-
Latest Version
Wireshark Portable 4.4.2 LATEST
-
Review by
-
Operating System
Windows 8 (64-bit) / Windows 10 (64-bit) / Windows 11
-
User Rating
Click to vote -
Author / Product
-
Filename
WiresharkPortable64_4.4.2.paf.exe
Wireshark Portable version was written by networking experts around the world and is an example of the power of the open-source. Wireshark Portable for PC is used by network professionals around the world for analysis, troubleshooting, software and protocol development, and education.
The program has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements.
Main Features
- Packet Analysis: It captures data packets from a network in real-time or from saved capture files for in-depth analysis.
- Deep Inspection: Users can inspect hundreds of protocols, including Ethernet, IP, TCP, HTTP, DNS, and more, to diagnose network issues or investigate security incidents.
- Filtering: Advanced filtering capabilities allow users to sift through large volumes of data to focus on specific packets or protocols.
- Protocol Decoding: The app decodes packet contents into human-readable formats, aiding in understanding network communication.
- VoIP Analysis: Support for VoIP protocols enables analysis of voice and video communications.
- Exporting: Captured data can be exported to various file formats for further analysis or sharing.
- Extensibility: It offers a rich ecosystem of plugins and scripts for extending functionality.
- Comprehensive protocol support
- Extensive filtering and analysis capabilities
- Open-source and free
- Active community and ongoing development
- Cross-platform compatibility
- Steep learning curve for beginners
- Requires understanding of networking concepts
- Limited support for decrypting encrypted traffic
- Resource-intensive for capturing and analyzing large data volumes
What's new in this version:
Wireshark Portable 4.4.2
Fixed:
The following vulnerabilities have been fixed:
- wnpa-sec-2024-14 FiveCo RAP dissector infinite loop
- wnpa-sec-2024-15 ECMP dissector crash
The following bugs have been fixed:
- CIP I/O is not detected by "enip" filter anymore
- Fuzz job issue: fuzz-2024-09-03-7550.pcap
- OSS-Fuzz 71476: wireshark:fuzzshark_ip_proto-udp: Index-out-of-bounds in DOFObjectID_Create_Unmarshal
- JA4_c hashes an empty field to e3b0c44298fc when it should be 000000000000
- Opening Wireshark 4.4.0 on macOS 15.0 disconnects iPhone Mirroring
- PTP analysis loses track of message associations in case of sequence number resets
- USB CCID: response packet in case SetParameters command is unsupported is flagged as malformed
- dumpcap crashes when run from TShark with a capture filter
- SRT dissector: The StreamID (SID) in the handshake extension is displayed without regarding the control characters and with NUL as terminating
- Ghost error message on POP3 packets
- Building against c-ares 1.34 fails
- D-Bus is not optional anymore
- macOS Intel DMGs aren’t fully notarized
- Incorrect name for MLD Capabilities and Operations Present flag in dissection of MLD Capabilities for MLO wifi-7 capture
- CQL Malformed Packet v4 S → C Type RESULT: Prepared[Malformed Packet] Issue 20142.
- Wi-Fi: 256 Block Ack (BA) is not parsed properly
- BACnet ReadPropertyMultiple request Maximum allowed recursion depth reached
- Statistics→I/O Graph crashes when using simple moving average
- HTTP2 body decompression fails on DATA with a single padded frame
- Compiler warning for ui/tap-rtp-common.c (ignoring return value) Issue 20169.
- SIP dissector bug due to "be-route" param in VIA header
- Coredump after trying to open 'Follow TCP stream' Issue 20174.
- Protobuf JSON mapping error
- Display filter "!stp.pvst.origvlan in { vlan.id }" causes a crash (Version 4.4.1) Issue 20183.
- Extcap plugins shipped with Wireshark Portable are not found in version 4.4.1
- IEEE 802.11be: Wrong regulatory info in HE Operation IE in Beacon frame
- Wireshark 4.4.1 does not decode RTCP packets
- Qt: Display filter sub-menu can only be opened on the triangle, not the full name
- Qt: Changing the display filter does not update the Conversations or Endpoints dialogs
- MODBUS Dissector bug
- Modbus dissector bug - Field Occurence and Layer Operator modbus.bitval field
- Wireshark crashes when a field is dragged from packet details towards the find input
- Lua DissectorTable("") : set ("10,11") unexpected behavior in locales with comma as decimal separator
New and Updated Features:
- The TShark syntax for dumping only fields with a certain prefix has changed from -G fields prefix to -G fields,prefix. This allows tshark -G fields to again support also specifying the configuration profile to use.
Wireshark Portable 4.4.1
The following vulnerabilities have been fixed:
- wnpa-sec-2024-12 ITS dissector crash
- wnpa-sec-2024-13 AppleTalk and RELOAD Framing dissector crashes
The following bugs have been fixed:
- Refresh interface during live-capture leads to corrupt interface handling
- Media type "application/octet-stream" registered for both Thread and UASIP
- Extcap toolbar stops working when new interface is added
- Decoding error ITS CPM version 2.1.1
- Build error in 4.3.0: sync_pipe_run_command_actual error: argument 2 is null but the corresponding size argument 3 value is 512004 [-Werror=nonnull] Issue 19930.
- html2text.py doesn’t handle the tag
- Incorrect NetFlow v8 TOS AS aggregation dissection
- The Windows packages don’t ship with the IP address plugin
- O_PATH is Linux-and-FreeBSD-specific
- Wireshark 4.4.0 doesn’t install USBcap USBcapCMD.exe in the correct directory
- OER dissector is not considering the preamble if ASN.1 SEQUENCE definition includes extension marker but no OPTIONAL items
- Bluetooth classic L2CAP incorrect dissection with connectionless reception channel
- Profile auto switch filters : Grayed Display Filter Expression dialog box when opened from Configuration Profiles dialog box
- Wireshark 4.4.0 / macOS 14.6.1 wifi if monitor mode
- TECMP Data Type passes too much data to sub dissectors
- Wireshark and tshark 4.4.0 ignore extcap options specified on the command line
- Cannot open release notes due to incorrect path with duplicated directory components
- Unable to open "Release Notes" from the "Help" menu
- No capture interfaces if Wireshark is started from command line with certain paths
- Wireshark 4.4.0 extcap path change breaks third party extcap installers
- Fuzz job UTF-8 encoding issue: fuzz-2024-09-10-7618.pcap
- Unable to create larger files than 99 size units
- Opening Wireshark 4.4.0 on macOS 15.0 disconnects iPhone Mirroring
- PRP trailer not shown for L2 IEC 61850 GOOSE packets in 4.4.0 (was working in 4.2.7) Issue 20088.
