018-38[13]: MMSE dissector infinite loop. Bug 14738[14]. CVE-2018-14339[15].
  • wnpa-sec-2018-39[16]: DICOM dissector crash. Bug 14742[17]. CVE-2018-14341[18].
  • wnpa-sec-2018-40[19]: Bazaar dissector infinite loop. Bug 14841[20]. CVE-2018-14368[21].
  • wnpa-sec-2018-41[22]: HTTP2 dissector crash. Bug 14869[23]. CVE-2018-14369[24].
  • wnpa-sec-2018-42[25]: CoAP dissector crash. Bug 14966[26]. CVE-2018-14367[27].
  • ISMP.EDP "Tuples" dissected incorrectly. Bug 4943[28].
  • Wireshark - Race issue when switching between files using Wireshark’s "Files in Set" dialog. Bug 10870[29].
  • Sorting on "Source port" or "Destination port" column sorts alphabetically, not numerically. Bug 11460[30].
  • Wireshark crashes when changing profiles. Bug 11648[31].
  • Crash when starting capture while saving capture file or rescanning file after display filter change. Bug 13594[32].
  • Crash when switching to TRANSUM enabled profile. Bug 13697[33].
  • TCP retransmission with additional payload leads to incorrect bytes and length in stream. Bug 13700[34].
  • Wireshark crashes with single quote string display filter. Bug 14084[35].
  • randpkt can write packets that libwiretap can’t read. Bug 14107[36].
  • Wireshark crashes when loading new file before previous load has finished. Bug 14351[37].
  • Valid packet produces Malformed Packet: OpcUa. Bug 14465[38].
  • Error received from dissect_wccp2_hash_assignment_info(). Bug 14573[39].
  • CRC checker wrong for FPP. Bug 14610[40].
  • Cross-build broken due to make-dissectors and make-taps. Bug 14622[41].
  • Extraction of SMB file results in wrong size. Bug 14662[42].
  • 6LoWPAN dissector merges fragments from different sources. Bug 14700[43].
  • IP address to name resolution doesn’t work in TShark. Bug 14711[44].
  • "Decode as" Modbus RTU over USB doesn’t work with 2.6.0 but with 2.4.6. Bug 14717[45].
  • proto_tree_add_protocol_format might leak memory. Bug 14719[46].
  • tostring for NSTime objects in lua gives wrong results. Bug 14720[47].
  • Media type "application/octet-stream" registered for both Thread and UASIP. Bug 14729[48].
  • Crash related to SCTP tap. Bug 14733[49].
  • Formatting of OSI area addresses/address prefixes goes past the end of the area address/address prefix. Bug 14744[50].
  • ICMPv6 Router Renumbering - Packet Dissector - malformed. Bug 14755[51].
  • WiMAX HARQ MAP decoder segfaults when length is too short. Bug 14780[52].
  • HTTP PUT request following a HEAD request is not correctly decoded. Bug 14793[53].
  • SYNC PDU type 3 miss the last PDU length. Bug 14823[54].
  • Reversed 128 bits service UUIDs when Bluetooth Low Energy advertisement data are dissected. Bug 14843[55].
  • Issues with Wireshark when the user doesn’t have permission to capture. Bug 14847[56].
  • Wrong description when LE Bluetooth Device Address type is dissected. Bug 14866[57].
  • LE Role advertisement type (0x1c) is not dissected properly according to the Bluetooth specification. Bug 14868[58].
  • Regression: Wireshark 2.6.0 and 2.6.1 are unable to read NetMon files which were readable by previous versions. Bug 14876[59].
  • Wireshark doesn’t properly display (deliberately) invalid 220 responses from Postfix. Bug 14878[60].
  • Follow TCP Stream and click reassembled content moves you to incorrect current packet. Bug 14898[61].
  • Crash when changing profiles while loading a capture file. Bug 14918[62].
  • Duplicate PDU during C Arrays Output Export. Bug 14933[63].
  • DCE/RPC not dissected when "reserved for use by implementations" flag bits set. Bug 14942[64].
  • Follow TCP Stream truncates output on missing (but ACKed) segments. Bug 14944[65].
  • There’s no option to include column headings when printing packets or exporting packet dissections with Qt Wireshark. Bug 14945[66].
  • Qt: SCTP Graph Dialog: Abort when doing analysis. Bug 14971[67].
  • CMake is unable to find LUA libraries. Bug 14983[68].
  • UPDATED PROTOCOL SUPPORT:
  • 6LoWPAN, ASN.1 BER, Bazaar, BGP, Bluetooth, Bluetooth HCI_CMD, CIGI, Cisco ttag, CoAP, Data, DCERPC, Diameter 3GPP, DICOM, DOCSIS, FPP, GSM A GM, GTPv2, HTTP, HTTP2, IAX2, ICMPv6, IEEE 1722, IEEE 802.11, IPv4, ISMP, LISP, MMSE, MTP3, MySQL, NFS, OpcUa, PPI GPS, Q.931, RNSAP, RPCoRDMA, S1AP, SCTP, SMB, SMTP, STUN, SYNC, T.30, TCP, TRANSUM, WAP, WCCP, Wi-SUN, WiMax HARQ Map Message, and WSP
  • NEW AND UPDATED CAPTURE FILE SUPPORT:
  • Alcatel-Lucent Ascend and Microsoft Network Monitor

New in WireShark 2.6.1 (May 23, 2018)

  • BUG FIXES:
  • The following vulnerabilities have been fixed:
  • The LDSS dissector could crash. (ws-bug14615)
  • The IEEE 1905.1a dissector could crash. (ws-bug14647)
  • The RTCP dissector could crash. (ws-bug14673)
  • Multiple dissectors could consume excessive memory. (ws-bug14678)
  • The DNS dissector could crash. (ws-bug14681)
  • The GSM A DTAP dissector could crash. (ws-bug14688)
  • The Q.931 dissector could crash. (ws-bug14689)
  • The IEEE 802.11 dissector could crash. (ws-bug14686)
  • Multiple dissectors could crash. (ws-bug14703)
  • THE FOLLOWING BUGS HAVE BEEN FIXED:
  • Qt GUI does not snap to exactly half of screen in Windows. (Bug 13516[1])
  • Segmentation fault when switching profiles. (Bug 14316[2])
  • QUIC dissector produces incorrect packet numbers (wrong-endian).(Bug 14462[3])
  • Wrong default file format chosen in when saving a capture with comments added if the original format doesn’t support comments. (Bug 14601[4])
  • Lua: Error during loading [AppData directory]:1: bad argument #1 to dofile (dofile: file does not exist). (Bug 14619[5])
  • Crash when selecting text. (Bug 14620[6])
  • ui/macosx directory missing from source release tarball. (Bug 14627[7])
  • Wireshark 2.9.0 snapshot crashes/segfaults on Windows when launched with -k or -i. (Bug 14632[8])
  • "Copy as printable text" isn’t copying non-alphanumeric characters. (Bug 14633[9])
  • File missing from release tarball. (Bug 14634[10])
  • NEWS is out of date and does not display properly in Notepad. (Bug 14636[11])
  • l16mono.so is installed in the wrong place. (Bug 14638[12])
  • Remove: HACK to support UHD’s weird header offset on data packets. (Bug 14641[13])
  • WinSparkle 0.5.6 is out of date and is buggy. (Bug 14642[14])
  • Unable to create or open VOIP captures. (Bug 14648[15])
  • RTMPT: incorrect dissection of multiple RTMP packets within a single TCP packet. (Bug 14650[16])
  • Endpoints dialog displays invalid GeoIP information due to incorrect byte order. (Bug 14656[17])
  • Qt: Crash in ShowPacketBytesDialog(). (Bug 14658[18])
  • Statistics ? Resolved addresses show IP addresses without domain. (Bug 14667[19])
  • Erroneous MAC-LTE Dissection for Sidelink Shared Channel Packets. (Bug 14669[20])
  • Files missing from docbook CMake file. (Bug 14676[21])
  • Wireshark hangs when opening certain files if it’s been configured to use the new GeoIP databases. (Bug 14701[22])
  • The “Open”, “Save”, and other file dialogs should now be shown at the correct size on HiDPI Windows systems.
  • UPDATED PROTOCOL SUPPORT:
  • BATADV, BT LE LL, CoAP, DNS, DTLS, GSM A DTAP, GSM A GM, GTP, GTPv2, IEEE 1905.1a, IEEE 802.11, LDSS, LwM2M-TLV, MAC LTE, NAS EPS, Q.931, RTCP, RTMPT, SDP, TCP, and VITA 49
  • New and Updated Capture File Support
  • 3GPP TS 32.423 Trace and Android Logcat

New in WireShark 2.6.0 (Apr 25, 2018)

  • Bug Fixes:
  • Dumpcap might not quit if Wireshark or TShark crashes. (Bug 1419[1])
  • New and Updated Features:
  • HTTP Request sequences are now supported.
  • Wireshark now supports MaxMind DB files. Support for GeoIP and GeoLite Legacy databases has been removed.
  • The IP map feature (the “Map” button in the “Endpoints” dialog) has been removed.Display filter buttons can now be edited, disabled, and removed via a context menu directly from the toolbar
  • Drag & Drop filter fields to the display filter toolbar or edit to create a button on the fly or apply the filter as a display filter.
  • Application startup time has been reduced.
  • Some keyboard shortcut mix-ups have been resolved by assigning new shortcuts to Edit → Copy methods.
  • TShark now supports color using the --color option.
  • The "matches" display filter operator is now case-insensitive.
  • Display expression (button) preferences have been converted to a UAT. This puts the display expressions in their own file. Wireshark still supports preference files that contain the old preferences, but new preference files will be written without the old fields.
  • SMI private enterprise numbers are now read from the “enterprises.tsv” configuration file.
  • The QUIC dissector has been renamed to Google QUIC (quic → gquic).
  • The selected packet number can now be shown in the Status Bar by enabling Preferences → Appearance → Layout → Show selected packet number.
  • File load time in the Status Bar is now disabled by default and can be enabled in Preferences → Appearance → Layout → Show file load time.
  • Support for the G.729A codec in the RTP Player is now added via the bcg729 library.
  • Support for hardware-timestamping of packets has been added.
  • Improved NetMon .cap support with comments, event tracing, network filter, network info types and some Message Analyzer exported types.
  • The personal plugins folder on Linux/Unix is now ~/.local/lib/wireshark/plugins.
  • TShark can print flow graphs using -z flow…
  • Capinfos now prints SHA256 hashes in addition to RIPEMD160 and SHA1. MD5 output has been removed.
  • The packet editor has been removed. (This was a GTK+ only experimental feature.)
  • Support BBC micro:bit Bluetooth profile
  • The Linux and UNIX installation step for Wireshark will now install headers required to build plugins. A pkg-config file is provided to help with this (see “doc/plugins.example” for details). Note you must still rebuild all plugins between minor releases (X.Y).
  • The Windows installers and packages now ship with Qt 5.9.4.
  • The generic data dissector can now uncompress zlib compressed data.
  • DNS Stats now supports service level statistics.
  • DNS filters for retransmissions and unsolicited responses have been added.
  • The “tcptrace” TCP Stream graph now shows duplicate ACKS and zero window advertisements.
  • The membership operator now supports ranges, allowing display filters such as tcp.port in {4430..4434} to be expressed. See the User’s Guide, chapter Building display filter expressions for details.
  • New Protocol Support:
  • ActiveMQ Artemis Core Protocol, AMT (Automatic Multicast Tunneling), AVSP (Arista Vendor Specific Protocol), Bluetooth Mesh, Broadcom tags (Broadcom Ethernet switch management frames), CAN-ETH, CVS password server, Excentis DOCSIS31 XRA header, F1 Application Protocol, F5ethtrailer, FP Mux, GRPC (gRPC), IEEE 1905.1a, IEEE 802.11ax (High Efficiency WLAN (HEW)), IEEE 802.15.9 IEEE Recommended Practice for Transport of Key Management Protocol (KMP) Datagrams, IEEE 802.3br Frame Preemption Protocol, ISOBUS, LoRaTap, LoRaWAN, Lustre Filesystem, Lustre Network, Nano / RaiBlocks Cryptocurrency Protocol (UDP), Network Functional Application Platform Interface (NFAPI) Protocol, New Radio Radio Link Control protocol, New Radio Radio Resource Control protocol, NR (5G) MAC protocol, NXP 802.15.4 Sniffer Protocol, Object Security for Constrained RESTful Environments (OSCORE), PFCP (Packet Forwarding Control Protocol), Protobuf (Protocol Buffers), QUIC (IETF), RFC 4108 Using CMS to Protect Firmware Packages, Session Multiplex Protocol, SolarEdge monitoring protocol, Steam In-Home Streaming Discovery Protocol, Tibia, TWAMP and OWAMP, Wi-Fi Device Provisioning Protocol, and Wi-SUN FAN Protocol
  • New and Updated Capture File Support:
  • Microsoft Network Monitor
  • New and Updated Capture Interfaces support:
  • LoRaTap

New in WireShark 2.4.6 (Apr 4, 2018)

  • BUG FIXES:
  • The following vulnerabilities have been fixed:
  • [1]wnpa-sec-2018-15: The MP4 dissector could crash. ([2]Bug 13777)
  • [3]wnpa-sec-2018-16: The ADB dissector could crash. ([4]Bug 14460)
  • [5]wnpa-sec-2018-17: The IEEE 802.15.4 dissector could crash. ([6]Bug 14468)
  • [7]wnpa-sec-2018-18: The NBAP dissector could crash. ([8]Bug 14471)
  • [9]wnpa-sec-2018-19: The VLAN dissector could crash. ([10]Bug 14469)
  • [11]wnpa-sec-2018-20: The LWAPP dissector could crash. ([12]Bug 14467)
  • [13]wnpa-sec-2018-21: The TCP dissector could crash. ([14]Bug 14472)
  • [15]wnpa-sec-2018-22: The CQL dissector could to into an infinite loop. ([16]Bug 14530)
  • [17]wnpa-sec-2018-23: The Kerberos dissector could crash. ([18]Bug 14576)
  • [19]wnpa-sec-2018-24: Multiple dissectors and other modules could leak memory. The TN3270: ([20]Bug 14480), ISUP ([21]Bug 14481), LAPD ([22]Bug 14482), SMB2: ([23]Bug 14483), GIOP ([24]Bug 14484), ASN.1 ([25]Bug 14485), MIME: multipart ([26]Bug 14486), H.223 ([27]Bug 14487), and PCP ([28]Bug: 14488) dissectors were susceptible along with Wireshark and TShark: ([29]Bug 14489).
  • The following bugs have been fixed:
  • TRANSUM doesn't account for DNS retries in the Request Spread.: ([30]Bug 14210)
  • BGP: IPv6 NLRI is received with Add-path ID, then Wireshark is not: able to decode the packet correctly. ([31]Bug 14241)
  • Lua script calling Ethernet dissector runs OK in 1.12.4 but crashes: in later releases. ([32]Bug 14293)
  • PEEKREMOTE dissector lacks 80mhz support, short preamble support: and spatial streams encoding. ([33]Bug 14452)
  • Statistics > UDP Multicast Streams > [Copy|Save as..] is broken.: ([34]Bug 14477)
  • Typo error in enumeration value of speech version identifier.: ([35]Bug 14528)
  • In "Unsaved packets" dialog one can NOT use keyboard to choose: "Continue without Saving". ([36]Bug 14531)
  • WCCP logical error in CHECK_LENGTH_ADVANCE_OFFSET macros. ([37]Bug: 14538)
  • Buildbot crash output: fuzz-2018-03-19-19114.pcap. ([38]Bug 14544)
  • alloca() used in wsutil/getopt_long.c without inclusion.: ([39]Bug 14552)
  • HP-UX HP ANSI C requires -Wp,-H200000 flag to compile. ([40]Bug: 14554)
  • Makefile.in uses non-portable "install" command. ([41]Bug 14555)
  • HP-UX HP ANSI C doesn't support assigning {} to a variable in: epan/app_mem_usage.c. ([42]Bug 14556)
  • PPP in SSTP, HDLC framing not parsed properly. ([43]Bug 14559)
  • Using the DIAMETER dictionary causes the standard input to be: closed when the dictionary is read. ([44]Bug 14577)
  • UPDATED PROTOCOL SUPPORT:
  • 6LoWPAN, ADB, BGP, CQL, DNS, Ethernet, GIOP, GSM BSSMAP, H.223, IEEE 802.11, IEEE 802.11 Radiotap, IEEE 802.15.4, ISUP, Kerberos, LAPD, LWAPP, MIME multipart, MP4, NBAP, NORDIC_BLE, PCP, PEEKREMOTE, S1AP, SMB2, SSTP, T.30, TCP, TN3270, TRANSUM, VLAN, WCCP, and WSP.

New in WireShark 2.5.1 Dev (Mar 16, 2018)

  • NEW AND UPDATED FEATURES:
  • The following features are new (or have been significantly updated) since version 2.5.0:
  • HTTP Referer statistics are now supported.
  • Wireshark now supports MaxMind DB files. Support for GeoIP and GeoLite Legacy databases has been removed.
  • The Windows packages are now built using Microsoft Visual Studio 2017.
  • The IP map feature (the “Map” button in the “Endpoints” dialog) has been removed.
  • The following features are new (or have been significantly updated) since version 2.4.0:
  • Display filter buttons can now be edited, disabled, and removed via a context menu directly from the toolbar
  • Drag & Drop filter fields to the display filter toolbar or edit to create a button on the fly or apply the filter as a display filter.
  • Application startup time has been reduced.
  • Some keyboard shortcut mix-ups have been resolved by assigning new shortcuts to Edit → Copy methods.
  • TShark now supports color using the --color option.
  • The "matches" display filter operator is now case-insensitive.
  • Display expression (button) preferences have been converted to a UAT. This puts the display expressions in their own file. Wireshark still supports preference files that contain the old preferences, but new preference files will be written without the old fields.
  • SMI private enterprise numbers are now read from the "enterprises.tsv" configuration file.
  • The QUIC dissector has been renamed to Google QUIC (quic → gquic).
  • The selected packet number can now be shown in the Status Bar by enabling Preferences → Appearance → Layout → Show selected packet number.
  • File load time in the Status Bar is now disabled by default and can be enabled in Preferences → Appearance → Layout → Show file load time.
  • Support for the G.729A codec in the RTP Player is now added via the bcg729 library.
  • Support for hardware-timestamping of packets has been added.
  • Improved NetMon .cap support with comments, event tracing, network filter, network info types and some Message Analyzer exported types.
  • The personal plugins folder on Linux/Unix is now ~/.local/lib/wireshark/plugins.
  • TShark can print flow graphs using -z flow…
  • Capinfos now prints SHA256 hashes in addition to RIPEMD160 and SHA1. MD5 output has been removed.
  • The packet editor has been removed. (This was a GTK+ only experimental feature.)
  • Support BBC micro:bit Bluetooth profile
  • The Linux and UNIX installation step for Wireshark will now install headers required to build plugins. A pkg-config file is provided to help with this (see doc/plugins.example for details). Note you must still rebuild all plugins between minor releases (X.Y).
  • The Windows installers and packages now ship with Qt 5.9.4.
  • The generic data dissector can now uncompress zlib compressed data.
  • NEW PROTOCOL SUPPORT:
  • ActiveMQ Artemis Core Protocol, AMT (Automatic Multicast Tunneling), Bluetooth Mesh, Broadcom tags (Broadcom Ethernet switch management frames), CAN-ETH, CVS password server, Excentis DOCSIS31 XRA header, F5ethtrailer, FP Mux, GRPC (gRPC), IEEE 1905.1a, IEEE 802.11ax (High Efficiency WLAN (HEW)), IEEE 802.15.9 IEEE Recommended Practice for Transport of Key Management Protocol (KMP) Datagrams, IEEE 802.3br Frame Preemption Protocol, ISOBUS, LoRaTap, LoRaWAN, Lustre Filesystem, Lustre Network, Nano / RaiBlocks Cryptocurrency Protocol (UDP), Network Functional Application Platform Interface (NFAPI) Protocol, New Radio Radio Resource Control protocol, NXP 802.15.4 Sniffer Protocol, PFCP (Packet Forwarding Control Protocol), Protobuf (Protocol Buffers), QUIC (IETF), RFC 4108 Using CMS to Protect Firmware Packages, Session Multiplex Protocol, SolarEdge monitoring protocol, Steam In-Home Streaming Discovery Protocol, Tibia, TWAMP and OWAMP, Wi-Fi Device Provisioning Protocol, and Wi-SUN FAN Protocol.
  • NEW AND UPDATED CAPTURE FILE SUPPORT:
  • Microsoft Network Monitor

New in WireShark 2.4.5 (Feb 25, 2018)

  • BUG FIXES:
  • The following vulnerabilities have been fixed:
  • [1]wnpa-sec-2018-05 The IEEE 802.11 dissector could crash. [2]Bug 14442, [3]CVE-2018-7335
  • [4]wnpa-sec-2018-06 Multiple dissectors could go into large infinite loops. All ASN.1 BER dissectors ([5]Bug 14444), along with the DICOM ([6]Bug 14411), DMP ([7]Bug 14408), LLTD ([8]Bug 14419), OpenFlow ([9]Bug 14420), RELOAD ([10]Bug 14445), RPCoRDMA ([11]Bug 14449), RPKI-Router ([12]Bug 14414), S7COMM ([13]Bug 14423), SCCP ([14]Bug 14413), Thread ([15]Bug 14428), Thrift ([16]Bug 14379), USB ([17]Bug 14421), and WCCP ([18]Bug 14412) dissectors were susceptible.
  • [19]wnpa-sec-2018-07 The UMTS MAC dissector could crash. [20]Bug 14339, [21]CVE-2018-7334
  • [22]wnpa-sec-2018-08 The DOCSIS dissector could crash. [23]Bug 14446, [24]CVE-2018-7337
  • [25]wnpa-sec-2018-09 The FCP dissector could crash. [26]Bug 14374, [27]CVE-2018-7336
  • [28]wnpa-sec-2018-10 The SIGCOMP dissector could crash. [29]Bug 14398, [30]CVE-2018-7320
  • [31]wnpa-sec-2018-11 The pcapng file parser could crash. [32]Bug 14403, [33]CVE-2018-7420
  • [34]wnpa-sec-2018-12 The IPMI dissector could crash. [35]Bug 14409, [36]CVE-2018-7417
  • [37]wnpa-sec-2018-13 The SIGCOMP dissector could crash. [38]Bug 14410, [39]CVE-2018-7418
  • [40]wnpa-sec-2018-14 The NBAP disssector could crash. [41]Bug 14443, [42]CVE-2018-7419
  • The following bugs have been fixed:
  • Change placement of "double chevron" in Filter Toolbar to eliminate overlap. ([43]Bug 14121)
  • AutoScroll does not work. ([44]Bug 14257)
  • BOOTP/DHCP: malformed packet -> when user class option (77) is present. ([45]Bug 14312)
  • GET MAX LUN wLength decoded as big-endian - USB Mass Storage. ([46]Bug 14360)
  • Unable to create Filter Expression Button for a yellow filter. ([47]Bug 14369)
  • Buildbot crash output: fuzz-2018-01-28-15874.pcap. ([48]Bug 14371)
  • NetScaler RPC segmentation fault / stack overflow. ([49]Bug 14399)
  • [oss-fuzz] #6028 RPC_NETLOGON: Direct-leak in g_malloc (generate_hash_key). ([50]Bug 14407)
  • Newline "n" in packet list field increase line height for all rows. ([51]Bug 14424)
  • ieee80211-radio.c preamble duration calculation not correct. ([52]Bug 14439)
  • DIS: Malformed packet in SISO-STD-002 transmitter. ([53]Bug 14441)
  • UPDATED PROTOCOL SUPPORT:
  • ASN.1 BER, BOOTP/DHCP, DCE RPC NETLOGON, DICOM, DIS, DMP, DOCSIS, EPL, FCP, GSM A RR, HSRP, IAX2, IEEE 802.11, Infiniband, IPMI, IPv6, LDAP, LLTD, NBAP, NetScaler RPC, OpenFlow, RELOAD, RPCoRDMA, RPKI-Router, S7COMM, SCCP, SIGCOMP, Thread, Thrift, TLS/SSL, UMTS MAC, USB, USB Mass Storage, and WCCP
  • NEW AND UPDATED CAPTURE FILE SUPPORT:
  • pcap pcapng

New in WireShark 2.5.0 Dev (Feb 7, 2018)

  • NEW AND UPDATED FEATURES:
  • The following features are new (or have been significantly updated)
  • since version 2.4.0:
  • Display filter buttons can now be edited, disabled, and removed via a context menu directly from the toolbar
  • Drag & Drop filter fields to the display filter toolbar or edit to create a button on the fly or apply the filter as a display filter.
  • Application startup time has been reduced.
  • Some keyboard shortcut mix-ups have been resolved by assigning new shortcuts to Edit -> Copy methods.
  • TShark now supports color using the --color option.
  • The "matches" display filter operator is now case-insensitive.
  • Display expression (button) preferences have been converted to a UAT. This puts the display expressions in their own file. Wireshark still supports preference files that contain the old preferences, but new preference files will be written without the old fields.
  • SMI private enterprise numbers are now read from the "enterprises.tsv" configuration file.
  • The QUIC dissector has been renamed to Google QUIC (quic -> gquic).
  • The selected packet number can now be shown in the Status Bar by enabling Preferences -> Appearance -> Layout -> Show selected packet number.
  • File load time in the Status Bar is now disabled by default and can be enabled in Preferences -> Appearance -> Layout -> Show file load time.
  • Support for the G.729A codec in the RTP Player is now added via the bcg729 library.
  • Support for hardware-timestamping of packets has been added.
  • Improved NetMon .cap support with comments, event tracing, network filter, network info types and some Message Analyzer exported types.
  • The personal plugins folder on Linux/Unix is now ~/.local/lib/wireshark/plugins.
  • TShark can print flow graphs using -z flow...
  • Capinfos now prints SHA256 hashes in addition to RIPEMD160 and SHA1. MD5 output has been removed.
  • The packet editor has been removed. (This was a GTK+ only experimental feature.)
  • Support BBC micro:bit Bluetooth profile
  • The Linux and UNIX installation step for Wireshark will now install headers required to build plugins. A pkg-config file is provided to help with this (see doc/plugins.example for details). Note you must still rebuild all plugins between minor releases (X.Y).
  • The Windows installers and packages now ship with Qt 5.9.4.
  • New Protocol Support:
  • 802.11ax (High Efficiency WLAN (HEW)), ActiveMQ Artemis Core Protocol,
  • AMT (Automatic Multicast Tunneling), Bluetooth Mesh, Broadcom tags
  • (Broadcom Ethernet switch management frames), CAN-ETH, CVS password
  • server, FP Mux, GRPC (gRPC), IEEE 1905.1a, IEEE 802.3br Frame
  • Preemption Protocol, ISOBUS, LoRaTap, LoRaWAN, Lustre Filesystem,
  • Lustre Network, Network Functional Application Platform Interface
  • (NFAPI) Protocol, New Radio Radio Resource Control protocol, NXP
  • 802.15.4 Sniffer Protocol, PFCP (Packet Forwarding Control Protocol),
  • Protobuf (Protocol Buffers), QUIC (IETF), Session Multiplex Protocol,
  • SolarEdge monitoring protocol, Tibia, TWAMP and OWAMP, and Wi-Fi Device
  • Provisioning Protocol
  • New and Updated Capture File Support:
  • Microsoft Network Monitor
  • New and Updated Capture Interfaces support:
  • LoRaTap

New in WireShark 2.4.4 (Jan 12, 2018)

  • BUG FIXES:
  • The following vulnerabilities have been fixed:
  • [1]wnpa-sec-2018-01 Multiple dissectors could crash. ([2]Bug 14253) [3]CVE-2018-5336
  • [4]wnpa-sec-2018-03 The IxVeriWave file parser could crash. ([5]Bug 14297) [6]CVE-2018-5334
  • [7]wnpa-sec-2018-04 The WCP dissector could crash. ([8]Bug 14251) [9]CVE-2018-5335
  • The following bugs have been fixed:
  • Some keyboard shortcut mix-up has been resolved by assigning new shortcuts to Edit -> Copy methods.
  • Remote interfaces are not saved. ([12]Bug 8557)
  • Additional grouping in Expert Information dialog. ([13]Bug 11753)
  • First start with non-empty extcap folder after install or reboot hangs at "initializing tap listeners". ([14]Bug 12845)
  • Can't hide expert categories in Expert Information. ([15]Bug 13831)
  • Expert info dialog should have "Collapse All"/"Expand All" options. ([16]Bug 13842)
  • SIP Statistics extract does not work. ([17]Bug 13942)
  • Service Response Time - SCSI dialog crashes. ([18]Bug 14144)
  • Wireshark & Tshark 2.4.2 core dumps with segmentation fault. ([19]Bug 14194)
  • SSH remote capture promiscuous mode. ([20]Bug 14237)
  • SOCKS pseudo header displays incorrect Version value. ([21]Bug 14262)
  • Only first variable of list is dissected in NTP Control request message. ([22]Bug 14268)
  • NTP Authenticator field dissection fails if padding is used. ([23]Bug 14269)
  • BSSAP packet dissector issue - BSSAP_UPLINK_TUNNEL_REQUEST message. ([24]Bug 14289)
  • "[Malformed Packet]" for Mobile IP (MIP) protocol. ([25]Bug 14292)
  • There is a potential buffer underflow in File_read_line function in epan/wslua/wslua_file.c file. ([26]Bug 14295)
  • Saving a temporary capture file may not result in the temporary file being removed. ([27]Bug 14298)
  • Updated Protocol Support:
  • Bluetooth, BSSAP, BT ATT, BT HCI, BT SMP, MIP, NTP, SCTP, SOCKS, UDS, and WCP
  • New and Updated Capture File Support:
  • Ixia IxVeriWave

New in WireShark 2.4.3 (Dec 1, 2017)

  • Bug Fixes:
  • [1]wnpa-sec-2017-47 The IWARP_MPA dissector could crash. ([2]Bug 14236)
  • [3]wnpa-sec-2017-48 The NetBIOS dissector could crash. ([4]Bug 14249)
  • [5]wnpa-sec-2017-49 The CIP Safety dissector could crash. ([6]Bug 14250)
  • "tshark -G ?" doesn't provide expected help. ([7]Bug 13984)
  • File loading is very slow with TRANSUM dissector enabled. ([8]Bug 14094)
  • packet-knxnetip.c:936: bad bitmask ?. ([9]Bug 14115)
  • packet-q931.c:1306: bad compare ?. ([10]Bug 14116)
  • SSL Dissection bug. ([11]Bug 14117)
  • Wireshark crashes when exporting various files to .csv, txt and other `non-capture file' formats. ([12]Bug 14128)
  • RLC reassembly doesn't work for RLC over UDP heuristic dissector. ([13]Bug 14129)
  • HTTP Object export fails with long extension (possibly query string). ([14]Bug 14130)
  • 3GPP Civic Address not displayed in Packet Details. ([15]Bug 14131)
  • Wireshark prefers packet.dll in System32\Npcap over the one in System32. ([16]Bug 14134)
  • PEEKREMOTE dissector does not decode 11ac MCS rates properly. ([17]Bug 14136)
  • Visual Studio Community Edition 2015 lacks tools named in developer guide. ([18]Bug 14147)
  • TCP: Malformed data with Riverbed Probe option. ([19]Bug 14150)
  • Wireshark Crash when trying to use Preferences | Advanced. ([20]Bug 14157)
  • Right click on SMB2 Message ID and then Apply as Column causes Runtime Error. ([21]Bug 14169)
  • Return [Enter] should apply change (Column title - Button Label toolbars). ([22]Bug 14191)
  • Wireshark crashes if "rip.display_routing_domain" is set to TRUE in preferences file. ([23]Bug 14197)
  • Entry point inflatePrime not found for androiddump.exe and randpktdump.exe. ([24]Bug 14207)
  • BGP: IPv6 NLRI is received with Add-path ID, then Wire shark is not able to decode the packet correctly. ([25]Bug 14241)
  • Wrong SSL decryption when using EXTENDED MASTER SECRET and Client certificate request (mutual authentication). ([26]Bug 14243)
  • Frame direction isn't always set if it comes from the pcapng record header rather than the packet pseudo-header. ([27]Bug 14245)
  • Updated Protocol Support:
  • 3GPP NAS, BGP, CIP Safety, DTLS, IEEE 802.11 Radio, IWARP_MPA, KNXnet/IP, LCSAP, MQTT, NetBIOS, PEEKREMOTE, Q.931, RIP, RLC, SIP, SSL/TLS, TCP, and TRANSUM

New in WireShark 2.4.2 (Oct 11, 2017)

  • Bug Fixes:
  • [1]wnpa-sec-2017-42 BT ATT dissector crash ([2]Bug 14049) [3]CVE-2017-15192
  • [4]wnpa-sec-2017-43 MBIM dissector crash ([5]Bug 14056) [6]CVE-2017-15193
  • [7]wnpa-sec-2017-44 DMP dissector crash ([8]Bug 14068) [9]CVE-2017-15191
  • [10]wnpa-sec-2017-45 RTSP dissector crash ([11]Bug 14077) [12]CVE-2017-15190
  • [13]wnpa-sec-2017-46 DOCSIS infinite loop ([14]Bug 14080) [15]CVE-2017-15189
  • Wireshark crash when end capturing with "Update list of packets in real-time" option off. ([16]Bug 13024)
  • Diameter service response time statistics broken in 2.2.4. ([17]Bug 13442)
  • Sequence number isn't shown as the X axis in TCP Stream Graph - RTT. ([18]Bug 13740)
  • Using an SSL subdissector will cause SSL data to not be decoded (related to reassembly of application data). ([19]Bug 13885)
  • Wireshark 2.4.0 doesn't build with Qt 4.8. ([20]Bug 13909)
  • Some Infiniband Connect Req fields are not decoded correctly. ([21]Bug 13997)
  • Voip Flow Sequence button crash. ([22]Bug 14010)
  • wireshark-2.4.1/epan/dissectors/packet-dmp.c:1034: sanity check in wrong place ?. ([23]Bug 14016)
  • wireshark-2.4.1/ui/qt/tcp_stream_dialog.cpp:1206: sanity check in odd place ?. ([24]Bug 14017)
  • [oss-fuzz] ASAN: 232 byte(s) leaked in 4 allocation(s). ([25]Bug 14025)
  • [oss-fuzz] ASAN: 47 byte(s) leaked in 1 allocation(s). ([26]Bug 14032)
  • Own interface toolbar logger dialog for each log command. ([27]Bug 14033)
  • Wireshark crashes when dissecting DOCSIS REGRSPMP which contains UCD. ([28]Bug 14038)
  • Broken installation instructions for Visual Studio Community Edition. ([29]Bug 14039)
  • RTP Analysis "save as CSV" saves twice the forward stream, if two streams are selected. ([30]Bug 14040)
  • VWR file read ends early with vwr: Invalid data length 0. ([31]Bug 14051)
  • reordercap fails with segmentation fault 11 on MacOS. ([32]Bug 14055)
  • Cannot Apply Bitmask to Long Unsigned. ([33]Bug 14063)
  • text2pcap since version 2.4 aborts when there are no arguments. ([34]Bug 14082)
  • gtpprime: Missing in frame.protocols. ([35]Bug 14083)
  • HTTP dissector believes ICY response is a request. ([36]Bug 14091)
  • Updated Protocol Support:
  • 6LoWPAN, Bluetooth, BOOTP/DHCP, BT ATT, BT LE, DCERPC, DMP, DOCSIS,
  • EPL, GTP, H.248, HTTP, InfiniBand, MBIM, RPC, RTSP, SSL, and WSP
  • New and Updated Capture File Support:
  • Ixia IxVeriWave

New in WireShark 2.4.1 (Aug 30, 2017)

  • Bug Fixes:
  • wnpa-sec-2017-38. MSDP dissector infinite loop (Bug 13933)
  • wnpa-sec-2017-39. Profinet I/O buffer overrun (Bug 13847)
  • wnpa-sec-2017-40. Modbus dissector crash (Bug 13925)
  • wnpa-sec-2017-41. IrCOMM dissector buffer overrun (Bug 13929)
  • Incorrect presentation of Ascend-Data-Filter (RADIUS attribute 242). (Bug 11630)
  • Confusing "Apply a display filter " keyboard shortcut. (Bug 12450)
  • Wireshark crashes at startup if it needs to display a dialog early in the startup process. (Bug 13275)
  • RADIUS dictionary: BEGIN-VENDOR does not support format=Extended-Vendor-Specific-*. (Bug 13745)
  • Dumpcap on big-endian machines writes out corrupt, unreadable Enhanced Packet Blocks. (Bug 13802)
  • Interface Toolbar support for Windows. (Bug 13833)
  • Wireshark should behave better on high resolution displays on Windows. (Bug 13877)
  • Udpdump.pod missing from build. (Bug 13903)
  • RTP Player Format Error. (Bug 13906)
  • VNC Protocol disector : Framebuffer Updates. (Bug 13910)
  • DNS LOC RRs with out-of-range longitude or latitude aren’t shown as errors. (Bug 13914)
  • DIS Dissector Entity Appearance Record displayed in wrong location. (Bug 13917)
  • Win64 CMake bug - (CYGWIN_INSTALL_PATH redefinition) causing missing packages when using CMake 3.9.0. (Bug 13922)
  • APL records parsed incorrectly for IPv4 prefixes. (Bug 13923)
  • File→Merge dialog doesn’t show all options. Resizing doesn’t help. (Bug 13924)
  • TCAP SRT Analysis incorrectly matched TCAP begins and ends. (Bug 13926)
  • Error in MKA Distributed SAK parameter set dissection. (Bug 13927)
  • E.212: Check length before trying 3-digits MNC. (Bug 13935)
  • mpeg_descriptor: AC3 System A: Respect descriptor length. (Bug 13939)
  • Crash in Wireshark using Dumper:dump() from Lua. (Bug 13944)
  • MRCPv2 not decoded correctly. (Bug 13952)
  • UDP Checksum verification not working for 0x0000 checksum. (Bug 13955)
  • OSPF v3 LSA Type not well parsed. (Bug 13979)
  • GTPv2 - decoding issue for Packet Flow ID (type 123). (Bug 13987)
  • TRANSUM fails to calculate RTE figures for DCE-RPC where request Packet Type is zero. (Bug 13988)
  • BTLE Hop and SCA fields incorrectly dissected in BLE CONNECT_REQ. (Bug 13990)
  • [oss-fuzz] BGP memleak: ASAN: 276 byte(s) leaked in 5 allocation(s). (Bug 13995)
  • Some Infiniband Connect Req fields are not decoded correctly. (Bug 13997)
  • GTP: gtp.ext_comm_flags_II_pmtsmi bit not decoded correctly. (Bug 14001)
  • InfiniBand: sIP and dIP inside IP CM Private Data are decoded in the wrong order. (Bug 14002)
  • 802.11 wlan.ft.subelem.r0kh_id should be sequence of bytes. (Bug 14004)
  • USB capture: Unrecognized libpcap format or not libpcap data. (Bug 14006)
  • SQ Header Pointer in NVMoF response capsule is decoded with the wrong endian. (Bug 14008)
  • Updated Protocol Support:
  • BGP, BT LE, DIS, DNS, E.212, EPL, GTP, GTPv2, IEEE 802.11, InfiniBand, IPv4, IrCOMM, MKA, Modbus, MPEG Descriptor, MRCPv2, MSDP, MTP2, Nordic BLE, NVMe, OSPF, pcapng MIME, PMIPv6, Profinet I/O, RADIUS, SML, TCAP, TRANSUM, UA3G, UDP, VNC, and ZigBee

New in WireShark 2.4.0 (Jul 21, 2017)

  • New and Updated Features:
  • Experimental 32-bit and 64-bit Windows Installer (.msi) packages are available. It is recommended that you use these independently of the NSIS (.exe) installers. That is, you should make sure the NSIS package is completely uninstalled before installing the Windows Installer package and vice-versa.
  • Source packages are now compressed using xz instead of bzip2.
  • The legacy (GTK+) UI is disabled by default in the Windows installers.
  • The legacy (GTK+) UI is disabled by default in the development environment (Autotools and CMake).
  • SS7 Point Codes can now be resolved into names with a hosts-like file.
  • Wireshark can now go fullscreen to have more room for packets.
  • TShark can now export objects like the other GUI interfaces.
  • Support for G.722 and G.726 codecs in the RTP Player (via the SpanDSP library).
  • You can now choose the output device when playing RTP streams.
  • Added support for dissectors to include a unit name natively in their hf field. A field can now automatically append "seconds" or "ms" to its value without additional printf-style APIs.
  • The Default profile can now be reset to default values.
  • You can move back and forth in the selection history in the Qt UI.
  • IEEE 802.15.4 dissector now uses an UAT for decryption keys. The original decryption key preference has been obsoleted.
  • Extcap utilities can now provide configuration for a GUI interface toolbar to control the extcap utility while capturing.
  • Extcap utilities can now validate the capture filter.
  • Display filter function len() can now be used on all string and byte fields.
  • Added an experimental timeline view for 802.11 wireless packet data which can be enabled via the "802.11 radio information" preferences.
  • Added TLS 1.3 (draft 21) dissection and decryption support (Bug 12779).
  • The (D)TLS Application Layer protocol (e.g. HTTP or CoAP) can now be changed via the Decode As dialog.
  • The RSA keys dialog for SSL keys has improved feedback for invalid settings and no longer requires the IP address, Port or Protocol fields to be set in addition to the Key File.
  • TCP Analysis will detect and flag more spurious retransmissions.
  • New Protocol Support:
  • Bluetooth HCI Vendor Intel, CAN FD, Citrix NetScaler Metric Exchange Protocol, Citrix NetScaler RPC Protocol, DirectPlay 8 protocol, Ericsson A-bis P-GSL, Ericsson A-bis TFP (Traffic Forwarding Protocol), Facebook Zero, Fc00/cjdns Protocol, Generic Netlink (genl), GSM Osmux, GSMTAP based logging, Health Level 7 (HL7), High-speed SECS message service (HSMS), HomePNA, IndigoCare iCall protocol, IndigoCare Netrix protocol, iPerf2, ISO 15765, Linux 802.11 Netlink (nl80211), Local Service Discovery (LSD), M2 Application Protocol, Mesh Link Establishment (MLE), MUDURL, Netgear Ensemble Protocol, NetScaler HA Protocol, NetScaler Metric Exchange Protocol, NetScaler RPC Protocol, NM protocol, Nordic BLE Sniffer, NVMe, NVMe Fabrics RDMA, OBD-II PIDs, OpenThread simulator, RFTap Protocol, SCTE-35 Digital Program Insertion Messages, Snort Post-dissector, Thread CoAP, UDP based FTP w/ multicast (UFTP and UFTP4), Unified Diagnostic Services (UDS), vSocket, Windows Cluster Management API (clusapi), and X-Rite i1 Display Pro (and derivatives) USB protocol
  • New and Updated Capture File Support:
  • ERF, IxVeriWave, Libpcap, and Pcap-ng
  • Major API Changes:
  • IEEE802.11: wlan_mgt display filter element got renamed to wlan.
  • Libgcrypt is now a required dependency.
  • File Locations:
  • Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About→Folders to find the default locations on your system.

