What's new in Wireshark 4.2.4
Mar 28, 2024
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2024-06[3] T.38 dissector crash. Issue 19695[4]. CVE-2024-2955[5].
- The following bugs have been fixed:
- Extcap with configuration never starts; "Configure all extcaps before start of capture." is shown instead. Issue 18487[6].
- Packet Dissection CSV Export includes last column even if hidden. Issue 19666[7].
- Inject TLS secrets closes Wireshark on Windows. Issue 19667[8].
- Fuzz job issue: fuzz-2024-02-27-7196.pcap. Issue 19674[9].
- Wireshark crashes when adding another port to the HTTP dissector. Issue 19677[10].
- Fuzz job issue: fuzz-2024-03-03-7204.pcap. Issue 19685[11].
- Fuzz job issue: randpkt-2024-03-05-8004.pcap. Issue 19688[12].
- When adding a new row to a table an error report may be inserted. Issue 19705[13].
- '--export-objects' does not work as expected on tshark version later than 3.2.10. Issue 19715[14].
- Fuzz job issue: fuzz-2024-03-21-7215.pcap. Issue 19717[15].
- Updated Protocol Support
- 5GLI, 6LoWPAN, AFP, AllJoyn, AMQP, ASAP, Babel, BACnet, Banana, BEEP, Bencode, BFCP, BGP, BT BNEP, BT SDP, BT-DHT, BVLC, CFLOW, CIP, CMIP, CMP, COROSYNC/TOTEMSRP, COSE, CQL, CSN.1, DAP, DCCP, DCOM, DHCPv6, DICOM, DISP, DOCSIS MAC MGMT, DOF, DVB-S2, E2AP, EDONKEY, ENRP, ErlDP, Etch, EXTREME MESH, FC-SWILS, GIOP, GLOW, GNW, GOOSE, GQUIC, Gryphon, GSM A-bis OML, GSUP, GTPv2, H.223, H.225.0, H.245, H.248, H.264, H.265, HSMS, ICMPv6, ICQ, IEEE1609dot2, IPP, IPPUSB, ISAKMP, iSCSI, ISIS LSP, ISO 7816, ISUP, ITS, JSON 3GPP, JXTA, Kafka, KINK, KNX/IP, LDAP, LDP, LISP, LISP TCP, LLRP, LwM2M-TLV, M2UA, M3UA, MAC-LTE, MBIM, MMS, MONGO, MPEG PES, MPLS Echo, MQ PCF, MQTT-SN, MS-WSP, MSDP, MsgPack, NAS-5GS, NETLINK, NHRP, OpenFlow, OpenWire, OPSI, OSC, P22, P7, PANA, PIM, PNIO, ProtoBuf, PROXY, Q.2931, QNET, RDP, RESP, RPL, RSL, RSVP, RTLS, RTMPT, RTPS, S7COMM, SCTP, SIMULCRYPT, SMB2, SML, SNA, SNMP, Socks, SolarEdge, SOME/IP, SoulSeek, SUA, T.38, TCAP, TEAP, TFTP, Thread, Thrift, TN5250, USBHID, USBVIDEO, VP9, WASSP, WiMAX ASN CP, WLCCP, WTP, X.509IF, X.509SAT, XML, XMPP, YAMI, Z39.50, and ZigBee ZCL
- Updated File Format Decoding Support:
- BLF, JPEG, and RBM
New in Wireshark 4.2.3 (Feb 15, 2024)
- Bug Fixes:
- If you are upgrading Wireshark 4.2.0 or 4.2.1 on Windows you will need to download and install[2] Wireshark 4.2.3 or later by hand.
- The following bugs have been fixed:
- Capture start fails when file set enabled and file extension not supplied if directory contains a period. Issue 14614[3].
- Cannot drag and move custom filter buttons in toolbar. Issue 19447[4].
- Not equal won’t work when used with wlan.addr. Issue 19449[5].
- sshdump fails to connect with private key (ssh-rsa). Issue 19510[6].
- ChmodBPF installation fails on macOS Sonoma 14.1.2. Issue 19527[7].
- Windows installers should check for Windows 8.1. Issue 19569[8].
- Fuzz job crash output: fuzz-2024-01-05-7725.pcap. Issue 19570[9].
- Fuzz job crash output: fuzz-2024-01-06-7734.pcap. Issue 19578[10].
- Incorrect recursion depth assert failure when dissecting a legitimate GOOSE message. Issue 19580[11].
- OPC UA - large read request is reported as malformed in 4.2.1 but not in 4.0.12. Issue 19581[12].
- TFTP dissector bug type listed as netscii instead of netascii doesn’t show all TFTP packets including TFTP blocks. Issue 19589[13].
- SMB1 replies from LAN Drive app only show up as NBSS Continuation Message. Issue 19593[14].
- ciscodump - older SSH key exchange algorithms not supported. Issue 19594[15].
- Problem decoding LAPB/X.25/FTAM after adding X.75 decoding. Issue 19595[16].
- Wireshark Filter not working. Issue 19604[17].
- CFLOW: failure to decode 0 length data fields of IPFIX variable length data types. Issue 19605[18].
- Copy …as Printable Text Feature Missing in 4.1/4.2. Issue 19607[19].
- Export Objects - HTTP is missing some HTTP/2 files in a two-pass analysis. Issue 19609[20].
- ASAM-CMP Plugin: Malformed message, length mismatch if vendor defined data of status messages has odd length. Issue 19626[21].
- OSS-Fuzz 66561: wireshark:fuzzshark_ip_proto-udp: Null-dereference READ in wmem_map_lookup. Issue 19642[22].
- Updated Protocol Support:
- ASAM CMP, CAN, CFLOW, CMIP, CMP, DAP, DICOM, DISP, E2AP, GLOW, GOOSE, GTP, GTPv2, H.225, H.245, H.248, HTTP2, IEEE 1609.2, IEEE 1722, IPv4, IPv6, ISO 15765, ISUP, ITS, Kerberos, LDAP, MMS, NBT, NRUP, openSAFETY, P22, P7, PARLAY, RTMPT, RTP, SCSI, SOME/IP, T.38, TCP, TECMP, TFTP, WOW, X.509if, X.509sat, X.75, X11, Z39.50, and ZigBee Green Power
- New and Updated Capture File Support:
- pcap and pcapng
New in Wireshark 4.2.2 (Jan 5, 2024)
- Bug Fixes:
- This release fixes a software update issue on Windows which causes Wireshark to hang if you are upgrading from version 4.2.0 or 4.2.1. If you are experiencing this issue you will need to download and install[2] Wireshark 4.2.2 or later.
- The following bugs have been fixed:
- sharkd is not installed by the Windows installer. Issue 19556[3].
- Fuzz job crash output: fuzz-2024-01-01-7740.pcap. Issue 19558[4].
- Can’t open a snoop file from the Open dialog box unless I select "All files" as the file type. Issue 19565[5].
- Add s4607 dissector to "decode as". Issue 19566[6].
- Updater for 4.2.1 hangs. Issue 19568[7].
- Updated Protocol Support:
- RSVP, RTPS, and STANAG 4607
New in Wireshark 4.2.0 (Nov 16, 2023)
- What’s New:
- This is the first major Wireshark release under the Wireshark Foundation, a nonprofit which hosts Wireshark and promotes protocol analysis education. The foundation depends on your contributions in order to do its work. If you or your employer would like to contribute or become a sponsor, please visit wiresharkfoundation.org.
- Wireshark supports dark mode on Windows.
- A Windows installer for Arm64 has been added.
- Packet list sorting has been improved.
- Wireshark and TShark are now better about generating valid UTF-8 output.
- A new display filter feature for filtering raw bytes has been added.
- Display filter autocomplete is smarter about not suggesting invalid syntax.
- "Tools › MAC Address Blocks" can look up a MAC address in the IEEE OUI registry.
- The enterprises, manuf, and services configuration files have been compiled in for improved start-up times. These files are no longer available in the master branch in our source code repository. You can download the manuf file[2] from our automated build directory.
- The installation target no longer installs development headers by default.
- The Wireshark installation is relocatable on Linux (and other ELF platforms with support for relative RPATHs).
- Wireshark can be compiled on Windows using MSYS2[3]. Check the Developer’s guide for instructions.
- Wireshark can be cross-compiled for Windows using Linux. Check the Developer’s guide for instructions.
- "Tools › Browser (SSL Keylog)" can launch your web browser with the SSLKEYLOGFILE environment variable set to the appropriate value.
- Windows installer file names now have the format Wireshark--.exe.
- Wireshark now supports the Korean language.
- Many other improvements have been made. See the “New and Updated Features” section below for more details.
- Bug Fixes:
- Issue 18413[4] - RTP player do not play audio frequently on Windows builds with Qt6.
- Issue 18510[5] - Playback marker does not move after resume with Qt6.
New in Wireshark 4.0.10 (Oct 9, 2023)
- What’s New:
- We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release.
- If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you might have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon.
- Bug Fixes:
- The following bugs have been fixed:
- Error loading g729.so plugin with Wireshark 4.0.9 and 3.6.17 on macOS.
New in Wireshark 4.0.7 (Jul 13, 2023)
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2023-21[3] Kafka dissector crash. Issue 19105[4].
- wnpa-sec-2023-22[5] iSCSI dissector crash. Issue 19164[6].
- The following bugs have been fixed:
- Crash when (re)loading a capture file after renaming a dfilter macro. Issue 13753[7].
- Moving a column deselects selected packet and moves to beginning of packet list. Issue 16251[8].
- If you set the default interface in the preferences, it doesn’t work with TShark. Issue 16593[9].
- Severe performance issues in Follow → Save As raw workflow. Issue 17313[10].
- TShark doesn’t support the tab character as an aggregator character in "-T fields". Issue 18002[11].
- On Windows, clicking on a link in the 'Software Update' window launches the now-unsupported MS Internet Explorer. Issue 18488[12].
- Wireshark 4.x.x on Win10-x64 crashes after saving a file with a name already in use. Issue 18679[13].
- NAS-5GS Operator-defined Access Category: Multiple Criteria values not displayed in dissected packet display. Issue 18941[14].
- Server Hello Packet Invisible - during 802.1x Authentication- from Wireshark App Version 4.0.3 (v4.0.3-0-gc552f74cdc23) & above. Issue 19071[15].
- TShark reassembled data is incomplete/truncated. Issue 19107[16].
- CQL protocol parsing issues with `Result` frames from open source Cassandra. Issue 19119[17].
- TLS 1.3 second Key Update doesn’t work. Issue 19120[18].
- HTTP2 dissector reports an assertion error on large data frames. Issue 19121[19].
- epan: Single letter hostnames aren’t displayed correctly. Issue 19137[20].
- BLF: CAN-FD-Message format is missing a field. Issue 19146[21].
- BLF: last parameter of LIN-Message is not mandatory (BUGFIX). Issue 19147[22].
- PPP IPv6CP: Incorrect payload length warning. Issue 19149[23].
- INSTALL file needs to be updated for Debian. Issue 19167[24].
- Some RTP streams make Wireshark crash when trying to play stream. Issue 19170[25].
- Wrong ordering in OpenFlow 1.0 Datapath unique ID. Issue 19172[26].
- Incorrect mask in RTCP slice picture ID. Issue 19182[27].
- Dissection error in AMQP 1.0. Issue 19191[28].
- Updated Protocol Support:
- 9P, AMQP, BGP, CQL, DHCPFO, EAP, GlusterFS, GSM MAP, HTTP2, iSCSI, Kafka, Kerberos, NAN, NAS-5GS, OCP.1, OpenFlow 1.0, PDCP-NR, PEAP, PPPoE, RSL, RTCP, rtnetlink, and XMPP
New in Wireshark 4.0.6 (May 25, 2023)
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2023-12[3] Candump log file parser crash. Issue 19062[4].
- wnpa-sec-2023-13[5] BLF file parser crash. Issue 19063[6].
- wnpa-sec-2023-14[7] GDSDB dissector infinite loop. Issue 19068[8].
- wnpa-sec-2023-15[9] NetScaler file parser crash. Issue 19081[10].
- wnpa-sec-2023-16[11] VMS TCPIPtrace file parser crash. Issue 19083[12].
- wnpa-sec-2023-17[13] BLF file parser crash. Issue 19084[14].
- wnpa-sec-2023-18[15] RTPS dissector crash. Issue 19085[16]. CVE-2023-0666[17].
- wnpa-sec-2023-19[18] IEEE C37.118 Synchrophasor dissector crash. Issue 19087[19]. CVE-2023-0668[20].
- IEEE-C37.118 parsing buffer overflow. Issue 19087[21].
- The following bugs have been fixed:
- Conversations list has incorrect unit (bytes) in bit speed columns in the 3.7 development versions. Issue 18211[22].
- The media_type table should treat media types, e.g. application/3gppHal+json, as case-insensitive. Issue 18611[23].
- NNTP dissector bug. Issue 18981[24].
- Incorrect padding in BFCP decoder. Issue 18890[25].
- SPNEGO dissector bug. Issue 18991[26].
- SRT values are incorrect when applying a time shift. Issue 18999[27].
- Add warning that capturing is not supported in Wireshark installed from flatpak. Issue 19008[28].
- Opening Wireshark with -z io,stat option. Issue 19042[29].
- batadv dissector bug. Issue 19047[30].
- radiotap-gen build fails if pcap is not found. Issue 19059[31].
- [UDS] When filtering the uds.wdbi.data_identifier or uds.iocbi.data_identifier field is interpreted as 1 byte whereas it consists of 2 bytes. Issue 19078[32].
- Wireshark can’t save this capture in that format. Issue 19080[33].
- MSMMS parsing buffer overflow. Issue 19086[34].
- USB HID parser shows wrong label for usages Rx/Vx/Vbrx of usage page Generic Desktop Control. Issue 19095[35].
- Updated Protocol Support:
- The media type dissector table now properly treats media types and subtypes as case-insensitive automatically, per RFC 6838. Media types no longer need to be lower cased before registering or looking up in the table.
- batadv, BFCP, CommunityID, COSE, GDSDB, H.265, HTTP, ILP, ISAKMP, MSMMS, NNTP, NR RRC, NTLMSSP, RTPS, SPNEGO, Synphasor, TCP, UDS, ULP, and USB HID
- New and Updated Capture File Support:
- BLF, Candump, NetScaler, and VMS TCPIPtrace
New in Wireshark 4.0.5 (Apr 15, 2023)
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2023-09[3] RPCoRDMA dissector crash. Issue 18852[4]. CVE-2023-1992[5].
- wnpa-sec-2023-10[6] LISP dissector large loop. Issue 18900[7]. CVE-2023-1993[8].
- wnpa-sec-2023-11[9] GQUIC dissector crash. Issue 18947[10]. CVE-2023-1994[11].
- The following bugs have been fixed:
- Wireshark ITS Dissector RTCMEM wrong protocol version selector 2 - should use 1. Issue 18862[12].
- Wireshark treats the letter E in SSRC as an exponential representation of a number. Issue 18879[13].
- VNC RRE Parser skips over data. Issue 18883[14].
- sshdump coredump when --remote-interface is left empty. Issue 18904[15].
- Fuzz job crash output: fuzz-2023-03-17-7298.pcap. Issue 18917[16].
- Fuzz job crash output: fuzz-2023-03-27-7564.pcap. Issue 18934[17].
- RFC8925 support (DHCP option 108). Issue 18943[18].
- DIS dissector shows an incorrect state in the packet list info column. Issue 18967[19].
- RTP analysis shows incorrect timestamp error when timestamp is rolled over. Issue 18973[20].
- Asterisk (*) key crash on Endpoint/Conversation dialog. Issue 18975[21].
- The RTP player waveform now synchronizes better with audio.
- Updated Protocol Support:
- DHCP, DIS, DNS, ERF, FF, genl, GQUIC, GSM A-bis OML, HL7, IEEE 802.11, ITS, LAPD, netfilter, netlink-route, netlink-sock_diag, nl80211, RLC, RPCoRDMA, RTPS, SCTP, SMB, UDS, VNC, and WCP
New in Wireshark 4.0.4 (Mar 3, 2023)
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2023-08[3] ISO 15765 and ISO 10681 dissector crash. Issue 18839[4].
- The following bugs have been fixed:
- UTF-8 characters end up escaped in PSML output. Issue 10445[5].
- Export filtered displayed packets won’t save IP fragments of SCTP fragments needed to reassemble a displayed frame. Issue 12597[6].
- DICOM dissection in reassembled PDV goes wrong. Issue 13388[7].
- "Export Objects - IMF" produces incorrect file, TCP reassembly fails with retransmissions that have additional data. Issue 13523[8].
- The intelligent scroll bar or minimap is not predictable on locating and scrolling. Issue 13989[9].
- If you mark (or unmark) the currently-selected frame, the packet details still say it’s not marked (or it is marked). Issue 14330[10].
- An out-of-order packet incorrectly detected as retransmission breaks desegmentation of TCP stream. Issue 15993[11].
- Sorting Packet Loss Column is not sorting correctly. Issue 16785[12].
- Some HTTPS packets cannot be decrypted. Issue 17406[13].
- SIP TCP decoding regression from Wireshark 1.99.0 to 3.6.8. Issue 18411[14].
- Frame comments not preserved when using filter to write new pcap from tshark. Issue 18693[15].
- ChmodBPF not working on macOS Ventura 13.1. Issue 18734[16].
- Wireshark GUI and window manager stuck after setting display filter. Issue 18809[17].
- Dissector bug, protocol H.261. Issue 18812[18].
- File extension heuristics are case-sensitive. Issue 18821[19].
- Symbolic links to packages in macOS dmg can’t be double-clicked to install on macOS 13.2. Issue 18830[20].
- Potential memory leak in tshark.c. Issue 18837[21].
- Fuzz job crash output: fuzz-2023-02-05-7303.pcap. Issue 18842[22].
- f5fileinfo: Hardware platforms missing descriptions. Issue 18848[23].
- The lines in the intelligent scrollbar are off by one. Issue 18850[24].
- Wireshark crashes on invalid UDS packet in Lua context. Issue 18865[25].
- TECMP dissector shows the wrong Voltage in Vendor Data. Issue 18871[26].
- UDS: Names of RDTCI subfunctions 0x0b … 0x0e are not correct. Issue 18873[27].
New in Wireshark 4.0.3 (Jan 19, 2023)
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2023-01[2] EAP dissector crash. Issue 18622[3].
- wnpa-sec-2023-02[4] NFS dissector memory leak. Issue 18628[5].
- wnpa-sec-2023-03[6] Dissection engine crash. Issue 18766[7].
- wnpa-sec-2023-04[8] GNW dissector crash. Issue 18779[9].
- wnpa-sec-2023-05[10] iSCSI dissector crash. Issue 18796[11].
- wnpa-sec-2023-06[12] Multiple dissector excessive loops. Issue 18711[13], Issue 18720[14], Issue 18737[15].
- wnpa-sec-2023-07[16] TIPC dissector crash. Issue 18770[17].
- The following bugs have been fixed:
- Qt: After modifying coloring rules, the coloring rule applied to the first packet reflects the coloring rules previously in effect. Issue 12475[18].
- Help file doesn’t display for extcap interfaces. Issue 15592[19].
- For USB traffic on XHC20 interface destination is always given as Host. Issue 16768[20].
- Wireshark Expert Info - cannot deselect the limit to display filter tick box. Issue 18461[21].
- Wrong pointer conversion in get_data_source_tvb_by_name(). Issue 18517[22].
- Wrong number of bits skipped while decoding an empty UTF8String on UPER packet. Issue 18702[23].
- Crash when analyzing protobuf packets. Issue 18730[24].
- Uninitialized values in various dissectors. Issue 18742[25].
- String (GeoIP country/city) ordering doesn’t work in Endpoints. Issue 18749[26].
- Wireshark crashes with an assertion failure on stray minus in filter. Issue 18750[27].
- IO Graph: Add new graph only works until the 10th graph. Issue 18762[28].
- Fuzz job crash output: fuzz-2022-12-30-11007.pcap. Issue 18770[29].
- Q.850 - error in label for cause 0x7F. Issue 18780[30].
- Uninitialized values in CoAP and RTPS dissectors. Issue 18785[31].
- Screenshots in AppStream metainfo.xml file not available. Issue 18801[32].
- Updated Protocol Support:
- ASTERIX, BEEP, BGP, BPv6, CoAP, EAP, GNW, GSM A-bis P-GSL, iSCSI, ISUP, LwM2M-TLV, MBIM, NBAP, NFS, OBD-II, OPUS, ProtoBuf, RLC, ROHC, RTPS, Telnet, TIPC, and USB
New in Wireshark 4.0.2 (Dec 8, 2022)
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2022-09[2] Multiple dissector infinite loops.
- wnpa-sec-2022-10[3] Kafka dissector memory exhaustion.
- The following bugs have been fixed:
- Qt: Endpoints dialog - unexpected byte unit suffixes in packet columns. Issue 18229[4].
- GOOSE: field "floating_point" not working anymore. Issue 18491[5].
- EVS Header-Full format padding issues. Issue 18498[6].
- Wireshark 4.0.0 VOIP playback has no sound and can’t resume after pausing. Issue 18510[7].
- Wireshark crashes when exporting a profile on Mac OSX if there is no extension. Issue 18525[8].
- EVS dissector missing value description. Issue 18550[9].
- Qt 6 font descriptions not backward compatible with Qt 5. Issue 18553[10].
- Wireshark, wrong TCP ACKed unseen segment message. Issue 18558[11].
- Invalid Cyrillic symbol in timezone at "Arrival Time" field in frame. Issue 18562[12].
- ProtoBuf parse extension definitions failed. Issue 18599[13].
- Fuzz job crash output: fuzz-2022-11-09-11134.pcap. Issue 18613[14].
- Fuzz job crash output: fuzz-2022-11-14-11111.pcap. Issue 18632[15].
- Wireshark is using an old version of ASN (ETSI TS 125 453 V11.2.0) which is impacting the length of params in the messages. Issue 18646[16].
- BGP: False IGMP flags value in EVPN routes (type 6,7,8). Issue 18660[17].
- wslog assumes stderr and stdout exist. Issue 18684[18].
- Editing packet comments, with non-ASCII characters, on Windows saves them in the local code page, not in UTF-8. Issue 18698[19].
- Unable to decrypt PSK based DTLS traffic which uses Connection ID. Issue 18705[20].
- HTTP2 tests fail when built without nghttp2. Issue 18707[21].
- Updated Protocol Support:
- ASN.1 PER, ASTERIX, BGP, BPv6, DTLS, EVS, GOOSE, GSM Osmux, IPv6, Kafka, Locamation IM, MONGO, NXP 802.15.4, OpenFlow v6, PCAP, Protobuf, RTP, S1AP, SKINNY, TCP, and WASSP
New in Wireshark 4.0.1 (Oct 27, 2022)
- Bug Fixes:
- Comparing a boolean field against 1 always succeeds on big-endian machines. Issue 12236[2].
- Qt: MaxMind GeoIP columns not added to Endpoints table. Issue 18320[3].
- Fuzz job crash output: fuzz-2022-10-04-7131.pcap. Issue 18402[4].
- The RTP player might not play audio on Windows. Issue 18413[5].
- Wireshark 4.0 breaks display filter expression with > sign. Issue 18418[6].
- Capture filters not working when using SSH capture and dumpcap. Issue 18420[7].
- Packet diagram field values are not terminated. Issue 18428[8].
- Packet bytes not displayed completely if scrolling. Issue 18438[9].
- Fuzz job crash output: fuzz-2022-10-13-7166.pcap. Issue 18467[10].
- Decoding bug H.245 userInput Signal. Issue 18468[11].
- CFDP dissector doesn’t handle "destination filename" only. Issue 18495[12].
- Home page capture button doesn’t pop up capture options dialog. Issue 18506[13].
- Missing dot in H.248 protocol name. Issue 18513[14].
- Missing dot for protocol H.264 in protocol column. Issue 18524[15].
- Fuzz job crash output: fuzz-2022-10-23-7240.pcap. Issue 18534[16].
- Removed Features and Support:
- The experimental display filter syntax for literals using angle brackets that was introduced in Wireshark 4.0.0 has been removed. For byte arrays a colon prefix can be used instead. See the User’s Guide[17] for details.
- Updated Protocol Support:
- ASN.1 PER, CFDP, Diameter, DirectPlay, F5 Ethernet Trailer, GTP, H.223, H.248, H.264, H.265, IEEE 802.11, IPv4, MBIM, O-RAN FH CUS, PFCP, RTCP, SCTP, SMB, TCP, and TRANSUM
- New and Updated Capture File Support:
- BLF
New in Wireshark 4.0.0 (Oct 5, 2022)
- What’s New:
- We no longer ship official 32-bit Windows packages starting with this release. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779.
- The display filter syntax is more powerful with many new extensions. See below for details.
- The Conversation and Endpoint dialogs have been redesigned. See below for details.
- The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane.
- Hex dump imports from Wireshark and from text2pcap have been improved. See below for details.
- Speed when using MaxMind geolocation has been greatly improved.
- The tools and libraries required to build Wireshark have changed. See “Other Development Changes” below for more details.
- Many other improvements have been made. See the “New and Updated Features” section below for more details.
- New and Updated Features:
- The following features are new (or have been significantly updated) since version 4.0.0rc2:
- Nothing of note.
- The following features are new (or have been significantly updated) since version 4.0.0rc1:
- The macOS packages now ship with Qt 6.2.4 and require macOS 10.14. They previously shipped with Qt 5.15.3.
- The Windows installers now ship with Npcap 1.71. They previously shipped with Npcap 1.70.
- The following features are new (or have been significantly updated) since version 3.7.2:
- The Windows installers now ship with Npcap 1.70. They previously shipped with Npcap 1.60.
- The following features are new (or have been significantly updated) since version 3.7.1:
- The 'v' (lower case) and 'V' (upper case) switches have been swapped for editcap and mergecap to match the other command line utilities.
- The ip.flags field is now only the three high bits, not the full byte. Display filters and Coloring rules using the field will need to be adjusted.
- New address type AT_NUMERIC allows simple numeric addresses for protocols which do not have a more common-style address approach, analogous to AT_STRINGZ.
- The following features are new (or have been significantly updated) since version 3.7.0:
- The Windows installers now ship with Qt 6.2.3. They previously shipped with Qt 6.2.4.
- The Conversation and Endpoint dialogs have been redesigned with the following improvements:
- The context menu now includes the option to resize all columns, as well as copying elements.
- Data may be exported as JSON.
- Tabs may be detached and reattached from the dialog.
- Adding and removing tabs will keep them in the same order all the time.
- If a filter is applied, two columns are shown in either dialog detailing the difference between unmatched and matched packets.
- Columns are now sorted via secondary properties if an identical entry is found.
- Conversations are sorted via second address and first port number.
- Endpoints are sorted via port numbers.
- IPv6 addresses are sorted correctly after IPv4 addresses.
- The dialog elements have been moved to make it easier to handle for new users.
- Selection of tap elements is done via a list.
- All configurations and options are done via a left side button row.
- Columns for the Conversations and Endpoint dialogs can be hidden by a context menu.
- TCP and UDP conversations now include the stream ID and allow filtering on it.
- The following features are new (or have been significantly updated) since version 3.6.0:
- The Windows installers now ship with Npcap 1.60. They previously shipped with Npcap 1.55.
- The Windows installers now ship with Qt 6.2.4. They previously shipped with Qt 5.12.2.
- The display filter syntax has been updated and enhanced:
- A syntax to match a specific layer in the protocol stack has been added. For example in an IP-over-IP packet “ip.addr#1 == 1.1.1.1” matches the outer layer addresses and “ip.addr#2 == 1.1.1.2” matches the inner layer addresses.
- Universal quantifiers "any" and "all" have been added to any relational operator. For example the expression "all tcp.port > 1024" is true if and only if all tcp.port fields match the condition. Previously only the default behaviour to return true if any one field matches was supported.
- Field references, of the form ${some.field}, are now part of the syntax of display filters. Previously they were implemented as macros. The new implementation is more efficient and has the same properties as protocol fields, like matching on multiple values using quantifiers and support for layer filtering.
- Arithmetic is supported for numeric fields with the usual operators “+”, “-”, “*”, “/”, and “%”. Arithmetic expressions must be grouped using curly brackets (not parentheses).
- New display filter functions max(), min() and abs() have been added.
- Functions can accept expressions as arguments, including other functions. Previously only protocol fields and slices were syntactically valid function arguments.
- A new syntax to disambiguate literals from identifiers has been added. Every value with a leading dot is a protocol or protocol field. Every value in between angle brackets is a literal value. See the User’s Guide for details.
- The "bitwise and" operator is now a first-class bit operator, not a boolean operator. In particular this means it is now possible to mask bits, e.g.: frame[0] & 0x0F == 3.
- Dates and times can be given in UTC using ISO 8601 (with 'Z' timezone) or by appending the suffix "UTC" to the legacy formats. Otherwise local time is used.
- Integer literal constants may be written in binary (in addition to decimal/octal/hexadecimal) using the prefix "0b" or "0B".
- Logical AND now has higher precedence than logical OR, in line with most programming languages.
- It is now possible to index protocol fields from the end using negative indexes. For example the following expression tests the last two bytes of the TCP protocol field: tcp[-2:] == AA:BB. This was a longstanding bug that has been fixed in this release.
- Set elements must be separated using a comma, e.g: {1, 2, "foo"}. Using only whitespace as a separator was deprecated in 3.6 and is now a syntax error.
- Support for some additional character escape sequences in double quoted strings has been added. Along with octal (\ooo) and hex (\xhh) encoding, the following C escape sequences are now supported with the same meaning: \a, \b, \f, \n, \r, \t, \v. Previously they were only supported with character constants.
- Unicode universal character names are now supported with the escape sequences \uNNNN or \UNNNNNNNN, where N is a hexadecimal digit.
- Unrecognized escape sequences are now treated as a syntax error. Previously they were treated as a literal character. In addition to the sequences indicated above, backslash, single quotation and double quotation mark are also valid sequences: \\, \', \".
- A new strict equality operator "===" or "all_eq" has been added. The expression "a === b" is true if and only if all a’s are equal to b. The negation of "===" can now be written as "!==" (any_ne).
- The aliases "any_eq" for "==" and "all_ne" for "!=" have been added.
- The operator "~=" is deprecated and will be removed in a future version. Use "!==", which has the same meaning instead.
- Floats must be written with a leading and ending digit. For example the values ".7" and "7." are now invalid as floats. They must be written "0.7" and "7.0" respectively.
- The display filter engine now uses PCRE2 instead of GRegex (GLib’s bindings to the older and end-of-life PCRE library). PCRE2 is compatible with PCRE so any user-visible changes should be minimal. Some exotic patterns may now be invalid and require rewriting.
- Literal strings can handle embedded null bytes (the value '\0') correctly. This includes regular expression patterns. For example the double-quoted string "\0 is a null byte" is a legal literal value. This may be useful to match byte patterns, but note that in general protocol fields with a string type still cannot contain embedded null bytes.
- Booleans can be written as True/TRUE or False/FALSE. Previously they could only be written as 1 or 0.
- It is now possible to test for the existence of a slice.
- All integer sizes are now compatible. Unless overflow occurs any integer field can be compared with any other.
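To make the quantifier, operator-alias and layer rules above concrete, here is an added Python model (not Wireshark's own dfilter engine) that evaluates filters of the form `[any|all] field[#N] OP literal` over a constructed IP-over-IP packet; the packet layout, the rule that an absent field never matches, and the names `parse_literal`, `field_values` and `evaluate` are assumptions of this example.

```python
"""Toy evaluator for the Wireshark 4.0 display-filter quantifier and layer
semantics.  Added example, not Wireshark code: a packet is modelled as a
list of (protocol, fields) layers, each field mapping to every value it
takes in that layer, which is what makes "any"/"all" meaningful.
"""
import operator
import re

# Constructed sample: IP-over-IP carrying TCP.  ip.addr covers both source
# and destination, so it occurs twice per IP layer; likewise tcp.port.
PACKET = [
    ("ip", {"ip.addr": ["1.1.1.1", "10.0.0.1"]}),   # outer IP layer (#1)
    ("ip", {"ip.addr": ["1.1.1.2", "10.0.0.2"]}),   # inner IP layer (#2)
    ("tcp", {"tcp.port": [443, 52000]}),
]

# Base comparisons applied to one field occurrence at a time.
_CMP = {
    "==": operator.eq, "!=": operator.ne,
    "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge,
}

# Operator spellings from the release notes and the quantifier each implies:
# "==" is any_eq, "!=" is all_ne, "===" is all_eq, "!==" is any_ne, and the
# deprecated "~=" means the same as "!==".  Plain relational operators
# default to "any".
_ALIASES = {
    "==": ("any", "=="), "any_eq": ("any", "=="),
    "!=": ("all", "!="), "all_ne": ("all", "!="),
    "===": ("all", "=="), "all_eq": ("all", "=="),
    "!==": ("any", "!="), "any_ne": ("any", "!="), "~=": ("any", "!="),
    "<": ("any", "<"), "<=": ("any", "<="),
    ">": ("any", ">"), ">=": ("any", ">="),
}

_EXPR = re.compile(
    r"\s*(?:(any|all)\s+)?"             # optional explicit quantifier
    r"([A-Za-z_][\w.]*)(?:#(\d+))?\s*"  # field name, optional layer number
    r"(===|!==|~=|==|!=|<=|>=|<|>|any_eq|all_eq|any_ne|all_ne)\s*"
    r"(\S+)\s*$"                        # literal
)


def parse_literal(text):
    """Integer literals may be decimal, 0x hex, 0o octal or 0b binary
    (the notes add the 0b prefix); anything else stays a string."""
    try:
        return int(text, 0)
    except ValueError:
        return text


def field_values(packet, name, layer=None):
    """All occurrences of `name`.  `layer` (1-based) restricts the search
    to the N-th layer of the field's protocol, as `ip.addr#2` does."""
    proto = name.split(".", 1)[0]
    layers = [fields for p, fields in packet if p == proto]
    if layer is not None:
        layers = layers[layer - 1:layer] if layer >= 1 else []
    return [v for fields in layers for v in fields.get(name, [])]


def evaluate(packet, expr):
    """Evaluate `[any|all] field[#N] OP literal` against `packet`.

    An explicit quantifier overrides the one the operator implies.  A field
    that does not occur in the packet never matches under either quantifier
    (modelling assumption for this example)."""
    m = _EXPR.match(expr)
    if not m:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    quant, name, layer, op, lit = m.groups()
    implied_quant, base_op = _ALIASES[op]
    quant = quant or implied_quant
    values = field_values(packet, name, int(layer) if layer else None)
    if not values:
        return False
    literal = parse_literal(lit)
    try:
        results = [_CMP[base_op](v, literal) for v in values]
    except TypeError:   # e.g. ordering an address string against an integer
        return False
    return all(results) if quant == "all" else any(results)


if __name__ == "__main__":
    # The classic gotcha: "!=" is all_ne in 4.0, so a packet that has port 443
    # on one side does not match "tcp.port != 443" any more; "!==" does.
    for f in ("tcp.port != 443", "tcp.port !== 443", "all tcp.port > 1024",
              "ip.addr#1 == 1.1.1.1", "ip.addr#2 == 1.1.1.1"):
        print(f"{f:25} -> {evaluate(PACKET, f)}")
```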
- The text2pcap command and the “Import from Hex Dump” feature have been updated and enhanced:
- text2pcap supports writing the output file in all the capture file formats that wiretap library supports, using the same -F option as editcap, mergecap, and tshark.
- Consistent with the other command line tools like editcap, mergecap, tshark, and the "Import from Hex Dump" option within Wireshark, the default capture file format for text2pcap is now pcapng. The -n flag to select pcapng (instead of the previous default, pcap) has been deprecated and will be removed in a future release.
- text2pcap supports selecting the encapsulation type of the output file format using the wiretap library short names with an -E option, similar to the -T option of editcap.
- text2pcap has been updated to use the new logging output options and the -d flag has been removed. The "debug" log level corresponds to the old -d flag, and the "noisy" log level corresponds to using -d multiple times.
- text2pcap and “Import from Hex Dump” support writing fake IP, TCP, UDP, and SCTP headers to files with Raw IP, Raw IPv4, and Raw IPv6 encapsulations, in addition to Ethernet encapsulation available in previous versions.
- text2pcap supports scanning the input file using a custom regular expression, as supported in “Import from Hex Dump” in Wireshark 3.6.x.
- In general, text2pcap and Wireshark’s “Import from Hex Dump” have feature parity.
- The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane.
- The HTTP2 dissector now supports using fake headers to parse the DATA frames of streams captured without the first HEADERS frames of a long-lived stream (such as a gRPC streaming call, which allows sending many request or response messages in one HTTP2 stream). Users can specify fake headers using an existing stream’s server port, stream id and direction.
- The IEEE 802.11 dissector supports Mesh Connex (MCX).
- The “Capture Options” dialog contains the same configuration icon as the Welcome Screen. It is now possible to configure interfaces there.
- The “Extcap” dialog remembers password items during runtime, which makes it possible to run extcaps multiple times in a row without having to re-enter the password each time. Passwords are never stored on disk.
- It is possible to set extcap passwords in tshark and other CLI tools.
- The extcap configuration dialog now supports and remembers empty strings. There are new buttons to reset values back to their defaults.
- Support for displaying a JSON mapping for Protobuf messages has been added.
- macOS debugging symbols are now shipped in separate packages, similar to Windows packages.
- In the ZigBee ZCL Messaging dissector the zbee_zcl_se.msg.msg_ctrl.depreciated field has been renamed to zbee_zcl_se.msg.msg_ctrl.deprecated.
- The interface list on the welcome page sorts active interfaces first and only displays sparklines for active interfaces. Additionally, the interfaces can now be hidden and shown via the context menu in the interface list.
- The Event Tracing for Windows (ETW) file reader now supports displaying IP packets from an event trace logfile or an event trace live session.
- ciscodump now supports IOS, IOS-XE and ASA remote capturing.
- Removed Features and Support:
- The CMake options starting with DISABLE_something were renamed ENABLE_something for consistency. For example DISABLE_WERROR=On became ENABLE_WERROR=Off. The default values are unchanged.
- New Protocol Support:
- Allied Telesis Loop Detection (AT LDF), AUTOSAR I-PDU Multiplexer (AUTOSAR I-PduM), DTN Bundle Protocol Security (BPSec), DTN Bundle Protocol Version 7 (BPv7), DTN TCP Convergence Layer Protocol (TCPCL), DVB Selection Information Table (DVB SIT), Enhanced Cash Trading Interface 10.0 (XTI), Enhanced Order Book Interface 10.0 (EOBI), Enhanced Trading Interface 10.0 (ETI), FiveCo’s Legacy Register Access Protocol (5co-legacy), Generic Data Transfer Protocol (GDT), gRPC Web (gRPC-Web), Host IP Configuration Protocol (HICP), Huawei GRE bonding (GREbond), Locamation Interface Module (IDENT, CALIBRATION, SAMPLES - IM1, SAMPLES - IM2R0), Mesh Connex (MCX), Microsoft Cluster Remote Control Protocol (RCP), Open Control Protocol for OCA/AES70 (OCP.1), Protected Extensible Authentication Protocol (PEAP), Realtek, REdis Serialization Protocol v2 (RESP), Roon Discovery (RoonDisco), Secure File Transfer Protocol (sftp), Secure Host IP Configuration Protocol (SHICP), SSH File Transfer Protocol (SFTP), USB Attached SCSI (UASP), and ZBOSS Network Coprocessor product (ZB NCP)
- Updated Protocol Support:
- Too many protocols have been updated to list here.
- New and Updated Capture File Support:
- There is no new or updated capture file support in this release.
- Major API Changes:
- proto.h: The field display types "STR_ASCII" and "STR_UNICODE" have been removed. Use "BASE_NONE" instead.
- proto.h: The field display types for floats have been extended and refactored. The type BASE_FLOAT has been removed. Use BASE_NONE instead. New display types for floats are BASE_DEC, BASE_HEX, BASE_EXP and BASE_CUSTOM.
- The Wireshark Lua API now uses the lrexlib bindings to PCRE2. Code using the Lua GRegex module will have to be updated to use lrexlib-pcre2 instead. In most cases the API should be compatible and the conversion just requires a module name change.
- The tap registration system has been updated and the list of arguments for tap_packet_cb has changed. All taps registered through register_tap_listener have to be updated.
- Other Development Changes:
- The PCRE2 library is now required to build Wireshark.
- You must now have a compiler with C11 support in order to build Wireshark.
- The following libraries and tools have had their minimum required version increased:
- CMake 3.10 is required on macOS and Linux.
- Qt version 5.12 (was 5.6.0) is required; compilation with 5.10 and 5.11 is still possible but triggers a warning during configuration.
- Windows SDK 10.0.18362.0 is required due to issues with C11 support.
- macOS version 10.11 to 10.14 (was 10.8) is required depending on the version of Qt:
- Qt 5.10 or higher requires macOS version 10.11
- Qt 5.12 or higher requires macOS version 10.12
- Qt 5.14 or higher requires macOS version 10.13
- Qt 6.0 or higher requires macOS version 10.14
- GLib version 2.50.0 (was 2.38.0) is required.
- Libgcrypt version 1.8.0 (was 1.5.0) is required.
- c-ares version 1.13.0 (was 1.5.0) is required.
- Python version 3.6.0 (was 3.4.0) is required.
- GnuTLS version 3.5.8 (was 3.3.0) is required.
- Nghttp2 minimum version has been set to 1.11.0 (no previous minimum).
- Perl is no longer required to build Wireshark, but may be required to build some source code files and run code analysis checks.
New in WireShark 3.6.8 (Sep 8, 2022)
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2022-06[2] F5 Ethernet Trailer dissector infinite loop. Issue 18307[3].
- The following bugs have been fixed:
- TCAP Malformed exception on externally re-assembled packet. Issue 10515[4].
- Extended 3GPP-GPRS-Negotiated-QoS-profile strings decoded incompletely. Issue 10688[5].
- HTTP2 dissector decodes first SSL record only. Issue 11173[6].
- L2TP improvements - cookie length detection, UDP encapsulation and more. Issue 16565[7].
- USB Truncation of URB_isochronous in frames. Issue 18021[8].
- ISUP/BICC parameter summary text duplication. Issue 18094[9].
- Running rpm-setup.sh shows missing packages that CentOS does not need. Issue 18166[10].
- IPX/IPX RIP: Crash on expand subtree. Issue 18234[11].
- Qt: A file or packet comment that is too large will corrupt the pcapng file. Issue 18235[12].
- BGP dissector bug. Issue 18248[13].
- Wrong interpretation of the cbsp.rep_period field in epan/dissectors/packet-gsm_cbsp.c. Issue 18254[14].
- Assertion due to incorrect mask for btatt.battery_power_state.*. Issue 18267[15].
- Qt: Expert Info dialog not showing Malformed Frame when Frame length is less than captured length. Issue 18312[16].
- Wireshark and tshark become non-responsive when reading certain packets. Issue 18313[17].
- Updated Protocol Support:
- BGP, BICC, BT ATT, CBSP, Couchbase, F5 Ethernet Trailer, Frame, GTP, GTP (prime), IPsec, ISUP, L2TP, NAS-5GS, Protobuf, SCCP, TCP, and TLS
- New and Updated Capture File Support:
- pcap, pcapng
New in WireShark 3.6.7 (Jul 28, 2022)
- The following bugs have been fixed:
- Multiple Files preference "Create new file automatically…after" [time] working incorrectly. Issue 16783.
- get_filter Lua function doesn’t return the filter. Issue 17188.
- Dissector bug, protocol HTTP failed assertion "saved_layers_len < 500" with chunked/multipart. Issue 18130.
- Wrong EtherCAT bit label (possible dissector bug). Issue 18132.
- UDP packets falsely marked as "malformed packet". Issue 18136.
- TLS certificate parser with filter crash. Issue 18155.
- Incorrect type for the IEC 60870 APDU appears in packet details pane. Issue 18167.
- NHRP Problem. Issue 18181.
- EtherCAT CoE header unknown type. Issue 18220.
- New and Updated Features:
- Updated Protocol Support:
- BGP, DTLS, EtherCAT, EtherCAT Mailbox, HTTP, IEC 104, MEGACO, NHRP, PPPoE, QUIC, RTCP, Signal PDU, SOME/IP, and X509IF
New in WireShark 3.6.6 (Jun 16, 2022)
- Bug Fixes:
- TLS: RSA decryption fails with Extended Master Secret and renegotiation. Issue 18059[2].
- "dfilter" file on Windows adds carriage returns, and requires line feeds. Issue 18082[3].
- Npcap bundled version needs a bump to v1.60 for Windows 11 compatibility. Issue 18084[4].
- "Browse" button in Prefs/Name Resolution/MaxMind crashes Wireshark on macOS. Issue 18088[5].
- TFTP: some packets are not recognized as TFTP packets with 3.6.5. Issue 18122[6].
- Updated Protocol Support:
- DTLS, F5 Capture Information, F5 Ethernet Trailer, FlexRay, MBIM, TFTP, TLS, and ZigBee ZCL
New in WireShark 3.6.3 (Mar 24, 2022)
- Bug Fixes:
- The following bugs have been fixed:
- Fuzz job crash output: fuzz-2022-01-19-7399.pcap. Issue 17894[1].
- TLS dissector incorrectly reports JA3 values. Issue 17942[2].
- "Wiki Protocol page" in packet details menu is broken - wiki pages not migrated to GitLab? Issue 17944[3].
- Dissector bug, protocol PFCP display Flow Description IE value error in Additional Flow Description of PFD Management Request Message. Issue 17951[4].
- Bluetooth: Fails to open Log file for SCO connection. Issue 17964[5].
- Fuzz job crash output: fuzz-2022-03-07-10896.pcap. Issue 17984[6].
- libwiretap: Save as ERF causes segmentation fault. Issue 17989[7].
- HTTP server returning multiple early hints shows too many responses in "Follow HTTP Stream". Issue 18006[8].
- Updated Protocol Support:
- CSN.1, HTTP, IEEE 802.11, NTLM SSP, PFCP, PKTLOG, SSDP, TLS, and USB HID
- New and Updated Capture File Support:
- pcap and pcapng
New in WireShark 3.6.2 (Feb 11, 2022)
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2022-01[1] RTMPT dissector infinite loop. Issue 17813[2].
- wnpa-sec-2022-02[3] Large loops in multiple dissectors. Issue 17829[4], Issue 17842[5], Issue 17847[6], Issue 17855[7], Issue 17891[8], Issue 17925[9], Issue 17926[10], Issue 17931[11], Issue 17932[12], Issue 17933[13].
- wnpa-sec-2022-03[14] PVFS dissector crash. Issue 17840[15].
- wnpa-sec-2022-04[16] CSN.1 dissector crash. Issue 17882[17].
- wnpa-sec-2022-05[18] CMS dissector crash. Issue 17935[19].
- The following bugs have been fixed:
- Support for GSM SMS TPDU in HTTP2 body. Issue 17784[20].
- Wireshark 3.6.1 broke the ABI by removing ws_log_default_writer from libwsutil. Issue 17822[21].
- Fedora RPM package build failing with RPATH of /usr/local/lib64. Issue 17830[22].
- macos-setup.sh: ftp.pcre.org no longer exists. Issue 17834[23].
- nmap.org/npcap → npcap.com: domain/URL change. Issue 17838[24].
- MPLS ECHO FEC stack change TLV not dissected correctly. Issue 17868[25].
- Attempting to open a systemd journal export file segfaults. Issue 17875[26].
- Dissector bug on 802.11ac packets. Issue 17878[27].
- The Info column shows only one NGAP/S1AP packet of several packets inside an SCTP packet. Issue 17886[28].
- Uninstalling Wireshark 3.6.1 on Windows 10 fails to remove the installation directory because it doesn’t remove the User’s Guide subdirectory and all its contents. Issue 17898[29].
- 3.6 doesn’t build without zlib. Issue 17899[30].
- SIP Statistics no longer properly reporting method type accounting. Issue 17904[31].
- Fuzz job crash output: fuzz-2022-01-26-6940.pcap. Issue 17909[32].
- SCTP retransmission detection broken for the first data chunk of each association with relative TSN. Issue 17917[33].
- “Show In Folder” doesn’t work correctly for filenames with spaces. Issue 17927[34].
New in WireShark 3.6.1 (Dec 30, 2021)
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2021-17[1] RTMPT dissector infinite loop. Issue 17745[2]. CVE-2021-4185[3].
- wnpa-sec-2021-18[4] BitTorrent DHT dissector infinite loop. Issue 17754[5]. CVE-2021-4184[6].
- wnpa-sec-2021-19[7] pcapng file parser crash. Issue 17755[8]. CVE-2021-4183[9].
- wnpa-sec-2021-20[10] RFC 7468 file parser infinite loop. Issue 17801[11]. CVE-2021-4182[12].
- wnpa-sec-2021-21[13] Sysdig Event dissector crash. CVE-2021-4181[14].
- wnpa-sec-2021-22[15] Kafka dissector infinite loop. Issue 17811[16].
- The following bugs have been fixed:
- Allow sub-second timestamps in hexdumps. Issue 15562[17].
- GRPC: An unnecessary empty Protobuf tree item is displayed if the GRPC message body length is 0. Issue 17675[18].
- Can’t install "ChmodBPF.pkg" or "Add Wireshark to the system path.pkg" on M1 MacBook Air Monterey without Rosetta 2. Issue 17757[19].
- TECMP: LIN Payload is cut off by 1 byte. Issue 17760[20].
- Wireshark crashes if a 64 bit field of type BASE_CUSTOM is applied as a column. Issue 17762[21].
- Command line option "-o console.log.level" causes wireshark and tshark to exit on start. Issue 17763[22].
- Setting WIRESHARK_LOG_LEVEL=debug breaks interface capture. Issue 17764[23].
- Unable to build without tshark. Issue 17766[24].
- IEEE 802.11 action frames are not getting parsed and always seen as malformed. Issue 17767[25].
- IEC 60870-5-101 link address field is 1 byte, but should have configurable length of 0, 1 or 2 bytes. Issue 17775[26].
- dfilter: 'tcp.port not in {1}' crashes Wireshark. Issue 17785[27].
- New and Updated Features:
- The 'console.log.level' preference was removed in Wireshark 3.6.0. This release adds an '-o console.log.level:' backward-compatibility option on the CLI that maps to the new logging sub-system. Note that this does not have bitmask semantics and does not correspond to any actual preference. It is just a transition mechanism for users that were relying on this CLI option and will be removed in the future. To see the new diagnostic output options consult the manpages or the output of '--help'.
- Updated Protocol Support:
- ANSI A I/F, AT, BitTorrent DHT, FF, GRPC, IEC 101/104, IEEE 802.11, IEEE 802.11 Radiotap, IPsec, Kafka, QUIC, RTMPT, RTSP, SRVLOC, Sysdig Event, and TECMP
- New and Updated Capture File Support:
- BLF and RFC 7468
New in WireShark 3.6.0 (Nov 23, 2021)
- New and Updated Features:
- The following features are new (or have been significantly updated) since version 3.6.0rc3:
- The macOS Intel packages now ship with Qt 5.15.3 and require macOS 10.13 or later.
- The following features are new (or have been significantly updated) since version 3.6.0rc2:
- Display filter set elements must now be comma-separated. See below for more details.
- The following features are new (or have been significantly updated) since version 3.6.0rc1:
- The display filter expression “a != b” now has the same meaning as “!(a == b)”.
- The following features are new (or have been significantly updated) since version 3.4.0:
- Several changes have been made to the display filter syntax:
- The expression “a != b” now always has the same meaning as “!(a == b)”. In particular this means filter expressions with multi-value fields like “ip.addr != 1.1.1.1” will work as expected (the result is the same as typing “ip.src != 1.1.1.1 and ip.dst != 1.1.1.1”). This avoids the contradiction (a == b and a != b) being true.
- It is possible to use the syntax “a ~= b” or “a any_ne b” to recover the previous (inconsistent with "==") logic for not equal.
- Literal strings can now be specified using raw string syntax, identical to raw strings in the Python programming language. This can be used to avoid the complexity of using two levels of character escapes with regular expressions.
- Set elements must now be separated using a comma. A filter such as http.request.method in {"GET" "HEAD"} must be written as … in {"GET", "HEAD"}. Whitespace is not significant. The previous use of whitespace as separator is deprecated and will be removed in a future version.
- Support for the syntax "a not in b" with the same meaning as "not a in b" has been added.
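As an added illustration of the comparison semantics described in the items above (this is example code written for this page, not code from the Wireshark project), here is a small Python model of how "==", "!=", "~="/any_ne, set membership, "not in" and the comma-separated set syntax behave on a multi-valued field such as ip.addr. The packet records, field names and the evaluator itself are assumptions made for the example: it is a simplified model of the documented rules, not Wireshark's dfilter engine.

```python
"""Simplified model of Wireshark 3.6 display filter comparison semantics.

Illustrative code, not Wireshark's dfilter engine. A packet is modelled as a
mapping from field name to the list of values that field takes in the packet;
"ip.addr" is multi-valued because it matches both ip.src and ip.dst.
"""

from typing import Dict, Iterable, List

Packet = Dict[str, List[str]]

# Constructed sample records for the demonstration (not captured traffic).
SAMPLE_PACKET: Packet = {
    "ip.src": ["10.0.0.1"],
    "ip.dst": ["1.1.1.1"],
    "ip.addr": ["10.0.0.1", "1.1.1.1"],  # ip.addr occurs twice per IPv4 packet
}
HTTP_PACKET: Packet = {"http.request.method": ["POST"]}


def field_values(packet: Packet, field: str) -> List[str]:
    """Every occurrence of a field in the packet; empty if the field is absent."""
    return packet.get(field, [])


def eq(packet: Packet, field: str, value: str) -> bool:
    """a == b: true if ANY occurrence of the field equals the value."""
    return any(v == value for v in field_values(packet, field))


def ne(packet: Packet, field: str, value: str) -> bool:
    """a != b (3.6 semantics): defined as !(a == b), so NO occurrence may match."""
    return not eq(packet, field, value)


def any_ne(packet: Packet, field: str, value: str) -> bool:
    """a ~= b / a any_ne b: the previous meaning, true if ANY occurrence differs."""
    return any(v != value for v in field_values(packet, field))


def in_set(packet: Packet, field: str, members: Iterable[str]) -> bool:
    """a in {x, y}: true if any occurrence of the field is a member of the set."""
    wanted = set(members)
    return any(v in wanted for v in field_values(packet, field))


def not_in_set(packet: Packet, field: str, members: Iterable[str]) -> bool:
    """a not in {x, y}: same meaning as not (a in {x, y})."""
    return not in_set(packet, field, members)


def parse_set(text: str) -> List[str]:
    """Parse the comma-separated set literal {"GET", "HEAD"} into its members.

    Whitespace around elements is not significant. The deprecated
    whitespace-separated form {"GET" "HEAD"} is rejected here so that the
    syntax change stands out; empty sets are rejected as well.
    """
    body = text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("set literal must be enclosed in braces")
    members: List[str] = []
    for raw in body[1:-1].split(","):
        item = raw.strip()
        if len(item) < 2 or item[0] != '"' or item[-1] != '"' or '"' in item[1:-1]:
            raise ValueError(f"set element must be a single quoted string: {item!r}")
        members.append(item[1:-1])
    return members


def is_valid_set(text: str) -> bool:
    """True if the text parses as a set literal under the 3.6 comma rule."""
    try:
        parse_set(text)
    except ValueError:
        return False
    return True


def old_semantics_contradiction(packet: Packet, field: str, value: str) -> bool:
    """True when the old "any occurrence differs" reading makes (a == b and a != b)
    hold at the same time, which is exactly the inconsistency the new rule removes."""
    return eq(packet, field, value) and any_ne(packet, field, value)


if __name__ == "__main__":
    print("ip.addr == 1.1.1.1 :", eq(SAMPLE_PACKET, "ip.addr", "1.1.1.1"))
    print("ip.addr != 1.1.1.1 :", ne(SAMPLE_PACKET, "ip.addr", "1.1.1.1"))
    print("ip.addr ~= 1.1.1.1 :", any_ne(SAMPLE_PACKET, "ip.addr", "1.1.1.1"))
    print("contradiction under old rule:",
          old_semantics_contradiction(SAMPLE_PACKET, "ip.addr", "1.1.1.1"))
    print('http.request.method in {"GET", "HEAD"}:',
          in_set(HTTP_PACKET, "http.request.method", parse_set('{"GET", "HEAD"}')))
```

On the constructed packet, ne() for ip.addr gives the same answer as ne() on ip.src and ne() on ip.dst combined with "and", which is the equivalence the release note states; any_ne() reproduces the old reading in which the packet matched both "ip.addr == 1.1.1.1" and "ip.addr != 1.1.1.1". For a practitioner writing exclusion filters this is the security-relevant detail: under the old semantics a filter meant to drop traffic involving a host still showed every packet whose other address differed.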
- Packaging updates:
- A macOS Arm 64 (Apple Silicon) package is now available.
- The macOS Intel packages now ship with Qt 5.15.3 and require macOS 10.13 or later.
- The Windows installers now ship with Npcap 1.55.
- A 64-bit Windows PortableApps package is now available.
- TCP conversations now support a completeness criterion, which makes it easier to identify TCP streams that have an opening handshake, a closing handshake, a payload, or any combination of these. It can be accessed with the new tcp.completeness filter.
- Protobuf fields that are not serialized on the wire or otherwise missing in capture files can now be displayed with default values by setting the new “add_default_value” preference. The default values might be explicitly declared in “proto2” files, or false for bools, first value for enums, zero for numeric types.
- Wireshark now supports reading Event Tracing for Windows (ETW). A new extcap named ETW reader can open an etl file, convert all events in the file to DLT_ETW packets and write them to a specified FIFO destination. A new packet_etw dissector dissects DLT_ETW packets so that Wireshark can display the DLT_ETW packet header and its message; the packet_etw dissector calls the packet_mbim sub-dissector if the provider matches the MBIM provider GUID.
- “Follow DCCP stream” feature to filter for and extract the contents of DCCP streams.
- Wireshark now supports dissecting RTP packets with OPUS payloads.
- Importing captures from text files based on regular expressions is now possible. By specifying a regex that matches a single packet, with capturing groups for the relevant fields, a text file can be converted to a libpcap capture file. Supported data encodings are plain hexadecimal, octal, binary and base64. The timestamp format now also allows the fractional seconds to be placed anywhere in the timestamp, and timestamps are stored with nanosecond instead of microsecond precision.
- The RTP Player has been significantly redesigned and improved. See Playing VoIP Calls[1] and RTP Player Window[2] in the User’s Guide for more details.
- The RTP Player can play many streams in a row.
- The UI is more responsive.
- The RTP Player maintains a playlist, and other tools can add and remove streams to and from it.
- Every stream can be muted or routed to the left or right channel for replay.
- The option to save audio has been moved from the RTP Analysis dialog to the RTP Player. The RTP Player also saves what was played, and it can save in multichannel .au or .wav.
- The RTP Player is now accessible from the Telephony › RTP › RTP Player menu.
- The VoIP dialogs (VoIP Calls, RTP Streams, RTP Analysis, RTP Player, SIP Flows) are non-modal and can stay open in the background.
- The same tools are provided across all dialogs (Prepare Filter, Analyse, RTP Player …)
- The “Follow Stream” dialog is now able to follow SIP calls based on their Call-ID value.
- The “Follow Stream” dialog’s YAML output format has been updated to add timestamps and peer information. For more details see Following Protocol Streams[3] in the User’s Guide.
- IP fragments between public IPv4 addresses are now reassembled even if they have different VLAN IDs. Reassembly of IP fragments where one endpoint is a private (RFC 1918 section 3) or link-local (RFC 3927) IPv4 address continues to take the VLAN ID into account, as those addresses can be reused. To revert to the previous behavior and not reassemble fragments with different VLAN IDs, turn on the “Enable stricter conversation tracking heuristics” top level protocol preference.
- USB Link Layer reassembly has been added, which allows hardware captures to be analyzed at the same level as software captures.
- TShark can now export TLS session keys with the --export-tls-session-keys option.
- Wireshark participated in the Google Season of Docs 2020 and the User’s Guide has been extensively updated.
- The “RTP Stream Analysis” dialog CSV export format was slightly changed. The first line of the export contains column titles as in other CSV exports.
- Wireshark now supports the Turkish language.
- The settings in the “Import from Hex Dump” dialog are now stored in a profile import_hexdump.json file.
- Analyze › Reload Lua Plugins has been improved to properly support FileHandler.
- The “RTP Stream Analysis” and “IAX2 Stream Analysis” dialogs now show correct mean jitter calculations.
- RTP streams are now created based on Skinny protocol messages in addition to other types of messages.
- The “VoIP Calls Flow Sequence” window shows more information about various Skinny messages.
- Initial support for building Wireshark on Windows using GCC and MinGW-w64 has been added. See README.msys2 in the sources for more information.
- New File Format Decoding Support:
- Vector Informatik Binary Log File (BLF)
- New Protocol Support:
- 5G Lawful Interception (5GLI), Bluetooth Link Manager Protocol (BT LMP), Bundle Protocol version 7 (BPv7), Bundle Protocol version 7 Security (BPSec), CBOR Object Signing and Encryption (COSE), E2 Application Protocol (E2AP), Event Tracing for Windows (ETW), EXtreme extra Eth Header (EXEH), High-Performance Connectivity Tracer (HiPerConTracer), ISO 10681, Kerberos SPAKE, Linux psample protocol, Local Interconnect Network (LIN), Microsoft Task Scheduler Service, O-RAN E2AP, O-RAN fronthaul UC-plane (O-RAN), Opus Interactive Audio Codec (OPUS), PDU Transport Protocol, R09.x (R09), RDP Dynamic Channel Protocol (DRDYNVC), RDP Graphic pipeline channel Protocol (EGFX), RDP Multi-transport (RDPMT), Real-Time Publish-Subscribe Virtual Transport (RTPS-VT), Real-Time Publish-Subscribe Wire Protocol (processed) (RTPS-PROC), Shared Memory Communications (SMC), mSignal PDU, SparkplugB, State Synchronization Protocol (SSyncP), Tagged Image File Format (TIFF), TP-Link Smart Home Protocol, UAVCAN DSDL, UAVCAN/CAN, UDP Remote Desktop Protocol (RDPUDP), Van Jacobson PPP compression (VJC), World of Warcraft World (WOWW), and X2 xIRI payload (xIRI)
- Updated Protocol Support:
- Too many protocols have been updated to list here.
- New and Updated Capture File Support:
- Vector Informatik Binary Log File (BLF)
New in WireShark 3.4.10 (Nov 18, 2021)
- What’s New:
- This release fixes a forward compatibility issue[1] with the I/O Graphs preferences.
- Bug Fixes:
- The following vulnerabilities have been fixed:
- wnpa-sec-2021-07[2] Bluetooth DHT dissector crash. Issue 17651[3]. CVE-2021-39929[4].
- wnpa-sec-2021-08[5] Bluetooth HCI_ISO dissector crash. Issue 17649[6]. CVE-2021-39926[7].
- wnpa-sec-2021-09[8] Bluetooth SDP dissector crash. Issue 17635[9]. CVE-2021-39925[10].
- wnpa-sec-2021-10[11] Bluetooth DHT dissector large loop. Issue 17677[12]. CVE-2021-39924[13].
- wnpa-sec-2021-11[14] PNRP dissector large loop. Issue 17684[15].
- wnpa-sec-2021-12[16] C12.22 dissector crash. Issue 17636[17]. CVE-2021-39922[18].
- wnpa-sec-2021-13[19] IEEE 802.11 dissector crash. Issue 17704[20]. CVE-2021-39928[21].
- wnpa-sec-2021-14[22] Modbus dissector crash. Issue 17703[23]. CVE-2021-39921[24].
- wnpa-sec-2021-15[25] IPPUSB dissector crash. Issue 17705[26]. CVE-2021-39920[27].
- The following bugs have been fixed:
- OSS-Fuzz: Heap-use-after-free in ROS. Issue 16342[28].
- Allow for '