- GUI lags because NetworkManager keeps turning 802.11 monitor mode off
- Error while getting Bluetooth application process id by Issue 20100.
- Fuzz job assertion: randpkt-2024-10-05-7200.pcap
New and Updated Features:
- The TShark syntax for dumping only fields with a certain prefix has changed from -G fields prefix to -G fields,prefix. This allows tshark -G fields to again support also specifying the configuration profile to use.
Updated Protocol Support:
- AppleTalk, ARTNET, BGP, BT L2CAP, CIGI, CIP Motion, CoAP, COSE, DISTCC, DMP, Ethernet OAM PDU, F5 FILEINFO, GIOP, GOOSE, GSM Management, GSM SIM, GTP, HTTP, HTTP2, ID3v2, IDN, IEEE 1609.2, IEEE 802.11, IPPUSB, iRDMA, ISystemActivator, ITS, Kerberos, LwM2M-TLV, MMS, MQ, MySQL, NCP SSS, NetFlow, OER, OWAMP, QNET, RELOAD Framing, RTCP, RTLS, SANE, SMB2, SSyncP, Sysdig Event, T.124, TECMP, Thread, Thrift, and TWAMP
New and Updated Capture File Support:
- BLF, CLLOG, CommView, ERF, and pcap
Wireshark Portable 4.4.0
New:
- Many improvements and fixes to the graphing dialogs, including I/O Graphs, Flow Graph / VoIP Calls, and TCP Stream Graphs
- Wireshark now supports automatic profile switching. You can associate a display filter with a configuration profile, and when you open a capture file that matches the filter, Wireshark will automatically switch to that profile.
- Support for Lua 5.3 and 5.4 has been added, and support for Lua 5.1 and 5.2 has been removed. The Windows and macOS installers now ship with Lua 5.4.6.
- Improved display filter support for value strings (optional string representations for numeric fields)
- Display filter functions can be implemented as plugins, similar to protocol dissectors and file parsers
- Display filters can be translated to pcap filters using Edit › Copy › Display filter as pcap filter if each display filter field has a corresponding pcap filter equivalent
- Custom columns can be defined using any valid field expression, such as display filter functions, packet slices, arithmetic calculations, logical tests, raw byte addressing, and protocol layer modifiers.
- Custom output fields for tshark -e can also be defined using any valid field expression
- Wireshark can be built with the zlib-ng instead of zlib for compressed file support. Zlib-ng is substantially faster than zlib. The official Windows and macOS packages include this feature.
- Many other improvements have been made. See the “New and Updated Features” section below for more details.
- New and Updated Features
- The following features are either new or have been significantly updated since version 4.2.0:
- The Windows installers now ship with Npcap 1.79. They previously shipped with Npcap 1.78.
Improvements to the "I/O Graphs" dialog:
- A number of crasher bugs have been fixed.
- The protocol tree context menu can open a I/O graph of the currently selected field
- Smaller intervals can be used, down to 1 microsecond
- A larger number of I/O Graph item buckets can be used, up to 225 (33 million) items
- The size of individual graph items has been reduced, which reduces memory utilization.
- When the Y field or Y axis changes, the graph displays the new graph correctly, retapping if necessary, instead of displaying information based on stale data.
- The graph is smarter about choosing whether to retap (expensive), recalculate (moderately intensive), or replot (cheap) in order to display the newly chosen options correctly with the least amount of calculations. For instance, a graph that has previously been plotted and is disabled and then reenabled without any other changes will not require a new retap
- LOAD graphs are graphed properly again
- Y axes have human readable units with SI prefixes
- Bar widths are scaled to the size of the interval.
- Bar border colors are a slightly darker color than that of the graph itself, instead of always black
- Time values have the correct width when axes are automatically reset.
- The precision of the interval time shown in the hint message depends on the interval.
- The tracer follows the currently selected row on the table of graphs, and does not appear on an invisible graph.
- The tracer moves to the frame selected in the main window
- Pending graph changes are saved when changing profiles when the I/O Graphs dialog is open.
- I/O Graph dialog windows for closed capture files are no longer affected by changing the list of graphs (either in that dialogs or in other dialogs for the currently open file.)
- Newly created temporary graphs, which will not be saved unless the configuration has changed, are more clearly marked with italics.
- When "Time of Day" is selected for a graph, the absolute time will be saved to CSV exports instead of the relative time
- Graphs can be reordered by dragging and dropping their list entries
- The graph layer order and legend order always matches the order in the graph list. Legends also appear properly
- The legend can be moved to other corners of the graph by right-clicking on it and selecting its new location from a menu.
- For purposes of displaying zero values, graphs with both lines and data point symbols are treated as line graphs, not scatter plots.
- Logarithmic ticks are used when the Y axis is logarithmic.
- The graph crosshairs context menu option works.
- You can resize the graph list columns to their contents by right clicking on the list header
- The graph is more responsive to mouse movement, especially on Linux Wayland.
Improvements to the Sequence Diagram (Flow Graphs and VoIP Calls):
- When exporting the graph as an image, the entire graph is shown with up to 1000 items instead of only what was visible on-screen. This value can be increased in the preferences
- Endpoints that share the same address now have two distinct nodes with a line between them
- The "Comment" column can be resized by selecting the axis between the "Comment" column and the graph and dragging, and auto-resized by double-clicking the column
- Tooltips are shown for elided comments.