New in WireShark 2.2.8 (Jul 19, 2017)

  • BUG FIXES:
  • The following vulnerabilities have been fixed:
  • [1]wnpa-sec-2017-13: WBMXL dissector infinite loop ([2]Bug 13477, [3]Bug 13796), [4]CVE-2017-7702, [5]CVE-2017-11410
  • [6]wnpa-sec-2017-28: openSAFETY dissector memory exhaustion ([7]Bug 13649,[8]Bug 13755), [9]CVE-2017-9350, [10]CVE-2017-11411
  • [11]wnpa-sec-2017-34: AMQP dissector crash. ([12]Bug 13780) [13]CVE-2017-11408
  • [14]wnpa-sec-2017-35: MQ dissector crash. ([15]Bug 13792) [16]CVE-2017-11407
  • [17]wnpa-sec-2017-36: DOCSIS infinite loop. ([18]Bug 13797) [19]CVE-2017-11406
  • The following bugs have been fixed:
  • Y.1711 dissector reverses defect type order. ([20]Bug 8292)
  • Packet list keeps scrolling back to selected packet while names are being resolved. ([21]Bug 12074)
  • [REGRESSION] Export Objects do not show files from a SMB2 capture. ([22]Bug 13214)
  • LTE RRC: lte-rrc.q_RxLevMin filter fails on negative values. ([23]Bug 13481)
  • Hexpane showing in proportional font again. ([24]Bug 13638)
  • Regression in SCCP fragments handling. ([25]Bug 13651)
  • TCAP SRT incorrectly matches TC_BEGINs and TC_ENDs. ([26]Bug 13739)
  • Dissector for WSMP (IEEE 1609.3) not current. ([27]Bug 13766)
  • RANAP: possible issue in the heuristic code. ([28]Bug 13770)
  • [oss-fuzz] UBSAN: shift exponent 35 is too large for 32-bit type int in packet-btrfcomm.c:314:37. ([29]Bug 13783)
  • RANAP: false positives on heuristic algorithm. ([30]Bug 13791)
  • Automatic name resolution not saved to PCAP-NG NRB. ([31]Bug 13798)
  • DAAP dissector dissect_daap_one_tag recursion stack exhausted. ([32]Bug 13799)
  • Malformed DCERPC PNIO packet decode, exception handler invalid poionter reference. ([33]Bug 13811)
  • It seems SPVID was decoded from wrong field. ([34]Bug 13821)
  • README.dissectors: Add notes about predefined string structures not available to plugin authors. ([35]Bug 13828)
  • Statistics->Packet Lengths doesn't display details for 5120 or greater. ([36]Bug 13844)
  • cmake/modules/FindZLIB.cmake doesn't find inflatePrime. ([37]Bug 13850)
  • BGP: incorrect decoding COMMUNITIES whose length is larger than 255. ([38]Bug 13872)
  • UPDATED PROTOCOL SUPPORT:
  • AMQP, BGP, BSSMAP, BT RFCOMM, DAAP, DOCSIS, E.212, FDDI, GSM A GM, GSM BSSMAP, IEEE 802.11, IP, ISIS LSP, LTE RRC, MQ, OpenSafety, OSPF, PROFINET IO, RANAP, SCCP, SGSAP, SMB2, TCAP, TCP, UMTS FP, UMTS RLC, WBXML, WSMP, and Y.1711

New in WireShark 2.4.0 RC 2 (Jun 29, 2017)

  • NEW AND UPDATED FEATURES:
  • Experimental 32-bit and 64-bit Windows Installer (.msi) packages are available. It is recommended that you use these independently of the NSIS (.exe) installers. That is, you should make sure the NSIS package is completely uninstalled before installing the Windows Installer package and vice-versa.
  • Source packages are now compressed using xz instead of bzip2.
  • The legacy (GTK+) UI is disabled by default in the Windows installer.
  • The legacy (GTK+) UI is disabled by default in Autotools and CMake.
  • SS7 Point Codes can now be resolved into names with a hosts-like file.
  • Wireshark can now go fullscreen to have more room for packets.
  • TShark can now export objects like the other GUI interfaces.
  • Support for G.722 and G.726 codecs in the RTP Player (via the SpanDSP library).
  • You can now choose the output device when playing RTP streams.
  • Added support for dissectors to include a unit name natively in their hf field. A field can now automatically append "seconds" or "ms" to its value without additional printf-style APIs.
  • The Default profile can now be reset to default values.
  • You can move back and forth in the selection history in the Qt UI.
  • IEEE 802.15.4 dissector now uses an UAT for decryption keys. The original decryption key preference has been obsoleted.
  • Extcap utilities can now provide configuration for a GUI interface toolbar to control the extcap utility while capturing.
  • Extcap utilities can now validate the capture filter.
  • Display filter function len() can now be used on all string and byte fields.
  • Added timeline view for 802.11 wireless packet data.
  • NEW PROTOCOL SUPPORT:
  • Bluetooth HCI Vendor Intel, CAN FD, Citrix NetScaler Metric Exchange Protocol, Citrix NetScaler RPC Protocol, DirectPlay 8 protocol, Ericsson A-bis P-GSL, Ericsson A-bis TFP (Traffic Forwarding Protocol), Facebook Zero, Fc00/cjdns Protocol, Generic Netlink (genl), GSM Osmux, GSMTAP based logging, Health Level 7 (HL7), High-speed SECS message service (HSMS), HomePNA, IndigoCare iCall protocol, IndigoCare Netrix protocol, iPerf2, ISO 15765, Linux 802.11 Netlink (nl80211), Local Service Discovery (LSD), M2 Application Protocol, Mesh Link Establishment (MLE), MUDURL, Netgear Ensemble Protocol, NetScaler HA Protocol, NetScaler Metric Exchange Protocol, NetScaler RPC Protocol, NM protocol, Nordic BLE Sniffer, NVMe, NVMe Fabrics RDMA, OBD-II PIDs, OpenThread simulator, RFTap Protocol, SCTE-35 Digital Program Insertion Messages, Snort Post-dissector, Thread CoAP, UDP based FTP w/ multicast (UFTP and UFTP4), Unified Diagnostic Services (UDS), vSocket, Windows Cluster Management API (clusapi), and X-Rite i1 Display Pro (and derivatives) USB protocol
  • NEW AND UPDATED CAPTURE FILE SUPPORT:
  • ERF, IxVeriWave, Libpcap, and Pcap-ng IEEE802.11: wlan_mgt display filter element got renamed to wlan. Libgcrypt is now a required dependency.

New in WireShark 2.4.0 RC 1 (Jun 8, 2017)

  • NEW AND UPDATED FEATURES:
  • Source packages are now compressed using xz instead of bzip2.
  • The legacy (GTK+) UI is disabled by default in the Windows installer.
  • The legacy (GTK+) UI is disabled by default in Autotools and CMake.
  • SS7 Point Codes can now be resolved into names with a hosts-like file.
  • Wireshark can now go fullscreen to have more room for packets.
  • TShark can now export objects like the other GUI interfaces.
  • Support for G.722 and G.726 codecs in the RTP Player (via the SpanDSP library).
  • You can now choose the output device when playing RTP streams.
  • Added support for dissectors to include a unit name natively in their hf field. A field can now automatically append "seconds" or "ms" to its value without additional printf-style APIs.
  • The Default profile can now be reset to default values.
  • You can move back and forth in the selection history in the Qt UI.
  • IEEE 802.15.4 dissector now uses an UAT for decryption keys. The original decryption key preference has been obsoleted.
  • Extcap utilities can now provide configuration for a GUI interface toolbar to control the extcap utility while capturing.
  • Extcap utilities can now validate the capture filter.
  • Display filter function len() can now be used on all string and byte fields.
  • Added timeline view for 802.11 wireless packet data.
  • NEW PROTOCOL SUPPORT:
  • (Facebook) Zero, Bluetooth HCI Vendor Intel, CAN FD, DirectPlay 8 protocol, Ericsson A-bis P-GSL, Ericsson A-bis TFP (Traffic Forwarding Protocol), Fc00/cjdns Protocol, Generic Netlink (genl), GSM Osmux, GSMTAP based logging, Health Level 7 (HL7), High-speed SECS message service (HSMS), HomePNA, IndigoCare iCall protocol, IndigoCare Netrix protocol, iPerf2, ISO 15765, Linux 802.11 Netlink (nl80211), Local Service Discovery (LSD), M2 Application Protocol, Mesh Link Establishment (MLE), Netgear Ensemble Protocol, NetScaler HA Protocol, NetScaler Metric Exchange Protocol, NetScaler RPC Protocol, NM protocol, Nordic BLE Sniffer, NVMe, NVMe Fabrics RDMA, OBD-II PIDs, OpenThread simulator, RFTap Protocol, SCTE-35 Digital Program Insertion Messages, Snort Post-dissector, Thread CoAP, Unified Diagnostic Services (UDS), vSocket, Windows Cluster Management API (clusapi), and X-Rite i1 Display Pro (and derivatives) USB protocol
  • NEW AND UPDATED CAPTURE INTERFACES SUPPORT:
  • IEEE802.11: wlan_mgt display filter element got renamed to wlan.
  • Libgcrypt is now a required dependency.

New in WireShark 2.2.7 (Jun 2, 2017)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2017-22
  • Bazaar dissector infinite loop (Bug 13599) CVE-2017-9352
  • wnpa-sec-2017-23
  • DOF dissector read overflow (Bug 13608) CVE-2017-9348
  • wnpa-sec-2017-24
  • DHCP dissector read overflow (Bug 13609, Bug 13628) CVE-2017-9351
  • wnpa-sec-2017-25
  • SoulSeek dissector infinite loop (Bug 13631) CVE-2017-9346
  • wnpa-sec-2017-26
  • DNS dissector infinite loop (Bug 13633) CVE-2017-9345
  • wnpa-sec-2017-27
  • DICOM dissector infinite loop (Bug 13685) CVE-2017-9349
  • wnpa-sec-2017-28
  • openSAFETY dissector memory exhaustion (Bug 13649) CVE-2017-9350
  • wnpa-sec-2017-29
  • BT L2CAP dissector divide by zero (Bug 13701) CVE-2017-9344
  • wnpa-sec-2017-30
  • MSNIP dissector crash (Bug 13725) CVE-2017-9343
  • wnpa-sec-2017-31
  • ROS dissector crash (Bug 13637) CVE-2017-9347
  • wnpa-sec-2017-32
  • RGMP dissector crash (Bug 13646) CVE-2017-9354
  • wnpa-sec-2017-33
  • IPv6 dissector crash (Bug 13675) CVE-2017-9353
  • The following bugs have been fixed:
  • DICOM dissection error. (Bug 13164)
  • Qt: drag & drop of one column header in PacketList moves other columns. (Bug 13183)
  • Can not export captured DICOM objects in version 2.2.5. (Bug 13570)
  • False complain about bad checksum of ICMP extension header. (Bug 13586)
  • LibFuzzer: ISUP dissector bug (isup.number_different_meaning). (Bug 13588)
  • Dissector Bug, protocol BT ATT. (Bug 13590)
  • Wireshark dispalys RRCConnectionReestablishmentRejectRRCConnectionReestablishmentReject in Info column. (Bug 13595)
  • [oss-fuzz] UBSAN: shift exponent 105 is too large for 32-bit type int in packet-ositp.c:551:79. (Bug 13606)
  • [oss-fuzz] UBSAN: shift exponent -77 is negative in packet-netflow.c:7717:23. (Bug 13607)
  • [oss-fuzz] UBSAN: shift exponent 1959 is too large for 32-bit type int in packet-sigcomp.c:2128:28. (Bug 13610)
  • [oss-fuzz] UBSAN: shift exponent 63 is too large for 32-bit type guint32 (aka unsigned int) in packet-rtcp.c:917:24. (Bug 13611)
  • [oss-fuzz] UBSAN: shift exponent 70 is too large for 64-bit type guint64 (aka unsigned long) in dwarf.c:42:43. (Bug 13616)
  • [oss-fuzz] UBSAN: shift exponent 32 is too large for 32-bit type int in packet-xot.c:260:23. (Bug 13618)
  • [oss-fuzz] UBSAN: shift exponent -5 is negative in packet-sigcomp.c:1722:36. (Bug 13619)
  • [oss-fuzz] UBSAN: index 2049 out of bounds for type char [2049] in packet-quakeworld.c:134:5. (Bug 13624)
  • [oss-fuzz] UBSAN: shift exponent 35 is too large for 32-bit type int in packet-netsync.c:467:25. (Bug 13639)
  • [oss-fuzz] UBSAN: shift exponent 32 is too large for 32-bit type int in packet-sigcomp.c:3857:24. (Bug 13641)
  • [oss-fuzz] ASAN: stack-use-after-return epan/dissectors/packet-ieee80211.c:14341:23 in add_tagged_field. (Bug 13662)
  • Welcome screen invalid capture filter wihtout WinPcap installed causes runtime error. (Bug 13672)
  • SMB protocol parser does not parse SMB_COM_TRANSACTION2_SECONDARY (0x33) command correctly. (Bug 13690)
  • SIP packets with SDP marked as malformed. (Bug 13698)
  • [oss-fuzz] UBSAN: index 8 out of bounds for type gboolean const[8] in packet-ieee80211-radiotap.c:1836:12. (Bug 13713)
  • Crash on "Show packet bytes…" context menu item click. (Bug 13723)
  • DNP3 dissector does not properly decode packed variations with prefixed qualifiers. (Bug 13733)
  • Updated Protocol Support:
  • Bazaar, BT ATT, BT L2CAP, DHCP, DICOM, DNP3, DNS, DOF, DWARF, ICMP, IEEE 802.11, IPv6, ISUP, LTE RRC, MSNIP, Netflow, Netsync, openSAFETY, OSITP, QUAKEWORLD, Radiotap, RGMP, ROS, RTCP, SIGCOMP, SMB, SoulSeek, and XOT

New in WireShark 2.2.6 (Apr 13, 2017)

  • The following vulnerabilities have been fixed:
  • IMAP dissector crash
  • WBMXL dissector infinite loop
  • NetScaler file parser infinite loop
  • RPCoRDMA dissector infinite loop
  • BGP dissector infinite loop
  • DOF dissector infinite loop
  • PacketBB dissector crash
  • SLSK dissector long loop
  • SIGCOMP dissector infinite loop
  • WSP dissector infinite loop
  • The following bugs have been fixed:
  • T30 FCF byte decoding masks DTC, CIG and NCS.
  • Wireshark gives decoding error during rnsap message dissection(SCCP reassembly).
  • Added IEEE 802.15.4-2003 AES-CCM security modes (packet-ieee802154).
  • Payload in 2 SCCP DT1 messages in the same frame isn’t (sub)dissected.
  • IEEE 802.15.4: an area of Payload IEs is dissected twice.
  • Qt UI: Wireshark crash when deleting IO graph string while it’s in editing mode.
  • Crash on exit due to an invalid frame data sequence state.
  • Access Violation using Lua dissector.
  • Some bytes ignored in every packet in NetScaler packet trace when vmnames are included in packet headers.
  • VOIP RTP stream Find Reverse button doesn’t work.
  • Lua dissector: ProtoField int&42; do not allow FT_HEX or FT_OCT, crash when set to FT_HEX_DEC or FT_DEC_HEX.
  • GIOP LocateRequest v1.0 is improperly indicated as "malformed".
  • Bug in ZigBee - Zone Status Change Notification.
  • Packet exception in packet-ua3g and incomplete strings in packet-noe.
  • Wrong BGP capability dissect.
  • Endpoint statistics column labels seem incorrect.
  • Strange automatic jump in packet details for a certain DNS response packet.
  • When a Lua enum or bool preference is changed via context menu, prefs_changed isn’t called with Qt Wireshark.
  • IO Graph selects wrong packet or displays "Packet number x isn’t displayed".
  • tshark’s -z endpoints,ip ignores optional filter.
  • SSL: Handshake type in Info column not always separated by comma.
  • libfuzzer: PEEKREMOTE dissector bug.
  • libfuzzer: packetBB dissector bug (packetbb.msg.addr.valuecustom).
  • libfuzzer: WSP dissector bug (wsp.header.x_wap_tod).
  • libfuzzer: MIH dissector bug.
  • libfuzzer: DNS dissector bug.
  • libfuzzer: WLCCP dissector bug.
  • libfuzzer: TAPA dissector bug.
  • libfuzzer: lapsat dissector bug.
  • libfuzzer: wassp dissector bug.
  • Illegal reassembly of GSM SMS packets.
  • SSH Dissector uses incorrect length for protocol field (ssh.protocol).
  • NBAP malformed packet for short Binding ID.
  • libfuzzer: WSP dissector bug (wsp.header.x_up_1.x_up_proxy_tod).
  • libfuzzer: asterix dissector bug (asterix.021_230_RA).
  • RTPproxy dissector adds multi lines to info column.

New in WireShark 2.2.5 (Mar 4, 2017)

  • BUG FIXES:
  • The following vulnerabilities have been fixed:
  • [1]wnpa-sec-2017-03 LDSS dissector crash ([2]Bug 13346)
  • [3]wnpa-sec-2017-04 RTMTP dissector infinite loop ([4]Bug 13347)
  • [5]wnpa-sec-2017-05 WSP dissector infinite loop ([6]Bug 13348)
  • [7]wnpa-sec-2017-06 STANAG 4607 file parser infinite loop ([8]Bug 13416)
  • [9]wnpa-sec-2017-07 NetScaler file parser infinite loop ([10]Bug 13429)
  • [11]wnpa-sec-2017-08 NetScaler file parser crash ([12]Bug 13430)
  • [13]wnpa-sec-2017-09 K12 file parser crash ([14]Bug 13431)
  • [15]wnpa-sec-2017-10 IAX2 dissector infinite loop ([16]Bug 13432)
  • [17]wnpa-sec-2017-11 NetScaler file parser infinite loop ([18]Bug 12083)
  • The following bugs have been fixed:
  • Display filter textbox loses focus during live capturing. ([20]Bug 11890)
  • Wireshark crashes when saving pcaps, opening pcaps, and exporting specified packets. ([21]Bug 12036)
  • tshark stalls on FreeBSD if androiddump is present. ([22]Bug 13104)
  • UTF-8 characters in packet list column title. ([23]Bug 13342)
  • Recent capture file list should appear immediately on startup. ([24]Bug 13352)
  • editcap segfault if a packet length is shorter than ignore bytes parameter. ([25]Bug 13378)
  • dftest segfault with automated build of 2.2.5. ([26]Bug 13387)
  • UMTS MAC Dissector shows Packet size limited for BCCH payload. ([27]Bug 13392)
  • VS2010 win32 ±¥. ([28]Bug 13398)
  • EAP AKA not being decoded properly. ([29]Bug 13411)
  • Dumpcap crashes during rpcap setup. ([30]Bug 13418)
  • Crash on closing SNMP capture file if snmp credentials are present. ([31]Bug 13420)
  • GPRS-NS message PDU type displayed in octal instead of hexadecimal. ([32]Bug 13428)
  • UPDATED PROTOCOL SUPPORT:
  • GPRS-NS, GTPv2, IAX2, IEEE 802.11, LDSS, MS-WSP, OpcUa, ROHC, RTMTP, SNMP, STANAG 4607, T.38, and UMTS FP

New in WireShark 2.2.4 (Jan 24, 2017)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • [1]wnpa-sec-2017-01 The ASTERIX dissector could go into an infinite loop. ([2]Bug 13344)
  • [3]wnpa-sec-2017-02 The DHCPv6 dissector could go into a large loop. ([4]Bug 13345)
  • The following bugs have been fixed:
  • TCP reassembly: tcp.reassembled_in is not set in first packet. ([5]Bug 3264)
  • Duplicated Interfaces instances while refreshing. ([6]Bug 11553)
  • Time zone name needs to be converted to UTF-8 on Windows. ([7]Bug 11785)
  • Crash on fast local interface changes. ([8]Bug 12263)
  • Please align columns in tshark's output. ([9]Bug 12502)
  • Display data rate fields for VHT rates invalid with BCC modulation. ([10]Bug 12859)
  • plugin_if_get_ws_info causes Access Violation if called during rescan. ([11]Bug 12973)
  • SMTP BDAT dissector not reverting to command-code after DATA. ([12]Bug 13030)
  • Wireshark fails to recognize V6 DBS Etherwatch capture files. ([13]Bug 13093)
  • Runtime Error when try to merge .pcap files (Wireshark crashes). ([14]Bug 13175)
  • PPP BCP BPDU size reports not header size, but all data underneath and its header size in UI. ([15]Bug 13188)
  • In-line UDP checksum bytes in 6LoWPAN IPHC are swapped. ([16]Bug 13233)
  • Uninitialized memcmp on data in daintree-sna.c. ([17]Bug 13246)
  • Crash when dissect WDBRPC Version 2 protocol with Dissect unknown program numbers enabled. ([18]Bug 13266)
  • Contents/Resources/bin directory isn't in the app bundle after installation. ([19]Bug 13270)
  • Regression: IEEE17221 (AVDECC) decoded as IEEE1722 (AVB Transportation Protocol). ([20]Bug 13274)
  • Can't decode packets captured with OpenBSD enc(4) encapsulating. ([21]Bug 13279)
  • UDLD flags are at other end of octet. ([22]Bug 13280)
  • MS-WSP dissector no longer works since commit 8c2fa5b5cf789e6d0d19cd0dd34479d0203d177a. ([23]Bug 13299)
  • TBCD string decoded wrongly in MAP ATI message. ([24]Bug 13316)
  • Filter Documentation: The tilde (~) operator is not documented. ([25]Bug 13320)
  • VoIP Flow Sequence Causes Application Crash. ([26]Bug 13329)
  • Updated Protocol Support:
  • 6LoWPAN, DVB-CI, ENC, GSM MAP, IEEE 1722, IEEE 1722.1, ISAKMP, MS-WSP, PPP, QUIC, Radiotap, RPC, SMTP, TCP, UCD, and UDLD
  • New and Updated Capture File Support:
  • Daintree SNA, and DBS Etherwatch

New in WireShark 2.2.3 (Dec 15, 2016)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • Arbitrary file deletion on Windows. ([1]Bug 13217)
  • The following bugs have been fixed:
  • Saving all exported objects (SMB/SMB2) results in out of physical memory. ([2]Bug 11133)
  • Export HTTP Objects - Single file shows as multiple files in 2.0.2. ([3]Bug 12230)
  • Follow Stream and graph buttons remain greyed out in conversation window. ([4]Bug 12893)
  • Dicom list of tags in element of VR=AT not properly decoded. ([5]Bug 13077)
  • Malformed Packet: BGP Update (withdraw) message. ([6]Bug 13146)
  • Install fail on macOS Sierra (error PKInstallErrorDomain Code=112). ([7]Bug 13152)
  • GTP: "Create PDP Context response" message shows back-off timer as malformed when included in the response. ([8]Bug 13153)
  • ICMP dissector fails to properly detect timestamps. ([9]Bug 13161)
  • RLC misdissection. ([10]Bug 13162)
  • Text2pcap on Windows produces corrupt output when writing the capture file to the standard output. ([11]Bug 13165)
  • HTML escaping of quotes in error message. ([12]Bug 13178)
  • TShark doesn't respect protocols.display_hidden_proto_items setting. ([13]Bug 13192)
  • RPC/RDMA dissector should exit when frame is not RPC-over-RDMA. ([14]Bug 13195)
  • Some RPC-over-RDMA frames are not recognized as RPC-over-RDMA. ([15]Bug 13196)
  • RPC-over-RDMA frames with chunk lists are "Malformed". ([16]Bug 13197)
  • TShark fails to pass RPC-over-RDMA frames to RPC subdissector. ([17]Bug 13198)
  • Adding a DOF DPS Identity Secret, session Key, or Mode Template causes Wireshark to crash. ([18]Bug 13209)
  • Wireshark shows "MS Video Source Request" in a RTCP packet as "Malformed". ([19]Bug 13212)
  • Updated Protocol Support:
  • BGP, BOOTP/DHCP, BTLE, DICOM, DOF, Echo, GTP, ICMP, Radiotap, RLC, RPC
  • over RDMA, RTCP, SMB, TCP, UFTP4, and VXLAN

New in WireShark 2.2.2 (Nov 17, 2016)

  • BUG FIXES:
  • The following vulnerabilities have been fixed:
  • [1]wnpa-sec-2016-58: Profinet I/O long loop. ([2]Bug 12851)
  • [3]wnpa-sec-2016-59: AllJoyn crash. ([4]Bug 12953)
  • [5]wnpa-sec-2016-60: OpenFlow crash. ([6]Bug 13071)
  • [7]wnpa-sec-2016-61: DCERPC crash. ([8]Bug 13072)
  • [9]wnpa-sec-2016-62: DTN infinite loop. ([10]Bug 13097)
  • The following bugs have been fixed:
  • TCP: nextseq incorrect if TCP_MAX_UNACKED_SEGMENTS exceeded & FIN true. ([12]Bug 12579)
  • SMPP schedule_delivery_time displayed wrong in Wireshark 2.1.0. ([13]Bug 12632)
  • Upgrading to latest version uninstalls Microsoft Visual C++ redistributable. ([14]Bug 12712)
  • dmg for OS X does not install man pages. ([15]Bug 12746)
  • Fails to compile against Heimdal 1.5.3. ([16]Bug 12831)
  • TCP: Next sequence number off by one when sending payload in SYN packet (e.g. TFO). ([17]Bug 12838)
  • Follow TCP Stream shows duplicate stream data. ([18]Bug 12855)
  • Dissection engine falsely asserts that EIGRP packet's checksum is incorrect. ([19]Bug 12982)
  • IEEE 802.15.4 frames erroneously handed over to ZigBee dissector. ([20]Bug 12984)
  • Capture Filter Bookmark Inactive in Capture Options page. ([21]Bug 12986)
  • CLNP dissector does not parse ER NPDU properly. ([22]Bug 12993)
  • SNMP trap bindings for NON scalar OIDs. ([23]Bug 13013)
  • BGP LS Link Protection Type TLV (1093) decoding. ([24]Bug 13021)
  • Application crash sorting column for tcp.window_size_scalefactor up and down. ([25]Bug 13023)
  • ZigBee Green Power add key during execution. ([26]Bug 13031)
  • Malformed AMPQ packets for session.expected and session.confirmed fields. ([27]Bug 13037)
  • Wireshark 2.2.1 crashes when attempting to merge pcap files. ([28]Bug 13060)
  • [IS-637A] SMS - Teleservice layer parameter --> IA5 encoded text is not correctly displayed. ([29]Bug 13065)
  • Failure to dissect USB Audio feature unit descriptors missing the iFeature field. ([30]Bug 13085)
  • MSISDN not populated/decoded in JSON GTP-C decoding. ([31]Bug 13086)
  • E212: 3 digits MNC are identified as 2 digits long if they end with a 0. ([32]Bug 13092)
  • Exception with last unknown Cisco AVP available in a SCCRQ message. ([33]Bug 13103)
  • TShark stalls on FreeBSD if androiddump is present. ([34]Bug 13104)
  • Dissector skips DICOM command. ([35]Bug 13110)
  • UUID (FT_GUID) filtering isn't working. ([36]Bug 13121)
  • Manufacturer name resolution fail. ([37]Bug 13126)
  • packet-sdp.c allocates transport_info->encoding_name from wrong memory pool. ([38]Bug 13127)
  • Payload type name for dynamic payload is wrong for reverse RTP channels. ([39]Bug 13132)
  • UPDATED PROTOCOL SUPPORT:
  • 6LoWPAN, AllJoyn, AMPQ, ANSI IS-637 A, BGP, CLNP, DCERPC, DICOM, DTN, E.212, EIGRP, ERF, GVSP, IEEE 802.11, IEEE 802.15.4, IP, ISO-8583, Kerberos, L2TP, LACP, MAC LTE, OpenFlow, Profinet I/O, RTPS, SCTP, SDP, Skype, SMPP, SNA, SNMP, SPNEGO, TCP, USB Audio, XML, and ZigBee.

New in WireShark 2.2.1 (Oct 5, 2016)

  • BUG FIXES:
  • The following vulnerabilities have been fixed:
  • [1]wnpa-sec-2016-56 The Bluetooth L2CAP dissector could crash. ([2]Bug 12825)
  • [3]wnpa-sec-2016-57 The NCP dissector could crash. ([4]Bug 12945)
  • The following bugs have been fixed:
  • Flow Graph colored data arrows. ([5]Bug 12065)
  • Capture File Properties under Statistics Grayed Out after Stopping a Capture. ([6]Bug 12071)
  • Qt: Hidden columns displayed during live capture. ([7]Bug 12377)
  • Unable to save changes to coloring rules. ([8]Bug 12814)
  • Bad description for NBSS error code 0x81. ([9]Bug 12835)
  • Live capture from USBPcap fails immediately. ([10]Bug 12846)
  • Cannot decrypt EAP-TTLS traffic (not recognized as conversation). ([11]Bug 12879)
  • Export packet dissections Option disabled after capturing traffic. ([12]Bug 12898)
  • Failure to open file named with Chinese or other multibyte characters. ([13]Bug 12900)
  • k12 text file format causes errors. ([14]Bug 12903)
  • File | File Set | List Files dialog is blank. ([15]Bug 12904)
  • Decoding/Display of an INAP CONNECT message goes wrong for the Destination Routing Address part. ([16]Bug 12911)
  • TLS padding extension dissector length parsing bug. ([17]Bug 12922)
  • Diameter dictionary bugs. ([18]Bug 12927)
  • File open from menu bar with filter in place causes Wireshark to crash. ([19]Bug 12929)
  • Unable to capture USBPcap trace using tshark with extcap built. ([20]Bug 12949)
  • P1 dissector fails a TVB assertion. ([21]Bug 12976)
  • Multiple PortableApps instances can once again be run at the same time.
  • UPDATED PROTOCOL SUPPORT:
  • 6LowPAN, BT L2CAP, CIP, DCOM IRemUnknown, Diameter, DMP, EAP, ISUP, NBT, NCP, NetFlow, SSL / TLS, and U3V
  • NEW AND UPDATED CAPTURE FILE SUPPORT:
  • Ascend, and K12

New in WireShark 2.2.0 (Sep 8, 2016)

  • BUG FIXES:
  • Upgrading to latest version uninstalls Microsoft Visual C++ redistributable. ([1]Bug 12712)
  • Extcap errors not reported back to UI. ([2]Bug 11892)
  • NEW AND UPDATED FEATURES:
  • The following features are new (or have been significantly updated) since version 2.2.0rc1:
  • "Decode As" supports SSL (TLS) over TCP.
  • The following features are new (or have been significantly updated) since version 2.1.1:
  • Invalid coloring rules are now disabled instead of discarded. This will provide backward compatibility with a coloring rule change in Wireshark 2.2.
  • The following features are new (or have been significantly updated) since version 2.1.0:
  • Added -d option for Decode As support in Wireshark (mimics TShark functionality)
  • The Qt UI, GTK+ UI, and TShark can now export packets as JSON. TShark can additionally export packets as Elasticsearch-compatible JSON.
  • The Qt UI now supports the -j, -J, and -l flags. The -m flag is now deprecated.
  • The Conversations and Endpoints dialogs are more responsive when viewing large numbers of items.
  • The RTP player now allows up to 30 minutes of silence frames.
  • Packet bytes can now be displayed as EBCDIC.
  • proto_tree_add_checksum was added as an API. This attempts to standardize how checksums are reported and filtered for within *Shark. There are no more individual "good" and "bad" filter fields, protocols now have a "checksum.status" field that records "Good", "Bad" and "Unverified" (neither good or bad). Color filters provided with Wireshark have been adjusted to the new display filter names, but custom ones may need to be updated.
  • The following features are new (or have been significantly updated) since version 2.0.0:
  • The intelligent scroll bar now sits to the left of a normal scroll bar and provides a clickable map of nearby packets.
  • You can now switch between between Capture and File Format dissection of the current capture file via the View menu in the Qt GUI.
  • You can now show selected packet bytes as ASCII, HTML, Image, ISO 8859-1, Raw, UTF-8, a C array, or YAML.
  • You can now use regular expressions in Find Packet and in the advanced preferences.
  • Name resolution for packet capture now supports asynchronous DNS lookups only. Therefore the "concurrent DNS resolution" preference has been deprecated and is a no-op. To enable DNS name resolution some build dependencies must be present (currently c-ares). If that is not the case DNS name resolution will be disabled (but other name resolution mechanisms, such as host files, are still available).
  • The byte under the mouse in the Packet Bytes pane is now highlighted.
  • TShark supports exporting PDUs via the -U flag.
  • The Windows and OS X installers now come with the "sshdump" and "ciscodump" extcap interfaces.
  • Most dialogs in the Qt UI now save their size and positions.
  • The Follow Stream dialog now supports UTF-16.
  • The Firewall ACL Rules dialog has returned.
  • The Flow (Sequence) Analysis dialog has been improved.
  • We no longer provide packages for 32-bit versions of OS X.
  • The Bluetooth Device details dialog has been added.
  • NEW FILE FORMAT DECODING SUPPORT:
  • Wireshark is able to display the format of some types of files (rather than displaying the contents of those files). This is useful when you're curious about, or debugging, a file and its format. To open a capture file (such as PCAP) in this mode specify "MIME Files Format" as the file's format in the Open File dialog.
  • NEW PROTOCOL SUPPORT:
  • Apache Cassandra - CQL version 3.0, Bachmann bluecom Protocol, Bluetooth Pseudoheader for BR/EDR, Cisco ERSPAN3 Marker, Cisco ttag, Digital Equipment Corporation Local Area Transport, Distributed Object Framework, DOCSIS Upstream Channel Descriptor Type 35, Edge Control Protocol (ECP), Encrypted UDP based FTP with multicast, Ericsson IPOS Kernel Packet Header (IPOS), Extensible Control & Management Protocol (eCMP), FLEXRAY Protocol (automotive bus), IEEE 802.1BR E-Tag, Intel Omni-Path Architecture, ISO 8583-1, ISO14443, ITU-T G.7041/Y.1303 Generic Framing Procedure (GFP), LAT protocol (DECNET), Metamako trailers, Network Service Header for Ethernet & GRE, Network-Based IP Flow Mobility (NBIFOM), Nokia Intelligent Service Interface (ISI), Open Mobile Alliance Lightweight Machine to Machine TLV (LwM2M TLV), Real Time Location System (RTLS), RTI TCP Transport Layer (RTITCP), SMB Witness Service, STANAG 5602 SIMPLE, Standard Interface for Multiple Platform Link Evaluation (SIMPLE), USB3 Vision Protocol (USB machine vision cameras), USBIP Protocol, UserLog Protocol, and Zigbee Protocol Clusters (Closures Lighting General Measurement & Sensing HVAC Security & Safety)
  • UPDATED PROTOCOL SUPPORT:
  • Bluetooth OBEX dissector (btobex) was renamed to Obex Dissector (obex), which allows it to be used with "Decode As" over USB, TCP and UDP.
  • A preference was added to TCP dissector for handling IPFIX process information. It has been disabled by default.
  • NEW AND UPDATED CAPTURE FILE SUPPORT:
  • Micropross mplog
  • MAJOR API CHANGES:
  • The libwireshark API has undergone some major changes:
  • The address macros (e.g., SET_ADDRESS) have been removed. Use the (lower case) functions of the same names instead.
  • "old style" dissector functions (that don't return number of bytes used) have been replaced in name with the "new style" dissector functions.
  • tvb_get_string and tvb_get_stringz have been replaced with tvb_get_string_enc and tvb_get_stringz_enc respectively.

New in WireShark 2.2.0 RC 2 (Sep 1, 2016)

  • The following features are new (or have been significantly updated) since version 2.2.0rc1:
  • "Decode As" supports SSL (TLS) over TCP.

New in WireShark 2.2.0 RC1 (Aug 23, 2016)

  • What's New:
  • Invalid coloring rules are now disabled instead of discarded. This will provide backward compatibility with a coloring rule change in Wireshark 2.2.
  • Bug Fixes:
  • Upgrading to latest version uninstalls Microsoft Visual C++ redistributable. ([1]Bug 12712)
  • New and Updated Features:
  • There have been no new or significantly updated features since version 2.1.1.
  • The following features are new (or have been significantly updated) since version 2.1.0:
  • Added -d option for Decode As support in Wireshark (mimics TShark functionality)
  • The Qt UI, GTK+ UI, and TShark can now export packets as JSON. TShark can additionally export packets as Elasticsearch-compatible JSON.
  • The Qt UI now supports the -j, -J, and -l flags. The -m flag is now deprecated.
  • The Conversations and Endpoints dialogs are more responsive when viewing large numbers of items.
  • The RTP player now allows up to 30 minutes of silence frames.
  • Packet bytes can now be displayed as EBCDIC.
  • The Qt UI loads captures faster on Windows.
  • proto_tree_add_checksum was added as an API. This attempts to standardize how checksums are reported and filtered for within *Shark. There are no more individual "good" and "bad" filter fields, protocols now have a "checksum.status" field that records "Good", "Bad" and "Unverified" (neither good or bad). Color filters provided with Wireshark have been adjusted to the new display filter names, but custom ones may need to be updated.
  • The following features are new (or have been significantly updated) since version 2.0.0:
  • The intelligent scroll bar now sits to the left of a normal scroll bar and provides a clickable map of nearby packets.
  • You can now switch between between Capture and File Format dissection of the current capture file via the View menu in the Qt GUI.
  • You can now show selected packet bytes as ASCII, HTML, Image, ISO 8859-1, Raw, UTF-8, a C array, or YAML.
  • You can now use regular expressions in Find Packet and in the advanced preferences.
  • Name resolution for packet capture now supports asynchronous DNS lookups only. Therefore the "concurrent DNS resolution" preference has been deprecated and is a no-op. To enable DNS name resolution some build dependencies must be present (currently c-ares). If that is not the case DNS name resolution will be disabled (but other name resolution mechanisms, such as host files, are still available).
  • The byte under the mouse in the Packet Bytes pane is now highlighted.
  • TShark supports exporting PDUs via the -U flag.
  • The Windows and OS X installers now come with the "sshdump" and "ciscodump" extcap interfaces.
  • Most dialogs in the Qt UI now save their size and positions.
  • The Follow Stream dialog now supports UTF-16.
  • The Firewall ACL Rules dialog has returned.
  • The Flow (Sequence) Analysis dialog has been improved.
  • We no longer provide packages for 32-bit versions of OS X.
  • The Bluetooth Device details dialog has been added.
  • New File Format Decoding Support:
  • Wireshark is able to display the format of some types of files (rather than displaying the contents of those files). This is useful when you're curious about, or debugging, a file and its format. To open a capture file (such as PCAP) in this mode specify "MIME Files Format" as the file's format in the Open File dialog.
  • New Protocol Support:
  • Apache Cassandra - CQL version 3.0, Bachmann bluecom Protocol, Bluetooth Pseudoheader for BR/EDR, CISCO ERSPAN3 Marker, Edge Control Protocol (ECP), Encrypted UDP based FTP with multicast, Ericsson IPOS Kernel Packet Header Dissector Added (IPOS), Extensible Control & Management Protocol (eCMP), FLEXRAY Protocol dissector added (automotive bus), IEEE 802.1BR E-Tag, ISO 8583-1, ISO14443, ITU-T G.7041/Y.1303 Generic Framing Procedure (GFP), LAT protocol (DECNET), Metamako trailers, Network-Based IP Flow Mobility (NBIFOM), Nokia Intelligent Service Interface (ISI), Open Mobile Alliance Lightweight Machine to Machine TLV payload Added (LwM2M TLV), Real Time Location System (RTLS), RTI TCP Transport Layer (RTITCP), STANAG 5602 SIMPLE, USB3 Vision Protocol (USB machine vision cameras), USBIP Protocol, UserLog Protocol, and Zigbee Protocol Clusters Dissectors Added (Closures Lighting General Measurement & Sensing HVAC Security & Safety)
  • Updated Protocol Support:
  • Bluetooth OBEX dissector (btobex) was renamed to Obex Dissector (obex), allow to DecodeAs it over USB, TCP and UDP.
  • A preference was added to TCP dissector for handling IPFIX process information. It has been disabled by default.
  • New and Updated Capture File Support:
  • Micropross mplog
  • New and Updated Capture Interfaces support:
  • Non-empty section placeholder.
  • Major API Changes:
  • The libwireshark API has undergone some major changes:
  • The address macros (e.g., SET_ADDRESS) have been removed. Use the (lower case) functions of the same names instead.
  • "old style" dissector functions (that don't return number of bytes used) have been replaced in name with the "new style" dissector functions.
  • tvb_get_string and tvb_get_stringz have been replaced with tvb_get_string_enc and tvb_get_stringz_enc respectively.

New in WireShark 2.0.5 (Jul 27, 2016)

  • BUG FIXES:
  • The following vulnerabilities have been fixed:
  • [3]wnpa-sec-2016-41: PacketBB crash. ([4]Bug 12577)
  • [5]wnpa-sec-2016-42: WSP infinite loop. ([6]Bug 12594)
  • [7]wnpa-sec-2016-44: RLC long loop. ([8]Bug 12660)
  • [9]wnpa-sec-2016-45: LDSS dissector crash. ([10]Bug 12662)
  • [11]wnpa-sec-2016-46: RLC dissector crash. ([12]Bug 12664)
  • [13]wnpa-sec-2016-47: OpenFlow long loop. ([14]Bug 12659)
  • [15]wnpa-sec-2016-48: MMSE, WAP, WBXML, and WSP infinite loop. ([16]Bug 12661)
  • [17]wnpa-sec-2016-49: WBXML crash. ([18]Bug 12663)
  • The following bugs have been fixed:
  • T30 FCF byte decoding masks DTC, CIG and NCS. ([19]Bug 1918)
  • TShark crashes with option "-z io,stat,..." in the presence of: negative relative packet timestamps. ([20]Bug 9014)
  • Packet size limited during capture msg is repeated in the Info: column. ([21]Bug 9826)
  • Wireshark loses windows decorations on second screen when: restarting maximized using GNOME. ([22]Bug 11303)
  • Cannot launch GTK+ version of wireshark as a normal user. ([23]Bug: 11400)
  • Restart current capture fails with "no interface selected" error: when capturing in promiscuous mode. ([24]Bug 11834)
  • Add field completion suggestions when adding a Display filter or Y: Field to the IO Graph. ([25]Bug 11899)
  • Wireshark Qt always indicates locale as "C". ([26]Bug 11960)
  • Wireshark crashes every time open Statistics -> Conversations |: Endpoints. ([27]Bug 12288)
  • Find function within the conversations window does not work.: ([28]Bug 12363)
  • Invalid values for USB SET_REQUEST packets. ([29]Bug 12511)
  • Display filter dropdown hides cursor. ([30]Bug 12520)
  • Filter for field name tcp.options.wscale.multiplier cannot exceed: 255. ([31]Bug 12525)
  • Ctrl+ shortcuts that are not text-related do not work when focus is: on display filter field. ([32]Bug 12533)
  • Closing Statistics window results in black screen. ([33]Bug 12544)
  • OSPF: Incorrect description of N/P-bit in NSSA LSA. ([34]Bug 12555)
  • Inconsistent VHT data rate. ([35]Bug 12558)
  • DCE/RPC malformed error when stub-data is missing but a: sub-dissector has been registered. ([36]Bug 12561)
  • Wireshark is marking BGP FlowSpec NLRI as malformed if NLRI length: is larger than 239 bytes. ([37]Bug 12568)
  • "Edit Resolved Name" is not saved in current pcapng file. ([38]Bug: 12629)
  • MPTCP: MP_JOIN B bit not decoded correctly. ([39]Bug 12635)
  • MPTCP MP_PRIO header with AddrID: incorrect AddrID. ([40]Bug 12641)
  • UPDATED PROTOCOL SUPPORT:
  • 802.11 Radiotap, BGP, CAN, CANopen, H.248 Q.1950, IPv4, IPv6, LANforge, LDSS, MPTCP, OSPF, PacketBB, PRP, RLC, RMT-FEC, RSVP, RTP MIDI, T.30, TDS, USB, WAP, WBXML, WiMax RNG-RSP, and WSP

New in WireShark 2.1.1 Dev (Jul 14, 2016)

  • Added -d option for Decode As support in Wireshark (mimics TShark functionality)
  • The Qt UI, GTK+ UI, and TShark can now export packets as JSON. TShark can additionally export packets as Elasticsearch-compatible JSON.
  • The Qt UI now supports the -j, -J, and -l flags. The -m flag is now deprecated.
  • The Conversations and Endpoints dialogs are more responsive when viewing large numbers of items.
  • The RTP player now allows up to 30 minutes of silence frames.
  • Packet bytes can now be displayed as EBCDIC.
  • The Qt UI loads captures faster on Windows.

New in WireShark 2.1.0 Dev (Jun 9, 2016)

  • NEW AND UPDATED FEATURES:
  • You can now switch between between Capture and File Format dissection of the current capture file via the View menu in the Qt GUI.
  • You can now show selected packet bytes as ASCII, HTML, Image, ISO 8859-1, Raw, UTF-8, a C array, or YAML.
  • You can now use regular expressions in Find Packet and in the advanced preferences.
  • Name resolution for packet capture now supports asynchronous DNS lookups only. Therefore the "concurrent DNS resolution" preference has been deprecated and is a no-op. To enable DNS name resolution some build dependencies must be present (currently c-ares). If that is not the case DNS name resolution will be disabled (but other name resolution mechanisms, such as host files, are still available).
  • The byte under the mouse in the Packet Bytes pane is now highlighted.
  • TShark supports exporting PDUs via the -U flag.
  • The Windows and OS X installers now come with the "sshdump" and "ciscodump" extcap interfaces.
  • Most dialogs in the Qt UI now save their size and positions.
  • The Follow Stream dialog now supports UTF-16.
  • The Firewall ACL Rules dialog has returned.
  • The Flow (Sequence) Analysis dialog has been improved.
  • MAJOR API CHANGES::
  • The address macros (e.g., SET_ADDRESS) have been removed. Use the (lower case) functions of the same names instead.
  • "old style" dissector functions (that don't return number of bytes used) have been replaced in name with the "new style" dissector functions.
  • tvb_get_string and tvb_get_stringz have been replaced with tvb_get_string_enc and tvb_get_stringz_enc respectively.
  • NEW FILE FORMAT DECODING SUPPORT:
  • Wireshark is able to display the format of some types of files (rather than displaying the contents of those files). This is useful when you're curious about, or debugging, a file and its format. To open a capture file (such as PCAP) in this mode specify "MIME Files Format" as the file's format in the Open File dialog. New files that Wireshark can open in this mode include:
  • NEW PROTOCOL SUPPORT:
  • Apache Cassandra - CQL version 3.0, Bachmann bluecom Protocol, Bluetooth Pseudoheader for BR/EDR, CISCO ERSPAN3 Marker, Edge Control Protocol (ECP), Ericsson IPOS Kernel Packet Header Dissector Added (IPOS), Extensible Control & Management Protocol (eCMP), FLEXRAY Protocol dissector added (automotive bus), ISO 8583-1, ISO14443, ITU-T G.7041/Y.1303 Generic Framing Procedure (GFP), LAT protocol (DECNET), Metamako trailers, Nokia Intelligent Service Interface (ISI), Open Mobile Alliance Lightweight Machine to Machine TLV payload Added (LwM2M TLV), RTI TCP Transport Layer (RTITCP), STANAG 5602 SIMPLE, USB3 Vision Protocol (USB machine vision cameras), USBIP Protocol, UserLog Protocol, and Zigbee Protocol Clusters Dissectors Added (Closures Lighting General Measurement & Sensing HVAC Security & Safety)
  • UPDATED PROTOCOL SUPPORT:
  • Bluetooth OBEX dissector (btobex) was renamed to Obex Dissector (obex), allow to DecodeAs it over USB, TCP and UDP. A preference was added to TCP dissector for handling IPFIX process information. It has been disabled by default.

New in WireShark 2.0.4 (Jun 7, 2016)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2016-29 The SPOOLS dissector could go into an infinite loop. Discovered by the CESG.
  • ]wnpa-sec-2016-30 The IEEE 802.11 dissector could crash. ([3]Bug 11585)
  • ]wnpa-sec-2016-31 The IEEE 802.11 dissector could crash. Discovered by Mateusz Jurczyk. ([5]Bug 12175)
  • ]wnpa-sec-2016-32 The UMTS FP dissector could crash. ([7]Bug 12191)
  • ]wnpa-sec-2016-33 Some USB dissectors could crash. Discovered by Mateusz Jurczyk. ([9]Bug 12356)
  • wnpa-sec-2016-34 The Toshiba file parser could crash. Discovered by iDefense Labs. ([11]Bug 12394)
  • wnpa-sec-2016-35 The CoSine file parser could crash. Discovered by iDefense Labs. ([13]Bug 12395)
  • wnpa-sec-2016-36 The NetScreen file parser could crash. Discovered by iDefense Labs. ([15]Bug 12396)
  • wnpa-sec-2016-37 The Ethernet dissector could crash. ([17]Bug 12440)
  • The following bugs have been fixed:
  • Saving pcap capture file with ERF encapsulation creates an invalid pcap file. ([18]Bug 3606)
  • Questionable calling of Ethernet dissector by encapsulating protocol dissectors. ([19]Bug 9933)
  • Wireshark 1.12.0 does not dissect HTTP correctly. ([20]Bug 10335)
  • Don't copy details of hidden columns. ([21]Bug 11788)
  • RTP audio player crashes. ([22]Bug 12166)
  • Crash when saving RTP audio Telephony->RTP->RTP Streams->Analyze->Save->Audio. ([23]Bug 12211)
  • Edit - preferences - add column field not showing dropdown for choices. ([24]Bug 12321)
  • Using _ws.expert in a filter can cause a crash. ([25]Bug 12335)
  • Crash in SCCP dissector UAT (Qt UI only). ([26]Bug 12364)
  • J1939 frame without data = malformed packet ? ([27]Bug 12366)
  • The stream number in tshark's "-z follow,tcp," option is 0-origin rather than 1-origin. ([28]Bug 12383)
  • IP Header Length display filter should show calculated value. ([29]Bug 12387)
  • Multiple file radio buttons should be check boxes. ([30]Bug 12388)
  • Wrong check for getaddrinfo and gethostbyname on Solaris 11. ([31]Bug 12391)
  • ICMPv6 dissector doesn't respect actual packet length. ([32]Bug 12400)
  • Format DIS header timestamp mm:ss.nnnnnn. ([33]Bug 12402)
  • RTP Stream Analysis can no longer be sorted in 2.0.3. ([34]Bug 12405)
  • RTP Stream Analysis fails to complete in 2.0.3 when packets are sliced. ([35]Bug 12406)
  • Network-Layer Name Resolution uses first 32-bits of IPv6 DNS address as IPv4 address in some circumstances. ([36]Bug 12412)
  • BACnet decoder incorrectly flags a valid APDU as a "Malformed Packet". ([37]Bug 12422)
  • Valid ISUP messages marked with warnings. ([38]Bug 12423)
  • Profile command line switch "-C" not working in Qt interface. ([39]Bug 12425)
  • MRCPv2: info column not showing info correctly. ([40]Bug 12426)
  • Diameter: Experimental result code 5142. ([41]Bug 12428)
  • Tshark crashes when analyzing RTP due to pointer being freed not allocated. ([42]Bug 12430)
  • NFS: missing information in getattr for supported exclusive create attributes. ([43]Bug 12435)
  • Ethernet type field with a value of 9100 is shown as "Unknown". ([44]Bug 12441)
  • Documentation does not include support for Windows Server 2012 R2. ([45]Bug 12455)
  • Column preferences ruined too easily. ([46]Bug 12465)
  • SMB Open andX extended response decoded incorrectly. ([47]Bug 12472)
  • SMB NtCreate andX with extended response sometimes incorrect. ([48]Bug 12473)
  • Viewing NFSv3 Data, checking SRTs doesn't work. ([49]Bug 12478)
  • Make wireshark with Qt enabled buildable on ARM. ([50]Bug 12483)
  • Updated Protocol Support:
  • AFS, ANSI IS-637 A, BACapp, BT BNEP, Cisco FabricPath MiM, CSN.1, DCERPC SPOOLS, DIS, Ethernet, GSM A RR, ICMPv6, IEEE 802.11, IPv4, ISUP, J1939, JXTA, LAPSat, LPADm, LTE-RRC, MRCPv2, NFS, OpenFlow, SGsAP, SMB, STT, TZSP, UMTS FP, and USB
  • New and Updated Capture File Support:
  • Aethra, Catapult DCT2000, CoSine, DBS Etherwatch, ERF, iSeries, Ixia IxVeriWave, NetScreen, Toshiba, and VMS TCPIPtrace

New in WireShark 2.0.3 (Apr 22, 2016)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • [1]wnpa-sec-2016-19 The NCP dissector could crash. ([2]Bug 11591)
  • [3]wnpa-sec-2016-20 TShark could crash due to a packet reassembly bug. ([4]Bug 11799)
  • [5]wnpa-sec-2016-21 The IEEE 802.11 dissector could crash. ([6]Bug 11824, [7]Bug 12187)
  • [8]wnpa-sec-2016-22 The PKTC dissector could crash. ([9]Bug 12206)
  • [10]wnpa-sec-2016-23 The PKTC dissector could crash. ([11]Bug 12242)
  • [12]wnpa-sec-2016-24 The IAX2 dissector could go into an infinite loop. ([13]Bug 12260)
  • [14]wnpa-sec-2016-25 Wireshark and TShark could exhaust the stack. ([15]Bug 12268)
  • [16]wnpa-sec-2016-26 The GSM CBCH dissector could crash. ([17]Bug 12278)
  • [18]wnpa-sec-2016-27 MS-WSP dissector crash. ([19]Bug 12341)
  • The following bugs have been fixed:
  • Protocol Hierarchy Statistics shows LDAP lines recursively. ([20]Bug 1734)
  • UTF-8 replacement characters in FT_STRINGs are escaped for presentation. ([21]Bug 10681)
  • DTLS : reassembly error, protocol DTLS: New fragment overlaps old data. ([22]Bug 11477)
  • Packet byte pane in Qt version of packet window isn't being displayed. ([23]Bug 11760)
  • "wireshark -i usbmon2 -k" results in "No interfaces selected" when restarting a capture. ([24]Bug 11939)
  • Crash when changing the "which packets to print" radio button in the Print dialog. ([25]Bug 12040)
  • Selecting packets causes memory leak. ([26]Bug 12044)
  • Client Hello not dissected when failed SSL handshake fully captured. ([27]Bug 12132)
  • TCP graphs - wrong stream graphed if stream index > 99. ([28]Bug 12163)
  • Typo in packet-gsm_a_dtap.c. ([29]Bug 12186)
  • Lua dot file error. ([30]Bug 12196)
  • "All Files" does not allow selecting files without period. ([31]Bug 12203)
  • wlan, wlan_mgt, Length error shown for IE BSS AC Access Delay/WAPI Parameter Set (68). ([32]Bug 12223)
  • Qt GUI very slow when expanding packet details with a lot of items. ([33]Bug 12228)
  • Comparing a boolean field against 1 always succeeds on big-endian machines. ([34]Bug 12236)
  • FIN flag not always correctly passed to subdissectors. ([35]Bug 12238)
  • Interpretation of BGP NLRI for default route cause malformed packet. ([36]Bug 12240)
  • Capture Interfaces dialog crashes after clicking the bookmark menu. ([37]Bug 12241)
  • Wireshark crashes right after a capture filter is selected. ([38]Bug 12245)
  • GSM GMM Identity Response dissection error. ([39]Bug 12246)
  • Crash reloading "dissector.lua" from the Wireshark website. ([40]Bug 12251)
  • VoIP calls does not show IAX2 calls. ([41]Bug 12254)
  • Wireshark CPU usage has dramatically increased. ([42]Bug 12258)
  • RPC/NFS incorrectly decodes as ACAP. ([43]Bug 12265)
  • Wireshark mistakenly flags CF-End packets as being Malformed. ([44]Bug 12266)
  • ASTERIX Category 48 Reserved Expansion Field. ([45]Bug 12267)
  • It is not possible to enter characters requiring "Alt Gr" in the display filter box such as "[" on a Swedish keyboard. ([46]Bug 12270)
  • tshark crashes when trying to export to pdml. ([47]Bug 12276)
  • Build fails on Centos 6.5 with gtk2 in ui/gtk/rtp_player.c rtp_channel_info_r has no no member start_time. ([48]Bug 12277)
  • TCP Dissector - spurious retransmissions not always recognized. ([49]Bug 12282)
  • PRA Identifier of the IE PRA Action should use 3 octets (6 to 8) and not 2 in GTPv2. ([50]Bug 12284)
  • Dissector bug, failed assertion, proto_desegment pinfo->can_desegment. ([51]Bug 12285)
  • Colorize with filter, new coloring rule, is labeled as new conversation rule. ([52]Bug 12289)
  • Qt Multicast Stream Dialog error in input field Burst alarm threshold and Buffer alarm. ([53]Bug 12309)
  • 6LoWPAN reassembly incorrect if extension header padding was elided. ([54]Bug 12310)
  • USBPcap prevents keyboard from working. ([55]Bug 12316)
  • Crash when reloading Lua script when Field is gone. ([56]Bug 12328)
  • Wrong display of USSD strings in the GSM 7-bit alphabet for non-ASCII characters in Wireshark 2.0.x. ([57]Bug 12337)
  • Malformed Packet: RTP. ([58]Bug 12339)
  • Incorrect error on MPA pdu length on iWARP packets. ([59]Bug 12348)
  • Endpoints window doesn't show name resolution. ([60]Bug 12353)
  • Updated Protocol Support: 6LoWPAN, ACAP, Asterix, BGP, DMP, DNS, DTLS, EAP, FMTP, GPRS LLC, GSM A, GSM A GM, GSM CBCH, GSM MAP, GTPv2, HTTP, IAX2, IEEE 802.11, iWARP MPA, MS-WSP, MySQL, NCP, NFS, PKTC, QUIC, R3, RTP, SMB, SPRT, TCP, ZEP, ZigBee, ZigBee NWK, ZigBee ZCL SE, and ZVT
  • New and Updated Capture File Support:
  • and Gammu DCT3

New in WireShark 2.0.2 (Feb 26, 2016)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • [1]wnpa-sec-2016-01 DLL hijacking vulnerability. [2]CVE-2016-2521
  • [3]wnpa-sec-2016-02 ASN.1 BER dissector crash. ([4]Bug 11828) [5]CVE-2016-2522
  • [6]wnpa-sec-2016-03 DNP dissector infinite loop. ([7]Bug 11938) [8]CVE-2016-2523
  • [9]wnpa-sec-2016-04 X.509AF dissector crash. ([10]Bug 12002) [11]CVE-2016-2524
  • [12]wnpa-sec-2016-05 HTTP/2 dissector crash. ([13]Bug 12077) [14]CVE-2016-2525
  • [15]wnpa-sec-2016-06 HiQnet dissector crash. ([16]Bug 11983) [17]CVE-2016-2526
  • [18]wnpa-sec-2016-07 3GPP TS 32.423 Trace file parser crash. ([19]Bug 11982) [20]CVE-2016-2527
  • [21]wnpa-sec-2016-08 LBMC dissector crash. ([22]Bug 11984) [23]CVE-2016-2528
  • [24]wnpa-sec-2016-09 iSeries file parser crash. ([25]Bug 11985) [26]CVE-2016-2529
  • [27]wnpa-sec-2016-10 RSL dissector crash. ([28]Bug 11829) [29]CVE-2016-2530 [30]CVE-2016-2531
  • [31]wnpa-sec-2016-11 LLRP dissector crash. ([32]Bug 12048) [33]CVE-2016-2532
  • [34]wnpa-sec-2016-12 Ixia IxVeriWave file parser crash. ([35]Bug 11795)
  • [36]wnpa-sec-2016-13 IEEE 802.11 dissector crash. ([37]Bug 11818)
  • [38]wnpa-sec-2016-14 GSM A-bis OML dissector crash. ([39]Bug 11825)
  • [40]wnpa-sec-2016-15 ASN.1 BER dissector crash. ([41]Bug 12106)
  • [42]wnpa-sec-2016-16 SPICE dissector large loop. ([43]Bug 12151)
  • [44]wnpa-sec-2016-17 NFS dissector crash.
  • [45]wnpa-sec-2016-18 ASN.1 BER dissector crash. ([46]Bug 11822)
  • The following bugs have been fixed:
  • HTTP 302 decoded as TCP when "Allow subdissector to reassemble TCP streams" option is enabled. ([47]Bug 9848)
  • Questionable calling of ethernet dissector by encapsulating protocol dissectors. ([48]Bug 9933)
  • [Qt & Legacy & probably TShark too] Delta Time Conversation column is empty. ([49]Bug 11559)
  • extcap: abort when validating capture filter for DLT 147. ([50]Bug 11656)
  • Missing columns in Qt Flow Graph. ([51]Bug 11710)
  • Interface list doesn't show well when the list is very long. ([52]Bug 11733)
  • Unable to use saved Capture Filters in Qt UI. ([53]Bug 11836)
  • extcap: Capture interface options snaplen, buffer and promiscuous not being used. ([54]Bug 11865)
  • Improper RPC reassembly ([55]Bug 11913)
  • GTPv1 Dual Stack with one static and one Dynamic IP. ([56]Bug 11945)
  • Wireshark 2.0.1 MPLS dissector not decoding payload when control word is present in pseudowire. ([57]Bug 11949)
  • "...using this filter" turns white (not green or red). Plus dropdown arrow does nothing. ([58]Bug 11950)
  • EIGRP field eigrp.ipv4.destination does not show the correct destination. ([59]Bug 11953)
  • tshark -z conv,type[,filter] swapped frame / byte values from / to columns. ([60]Bug 11959)
  • The field name nstrace.tcpdbg.tcpack should be nstrace.tcpdbg.tcprtt. ([61]Bug 11964)
  • 6LoWPAN IPHC traffic class not decompressed correctly. ([62]Bug 11971)
  • Crash with snooping NFS file handles. ([63]Bug 11972)
  • 802.11 dissector fails to decrypt some broadcast messages. ([64]Bug 11973)
  • Wireshark hangs when adding a new profile. ([65]Bug 11979)
  • Issues when closing the application with a running capture without packets. ([66]Bug 11981)
  • New Qt UI lacks ability to step through multiple TCP streams with Analyze > Follow > TCP Stream. ([67]Bug 11987)
  • GTK: plugin_if_goto_frame causes Access Violation if called before capture file is loaded. ([68]Bug 11989)
  • Wireshark 2.0.1 crash on start. ([69]Bug 11992)
  • Wi-Fi 4-way handshake 4/4 is displayed as 2/4. ([70]Bug 11994)
  • ACN: acn.dmx.data has incorrect type. ([71]Bug 11999)
  • editcap packet comment won't add multiple comments. ([72]Bug 12007)
  • DICOM Sequences no longer able to be expanded. ([73]Bug 12011)
  • Wrong TCP stream when port numbers are reused. ([74]Bug 12022)
  • SSL decryption fails in presence of a Client certificate. ([75]Bug 12042)
  • LUA: TVBs backing a data source is freed too early. ([76]Bug 12050)
  • PIM: pim.group filter have the same name for IPv4 and IPv6. ([77]Bug 12061)
  • Failed to parse M3AP IE (TNL information). ([78]Bug 12070)
  • Wrong interpretation of Instance ID value in OSPFv3 packet. ([79]Bug 12072)
  • MP2T Dissector does parse RTP properly in 2.0.1. ([80]Bug 12099)
  • editcap does not adjust time for frames with absolute timestamp 0 < t < 1 secs. ([81]Bug 12116)
  • Guard Interval is not consistent between Radiotap & wlan_radio. ([82]Bug 12123)
  • Calling dumpcap -i- results in access violation. ([83]Bug 12143)
  • Qt: Friendly Name and Interface Name columns should not be editable. ([84]Bug 12146)
  • PPTP GRE call ID not always decoded. ([85]Bug 12149)
  • Interface list does not show device description anymore. ([86]Bug 12156)
  • Find Packet does not highlight the matching tree item or packet bytes. ([87]Bug 12157)
  • "total block length ... is too large" error when opening pcapng file with multiple SHB sections. ([88]Bug 12167)
  • http.request.full_uri is malformed if an HTTP Proxy is used. ([89]Bug 12176)
  • SNMP dissector fails at msgSecurityParameters with long length encoding. ([90]Bug 12181)
  • Windows installers and PortableApps® packages are now dual signed using SHA-1 and SHA-256 in order to comply with [91]Microsoft Authenticode policy. Windows 7 and Windows Server 2008 R2 users should ensure that [92]update 3123479 is installed. Windows Vista and Windows Server 2008 users should ensure that [93]hotfix 2763674 is installed.
  • Updated Protocol Support:
  • 6LoWPAN, ACN, ASN.1 BER, BATADV, DICOM, DNP3, DOCSIS INT-RNG-REQ, E100, EIGRP, GSM A DTAP, GSM SMS, GTP, HiQnet, HTTP, HTTP/2, IEEE 802.11, IKEv2, InfiniBand, IPv4, IPv6, LBMC, LLRP, M3AP, MAC LTE, MP2T, MPLS, NFS, NS Trace, OSPF, PIM, PPTP, RLC LTE, RoHC, RPC, RSL, SNMP, SPICE, SSL, TCP, TRILL, VXLAN, WaveAgent, and X.509AF
  • New and Updated Capture File Support:
  • 3GPP TS 32.423 Trace, iSeries, Ixia IxVeriWave, pcap, and pcapng
  • New and Updated Capture Interfaces support:
  • There are no new or updated capture interfaces supported in this release.

New in WireShark 2.0.1 (Dec 29, 2015)

  • The following vulnerabilities have been fixed:
  • [1]wnpa-sec-2015-31 NBAP dissector crashes. ([2]Bug 11602, [3]Bug 11835, [4]Bug 11841)
  • [5]wnpa-sec-2015-37 NLM dissector crash.
  • [6]wnpa-sec-2015-39 BER dissector crash.
  • [7]wnpa-sec-2015-40 Zlib decompression crash. ([8]Bug 11548)
  • [9]wnpa-sec-2015-41 SCTP dissector crash. ([10]Bug 11767)
  • [11]wnpa-sec-2015-42 802.11 decryption crash. ([12]Bug 11790, [13]Bug 11826)
  • [14]wnpa-sec-2015-43 DIAMETER dissector crash. ([15]Bug 11792)
  • [16]wnpa-sec-2015-44 VeriWave file parser crashes. ([17]Bug 11789, [18]Bug 11791)
  • [19]wnpa-sec-2015-45 RSVP dissector crash. ([20]Bug 11793)
  • [21]wnpa-sec-2015-46 ANSI A & GSM A dissector crashes. ([22]Bug 11797)
  • [23]wnpa-sec-2015-47 Ascend file parser crash. ([24]Bug 11794)
  • [25]wnpa-sec-2015-48 NBAP dissector crash. ([26]Bug 11815)
  • [27]wnpa-sec-2015-49 RSL dissector crash. ([28]Bug 11829)
  • [29]wnpa-sec-2015-50 ZigBee ZCL dissector crash. ([30]Bug 11830)
  • [31]wnpa-sec-2015-51 Sniffer file parser crash. ([32]Bug 11827)
  • [33]wnpa-sec-2015-52 NWP dissector crash. ([34]Bug 11726)
  • [35]wnpa-sec-2015-53 BT ATT dissector crash. ([36]Bug 11817)
  • [37]wnpa-sec-2015-54 MP2T file parser crash. ([38]Bug 11820)
  • [39]wnpa-sec-2015-55 MP2T file parser crash. ([40]Bug 11821)
  • [41]wnpa-sec-2015-56 S7COMM dissector crash. ([42]Bug 11823)
  • [43]wnpa-sec-2015-57 IPMI dissector crash. ([44]Bug 11831)
  • [45]wnpa-sec-2015-58 TDS dissector crash. ([46]Bug 11846)
  • [47]wnpa-sec-2015-59 PPI dissector crash. ([48]Bug 11876)
  • [49]wnpa-sec-2015-60 MS-WSP dissector crash. ([50]Bug 11931)
  • The Windows installers are now built using NSIS 2.50 in order to avoid [51]DLL hijacking flaws.
  • The following bugs have been fixed:
  • Zooming out (Ctrl+-) too far crashes Wireshark. ([52]Bug 8854)
  • IPv6 Mobility Header Link-Layer Address Mobility Option is parsed incorrectly. ([53]Bug 10627)
  • About -> Plugins should be a scrollable. ([54]Bug 11427)
  • Profile change leaves prior profile residue. ([55]Bug 11493)
  • Wireshark crashes when using the VoIP player. ([56]Bug 11596)
  • Incorrect presentation of Ascend-Data-Filter (RADIUS attribute 242). ([57]Bug 11630)
  • Not possible to stop a capture with invalid filter. ([58]Bug 11667)
  • "No interface selected" when having a valid capture filter. ([59]Bug 11671)
  • Malformed packet with IPv6 mobility header. ([60]Bug 11728)
  • Wireshark crashes dissecting Profinet NRT (DCE-RPC) packet. ([61]Bug 11730)
  • All fields in the packet detail pane of a "new packet" window are expanded by default. ([62]Bug 11731)
  • Malformed packets with SET_CUR in the USBVIDEO (UVC) decoding. ([63]Bug 11736)
  • Display filters arranges columns incorrectly. ([64]Bug 11737)
  • Scrolling and navigating using the trackpad on Mac OS X could be much better. ([65]Bug 11738)
  • Lua Proto() does not validate arguments. ([66]Bug 11739)
  • Pointers to deallocated memory when redissecting. ([67]Bug 11740)
  • Suggestion for re-phrasing the TCP Window Full message. ([68]Bug 11741)
  • Can't parse MPEG-2 Transport Streams generated by the Logik L26DIGB21 TV. ([69]Bug 11749)
  • Qt UI on Windows crashes when changing to next capture file. ([70]Bug 11756)
  • First displayed frame not updated when changing profile. ([71]Bug 11757)
  • LDAP decode shows invalid number of results for searchResEntry packets. ([72]Bug 11761)
  • Crash when escape to Follow TCP -> Save. ([73]Bug 11763)
  • USBPcap prevents mouse and keyboard from working. ([74]Bug 11766)
  • Y-axis in RTP graph is in microseconds. ([75]Bug 11784)
  • "Delta time displayed" column in Wireshark doesn't work well, but Wireshark-gtk does. ([76]Bug 11786)
  • UDP 12001 SNA Data no longer shown in EBCDIC. ([77]Bug 11787)
  • Wireshark Portable is not starting (no messages at all). ([78]Bug 11800)
  • IPv6 RPL Routing Header with length of 8 bytes still reads an address. ([79]Bug 11803)
  • g_utf8_validate assertion when reassembling GSM SMS messages encoded in UCS2. ([80]Bug 11809)
  • Calling plugin_if_goto_frame when there is no file loaded causes a Protection Exception. ([81]Bug 11810)
  • Qt UI SIGSEGV before main() in initializer for colors_. ([82]Bug 11833)
  • Unable to add a directory to "GeoIP Database Paths". ([83]Bug 11842)
  • C++ Run time error when filtering on Expert limit to display filter. ([84]Bug 11848)
  • Widening the window doesn't correctly widen the rightmost column. ([85]Bug 11849)
  • SSL V2 Client Hello no longer dissected in Wireshark 2.0. ([86]Bug 11851)
  • PacketBB (RFC5444) dissector displays IPv4 addresses incorrectly. ([87]Bug 11852)
  • SMTP over port 587 shows identical content for fields "Username" and "Password" when not decoding base-64-encoded authentication information. ([88]Bug 11853)
  • Converting of EUI64 address to string does not take offset into account. ([89]Bug 11856)
  • CIP segment dissection causes PDML assertion/failure. ([90]Bug 11863)
  • In Import from Hex Dump, an attempt to enter the timestamp format manually crashes the application. ([91]Bug 11873)
  • Follow Stream directional selector not readable. ([92]Bug 11887)
  • Coloring rule custom colors not saved. ([93]Bug 11888)
  • Total number of streams not correct in Follow TCP Stream dialog. ([94]Bug 11889)
  • Command line switch -Y for display filter does not work. ([95]Bug 11891)
  • Creating Debian package doesn't work. ([96]Bug 11893)
  • Visual C++ Runtime Library Error "The application has requested the Runtime to terminate it in an unusual way." when you do not wait until Conversations is completely updated before applying "Limit to display filter". ([97]Bug 11900)
  • dpkg-buildpackage relocation R_X86_64_PC32 against symbol. ([98]Bug 11901)
  • Bits view in Packet Bytes pane is not persistent. ([99]Bug 11903)
  • ICMP Timestamp days, hours, minutes, seconds is incorrect. ([100]Bug 11910)
  • MPEG2TS NULL pkt: AFC: "Should be 0 for NULL packets" wrong. ([101]Bug 11921)
  • Updated Protocol Support:
  • 6LoWPAN, ANSI A, ASN.1 BER, BT ATT, CIP, CLNP, DIAMETER, DNS, ENIP, ERF, GSM A, GSM SMS, HiSLIP, ICMP, IEEE 802.11, IEEE 802.11 Radio, IPMI, IPv4, IPv6, ISUP, L2TP, LDAP, Link (ethertype), MIP6, MP2T, MS-WSP, NBAP, NWP, PacketBB, PPI, QUIC, RADIUS, RSL, RSVP, S7COMM, SCSI, SCTP, SMTP, SSL, TCP, TDS, USB, VRT, and ZigBee ZCL
  • New and Updated Capture File Support:
  • Ascend, ERF, MP2T, Sniffer, and VeriWave
  • New and Updated Capture Interfaces support:
  • There are no new or updated capture interfaces supported in this release.

New in WireShark 2.0.0 (Nov 19, 2015)

  • WHAT'S NEW:
  • Wireshark 2.0 features a completely new user interface which should provide a smoother, faster user experience. The new interface should be familiar to current users of Wireshark but provide a faster workflow for many tasks.
  • The Windows installer provides the option of installing either the new interface (“Wirehsark”) or the old interface (“Wireshark Legacy”). Both are installed by default. Note that the legacy interface will be removed in Wireshark 2.2.
  • The OS X installer only provides the new interface. If you need the old interface you can install it via Homebrew or MacPorts.
  • Wireshark’s Debian- and RPM-based package definitions provide the new interface in the “wireshark-qt” package and the old interface in the “wireshark-gtk” package. It is hoped that downstream distributions will follow this convention.
  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 2.0.0rc3:
  • An RTP player crash has been fixed.
  • Flow graph issues have been fixed. Bug Bug 11710.
  • A Follow Stream dialog crash has been fixed. Bug Bug 11711.
  • An extcap crash has been fixed.
  • A file merge crash has been fixed. Bug Bug 11718.
  • A handle leak crash has been fixed. Bug Bug 11702.
  • Several other crashes and usability issues have been fixed.
  • The following features are new (or have been significantly updated) since version 2.0.0rc2:
  • Column editing now works correctly. Bug Bug 11433.
  • Renaming profiles has been fixed. Bug Bug 11658.
  • “File”→Merge no longer crashes on Windows. Bug Bug 11684.
  • Icons in the main toolbar obey magnification settings on Windows. Bug Bug 11675.
  • The Windows installer does a better job of detecting WinPcap. Bug Bug 10867.
  • The main window no longer appears off-screen on Windows. Bug Bug 11568.
  • The following features are new (or have been significantly updated) since version 2.0.0rc1:
  • For new installations on UN*X, the directory for user preferences is $HOME/.config/wireshark rather than $HOME/.wireshark. If that directory is absent, preferences will still be found and stored under $HOME/.wireshark.
  • Qt port:
  • The SIP Statistics dialog has been added.
  • You can now create filter expressions from the display filter toolbar.
  • Bugs in the UAT preferences dialog has been fixed.
  • Several dissector and Qt UI crash bugs have been fixed.
  • Problems with the OS X application bundle have been fixed.
  • The following features are new (or have been significantly updated) since version 1.99.9:
  • Qt port:
  • The LTE RLC Graph dialog has been added.
  • The LTE MAC Statistics dialog has been added.
  • The LTE RLC Statistics dialog has been added.
  • The IAX2 Analysis dialog has been added.
  • The Conversation Hash Tables dialog has been added.
  • The Dissector Tables dialog has been added.
  • The Supported Protocols dialog has been added.
  • You can now zoom the I/O and TCP Stream graph X and Y axes independently.
  • The RTP Player dialog has been added.
  • Several memory leaks have been fixed.
  • The following features are new (or have been significantly updated) since version 1.99.8:
  • Qt port:
  • The MTP3 statistics and summary dialogs have been added.
  • The WAP-WSP statistics dialog has been added.
  • The UDP multicast statistics dialog has been added.
  • The WLAN statistics dialog has been added.
  • The display filter macros dialog has been added.
  • The capture file properties dialog now includes packet comments.
  • Many more statistics dialogs can be opened from the command line via -z ....
  • Most dialogs now have a cancellable progress bar.
  • Many packet list and packet detail context menus items have been added.
  • Lua plugins can be reloaded from the Analyze menu.
  • Many bug fixes and improvements.
  • The following features are new (or have been significantly updated) since version 1.99.7:
  • Qt port:
  • The Enabled Protocols dialog has been added.
  • Many statistics dialogs have been added, including Service response time, DHCP/BOOTP, and ANSI.
  • The RTP Analysis dialog has been added.
  • Lua dialog support has been added.
  • You can now manually resolve addresses.
  • The Resolved Addresses dialog has been added.
  • The packet list scrollbar now has a minimap.
  • The capture interfaces dialog has been updated.
  • You can now colorize conversations.
  • Welcome screen behavior has been improved.
  • Plugin support has been improved.
  • Many dialogs should now more correctly minimize and maximize.
  • The reload button has been added back to the toolbar.
  • The "Decode As" dialog no longer saves decoding behavior.
  • You can now stop loading large capture files.
  • The Bluetooth HCI Summary has been added.
  • The following features are new (or have been significantly updated) since version 1.99.6:
  • Qt port:
  • The Bluetooth Devices dialog has been added.
  • The wireless toolbar has been added.
  • Opening files via drag and drop is now supported.
  • The Capture Filter and Display Filter dialogs have been added.
  • The Display Filter Expression dialog has been added.
  • Conversation Filter menu items have been added.
  • You can change protocol preferences by right clicking on the packet list and details.
  • The following features are new (or have been significantly updated) since version 1.99.4 and 1.99.5:
  • Qt port:
  • Capture restarts are now supported.
  • Menu items for plugins are now supported.
  • Extcap interfaces are now supported.
  • The Expert Information dialog has been added.
  • Display and capture filter completion is now supported.
  • Many bugs have been fixed.
  • Translations have been updated.
  • The following features are new (or have been significantly updated) since version 1.99.3:
  • Qt port:
  • Several interface bugs have been fixed.
  • Translations have been updated.
  • The following features are new (or have been significantly updated) since version 1.99.2:
  • Qt port:
  • Several bugs have been fixed.
  • You can now open a packet in a new window.
  • The Bluetooth ATT Server Attributes dialog has been added.
  • The Coloring Rules dialog has been added.
  • Many translations have been updated. Chinese, Italian and Polish translations are complete.
  • General user interface and usability improvements.
  • Automatic scrolling during capture now works.
  • The related packet indicator has been updated.
  • The following features are new (or have been significantly updated) since version 1.99.1:
  • Qt port:
  • The welcome screen layout has been updated.
  • The Preferences dialog no longer crashes on Windows.
  • The packet list header menu has been added.
  • Statistics tree plugins are now supported.
  • The window icon is now displayed properly in the Windows taskbar.
  • A packet list an byte view selection bug has been fixed (Bug 10896)
  • The RTP Streams dialog has been added.
  • The Protocol Hierarchy Statistics dialog has been added.
  • The following features are new (or have been significantly updated) since version 1.99.0:
  • Qt port:
  • You can now show and hide toolbars and major widgets using the View menu.
  • You can now set the time display format and precision.
  • The byte view widget is much faster, particularly when selecting large reassembled packets.
  • The byte view is explorable. Hovering over it highlights the corresponding field and shows a description in the status bar.
  • An Italian translation has been added.
  • The Summary dialog has been updated and renamed to Capture File Properties.
  • The VoIP Calls and SIP Flows dialogs have been added.
  • Support for HiDPI / Retina displays has been improved in the official packages.
  • DNS stats: + A new stats tree has been added to the Statistics menu. Now it is possible to collect stats such as qtype/qclass distribution, number of resource record per response section, and stats data (min, max, avg) for values such as query name length or DNS payload.
  • HPFEEDS stats: + A new stats tree has been added to the statistics menu. Now it is possible to collect stats per channel (messages count and payload size), and opcode distribution.
  • HTTP2 stats: + A new stats tree has been added to the statistics menu. Now it is possible to collect stats (type distribution).
  • The following features are new (or have been significantly updated) since version 1.12.0:
  • The I/O Graph in the Gtk+ UI now supports an unlimited number of data points (up from 100k).
  • TShark now resets its state when changing files in ring-buffer mode.
  • Expert Info severities can now be configured.
  • Wireshark now supports external capture interfaces. External capture interfaces can be anything from a tcpdump-over-ssh pipe to a program that captures from proprietary or non-standard hardware. This functionality is not available in the Qt UI yet.
  • Qt port:
  • The Qt UI is now the default (program name is wireshark).
  • A Polish translation has been added.
  • The Interfaces dialog has been added.
  • The interface list is now updated when interfaces appear or disappear.
  • The Conversations and Endpoints dialogs have been added.
  • A Japanese translation has been added.
  • It is now possible to manage remote capture interfaces.
  • Windows: taskbar progress support has been added.
  • Most toolbar actions are in place and work.
  • More command line options are now supported
  • New File Format Decoding Support:
  • Wireshark is able to display the format of some types of files (rather than displaying the contents of those files). This is useful when you’re curious about, or debugging, a file and its format. To open a capture file (such as PCAP) in this mode specify "MIME Files Format" as the file’s format in the Open File dialog.
  • New files that Wireshark can open in this mode include:
  • BTSNOOP, PCAP, and PCAPNG
  • New Protocol Support:
  • Aeron, AllJoyn Reliable Datagram Protocol, Android Debug Bridge, Android Debug Bridge Service, Android Logcat text, Apache Tribes Heartbeat, APT-X Codec, B.A.T.M.A.N. GW, B.A.T.M.A.N. Vis, BGP Monitoring Prototol (BMP), Bluetooth Broadcom HCI, Bluetooth GATT Attributes (many), Bluetooth OBEX Applications (many), BSSAP2, C15 Call History Protocol (C15ch) and others, Celerra VNX, Ceph, Chargen, Classical IP, Concise Binary Object Representation (CBOR) (RFC 7049), Corosync Totem Single Ring Protocol, Corosync Totemnet, Couchbase, CP “Cooper” 2179, CSN.1, dCache, DJI UAV Drone Control Protocol, Dynamic Source Routing (RFC 4728), Elasticsearch, ETSI Card Application Toolkit - Transport Protocol, eXpressive Internet Protocol (XIP), GDB Remote Serial Protocol, Generic Network Virtualization Encapsulation (Geneve), Geospatial and Imagery Access Service (GIAS), Gias Dissector Using GIOP API, GPRS Tunneling Protocol Prim, GVSP GigE Vision ™ Streaming Protocol, H.225 RAS, Harman HiQnet, HCrt, Hotline Command-Response Transaction Protocol, IEEE 802.11 radio information, IP Detail Record (IPDR), IPMI Trace, iSER, KNXnetIP, Link Aggregation Control Protocol, Link Aggregation Marker Protocol, Link Layer Topology Discovery, Link-local Multicast Name Resolution, LISP TCP Control Message, Locator/ID Separation Protocol (Reliable Transport), MACsec Key Agreement - EAPoL-MKA, MCPE (Minecraft Pocket Edition), Message Queuing Telemetry Transport For Sensor Networks (MQTT-SN), Minecraft Pocket Edition, MQ Telemetry Transport Protocol for Sensor Networks, Multicast Domain Name Service (mDNS), Neighborhood Watch Protocol (NWP), Network File System over Remote Direct Memory Access (NFSoRDMA), OAMPDU, OCFS2, OptoMMP, Organization Specific Slow Protocol (OSSP), Packet Cable Lawful Intercept (8 byte CCCID), Packet Cable Lawful Intercept (timestamp), Packet Cable Lawful Intercept (timestamp case ID), PacketCable MTA FQDN, Performance Co-Pilot Proxy, QNEX6 (QNET), RakNet games library, Remote Shared Virtual Disk (RSVD), Riemann, RPC over RDMA (RPCoRDMA), S7 Communication, Secure Socket Tunnel Protocol (SSTP), Shared Memory Communications - RDMA (SMCR), Stateless Transport Tunneling, Sysdig system call events, TCP based Robot Operating System protocol (TCPROS), Thrift, Time Division Multiplexing over Packet Network (TDMoP), Video Services over IP (VSIP), Windows Search Protocol (MS-WSP), XIP Serval, ZigBee ZCL (many), and ZVT Kassenschnittstelle
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • 3GPP TS 32.423 Trace, Android Logcat text files, Colasoft Capsa files, Netscaler 3.5, and Symbian OS BTSNOOP File Format
  • Additionally, Wireshark now supports nanosecond timestamp resolution in PCAP-NG files.
  • New and Updated Capture Interfaces support:
  • Androiddump support now provides interfaces to capture (Logcat, Bluetooth and WiFi) from connected Android devices.
  • Major API Changes:
  • The libwireshark API has undergone some major changes:
  • The emem framework (including all ep_ and se_ memory allocation routines) has been completely removed in favour of wmem which is now fully mature.
  • The (long-since-broken) Python bindings support has been removed. If you want to write dissectors in something other than C, use Lua.
  • Plugins can now create GUI menu items.
  • Heuristic dissectors can now be globally enabled/disabled so heur_dissector_add() has a few more parameters to make that possible
  • proto_tree_add_text has been removed.
  • tvb_length() has been removed in favor of tvb_reported_length() and tvb_captured_length().
  • The API for ONC RPC-based dissectors has changed significantly: the procedure dissectors no longer take an offset, void-argument procedures now need to be declared with a function (use dissect_rpc_void()), and rpc_init_prog() now handles procedure registration too (it takes additional arguments to handle this; rpc_init_proc_table() was removed).