- The scroll direction via keyboard is no longer reversed
- The column widths are fixed instead of resizing slightly depending on the visible entries
- The Y axis labels stay in the correct position without having to click the Reset button.
- The progress bar appears correctly in the Flow Graph (non VoIP Calls).
- The behavior of the "Any" and "Network" combobox is corrected
- "Limit to Display Filter" is checked if a display filter is applied when the Flow Graph is opened, per the documentation.
TCP Stream Graphs:
- A better decision is made about which side is the server and thus the initially chosen direction in the graph.
- The "Window Scaling" graph axis labels are corrected and show both graphs.
- The graph crosshairs context menu option works.
- Switching between relative and absolute sequence numbers works again.
- The "Follow Stream" dialog can now show delta times between turns and all packets and events.
- A number of graphs using the QCustomPlot widget ("I/O Graphs", "Flow Graph", "TCP Stream Graphs", and "RTP Player") are more responsive to mouse movement, especially on Linux when Wayland is used.
- The "Find Packet" dialog can search backwards and find additional occurrences of a string, hex value, or regular expression in a single frame.
- When using "Go To Packet" with an undisplayed frame, the window goes to nearest displayed frame by number
Display filter syntax enhancements:
- Better handling of comparisons with value strings. Now the display filter engine can correctly handle cases where multiple different numeric values map to the same value string, including but not limited to range-type value strings.
- Fields with value strings now support regular expression matching.
- Date and time values now support arithmetic, with some restrictions: the multiplier/divisor must be an integer or floating point number and appear on the right-hand side of the operator.
- The keyword "bitand" can be used as an alternative syntax for the bitwise-and operator.
- Functions alone can now be used as an entire logical expression. The result of the expression is the truthiness of the function return value (or of all values if more than one). This is useful for example to write "len(something)" instead of "len(something) != 0". Even more so if a function returns itself a boolean value, it is now possible to write "bool_test(some.field)" instead of having to write "bool_test(some.field) == True". Both forms are now valid.
- Display filter references can be written without curly braces. It is now possible to write $frame.number instead of ${frame.number} for example.
- There are new display filter functions which test various IP address properties. Check the wireshark-filter(5) man page for more information.
- There are new display filter functions which convert unsigned integer types to decimal or hexadecimal, and convert fields with value strings into the associated string for their value, which can be used to produce results similar to custom columns. Check the wireshark-filter(5) man page for more information.
- Display filter macros can be written with a semicolon after the macro name before the argument list, e.g. ${mymacro;arg1;…;argN}, instead of ${mymacro:arg1;…;argN}. The version with semicolons works better with pop-up suggestions when editing the display filter, so the version with the colon might be removed in the future.
- Display filter macros can be written using a function-like notation. The macro ${mymacro:arg1;…;argN} can be written $mymacro(arg1,…,argN).
- AX.25 addresses are now filtered using the "CALLSIGN-SSID" string syntax. Filtering based on the raw bytes values is still possible, like other field types, with the @ operator
- Display filter functions can be implemented as libwireshark plugins. Plugins are loaded during startup from the usual binary plugin configuration directories. See the ipaddr.c source file in the distribution for an example of a display filter C plugin and the doc/plugins.example folder for generic instructions how to build a plugin.
- Display filter autocompletions now also include display filter functions.
- The display filter macro configuration file has changed format. It now uses the same format as the "dfilters" file and has been renamed accordingly to "dmacros". Internally it no longer uses the UAT API and the display filter macro GUI dialog has been updated. There is some basic migration logic implemented but it is advisable to check that the "dfilter_macros" (old) and "dmacros" (new) files in the profile directory are consistent.
Custom columns can be defined using any valid field expression:
- Display filter functions, like len(tcp.payload), including nested functions like min(len(tcp.payload), len(udp.payload)) and newly defined functions using the plugin system mentioned above
- Arithmetic calculations, like ip.len * 8 or tcp.srcport + tcp.dstport
- Slices, like tcp.payload[4:4]
- The layer operator, like ip.proto#1, which will return the protocol field in the first IPv4 layer if there is tunneling
- Raw byte addressing, like @ip, which will return the bytes of protocol or FT_NONE fields, among others
- Logical tests, like tcp.port == 443, which produce a check mark if the test matches (similar to protocol and FT_NONE fields without @.) This works with all logical operators, including e.g. regular expression matching (matches or ~.)
- Defined display filter macros.
- Any combination of the above also works.
- Multifield columns are still available. For backwards compatibility, X or Y is interpreted as a multifield column as before. To represent a logical test for the presence of multiple fields instead of concatenating values, use parenthesis, e.g. (tcp.options.timestamp or tcp.options.nop).
- Field references are not implemented because there’s no sense of a currently selected frame. "Resolved" column values (such as host name resolution or value string lookup) are not supported for any of the new expressions yet.
- Custom output fields for tshark -e can also be defined using any valid field expression as above.
- For custom output fields, X or Y is the usual logical test; to output multiple fields use multiple -e terms as before.
- The various -E options, including -E occurrence, all work as expected.
- When selecting "Manage Interfaces" from "Capture Options", Wireshark only attempts to reconnect to rpcap hosts that were active in the last session, instead of every remote host that the current profile has ever connected to
- The "Resolved Addresses" dialog only shows what addresses and ports are present in the file (not including information from static files), and selected rows or the entire table can be saved or copied to the clipboard in several formats
- Dumpcap and Wireshark support the -F option when capturing a file on the command line
- When capturing on the command line dumpcap accepts a -Q option that is quieter than -q and prints only errors to standard error, similar to tshark
- When capturing a file and requesting the pcap format, nanosecond resolution time stamps will be written if the device and version of libpcap supports it.
- When capturing using a file size autostop or ring buffer condition, the maximum value is now 2 TB, up from 2GiB. Note that you may have problems when the number of packets gets larger than 231 or 232, though that is also true when no limit is set.
- When capturing files in multiple file mode, a pattern that places the date and time before the index number can be used (e.g., foo_20240714110102_00001.pcap instead of foo_00001_20240714110102.pcap). This makes file names sortable in chronological order across file sets from different captures. The "File Set" dialog has been updated to handle the new pattern, which has been capable of being produced by tshark since version 3.6.0.