New in WireShark 2.0.0 RC3 (Nov 12, 2015)

  • New (or have been significantly updated):
  • "File->Merge" no longer crashes on Windows. Bug [1]Bug 11684.
  • Icons in the main toolbar obey magnification settings on Windows. Bug [2]Bug 11675.
  • The Windows installer does a better job of detecting WinPcap. Bug [3]Bug 10867.
  • The main window no longer appears off-screen on Windows. Bug [4]Bug 11568.

New in WireShark 2.0.0 RC2 (Oct 31, 2015)

  • Several dissector and Qt UI crash bugs have been fixed.
  • Problems with the Mac OS X application bundle have been fixed.
  • Qt port:
  • The SIP Statistics dialog has been added.
  • You can now create filter expressions from the display filter toolbar.
  • Bugs in the UAT prefererences dialog has been fixed.

New in WireShark 2.0.0 RC1 (Oct 15, 2015)

  • The following features are new (or have been significantly updated) since version 1.99.9:
  • Qt port:
  • The LTE RLC Graph dialog has been added.
  • The LTE MAC Statistics dialog has been added.
  • The LTE RLC Statistics dialog has been added.
  • The IAX2 Analysis dialog has been added.
  • The Conversation Hash Tables dialog has been added.
  • The Dissector Tables dialog has been added.
  • The Supported Protocols dialog has been added.
  • You can now zoom the I/O and TCP Stream graph X and Y axes independently.
  • The RTP Player dialog has been added.
  • Several memory leaks have been fixed.

New in WireShark 1.12.8 (Oct 14, 2015)

  • BUG FIXES:
  • The following vulnerabilities have been fixed:
  • [1]wnpa-sec-2015-30: Pcapng file parser crash. Discovered by Dario Lombardo and Shannon Sabens. ([2]Bug 11455) [3]CVE-2015-7830
  • The following bugs have been fixed:
  • Last Address field for IPv6 RPL routing header is interpreted incorrectly. ([4]Bug 10560)
  • Comparing two capture files crashes Wireshark when navigating the results. ([5]Bug 11098)
  • 802.11 frame is not correctly dissected if it contains HT Control. ([6]Bug 11351)
  • GVCP bit-fields not updated. ([7]Bug 11442)
  • Tshark crash when specifying ssl.keys_list on CLI. ([8]Bug 11443)
  • pcapng: SPB capture length is incorrectly truncated if IDB snaplen = 0. ([9]Bug 11483)
  • pcapng: NRB IPv4 address is endian swapped but shouldn't be. ([10]Bug 11484)
  • pcapng: NRB with options causes file read failure. ([11]Bug 11485)
  • pcapng: ISB without if_drop option is shown as max value. ([12]Bug 11489)
  • UNISTIM dissector - Message length not included in offset for "Select Adjustable Rx Volume". ([13]Bug 11497)

New in WireShark 1.99.9 Dev (Sep 3, 2015)

  • Qt port:
  • The MTP3 statistics and summary dialogs have been added.
  • The WAP-WSP statistics dialog has been added.
  • The UDP multicast statistics dialog has been added.
  • The WLAN statistics dialog has been added.
  • The display filter macros dialog has been added.
  • The capture file properties dialog now includes packet comments.
  • Many more statistics dialogs can be opened from the command line via -z ....
  • Most dialogs now have a cancellable progress bar.
  • Many packet list and packet detail context menus items have been added.
  • Lua plugins can be reloaded from the Analyze menu.
  • Many bug fixes and improvements.

New in WireShark 1.12.7 (Aug 13, 2015)

  • Bug Fixes:
  • The following vulnerabilities have been fixed.
  • [1]wnpa-sec-2015-21 Protocol tree crash. ([2]Bug 11309)
  • [3]wnpa-sec-2015-22 Memory manager crash. ([4]Bug 11373)
  • [5]wnpa-sec-2015-23 Dissector table crash. ([6]Bug 11381)
  • [7]wnpa-sec-2015-24 ZigBee crash. ([8]Bug 11389)
  • [9]wnpa-sec-2015-25 GSM RLC/MAC infinite loop. ([10]Bug 11358)
  • [11]wnpa-sec-2015-26 WaveAgent crash. ([12]Bug 11358)
  • [13]wnpa-sec-2015-27 OpenFlow infinite loop. ([14]Bug 11358)
  • [15]wnpa-sec-2015-28 Ptvcursor crash. ([16]Bug 11358)
  • [17]wnpa-sec-2015-29 WCCP crash. ([18]Bug 11358)
  • The following bugs have been fixed:
  • DCE RPC "Decode As" capability is missing. ([19]Bug 10368)
  • Mergecap turns nanosecond-resolution time stamps into microsecond-resolution time stamps. ([20]Bug 11202)
  • The Aruba ERM Type 1 Dissector inconsistent with Type 0 and Type 3. ([21]Bug 11204)
  • Parse CFM Type Test signal (TST) without CRC. ([22]Bug 11286)
  • Tshark: output format of rpc.xid changed from Hex to Integer. ([23]Bug 11292)
  • Not stop -a filecount . ([24]Bug 11305)
  • lldp.ieee.802_3.mdi_power_class display is wrong. ([25]Bug 11330)
  • Powerlink (EPL) SDO packages interpreted as frame duplication. ([26]Bug 11341)
  • Mysql dissector adds packet content to INFO column without scrubbing it. ([27]Bug 11344)
  • PIM null-register according to rfc4601 is incorrectly parsed. ([28]Bug 11354)
  • Wireshark Lua dissectors: both expand together. ([29]Bug 11356)
  • Link-type not retrieved for rpcap interfaces configured with authentication. ([30]Bug 11366)
  • SSL Decryption (RSA private key with p smaller than q) failing on the Windows 7 buildbot. ([31]Bug 11372)
  • [gtpv2]PCSCF ip in the Protocol configuration of update bearer request is not getting populated. ([32]Bug 11378)
  • wpan.src64 (and dst64) filter always gives "is not a valid EUI64 Address" error. ([33]Bug 11380)
  • Websphere MQ Work Information Header incorrectly showing "Reserved". ([34]Bug 11384)
  • DUP ACK Counter resetting after Window Update. ([35]Bug 11397)
  • CSV values missing when using tshark -2 option. ([36]Bug 11401)
  • Ethernet PAUSE frames are decoded incorrectly as PFC. ([37]Bug 11403)
  • SOCKS decoder giving strange values for seemingly normal SOCKS connection. ([38]Bug 11417)
  • 802.11ad decoding error. ([39]Bug 11419)
  • Updated Protocol Support:
  • Aruba ERM, CFM, EPL, GSM A-bis OML, GSM MAP, GSM RLC/MAC, GTPv2, IEEE
  • 802.11, LLDP, LTE RRC, MAC Control, MQ, MySQL, OpcUa, OpenFlow,
  • Radiotap, SCCP, SOCKS, TCP, WaveAgent, WCCP, and ZigBee

New in WireShark 1.99.8 Dev (Jul 25, 2015)

  • Qt port:
  • The Enabled Protocols dialog has been added.
  • Many statistics dialogs have been added, including Service response time, DHCP/BOOTP, and ANSI.
  • The RTP Analysis dialog has been added.
  • Lua dialog support has been added.
  • You can now manually resolve addresses.
  • The Resolved Addresses dialog has been added.
  • The packet list scrollbar now has a minimap.
  • The capture interfaces dialog has been updated.
  • You can now colorize conversations.
  • Welcome screen behavior has been improved.
  • Plugin support has been improved.
  • Many dialogs should now more correctly minimize and maximize.
  • The reload button has been added back to the toolbar.
  • The "Decode As" dialog no longer saves decoding behavior.
  • You can now stop loading large capture files.
  • The Bluetooth HCI Summary has been added.

New in WireShark 1.99.7 Dev (Jun 19, 2015)

  • NEW AND UPDATED FEATURES:
  • Qt port:
  • The Bluetooth Devices dialog has been added.
  • The wireless toolbar has been added.
  • Opening files via drag and drop is now supported.
  • The Capture Filter and Display Filter dialogs have been added.
  • The Display Filter Expression dialog has been added.
  • Conversation Filter menu items have been added.
  • You can change protocol preferences by right clicking on the packet list and details.
  • NEW PROTOCOL SUPPORT:
  • (LISP) TCP Control Message, Aeron, AllJoyn Reliable Datagram Protocol, Android ADB, Android Logcat text, Apache Tribes Heartbeat, BGP Monitoring Prototol (BMP), C15 Call History Protocol dissection (C15ch), ceph, corosync/totemnet corosync cluster engine ( lowest levelencryption/decryption protocol), corosync/totemsrp corosync cluster engine ( totem single ring protocol), Couchbase, CP "Cooper" 2179, DJI UAV Drone Control Protocol, Dynamic Source Routing (RFC 4728), Elasticsearch, ETSI Card Application Toolkit - Transport Protocol, Generic Network Virtualization Encapsulation (Geneve), Geospatial and Imagery Access Service (GIAS), GVSP GigE Vision (TM) Streaming Protocol, HCrt, HiQnet, IP Detail Record (IPDR), IPMI Trace, iSER, KNXnetIP, MACsec Key Agreement - EAPoL-MKA, MCPE (Minecraft Pocket Edition), Network File System over Remote Direct Memory Access (NFSoRDMA), OCFS2, OptoMMP, Performance Co-Pilot Proxy, QNEX6 (QNET), RakNet games library, Remote Shared Virtual Disk - RSVD, Riemann, S7 Communication, Secure Socket Tunnel Protocol (SSTP), Shared Memory Communications - RDMA, Stateless Transport Tunneling, Thrift, Video Services over IP (VSIP), and ZVT Kassenschnittstelle
  • NEW AND UPDATED CAPTURE FILE SUPPORT:
  • 3GPP Nettrace TS 34 423, Android Logcat text files, Colasoft Capsa files, Netscaler 3.5, and Wireshark now supports nanosecond timestamp resolution in PCAP-NG files.
  • NEW AND UPDATED CAPTURE INTERFACES SUPPORT:
  • and Androiddump - provide interfaces to capture (Logcat and Bluetooth) from connected Android devices
  • MAJOR API CHANGES:
  • The libwireshark API has undergone some major changes:
  • The emem framework (including all ep_ and se_ memory allocation routines) has been completely removed in favour of wmem which is now fully mature.
  • The (long-since-broken) Python bindings support has been removed. If you want to write dissectors in something other than C, use Lua.
  • Plugins can now create GUI menu items.

New in WireShark 1.12.6 (Jun 18, 2015)

  • BUG FIXES:
  • The following vulnerabilities have been fixed.
  • [1]wnpa-sec-2015-19 WCCP dissector crash. ([2]Bug 11153)
  • [3]wnpa-sec-2015-20 GSM DTAP dissector crash. ([4]Bug 11201)
  • The following bugs have been fixed:
  • Wireshark 1.12.1 crashes on startup on Mac OS X 10.10 (Yosemite). ([5]Bug 10640)
  • Wireshark does not display X.400 addresses correctly. ([6]Bug 11210)
  • Reproducible crash in "Edit column details" dialog. ([7]Bug 11245)
  • Subnet name resolution doesn't always work. ([8]Bug 11247)
  • SIP MIME body containing ISUP does not decode properly. ([9]Bug 11249)
  • iSCSI: Read(10): shows incorrect "Data In" & "Response" frame number. ([10]Bug 11250)
  • tshark -z io,stat,1,SUM(ip.len) reports invalid stats, triggers ASAN buffer overrun. ([11]Bug 11262)
  • Port Control Protocol packet dissection decodes R bit incorrectly. ([12]Bug 11278)
  • UPDATED PROTOCOL SUPPORT:
  • GSM DTAP, iSCSI, P1, PCP, SIP, and WCCP

New in WireShark 1.99.6 Dev (May 29, 2015)

  • Qt port:
  • Capture restarts are now supported.
  • Menu items for plugins are now supported.
  • Extcap interfaces are now supported.
  • The Expert Information dialog has been added.
  • Display filter completion is now supported.
  • Several interface bugs have been fixed.
  • Translations have been updated.

New in WireShark 1.12.5 (May 13, 2015)

  • The following vulnerabilities have been fixed:
  • The LBMR dissector could go into an infinite loop. (Bug 11036) CVE-2015-3808 CVE-2015-3809
  • The WebSocket dissector could recurse excessively. (Bug 10989) CVE-2015-3810
  • The WCP dissector could crash while decompressing data. (Bug 10978) CVE-2015-3811
  • The X11 dissector could leak memory. (Bug 11088) CVE-2015-3812
  • The packet reassembly code could leak memory. (Bug 11129) CVE-2015-3813
  • The IEEE 802.11 dissector could go into an infinite loop. (Bug 11110) CVE-2015-3814
  • The Android Logcat file parser could crash. Discovered by Hanno Böck. (Bug 11188) CVE-2015-3815
  • The following bugs have been fixed:
  • Wireshark crashes if "Update list of packets in real time" is disabled and a display filter is applied while capturing. (Bug 6217)
  • EAPOL 4-way handshake information wrong. (Bug 10557)
  • RPC NULL calls incorrectly flagged as malformed. (Bug 10646)
  • Wireshark relative ISN set incorrectly if raw ISN set to 0. (Bug 10713)
  • Buffer overrun in encryption code. (Bug 10849)
  • Crash when use Telephony / Voip calls. (Bug 10885)
  • ICMP Parameter Problem message contains Length of original datagram is treated as the total IPv4 length. (Bug 10991)
  • ICMP Redirect takes 4 bytes for IPv4 payload instead of 8. (Bug 10992)
  • Missing field "tcp.pdu.size" in TCP stack. (Bug 11007)
  • Sierra EM7345 marks MBIM packets as NCM. (Bug 11018)
  • Possible infinite loop DoS in ForCES dissector. (Bug 11037)
  • "Decode As…" crashes when a packet dialog is open. (Bug 11043)
  • Interface Identifier incorrectly represented by Wireshark. (Bug 11053)
  • "Follow UDP Stream" on mpeg packets crashes wireshark v.1.12.4 (works fine on v.1.10.13). (Bug 11055)
  • Annoying popup when trying to capture on bonds. (Bug 11058)
  • Request-response cross-reference in USB URB packets incorrect. (Bug 11072)
  • Right clicking in Expert Infos to create a filter (duplicate IP) results in invalid filters. (Bug 11073)
  • CanOpen dissector fails on frames with RTR and 0 length. (Bug 11083)
  • Typo in secp521r1 curve wrongly identified as sect521r1. (Bug 11106)
  • packet-zbee-zcl.h: IS_ANALOG_SUBTYPE doesn’t filter ENUM. (Bug 11120)
  • Typo: "LTE Positioning Protocol" abbreviated as "LPP", not "LLP". (Bug 11141)
  • Missing Makefile.nmake in ansi1/Kerberos directory. (Bug 11155)
  • Can’t build tshark without the Qt packages installed unless --without-qt is specified. (Bug 11157)
  • Updated Protocol Support:
  • AllJoyn, ASN.1 PER, ATM, CANopen, Diameter, ForCES, GSM RLC/MAC, GSMTAP, ICMP, IEC-60870-5-104, IEEE 802.11, IMF, IP, LBMC, LBMR, LDAP, LPP, MBIM, MEGACO, MP2T, PKCS-1, PPP IPv6CP, RPC, SPNEGO, SRVLOC, SSL, T.38, TCP, USB, WCP, WebSocket, X11, and ZigBee ZCL

New in WireShark 1.99.5 Dev (Mar 20, 2015)

  • NEW AND UPDATED FEATURES:
  • Qt port:
  • Several interface bugs have been fixed.
  • Translations have been updated.
  • NEW PROTOCOL SUPPORT:
  • (LISP) TCP Control Message, AllJoyn Reliable Datagram Protocol, Android ADB, Android Logcat text, BGP Monitoring Prototol (BMP), ceph, corosync/totemnet corosync cluster engine ( lowest levelencryption/decryption protocol), corosync/totemsrp corosync cluster engine ( totem single ring protocol), Couchbase, CP "Cooper" 2179, DJI UAV Drone Control Protocol, Dynamic Source Routing (RFC 4728), Elasticsearch, ETSI Card Application Toolkit - Transport Protocol, Generic Network Virtualization Encapsulation (Geneve), GVSP GigE Vision (TM) Streaming Protocol, HCrt, HiQnet, IPMI Trace, iSER, KNXnetIP, MACsec Key Agreement - EAPoL-MKA, MCPE (Minecraft Pocket Edition), OptoMMP, QNEX6 (QNET), RakNet games library, Remote Shared Virtual Disk - RSVD, Riemann, S7 Communication, Secure Socket Tunnel Protocol (SSTP), Shared Memory Communications - RDMA, Stateless Transport Tunneling, Video Services over IP (VSIP), and ZVT Kassenschnittstelle
  • NEW AND UPDATED CAPTURE FILE SUPPORT:
  • Android Logcat text files, Colasoft Capsa files, and Wireshark now supports nanosecond timestamp resolution in PCAP-NG files.
  • MAJOR API CHANGES:
  • The libwireshark API has undergone some major changes:
  • The emem framework (including all ep_ and se_ memory allocation routines) has been completely removed in favour of wmem which is now fully mature.
  • The (long-since-broken) Python bindings support has been removed. If you want to write dissectors in something other than C, use Lua.

New in WireShark 1.99.3 Dev (Mar 6, 2015)

  • Qt port:
  • Several bugs have been fixed.
  • You can now open a packet in a new window.
  • The Bluetooth ATT Server Attributes dialog has been added.
  • The Coloring Rules dialog has been added.
  • Many translations have been updated. Chinese, Italian and Polish translations are complete.
  • General user interface and usability improvements.
  • Automatic scrolling during capture now works.
  • The related packet indicator has been updated.

New in WireShark 1.12.4 (Mar 5, 2015)

  • The following vulnerabilities have been fixed:
  • The ATN-CPDLC dissector could crash. (Bug 9952) CVE-2015-2187
  • The WCP dissector could crash. (Bug 10844) CVE-2015-2188
  • The pcapng file parser could crash. (Bug 10895) CVE-2015-2189
  • The LLDP dissector could crash. (Bug 10983) CVE-2015-2190
  • The TNEF dissector could go into an infinite loop. (Bug 11023) CVE-2015-2191
  • The SCSI OSD dissector could go into an infinite loop. (Bug 11024) CVE-2015-2192
  • The following bugs have been fixed:
  • RTP player crashes on decode of long call: BadAlloc (insufficient resources for operation). (Bug 2630)
  • "Telephony→SCTP→Analyse This Association" crashes Wireshark on manufactured SCTP packet. (Bug 9849)
  • IPv6 Mobility Header Link Layer Address is parsed incorrectly. (Bug 10006)
  • DNS NXT RR is parsed incorrectly. (Bug 10615)
  • IPv6 AUTH mobility option parses Mobility SPI and Authentication Data incorrectly. (Bug 10626)
  • IPv6 Mobility Header Link-Layer Address Mobility Option is parsed incorrectly. (Bug 10627)
  • HTTP chunked response includes data beyond the chunked response. (Bug 10707)
  • DHCP Option 125 Suboption: (1) option-len always expects 1 but specification allows for more. (Bug 10784)
  • Incorrect decoding of IPv4 Interface/Neighbor Address sub-TLVs in Extended IS Reachability TLV of IS-IS. (Bug 10837)
  • Little-endian OS X Bluetooth PacketLogger files aren’t handled. (Bug 10861)
  • X.509 certificate serial number incorrectly interpreted as negative number. (Bug 10862)
  • Malformed Packet on rsync-version with length 2. (Bug 10863)
  • ZigBee epoch time is incorrectly displayed in OTA cluster. (Bug 10872)
  • BGP EVPN - Route Type 4 - "Invalid length of IP Address" - "Expert Info" shows a false error. (Bug 10873)
  • Bad bytes read for extended rnc id value in GTP dissector. (Bug 10877)
  • "ServiceChangeReasonStr" messages are not shown in txt generated by tshark. (Bug 10879)
  • Clang ASAN : AddressSanitizer: global-buffer-overflow ANSI. (Bug 10897)
  • MEGACO wrong decoding on media port. (Bug 10898)
  • Wrong media format. (Bug 10899)
  • BSSGP Status PDU decoding fault (missing Mandatory element (0x04) BVCI for proper packet). (Bug 10903)
  • DNS LOC Precision missing units. (Bug 10940)
  • Packets on OpenBSD loopback decoded as raw not null. (Bug 10956)
  • Display Filter Macro unable to edit. (Bug 10957)
  • IPv6 Local Mobility Anchor Address mobility option code is treated incorrectly. (Bug 10961)
  • SNTP server list improperly formatted in DHCPv6 packet details. (Bug 10964)
  • Juniper Packet Mirror dissector expects ipv6 flow label = 0. (Bug 10976)
  • NS Trace (NetScaler Trace) file format is not able to export specified packets. (Bug 10998)
  • Updated Protocol Support:
  • ACN, ANSI IS-637-A, AppleMIDI, ATN-CPDLC, BGP, BSSGP, CMIP, DHCP, DHCPv6, DIS, DLM3, DMP, DNS, Extreme Networks, ForCES, FTAM, GMHDR, GSM A BSSMAP, GSM A-bis OML, GSM MAP, GSM RLC MAC, GTP, H.248, H.264, HTTP, IEEE 802.11, IPv6, IS-IS, ISMACryp, J1939, Juniper Jmirror, KDP, L2CAP, LDAP, LLDP, MGCP, MIP6, NBNS, NET/ROM, Netflow, Novell PKIS, PANA, PPPoE, RSL, RSYNC, RTMPT, RTP, SCSI OSD, SDP, SMB Pipe, SMPP, SYNCHROPHASOR, TETRA, TiVoConnect, TNEF, USB HID, V.52, VSS-Monitoring, X.509AF, Zebra, and ZigBee
  • New and Updated Capture File Support:
  • NetScaler, PacketLogger, and Pcapng

New in WireShark 1.99.2 Dev (Feb 5, 2015)

  • THE FOLLOWING FEATURES ARE NEW (OR HAVE BEEN SIGNIFICANTLY UPDATED) SINCE VERSION 1.99.1:
  • Qt port:
  • The welcome screen layout has been updated.
  • The Preferences dialog no longer crashes on Windows.
  • The packet list header menu has been added.
  • Statistics tree plugins are now supported.
  • The window icon is now displayed properly in the Windows taskbar.
  • A packet list an byte view selection bug has been fixed (Bug 10896)
  • The RTP Streams dialog has been added.
  • The Protocol Hierarchy Statistics dialog has been added.
  • THE FOLLOWING FEATURES ARE NEW (OR HAVE BEEN SIGNIFICANTLY UPDATED) SINCE VERSION 1.99.0:
  • Qt port:
  • You can now show and hide toolbars and major widgets using the View menu.
  • You can now set the time display format and precision.
  • The byte view widget is much faster, particularly when selecting large reassembled packets.
  • The byte view is explorable. Hovering over it highlights the corresponding field and shows a description in the status bar.
  • An Italian translation has been added.
  • The Summary dialog has been updated and renamed to Capture File Properties.
  • The VoIP Calls and SIP Flows dialogs have been added.
  • THE FOLLOWING FEATURES ARE NEW (OR HAVE BEEN SIGNIFICANTLY UPDATED) SINCE VERSION 1.12.0:
  • The I/O Graph in the Gtk+ UI now supports an unlimited number of data points (up from 100k).
  • TShark now resets its state when changing files in ring-buffer mode.
  • Expert Info severities can now be configured.
  • Wireshark now supports external capture interfaces. External capture interfaces can be anything from a tcpdump-over-ssh pipe to a program that captures from proprietary or non-standard hardware. This functionality is not available in the Qt UI yet.
  • Qt port:
  • The Qt UI is now the default (program name is wireshark).
  • A Polish translation has been added.
  • The Interfaces dialog has been added.
  • The interface list is now updated when interfaces appear or disappear.
  • The Conversations and Endpoints dialogs have been added.
  • A Japanese translation has been added.
  • It is now possible to manage remote capture interfaces.
  • Windows: taskbar progress support has been added.
  • Most toolbar actions are in place and work.
  • More command line options are now supported

New in WireShark 1.12.3 (Feb 5, 2015)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2015-01: The WCCP dissector could crash. (Bug 10720, Bug 10806) CVE-2015-0559, CVE-2015-0560
  • wnpa-sec-2015-02: The LPP dissector could crash. (Bug 10773) CVE-2015-0561
  • wnpa-sec-2015-03: The DEC DNA Routing Protocol dissector could crash. (Bug 10724) CVE-2015-0562
  • wnpa-sec-2015-04: The SMTP dissector could crash. (Bug 10823) CVE-2015-0563
  • wnpa-sec-2015-05: Wireshark could crash while decypting TLS/SSL sessions. Discovered by Noam Rathaus. CVE-2015-0564
  • The following bugs have been fixed:
  • WebSocket dissector: empty payload causes DISSECTOR_ASSERT_NOT_REACHED. (Bug 9332)
  • Wireshark crashes if Lua heuristic dissector returns true. (Bug 10233)
  • Display MEP ID in decimal in OAM Y.1731 Synthetic Loss Message and Reply PDU. (Bug 10500)
  • TCP Window Size incorrectly reported in Packet List. (Bug 10514)
  • Status bar "creeps" to the left a few pixels every time Wireshark is opened. (Bug 10518)
  • E-LMI Message type. (Bug 10531)
  • SMTP decoder can dump binary data to terminal in TShark. (Bug 10536)
  • PTPoE dissector gets confused by packets that include an FCS. (Bug 10611)
  • IPv6 Vendor Specific Mobility Option includes the next mobility option type. (Bug 10618)
  • Save PCAP to PCAPng with commentary fails. (Bug 10656)
  • Display filter "frame contains bytes [2342]" causes a crash. (Bug 10690)
  • Multipath TCP: checksum displayed when it’s not there. (Bug 10692)
  • LTE APN-AMBR is decoded incorrectly. (Bug 10699)
  • DNS NAPTR RR Replacement Length is incorrect. (Bug 10700)
  • IPv6 Experimental mobility header data is interpreted as options. (Bug 10703)
  • Dissector bug, protocol SPDY: tvbuff.c:610: failed assertion "tvb && tvb→initialized". (Bug 10704)
  • BGP: Incorrect decoding AS numbers when mixed AS size. (Bug 10742)
  • BGP update community - incorrect decoding. (Bug 10746)
  • Setting a 6LoWPAN context generates a Wireshark crash. (Bug 10747)
  • FC is not dissected (protocol UNKNOWN). (Bug 10751)
  • Crash when displaying several times INFO column. (Bug 10755)
  • Decoding of longitude value in LCSAP (3GPP TS 29.171) is incorrect. (Bug 10767)
  • Crash when enabling FCoIB manual settings without filling address field. (Bug 10796)
  • RSVP RECORD_ROUTE IPv4 Subobject Flags field incorrect decoding. (Bug 10799)
  • Wireshark Lua engine can’t access protocol field type. (Bug 10801)
  • Field Analysis of OpenFlow v1.4 OFPT_SET_ASYNC. (Bug 10808)
  • Lua: getting fieldinfo.value for FT_NONE causes assert. (Bug 10815)
  • Updated Protocol Support:
  • 6LoWPAN, ADwin, AllJoyn, Art-Net, Asterix, BGP, Bitcoin, Bluetooth OBEX, Bluetooth SDP, CFM, CIP, DCERPC PN-IO, DCERPC SPOOLSS, DEC DNA, DECT, DHCPv6, DNS, DTN, E-LMI, ENIP, Ethernet, Extreme, FCoIB, Fibre Channel, GED125, GTP, H.248, H.264, HiSLIP, IDRP, IEEE 802.11, IEEE P1722.1, Infiniband, IrDA, iSCSI, ISUP, LBMR, LCSAP, LPP, MAC LTE, MAUSB, MBIM, MIM, MIP, MIPv6, MP2T, MPEG-1, NAS EPS, NAT-PMP, NCP, NXP PN532, OpcUa, OpenFlow, PTP, RDM, RPKI-RTR, RSVP, RTnet, RTSP, SCTP, SMPP, SMTP, SPDY, Spice, TCP, WCCP, Wi-Fi P2P, and WiMAX
  • New and Updated Capture File Support:
  • K12

New in WireShark 1.12.2 (Nov 13, 2014)

  • Bug Fixes:
  • The following vulnerabilities have been fixed.
  • wnpa-sec-2014-20
  • SigComp UDVM buffer overflow. (Bug 10662) CVE-2014-8710
  • wnpa-sec-2014-21
  • AMQP crash. (Bug 10582) CVE-2014-8711
  • wnpa-sec-2014-22
  • NCP crashes. (Bug 10552, Bug 10628) CVE-2014-8712 CVE-2014-8713
  • wnpa-sec-2014-23
  • TN5250 infinite loops. (Bug 10596) CVE-2014-8714
  • The following bugs have been fixed:
  • Wireshark determine packets of MMS protocol as a packets of T.125 protocol. (Bug 10350)
  • 6LoWPAN Mesh headers not treated as encapsulating address. (Bug 10462)
  • UCP dissector bug of operation 31 - PID 0639 not recognized. (Bug 10463)
  • iSCSI dissector rejects PDUs with "expected data transfer length" > 16M. (Bug 10469)
  • GTPv2: trigging_tree under Trace information has wrong length. (Bug 10470)
  • openflow_v1 OFPT_FEATURES_REPLY parsed incorrectly. (Bug 10493)
  • Capture files from a remote virtual interface on MacOS X 10.9.5 aren’t dissected correctly. (Bug 10502)
  • Problem specifying protocol name for filtering. (Bug 10509)
  • LLDP TIA Network Policy Unknown Policy Flag Decode is not correct. (Bug 10512)
  • Decryption of DCERPC with Kerberos encryption fails. (Bug 10538)
  • Dissection of DECRPC NT sid28 shouldn’t show expert info if tree is null. (Bug 10542)
  • Attempt to render an SMS-DELIVER-REPORT instead of an SMS-DELIVER. (Bug 10547)
  • IPv6 Calipso option length is not used properly. (Bug 10561)
  • The SPDY dissector couldn’t dissecting packet correctly. (Bug 10566)
  • IPv6 QuickStart option Nonce is read incorrectly. (Bug 10575)
  • IPv6 Mobility Option IPv6 Address/Prefix marks too many bytes for the address/prefix field. (Bug 10576)
  • IPv6 Mobility Option Binding Authorization Data for FMIPv6 Authenticator field is read beyond the option data. (Bug 10577)
  • IPv6 Mobility Option Mobile Node Link Layer Identifier Link-layer Identifier field is read beyond the option data. (Bug 10578)
  • Wrong offset for hf_mq_id_icf1 in packet-mq.c. (Bug 10597)
  • Malformed PTPoE announce packet. (Bug 10611)
  • IPv6 Permanent Home Keygen Token mobility option includes too many bytes for the token field. (Bug 10619)
  • IPv6 Redirect Mobility Option K and N bits are parsed incorrectly. (Bug 10622)
  • IPv6 Care Of Test mobility option includes too many bytes for the Keygen Token field. (Bug 10624)
  • IPv6 MESG-ID mobility option is parsed incorrectly. (Bug 10625)
  • IPv6 AUTH mobility option parses Mobility SPI and Authentication Data incorrectly. (Bug 10626)
  • IPv6 DNS-UPDATE-TYPE mobility option includes too many bytes for the MD identity field. (Bug 10629)
  • IPv6 Local Mobility Anchor Address mobility option’s code and reserved fields are parsed as 2 bytes instead of 1. (Bug 10630)
  • WCCP v.2.01 extended assignment data element parsed wrong. (Bug 10641)
  • DNS ISDN RR Sub Address field is read one byte early. (Bug 10650)
  • TShark crashes when running with PDML on a specific packet. (Bug 10651)
  • DNS A6 Address Suffix field is parsed incorrectly. (Bug 10652)
  • DNS response time: calculation incorrect. (Bug 10657)
  • SMPP does not display properly the hour field in the Submit_sm Validity Period field. (Bug 10672)
  • DNS Name Length for Zone RR on root is 6 and Label Count is 1. (Bug 10674)
  • DNS WKS RR Protocol field is read as 4 bytes instead of 1. (Bug 10675)
  • IPv6 Mobility Option Context Request reads an extra request. (Bug 10676)
  • Updated Protocol Support:
  • 6LoWPAN, AMQP, ANSI IS-637-A, Bluetooth HCI, CoAP, DCERPC (all), DCERPC NT, DNS, GSM MAP, GTPv2, H.223, HPSW, HTTP2, IEEE 802.11, IPv6, iSCSI, Kerberos, LBT-RM, LLDP, MIH, Mobile IPv6, MQ, NCP, OpcUa, OpenFlow, PKTAP, PTPoE, SigComp, SMB2, SMPP, SPDY, Stanag 4607, T.125, UCP, USB CCID, and WCCP
  • New and Updated Capture File Support:
  • Catapult DCT2000, HP-UX nettl, Ixia IxVeriWave, pcap, pcap-ng, RADCOM, and Sniffer (DOS)

New in WireShark 1.99.0 Dev (Oct 8, 2014)

  • New and Updated Features:
  • The following features are new (or have been significantly
  • updated) since version 1.12.0:
  • The I/O Graph in the Gtk+ UI now supports an unlimited number of data points (up from 100k).
  • TShark now resets its state when changing files in ring-buffer mode.
  • Expert Info severities can now be configured.
  • Wireshark now supports external capture interfaces. External capture interfaces can be anything from a tcpdump-over-ssh pipe to a program that captures from proprietary or non-standard hardware. This functionality is not available in the Qt UI yet.
  • Qt port:
  • The Qt UI is now the default (program name is wireshark).
  • A Polish translation has been added.
  • The Interfaces dialog has been added.
  • The interface list is now updated when interfaces appear or disappear.
  • The Conversations and Endpoints dialogs have been added.
  • A Japanese translation has been added.
  • It is now possible to manage remote capture interfaces.
  • Windows: taskbar progress support has been added.
  • Most toolbar actions are in place and work.
  • More command line options are now supported
  • New Protocol Support:
  • ceph, corosync/totemnet, corosync/totemsrp, CP "Cooper" 2179, Dynamic Source Routing (RFC 4728), Generic Network Virtualization Encapsulation (Geneve), IPMI Trace, iSER, KNXnetIP, OptoMMP, S7 Communication, and Stateless Transport Tunneling
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • Android logcat text files, and Wireshark now supports nanosecond timestamp resolution in PCAP-NG files.
  • Major API Changes:
  • The libwireshark API has undergone some major changes:
  • Many of the ep_ and se_ memory allocation routines have been removed.
  • The (long-since-broken) Python bindings support has been removed. If you want to write dissectors in something other than C, use Lua.

New in WireShark 1.12.1 (Sep 17, 2014)

  • BUG FIXES:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2014-13: MEGACO dissector infinite loop. (Bug 10333) CVE-2014-6423
  • wnpa-sec-2014-14: Netflow dissector crash. (Bug 10370) CVE-2014-6424
  • wnpa-sec-2014-15: CUPS dissector crash. (Bug 10353) CVE-2014-6425
  • wnpa-sec-2014-16: HIP dissector infinite loop. CVE-2014-6426
  • wnpa-sec-2014-17: RTSP dissector crash. (Bug 10381) CVE-2014-6427
  • wnpa-sec-2014-18: SES dissector crash. (Bug 10454) CVE-2014-6428
  • wnpa-sec-2014-19: Sniffer file parser crash. (Bug 10461) CVE-2014-6429 CVE-2014-6430 CVE-2014-6431 CVE-2014-6432
  • The following bugs have been fixed:
  • Wireshark can crash during remote capture (rpcap) configuration. (Bug 3554, Bug 6922, ws-buglink:7021)
  • 802.11 capture does not decrypt/decode DHCP response. (Bug 8734)
  • Extra quotes around date fields (FT_ABSOLUTE_TIME) when using -E quote=d or s. (Bug 10213)
  • No progress line in "VOIP RTP Player". (Bug 10307)
  • MIPv6 Service Selection Identifier parse error. (Bug 10323)
  • Probably wrong length check in proto_item_set_end. (Bug 10329)
  • 802.11 BA sequence number decode is broken. (Bug 10334)
  • wmem_alloc_array() "succeeds" (and clobbers memory) when requested to allocate 0xaaaaaaaa items of size 12. (Bug 10343)
  • Different dissection results for same file. (Bug 10348)
  • Mergecap wildcard breaks in version 1.12.0. (Bug 10354)
  • Diameter TCP reassemble. (Bug 10362)
  • TRILL NLPID 0xc0 unknown to Wireshark. (Bug 10382)
  • BTLE advertising header flags (RxAdd/TxAdd) dissected incorrectly. (Bug 10384)
  • Ethernet OAM (CFM) frames including TLV’s are wrongly decoded as malformed. (Bug 10385)
  • BGP4: Wireshark skipped some potion of AS_PATH. (Bug 10399)
  • MAC address name resolution is broken. (Bug 10344)
  • Wrong decoding of RPKI RTR End of Data PDU. (Bug 10411)
  • SSL/TLS dissector incorrectly interprets length for status_request_v2 hello extension. (Bug 10416)
  • Misparsed NTP control assignments with empty values. (Bug 10417)
  • 6LoWPAN multicast address decompression problems. (Bug 10426)
  • Netflow v9 flowset not decoded if options template has zero-length scope section. (Bug 10432)
  • GUI Hangs when Selecting Path to GeoIP Files. (Bug 10434)
  • AX.25 dissector prints unprintable characters. (Bug 10439)
  • 6LoWPAN context handling not working. (Bug 10443)
  • SIP: When export to a CSV, Info is changed to differ. (Bug 10453)
  • Typo in packet-netflow.c. (Bug 10458)
  • Incorrect MPEG-TS decoding (OPCR field). (Bug 10446)
  • UPDATED PROTOCOL SUPPORT:
  • 6LoWPAN, A21, ACR122, Art-Net, AX.25, BGP, BTLE, CAPWAP, DIAMETER, DICOM, DVB-CI, Ethernet OAM, HIP, HiSLIP, HTTP2, IEEE 802.11, MAUSB, MEGACO, MIPv6, MP2T, Netflow, NTP, openSAFETY, OSI, RDM, RPKI RTR, RTSP, SES, SIP, TLS, and Token Ring MAC
  • NEW AND UPDATED CAPTURE FILE SUPPORT:
  • DOS Sniffer and NetScaler

New in WireShark 1.12.0 (Aug 1, 2014)

  • BUG FIXES:
  • "On-the-wire" packet lengths are limited to 65535 bytes. (Bug 8808, Bug 9390)
  • "Follow TCP Stream" shows only the first HTTP request and response. (Bug 9044)
  • Files with pcap-ng Simple Packet Blocks can’t be read. (Bug 9200)
  • MPLS-over-PPP isn’t recognized. (Bug 9492)
  • NEW AND UPDATED FEATURES:
  • Expert information is now filterable when the new API is in use.
  • The "Number" column shows related packets and protocol conversation spans (Qt only).
  • When manipulating packets with editcap using the -C and/or -s options, it is now possible to also adjust the original frame length using the -L option.
  • You can now pass the -C option to editcap multiple times, which allows you to chop bytes from the beginning of a packet as well as at the end of a packet in a single step.
  • You can now specify an optional offset to the -C option for editcap, which allows you to start chopping from that offset instead of from the absolute packet beginning or end.
  • "malformed" display filter has been renamed to "_ws.malformed". A handful of other filters have been given the "_ws." prefix to note they are Wireshark application specific filters and not dissector filters.
  • The Kerberos dissector has been replaced with an auto generated one from ASN1 protocol description, changing a lot of filter names.
  • Additionally the Windows installers have an extra component: a preview of the upcoming user interface for Wireshark 2.0.
  • The following features are new (or have been significantly updated) since version 1.11.3:
  • Transport name resolution is now disabled by default.
  • Support has been added for all versions of the DCBx protocol.
  • Cleanup of LLDP code, all dissected fields are now navigable.
  • The following features are new (or have been significantly updated) since version 1.11.2:
  • Qt port:
  • The About dialog has been added
  • The Capture Interfaces dialog has been added.
  • The Decode As dialog has been added. It managed to swallow up the User Specified Decodes dialog as well.
  • The Export PDU dialog has been added.
  • Several SCTP dialogs have been added.
  • The statistics tree (the backend for many Statistics and Telephony menu items) dialog has been added.
  • The I/O Graph dialog has been added.
  • French translation has updated.
  • The following features are new (or have been significantly updated) since version 1.11.1:
  • Mac OS X packaging has been improved.
  • The following features are new (or have been significantly updated) since version 1.11.0:
  • Dissector output may be encoded as UTF-8. This includes TShark output.
  • Qt port:
  • The Follow Stream dialog now supports packet and TCP stream selection.
  • A Flow Graph (sequence diagram) dialog has been added.
  • The main window now respects geometry preferences.
  • REMOVED DISSECTORS:
  • The ASN1 plugin has been removed as it’s deemed obsolete.
  • The GNM dissector has been removed as it was never used.
  • The Kerberos hand made dissector has been replaced by one generated from ASN1 code.
  • PLATFORM SUPPORT:
  • U3 packages are no longer supported or provided.
  • This is the last major release that will support 32-bit versions of Mac OS X.
  • NEW PROTOCOL SUPPORT:
  • 29West, 802.1AE Secure tag, A21, ACR122, ADB Client-Server, AllJoyn, Apple PKTAP, Aruba Instant AP, ASTERIX, ATN, Bencode, Bluetooth 3DS, Bluetooth HSP, Bluetooth Linux Monitor Transport, Bluetooth Low Energy, Bluetooth Low Energy RF Info, CARP, CFDP, Cisco MetaData, DCE/RPC MDSSVC, DeviceNet, ELF file format, Ethernet Local Management Interface (E-LMI), Ethernet Passive Optical Network (EPON), EXPORTED PDU, FINGER, HDMI, High-Speed LAN Instrument Protocol (HiSLIP), HTTP2, IDRP, IEEE 1722a, ILP, iWARP Direct Data Placement and Remote Direct Memory Access Protocol, Kafka, Kyoto Tycoon, Landis & Gyr Telegyr 8979, LBM, LBMC, LBMPDM, LBMPDM-TCP, LBMR, LBT-RM, LBT-RU, LBT-TCP, Lightweight Mesh (v1.1.1), Link16, Linux netlink, Linux netlink netfilter, Linux netlink sock diag, Linux rtnetlink (route netlink), Logcat, MBIM, Media Agnostic USB (MA USB), MiNT, MP4 / ISOBMFF file format, MQ Telemetry Transport Protocol, MS NLB (Rewrite), Novell PKIS certificate extensions, NXP PN532 HCI, Open Sound Control, OpenFlow, Pathport, PDC, Picture Transfer Protocol Over IP, PKTAP, Private Data Channel, QUIC (Quick UDP Internet Connections), SAE J1939, SEL RTAC (Real Time Automation Controller) EIA-232 Serial-Line Dissection, Sippy RTPproxy, SMB-Direct, SPDY, STANAG 4607, STANAG 5066 DTS, STANAG 5066 SIS, Tinkerforge, Ubertooth, UDT, URL Encoded Form Data, USB Communications and CDC Control, USB Device Firmware Upgrade, VP8, WHOIS, Wi-Fi Display, and ZigBee Green Power profile
  • NEW AND UPDATED CAPTURE FILE SUPPORT:
  • Netscaler 2.6, STANAG 4607, and STANAG 5066 Data Transfer Sublayer
  • MAJOR API CHANGES:
  • A more flexible, modular memory manager (wmem) has been added. It was available experimentally in 1.10 but is now mature and has mostly replaced the old emem API (which is deprecated).
  • A new API for expert information has been added, replacing the old one.
  • The tvbuff API has been cleaned up: tvb_length has been renamed to tvb_captured_length for clarity, and tvb_get_string and tvb_get_stringz have been deprecated in favour of tvb_get_string_enc and tvb_get_stringz_enc.
  • dissector_try_heuristic() signature has been changed to return heur_dtbl_entry_t to make it possible to save it and use it in subsequent calls to avoid the overhead of going trough the heuristics list.