- Adding interfaces at startup is about twice as fast, and has many fewer UAC pop-ups when Npcap is installed with access restricted to Administrators on Windows.
- The Lua version included with the Windows and macOS installers has been updated to 5.4. While we have tried to help with backward compatibility by including lua_bitop library with Lua 5.3 and 5.4 in addition to the native Lua support for bit operations present in those versions, different versions of Lua are not guaranteed to be compatible. If a Lua dissector has issues, check the manuals for Lua 5.4, Lua 5.3, and Lua 5.2 for incompatibilities and suggested workarounds. Note that features marked as deprecated in one version are removed in the subsequent version without additional notice, so it can be worth checking the manual for previous versions.
- Lua scripts in the plugins directories are now initially loaded via the same internal Lua methods as require(). This avoids errors from loading plugins twice, once by scanning the directory initially, and once by require(), and also results in globals defined in plugins entering the global namespace. Previously globals defined in plugins only entered the global namespace when placed in the global plugins directory, but not the personal plugins directory. Using globals in plugins remains deprecated style (both by Wireshark and in Lua generally), that should be avoided via using other methods
- Lua functions have been added to decompress and decode TvbRanges with other compression types besides zlib, such as Brotli, Snappy, Zstd, and others, matching the support in the C API. tvbrange:uncompress() has been deprecated in favor of tvbrange:uncompress_zlib().
- Lua Dumper now defaults to the pcapng file type, and to per-packet encapsulation (creating interfaces on demand as necessary) when writing pcapng Issue 16403
- Editcap has an --extract-secrets option to extract embedded decryption secrets from a capture file
- Global profiles can be used in tshark by using --global-profile option.
- Capture files can be saved with LZ4 compression. LZ4 has an emphasis on speed and may be particularly useful for large files.
- Fast random access is supported with LZ4 compressed files when compressed with independent blocks, which is the default. This provides much more responsive GUI performance when jumping to different packets. Fast random access has been supported with gzip compressed files since version 1.8.0, but this is not supported for Zstd compressed files.
- Mergecap, Editcap, TShark and Text2pcap have an --compress option to compress output to different formats. For now, it supports the gzip and LZ4 compression formats. When the option is not given, the desired compression format can also be deduced from the output filename extension, e.g. gzip for .gz.
- Wireshark’s Git repostory tags are now signed using SSH. See the Developer’s Guide for more details.
Removed Features and Support:
- The tshark -G option with no argument is deprecated and will be removed in a future version. Use tshark -G fields to produce the same report.
Wireshark Portable 4.2.6
The following bugs have been fixed:
- RADIUS dissector’s dictionary loading broken in many ways
- 3.4 → 3.6.5 ASCII display is broken on CentOS 7
- Funnel/Lua: Closing child window disconnects buttons of parent
- Lua detection fails with Alpine Linux: missing: LUA_LIBRARIES
- vnd.3gpp.5gnas payloads of type SMS not decoded inside HTTP2 5GC
- TCP Stream Graphs green sliding window line not displayed correctly
- Wireshark window doesn’t fully fit on screen on small resolutions and can’t be resized properly on Russian language
- Wireshark started from command line doesn’t set gui.fileopen_remembered_dir correctly on Windows
- Wireshark expects wrong length for DHCP Relay Agent Information Source Port Suboption
- SIP P-Access-Network-Info header not correctly decoded
Updated Protocol Support:
- DHCP, E.212, MySQL, NAS-5GS, PKT CCC, ProtoBuf, RADIUS, RLC-LTE, RTP, SIP, SPRT, Thrift, and Wi-SUN
Wireshark Portable 4.2.5
The following vulnerabilities have been fixed:
- wnpa-sec-2024-07 MONGO and ZigBee TLV dissector infinite loops
- wnpa-sec-2024-08 The editcap command line utility could crash when chopping bytes from the beginning of a packet
- wnpa-sec-2024-09 The editcap command line utility could crash when injecting secrets while writing multiple files
The following bugs have been fixed:
- Flow Graph scrolls in the wrong direction vertically when pressing Up/Down
- TCP Stream Window Scaling not working in version 2.6.1 and later
- TCP stream graphs (Window scaling) axis display is confusing
- LUA get_dissector does not give the correct dissector under 32-bit version
- Lua: Segfault when registering a field or expert info twice
- SSH can not decrypt when KEX is [email protected]
- Wireshark crash related to Lua DissectorTable.heuristic_new()
- MATE fails to extract HTTP2 User-Agent header
- Fuzz job issue: fuzz-2024-02-29-7169.pcap
- Fuzz job issue: fuzz-2024-03-02-7158.pcap
- Problem to Decode 5GC-N7 HTTP for payload Application/JSON
- Copying data as C String produces incorrect string
- Incorrect decoding of supported Tx HE-MCS
- reordercap: Fix packet reordering with multiple IDB’s not at the beginning of a pcapng file
- Wrong EPB lengths written if existing pcapng file has epb_hash options
- On Windows, Export Displayed Packets dialog does not have "include depended upon packets" checkbox
- vnd.3gpp.sms binary payload NOT decoded inside HTTP2 5GC
- NAS 5G message container dissection
- Incorrect interpretation of algorithm name in packet-tls-utils.c
Wireshark Portable 4.2.4
Fixed:
- Extcap with configuration never starts; "Configure all extcaps before start of capture." is shown instead
- Packet Dissection CSV Export includes last column even if hidden
- Inject TLS secrets closes Wireshark on Windows
- Fuzz job issue: fuzz-2024-02-27-7196.pcap
- Wireshark crashes when adding another port to the HTTP dissector
- Fuzz job issue: fuzz-2024-03-03-7204.pcap
- Fuzz job issue: randpkt-2024-03-05-8004.pcap
- When adding a new row to a table an error report may be inserted
- '--export-objects' does not work as expected on tshark version later than 3.2.10
- Fuzz job issue: fuzz-2024-03-21-7215.pcap
Wireshark Portable 4.2.3
Fixed:
- Capture start fails when file set enabled and file extension not supplied if directory contains a period
- Cannot drag and move custom filter buttons in toolbar
- Not equal won’t work when used with wlan.addr
- sshdump fails to connect with private key (ssh-rsa)
- ChmodBPF installation fails on macOS Sonoma 14.1.2
- Windows installers should check for Windows 8.1
- Fuzz job crash output: fuzz-2024-01-05-7725.pcap
- Fuzz job crash output: fuzz-2024-01-06-7734.pcap
- Incorrect recursion depth assert failure when dissecting a legitimate GOOSE message
- OPC UA - large read request is reported as malformed in 4.2.1 but not in 4.0.12
- TFTP dissector bug type listed as netscii instead of netascii doesn’t show all TFTP packets including TFTP blocks
- SMB1 replies from LAN Drive app only show up as NBSS Continuation Message
- ciscodump - older SSH key exchange algorithms not supported
- Problem decoding LAPB/X.25/FTAM after adding X.75 decoding
- Wireshark Filter not working
- CFLOW: failure to decode 0 length data fields of IPFIX variable length data types
- Copy … as Printable Text Feature Missing in 4.1/4.2
- Export Objects - HTTP is missing some HTTP/2 files in a two-pass analysis
- ASAM-CMP Plugin: Malformed message, length mismatch if vendor defined data of status messages has odd length
- OSS-Fuzz 66561: wireshark:fuzzshark_ip_proto-udp: Null-dereference READ in wmem_map_lookup
Wireshark Portable 4.2.2
Fixed:
- This release fixes a software update issue on Windows which causes Wireshark to hang if you are upgrading from version 4.2.0 or 4.2.1. If you are experiencing this issue you will need to download and install Wireshark 4.2.2 or later.
- sharkd is not installed by the Windows installer
- Fuzz job crash output: fuzz-2024-01-01-7740.pcap
- Can’t open a snoop file from the Open dialog box unless I select "All files" as the file type
- Add s4607 dissector to "decode as"
- Updater for 4.2.1 hangs
Wireshark Portable 4.2.1
Fixed:
The following bugs have been fixed:
- Capture filters not saved to recently used list
- CFM dissector does not handle Sender ID TLV correctly when Chassis ID Length is zero
- OSS-Fuzz 64290: wireshark:fuzzshark_ip: Global-buffer-overflow in dissect_zcl_read_attr_struct
- Overriding capture options set by preference by command line arguments (like -S) doesn’t work
- Segfault when enabling monitor mode on wireless card that falsely claims to support it
- Documented format of temporary file name is out of date in the Wireshark User’s Guide
- Selection highlight lost when interface list is sorted
- HTTP3 malformed packets
- Capture filter compilation fails with obscure error message
- XML: Parsing encoding attribute failed when standalone attribute exists
- Display filter expressions where the protocol name starts with digit and contains a hyphen are rejected
- diameter.3GPP-* display filters not working after upgrade to version 4.2.0
- GigE-vision: Control Protocol shows "unknown" as value for ASCII character set
- The HTTP/3 Request Header URI is not correct
- QUIC/TLS not extracting "h3" from ALPN in a capture
- Documentation on system requirements should be updated
- 4.2.0: init.lua in subdirectories not loaded anymore
- Malformed SIP/SDP messages: components are not decoded properly
- heuristic_protos do not reset on profile swap
- Wireshark 4.2 crashes on Apply As Column
- NFLOG timestamp is incorrect
- Qt6 Crash (Double Free) When Attempting to Save TCP Stream Graph
- Fixed parsing display filter expressions containing literal OID values, e.g. snmp.name == 1.3.6.1.2.1.1.3.0
Wireshark Portable 4.2.0
- This is the first major Wireshark release under the Wireshark Foundation, a nonprofit which hosts Wireshark and promotes protocol analysis education. The foundation depends on your contributions in order to do its work. If you or your employer would like to contribute or become a sponsor, please visit wiresharkfoundation.org.
- Wireshark supports dark mode on Windows
- A Windows installer for Arm64 has been added
- Packet list sorting has been improved
- Wireshark and TShark are now better about generating valid UTF-8 output
- A new display filter feature for filtering raw bytes has been added
- Display filter autocomplete is smarter about not suggesting invalid syntax
- Tools › MAC Address Blocks can lookup a MAC address in the IEEE OUI registry
- The enterprises, manuf, and services configuration files have been compiled in for improved start-up times. These files are no longer available in the master branch in our source code repository. You can download the manuf file from our automated build directory.
- The installation target no longer installs development headers by default
- The Wireshark installation is relocatable on Linux (and other ELF platforms with support for relative RPATHs)
- Wireshark can be compiled on Windows using MSYS2. Check the Developer’s guide for instructions
- Wireshark can be cross-compiled for Windows using Linux. Check the Developer’s guide for instructions
- Tools › Browser (SSL Keylog) can launch your web browser with the SSLKEYLOGFILE environment variable set to the appropriate value
- Windows installer file names now have the format Wireshark--.exe.
- Wireshark now supports the Korean language
- Many other improvements have been made. See the “New and Updated Features” section below for more details.
Fixed:
The following bugs have been fixed:
- Issue 18413 - RTP player do not play audio frequently on Windows builds with Qt6
- Issue 18510 - Playback marker does not move after resume with Qt6
Display filter syntax-related changes:
- It is now possible to filter on raw packet data for any field by using the syntax @some.field == <bytes…>. This can be useful to filter on malformed UTF-8 strings, among other use cases where it is necessary to look at the field’s raw data.
- Negation (unary minus) now works with any display filter arithmetic expression.
- Using the slice operator with strings produces a string. Previously it would produce a byte array. This is useful to index/slice UTF-8 multibyte strings. String byte slices can still be obtained using the "@" (raw operator) prefix.
- Arithmetic expressions are allowed as set elements.
- Absolute date and time values can be written as Unix time.
- The limitation where a minus sign needed to be preceded by a space character has been removed.