New in WireShark 1.12.0 RC2 (Jun 14, 2014)

  • The following bugs have been fixed:
  • "On-the-wire" packet lengths are limited to 65535 bytes.
  • "Follow TCP Stream" shows only the first HTTP req+res.
  • Files with pcap-ng Simple Packet Blocks can't be read.
  • MPLS-over-PPP isn't recognized. ([4]Bug 9492)
  • The following features are new (or have been significantly updated) since version 1.11.3:
  • Transport name resolution is now disabled by default.
  • Support has been added for all versions of the DCBx protocol.
  • Cleanup of LLDP code, all dissected fields are now navigable.
  • The following features are new (or have been significantly updated) since version 1.11.2:
  • Qt port
  • The About dialog has been added
  • The Capture Interfaces dialog has been added
  • The Decode As dialog has been added. It managed to
  • swallow up the User Specified Decodes dialog as well
  • The Export PDU dialog has been added
  • Several SCTP dialogs have been added
  • The statistics tree (the backend for many Statistics
  • and Telephony menu items) dialog has been added
  • The I/O Graph dialog has been added
  • French translation has updated
  • The following features are new (or have been significantly updated) since version 1.11.1:
  • Mac OS X packaging has been improved
  • The following features are new (or have been significantly updated) since version 1.11.0:
  • Dissector output may be encoded as UTF-8. This includes TShark output.
  • Qt port:
  • The Follow Stream dialog now supports packet and TCP stream selection.
  • A Flow Graph (sequence diagram) dialog has been added.
  • The main window now respects geometry preferences.
  • The following features are new (or have been significantly updated) since version 1.10:
  • Wireshark now uses the Qt application framework. The new UI should provide a significantly better user experience, particularly on Mac OS X and Windows.
  • The Windows installer now uninstalls the previous version of Wireshark silently. You can still run the uninstaller manually beforehand if you wish to run it interactively.
  • Expert information is now filterable when the new API is in use.
  • The "Number" column shows related packets and protocol conversation spans (Qt only).
  • When manipulating packets with editcap using the -C choplen> and/or -s options, it is now possible to also adjust the original frame length using the -L option.
  • You can now pass the -C option to editcap multiple times, which allows you to chop bytes from the beginning of a packet as well as at the end of a packet in a single step.
  • You can now specify an optional offset to the -C option for editcap, which allows you to start chopping from that offset instead of from the absolute packet beginning or end.
  • "malformed" display filter has been renamed to "_ws.malformed". A handful of other filters have been given the "_ws." prefix to note they are Wireshark application specific filters and not dissector filters.
  • The Kerberos dissector has been replaced with an auto generated one from ASN1 protocol description, changing a lot of filter names.
  • Removed Dissectors:
  • The ASN1 plugin has been removed as it's deemed obsolete.
  • The GNM dissector has been removed as it was never used.
  • The Kerberos hand made dissector has been replaced by one generated from ASN1 code.
  • Platform Support:
  • Support for Windows XP has been deprecated. We will make an effort to support it for as long as possible but our ability to do so depends on upstream packages and other factors beyond our control.
  • U3 packages are no longer supported or provided.
  • This is the last major release that will support 32-bit versions of Mac OS X.
  • New Protocol Support
  • 29West, 802.1AE Secure tag, A21, ACR122, ADB Client-Server, AllJoyn, Apple PKTAP, Aruba Instant AP, ASTERIX, ATN, Bencode, Bluetooth 3DS, Bluetooth HSP, Bluetooth Linux Monitor Transport, Bluetooth Low Energy, Bluetooth Low Energy RF Info, CARP, CFDP, Cisco MetaData, DCE/RPC MDSSVC, DeviceNet, ELF file format, Ethernet Local Management Interface (E-LMI), Ethernet Passive Optical Network (EPON), EXPORTED PDU, FINGER, HDMI, High-Speed LAN Instrument Protocol (HiSLIP), HTTP2, IDRP, IEEE 1722a, ILP, iWARP Direct Data Placement and Remote Direct Memory Access Protocol, Kafka, Kyoto Tycoon, Landis & Gyr Telegyr 8979, LBM, LBMC, LBMPDM, LBMPDM-TCP, LBMR, LBT-RM, LBT-RU, LBT-TCP, Lightweight Mesh (v1.1.1), Link16, Linux netlink, Linux netlink netfilter, Linux netlink sock diag, Linux rtnetlink (route netlink), Logcat, MBIM, Media Agnostic USB (MA USB), MiNT, MP4 / ISOBMFF file format, MQ Telemetry Transport Protocol, MS NLB (Rewrite), Novell PKIS certificate extensions, NXP PN532 HCI, Open Sound Control, OpenFlow, Pathport, PDC, Picture Transfer Protocol Over IP, PKTAP, Private Data Channel, QUIC (Quick UDP Internet Connections), SAE J1939, SEL RTAC (Real Time Automation Controller) EIA-232 Serial-Line Dissection, Sippy RTPproxy, SMB-Direct, SPDY, STANAG 4607, STANAG 5066 DTS, STANAG 5066 SIS, Tinkerforge, Ubertooth, UDT, URL Encoded Form Data, USB Communications and CDC Control, USB Device Firmware Upgrade, VP8, WHOIS, Wi-Fi Display, and ZigBee Green Power profile
  • New and Updated Capture File Support: Netscaler 2.6, STANAG 4607, and STANAG 5066 Data Transfer Sublayer
  • Major API Changes:
  • The libwireshark API has undergone some major changes: A more flexible, modular memory manager (wmem) has been added. It was available experimentally in 1.10 but is now mature and has mostly replaced the old emem API (which is deprecated).
  • A new API for expert information has been added, replacing the old one.
  • The tvbuff API has been cleaned up: tvb_length has been renamed to tvb_captured_length for clarity, and tvb_get_string and tvb_get_stringz have been deprecated in favour of tvb_get_string_enc and tvb_get_stringz_enc.
  • dissector_try_heuristic() signature has been changed to return heur_dtbl_entry_t to make it possible to save it and use it in subsequent calls to avoid the overhead of going trough the heuristics list.

New in WireShark 1.10.8 (Jun 13, 2014)

  • Bug Fixes:
  • wnpa-sec-2014-07: The frame metadissector could crash. (Bug 9999, Bug 10030) (versions affected: 1.10.0 to 1.10.7). CVE-2014-4020
  • The following bugs have been fixed:
  • VoIP flow graph crash upon opening. (Bug 9179)
  • Tshark with "-F pcap" still generates a pcapng file. (Bug 9991)
  • IPv6 Next Header 0x3d recognized as SHIM6. (Bug 9995)
  • Failed to export pdml on large pcap. (Bug 10081)
  • TCAP: set a fence on info column after calling sub dissector (Bug 10091)
  • Dissector bug in JSON protocol. (Bug 10115)
  • GSM RLC MAC: do not skip too many lines of the CSN_DESCR when the field is missing (Bug 10120)
  • Wireshark PEEKREMOTE incorrectly decoding QoS data packets from Cisco Sniffer APs. (Bug 10139)
  • IEEE 802.11: fix dissection of HT Capabilities (Bug 10166)
  • Updated Protocol Support:
  • CIP, EtherNet/IP, GSM RLC MAC, IEEE 802.11, IPv6, and TCAP
  • New and Updated Capture File Support:
  • pcap-ng, and PEEKREMOTE

New in WireShark 1.10.7 (Apr 23, 2014)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2014-06: The RTP dissector could crash. (Bug 9885). Versions affected: 1.10.0 to 1.10.6. CVE-2014-2907
  • The following bugs have been fixed:
  • RTP not decoded inside the conversation in v.1.10.1 (Bug 9021)
  • SIP/SDP: disabled second media stream disables all media streams (Bug 9835)
  • Lua: trying to get/access a Preference before its registered causes a segfault (Bug 9853)
  • Some value_string strings contain newlines. (Bug 9878)
  • Tighten the NO_MORE_DATA_CHECK macros (Bug 9932)
  • Fix crash when calling "MAP Summary" dialog when no file is open (Bug 9934)
  • Fix comparing a sequence number of TCP fragment when its value wraps over uint32_t limit (Bug 9936)
  • Updated Protocol Support:
  • ANSI A, DVB-CI, GSM DTAP, GSM MAP, IEEE 802.11, LCSAP, LTE RRC, MAC LTE, Prism, RTP, SDP, SIP, and TCP

New in WireShark 1.11.3 Dev (Apr 16, 2014)

  • BUG FIX:
  • MPLS-over-PPP isn’t recognized. (Bug 9492)
  • NEW AND UPDATED FEATURES:
  • The following features are new (or have been significantly updated) since version 1.11.2:
  • Qt port:
  • The About dialog has been added
  • The Capture Interfaces dialog has been added.
  • The Decode As dialog has been added. It managed to swallow up the User Specified Decodes dialog as well.
  • The Export PDU dialog has been added.
  • Several SCTP dialogs have been added.
  • The statistics tree (the backend for many Statistics and Telephony menu items) dialog has been added.
  • The I/O Graph dialog has been added.
  • French translation has updated.
  • REMOVED DISSECTORS:
  • The ASN1 plugin has been removed as it’s deemed obsolete.
  • The GNM dissector has been removed as it was never used.
  • NEW PROTOCOL SUPPORT:
  • 29West, 802.1AE Secure tag, ACR122, ADB Client-Server, AllJoyn, Apple PKTAP, Aruba Instant AP, ASTERIX, ATN, Bencode, Bluetooth 3DS, Bluetooth HSP, Bluetooth Linux Monitor Transport, Bluetooth Low Energy, Bluetooth Low Energy RF Info, CARP, CFDP, Cisco MetaData, DCE/RPC MDSSVC, DeviceNet, ELF file format, EXPORTED PDU, FINGER, HDMI, HTTP2, IDRP, IEEE 1722a, ILP, iWARP Direct Data Placement and Remote Direct Memory Access Protocol, Kafka, Kyoto Tycoon, Landis & Gyr Telegyr 8979, LBM, LBMC, LBMPDM, LBMPDM-TCP, LBMR, LBT-RM, LBT-RU, LBT-TCP, Lightweight Mesh (v1.1.1), Linux netlink, Linux netlink netfilter, Linux netlink sock diag, Linux rtnetlink (route netlink), Logcat, MBIM, MiNT, MP4 / ISOBMFF file format, MQ Telemetry Transport Protocol, Novell PKIS certificate extensions, NXP PN532 HCI, Open Sound Control, OpenFlow, Pathport, PDC, Picture Transfer Protocol Over IP, PKTAP, Private Data Channel, QUIC (Quick UDP Internet Connections), SAE J1939, SEL RTAC (Real Time Automation Controller) EIA-232 Serial-Line Dissection, Sippy RTPproxy, SMB-Direct, STANAG 4607, STANAG 5066 DTS, STANAG 5066 SIS, Tinkerforge, Ubertooth, UDT, URL Encoded Form Data, USB Communications and CDC Control, USB Device Firmware Upgrade, VP8, WHOIS, Wi-Fi Display, and ZigBee Green Power profile
  • NEW AND UPDATED CAPTURE FILE SUPPORT:
  • Netscaler 2.6, STANAG 4607, and STANAG 5066 Data Transfer Sublayer
  • MAJOR API CHANGES:
  • A more flexible, modular memory manager (wmem) has been added. It was available experimentally in 1.10 but is now mature and has mostly replaced the old emem API (which is deprecated).
  • A new API for expert information has been added, replacing the old one.
  • The tvbuff API has been cleaned up: tvb_length has been renamed to tvb_captured_length for clarity, and tvb_get_string and tvb_get_stringz have been deprecated in favour of tvb_get_string_enc and tvb_get_stringz_enc.

New in WireShark 1.10.6 (Mar 8, 2014)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2014-01:
  • The NFS dissector could crash.
  • Versions affected: 1.10.0 to 1.10.5, 1.8.0 to 1.8.12
  • CVE-2014-2281
  • wnpa-sec-2014-02:
  • The M3UA dissector could crash.
  • Versions affected: 1.10.0 to 1.10.5
  • CVE-2014-2282
  • wnpa-sec-2014-03:
  • The RLC dissector could crash. (Bug 9730)
  • Versions affected: 1.10.0 to 1.10.5, 1.8.0 to 1.8.12
  • CVE-2014-2283
  • wnpa-sec-2014-04:
  • The MPEG file parser could overflow a buffer.
  • Versions affected: 1.10.0 to 1.10.5, 1.8.0 to 1.8.12
  • CVE-2014-2299
  • The following bugs have been fixed:
  • Customized OUI is not recognized correctly during dissection. (Bug 9122)
  • Properly decode CAPWAP Data Keep-Alives. (Bug 9165)
  • Build failure with GTK 3.10 - GTK developers have gone insane. (Bug 9340)
  • SIGSEGV/SIGABRT during free of TvbRange using a chained dissector in lua. (Bug 9483)
  • MPLS dissector no longer registers itself in "ppp.protocol" table. (Bug 9492)
  • Tshark doesn’t display the longer data fields (mbtcp). (Bug 9572)
  • DMX-CHAN disector does not clear strbuf between rows. (Bug 9598)
  • Dissector bug, protocol SDP: proto.c:4214: failed assertion "length >= 0". (Bug 9633)
  • False error: capture file appears to be damaged or corrupt. (Bug 9634)
  • SMPP field source_telematics_id field length different from spec. (Bug 9649)
  • Lua: bitop library is missing in Lua 5.2. (Bug 9720)
  • GTPv1-C / MM Context / Authentication quintuplet / RAND is not correct. (Bug 9722)
  • Lua: ProtoField.new() is buggy. (Bug 9725)
  • Lua: ProtoField.bool() VALUESTRING argument is not optional but was supposed to be. (Bug 9728)
  • Problem with CAPWAP Wireshark Dissector. (Bug 9752)
  • nas-eps dissector: CS Service notification dissection stops after Paging identity IE. (Bug 9789)
  • New and Updated Features:
  • IPv4 checksum verfification is now disabled by default.
  • Updated Protocol Support:
  • AppleTalk, CAPWAP, DMX-CHAN, DSI, DVB-CI, ESS, GTPv1, IEEE 802a, M3UA, Modbus/TCP, NAS-EPS, NFS, OpenSafety, SDP, and SMPP
  • New and Updated Capture File Support:
  • libpcap, MPEG, and pcap-ng

New in WireShark 1.10.5 (Dec 20, 2013)

  • Bug Fixes:
  • Wireshark stops showing new packets but dumpcap keeps writing them to the temp file. (Bug 9571)
  • Wireshark 1.10.4 shuts down when promiscuous mode is unchecked. (Bug 9577)
  • Homeplug dissector bug: STATUS_ACCESS_VIOLATION: dissector accessed an invalid memory address. (Bug 9578)
  • Updated Protocol Support:
  • GSM BSSMAP, GSM BSSMAP LE, GSM SMS, Homeplug, NAS-EPS, and SGSAP

New in WireShark 1.10.4 (Dec 18, 2013)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2013-66:
  • The SIP dissector could go into an infinite loop
  • Versions affected: 1.10.0 to 1.10.3, 1.8.0 to 1.8.11
  • CVE-2013-7112
  • wnpa-sec-2013-67:
  • The BSSGP dissector could crash.
  • Versions affected: 1.10.0 to 1.10.3
  • CVE-2013-7113
  • wnpa-sec-2013-68:
  • The NTLMSSP v2 dissector could crash.
  • Versions affected: 1.10.0 to 1.10.3, 1.8.0 to 1.8.11
  • CVE-2013-7114
  • The following bugs have been fixed:
  • "On-the-wire" packet lengths are limited to 65535 bytes.
  • Tx MCS set is not interpreted properly in WLAN beacon frame.
  • VoIP Graph Analysis window - some calls are black.
  • Wireshark fails to decode single-line, multiple Contact: URIs in SIP responses.
  • epan/follow.c - Incorrect "bytes missing in capture file" in "check_fragments" due to an unsigned int wraparound?.
  • gsm_map doesn’t decode MAPv3 reportSM-DeliveryStatus result
  • Incorrect NFSv4 FATTR4_SECURITY_LABEL value.
  • Timestamp decoded for Gigamon trailer is not padded correctly.
  • SEL Fast Message Bug-fix for Signed 16-bit Integer Fast Meter Messages.
  • DNP3 Bug Fix for Analog Data Sign Bit Handling.
  • GSM SMS User Data header fill bits are wrong when using a 7 bits ASCII / IA5 encoding.
  • WCDMA RLC dissector cannot assemble PDUs with SNs skipped and wrap-arounded.
  • DTLS: fix buffer overflow in mac check.
  • PATCH] Correct data length in SCSI_DATA_IN packets (within iSCSI).
  • GSM SMS UDH EMS control expects 4 octets instead of 3 with OPTIONAL 4th.
  • Fix "decode as …" for packet-time.c.
  • New and Updated Capture File Support:
  • and Pcap-ng.
  • Updated Protocol Support:
  • ANSI IS-637-A, BSSGP, DNP3, DVB-BAT, DVB-CI, GSM MAP, GSM SMS, IEEE 802.11, iSCSI, NFSv4, NTLMSSP v2, RLC, SEL FM, SIP, and Time

New in WireShark 1.11.2 Dev (Nov 19, 2013)

  • BUG FIXES:
  • The following bugs have been fixed:
  • "On-the-wire" packet lengths are limited to 65535 bytes. ([1]Bug 8808, ws-buglink:9390)
  • "Follow TCP Stream" shows only the first HTTP req+res. ([2]Bug 9044)
  • Files with pcap-ng Simple Packet Blocks can't be read. ([3]Bug 9200)
  • NEW AND UPDATED FEATURES:
  • The following features are new (or have been significantly updated) since version 1.11.1:
  • Mac OS X packaging has been improved.
  • The following features are new (or have been significantly updated) since version 1.11.0:
  • Qt port:
  • The Follow Stream dialog now supports packet and TCP stream selection.
  • A Flow Graph (sequence diagram) dialog has been added.
  • The main window now respects geometry preferences.
  • The following features are new (or have been significantly updated) since version 1.10:
  • Wireshark now uses the Qt application framework. The new UI should provide a significantly better user experience, particularly on Mac OS X and Windows.
  • A more flexible, modular memory manger (wmem) has been added. It was available experimentally in 1.10 but is now mature and has mostly replaced the old API.
  • Expert info is now filterable and now requires a new API.
  • The Windows installer now uninstalls the previous version of Wireshark silently. You can still run the uninstaller manually beforehand if you wish to run it interactively.
  • The "Number" column shows related packets and protocol conversation spans (Qt only).
  • When manipulating packets with editcap using the -C and/or -s options, it is now possible to also adjust the original frame length using the -L option.
  • You can now pass the -C option to editcap multiple times, which allows you to chop bytes from the beginning of a packet as well as at the end of a packet in a single step.
  • You can now specify an optional offset to the -C option for editcap, which allows you to start chopping from that offset instead of from the absolute packet beginning or end.
  • "malformed" display filter has been renamed to "_ws.malformed". A handful of other filters have been given the "_ws." prefix to note they are Wireshark application specific filters and not dissector filters.
  • NEW PROTOCOL SUPPORT:
  • 802.1AE Secure tag, ASTERIX, ATN, BT 3DS, CARP, Cisco MetaData, ELF file format, EXPORTED PDU, FINGER, HTTP2, IDRP, ILP, Kafka, Kyoto Tycoon binary protocol, MBIM, MiNT, MP4 / ISOBMFF file format, NXP PN532 HCI, OpenFlow, Picture Transfer Protocol Over IP, QUIC (Quick UDP Internet Connections), SEL RTAC (Real Time Automation Controller) EIA-232 Serial-Line Dissection, Sippy RTPproxy, STANAG 4607, STANAG 5066 SIS, Tinkerforge, UDT, URL Encoded Form Data, WHOIS, and Wi-Fi Display
  • NEW AND UPDATED CAPTURE FILE SUPPORT:
  • Netscaler 2.6, and STANAG 4607

New in WireShark 1.10.3 (Nov 1, 2013)

  • The following vulnerabilities have been fixed:
  • The IEEE 802.15.4 dissector could crash. (Bug 9139)
  • The NBAP dissector could crash. Discovered by Laurent Butti. (Bug 9168)
  • The SIP dissector could crash. (Bug 9228)
  • The OpenWire dissector could go into a large loop. Discovered by Murali. (Bug 9248)
  • The TCP dissector could crash. (Bug 9263)
  • The following bugs have been fixed:
  • new_packet_list: EAP-TLS reassemble does not happen when NEW_PACKET_LIST is toggled. (Bug 5349)
  • TLS decryption fails with XMPP start_tls. (Bug 8871)
  • Wrong Interpretation of GTS starting slot. (Bug 8946)
  • "Follow TCP Stream" shows only the first HTTP req+res. (Bug 9044)
  • The value of SEND_TO_UE in the DIAMETER Gx dictionary for Packet-Filter-Usage AVP is 0 instead of 1. (Bug 9126)
  • Crash then try to delete the same entry (length range) twice. (Bug 9129)
  • Crash if wrong "packet lengths range" entered. (Bug 9130)
  • Bssgp ⇒ SGSN-INVOKE-TRACE use the wrong function… (Bug 9157)
  • Minor correction to dissection of DLR frames in Ethernet/IP dissector. (Bug 9186)
  • WebSphere MQ V7 Bug Fix 8322 TSHM_EBCDIC. (Bug 9198)
  • EDNS0 "Higher bits in extended RCODE" incorrectly decoded in packet-dns.c. (Bug 9199)
  • Files with pcap-ng Simple Packet Blocks can’t be read. (Bug 9200)
  • Bug in RTP dissector if RTP extension is present. (Bug 9204)
  • Improve "eHRPD Indicator" NVSE dissection in 3GPP2 A11 Registration Request. (Bug 9206)
  • "make debian-package" fails, missing wsicon32.xpm. (Bug 9209)
  • Fix typo in MODCOD list of DVB-S2 dissector. (Bug 9218)
  • Ring buffer crash when tshark gets too far behind dumpcap. (Bug 9258)
  • PTP Dissector Wrongfully Reports Malformed Packet. (Bug 9262)
  • Wireshark lua dissector unable to load for media_type=application/octet-stream. (Bug 9296)
  • Wireshark crash when dissecting packet with NTLMSSP. (Bug 9299)
  • Padding in uint64 field in DCERPC protocol wrongly reported. (Bug 9300)
  • DCERPC data_blobs are not correctly dissected when NDR64 encoding is used. (Bug 9301)
  • Multiple PDUs in the same DCERPC packet are not correctly decrypted. (Bug 9302)
  • The tshark summary line doesn’t display the frame number or displays it sporadically. (Bug 9317)
  • Bluetooth: SDP improvements and minor fixes. (Bug 9327)
  • Duplicate IRC header field abbreviation breaks filter (example: irc.response.command). (Bug 9360)
  • Updated Protocol Support:
  • 3GPP2 A11, Bluetooth SDP, BSSGP, DCERPC, DCERPC NDR, DCERPC NT, DIAMETER, DNS, DVB-S2, Ethernet, EtherNet/IP, H.225, IEEE 802.15.4, IRC, NBAP, NTLMSSP, OpenWire, PTP, RTP, SIP, TCP, WiMax, and XMPP

New in WireShark 1.11.0 Dev (Oct 16, 2013)

  • Bug Fixes:
  • The following bugs have been fixed:
  • "Follow TCP Stream" shows only the first HTTP req+res.
  • Files with pcap-ng Simple Packet Blocks can't be read.
  • New and Updated Features:
  • Wireshark now uses the Qt application framework. The new UI should provide a significantly better user experience, particularly on Mac OS X and Windows.
  • A more flexible, modular memory manger (wmem) has been added. It was available experimentally in 1.10 but is now mature and has mostly replaced the old API.
  • Expert info is now filterable and now requires a new API.
  • The Windows installer now uninstalls the previous version of Wireshark silently. You can still run the uninstaller manually beforehand if you wish to run it interactively.
  • The "Number" column shows related packets and protocol conversation spans (Qt only).
  • When manipulating packets with editcap using the -C and/or -s options, it is now possible to also adjust the original frame length using the -L option.
  • You can now pass the -C option to editcap multiple times, which allows you to chop bytes from the beginning of a packet as well as at the end of a packet in a single step.
  • You can now specify an optional offset to the -C option for editcap, which allows you to start chopping from that offset instead of from the absolute packet beginning or end.
  • "malformed" display filter has been renamed to "_ws.malformed". A handful of other filters have been given the "_ws." prefix to note they are Wireshark application specific filters and not dissector filters.
  • New Protocol Support:
  • ASTERIX, SEL RTAC (Real Time Automation Controller) EIA-232 Serial-Line Dissection, and UDT
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support
  • Netscaler 2.6, and STANAG 4607

New in WireShark 1.10.2 (Sep 11, 2013)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2013-54:
  • The Bluetooth HCI ACL dissector could crash. Discovered by Laurent Butti. (Bug 8827)
  • Versions affected: 1.10.0 to 1.10.1
  • wnpa-sec-2013-55:
  • The NBAP dissector could crash. Discovered by Laurent Butti. (Bug 9005)
  • Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
  • wnpa-sec-2013-56:
  • The ASSA R3 dissector could go into an infinite loop. Discovered by Ben Schmidt. (Bug 9020)
  • Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
  • wnpa-sec-2013-57:
  • The RTPS dissector could overflow a buffer. Discovered by Ben Schmidt. (Bug 9019)
  • Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
  • wnpa-sec-2013-58:
  • The MQ dissector could crash. (Bug 9079)
  • Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
  • wnpa-sec-2013-59:
  • The LDAP dissector could crash. Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
  • wnpa-sec-2013-60:
  • The Netmon file parser could crash (Bug 8742)
  • Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
  • The following bugs have been fixed:
  • Lua ByteArray:append() causes wireshark crash. (Bug 4461)
  • Lua script can not get "data-text-lines" protocol data. (Bug 5200)
  • Lua: Trying to use Field.new("tcp.segments") to get reassembled TCP data is failed. (Bug 5201)
  • "Edit Interface Settings": "Capture Filter" combo box is not populated across Wireshark sessions. (Bug 7278)
  • PER normally small non-negative whole number decoding is wrong when >= 64. (Bug 8841)
  • Strange behavior of tree expand/collapse in packet details. (Bug 8908)
  • Incorrect parsing of IPFIX *IpTotalLength elements. (Bug 8918)
  • IO graph/advanced, max/min/summ error on frames with multiple Diameter messages. (Bug 8980)
  • pod2man error on reordercap.pod. (Bug 8982)
  • SGI Nsym disambiguation is unconditionally displayed when dissecting VHT. (Bug 8989)
  • The Wireshark icon doesn’t show up in OS X 10.5. (Bug 8993)
  • Build fails if system Python is version 3+. (Bug 8995)
  • SCSI dissector does not parse PERSISTENT RESERVE commands correctly. (Bug 9012)
  • SDP messages throws an assert. (Bug 9022)
  • Wireshark fails to decode single-line, multiple Contact: URIs in SIP responses. (Bug 9031)
  • PN_MRP LinkUp Message is shown as LinkDown in info. (Bug 9035)
  • Dissector for EtherCAT: ADS highlighting in the Packet Bytes Pane is incorrect. (Bug 9036)
  • 802.11 HT Extended Capabilities B10 decode incorrect. (Bug 9038)
  • Wrong dissection of MSTI Root Identifiers for all MSTIs. (Bug 9088)
  • Weird malformed HTTP error. (Bug 9101)
  • Warning for attempting to install 64-bit Wireshark on a 32-bit machine has an embedded "\n". (Bug 9103)
  • Wireshark crashes when using "Export Specified Packets" > "Displayed". (Bug 9106)
  • Updated Protocol Support:
  • ASN.1 PER, ASSA R3, Bluetooth HCI ACL, EtherCAT AMS, GTPv2, HTTP, IEEE 802.11, IPFIX, ISDN SUP, LDAP, MQ, NBAP, Novell SSS, PROFINET MRP, Radiotap, ROHC, RTPS, SCSI, SIP, and STP
  • New and Updated Capture File Support:
  • and Microsoft Network Monitor, pcap-ng.

New in WireShark 1.10.1 (Jul 27, 2013)

  • The following bugs have been fixed:
  • Mark retransmitted SYN and FIN packets as retransmissions.
  • Wireshark hides under Taskbar. (Bug 3034)
  • IEEE 802.15.4 frame check sequence in "Chipcon mode" not displayed correctly. (Bug 4507)
  • Mask in Lua ProtoField.uint32() does not work as expected. (Bug 5734)
  • Crash when applying filter with Voip calls. (Bug 6090)
  • Delta time regressions to tshark introduced with SVN 45071. (Bug 8160)
  • Add MAC-DATA support to TETRA dissector and other minor improvements. (Bug 8708)
  • Crash analyzing VoIP Calls (T38). (Bug 8736)
  • Wireshark writes empty NRB FQDN which makes trace unloadable. (Bug 8763)
  • Quick launch icon is absent, so it shows up as a generic icon. (Bug 8773)
  • Wrong encoding for 2 pod files, UTF-8 characters in another. (Bug 8774)
  • SCSI (SPC) sense key specific information field must not include SKSV. (Bug 8782)
  • Wireshark crashes when closing Flow Graph with Graph Analysis opened. (Bug 8793)
  • Wrong size of LLRP ProtocolID Parameter in Accessspec Parameter. (Bug 8809)
  • Detection of IPv6 works only on Solaris 8. (Bug 8813)
  • ip.opt.type triggers for TCP NOP option. (Bug 8823)
  • DCOM-SYSACT dissector crash. (Bug 8828)
  • Incorrect decoding of MPLS Echo Request with BGP FEC. (Bug 8835)
  • Buggy IEC104 dissector caused by commit r48958. (Bug 8849)
  • ansi_637_tele dissector displays MSB as MBS for Call-Back Number. (Bug 8851)
  • LISP Map-Notify flags I and R shown incorrectly. (Bug 8852)
  • ONTAP_V4 fhandle decoding leads to dissector bug. (Bug 8853)
  • Dropped bytes in imap dissector. (Bug 8857)
  • Kismet drone/server dissector improvements. (Bug 8864)
  • TShark iostat_draw sizeof mismatch. (Bug 8888)
  • SCTP bytes graph crash. (Bug 8889)
  • Patch to Wireshark/tshark usage info and man pages to document all timestamp (-t) options. (Bug 8906)
  • Strange behavior of tree expand/collapse in packet details. (Bug 8908)
  • Graph Filter field limited to 256 characters. (Bug 8909)
  • Filter doesn’t support cflow ASN larger than 65535. (Bug 8959)
  • Wireshark crashes when switching from a v1.11.0 profile to a v1.4.6 prof and then to a v1.5.1 prof. (Bug 8884)
  • SIP stats shows incorrect values for Max/Ave setup times. (Bug 8897)
  • NFSv4 delegation not reported correctly. (Bug 8920)
  • Issue with Capture Options Adapter List. (Bug 8932)
  • RFC 5844 - IPv4 Support for Proxy Mobile IPv6 - Mobility option IPv4 DHCP Support Mode Option malformed packet. (Bug 8957)
  • RFC 3775 - Mobility Support in IPv6 - Mobility option PadN incorrectly highlights + 2 bytes. (Bug 8958)
  • All mongodb query show as [Malformed Packet: MONGO]. (Bug 8960)

New in WireShark 1.10.0 (Jun 6, 2013)

  • Bug Fixes:
  • The following bugs have been fixed:
  • Redirecting the standard output didn’t redirect the output the of -D or -L flags. This fix means that the output of those flags now goes to the standard output, not the standard error, as it did in previous releases. Bug 8609
  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 1.8:
  • Wireshark on 32- and 64-bit Windows supports automatic updates.
  • The packet bytes view is faster.
  • You can now display a list of resolved host names in "hosts" format within Wireshark.
  • The wireless toolbar has been updated.
  • Wireshark on Linux does a better job of detecting interface addition and removal.
  • It is now possible to compare two fields in a display filter (for example: udp.srcport != udp.dstport). The two fields must be of the same type for this to work.
  • The Windows installers ship with WinPcap 4.1.3, which supports Windows 8.
  • USB type and product name support has been improved.
  • All Bluetooth profiles and protocols are now supported.
  • Wireshark now calculates HTTP response times and presents the result in a new field in the HTTP response. Links from the request’s frame to the response’s frame and vice-versa are also added.
  • The main welcome screen and status bar now display file sizes using strict SI prefixes instead of old-style binary prefixes.
  • Capinfos now prints human-readable statistics with SI suffixes by default.
  • It is now possible to open a referenced packet (such as the matched request or response packet) in a new window.
  • Tshark can now display only the hex/ascii packet data without requiring that the packet summary and/or packet details are also displayed. If you want the old behavior, use -Px instead of just -x.
  • Wireshark can be compiled using GTK+ 3.
  • The Wireshark application icon, capture toolbar icons, and other icons have been updated.
  • Tshark’s filtering and multi-pass analysis have been reworked for consistency and in order to support dependent frame calculations during reassembly. See the man page descriptions for -2, -R, and -Y.
  • Tshark’s -G fields2 and -G fields3 options have been eliminated. The -G fields option now includes the 2 extra fields that -G fields3 previously provided, and the blurb information has been relegated to the last column since in many cases it is blank anyway.
  • Wireshark dropped the left-handed settings from the preferences. This is still configurable via the GTK settings (add "gtk-scrolled-window-placement = top-right" in the config file, which might be called /.gtkrc-2.0 or /.config/gtk-3.0/settings.ini).
  • Wireshark now ships with two global configuration files: Bluetooth, which contains coloring rules for Bluetooth and Classic, which contains the old-style coloring rules.
  • The LOAD() metric in the IO-graph now shows the load in IO units instead of thousands of IO units.
  • New Protocol Support:
  • Amateur Radio AX.25, Amateur Radio BPQ, Amateur Radio NET/ROM, America Online (AOL), AR Drone, Automatic Position Reporting System (APRS), AX.25 KISS, AX.25 no Layer 3, Bitcoin Protocol, Bluetooth Attribute Protocol, Bluetooth AVCTP Protocol, Bluetooth AVDTP Protocol, Bluetooth AVRCP Profile, Bluetooth BNEP Protocol, Bluetooth HCI USB Transport, Bluetooth HCRP Profile, Bluetooth HID Profile, Bluetooth MCAP Protocol, Bluetooth SAP Profile, Bluetooth SBC Codec, Bluetooth Security Manager Protocol, Cisco GED-125 Protocol, Clique Reliable Multicast Protocol (CliqueRM), D-Bus, Digital Transmission Content Protection over IP, DVB-S2 Baseband, FlexNet, Forwarding and Control Element Separation Protocol (ForCES), Foundry Discovery Protocol (FDP), Gearman Protocol, GEO-Mobile Radio (1) RACH, HoneyPot Feeds Protocol (HPFEEDS), LTE Positioning Protocol Extensions (LLPe), Media Resource Control Protocol Version 2 (MRCPv2), Media-Independent Handover (MIH), MIDI System Exclusive (SYSEX), Mojito DHT, MPLS-TP Fault-Management, MPLS-TP Lock-Instruct, NASDAQ’s OUCH 4.x, NASDAQ’s SoupBinTCP, OpenVPN Protocol, Pseudo-Wire OAM, RPKI-Router Protocol, SEL Fast Message, Simple Packet Relay Transport (SPRT), Skype, Smart Message Language (SML), SPNEGO Extended Negotiation Security Mechanism (NEGOEX), UHD/USRP, USB Audio, USB Video, v.150.1 State Signaling Event (SSE), VITA 49 Radio Transport, VNTAG, WebRTC Datachannel Protocol (RTCDC), and WiMAX OFDMA PHY SAP
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • AIX iptrace, CAM Inspector, Catapult DCT2000, Citrix NetScaler, DBS Etherwatch (VMS), Endace ERF, HP-UX nettl, IBM iSeries, Ixia IxVeriWave, NA Sniffer (DOS), Netscreen, Network Instruments Observer, pcap, pcap-ng, Symbian OS btsnoop, TamoSoft CommView, and Tektronix K12xx

New in WireShark 1.10.0 RC 2 (May 23, 2013)

  • Bug Fixes:
  • The following bugs have been fixed:
  • Redirecting the standard output didn't redirect the output the of -D or -L flags. This fix means that the output of those flags now goes to the standard output, not the standard error, as it did in previous releases. [1]Bug 8609
  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 1.8:
  • Wireshark on 32- and 64-bit Windows supports automatic updates.
  • The packet bytes view is faster.
  • You can now display a list of resolved host names in "hosts" format within Wireshark.
  • The wireless toolbar has been updated.
  • Wireshark on Linux does a better job of detecting interface addition and removal.
  • It is now possible to compare two fields in a display filter (for example: udp.srcport != udp.dstport). The two fields must be of the same type for this to work.
  • The Windows installers ship with WinPcap 4.1.3, which supports Windows 8.
  • USB type and product name support has been improved.
  • All Bluetooth profiles and protocols are now supported.
  • Wireshark now calculates HTTP response times and presents the result in a new field in the HTTP response. Links from the request's frame to the response's frame and vice-versa are also added.
  • The main welcome screen and status bar now display file sizes using strict SI prefixes instead of old-style binary prefixes.
  • Capinfos now prints human-readable statistics with SI suffixes by default.
  • It is now possible to open a referenced packet (such as the matched request or response packet) in a new window.
  • Tshark can now display only the hex/ascii packet data without requiring that the packet summary and/or packet details are also displayed. If you want the old behavior, use -Px instead of just -x.
  • Wireshark can be compiled using GTK+ 3.
  • The Wireshark application icon, capture toolbar icons, and other icons have been updated.
  • Tshark's filtering and multi-pass analysis have been reworked for consistency and in order to support dependent frame calculations during reassembly. See the man page descriptions for -2, -R, and -Y.
  • Tshark's -G fields2 and -G fields3 options have been eliminated. The -G fields option now includes the 2 extra fields that -G fields3 previously provided, and the blurb information has been relegated to the last column since in many cases it is blank anyway.
  • Wireshark dropped the left-handed settings from the preferences. This is still configurable via the GTK settings (add "gtk-scrolled-window-placement = top-right" in the config file, which might be called [/.gtkrc-2.0 or ]/.config/gtk-3.0/settings.ini).
  • Wireshark now ships with two global configuration files: Bluetooth, which contains coloring rules for Bluetooth and Classic, which contains the old-style coloring rules.
  • New Protocol Support:
  • Amateur Radio AX.25, Amateur Radio BPQ, Amateur Radio NET/ROM,
  • America Online (AOL), AR Drone, Automatic Position Reporting
  • System (APRS), AX.25 KISS, AX.25 no Layer 3, Bitcoin Protocol,
  • Bluetooth Attribute Protocol, Bluetooth AVCTP Protocol,
  • Bluetooth AVDTP Protocol, Bluetooth AVRCP Profile, Bluetooth
  • BNEP Protocol, Bluetooth HCI USB Transport, Bluetooth HCRP
  • Profile, Bluetooth HID Profile, Bluetooth MCAP Protocol,
  • Bluetooth SAP Profile, Bluetooth SBC Codec, Bluetooth Security
  • Manager Protocol, Cisco GED-125 Protocol, Clique Reliable
  • Multicast Protocol (CliqueRM), D-Bus, Digital Transmission
  • Content Protection over IP, DVB-S2 Baseband, FlexNet,
  • Forwarding and Control Element Separation Protocol (ForCES),
  • Foundry Discovery Protocol (FDP), Gearman Protocol, GEO-Mobile
  • Radio (1) RACH, HoneyPot Feeds Protocol (HPFEEDS), LTE
  • Positioning Protocol Extensions (LLPe), Media Resource Control
  • Protocol Version 2 (MRCPv2), Media-Independent Handover (MIH),
  • MIDI System Exclusive (SYSEX), Mojito DHT, MPLS-TP
  • Fault-Management, MPLS-TP Lock-Instruct, NASDAQ's OUCH 4.x,
  • NASDAQ's SoupBinTCP, OpenVPN Protocol, Pseudo-Wire OAM,
  • RPKI-Router Protocol, SEL Fast Message, Simple Packet Relay
  • Transport (SPRT), Skype, Smart Message Language (SML), SPNEGO
  • Extended Negotiation Security Mechanism (NEGOEX), UHD/USRP, USB
  • Audio, USB Video, v.150.1 State Signaling Event (SSE), VITA 49
  • Radio Transport, VNTAG, WebRTC Datachannel Protocol (RTCDC), and WiMAX OFDMA PHY SAP
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • AIX iptrace, CAM Inspector, Catapult DCT2000, Citrix NetScaler,
  • DBS Etherwatch (VMS), Endace ERF, HP-UX nettl, IBM iSeries,
  • Ixia IxVeriWave, NA Sniffer (DOS), Netscreen, Network
  • Instruments Observer, pcap, pcap-ng, Symbian OS btsnoop,
  • TamoSoft CommView, and Tektronix K12xx

New in WireShark 1.8.7 (May 18, 2013)

  • Bug Fixes:
  • The following vulnerabilities have been fixed.
  • The RELOAD dissector could go into an infinite loop. Discovered by Evan Jensen. (Bug 8364, (Bug 8546) Versions affected: 1.8.0 to 1.8.6.
The GTPv2 dissector could crash. (Bug 8493) Versions affected: 1.8.0 to 1.8.6.
  • The ASN.1 BER dissector could crash. (Bug 8599) Versions affected: 1.8.0 to 1.8.6, 1.6.0 to 1.6.14.
  • The PPP CCP dissector could crash. (Bug 8638) Versions affected: 1.8.0 to 1.8.6.
  • The DCP ETSI dissector could crash. Discovered by Evan Jensen. (Bug 8231, bug 8540, bug 8541) Versions affected: 1.8.0 to 1.8.6.
  • The MPEG DSM-CC dissector could crash. (Bug 8481) Versions affected: 1.8.0 to 1.8.6.
  • The Websocket dissector could crash. Discovered by Moshe Kaplan. (Bug 8448, Bug 8499) Versions affected: 1.8.0 to 1.8.6.
  • The MySQL dissector could go into an infinite loop. Discovered by Moshe Kaplan. (Bug 8458) Versions affected: 1.8.0 to 1.8.6.
  • The ETCH dissector could go into a large loop. Discovered by Moshe Kaplan. (Bug 8464) Versions affected: 1.8.0 to 1.8.6.
  • The following bugs have been fixed:
  • The Windows installer and uninstaller does a better job of detecting running executables.
  • Library mismatch when compiling on a system with an older Wireshark version. (Bug 6011)
  • SNMP dissector bug: STATUS_INTEGER_DIVIDE_BY_ZERO. (Bug 7359)
  • A console window is never opened. (Bug 7755)
  • GSM_MAP show malformed Packets when two IMSI. (Bug 7882)
  • Fix include and libs search path when cross compiling. (Bug 7926)
  • PER dissector crash. (Bug 8197)
  • pcap-ng: name resolution block is not written to file on save. (Bug 8317)
  • Incorrect RTP statistics (Lost Packets indication not ok). (Bug 8321)
  • Decoding of GSM MAP E164 Digits. (Bug 8450)
  • Silent installer and uninstaller not silent. (Bug 8451)
  • Replace use of INCLUDES with AM_CPPFLAGS in all Makefiles to placate recent autotools. (Bug 8452)
  • Wifi details are not stored in the Decryption Key Management dialog (post 1.8.x). (Bug 8446)
  • IO Graph should not be limited to 100k points (NUM_IO_ITEMS). (Bug 8460)
  • geographical_description: hf_gsm_a_geo_loc_deg_of_long 24 bit field truncated to 23 bits. (Bug 8532)
  • IRC message with multiple params causes malformed packet exception. (Bug 8548)
  • Part of Ping Reply Message in ICMPv6 Reply Message is marked as "Malformed Packet". (Bug 8554)
  • MP2T wiretap heuristic overriding ERF. (Bug 8556)
  • Cannot read content of Ran Information Application Error Rim Container. (Bug 8559)
  • Endian error and IP:Port error when decoding BT-DHT response message. (Bug 8572)
  • "ACE4_ADD_FILE/ACE4_ADD_SUBDIRECTORY" should be "ACE4_APPEND_DATA / ACE4_ADD_SUBDIRECTORY". (Bug 8575)
  • wireshark crashes while displaying I/O Graph. (Bug 8583)
  • GTPv2 MM Context (UMTS Key, Quad, and Quint Decoded) incorrectly. (Bug 8596)
  • DTLS 1.2 uses wrong PRF. (Bug 8608)
  • RTP DTMF digits are no longer displayed in VoIP graph analysis. (Bug 8610)
  • Universal port not accepted in RSA Keys List window. (Bug 8618)
  • Wireshark Dissector bug with HSRP Version 2. (Bug 8622)
  • LISP control packet incorrectly identified as LISP data based when UDP source port is 4341. (Bug 8627)
  • Bad tcp checksum not detected. (Bug 8629)
  • AMR Frame Type uses wrong Value String. (Bug 8681)
  • New and Updated Features:
  • There are no new features in this release.
  • New Protocol Support:
  • There are no new protocols in this release.
  • Updated Protocol Support:
  • AMR, ASN.1 BER, BAT, Bluetooth DHT, BSSGP, DTLS, E.164, Ericsson A-bis OML, GSM A, GSM MAP, HDFSDATA, ICMP, ICMPv6, ixveriwave, IRC, KDSP, LISP Data, MMS, NFS, OpenWire, PPP, RELOAD, RTP, SASP, SIP, SSL/TLS, TCP, UA3G
  • New and Updated Capture File Support:
  • Endace ERF, NetScreen snoop.