- Added XOR logical operator.
- Fixed the implementation of all … in membership operator (#19188).
- When parsing absolute time values the display filter engine has learned to understand timezones as specified in strptime(3), including some common North American designations. Arbitrary timezone names are not supported however. Previously only ISO8601 offsets and the "UTC" designation was understood.
- Writing value strings without double quotes is deprecated and will generate a warning. Value strings are integer or boolean values that can be represented using a user-friendly textual format, such as "Set"/"Unset" instead of numerical values like 1 and 0. It is now a requirement that value strings need to be written enclosed in double-quotes.
- The deprecated ‰ƒ operator symbol has been removed. It was replaced by !== in version 4.0.
- Running the test suite requires the pytest Python module. The emulation layer that allowed running tests without pytest installed has been removed.
- When saving files or exporting packets after changing their time with the "Time Shift" dialog, the shifted time is written to the new file.
- TLS secrets used in decrypting packets can be embedded (or discarded) from the capture file via the GUI, similar to the options --inject-secrets and --discard-all-secrets in editcap.
- The text of any configured column (displayed or hidden) can be filtered anywhere that filters are used - in display filters, filters in taps, coloring rules, Wireshark read filters, and the -Y, -R, and -e options to TShark, the "Apply as Filter" GUI option, etc.
- The filter field names are prefixed by "_ws.col", followed by a lowercase version of the COL_ name found in epan/column-utils.h, e.g. "_ws.col.info" or "_ws.col.protocol"
- Using the column names as a filter is slower than other filter types because the columns must be constructed, so when the same filtering can be achieved via other fields, prefer that.
- The external name resolution text files "manuf", "enterprises" and "services" have been removed and replaced with static binary data. You can dump the respective internal data using tshark -G manuf|enterprises|services.
- The "manuf" file is now also read from the personal configuration folder, and is profile-based.
- The Lua console dialogs under the Tools menu were refactored and redesigned. It now consists of a single dialog window for input and output.
- Wireshark now shows byte units in the statistics in the user-selected language (uses the system default language by default).
- Packet list sorting has been improved:
- When sorting packet list with a filter applied, only the visible packets are sorted, which greatly increases sorting speed.
- The cache size for column text is limited to a default of 10000 rows, which limits the maximum memory usage. The maximum value can be changed in Preferences→Appearance→Layout
- Due to the above, columns that require packet dissection can only be sorted if the number of visible rows is less than the cache size. If there are more rows visible, a warning will appear. Columns that do not require packet dissection (those that calculated directly from the capture file frame headers, such as packet number, time, and frame length) can be sorted with any number of visible rows.
- Sorting can be interrupted.
- When changing the dissector via the "Decode As" table for values that have default dissectors registered, selecting "(none)" will select no dissection (while still allowing heuristic dissectors to attempt to dissect.) The previous behavior was to reset the dissector to the default. To facilitate resetting the dissector, the default dissector is now sorted at the top of the list of possible dissector options.
- The personal extcap plugin folder location on Unix has been changed to follow existing conventions for architecture-dependent files. The extcap personal folder is now $HOME/.local/lib/wireshark/extcap. Previously it was $XDG_CONFIG_HOME/wireshark/extcap.
- The "init.lua" file is now loaded from any of the Lua plugin directories. Previously it was loaded from the personal configuration directory. (For backward-compatibility this is still allowed; note that deprecated features may be removed in a future release).
- Installation of development headers must be done explicitly using the CMake command cmake --install --component Development
- The Windows build has a new SpeexDSP external dependency. The speex code that was previously bundled has been removed.
- New --print-timers option added to TShark
Removed Features and Support:
- With the addition of the universal and consistent filtering support for column text, the previous support in the -e option to TShark for displaying column text via the column title has been removed in general. Those field names cannot be used elsewhere (as they may not be legal filter names) and create confusion if more than one column has the same title or if a column is renamed. Prefer the column format instead, e.g. "_ws.col.info" for "_ws.col.Info". However, for backwards compatibility with existing tools and scripts, the titles of the default columns can continue to be used with tshark -e (but not elsewhere.)
- The bundled script "dtd_gen.lua" that was disabled by default has been removed from the installation. It can be found in the Wireshark Wiki under "Contrib".
- The Wi-Fi NAN dissector filter name has been changed from 'nan' to 'wifi_nan'
New File Format Decoding Support:
- RTPDump
New Protocol Support:
- Aruba UBT, ASAM Capture Module Protocol (CMP), ATSC Link-Layer Protocol (ALP), DECT DLC protocol layer (DECT-DLC), DECT NWK protocol layer (DECT-NWK), DECT proprietary Mitel OMM/RFP Protocol (also named AaMiDe), Digital Object Identifier Resolution Protocol (DO-IRP), Discard Protocol, FiRa UWB Controller Interface (UCI), FiveCo’s Register Access Protocol (5CoRAP), Fortinet FortiGate Cluster Protocol (FGCP), GPS L1 C/A LNAV navigation messages, GSM Radio Link Protocol (RLP), H.224, High Speed Fahrzeugzugang (HSFZ), Hypertext Transfer Protocol version 3 (HTTP/3), ID3v2, IEEE 802.1CB (R-TAG), Iperf3, JSON 3GPP, Low Level Signalling (ATSC3 LLS), Management Component Transport Protocol (MCTP), Management Component Transport Protocol - Control Protocol (MCTP CP), Matter home automation protocol, Microsoft Delivery Optimization, Multi-Drop Bus (MDB), Non-volatile Memory Express - Management Interface (NVMe-MI) over MCTP, RDP audio output virtual channel Protocol (rdpsnd), RDP clipboard redirection channel Protocol (cliprdr), RDP Program virtual channel Protocol (RAIL), SAP Enqueue Server (SAPEnqueue), SAP GUI (SAPDiag), SAP HANA SQL Command Network Protocol (SAPHDB), SAP Internet Graphic Server (SAP IGS), SAP Message Server (SAPMS), SAP Network Interface (SAPNI), SAP Router (SAPROUTER), SAP Secure Network Connection (SNC), SBAS L1 Navigation Messages (SBAS L1), SINEC AP1 Protocol (SINEC AP), SMPTE ST2110-20 (Uncompressed Active Video), Train Real-Time Data Protocol (TRDP), UBX protocol of u-blox GNSS receivers (UBX), UDP Tracker Protocol for BitTorrent (BT-Tracker), UWB UCI Protocol, Video Protocol 9 (VP9), VMware HeartBeat, Windows Delivery Optimization (MS-DO), Z21 LAN Protocol (Z21), Zabbix, ZigBee Direct (ZBD), and Zigbee TLV
- Updated Protocol Support:
- JSON: The dissector now has a preference to enable/disable "unescaping" of string values. By default it is off. Previously it was always on.