New in WireShark 1.10.0 RC 1 (Apr 27, 2013)

  • All Bluetooth profiles and protocols are now supported.
  • Tshark can now display only the hex/ascii packet data without requiring that the packet summary and/or packet details are also displayed. If you want the old behavior, use -Px instead of just -x.
  • Wireshark can be compiled using GTK+ 3.
  • The Wireshark application icon, capture toolbar icons, and other icons have been updated.
  • Tshark's filtering and multi-pass analysis have been reworked for consistency and in order to support dependent frame calculations during reassembly. See the man page descriptions for -2, -R, and -Y.
  • Tshark's -G fields2 and -G fields3 options have been eliminated. The -G fields option now includes the 2 extra fields that -G fields3 previously provided, and the blurb information has been relegated to the last column since in
  • Many cases it is blank anyway.

New in WireShark 1.9.2 Dev (Mar 29, 2013)

  • The following features are new (or have been significantly updated) since version 1.8:
  • Wireshark on 32- and 64-bit Windows supports automatic updates.
  • The packet bytes view is faster.
  • You can now display a list of resolved host names in "hosts" format within Wireshark.
  • The wireless toolbar has been updated.
  • Wireshark on Linux does a better job of detecting interface addition and removal.
  • It is now possible to compare two fields in a display filter (for example: udp.srcport != udp.dstport). The two fields must be of the same type for this to work.
  • The Windows installers ship with WinPcap 4.1.3, which supports Windows 8.
  • USB type and product name support has been improved.
  • Wireshark now calculates HTTP response times and presents the result in a new field in the HTTP response. Links from the request's frame to the response's frame and vice-versa are also added.
  • The main welcome screen and status bar now display file sizes using strict SI prefixes instead of old-style binary prefixes.
  • Capinfos now prints human-readable statistics with SI suffixes by default.
  • It is now possible to open a referenced packet (such as the matched request or response packet) in a new window.
  • It is now possible for tshark to display only the hex/ascii packet data without also requiring that the packet summary and/or packet details are also displayed. If you want the old behavior, use -Px instead of just -x.
  • The Wireshark application icon, capture toolbar icons, and other icons have been updated.
  • New Protocol Support:
  • Amateur Radio AX.25, Amateur Radio BPQ, Amateur Radio NET/ROM, America Online (AOL), AR Drone, Automatic Position Reporting System (APRS), AX.25 KISS, AX.25 no Layer 3, Bitcoin Protocol, Bluetooth Attribute Protocol, Bluetooth AVCTP Protocol, Bluetooth AVDTP Protocol, Bluetooth AVRCP Profile, Bluetooth BNEP Protocol, Bluetooth HCI USB Transport, Bluetooth HCRP Profile, Bluetooth HID Profile, Bluetooth MCAP Protocol,
  • Bluetooth SAP Profile, Bluetooth SBC Codec, Bluetooth Security Manager Protocol, Cisco GED-125 Protocol, Clique Reliable Multicast Protocol (CliqueRM), D-Bus, Digital Transmission Content Protection over IP, DVB-S2 Baseband, FlexNet, Forwarding and Control Element Separation Protocol (ForCES), Foundry Discovery Protocol (FDP), Gearman Protocol, GEO-Mobile
  • Radio (1) RACH, HoneyPot Feeds Protocol (HPFEEDS), LTE Positioning Protocol Extensions (LLPe), Media Resource Control Protocol Version 2 (MRCPv2), Media-Independent Handover (MIH), MIDI System Exclusive (SYSEX), Mojito DHT, MPLS-TP Fault-Management, MPLS-TP Lock-Instruct, NASDAQ's OUCH 4.x, NASDAQ's SoupBinTCP, OpenVPN Protocol, Pseudo-Wire OAM, RPKI-Router Protocol, SEL Fast Message, Simple Packet Relay
  • Transport (SPRT), Skype, Smart Message Language (SML), SPNEGO Extended Negotiation Security Mechanism (NEGOEX), UHD/USRP, USB Audio, USB Video, v.150.1 State Signaling Event (SSE), VITA 49 Radio Transport, VNTAG, WebRTC Datachannel Protocol (RTCDC), and WiMAX OFDMA PHY SAP
  • New and Updated Capture File Support:
  • AIX iptrace, Catapult DCT2000, Citrix NetScaler, DBS Etherwatch VMS), Endace ERF, HP-UX nettl, IBM iSeries, Ixia IxVeriWave, NA Sniffer (DOS), Netscreen, Network Instruments Observer, pcap, pcap-ng, Symbian OS btsnoop, TamoSoft CommView, and Tektronix K12xx

New in WireShark 1.8.6 (Mar 7, 2013)

  • Bug Fixes:
  • The TCP dissector could crash. (Bug 8274)
  • The HART/IP dissectory could go into an infinite loop. (Bug 8360)
  • The CSN.1 dissector could crash.
  • The MS-MMS dissector could crash.
  • The MPLS Echo dissector could go into an infinite loop.
  • The RTPS and RTPS2 dissectors could crash. (Bug 8332)
  • The Mount dissector could crash. (Bug 8335)
  • The AMPQ dissector could go into an infinite loop. (Bug 8337)
  • The ACN dissector could attempt to divide by zero. (Bug 8340)
  • The CIMD dissector could crash. (Bug 8346)
  • The FCSP dissector could go into an infinite loop. (Bug 8359)
  • The RELOAD dissector could go into an infinite loop. (Bug 8364)
  • The DTLS dissector could crash. (Bug 8380)
  • The following bugs have been fixed:
  • Lua pinfo.cols.protocol not holding value in postdissector. (Bug 6020)
  • data combined via ssl_desegment_app_data not visible via "Follow SSL Stream" only decrypted ssl data tabs. (Bug 6434)
  • HTTP application/json-rpc should be decoded/shown as application/json. (Bug 7939)
  • Maximum value of 802.11-2012 Duration field should be 32767. (Bug 8056)
  • Voice RTP player crash if player is closed while playing. (Bug 8065)
  • Display Filter Macros crash. (Bug 8073)
  • RRC RadioBearerSetup message decoding issue. (Bug 8290)
  • R-click filters add ! in front of field when choosing "apply as filter>selected". (Bug 8297)
  • BACnet - Loop Object - Setpoint-Reference property does not decode correctly. (Bug 8306)
  • WMM TSPEC Element Parsing is not done is wrong due to a wrong switch case number. (Bug 8320)
  • Incorrect RTP statistics (Lost Packets indication not ok). (Bug 8321)
  • Registering ieee802154 dissector for IEEE802.15.4 frames inside Linux SLL frames. (Bug 8325)
  • Version Field is skipped while parsing WMM_TSPEC causing wrong dissecting (1 byte offset missing) of all fields in the TSPEC. (Bug 8330)
  • BACnet] UCS-2 strings longer than 127 characters do not decode correctly. (Bug 8331)
  • Malformed IEEE80211 frame triggers DISSECTOR_ASSERT. (Bug 8345)
  • Decoding of GSM MAP SMS Diagnostics. (Bug 8378)
  • Incorrect packet length displayed for Flight Message Transfer Protocol (FMTP). (Bug 8407)
  • Netflow dissector flowDurationMicroseconds nanosecond conversion wrong. (Bug 8410)
  • BE (3) AC is wrongly named as "Video" in (qos_acs). (Bug 8432)
  • Updated Protocol Support:
  • ACN, AMQP, ASN.1 PER, BACnet, CIMD, CSN.1, DOCSIS TLVs, DTLS, FCSP, FMP/NOTIFY, FMTP, GSM MAP SMS, HART/IP, IEEE 802.11, IEEE 802.15.4, JSON, Linux SLL, LTE RRC, Mount, MPLS Echo, Netflow, RELOAD, RSL, RTP, RTPS, RTPS2, SABP, SIP, SSL, TCP

New in WireShark 1.9.0 Dev (Feb 21, 2013)

  • The following features are new (or have been significantly updated) since version 1.8:
  • The main welcome screen and status bar now display file sizes using strict SI prefixes instead of old-style binary prefixes.
  • It is now possible to compare two fields in a display filter (for example: udp.srcport != udp.dstport

New in WireShark 1.8.5 (Jan 30, 2013)

  • The following vulnerabilities have been fixed:
  • Infinite and large loops in the Bluetooth HCI, CSN.1, DCP-ETSI DOCSIS CM-STAUS, IEEE 802.3 Slow Protocols, MPLS, R3, RTPS, SDP, and SIP dissectors. Reported by Laurent Butti. (Bugs 8036, 8037, 8038, 8040, 8041, 8042, 8043, 8198, 8199, 8222)
  • The CLNP dissector could crash. Discovered independently by Laurent Butti and the Wireshark development team. (Bug 7871)
  • The DTN dissector could crash. (Bug 7945)
  • The MS-MMC dissector (and possibly others) could crash. (Bug 8112)
  • The DTLS dissector could crash. Discovered by Laurent Butti. (Bug 8111)
  • The ROHC dissector could crash. (Bug 7679)
  • The DCP-ETSI dissector could corrupt memory. Discovered by Laurent Butti. (Bug 8213)
  • The Wireshark dissection engine could crash. Discovered by Laurent Butti. (Bug 8197)
  • The NTLMSSP dissector could overflow a buffer. Discovered by Ulf Härnhammar.
  • The following bugs have been fixed:
  • SNMPv3 Engine ID registration. (Bug 2426)
  • Wrong decoding of gtp.target identification. (Bug 3974)
  • Reassemble.c leaks memory for GLIB > 2.8. (Bug 4141)
  • Wireshark crashes when starting due to out-of-date plugin left behind from earlier installation. (Bug 7401)
  • Failed to dissect TLS handshake packets. (Bug 7435)
  • ISUP dissector problem with empty Generic Number. (Bug 7632)
  • Illegal character is used in temporary capture file name. (Bug 7877)
  • Lua code crashes wireshark after update to 1.8.3. (Bug 7976)
  • Timestamp info is not saved correctly when writing DOS Sniffer files. (Bug 7998)
  • 1.8.3 Wireshark User's Guide version is 1.6. (Bug 8009)
  • Core dumped when the file is closed. (Bug 8022)
  • LPP is misspelled in APDU parameter in e-CIDMeasurementInitiation request for LPPA message. (Bug 8023)
  • Wrong packet bytes are selected for ISUP CUG binary code. (Bug 8035)
  • Decodes FCoE Group Multicast MAC address as Broadcom MAC address. (Bug 8046)
  • The SSL dissector stops decrypting the SSL conversation with Malformed Packet:SSL error messages. (Bug 8075)
  • Unable to Save/Apply [Unistim Port] in Preferences. (Bug 8078)
  • Some Information Elements in GTPv2 are not dissected correctly. (Bug 8079)
  • Wrong bytes highlighted with "Find Packet...". (Bug 8085)
  • 3GPP ULI AVP. SAI is not correctly decoded. (Bug 8098)
  • Wireshark does not show "Start and End Time" information for Cisco Netflow/IPFIX with type 154 to 157. (Bug 8105)
  • GPRS Tunnel Protocoll GTP Version 1 does not decode DAF flag in Common Flags IE. (Bug 8193)
  • Wrong parcing of ULI of gtpv2 messages - errors in SAC, RAC & ECI. (Bug 8208)
  • Version Number in EtherIP dissector. (Bug 8211)
  • Warn Dissector bug, protocol JXTA. (Bug 8212)
  • Electromagnetic Emission Parser parses field Event Id as Entity Id. (Bug 8227)
  • Updated Protocol Support:
  • ANSI IS-637-A, ASN.1 PER, AX.25, Bluetooth HCI, CLNP, CSN.1, DCP-ETSI, DIAMETER, DIS PDU, DOCSIS CM-STATUS, DTLS, DTN, EtherIP, Fibre Channel, GPRS, GTP, GTPv2, HomePlug AV, IEEE 802.3 Slow, IEEE 802.15.4, ISUP, JXTA, LAPD, LPPa, MPLS, MS-MMC, NAS-EPS, NTLMSSP, ROHC, RSL, RTPS, SDP, SIP, SNMP, SSL
  • New and Updated Capture File Support:
  • DOS Sniffer

New in WireShark 1.8.4 (Nov 29, 2012)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • Wireshark could leak potentially sensitive host name resolution information when working with multiple pcap-ng files. Discovered by Laura Chappell.
  • The USB dissector could go into an infinite loop. (Bug 7787)
  • The sFlow dissector could go into an infinite loop. (Bug 7789)
  • The SCTP dissector could go into an infinite loop. (Bug 7802)
  • The EIGRP dissector could go into an infinite loop. (Bug 7800)
  • The ISAKMP dissector could crash. (Bug 7855)
  • The iSCSI dissector could go into an infinite loop. (Bug 7858)
  • The WTP dissector could go into an infinite loop. (Bug 7869)
  • The RTCP dissector could go into an infinite loop. (Bug 7879)
  • The 3GPP2 A11 dissector could go into an infinite loop. (Bug 7801)
  • The ICMPv6 dissector could go into an infinite loop. (Bug 7844)
  • The following bugs have been fixed:
  • Menu and Title bars inaccessible using GTK2 (non-legacy) with two monitors. (Bug 553)
  • 802.11 Probe Response fails to parse. (Bug 1284)
  • Tshark - decimal symbol. (Bug 2880)
  • Malformed tpncp.dat file can crash Wireshark. (Bug 6665)
  • SSL decryption not work even with example capture file and key. (Bug 6869)
  • Info line is incorrect on SIP message containing another SIP message in body. (Bug 7780)
  • OOPS: dissector table "sctp.ppi" doesn't exist Protocol being registered is "Datagram Transport Layer Security". (Bug 7784)
  • Dissection of IEEE 802.11 Channel Switch Announcement element fails. (Bug 7797)
  • Invalid memory accesses when loading RADIUS captures. (Bug 7803)
  • ISUP CIC should have format BASE_DEC, not BASE_HEX. (Bug 7848)
  • We don't handle pcap-ng files with IDBs that come after packet blocks. (Bug 7851)
  • '*' wildcard in the 'Src IP' or 'Dest IP' field of the ESP SA dialog does not work. (Bug 7866)
  • nas_eps dissector does not decode some esm message. (Bug 7912)
  • WLAN decryption status not updated after updating WEP/WPA keys. (Bug 7921)
  • IPv6 Option Pad1 Incorrect dissection. (Bug 7938)
  • Print GNUTLS error message if PEM import fails. (Bug 7948)
  • GSM classmark3 8-PSK decode error. (Bug 7964)
  • Parsing the Server Name Indication extension in SSL/TLS traffic reads some fields incorrectly. (Bug 7967)
  • Lua code crashes wireshark after update to 1.8.3. (Bug 7976)
  • 2 bugs in Ran-Information-Error Rim Container. (Bug 8000)
  • Misspelling (typo) in IPv6 display filter field name. (Bug 8006)
  • Two BSSGP dissector bugs. (Bug 8008)
  • Core dump during SCTP association analysis. (Bug 8011)
  • Updated Protocol Support:
  • 3GPP2 A11, BSSGP, EIGRP, FMP/NOTIFY, GSM A, ICMP, ICMPv6, IEEE 802.11, IPsec, IPv6, ISAKMP, iSCSI, LTE RRC, NAS EPS, NDPS, Prism, RADIUS, RRC, RTCP, SCTP, sFlow, SIP, SMB2, SSL/TLS, TPNCP, USB
  • New and Updated Capture File Support:
  • CommView NCF, iSeries, pcap-ng.

New in WireShark 1.8.3 (Oct 3, 2012)

  • BUG FIXES:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2012-26: The HSRP dissector could go into an infinite loop. (Bug 7581)
  • wnpa-sec-2012-27: The PPP dissector could abort. (Bug 7316, bug 7668)
  • wnpa-sec-2012-28: Martin Wilck discovered an infinite loop in the DRDA dissector. (Bug 7666)
  • wnpa-sec-2012-29: Laurent Butti discovered a buffer overflow in the LDP dissector. (Bug 7567)
  • The following bugs have been fixed:
  • The HTTP dissector does not reassemble headers when the first TCP segment does not contain a full header line.
  • HDCP2 uses the wrong protocol id.
  • Several I/O graph problems have been fixed.
  • No markers show up when maps are displayed. (Bug 5016)
  • Assertion when using tshark/wireshark on large captures. (Bug 5699)
  • Volume label field of "SMB/TRANS2-QUERY_FS_INFO/InfoVolume level" reply packet is not displayed correctly due alignment issue. (Bug 5778)
  • 64-bit Wireshark appears to hit 2-Gbyte memory limit on 64-bit Windows. (Bug 5979)
  • Truncated/partial JPEG files are not dissected. (Bug 6230)
  • Support for MPLS Packet Loss and Delay Measurement, RFC 6374. (Bug 6881)
  • Memory leak in voip_calls.c. (Bug 7320)
  • When listing protocols available for "Decode As", plugins are sorted after built-ins. (Bug 7348)
  • Hidden columns should not be printed when printing packet summary line. (Bug 7356)
  • Size wrong in "File Set List" for just-finished captures. (Bug 7370)
  • Error: no dependency information found for debian/wireshark-common/usr/lib/wireshark/libwsutil.so.2 (used by debian/wireshark/usr/bin/wireshark). (Bug 7408)
  • Parse and properly display LTE RADIUS AVP 3GPP-User-Location-Info. (Bug 7474)
  • [PATCH] HomeplugAV dissector: decode device id. (Bug 7548)
  • BACnet GetEnrollmentSummary-ACK does not decode correctly. (Bug 7556)
  • epan/dissectors/packet-per.c dissect_per_constrained_integer_64b fails for 64 bits. (Bug 7624)
  • New SCTP PPID 48. (Bug 7635)
  • dissector of Qos attribute "Reliability Class" in GMM/SM message. (Bug 7670)
  • Performance regression in tshark -z io,stat. (Bug 7674)
  • Incorrect io-stat table format when unsupported "-t" operand is specified and when using AVG of relative_time fields. (Bug 7685)
  • IEEE 802.11 TKIP dissection : wrong IS_TKIP macro. (Bug 7691)
  • Homeplug AV dissectors does not properly dissect short frames. (Bug 7707)
  • mm_context_nas_dl_cnt and mm_context_nas_ul_cnt are not dissected properly in ContextResponse message in Gtpv2. (Bug 7718)
  • This trace causes Wireshark to crash when VoIP Calls selected. (Bug 7724)
  • Some diameter Gx enumerations are missing values or value is incorrect. (Bug 7727)
  • Wireshark 1.8.2 is only displaying 2 filters from the drop-down menu even when preferences are set to higher integer. (Bug 7731)
  • BGP bad decoding for Graceful Restart Capability with only helper support & for Enhanced Route Refresh Capability. (Bug 7734)
  • Dissection error of D-RELEASE and D-CONNECT in TETRA dissector. (Bug 7736)
  • DND can cause Wireshark to crash. (Bug 7744)
  • SCSI: WRITE BUFFER fields always display as zero. (Bug 7753)
  • UPDATED PROTOCOL SUPPORT:
  • ASN.1 PER, BACnet, BGP, DIAMETER, DRDA, DVB CI, DVB, GSM Management, GTP, GTPv2, HDCP2, HomePlug AV, ICMP, ICMPv6, IEEE 802.11, IEEE 802a, Interlink, JPEG, LDP, LPP, MPEG, MPLS, PCAP, PPP, RANAP, RRC, RRLP, SCCP, SCSI, SCTP, SDP, SMB, TETRA

New in WireShark 1.8.3 (Oct 3, 2012)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • The HSRP dissector could go into an infinite loop. (Bug 7581)
  • The PPP dissector could abort. (Bug 7316, bug 7668)
  • Martin Wilck discovered an infinite loop in the DRDA dissector. (Bug 7666)
  • Laurent Butti discovered a buffer overflow in the LDP dissector. (Bug 7567)
  • The following bugs have been fixed:
  • The HTTP dissector does not reassemble headers when the first TCP segment does not contain a full header line.
  • HDCP2 uses the wrong protocol id.
  • Several I/O graph problems have been fixed.
  • No markers show up when maps are displayed. (Bug 5016)
  • Assertion when using tshark/wireshark on large captures. (Bug 5699)
  • Volume label field of "SMB/TRANS2-QUERY_FS_INFO/InfoVolume level" reply packet is not displayed correctly due alignment issue. (Bug 5778)
  • 64-bit Wireshark appears to hit 2-Gbyte memory limit on 64-bit Windows. (Bug 5979)
  • Truncated/partial JPEG files are not dissected. (Bug 6230)
  • Support for MPLS Packet Loss and Delay Measurement, RFC 6374. (Bug 6881)
  • Memory leak in voip_calls.c. (Bug 7320)
  • When listing protocols available for "Decode As", plugins are sorted after built-ins. (Bug 7348)
  • Hidden columns should not be printed when printing packet summary line. (Bug 7356)
  • Size wrong in "File Set List" for just-finished captures. (Bug 7370)
  • Error: no dependency information found for debian/wireshark-common/usr/lib/wireshark/libwsutil.so.2 (used by debian/wireshark/usr/bin/wireshark). (Bug 7408)
  • Parse and properly display LTE RADIUS AVP 3GPP-User-Location-Info. (Bug 7474)
  • [PATCH] HomeplugAV dissector: decode device id. (Bug 7548)
  • BACnet GetEnrollmentSummary-ACK does not decode correctly. (Bug 7556)
  • epan/dissectors/packet-per.c dissect_per_constrained_integer_64b fails for 64 bits. (Bug 7624)
  • New SCTP PPID 48. (Bug 7635)
  • dissector of Qos attribute "Reliability Class" in GMM/SM message. (Bug 7670)
  • Performance regression in tshark -z io,stat. (Bug 7674)
  • Incorrect io-stat table format when unsupported "-t" operand is specified and when using AVG of relative_time fields. (Bug 7685)
  • IEEE 802.11 TKIP dissection : wrong IS_TKIP macro. (Bug 7691)
  • Homeplug AV dissectors does not properly dissect short frames. (Bug 7707)
  • mm_context_nas_dl_cnt and mm_context_nas_ul_cnt are not dissected properly in ContextResponse message in Gtpv2. (Bug 7718)
  • This trace causes Wireshark to crash when VoIP Calls selected. (Bug 7724)
  • Some diameter Gx enumerations are missing values or value is incorrect. (Bug 7727)
  • Wireshark 1.8.2 is only displaying 2 filters from the drop-down menu even when preferences are set to higher integer. (Bug 7731)
  • BGP bad decoding for Graceful Restart Capability with only helper support & for Enhanced Route Refresh Capability. (Bug 7734)
  • Dissection error of D-RELEASE and D-CONNECT in TETRA dissector. (Bug 7736)
  • DND can cause Wireshark to crash. (Bug 7744)
  • SCSI: WRITE BUFFER fields always display as zero. (Bug 7753)
  • Updated Protocol Support:
  • ASN.1 PER, BACnet, BGP, DIAMETER, DRDA, DVB CI, DVB, GSM Management, GTP, GTPv2, HDCP2, HomePlug AV, ICMP, ICMPv6, IEEE 802.11, IEEE 802a, Interlink, JPEG, LDP, LPP, MPEG, MPLS, PCAP, PPP, RANAP, RRC, RRLP, SCCP, SCSI, SCTP, SDP, SMB, TETRA

New in WireShark 1.8.2 (Aug 16, 2012)

  • Bug Fixes:
  • The following vulnerabilities have been fixed.
  • The DCP ETSI dissector could trigger a zero division. Reported by Laurent Butti. (Bug 7566)
  • The MongoDB dissector could go into a large loop. Reported by Ben Schmidt. (Bug 7572)
  • The XTP dissector could go into an infinite loop. Reported by Ben Schmidt. (Bug 7571)
  • The ERF dissector could overflow a buffer. Reported by Laurent Butti. (Bug 7563)
  • The AFP dissector could go into a large loop. Reported by Stefan Cornelius. (Bug 7603)
  • The RTPS2 dissector could overflow a buffer. Reported by Laurent Butti. (Bug 7568)
  • The GSM RLC MAC dissector could overflow a buffer. Reported by Laurent Butti. (Bug 7561)
  • The CIP dissector could exhaust system memory. Reported by Ben Schmidt. (Bug 7570)
  • The STUN dissector could crash. Reported by Laurent Butti. (Bug 7569)
  • The EtherCAT Mailbox dissector could abort. Reported by Laurent Butti. (Bug 7562)
  • The CTDB dissector could go into a large loop. Reported by Ben Schmidt. (Bug 7573)
  • The pcap-ng file parser could trigger a zero division. (Bug 7533)
  • The Ixia IxVeriWave file parser could overflow a buffer. (Bug 7533)
  • The following bugs have been fixed:
  • Move Y.1711 out of MPLS dissector. (Bug 6787)
  • Patch: Add frame.interface_id support for ERF file format. (Bug 7266)
  • Freeze when Resizing or Moving while capturing. (Bug 7305)
  • Wireshark crashes when using multiple files. (Bug 7423)
  • Wireshark crashes on opening very short NFS pcap file. (Bug 7498)
  • Analyze->Apply as Filter and Analyze->Prepare a Filter cause crashes. (Bug 7506)
  • crashes in interface list, pipe handling. (Bug 7511)
  • ISDN LAPD X.31 packet traffic can not be decoded. (Bug 7514)
  • GIOP request_id used for sub dissectors is not assigned when decoding GIOP 1.2 Request message. (Bug 7516)
  • pcap-ng -ISB always writes 0 for isb_ifrecv option. (Bug 7523)
  • GSM classmark3 decode wrong. (Bug 7524)
  • mem corruption\heap corruption\div0 bugs. (Bug 7533)
  • DNS AD flag not shown properly. (Bug 7555)
  • Wireshark and TShark crash at start with invalid color filter on SPARC. (Bug 7634)
  • Updated Protocol Support:
  • AFP, Apache JServ Protocol v1.3, Bluetooth L2CAP, CIP, CTDB, DCP ETSI, ERF, EtherCAT Mailbox, FC Link Control, GIOP, GSM A, GSM RLC MAC, GTP, GTPv2, ISDN, LISP, MongoDB, MPLS ITU-T Y.1711 OAM, MPLS PM, NFS, RTPS2, SCTP, STUN, XTP
  • New and Updated Capture File Support:
  • Ixia IxVeriWave, pcap-ng

New in WireShark 1.8.1 (Jul 24, 2012)

  • Bug Fixes:
  • The following vulnerabilities have been fixed.
  • wnpa-sec-2012-11: The PPP dissector could crash. (Debian bug 680056) --> Versions affected: 1.4.0 to 1.4.13, 1.6.0 to 1.6.8, 1.8.0.
  • wnpa-sec-2012-12: The NFS dissector could use excessive amounts of CPU. (Bug 7436) --> Versions affected: 1.4.0 to 1.4.13, 1.6.0 to 1.6.8, 1.8.0.
  • The following bugs have been fixed:
  • Wireshark crashes on bootp filter. (Bug 7391)
  • Wireshark > 1.4 does not correctly read Association ID for PS Poll packets. (Bug 7429)
  • Radius-EAP broken since 1.8.0 release. (Bug 7430)
  • SNMP incorrectly marks SNMPv3 "discovery" packet as malformed. (Bug 7438)
  • Widgets are not properly expanded in GTK3. (Bug 7377)
  • Find Next Mark duplicated on Edit Menu. (Bug 7445)
  • DVB-CI/CI+: fix offset error in operator_info apdu. (Bug 7468)
  • Unable to correctly identify IEC 61850 MMS packets. (Bug 7488)
  • WinPcap doesn't install if vcredist_x64 requires reboot. (Bug 7507)
  • Updated Protocol Support:
  • BACapp, BOOTP, DCERPC SPOOLSS, DVB-CI, H.248, IEEE 802.11, Jmirror, NAS EPS, NFS, PPP, RELOAD Framing, SES, SNMP, XMPP
  • New and Updated Capture File Support:
  • Microsoft Network Monitor

New in WireShark 1.8.0 (Jun 22, 2012)

  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 1.6:
  • Wireshark supports capturing from multiple interfaces at once.
  • You can now add, edit, and save packet and capture file annotations.
  • Wireshark, TShark, and their associated utilities now save files using the pcap-ng file format by default. (Your copy of Wireshark might still use the pcap file format if pcap-ng is disabled in your preferences.)
  • Decryption key management for IEEE 802.11, IPsec, and ISAKMP is easier.
  • OID resolution is now supported on 64-bit Windows.
  • The "Save As" menu item has been split into "Save As", which lets you save a file using a different filename and "Export Specified Packets", which lets you have more control over which packets are saved.
  • TCP fast retransmissions are now indicated as an expert info note, rather than a warning, just as TCP retransmissions are.
  • TCP window updates are no longer colorized as "Bad TCP".
  • TShark's command-line options have changed. The previously undocumented -P option is now -2 option for performing a two-pass analysis; the former -S option is now the -P option for printing packets even if writing to a file, and the -S option is now used to specify a different line separator between packets.
  • GeoIP IPv6 databases are now supported.

New in WireShark 1.8.0 RC 2 (Jun 19, 2012)

  • New and Updated Features:
  • Wireshark supports capturing from multiple interfaces at once.
  • You can now add, edit, and save packet annotations.
  • Wireshark, TShark, and their associated utilities now save files using the pcap-ng file format by default. (Your copy of Wireshark might still use the pcap file format if pcap-ng is disabled in your preferences.)
  • Decryption key management for IEEE 802.11, IPsec, and ISAKMP is easier.
  • OID resolution is now supported on 64-bit Windows.
  • When saving packets, the default choice is now to save only the displayed packets rather than all packets.
  • TCP fast retransmissions are now indicated as an expert info note, rather than a warning, just as TCP retransmissions are.
  • TCP window updates are no longer colorized as "Bad TCP".
  • TShark's command-line options have changed. The previously undocumented -P option is now -2 option for performing a two-pass analysis; the former -S option is now the -P option for printing packets even if writing to a file, and the -S option is now used to specify a different line separator between packets.
  • GeoIP IPv6 databases are now supported.

New in WireShark 1.8.0 RC 1 (Jun 7, 2012)

  • Bug Fixes:
  • When saving the displayed packets, packets which are dependencies (e.g., due to reassembly) of the displayed packets are included in the list of saved packets (Bug 3315).
  • Rearranging columns in preferences doesn't work on 64-bit Windows. (Bug 6077)
  • New and Updated Features:
  • Wireshark supports capturing from multiple interfaces at once.
  • You can now add, edit, and save packet and capture file annotations.
  • Wireshark, TShark, and their associated utilities now save files using the pcap-ng file format by default. (Your copy of Wireshark might still use the pcap file format if pcap-ng is disabled in your preferences.)
  • Decryption key management for IEEE 802.11, IPsec, and ISAKMP is easier.
  • OID resolution is now supported on 64-bit Windows.
  • When saving packets, the default choice is now to save only the displayed packets rather than all packets.
  • TCP fast retransmissions are now indicated as an expert info note, rather than a warning, just as TCP retransmissions are.
  • TCP window updates are no longer colorized as "Bad TCP".
  • TShark's command-line options have changed. The previously undocumented -P option is now -2 option for performing a two-pass analysis; the former -S option is now the -P option for printing packets even if writing to a file, and the -S option is now used to specify a different line separator between packets.
  • GeoIP IPv6 databases are now supported.
  • New Protocol Support:
  • Aastra Signalling Protocol (AASP), ActiveMQ OpenWire, Bandwidth Reservation Protocol (BRP), Bazaar, Binary Floor Control Protocol, BitTorrent DHT, C12.22, CANopen, CIP Motion, CIP Safety, Cisco FabricPath MiM, DMX Channel Data, DMX SIP, DMX Test, DMX Text, DMX, DVB Application Information Table, DVB Bouquet Association Table, DVB Event Information Table, DVB MultiProtocol Encapsulation (DVB-MPE), DVB Network Information Table, DVB Service Description Table, DVB Time and Date Table, DVB Time Offset Table, DVB/ETSI IP Data Cast (IPDC) Electronic Service Guide (ESG), ECP VDP, EIA-709.1 (LonTalk), EIA-852 (CN/IP), ELCOM, Ericsson A-bis OML (OM 2000), Ericsson HDLC, Ericsson Proprietary PCAP, ETSI CAT, ETV-AM Data, ETV-AM EISS Section, Flight Message Transfer Protocol (FMTP), Gadu-Gadu, GEO-Mobile Radio (1) BCCH, GEO-Mobile Radio (1) Common, GEO-Mobile Radio (1) DTAP, GEO-Mobile Radio (1) Radio Resource, Gluster Callback, Gluster CLI, Gluster Dump, Gluster Portmap, GlusterD, GlusterFS Callback, GlusterFS Handshake, GlusterFS, GSM A-bis OML, GSM CBCH, GSM Cell Broadcast Service, GSM SIM, H.248.2, Hadoop Distributed File System (HDFS), HART/IP, Hazelcast, HDFS Data, High bandwidth Digital Content Protection (HDCP), High-availability Seamless Redundancy (HSR), HomePlug AV, HSR/PRP, IEEE 1722.1, ISO 7816, ixveriwave, Kismet drone/server protocol, KristalliNet, LCS-AP, Link Access Procedure, Satellite channel (LAPSat), LLRP, LTE Positioning Protocol A (LPPa), LTE Positioning Protocol, M3 Application Protocol (M3AP), MAC Address Acquisition Protocol, MBMS synchronisation protocol, Microsoft Credential Security Support Provider (CredSSP), MoldUDP, MoldUDP64, MPEG Conditional Access, MPEG descriptors, MPEG DSM-CC, MPEG Program Association Table (PAT), MPEG Program Map Table, MPEG Section, MPLS Packet Loss and Delay Measurement, MPLS-TP Protection State Coordination, Multiple VLAN Registration Protocol (MRVP), Netfilter LOG, NOE, NXP MiFare, NXP PN532, Open IPTV Forum openSAFETY, Performance Co-Pilot (PCP), PPI Sensor, RDP, RTP-MIDI, SBc Application Part (SBc-AP), SDH/SONET, Solaris IP over InfiniBand, Sony FeliCa, T.124, UA (Universal Alcatel), UA3G, UASIP, UAUDP, USB Integrated Circuit Card Interface Device Class (CCID), V5 Data Link Layer (V5DL), V5 Envelope Function (V5EF), Virtual eXtensible Local Area Network (VXLAN), VSS-Monitoring, Vuze DHT, WaveAgent, WebSocket, WSE Remote Ethernet, XMCP, YAMI
  • Updated Protocol Support:
  • Too many protocols have been updated to list here.
  • New and Updated Capture File Support:
  • Aethra Telecommunications' PC108, Catapult DCT2000, Citrix NetScaler, Cisco Secure IDS IPLog, Endace ERF, Gammu DCT3, Generic MIME, IBM iSeries, InfoVista 5View, Ixia IxVeriWave, LANalyzer, Microsoft NetMon, MPEG2-TS, Network Instruments Observer, Nokia DCT3, pcap, pcap-ng, Solaris snoop, TamoSoft CommView, Tektronix K12xx, XML

New in WireShark 1.6.7 (Apr 7, 2012)

  • Wireshark could crash while reading SSL decryption keys on 64-bit Windows.
  • Malformed Packets H263-1996 (RFC2190). (Bug 6996)
  • Wireshark could crash while trying to open an rpcap: URL. (Bug 6922)

New in WireShark 1.6.6 (Mar 28, 2012)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:wnpa-sec-2012-04: The ANSI A dissector could dereference a NULL pointer and crash. (Bug 6823)wnpa-sec-2012-05: The IEEE 802.11 dissector could go into an infinite loop. (Bug 6809)wnpa-sec-2012-06: The pcap and pcap-ng file parsers could crash trying to read ERF data. (Bug 6804)wnpa-sec-2012-07: The MP2T dissector could try to allocate too much memory and crash. (Bug 6833)The Windows installers now include GnuTLS 1.12.18, which fixes several vulnerabilities.
  • The following bugs have been fixed:ISO SSAP: ActivityStart: Invalid decoding the activity parameter as a BER Integer. (Bug 2873)Forward slashes in URI need to be converted to backslashes if WIN32. (Bug 5237)Character echo pauses in Capture Filter field in Capture Options. (Bug 5356)
  • Some PGM options are not parsed correctly. (Bug 5687)
  • dumpcap crashes when capturing from pipe to a pcap-ng file (e.g., when passing data from CACE Pilot to Wireshark). (Bug 5939)
  • Unable to rearrange columns in preferences on Windows. (Bug 6077) (Note: this bug still affects the 64-bit package)
  • No error for UDP/IPv6 packet with zero checksum. (Bug 6232)
  • Wireshark installer doesn't add access_bpf in 10.5.8. (Bug 6526)
  • Corrupted Diameter dictionary file that crashes Wireshark. (Bug 6664)
  • packetBB dissector bug: More than 1000000 items in the tree -- possible infinite loop. (Bug 6687)
  • ZEP dissector: Timestamp not always displayed correctly. Fractional seconds never displayed. (Bug 6703)
  • GOOSE Messages don't use the length field to perform the dissection. (Bug 6734)
  • Ethernet traces in K12 text format sometimes give bogus "malformed frame" errors and other problems. (Bug 6735)
  • max_ul_ext isn't printed/decoded to the packet details log in GTP protocol packet. (Bug 6761)
  • non-IPP packets to or from port 631 are dissected as IPP. (Bug 6765)
  • lua proto registration fails for uppercase proto / g_ascii_strdown problem. (Bug 6766)
  • no menu item Fle->Export->SSL Session Keys in GTK. (Bug 6813)
  • IAX2 dissector reads past end of packet for unknown IEs. (Bug 6815)
  • TShark 1.6.5 immediately crashes on SSL decryption (every time). (Bug 6817)
  • USB: unknown GET DESCRIPTOR response triggers assert failure. (Bug 6826)
  • IEEE1588 PTPv2 over IPv6. (Bug 6836)
  • Patch to fix DTLS decryption. (Bug 6847)
  • Expression... dialog crash. (Bug 6891)
  • display filter "gtp.msisdn" not working. (Bug 6947)
  • Multiprotocol Label Switching Echo - Return Code: Reserved (5). (Bug 6951)
  • ISAKMP : VendorID CheckPoint : Malformed Packet. (Bug 6972)
  • Adding a Custom HTTP Header Field with a trailing colon causes wireshark to immediately crash (and crash upon restart). (Bug 6982)
  • Radiotap dissector lists a bogus "DBM TX Attenuation" bit. (Bug 7000)
  • MySQL dissector assertion. (Ask 8649)
  • Radiotap header format data rate alignment issues. (Ask 8649)
  • Updated Protocol Support:
  • ANSI A, BSSGP, DIAMETER, DTLS, GOOSE, GSM Management, GTP, HTTP, IAX2, IEEE 802.11, IPP, ISAKMP, ISO SSAP, MP2T, MPLS, MySQL, NTP, PacketBB, PGM, Radiotap, SSL, TCP, UDP, USB, WSP
  • New and Updated Capture File Support:
  • Endace ERF, Pcap-NG, Tektronix K12

New in WireShark 1.6.5 (Jan 11, 2012)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2012-01: Laurent Butti discovered that Wireshark failed to properly check record sizes for many packet capture file formats. (Bug 6663, bug 6666, bug 6667, bug 6668, bug 6669, bug 6670). Versions affected: 1.4.0 to 1.4.10, 1.6.0 to 1.6.4.
  • wnpa-sec-2012-02: Wireshark could dereference a NULL pointer and crash. (Bug 6634) Versions affected: 1.4.0 to 1.4.10, 1.6.0 to 1.6.4.
  • wnpa-sec-2012-03: The RLC dissector could overflow a buffer. (Bug 6391) Versions affected: 1.4.0 to 1.4.10, 1.6.0 to 1.6.4.
  • The following bugs have been fixed:
  • "Closing File!" Dialog Hangs. (Bug 3046)
  • Sub-fields of data field should appear in exported PDML as children of the data field instead of as siblings to it. (Bug 3809)
  • Incorrect time differences displayed with time reference set. (Bug 5580)
  • Wrong packet type association of SNMP trap after TFTP transfer. (Bug 5727)
  • SSL/TLS decryption needs wireshark to be rebooted. (Bug 6032)
  • Export HTTP Objects -> save all crashes Wireshark. (Bug 6250)
  • Wireshark Netflow dissector complains there is no template found though the template is exported. (Bug 6325)
  • DCERPC EPM tower UUID must be interpreted always as little endian. (Bug 6368)
  • Crash if no recent files. (Bug 6549)
  • IPv6 frame containing routing header with 0 segments left calculates wrong UDP checksum. (Bug 6560)
  • IPv4 UDP/TCP Checksum incorrect if routing header present. (Bug 6561)
  • Incorrect Parsing of SCPS Capabilities Option introduced in response to bug 6194. (Bug 6562)
  • Various crashes after loading NetMon2.x capture file. (Bug 6578)
  • Fixed compilation of dumpcap on some systems (when MUST_DO_SELECT is defined). (Bug 6614)
  • SIGSEGV in SVN 40046. (Bug 6634)
  • Wireshark dissects TCP option 25 as an "April 1" option. (Bug 6643)
  • ZigBee ZCL Dissector reports invalid status. (Bug 6649)
  • ICMPv6 DNSSL option malformed on padding. (Bug 6660)
  • Wrong tvb_get_bits function call in packet-csn1.c. (Bug 6708)
  • [UDP] - Length Field of Pseudo Header while computing CheckSum is not correct. (Bug 6711)
  • pcapio.c: bug in libpcap_write_interface_description_block. (Bug 6719)
  • Memory leaks in various dissectors.
  • Bytes highlighted in wrong Byte pane when field selected in Details pane.
  • Updated Protocol Support:
  • BGP, BMC CSN1, DCERPC EPM, DCP(ETSI) DMP DTLS GSM Management, H245 HPTEAM, ICMPv6, IEEE 802.15.4 IPSEC IPv4, IPv6, ISAKMP KERBEROS LDSS NFS RLC, RPC-NETLOGON RRC RTMPT SIGCOMP SSL SYSLOG TCP, UDP, XML ZigBee ZCL
  • New and Updated Capture File Support:
  • Accellent 5Views, AIX iptrace, HP-UX nettl, I4B, Microsoft Network Monitor, Novell LANalyzer, PacketLogger, Pcap-ng, Sniffer, Tektronix K12, WildPackets {Airo,Ether}Peek.

New in WireShark 1.6.4 (Nov 19, 2011)

  • Bug Fixes:
  • Patch to fix memory leaks/errors in Lua plugin. (Bug 5575)
  • Wireshark crashes if a field of type BASE_CUSTOM is applied as a column. (Bug 6503)
  • Filter Expression dialog can only be opened once. (Bug 6537)
  • Wireshark crashes if compiled without GLib thread support. (Bug 6540)
  • 80211 QoS Control: Add Raw TID. (Bug 6548)
  • SNMP length check error. (Bug 6564)
  • UCP dissector bug of operation 61. (Bug 6570)

New in WireShark 1.7.0 Dev (Nov 9, 2011)

  • New and Updated Features:
  • Wireshark supports capturing from multiple interfaces at once.
  • Wireshark, TShark, and their associated utilities now save files using the pcap-ng file format by default. (Your copy of Wireshark might still use the pcap file format if pcap-ng is disabled in your preferences.)
  • Decryption key management for IEEE 802.11, IPsec, and ISAKMP is easier.
  • OID resolution is now supported on 64-bit Windows.
  • TCP fast retransmissions are now indicated as an expert info note, rather than a warning, just as TCP retransmissions are.
  • TCP window updates are no longer colorized as "Bad TCP".
  • TShark's command-line options have changed. The previously undocumented -P option is now -2 option for performing a two-pass analysis; the former -S option is now the -P option for printing packets even if writing to a file, and the -S option is now used to specify a different line separator between packets.
  • GeoIP IPv6 databases are now supported.

New in WireShark 1.6.3 (Nov 2, 2011)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • wnpa-sec-2011-17: The CSN.1 dissector could crash. (Bug 6351). Versions affected: 1.6.0 to 1.6.2.
  • wnpa-sec-2011-18: Huzaifa Sidhpurwala of Red Hat Security Response Team discovered that the Infiniband dissector could dereference a NULL pointer. (Bug 6476) Versions affected: 1.4.0 to 1.4.9, 1.6.0 to 1.6.2.
  • wnpa-sec-2011-19: Huzaifa Sidhpurwala of Red Hat Security Response Team discovered a buffer overflow in the ERF file reader. (Bug 6479) Versions affected: 1.4.0 to 1.4.9, 1.6.0 to 1.6.2.
  • The following bugs have been fixed:
  • Assertion failed when doing File->Quit->Save during live capture. (Bug 1710)
  • Wrong PCEP XRO sub-object decoding. (Bug 3778)
  • Wireshark window takes very long time to show up if invalid network file path is at recent file list (Bug 3810)
  • Decoding [Status Records] Timestamp Sequence Field in Bundle Protocol fails if over 32 bits. (Bug 4109)
  • ISUP party number dissection. (Bug 5221)
  • wireshark-1.4.2 crashes when testing the example python dissector because of a dissector count assertion. (Bug 5431)
  • Ethernet packets with both VLAN tag and LLC header no longer displayed correctly. (Bug 5645)
  • SLL encapsuled 802.1Q VLAN is not dissected. (Bug 5680)
  • Wireshark crashes when attempting to open a file via drag & drop when there's already a file open. (Bug 5987)
  • Adding and removing custom HTTP headers requires a restart. (Bug 6241)
  • Can't read full 64-bit SNMP values. (Bug 6295)
  • Dissection fails for frames with Gigamon Header and VLAN. (Bug 6305)
  • RTP Stream Analysis does not work for TURN-encapsulated RTP. (Bug 6322)
  • packet-csn1.c doesn't process CSN_CHOICE entries properly. (Bug 6328)
  • BACnet property time-synchronization-interval (204) name shown incorrectly as time-synchronization-recipients. (Bug 6336)
  • GUI crash on invalid IEEE 802.11 GAS frame. (Bug 6345)
  • [ASN.1 PER] Incorrect decoding of BIT STRING type. (Bug 6347)
  • ICMPv6 router advertisement Prefix Information Flag R "Router Address" missing. (Bug 6350)
  • Export -> Object -> HTTP -> save all: Error on saving files. (Bug 6362)
  • Inner tag of 802.1ad frames not parsed properly. (Bug 6366)
  • Added cursor type decoding to MySQL dissector. (Bug 6396)
  • Incorrect identification of UDP-encapsulated NAT-keepalive packets. (Bug 6414)
  • WPA IE pairwise cipher suite dissector uses incorrect value_string list. (Bug 6420)
  • S1AP protocol can't decode IPv6 transportLayerAddress. (Bug 6435)
  • RTPS2 dissector doesn't handle 0 in the octestToNextHeader field. (Bug 6449)
  • packet-ajp13 fix, cleanup, and enhancement. (Bug 6452)
  • Network Instruments Observer file format bugs. (Bug 6453)
  • Wireshark crashes when using "Open Recent" 2 times in a row. (Bug 6457)
  • Wireshark packet_gsm-sms, display bug: Filler bits in TP-User Data Header. (Bug 6469)
  • wireshark unable to decode NetFlow options which have system scope size != 4 bytes. (Bug 6471)
  • Display filter Expression Dialog Box Error. (Bug 6472)
  • text_import_scanner.l missing. (Bug 6531)
  • Updated Protocol Support:
  • AJP13, ASN.1 PER, BACnet, CSN.1, DTN, Ethernet, ICMPv6, IEEE 802.11, IEEE 802.1q, Infiniband, IPsec, MySQL, PCEP, PN-RT, RTP, S1AP, SSL
  • New and Updated Capture File Support:
  • Endace ERF.

New in WireShark 1.6.2 (Sep 9, 2011)

  • The following vulnerabilities have been fixed:
  • wnpa-sec-2011-12: A large loop in the OpenSafety dissector could cause a crash. (Bug 6138)
  • wnpa-sec-2011-13: A malformed IKE packet could consume excessive resources.
  • wnpa-sec-2011-14: A malformed capture file could result in an invalid root tvbuff and cause a crash. (Bug 6135)
  • wnpa-sec-2011-15: Wireshark could run arbitrary Lua scripts. (Bug 6136)
  • wnpa-sec-2011-16: The CSN.1 dissector could crash. (Bug 6139)
  • The following bugs have been fixed:
  • configure ignores (partially) LDFLAGS. (Bug 5607)
  • Build fails when it tries to #include , not present in Solaris 9. (Bug 5608)
  • Unable to configure zero length SNMP Engine ID. (Bug 5731)
  • BACnet who-is request device range values are not decoded correctly in the packet details window. (Bug 5769)
  • H.323 RAS packets missing from packet counts in "Telephony->VoIP Calls" and the "Flow Graph" for the call. (Bug 5848)
  • Wireshark crashes if sercosiii module isn't installed. (Bug 6006)
  • Editcap could create invalid pcap files when converting from JPEG. (Bug 6010)
  • Timestamp is incorrectly decoded for ICMP Timestamp Response packets from MS Windows. (Bug 6114)
  • Malformed Packet in decode for BGP-AD update. (Bug 6122)
  • Wrong display of CSN_BIT in CSN.1. (Bug 6151)
  • Fix CSN_RECURSIVE_TARRAY last bit error in packet-csn1.c. (Bug 6166)
  • Wireshark cannot display Reachable time & Retrans timer in IPv6 RA messages. (Bug 6168)
  • ReadPropertyMultiple-ACK not correctly dissected. (Bug 6178)
  • GTPv2 dissectors should treat gtpv2_ccrsi as optional. (Bug 6183)
  • BGP : AS_PATH attribute was decode wrong. (Bug 6188)
  • Fixes for SCPS TCP option. (Bug 6194)
  • Offset calculated incorrectly for sFlow extended data. (Bug 6219)
  • [Enter] key behavior varies when manually typing display filters. (Bug 6228)
  • Contents of pcapng EnhancedPacketBlocks with comments aren't displayed. (Bug 6229)
  • Misdecoding 3G Neighbour Cell Information Element in SI2quater message due to a coding typo. (Bug 6237)
  • Mis-spelled word "unknown" in assorted files. (Bug 6244)
  • tshark run with -Tpdml makes a seg fault. (Bug 6245)
  • btl2cap extended window shows wrong bit. (Bug 6257)
  • NDMP dissector incorrectly represents "ndmp.bytes_left_to_read" as signed. (Bug 6262)
  • TShark/dumpcap skips capture duration flag occasionally. (Bug 6280)
  • File types with no snaplen written out with a zero snaplen in pcap-ng files. (Bug 6289)
  • Wireshark improperly parsing 802.11 Beacon Country Information tag. (Bug 6264)
  • ERF records with extension headers not written out correctly to pcap or pcap-ng files. (Bug 6265)
  • RTPS2: MAX_BITMAP_SIZE is defined incorrectly. (Bug 6276)
  • Copying from RTP stream analysis copies 1st line many times. (Bug 6279)
  • Wrong display of CSN_BIT under CSN_UNION. (Bug 6287)
  • MEGACO context tracking fix - context id reuse. (Bug 6311)
  • Updated Protocol Support: BACapp, Bluetooth L2CAP, CSN.1, DCERPC, GSM A RR, GTPv2, ICMP, ICMPv6, IKE, MEGACO, MSISDN, NDMP, OpenSafety, RTPS2, sFlow, SNMP, TCP
  • New and Updated Capture File Support: CommView, pcap-ng, JPEG.

New in WireShark 1.6.1 (Jul 19, 2011)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • The Lucent/Ascend file parser was susceptible to an infinite loop.
  • Versions affected: 1.2.0 to 1.2.17, 1.4.0 to 1.4.7, and 1.6.0.
  • CVE-2011-2597
  • The ANSI MAP dissector was susceptible to an infinite loop. (Bug 6044)
  • Versions affected: 1.4.0 to 1.4.7, and 1.6.0.
  • The following bugs have been fixed:
  • TCP dissector doesn't decode TCP segments of length 1. (Bug 4716)
  • wireshark 1.4.0rc1 and python - spurious message. (Bug 4878)
  • Missing LUA function. (Bug 5006)
  • Lua API description about creating a new Tvb from a bytearray is not correct in wireshark's user guide. (Bug 5199)
  • Character echo pauses in Capture Filter field in Capture Options. (Bug 5356)
  • White space in protocol field abbreviation causes runtime failure while registering Lua dissector. (Bug 5569)
  • "File not found" box uses wrong filename encoding. (Bug 5715)
  • capinfos: #ifdef HAVE_LIBGCRYPT block includes a line too many . (Bug 5803)
  • Wireshark crashes if Lua contains "Pref.range()" with missing arguments. (Bug 5895)
  • The "range" field in Lua's "Pref.range()" serves as default while the "default" field does nothing . (Bug 5896)
  • Wireshark crashes when calling TreeItem:set_len() on TreeItem without tvb. (Bug 5941)
  • TvbRange_string(lua_State* L) call a wrong function. (Bug 5960)
  • VoIP call flow graph displays BICC APM as a BICC ANM. (Bug 5966)
  • Cannot Live-capture VirtualBox network packets with Wireshark; pipe problem. (Bug 6002)
  • Interface list in Capture Options isn't cleared when selecting other host. (Bug 6008)
  • H323 rate multiplier wrong. (Bug 6009)
  • Inclusion of config.h is too late in lex-files resulting in wrong definition of _FILE_OFFSET_BITS. (Bug 6012)
  • tshark crashes when loading Lua script that contains GUI function. (Bug 6018)
  • 802.11 Disassociation Packet's "Reason Code" field is imprecisely decoded/described. (Bug 6022)
  • Wireshark crashes when setting custom column's field name with conditional. (Bug 6028)
  • Crash after applying "expert.severity" field as column. (Bug 6035)
  • GTS Descriptor count limited to 3 instead of 7. (Bug 6055)
  • The SSL dissector can not resemble correctly the frames after TCP zero window probe packet. (Bug 6059)
  • Packet parser takes too long for this trace. (Bug 6073)
  • The SSL dissector can not resemble correctly the frames after TCP zero window probe packet. (Bug 6059)
  • Wireshark crashes after repeating "File -> Import -> Cancel". (Bug 6080)
  • Decoding of MQ ASCII and EBCDIC Traffic Flow - ASCII shows fine, EBCDIC does not. (Bug 6084)
  • 802.11 Association Response Packet's "Status Code" field is imprecisely decoded/described. (Bug 6093)
  • Abis interface not correctly handled in gsmtap dissector. (Bug 6097)
  • Wrong decoding of RLC/MAC EGPRS Packet Downlink Ack/Nack (3GPP TS 44.060). (Bug 6098)
  • CSN Ack/Nack Description wrongly handled in gsm_rlcmac_dl dissector (3GPP TS 44.060). (Bug 6101)
  • wireshark 1.6.0 and python support: installer fails to create the wspy_dissectors subdirectory and . (Bug 6110)
  • Wireshark crash during RTP stream analysis. (Bug 6120)
  • Tshark custom columns: Why don't I get an error message? (Bug 6131)
  • New and Updated Capture File Support:
  • Network Monitor.

New in WireShark 1.6.0 (Jun 8, 2011)

  • Bug Fixes:
  • Wireshark is unresponsive when capturing from named pipes on Windows. (Bug 1759)
  • Crash when sorting column while capturing. (Bug 4273)
  • Ring buffers are no longer turned on by default when using multiple capture files.
  • New and Updated Features:
  • Wireshark is now distributed as an installation package rather than a drag-installer on OS X. The installer adds a startup item that should make it easier to capture packets.
  • Large file (greater than 2 GB) support has been improved.
  • Wireshark and TShark can import text dumps, similar to text2pcap.
  • You can now view Wireshark's dissector tables (for example the TCP port to dissector mappings) from the main window.
  • Wireshark can export SSL session keys via File→Export→SSL Session Keys...
  • TShark can show a specific occurrence of a field when using '-T fields'.
  • Custom columns can show a specific occurrence of a field.
  • You can hide columns in the packet list.
  • Wireshark can now export SMB objects.
  • dftest and randpkt now have manual pages.
  • TShark can now display iSCSI, ICMP and ICMPv6 service response times.
  • Dumpcap can now save files with a user-specified group id.
  • Syntax checking is done for capture filters.
  • You can display the compiled BPF code for capture filters in the Capture Options dialog.
  • You can now navigate backwards and forwards through TCP and UDP sessions using Ctrl+, and Ctrl+. .
  • Packet length is (finally) a default column.
  • TCP window size is now avaiable both scaled and unscaled. A TCP window scaling graph is available in the GUI.
  • 802.1q VLAN tags are now shown in the Ethernet II protocol tree instead of a separate tree.
  • Various dissectors now display some UTF-16 strings as proper Unicode including the DCE/RPC and SMB dissectors.
  • The RTP player now has an option to show the time of day in the graph in addition to the seconds since beginning of capture.
  • The RTP player now shows why media interruptions occur.
  • Graphs now save as PNG images by default.
  • TShark can read and write host name information from and to pcapng-formatted files. Wireshark can read it. TShark can dump host name information via [-z hosts]. TShark's -z option now uses the [-z ,srt] syntax instead of [-z ,rtt] for all protocols that support service response time statistics. This matches Wireshark's syntax for this option.
  • Wireshark and TShark can now read compressed Windows Sniffer files.
  • New Protocol Support:
  • ADwin, ADwin-Config, Apache Etch, Aruba PAPI, Babel Routing Protocol, Broadcast/Multicast Control, Constrained Application Protocol (COAP), Digium TDMoE, Erlang Distribution Protocol, Ether-S-I/O, FastCGI, Fibre Channel over InfiniBand (FCoIB), Gopher, Gigamon GMHDR, IDMP, Infiniband Socket Direct Protocol (SDP), JSON, LISP Control, LISP Data, LISP, MikroTik MAC-Telnet, MRP Multiple Mac Registration Protocol (MMRP) Mongo Wire Protocol, MUX27010, Network Monitor 802.11 radio header, OPC UA ExtensionObjects, openSAFETY, PPI-GEOLOCATION-GPS, ReLOAD, ReLOAD Framing, RObust Header Compression (ROHC), RSIP, SAMETIME, SCoP, SGSAP, Tektronix Teklink, USB/AT Commands, uTorrent Transport Protocol, WAI authentication, Wi-Fi P2P (Wi-Fi Direct)
  • Updated Protocol Support
  • New and Updated Capture File Support:
  • Apple PacketLogger, Catapult DCT2000, Daintree SNA, Endace ERF, HP OpenVMS TCPTrace, IPFIX (the file format, not the protocol), Lucent/Ascend debug, Microsoft Network Monitor, Network Instruments, TamoSoft CommView

New in WireShark 1.6.0 RC 2 (Jun 3, 2011)

  • Bug Fixes:
  • Wireshark is unresponsive when capturing from named pipes on Windows. (Bug 1759)
  • Crash when sorting column while capturing. (Bug 4273)
  • Ring buffers are no longer turned on by default when using multiple capture files.
  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 1.4:
  • Wireshark is now distributed as an installation package rather than a drag-installer on OS X. The installer adds a startup item that should make it easier to capture packets.
  • Large file (greater than 2 GB) support has been improved.
  • Wireshark and TShark can import text dumps, similar to text2pcap.
  • You can now view Wireshark's dissector tables (for example the TCP port to dissector mappings) from the main window.
  • Wireshark can export SSL session keys via File‚ÜíExport‚ÜíSSL Session Keys...
  • TShark can show a specific occurrence of a field when using '-T fields'.
  • Custom columns can show a specific occurrence of a field.
  • You can hide columns in the packet list.
  • Wireshark can now export SMB objects.
  • dftest and randpkt now have manual pages.
  • TShark can now display iSCSI, ICMP and ICMPv6 service response times.
  • Dumpcap can now save files with a user-specified group id.
  • Syntax checking is done for capture filters.
  • You can display the compiled BPF code for capture filters in the Capture Options dialog.
  • You can now navigate backwards and forwards through TCP and UDP sessions using Ctrl+, and Ctrl+. .
  • Packet length is (finally) a default column.
  • TCP window size is now avaiable both scaled and unscaled. A TCP window scaling graph is available in the GUI.
  • 802.1q VLAN tags are now shown in the Ethernet II protocol tree instead of a separate tree.
  • Various dissectors now display some UTF-16 strings as proper Unicode including the DCE/RPC and SMB dissectors.
  • The RTP player now has an option to show the time of day in the graph in addition to the seconds since beginning of capture.
  • The RTP player now shows why media interruptions occur.
  • Graphs now save as PNG images by default.
  • TShark can read and write host name information from and to pcapng-formatted files. Wireshark can read it. TShark can dump host name information via [-z hosts] .
  • TShark's -z option now uses the [-z ,srt] syntax instead of [-z ,rtt] for all protocols that support service response time statistics. This matches Wireshark's syntax for this option.
  • Wireshark and TShark can now read compressed Windows Sniffer files.
  • New Protocol Support: ADwin, ADwin-Config, Apache Etch, Aruba PAPI, Babel Routing Protocol, Broadcast/Multicast Control, Constrained Application Protocol (COAP), Digium TDMoE, Erlang Distribution Protocol, Ether-S-I/O, FastCGI, Fibre Channel over InfiniBand (FCoIB), Gopher, Gigamon GMHDR, IDMP, Infiniband Socket Direct Protocol (SDP), JSON, LISP Control, LISP Data, LISP, MikroTik MAC-Telnet, MRP Multiple Mac Registration Protocol (MMRP) Mongo Wire Protocol, MUX27010, Network Monitor 802.11 radio header, OPC UA ExtensionObjects, openSAFETY, PPI-GEOLOCATION-GPS, ReLOAD, ReLOAD Framing, RObust Header Compression (ROHC), RSIP, SAMETIME, SCoP, SGSAP, Tektronix Teklink, USB/AT Commands, uTorrent Transport Protocol, WAI authentication, Wi-Fi P2P (Wi-Fi Direct)
  • Updated Protocol Support: Apple PacketLogger, Catapult DCT2000, Daintree SNA, Endace ERF, HP OpenVMS TCPTrace, IPFIX (the file format, not the protocol), Lucent/Ascend debug, Microsoft Network Monitor, Network Instruments, TamoSoft CommView

New in WireShark 1.4.7 (Jun 1, 2011)

  • The following vulnerabilities have been fixed:
  • Large/infinite loop in the DICOM dissector. (Bug 5876)
  • Huzaifa Sidhpurwala of the Red Hat Security Response Team discovered that a corrupted Diameter dictionary file could crash Wireshark.
  • Huzaifa Sidhpurwala of the Red Hat Security Response Team discovered that a corrupted snoop file could crash Wireshark. (Bug 5912)
  • David Maciejak of Fortinet's FortiGuard Labs discovered that malformed compressed capture data could crash Wireshark. (Bug 5908)
  • Huzaifa Sidhpurwala of the Red Hat Security Response Team discovered that a corrupted Visual Networks file could crash Wireshark. (Bug 5934)
  • The following bugs have been fixed:
  • AIM dissector has some endian issues. (Bug 5464)
  • Telephony→MTP3→MSUS doesn't display window. (Bug 5605)
  • Support for MS NetMon 3.x traces containing raw IPv6 ("Type 7") packets. (Bug 5817)
  • Service Indicator in M3UA protocol data. (Bug 5834)
  • IEC60870-5-104 protocol, incorrect decoding of timestamp type CP56Time2a. (Bug 5889)
  • DNP3 dissector incorrect constants AL_OBJ_FCTR_16NF _FDCTR_32NF _FDCTR_16NF. (Bug 5920)
  • 3GPP QoS: Traffic class is not decoded properly. (Bug 5928)
  • Wireshark crashes when creating ProtoField.framenum in Lua. (Bug 5930)
  • Fix a wrong mask to extract FMID from DECT packets dissector. (Bug 5947)
  • Incorrect DHCPv6 remote identifier option parsing. (Bug 5962)
  • Updated Protocol Support:
  • DICOM, IEC104, M3UA, TCP,
  • New and Updated Capture File Support:
  • Network Monitor.

New in WireShark 1.6.0 RC 1 (May 17, 2011)

  • The following bugs have been fixed:
  • Wireshark is unresponsive when capturing from named pipes on Windows. (Bug 1759)
  • Ring buffers are no longer turned on by default when using multiple capture files.
  • New and Updated Features:
  • Wireshark can import text dumps, similar to text2pcap.
  • You can now view Wireshark's dissector tables (for example the TCP port to dissector mappings) from the main window.
  • TShark can show a specific occurrence of a field when using '-T fields'.
  • Custom columns can show a specific occurrence of a field.
  • You can hide columns in the packet list.
  • Wireshark can now export SMB objects.
  • dftest and randpkt now have manual pages.
  • TShark can now display iSCSI, ICMP and ICMPv6 service response times.
  • Dumpcap can now save files with a user-specified group id.
  • Syntax checking is done for capture filters.
  • You can display the compiled BPF code for capture filters in the Capture Options dialog.
  • You can now navigate backwards and forwards through TCP and UDP sessions using Ctrl+, and Ctrl+. .
  • Packet length is (finally) a default column.
  • TCP window size is now avaiable both scaled and unscaled. A TCP window scaling graph is available in the GUI.
  • 802.1q VLAN tags are now shown by the Ethernet II dissector.
  • Various dissectors now display some UTF-16 strings as proper Unicode including the DCE/RPC and SMB dissectors.
  • The RTP player now has an option to show the time of day in the graph in addition to the seconds since beginning of capture.
  • The RTP player now shows why media interruptions occur.
  • Graphs now save as PNG images by default.
  • TShark can read and write host name information from and to pcapng-formatted files. Wireshark can read it. TShark can dump host name information via [-z hosts]
  • The tshark -z option now uses the [-z ,srt] syntax instead of [-z ,rtt] for all protocols that support service response time statistics. This syntax now matches Wireshark's syntax for this option.
  • New Protocol Support:
  • ADwin, ADwin-Config, Apache Etch, Aruba PAPI, Babel Routing Protocol, Broadcast/Multicast Control, Constrained Application Protocol (COAP), Digium TDMoE, Erlang Distribution Protocol, Ether-S-I/O, FastCGI, Fibre Channel over InfiniBand (FCoIB), Gopher, Gigamon GMHDR, IDMP, Infiniband Socket Direct Protocol (SDP), JSON, LISP Control, LISP Data, LISP, MikroTik MAC-Telnet, MRP Multiple Mac Registration Protocol (MMRP) Mongo Wire Protocol, MUX27010, Network Monitor 802.11 radio header, OPC UA ExtensionObjects, GPPI-GEOLOCATION-GPS, ReLOAD, ReLOAD Framing, RObust Header Compression (ROHC), RSIP, SAMETIME, SCoP, SGSAP, Tektronix Teklink, USB/AT Commands, uTorrent Transport Protocol, WAI authentication, Wi-Fi P2P (Wi-Fi Direct)
  • New and Updated Capture File Support:
  • Apple PacketLogger, Catapult DCT2000, Daintree SNA, Endace ERF, HP OpenVMS TCPTrace, IPFIX (the file format, not the protocol), Lucent/Ascend debug, Microsoft Network Monitor, Network Instruments, TamoSoft CommView

New in WireShark 1.4.6 (Apr 19, 2011)

  • Bug Fixes
  • Wireshark and TShark can crash while analyzing TCP packets. (Bug 5837)
  • Updated Protocol Support:
  • TCP

New in WireShark 1.4.5 (Apr 16, 2011)

  • Bug Fixes:
  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
  • The X.509if dissector could crash. (Bug 5754, Bug 5793)
  • Paul Makowski from SEI/CERT discovered that the DECT dissector could overflow a buffer. He verified that this could allow remote code execution on many platforms.
  • Cygwin make fails after updating to bash v 4.1.9.2
  • Export HTTP > All - System Appears Hung (but isn't). (Bug 1671)
  • Some HTTP responses don't decode with TCP reassembly on. (Bug 3785)
  • Wireshark crashes when cancelling a large sort operation. (Bug 5189)
  • Wireshark crashes if SSL preferences RSA key is actually a DSA key. (Bug 5662)
  • tshark incorrectly calculates TCP stream for some syn packets. (Bug 5743)
  • Wireshark not able to decode the PPP frame in a sflow (RFC3176) flow sample packet because Wireshark incorrectly read the protocol in PPP frame header. (Bug 5746)
  • Mysql protocol dissector: all fields should be little endian. (Bug 5759)
  • Error when opening snoop from Juniper SSG-140. (Bug 5762)
  • svnversion: command not found. (Bug 5798)
  • capinfos: #ifdef HAVE_LIBGCRYPT block includes a line too many. (Bug 5803)
  • Value of TCP segment data cannot be copied. (Bug 5811)
  • proto_field_is_referenced() is not exported in libwireshark.dll. (Bug 5816)
  • Wireshark ver. 1.4.4 not displayed "Granted QoS" field in a A11 packet. (Bug 5822)
  • New and Updated Features:
  • There are no new features in this release.
  • New Protocol Support:
  • There are no new protocols in this release.
  • Updated Protocol Support:
  • HTTP, LDAP, MySQL, NFS, sFlow, SSL, TCP
  • New and Updated Capture File Support

New in WireShark 1.5.1 Dev (Apr 13, 2011)

  • The following bugs have been fixed:
  • Wireshark is unresponsive when capturing from named pipes on Windows. (Bug 1759)
  • Ring buffers are no longer turned on by default when using multiple capture files.

New in WireShark 1.4.4 (Mar 2, 2011)

  • Bug Fixes:
  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
  • Huzaifa Sidhpurwala of the Red Hat Security Response Team discovered that Wireshark could free an uninitialized pointer while reading a malformed pcap-ng file. (Bug 5652) 
Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3.
CVE-2011-0538
  • Huzaifa Sidhpurwala of the Red Hat Security Response Team discovered that a large packet length in a pcap-ng file could crash Wireshark. (Bug 5661) 
Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3.
  • Wireshark could overflow a buffer while reading a Nokia DCT3 trace file. 
Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3.
CVE-2011-0713
  • Paul Makowski working for SEI/CERT discovered that Wireshark on 32 bit systems could crash while reading a malformed 6LoWPAN packet. (Bug 5722) 
Versions affected: 1.4.0 to 1.4.3.
  • joernchen of Phenoelit discovered that the LDAP and SMB dissectors could overflow the stack. (Bug 5717) 
Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3. (Prior versions including 1.0.x are also affected.)
  • Xiaopeng Zhang of Fortinet's Fortiguard Labs discovered that large LDAP Filter strings can consume excessive amounts of memory. (Bug 5732) 
Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3. (Prior versions including 1.0.x are also affected.)
  • The following bugs have been fixed:
  • A TCP stream would not always be recognized as the same stream. (Bug 2907)
  • Wireshark Crashing by pressing 2 Buttons. (Bug 4645)
  • A crash can occur in the NTLMSSP dissector. (Bug 5157)
  • The column texts from a Lua dissector could be mangled. (Bug 5326) (Bug 5630)
  • Corrections to ANSI MAP ASN.1 specifications. (Bug 5584)
  • When searching in packet bytes, the field and bytes are not immediately shown. (Bug 5585)
  • Malformed Packet: ULP reported when dissecting ULP SessionID PDU. (Bug 5593)
  • Wrong IEI in container of decode_gtp_mm_cntxt. (Bug 5598)
  • Display filter does not work for expressions of type BASE_DEC, BASE_DEC_HEX and BASE_HEX_DEC. (Bug 5606)
  • NTLMSSP dissector may fail to compile due to space embedded in C comment delimiters. (Bug 5614)
  • Allow for name resolution of link-scope and multicast IPv6 addresses from local host file. (Bug 5615)
  • DHCPv6 dissector formats DUID_LLT time incorrectly. (Bug 5627)
  • Allow for IEEE 802.3bc-2009 style PoE TLVs. (Bug 5639)
  • Various fixes to the HIP packet dissector. (Bug 5646)
  • Display "Day of Year" for January 1 as 1, not 0. (Bug 5653)
  • Accommodate the CMake build on Ubuntu 10.10. (Bug 5665)
  • E.212 MCC 260 Poland update according to local national regulatory. (Bug 5668)
  • IPP on ports other than 631 not recognized. (Bug 5677)
  • Potential access violation when writing to LANalyzer files. (Bug 5698)
  • IEEE 802.15.4 Superframe Specification - Final CAP Slot always 0. (Bug 5700)
  • Peer SRC and DST AS numbers are swapped for cflow. (Bug 5702)
  • dumpcap: -q option behavior doesn't match documentation. (Bug 5716)
  • New and Updated Features:
  • There are no new features in this release.
  • New Protocol Support:
  • There are no new protocols in this release.
  • Updated Protocol Support:
  • ANSI MAP, BitTorrent, DCM, DHCPv6, DTAP, DTPT, E.212, GSM Management, GTP, HIP, IEEE 802.15.4, IPP, LDAP, LLDP, Netflow, NTLMSSP, P_Mul, Quake, Skinny, SMB, SNMP, ULP
  • New and Updated Capture File Support:
  • LANalyzer, Nokia DCT3, Pcap-ng
  • Getting Wireshark:
  • Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
  • Vendor-supplied Packages:
  • Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
  • File Locations:
  • Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About->Folders to find the default locations on your system.

New in WireShark 1.5.0 Dev (Jan 25, 2011)

  • New and Updated Features:
  • Wireshark can import text dumps, similar to text2pcap.
  • You can now view Wireshark's dissector tables (for example the TCP port to dissector mappings) from the main window.
  • TShark can show a specific occurrence of a field when using '-T fields'.
  • Custom columns can show a specific occurrence of a field.
  • You can hide columns in the packet list.
  • Wireshark can now export SMB objects.
  • dftest and randpkt now have manual pages.
  • TShark can now display iSCSI service response times.
  • Dumpcap can now save files with a user-specified group id.
  • Syntax checking is done for capture filters.
  • You can display the compiled BPF code for capture filters in the Capture Options dialog.
  • You can now navigate backwards and forwards through TCP and UDP sessions using Ctrl+, and Ctrl+. .
  • Packet length is (finally) a default column.
  • TCP window size is now avaiable both scaled and unscaled. A TCP window scaling graph is available in the GUI.
  • 802.1q VLAN tags are now shown by the Ethernet II dissector.
  • Various dissectors now display some UTF-16 strings as proper Unicode including the DCE/RPC and SMB dissectors.
  • The RTP player now has an option to show the time of day in the graph in addition to the seconds since beginning of capture.
  • The RTP player now shows why media interruptions occur.
  • Graphs now save as PNG images by default.
  • New Protocol Support:
  • ADwin, ADwin-Config, Apache Etch, Aruba PAPI, Constrained Application Protocol (COAP), Digium TDMoE, Ether-S-I/O, FastCGI, Fibre Channel over InfiniBand (FCoIB), Gopher, Gigamon GMHDR, IDMP, Infiniband Socket Direct Protocol (SDP), JSON, LISP Data, MikroTik MAC-Telnet, Mongo Wire Protocol, Network Monitor 802.11 radio header, OPC UA ExtensionObjects, PPI-GEOLOCATION-GPS, ReLOAD, ReLOAD Framing, SAMETIME, SCoP, SGSAP, Tektronix Teklink, WAI authentication, Wi-Fi P2P (Wi-Fi Direct)
  • New and Updated Capture File Support:
  • Apple PacketLogger, Catapult DCT2000, Daintree SNA, Endace ERF, HP OpenVMS TCPTrace, IPFIX (the file format, not the protocol), Lucent/Ascend debug, Microsoft Network Monitor, Network Instruments, TamoSoft CommView

New in WireShark 1.4.3 (Jan 12, 2011)

  • FRAsse discovered that the MAC-LTE dissector could overflow a buffer. (Bug 5530)
  • FRAsse discovered that the ENTTEC dissector could overflow a buffer. (Bug 5539)
  • The ASN.1 BER dissector could assert and make Wireshark exit prematurely. (Bug 5537)
  • The following bugs have been fixed:
  • AMQP failed assertion. (Bug 4048)
  • Reassemble.c leaks memory for GLIB > 2.8. (Bug 4141)
  • Fuzz testing reports possible dissector bug: TCP. (Bug 4211)
  • Wrong length calculation in new_octet_aligned_subset_bits() (PER dissector). (Bug 5393)
  • Function dissect_per_bit_string_display might read more bytes than available (PER dissector). (Bug 5394)
  • Cannot load wpcap.dll & packet.dll from Wireshark program directory. (Bug 5420)
  • Wireshark crashes with Copy -> Description on date/time fields. (Bug 5421)
  • DHCPv6 OPTION_CLIENT_FQDN parse error. (Bug 5426)
  • Information element Error for supported channels. (Bug 5430)
  • Assert when using ASN.1 dissector with loading a 'type table'. (Bug 5447)
  • Bug with RWH parsing in Infiniband dissector. (Bug 5444)
  • Help->About Wireshark mis-reports OS. (Bug 5453)
  • Delegated-IPv6-Prefix(123) is shown incorrect as X-Ascend-Call-Attempt-Limit(123). (Bug 5455)
  • "tshark -r file -T fields" is truncating exported data. (Bug 5463)
  • gsm_a_dtap: incorrect "Extraneous Data" when decoding Packet Flow Identifier. (Bug 5475)
  • Improper decode of TLS 1.2 packet containing both CertificateRequest and ServerHelloDone messages. (Bug 5485)
  • LTE-PDCP UL and DL problem. (Bug 5505)
  • CIGI 3.2/3.3 support broken. (Bug 5510)
  • Prepare Filter in RTP Streams dialog does not work correctly. (Bug 5513)
  • Wrong decode at ethernet OAM Y.1731 ETH-CC. (Bug 5517)
  • WPS: RF bands decryption. (Bug 5523)
  • Incorrect LTP SDNV value handling. (Bug 5521)
  • LTP bug found by randpkt. (Bug 5323)
  • Buffer overflow in SNMP EngineID preferences. (Bug 5530)
  • Updated Protocol Support:
  • AMQP, ASN.1 BER, ASN.1 PER, CFM, CIGI, DHCPv6, Diameter, ENTTEC, GSM A GM, IEEE 802.11, InfiniBand, LTE-PDCP, LTP, MAC-LTE, MP2T, RADIUS, SAMR, SCCP, SIP, SNMP, TCP, TLS, TN3270, UNISTIM, WPS
  • New and Updated Capture File Support:
  • Endace ERF, Microsoft Network Monitor, VMS TCPtrace.

New in WireShark 1.4.2 (Nov 20, 2010)

  • Bug Fixes:
  • Nephi Johnson of BreakingPoint discovered that the LDSS dissector could overflow a buffer. (Bug 5318)
  • The ZigBee ZCL dissector could go into an infinite loop. (Bug 5303)
  • The following bugs have been fixed:
  • File-Open Display Filter is overwritten by Save-As Filename. (Bug 3894)
  • Wireshark crashes with "Gtk-ERROR **: Byte index 6 is off the end of the line" if click on last PDU. (Bug 5285)
  • GTK-ERROR can occur in packets when there are multiple Netbios/SMB headers in a single frame. (Bug 5289)
  • "Tshark -G values" crashes on Windows. (Bug 5296)
  • PROFINET I&M0FilterData packet not fully decoded. (Bug 5299)
  • PROFINET MRP linkup/linkdown decoding incorrect. (Bug 5300)
  • [lua] Dumper:close() will cause a segfault due later GC of the Dumper. (Bug 5320)
  • Network Instruments' trace files sometimes cannot be read with an error message of "Observer: bad record: Invalid magic number". (Bug 5330)
  • IO Graph Time of Day times incorrect for filtered data. (Bug 5340)
  • Wireshark tools do not detect and read some ERF files correctly. (Bug 5344)
  • "editcap -h" sends some lines to stderr and others to stdout. (Bug 5353)
  • IP Timestamp Option: "flag=3" variant (prespecified) not displayed correctly. (Bug 5357)
  • AgentX PDU Header 'hex field highlighting' incorrectly spans extra bytes. (Bug 5364)
  • AgentX dissector cannot handle null OID in Open-PDU. (Bug 5368)
  • Crash with "Gtk-ERROR **: Byte index 6 is off the end of the line". (Bug 5374)
  • ANCP Portmanagment TLV wrong decoded. (Bug 5388)
  • Crash during startup because of Python SyntaxError in wspy_libws.py. (Bug 5389)
  • Updated Protocol Support:
  • AgentX, ANCP, DIAMETER, HTTP, IP, LDSS, MIME, NBNS, PROFINET, SIP, TCP, Telnet, ZigBee
  • New and Updated Capture File Support:
  • Endace ERF, Network Instruments Observer.