- JSON: The dissector now supports "Display JSON in raw form".
- IPv6: The dissector has a new preference to show some semantic details about addresses (default off).
- IPv6: The dissector now supports dissecting the Application-aware IPv6 Networking (APN6) option in the Hop-by-Hop Options Header (HBH) and Destination Options Header (DOH), including all three types of APN ID, which are 32-bit, 64-bit and 128-bit in length.
- XML: The dissector now supports display character according to the "encoding" attribute of the XML declaration, and has a new preference to set default character encoding for some XML document without "encoding" attribute.
- SIP: The dissector now has a new preference to set default charset for displaying the body of SIP messages in raw text view.
- HTTP: The dissector now supports dissecting chunked data in streaming reassembly mode. Subdissectors of HTTP can register itself in "streaming_content_type" subdissector table for enabling streaming reassembly mode while transferring in chunked encoding. This feature ensures the server stream messages of GRPC-Web over HTTP/1.1 can be dissected even if the last chunk is absent.
- The media type dissector table now properly treats media types and subtypes as case-insensitive automatically, per RFC 6838. Media types no longer need to be lower cased before registering or looking up in the table.
- CFM: The dissector has been overhauled and updated to the level of IEEE std 802.1Q-2022 and ITU-T Rec. G.8013/Y.1371 (08/2015). This includes dissection of additional PDU types and TLVs as well as deeper dissection of existing PDUs and TLVs.
- Too many other protocol updates have been made to list them all here
New and Updated Codec support:
- Adaptive Multi-Rate (AMR), if compiled with opencore-amr
Major API Changes:
- Lua function "package.prepend_path" has been removed. If you need it please consider adding your own package.path customization code or installing your dependencies in Wireshark’s default paths.
- The reassemble_streaming_data_and_call_subdissector() API has been added to provide a simpler way to reassemble the streaming data of a high level protocol that is not on top of TCP.
- Some of the API now uses C99 types instead of GLib types
Wireshark Portable 4.0.10
- We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release
- If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you might have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon
- Bug Fixes
The following bugs have been fixed:
- Error loading g729.so plugin with Wireshark 4.0.9 and 3.6.17 on macOS
Wireshark Portable 4.0.8
New:
- We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release
- If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you might have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon
The following vulnerabilities have been fixed:
- wnpa-sec-2023-23 CBOR dissector crash
- wnpa-sec-2023-24 BT SDP dissector infinite loop
- wnpa-sec-2023-25 BT SDP dissector memory leak
- wnpa-sec-2023-26 CP2179 dissector crash
Fixed:
- TShark cannot capture to pipe on Windows correctly
- Wireshark wrongly blames group membership when pcap capabilities are removed
- Packet bytes window broken layout
- RTP Player only shows waveform until sequence rollover
- Valid Ethernet CFM DMM packets are shown as malformed
- Crash on DICOM Export Objects window close
- The QUIC dissector is reporting the quic_transport_parameters max_ack_delay with the title "GREASE"
- Preferences: Folder name editing behaves weirdly, cursor jumps
- DHCPFO: Expert info list does not show all expert infos
- Websocket packets not decoded and displayed for Field type=Custom and Field name websocket.payload.text
- Cannot read pcapng file captured on OpenBSD and read on FreeBSD
- UI: While capturing the Wireshark icon changes from green to blue when new file is created
- Conversation: heap-use-after-free after wmem_leave_file_scope
- IP Packets with DSCP 44 does not indicate "Voice-Admit"
- NAS 5GS Malformed Packet Decoding SOR transparent container PLMN ID and access technology list
- UI: Auto scroll button in the toolbar is turned on when manually scrolling to the end of packet list
Wireshark Portable 4.0.7
- We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release
- If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you might have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon
Fixed:
The following vulnerabilities have been fixed:
- wnpa-sec-2023-21 Kafka dissector crash
- wnpa-sec-2023-22 iSCSI dissector crash
- The following bugs have been fixed:
- Crash when (re)loading a capture file after renaming a dfilter macro
- Moving a column deselects selected packet and moves to beginning of packet list
- If you set the default interface in the preferences, it doesn’t work with TShark
- Severe performance issues in Follow → Save As raw workflow
- TShark doesn’t support the tab character as an aggregator character in "-T fields" Issue 18002.
- On Windows clicking on a link in the 'Software Update' window launches, now unsupported, MS Internet Explorer
- Wireshark 4.x.x on Win10-x64 crashes after saving a file with a name already in use
- NAS-5GS Operator-defined Access Category: Multiple Criteria values not displayed in dissected packet display
- Server Hello Packet Invisible - during 802.1x Authentication- from Wireshark App Version 4.0.3 (v4.0.3-0-gc552f74cdc23) & above
- TShark reassembled data is incomplete/truncated
- CQL protocol parsing issues with Result frames from open source Cassandra
- TLS 1.3 second Key Update doesn’t work
- HTTP2 dissector reports an assertion error on large data frames
- epan: Single letter hostnames aren’t displayed correctly
- BLF: CAN-FD-Message format is missing a field
- BLF: last parameter of LIN-Message is not mandatory (BUGFIX) Issue 19147.