New in WireShark 1.4.1 (Oct 12, 2010)

  • Bug Fixes:
  • The Penetration Test Team of NCNIPC (China) discovered that the ASN.1 BER dissector was susceptible to a stack overflow. (Bug 5230). Versions affected: All previous versions up to and including 1.2.11 and 1.4.0.
  • The following bugs have been fixed:
  • Wireshark may appear offscreen on multi-monitor Windows systems. (Bug 553)
  • Incorrect behavior using sorting in the packet list. (Bug 2225)
  • Cooked-capture dissector should omit the source address field if empty. (Bug 2519)
  • MySQL dissector doesn't dissect MySQL stream. (Bug 2691)
  • Wireshark crashes if active display filter macro is renamed. (Bug 5002)
  • Incorrect dissection of MAP V2 PRN_ACK. (Bug 5076)
  • TCP bytes_in_flight becomes inflated with lost packets. (Bug 5132)
  • Wireshark fails to start on Windows XP 64bit. (Bug 5160)
  • GTP header is exported in PDML with an incorrect size. (Bug 5162)
  • Packet list hidden columns will not be parsed correctly from preferences file. (Bug 5163)
  • Wireshark does not display the t.38 graph. (Bug 5165)
  • Wireshark don't show mgcp calls in "Telephony → VoIP calls". (Bug 5167)
  • Wireshark 1.4.0 & VoIP calls "Prepare Filter" problem. (Bug 5172)
  • GTPv2: IMSI is decoded improperly. (Bug 5179)
  • [NAS EPS] EPS Quality of Service IE decoding is wrong. (Bug 5186)
  • Wireshark mistakenly writes "not all data available" for IPv4 checksum. (Bug 5194)
  • GSM: Cell Channel Description, range 1024 format. (Bug 5214)
  • Wrong SDP interpretation on VoIP call flow chart. (Bug 5220)
  • The CLDAP attribute value on a CLDAP reply is no longer being decoded. (Bug 5239)
  • [NAS EPS] Traffic Flow Template IE dissection bugs. (Bug 5243)
  • [NAS EPS] Use Request Type IE defined in 3GPP 24.008. (Bug 5246)
  • NTLMSSP_AUTH domain and username truncated to first letter with IE8/Windows7 (generating the NTLM packet). (Bug 5251)
  • IPv6 RH0: dest addr is to be used i.s.o. last RH address when 0 segments remain. (Bug 5252)
  • EIGRP dissection error in Flags field in external route TLVs. (Bug 5261)
  • MRP packet is not correctly parsed in PROFINET multiple write record request. (Bug 5267)
  • MySQL Enhancement: support of Show Fields and bug fix. (Bug 5271)
  • [NAS EPS] Fix TFT decoding when having several Packet Filters defined. (Bug 5274)
  • Crash if using ssl.debug.file with no password for ssl.keys_list. (Bug 5277)
  • Updated Protocol Support:
  • ASN.1 BER, ASN.1 PER, EIGRP, GSM A RR, GSM Management, GSM MAP, GTP, GTPv2, ICMPv6, Interlink, IPv4, IPv6, IPX, LDAP, LLC, MySQL, NAS EPS, NTLMSSP, PN-IO, PPP, RPC, SDP, SLL, SSL, TCP

New in WireShark 1.4.0 (Aug 31, 2010)

  • Bug Fixes:
  • The following bugs have been fixed:
  • Update time display in background. (Bug 1275)
  • Wireshark is unresponsive when capturing from named pipes on Windows. (Bug 1759)
  • Tshark returns 0 even with an invalid interface or capture filter. (Bug 4735)
  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 1.2:
  • The packet list internals have been rewritten and are now more efficient.
  • Columns are easier to use. You can add a protocol field as a column by right-clicking on its packet detail item, and you can adjust some column preferences by right-clicking the column header.
  • Preliminary Python scripting support has been added.
  • Many memory leaks have been fixed.
  • Wireshark 1.4 does not support Windows 2000. Please use Wireshark 1.2 or 1.0 on those systems.
  • Packets can now be ignored (excluded from dissection), similar to the way they can be marked.
  • Manual IP address resolution is now supported.
  • Columns with seconds can now be displayed as hours, minutes and seconds.
  • You can now set the capture buffer size on UNIX and Linux if you have libpcap 1.0.0 or greater.
  • TShark no longer needs elevated privileges on UNIX or Linux to list interfaces. Only dumpcap requires privileges now.
  • Wireshark and TShark can enable 802.11 monitor mode directly if you have libpcap 1.0.0 or greater.
  • You can play RTP streams directly from the RTP Analysis window.
  • Capinfos and editcap now respectively support time order checking and forcing.
  • Wireshark now has a "jump to timestamp" command-line option.
  • You can open JPEG files directly in Wireshark.
  • New Protocol Support:
  • 3GPP Nb Interface RTP Multiplex, Access Node Control Protocol, Apple Network-MIDI Session Protocol, ARUBA encapsulated remote mirroring, Assa Abloy R3, Asynchronous Transfer Mode, B.A.T.M.A.N. Advanced Protocol, Bluetooth AMP Packet, Bluetooth OBEX, Bundle Protocol, CIP Class Generic, CIP Connection Configuration Object, CIP Connection Manager, CIP Message Router, collectd network data, Control And Provisioning of Wireless Access Points, Controller Area Network, Device Level Ring, DOCSIS Bonded Initial Ranging Message, Dropbox LAN sync Discovery Protocol, Dropbox LAN sync Protocol, DTN TCP Convergence Layer Protocol, EtherCAT Switch Link, Fibre Channel Delimiters, File Replication Service DFS-R, Gateway Load Balancing Protocol, Gigamon Header, GigE Vision Control Protocol, Git Smart Protocol, GSM over IP ip.access CCM sub-protocol, GSM over IP protocol as used by ip.access, GSM Radiotap, HI2Operations, Host Identity Protocol, HP encapsulated remote mirroring, HP NIC Teaming Heartbeat, IEC61850 Sampled Values, IEEE 1722 Protocol, InfiniBand Link, Interlink Protocol, IPv6 over IEEE 802.15.4, ISO 10035-1 OSI Connectionless Association Control Service, ISO 9548-1 OSI Connectionless Session Protocol, ISO 9576-1 OSI Connectionless Presentation Protocol, ITU-T Q.708 ISPC Analysis, Juniper Packet Mirror, Licklider Transmission Protocol, MPLS PW ATM AAL5 CPCS-SDU mode encapsulation, MPLS PW ATM Cell Header, MPLS PW ATM Control Word, MPLS PW ATM N-to-One encapsulation, no CW, MPLS PW ATM N-to-One encapsulation, with CW, MPLS PW ATM One-to-One or AAL5 PDU encapsulation, Multiple Stream Reservation Protocol, NetPerfMeter Protocol, NetScaler Trace, NexusWare C7 MTP, NSN FLIP, OMRON FINS Protocol, packetbb Protocol, Peer Network Resolution Protocol, PKIX Attribute Certificate, Pseudowire Padding, Server/Application State Protocol, Solaris IPNET, TN3270 Protocol, TN5250 Protocol, TRILL, Twisted Banana, UMTS FP Hint, UMTS MAC, UMTS Metadata, UMTS RLC, USB HID, USB HUB, UTRAN Iuh interface HNBAP signalling, UTRAN Iuh interface RUA signalling, V5.2, Vendor Specific Control Protocol, Vendor Specific Network Protocol, VMware Lab Manager, VXI-11 Asynchronous Abort, VXI-11 Core Protocol, VXI-11 Interrupt, X.411 Message Access Service, ZigBee Cluster Library
  • New and Updated Capture File Support:
  • Accellent 5Views, ASN.1 Basic Encoding Rules, Catapult DCT2000, Daintree SNA, Endace ERF, EyeSDN, Gammu DCT3 trace, IBM iSeries, JPEG/JFIF, libpcap, Lucent/Ascend access server trace, NetScaler, PacketLogger, pcapng, Shomiti/Finisar Surveyor, Sun snoop, Symbian OS btsnoop, Visual Networks

New in WireShark 1.2.10 (Jul 30, 2010)

  • Bug Fixes:
  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
  • The SigComp Universal Decompressor Virtual Machine could overrun a buffer. (Bug 4867)
  • Versions affected: 0.10.8 to 1.0.14, 1.2.0 to 1.2.9
  • CVE-2010-2287
  • The GSM A RR dissector could crash. (Bug 4897)
  • Versions affected: 1.2.2 to 1.2.9
  • Due to a regression the ASN.1 BER dissector could overrun the stack.
  • Versions affected: 0.10.13 to 1.0.14, 1.2.0 to 1.2.9
  • CVE-2010-2284
  • The IPMI dissector could go into an infinite loop.
  • Versions affected: 1.2.0 to 1.2.9
  • The following bugs have been fixed:
  • Wireshark crashes after configuring new Information column. (Bug 4854)
  • Crash triggered when changing display filter from right-mouse pop-up menu via packet-list. (Bug 4860)
  • Wireshark crash selecting Inter-Asterisk exchange v2 packet data. (Bug 4868)
  • zlib-1.2.5 cause tshark to stop live capture. (Bug 4916)
  • Crash when adding SNMP users. (Bug 4926)
  • Wireshark via ssh -X on ipv6 link-local address fails to allow capture. (Bug 4945)
  • OMAPI dissector fails to parse combined initialization messages. (Bug 4982)
  • QUERY_FS_INFO for Macintosh level 0x301 - MacSupportFlags decodes wrong. (Bug 4993)
  • SCSI dissector misidentifies ATA PASSTHROUGH command as ACCESS CONTROL IN. (Bug 5037)
  • Wrong decoding of GTP Prime (GTP') packets. (Bug 5055)
  • Updated Protocol Support:
  • ASN.1 BER, GSM A RR, GTP, IAX2, IPMI, OMAPI, PRES, SCSI, SMB, UNISTIM

New in WireShark 1.2.9 (Jun 10, 2010)

  • Bug Fixes:
  • The SMB dissector could dereference a NULL pointer. (Bug 4734)
  • J. Oquendo discovered that the ASN.1 BER dissector could overrun the stack.
  • The SMB PIPE dissector could dereference a NULL pointer on some platforms.
  • The SigComp Universal Decompressor Virtual Machine could go into an infinite loop. (Bug 4826)
  • The SigComp Universal Decompressor Virtual Machine could overrun a buffer. (Bug 4837)
  • The following bugs have been fixed:
  • Cannot open file with File -> Open. (Bug 1791)
  • Application crash when changing real-time option. (Bug 4035)
  • Crash in filter autocompletion. (Bug 4306)
  • The XML dissector doesn't allow dots (".") in tags. (Bug 4405)
  • Live capture stops when using zlib 1.2.5. (Bug 4708)
  • Want to be able to apply decode as to Data Portion of Lan Trace. (Bug 4721)
  • SABP short pdu (packet_per.c). (Bug 4743)
  • Kerberos pre-auth type constants - MS extensions are wrong. (Bug 4752)
  • Check HTTP Content-Length parsing for overflow. (Bug 4758)
  • Wrong variable used for proto_tree_add_text() in ptp dissector. (Bug 4773)
  • Crash when close window frame of gtk file chooser. (Bug 4778)
  • text2pcap expects \n delimited text (instead of \r\n) on win32. (Bug 4780)
  • Wrong decoding for BGP ORF. (Bug 4782)
  • Crash when Ctrl-Backspacing the display filter. (Bug 4797)
  • Acker AFI field incorrect size in PGM dissector. (Bug 4798)
  • Fedora 13: wireshark fails to build (linking problem). (Bug 4815)
  • The NFS FH hash (nfs.fh.hash) incorrectly matches multiple filehandles. (Bug 4839)
  • AES-CTR decoding not working, (dissectors/packet_ipsec.c using gcrypt). (Bug 4838)
  • Updated Protocol Support:
  • ASN.1 BER, BGP, HTTP, IGMP, IPsec, Kerberos, NFS, PGM, PTP, SABP, SigComp, SMB, TCAP, XML,
  • Updated Capture File Support:
  • ERF, PacketLogger.

New in WireShark 1.2.8 (May 6, 2010)

  • Bug Fixes:
  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
  • The DOCSIS dissector could crash. (Bug 4644), (bug 4646). Versions affected: 0.9.6 to 1.0.12, 1.2.0 to 1.2.7
  • The following bugs have been fixed:
  • HTTP parser limits with Content-Length. (Bug 1958)MATE dissector bug with GOGs. (Bug 3010)Changing fonts and deleting system time from preferences, results in wireshark crash. (Bug 3387)ERF file starting with record with timestamp=0,1 or 2 not recognized as ERF file. (Bug 4503)The SSL dissector can not correctly resemple SSL records when the record header is spit between packets. (Bug 4535)TCP reassembly can call subdissector with incorrect TCP sequence number. (Bug 4624)PTP dissector displays big correction field values wrong. (Bug 4635)MSF is at Anthorn, not Rugby. (Bug 4678)ProtoField __tostring() description is missing in Wireshark's Lua API Reference Manual. (Bug 4695)EVRC packet bundling not handled correctly. (Bug 4718)Completely unresponsive when run very first time by root user. (Bug 4308)
  • Updated Protocol Support:
  • DOCSIS, HTTP, SSL
  • Updated Capture File Support:
  • ERF, PacketLogger.

New in WireShark 1.2.7 (Apr 1, 2010)

  • Bug Fixes
  • SNMPv3 Engine ID registration. (Bug 2426)
  • Open file dialog always displayed when clicking anywhere on Wireshark. (Bug 2478)
  • tshark reports wrong number of bytes on big dumpfiles with -z io,stat. (Bug 3205)
  • Negative INTEGER number displayed as positive number in SNMP dissector. (Bug 3230)
  • Add support for FT_BOOLEAN fields to wslua FieldInfo. (Bug 4049)
  • Wireshark crashes w/ GLib error when trying to play RTP stream. (Bug 4119)
  • Windows 2000 support has been restored. (Bug 4176)
  • Wrong dissection on be_cell_id_list for bssmap. (Bug 4437)
  • I/O Graph dropdown boxes not working correctly. (Bug 4487)
  • Runtime Error when right-clicking field and selecting "Filter Field Reference". (Bug 4522)
  • In GSM SMS PDU TPVPF showing wrong. (Bug 4524)
  • Profinet: May be wrong defined byte meaning. (Bug 4525)
  • GLib-CRITICAL ** Message. (Bug 4547)
  • Certain EDP display filters trigger Wireshark/tshark runtime error. (Bug 4563)
  • Some NCP frames trigger "Dissector bug, protocol NCP". (Bug 4565)
  • The encapsulation abbreviation "bluetooth-h4" is ambiguous. (Bug 4613)
  • Updated Protocol Support:
  • BSSMAP, DMP, GSM SMS, LDSS, NCP, PN/IO, PPP, SIP, SNMP

New in WireShark 1.3.3 Dev (Feb 12, 2010)

  • The rewritten packet list internals have been greatly improved.
  • You can now ignore packets, similar to the way you can mark them.

New in WireShark 1.2.6 (Jan 28, 2010)

  • Babi discovered several buffer overflows in the LWRES dissector.
  • Versions affected: 0.9.15 to 1.0.10, 1.2.0 to 1.2.5
  • The following bugs have been fixed:
  • Wireshark could crash while decrypting Kerberos data.
  • Address display filters hang Wireshark. (Bug 658)
  • PSML - structure context node missing. (Bug 1564)
  • Wireshark doesn't dynamically update the packet list. (Bug 1605)
  • LUA: There's no tvb_get_stringz() equivalent. (Bug 2244)
  • tvb_new_real_data is prone to memory leak. (Bug 3917)
  • Malformed OPC UA traffic makes Wireshark "freeze". (Bug 3986)
  • Analyze→Expert... doesn't show IP "Bad Checksum" errors. (Bug 4177)
  • Wireshark can't decrypt WPA(2)-PSK when passphrase is 63 bytes. (Bug 4183)
  • RTP stream analysis: Wrong jitter values after clicking the refresh button. (Bug 4340)
  • Wireshark decodes bootp option 2 incorrectly. (Bug 4342)
  • Deleting SMI modules causes Wireshark to crash. (Bug 4354)
  • Wireshark decodes kerberos AS-REQ PADATA incorrect. (Bug 4363)
  • PDML output from TShark includes invalid characters. (Bug 4402)
  • Empty GPRS LLC S frames cause truncated data exception. (Bug 4417)
  • New and Updated Features
  • Feature parity between the 64- and 32-bit Windows installer has been improved. The 64-bit installer now supports the "matches" operator, GeoIP location, and most types of decryption. Kerberos decryption and OID resolution are still not supported.
  • New Protocol Support
  • There are no new protocols in this release.
  • Updated Protocol Support
  • BJNP, BOOTP/DHCP, DHCPv6, FIP, GPRS LLC, IEEE 802.11, IP, Kerberos, OPCUA, SCTP, SSL, ZRTP
  • Updated Capture File Support
  • There are no updated capture file formats in this release.
  • Getting Wireshark
  • Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
  • Vendor-supplied Packages
  • Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
  • File Locations
  • Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About->Folders to find the default locations on your system.

New in WireShark 1.2.5 (Dec 17, 2009)

  • Bug Fixes:
  • The Daintree SNA file parser could overflow a buffer. (Bug 4294)
  • The SMB and SMB2 dissectors could crash. (Bug 4301)
  • The IPMI dissector could crash on Windows. (Bug 4319)
  • The following bugs have been fixed:
  • Wireshark does not graph rtp streams. (Bug 3801)
  • Wireshark showing extraneous data in a TCP stream. (Bug 3955)
  • Wrong decoding of gtp.target identification. (Bug 3974)
  • TTE dissector bug. (Bug 4247)
  • Upper case in Lua pref symbol causes Wireshark to crash. (Bug 4255)
  • OpenBSD 4.5 build fails at epan/dissectors/packet-rpcap.c. (Bug 4258)
  • Incorrect display of stream data using "Follow tcp stream" option. (Bug 4288)
  • Custom RADIUS dictionary can cause a crash. (Bug 4316)
  • Updated Protocol Support:
  • DAP, eDonkey, GTP, IPMI, MIP, RADIUS, RANAP, SMB, SMB2, TCP, TTE, VNC, X.509sat
  • Updated Capture File Support:
  • Daintree SNA.

New in WireShark 1.2.4 (Nov 17, 2009)

  • Bug Fixes:
  • Can't save RTP stream in both directions. (Bug 4120)
  • Wireshark could crash at startup on Windows. (Bug 4155)
  • New and Updated Features:
  • There are no new features in this release.
  • New Protocol Support:
  • There are no new protocols in this release.
  • Updated Protocol Support:
  • DCERPC, IPFIX/Netflow, IPv4, NAS EPS, RTCP, TIPC
  • Updated Capture File Support:
  • Capture file support is unchanged in this release.

New in WireShark 1.2.3 (Oct 28, 2009)

  • The following vulnerabilities have been fixed:
  • The Paltalk dissector could crash on alignment-sensitive processors. (Bug 3689)The DCERPC/NT dissector could crash.The SMB dissector could crash.
  • The following bugs have been fixed:
  • Wireshark memory leak with each file open and/or display filter change. (Bug 2375)
  • DHCP Dissector displays negative lease time. (Bug 2733)
  • Invalid advertised window line on tcptrace style graph. (Bug 3417)
  • SMB get_dfs_referral referral entry is not dissected correctly. (Bug 3542)
  • Error dissecting eMule sourceOBFU message. (Bug 3848)
  • Typos in Diameter XML files. (Bug 3878)
  • RSL dissector for MS Power IE is broken. (Bug 4017)
  • Manifest problem in 1.2.2 Win64 build. (Bug 4024)
  • FIP dissector throws assertion. (Bug 4046)
  • TCAP problem with indefinite length 'components' SEQ OF. (Bug 4053)
  • GSM MAP: an-APDU not decoded. (Bug 4095)
  • Add "Drag and Drop entries..." message on Columns preferences page. (Bug 4099)
  • Editcap -t and -w option parses fractional digits incorrectly. (Bug 4162)
  • New and Updated Features:
  • The 32-bit and 64-bit Windows packages now include WinPcap 4.1.1.
  • Updated Protocol Support:
  • DCERPC NT, DHCP, Diameter, E.212, eDonkey, FIP, IPsec, MGCP, NCP, Paltalk, RADIUS, RSL, SBus, SMB, SNMP, SSL, TCP, Teamspeak2, WPS

New in WireShark 1.2.2 (Sep 16, 2009)

  • Bug Fixes:
  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
  • The GSM A RR dissector could crash. (Bug 3893) Versions affected: 1.2.0 to 1.2.1
  • The OpcUa dissector could use excessive CPU and memory. (Bug 3986) Versions affected: 0.99.6 to 1.0.8, 1.2.0 to 1.2.1
  • The TLS dissector could crash on some platforms. (Bug 4008) Versions affected: 1.2.0 to 1.2.1
  • The following bugs have been fixed:
  • The "Capture->Interfaces" window can't be closed. (Bug 1740)
  • tshark-1.0.2 (dumpcap) signal abort core saved. (Bug 2767)
  • Memory leak fixes. (Bug 3330)
  • Display filter autocompletion doesn't work for some RADIUS and WiMAX ASNCP fields. (Bug 3538)
  • Wireshark Portable includes wrong WinPcap installer. (Bug 3547)
  • Crash when loading a profile. (Bug 3640)
  • The proto,colinfo tap doesn't work if the INFO column isn't being printed. (Bug 3675)
  • Flow Graph adds too much unnecessary garbage. (Bug 3693)
  • The EAP Diameter dictionary file was missing in the distribution. (Bug 3761)
  • Graph analysis window is behind other window. (Bug 3773)
  • IKEv2 Cert Request payload dissection error. (Bug 3782)
  • DNS NAPTR RR (RFC 3403) replacement MUST be a fully qualified domain-name. (Bug 3792)
  • Malformed RTCP Packet error while sending Payload specific RTCP feedback packet( as per RFC 4585). (Bug 3800)
  • 802.11n Block Ack packet Bitmap field missing. (Bug 3806)
  • Wireshark doesn't decode WBXML/ActiveSync information correctly. (Bug 3811)
  • Malformed packet when IPv6 packet has Next Header == 59. (Bug 3820)
  • Wireshark could crash while reading an ERF file. (Bug 3849)
  • Minor errors in gsm rr dissectors. (Bug 3889)
  • WPA Decryption Issues. (Bug 3890)
  • GSM A RR sys info dissection problem. (Bug 3901)
  • GSM A RR inverts MEAS-VALID values. (Bug 3915)
  • PDML output leaks ~300 bytes / packet. (Bug 3913)
  • Incorrect station identifier parsing in Kingfisher dissector. (Bug 3946)
  • DHCPv6, Vendor-Specific Informantion, SubOption"Option Request" parser incorrect. (Bug 3987)
  • Wireshark could leak memory while analyzing SSL.
  • Wireshark could crash while updating menu items after reading a file in some cases.
  • The Mac OS X ChmodBPF script now works correctly under Snow Leopard.
  • New and Updated Features:
  • There are no new or updated features in this release.
  • New Protocol Support:
  • There are no new protocols in this release.
  • Updated Protocol Support:
  • DCERPC, DHCPv6, DNS, E.212, GSM A RR, GTPv2, H.248, IEEE 802.11, IPMI, ISAKMP/IKE, ISUP, Kingfisher, LDAP, OpcUA, RTCP, SCTP, SIP, SSL, TCP, WBXML, ZRTP
  • Updated Capture File Support:
  • ERF

New in WireShark 1.2.1 (Jul 21, 2009)

  • The following vulnerabilities have been fixed:
  • The IPMI dissector could overrun a buffer.
  • The AFS dissector could crash.
  • The Infiniband dissector could crash on some platforms.
  • The Bluetooth L2CAP dissector could crash.
  • The RADIUS dissector could crash.
  • The MIOP dissector could crash.
  • The sFlow dissector could use excessive CPU and memory.
  • The following bugs have been fixed:
  • Wireshark could crash while reading a pcap-ng file.
  • Wireshark could crash while reading a PacketLogger file.
  • CFLOW decoding is wrong for IPv6 fields (Bug 3328)
  • Buildbot crash output: fuzz-2009-04-24-2891.pcap (Bug 3438)
  • packet-dcm, corrupt DICOM export files (Bug 3493)
  • GeoIP map should use random temporary file name (Bug 3530)
  • Wireshark crashes when range_string is the data type (Bug 3536)
  • Pcap-ng breaks VoIP call data (Bug 3539)
  • ANSI MAP legInformation BER Error (Bug 3541)
  • Starting Wireshark Portable 1.2.0 gives error message. (Bug 3547)
  • On Windows, Wireshark could crash on startup. (Bug 3555)
  • The title in the TCP sequence graphs is too short. (Bug 3556)
  • USB Packets in pcap-ng Files Not Dissected Properly (Bug 3560)
  • 802.11 decryption is broken (Bug 3590)
  • SMB2 Error Response doesn't decode properly (Bug 3609)
  • configure.in uses deprecated autoconf test for gnutls detection (Bug 3627)
  • Radius Malformed Packet error message (Bug 3635)
  • Wireshark could crash when loading a profile. (Bug 3640)
  • Analyze->Decode as... menu item becomes unavailable (Bug 3642)
  • btsnoop: Incorrect error message for not supported datalink type (Bug 3645)
  • Decode error for network-id in BICC BCU-ID (Bug 3648)
  • IEC 60870-5-104 dissector decodes nothing (Bug 3650)
  • radius_register_avp_dissector() can stop RADIUS dissector from working correctly (Bug 3651)
  • ANSI ISUP Cause indicators with coding standard=ANSI fail to dissect. (Bug 3654)
  • Wrong field position in PacketCable Multimedia Extended Classifier (Bug 3656)
  • FF Protocol "FMS Initiate - Version OD Calling" field packet data not unpacked properly (Bug 3694)
  • hci_h4: Optimize column/field handling (Bug 3703)
  • BSSLAP Protocol Not Decoded In BSSMAP-LE Messages (Bug 3711)
  • Description of tshark -t dd missing from tshark.pod (Bug 3723)
  • Problem in packet-per.c for ASN.1 PER Encoding (Bug 3733)
  • [SNMP] Crash when dissecting packet (custom MIB) (Bug 3746)
  • Updated Protocol Support:
  • AFS, ANSI ISUP, ANSI MAP, ASN.1 PER, Bluetooth HCI H4, Bluetooth L2CAP, BSS CFLOW, COPS, Diameter, DICOM, FF-HSE, ICMPv6, IEC-60870-5-104, IEEE 802.11, Infiniband, IPMI, MIOP, RADIUS, RSVP, sFlow, SNMP, SMB2, ZIOP
  • New Capture File Support:
  • Btsnoop, DCT3, Packetlogger, pcap-ng.

New in WireShark 1.2.0 (Jun 17, 2009)

  • Bug Fixes:
  • Too many bugs have been fixed since the 1.0 release to list here. Some notable fixes are:
  • Type-ahead search now works properly.
  • Several bugs that affected capture from pipes have been fixed.
  • Many Lua-related bugs have been fixed.
  • Several memory leaks have been found and fixed.
  • The "Follow TCP Stream" feature could show two streams at the same time The hex dump view has been narrowed.
  • WPA and SSL decryption bugs have been fixed.
  • Readability problems on 256-color displays on Windows have been fixed.
  • New and Updated Features:
  • The following features are new (or have been significantly updated) since version 1.0:
  • Wireshark has a spiffy new start page.
  • Display filters now autocomplete.
  • A 64-bit Windows (x64) installer is now provided.
  • Support for the c-ares resolver library has been added. It has many advantages over ADNS.
  • Many new protocol dissectors and capture file formats have been added (see below for a complete list).
  • Macintosh OS X support has been improved.
  • GeoIP database lookups.
  • OpenStreetMap + GeoIP integration.
  • Improved Postscript® print output.
  • The preference handling code is now much smarter about changes.
  • Support for Pcap-ng, the next-generation capture file format.
  • Support for process information correlation via IPFIX.
  • Column widths are now saved.
  • The last used configuration profile is now saved.
  • Protocol preferences are changeable from the packet details context menu.
  • Support for IP packet comparison.
  • Capinfos now shows the average packet rate.
  • GTK1 is no longer supported. (Yes, this is a feature.)
  • Official Windows packages are now built using Microsoft Visual C++ 2008 SP1.
  • New Protocol Support:
  • Anything in Anything Protocol, ATM PW, N-to-one Cell Mode, B.A.T.M.A.N. Layer 3 Protocol, BACnet MS/TP, BSS LCS Assistance Protocol, Canon BJNP, CESoPSN basic NxDS0 mode (no RTP support), Charging ASE, Cimetrics MS/TP, DECT Protocol, Digital Private Signalling System No 1 Link Layer, DOCSIS Mac Domain Description, DOCSIS Registration Request Multipart, DOCSIS Registration Response Multipart, DOCSIS Synchronisation Message, E100 Encapsulation, EHS, Enhanced Variable Rate Codec, Ethernet Global Data, Ethernet PW, Exchange 2003 Directory Request For Response, Far End Failure Detection, FCoE Initialization Protocol, GOOSE, GPEF, GPRS Tunneling Protocol V2, GSM A-I/F COMMON, GSM A-I/F GPRS Mobility and Session Management, GSM SACCH, GSM Um Interface, HDLC PW, FR port mode (no CW), HDLC-like framing for PPP, IEC 60870-5-104,Apci, IEC 60870-5-104,Asdu, IEEE 802.15.4 Low-Rate Wireless PAN non-ASK PHY, IEEE C37.118 Synchrophasor Protocol, Intelligent Platform Management Interface (Session Wrapper), Inter-Integrated Circuit, Internal TDM, IPSICTL, ISMACryp Protocol, iWARP Direct Data Placement and Remote Direct Memory Access Protocol, iWARP Marker Protocol data unit Aligned framing, Kontiki Delivery Protocol, LANforge Traffic Generator, Layer 1 Event Messages, Lb-I/F BSSMAP LE, LeCroy VICP, Link Access Procedure, Channel Dm (LAPDm), Local Download Sharing Service, LTE Radio Resource Control (RRC) protocol, MAC-LTE, Memcache Protocol, Mesh Header, MP4V-ES, Nasdaq TotalView-ITCH, Nasdaq-SoupTCP version 2.0, NAT Port Mapping Protocol, Netdump Protocol, Non-Access-Stratum (NAS)PDU, PacketLogger, Paltalk Messenger Protocol, PDCP-LTE, PW Associated Channel Header, PW Ethernet Control Word, PW Frame Relay DLCI Control Word, PW MPLS Control Word (generic/preferred), Real-Time Publish-Subscribe Wire Protocol 2.x, Remote Packet Capture, RLC-LTE, SAToP (no RTP support), SERCOS III V1.1, SIMULCRYPT Protocol, Subnetwork Dependent Convergence Protocol XID, Teamspeak2 Protocol, TTEthernet, TTEthernet Protocol Control Frame, Turbocell Aggregate Data, Turbocell Header, TURN Channel, Unreliable Multicast Inter-ORB Protocol, VCDU, Wave Short Message Protocol(IEEE P1609.3), Wireless Access Station Session Protocol, Wireshark Expert Info, World of Warcraft, Xpress Transport Protocol, ZigBee Application Framework, ZigBee Application Support Layer, ZigBee Device Profile, ZigBee Encapsulation Protocol, ZigBee Network Layer, Zipped Inter-ORB Protocol, ZRTP
  • Updated Protocol Support:
  • There are too many updates to list here.
  • New Capture File Support:
  • Apple Bluetooth PacketLogger, Daintree's Sensor Network Analyzer, dct3trace, Pcap-NG, TNEF (yes, those silly winmail.dat attachments)

New in WireShark 1.0.8 (May 22, 2009)

  • Bug Fixes:
  • The following vulnerabilities have been fixed:
  • The PCNFSD dissector could crash. Versions affected: 0.8.20 to 1.0.7
  • The following bugs have been fixed:
  • Lua integration could crash. (Bug 2453)
  • The SCCP dissector could crash when loading more than one file in a single session. (Bug 3409)
  • The NDMP dissector could crash if reassembly was enabled. (Bug 3470)
  • New and Updated Features:
  • There are no new or updated features in this release.
  • New Protocol Support:
  • There are no new protocols in this release.
  • Updated Protocol Support:
  • All ASN.1 protocols, DICOM, NDMP, PCNFSD, RTCP, SCCP, SSL, STANAG 5066
  • New and Updated Capture File Support:
  • There are no new or updated capture file formats in this release.

New in WireShark 1.0.7 (Apr 10, 2009)

  • The following vulnerabilities have been fixed. See the security advisory for details and a workaround.:
  • The PROFINET dissector was vulnerable ta format string overflow.
  • The LDAP dissector could crash on Windows.
  • The Check Point High-Availability Protocol (CPHAP) dissector could crash.
  • Wireshark could crash while loading a Tektronix .rf5 file.
  • The following bugs have been fixed::
  • Correct use of proto_tree_add_int_format()
  • RTP dynamic payload clock rates incorrectly determined
  • TShark fails tproperly close capture files when opening new ones
  • ANSI MAP digits type decode and bitmask corrections
  • Twsmall patches for ipvs-syncd dissector
  • BGP capability dissection failure
  • ANSI MAP fix for missing MEID/MSC ID number in RegNot
  • BACnet PrivateTransferError shows malformed packet
  • Windows silent installer is not that silent
  • Crash in ASN.1 dissector when using 'type table'
  • 802.11n SM Power save mode value 0x3 label is incorrect
  • 802.11 WME ie displayed incorrectly
  • "Copy as filter" from the packet list has been fixed.
  • New and Updated Features: There are nnew or updated features in this release.
  • New Protocol Support: There are nnew protocols in this release.
  • Updated Protocol Support: ACN, ANSI MAP, ASN.1 BACnet, BGP, CPHAP, GSM MAP, IEEE 802.11, IPVS, LDAP, NetFlow/IPFIX, PROFINET, RTP, SNMP, WSP
  • New and Updated Capture File Support: (TBD)

New in WireShark 1.1.3 (Mar 26, 2009)

  • This version features a new top-level menu arrangement and integration with OpenStreetMap.

New in WireShark 1.0.6 (Feb 7, 2009)

  • On non-Windows systems, Wireshark could crash if the HOME environment variable contained sprintf-style string formatting characters. Discovered by babi. (Bug 3150)
  • Wireshark could crash while reading a malformed NetScreen snoop file. Discovered by babi. (Bug 3151)
  • Wireshark could crash while reading a Tektronix K12 text capture file. (Bug 1937)
  • Crash when loading capture file and Preferences: NO Info column (Bug 2902)
  • Some Lua scripts may lead to corruption via out of bounds stack (Bug 3062)
  • Build with GLib 1.2 fails with error: 'G_MININT32' undeclared (Bug 3109)
  • Wrong decoding IMSI with GSM MAP protocol (Bug 3116)
  • Segmentation fault for "Follow TCP stream" (Bug 3119)
  • SMPP optional parameter 'network_error_code' incorrectly decoded (Bug 3128)
  • DHCPv6 dissector doesn't handle malformed FQDN (Bug 3134)
  • WCCP overrides CFLOW as decoded protocol (Bug 3175)
  • Improper decoding of MPLS echo reply IPv4 Interface and Label Stack Object (Bug 3179)
  • ANSI MAP fix for TRN digits/SMS and OTA subdissection (Bug 3214)
  • The 1.0 branch can now be built with Visual Studio 2008.

New in WireShark 1.0.5 (Dec 11, 2008)

  • The following vulnerabilities have been fixed:
  • The SMTP dissector could consume excessive amounts of CPU and memory. Versions affected: 1.0.4
  • The WLCCP dissector could go into an infinte loop. Versions affected: 0.99.7 to 1.0.4
  • The following bugs have been fixed:
  • Missing CRLF during HTTP POST in the "packet details" window (Bug 2534)
  • Memory assertion in time_secs_to_str_buf() when compiled with GCC 4.2.3 (Bug 2777)
  • Diameter dissector fails RFC 4005 compliance (Bug 2828)
  • LDP vendor private TLV type is not correctly shown (Bug 2832)
  • Wireshark on MacOS does not run when there are spaces in its path (Bug 2844)
  • OS X Intel package incorrectly claims to be Universal (Bug 2979)
  • Compilation broke when compiling without zlib (Bug 2993)
  • Memory leak: saved_repoid (Bug 3017)
  • Memory leak: follow_info (Bug 3018)
  • Memory leak: follow_info (Bug 3019)
  • Memory leak: tacplus_data (Bug 3020)
  • Memory leak: col_arrows (Bug 3021)
  • Memory leak: col_arrows (Bug 3022)
  • Incorrect address structure assigned for find_conversation() in WSP (Bug 3071)
  • Memory leak with unistim in voip_calls (Bug 3079)
  • Error parsing the BSSGP protocol (Bug 3085)
  • Assertion thrown in fvalue_get_uinteger when decoding TIPC (Bug 3086)
  • LUA script : Wireshark crashes after closing and opening again a window used by a listener.draw() function. (Bug 3090)
  • Updated Protocol Support:
  • ANSI MAP, BSSGP, CIP, Diameter, ENIP, GIOP, H.263, H.264, HTTP, MPEG PES, PostgreSQL, PPI, PTP, Rsync, RTP, SMTP, SNMP, STANAG 5066, TACACS, TIPC, WLCCP, WSP

New in WireShark 1.0.4 (Oct 21, 2008)

  • Florent Drouin and David Maciejak found that the Bluetooth ACL dissector could crash or abort. (Bug 1513)
  • The Q.931 dissector could crash or abort. (Bug 2870)
  • Wireshark could abort while reading Tamos CommView capture files. (Bug 2926)
  • David Maciejak found that the USB dissector could crash or abort. This led to the disovery of a similar problem in the Bluetooth RFCOMM dissector. (Bug 2922)
  • Vivek Gupta and David Maciejak found that the PRP and MATE dissectors could make Wireshark crash. (Neither PRP nor MATE are enabled by default.) (Bug 2549)
  • Fixed: Let MP2T call its subdissectors, even without tree (Bug 2627)
  • Fixed: Wireless Toolbar not enabled (using AirPcap) if PCAP_REMOTE=1 (Bug 2685)
  • Fixed: Failure to dissect long SASL wrapped LDAP response (Bug 2687)
  • Fixed: Fix compiler warnings (Bug 2823)
  • Fixed: Homeplug dissection bugs (Bug 2859)
  • Fixed: Malformed Packet DCP ETSI error (Bug 2860)
  • Fixed: Wrong size of selected_registrar in WPS dissector (Bug 2865)
  • Fixed: Dissector assertion displaying cookies in DTLS frames (Bug 2876)
  • Fixed: Missing field type in documentation (Bug 2889)
  • Fixed: Wireshark -p switch seems to have no effect to PROMISCUOUS mode (Bug 2891)
  • Fixed: Misspelled PPI error vector magnitude filter (Bug 2903)
  • Fixed: Modbus Function 43 Encapsulated Interface Transport decoding (Bug 2917)
  • Fixed: Crash when printing or exporting some protocol data (Bug 2934)
  • Fixed: Crash when selecting "Export Selected Packet Bytes" (Bug 2964)

New in WireShark 1.1.1 (Sep 22, 2008)

  • This is a development release, intended to be used as a platform for testing new features.

New in WireShark 1.0.3 (Sep 5, 2008)

  • Security updates and new features

New in WireShark 1.0.2 (Jul 23, 2008)

  • A series of vulnerabilities have been fixed. See the security advisory for details and a workaround. Wireshark could crash while reassembling packets. Versions affected: 0.8.19 to 1.0.1

New in WireShark 1.0.0 (Apr 1, 2008)

  • The X.509sat dissector could crash. Versions affected: 0.99.5 to 0.99.8
  • The Roofnet dissector could crash on Windows, Solaris, and possibly other platforms. Versions affected: 0.99.5 to 0.99.8
  • The LDAP dissector could crash on Windows and possibly other platforms. Versions affected: 0.99.2 to 0.99.8
  • The SCCP dissector could crash while using the "decode as" feature. Versions affected: 0.99.6 to 0.99.8
  • Several SNMP-related bugs have been fixed.
  • Several memory-related bugs have been fixed.
  • The "About" box finally displays version 1.0.
  • This release includes an experimental Mac OS X package.
  • New Protocol Support: IEEE 802.15.4, Infiniband, Parallel Redundancy Protocol, RedBack, Lawful Intercept, Xcsl
  • Updated Protocol Support: AFS, ALCAP, ATM, BACapp, CIGI, DCC (renamed from DCCP), DCCP (renamed from DCP), DCERPC SPOOLSS, DCERPC NT, DHCP, DirectPlay, EtherCAT, FIX, GIOP, GTP, H.248, HTTP, ICMPv6, ICQ, IPv6, ISIS, JXTA, NCP, P_Mul, PCAP, PKIX1Explicit, PTP, RADIUS, Roofnet, RTCP,RTMPT, RTP, RX, SABP, SCSI OSD, sFlow, SMPP, SNMP, SSCOP, TAPA, TIPC, TPNCP, UNISTIM, X.25, X.509sat, XML
  • New and Updated Capture File Support: Hilscher Analyzer

New in WireShark 0.99.8 (Feb 28, 2008)

  • Fixed: The SCTP dissector could crash. Versions affected: 0.99.5 to 0.99.7
  • Fixed: The SNMP dissector could crash. Versions affected: 0.99.6 to 0.99.7
  • Fixed: The TFTP dissector could crash Wireshark on Ubuntu 7.10. (This appears to be a bug in the Cairo library on that platform.) Versions affected: 0.6.0 to 0.99.7
  • Fixed: Wireshark could crash when saving I/O graphs.
  • Fixed: Wireshark could crash when editing table-based preferences.
  • Fixed: Wireshark could crash when trying to play RTP streams.
  • Fixed: Wireshark could crash when trying to apply a display filter macro.
  • Fixed: Wireshark could crash in Turkish and other locales.
  • You can now have multiple configuration profiles.
  • Temporary coloring rules have been added, which let you color or filter on a conversation.
  • I/O graphs have been improved.
  • Wireshark now has WLAN traffic statistics.
  • The Wireshark GUI now supports RPCAP.
  • Conversations and endopoints can now be limited to the current display filter.
  • Experimental support for the NTAR/PcapNG file format has been added.

New in WireShark 0.99.7 (Dec 19, 2007)

  • Security updates and new features