- PPP IPv6CP: Incorrect payload length warning
- INSTALL file needs to be updated for Debian
- Some RTP streams make Wireshark crash when trying to play stream
- Wrong ordering in OpenFlow 1.0 Datapath unique ID
- Incorrect mask in RTCP slice picture ID
- Dissection error in AMQP 1.0
Wireshark Portable 4.0.6
Fixed:
- Candump log file parser crash
- BLF file parser crash
- GDSDB dissector infinite loop
- NetScaler file parser crash
- VMS TCPIPtrace file parser crash
- BLF file parser crash
- RTPS dissector crash
- IEEE C37.118 Synchrophasor dissector crash
- XRA dissector infinite loop
- Conversations list has incorrect unit (bytes) in bit speed columns in the 3.7 development versions
- The media_type table should treat media types, e.g. application/3gppHal+json, as case-insensitive
- NNTP dissector bug
- Incorrect padding in BFCP decoder
- SPNEGO dissector bug
- SRT values are incorrect when applying a time shift
- Add warning that capturing is not supported in Wireshark installed from flatpak
- Opening Wireshark with -z io,stat option
- batadv dissector bug
- radiotap-gen build fails if pcap is not found
- [UDS] When filtering the uds.wdbi.data_identifier or uds.iocbi.data_identifier field is interpreted as 1 byte whereas it consists of 2 bytes
- Wireshark can’t save this capture in that format
- MSMMS parsing buffer overflow
- USB HID parser shows wrong label for usages Rx/Vx/Vbrx of usage page Generic Desktop Control
- "Follow → QUIC Stream" mixes data between streams
Wireshark Portable 4.0.5
Fixed:
- wnpa-sec-2023-09 RPCoRDMA dissector crash
- wnpa-sec-2023-10 LISP dissector large loop
- wnpa-sec-2023-11 GQUIC dissector crash
- Wireshark ITS Dissector RTCMEM wrong protocol version selector 2 - should use 118862
- Wireshark treats the letter E in SSRC as an exponential representation of a number18879
- VNC RRE Parser skips over data
- sshdump coredump when --remote-interface is left empty
- Fuzz job crash output: fuzz-2023-03-17-7298.pcap
- Fuzz job crash output: fuzz-2023-03-27-7564.pcap
- RFC8925 support (dhcp option 108)
- DIS dissector shows an incorrect state in the packet list info column
- RTP analysis shows incorrect timestamp error when timestamp is rolled over
- Asterisk (*) key crash on Endpoint/Conversation dialog
- The RTP player waveform now synchronizes better with audio.
Wireshark Portable 4.0.4
- We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release
- If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you will likely have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon
Fixed:
- The following vulnerabilities have been fixed:
- wnpa-sec-2023-08 ISO 15765 and ISO 10681 dissector crash
The following bugs have been fixed:
- UTF-8 characters end up escaped in PSML output
- Export filtered displayed packets won’t save IP fragments of SCTP fragments needed to reassemble a displayed frame
- DICOM dissection in reassembled PDV goes wrong
- "Export Objects - IMF" produces incorrect file, TCP reassembly fails with retransmissions that have additional data
- The intelligent scroll bar or minimap is not predictable on locating and scrolling
- If you mark (or unmark) the currently-selected frame, the packet details still say it’s not marked (or it is marked) Issue 14330.
- An out-of-order packet incorrectly detected as retransmission breaks desegmentation of TCP stream
- Sorting Packet Loss Column is not sorting correct
- Some HTTPS packets cannot be decrypted
- SIP TCP decoding regression from Wireshark 1.99.0 to 3.6.8
- Frame comments not preserved when using filter to write new pcap from tshark
- ChmodBPF not working on macOS Ventura 13.1
- Wireshark GUI and window manager stuck after setting display filter
- Dissector bug, protocol H.261
- File extension heuristics are case-sensitive
- Symbolic links to packages in macOS dmg can’t be double-clicked to install on macOS 13.2
- Potential memory leak in tshark.c
- Fuzz job crash output: fuzz-2023-02-05-7303.pcap
- f5fileinfo: Hardware platforms missing descriptions
- The lines in the intelligent scrollbar are off by one
- Wireshark crashes on invalid UDS packet in Lua context
- TECMP dissector shows the wrong Voltage in Vendor Data
- UDS: Names of RDTCI subfunctions 0x0b …? 0x0e are not correct
Updated Protocol Support:
- ASTERIX, BGP, DHCP, ERF, F5 Ethernet trailer, GMR-1 RR, Gryphon, GSM SMS, H.261, H.450, ISO 10681, ISO 15765, MIPv6, NAS-5gs, NR RRC, NS Trace, OptoMMP, PDCP-LTE, PDCP-NR, QSIG, ROHC, RSVP, RTCP, SCTP, SIP, TCP, TECMP, TWAMP, UDS, and UMTS RLC
Wireshark Portable 4.0.3
Fixed:
- Wnpa-sec-2023-01 EAP dissector crash
- Wnpa-sec-2023-02 NFS dissector memory leak
- Wnpa-sec-2023-03 Dissection engine crash
- Wnpa-sec-2023-04 GNW dissector crash
- Wnpa-sec-2023-05 iSCSI dissector crash
- Wnpa-sec-2023-06 Multiple dissector excessive loops
- Wnpa-sec-2023-07 TIPC dissector crash
The following bugs have been fixed:
- Qt: After modifying coloring rules, the coloring rule applied to the first packet reflects the coloring rules previously in effect
- Help file doesn’t display for extcap interfaces
- For USB traffic on XHC20 interface destination is always given as Host
- Wireshark Expert Info - cannot deselect the limit to display filter tick box
- Wrong pointer conversion in get_data_source_tvb_by_name() Issue 18517.
- Wrong number of bits skipped while decoding an empty UTF8String on UPER packet
- Crash when analyzing protobuf packets
- Uninitialized values in various dissectors
- String (GeoIP country/city) ordering doesn’t work in Endpoints
- Wireshark crashes with an assertion failure on stray minus in filter
- IO Graph: Add new graph only works until the 10th graph
- Fuzz job crash output: fuzz-2022-12-30-11007.pcap
- Q.850 - error in label for cause 0x7F
- Uninitialized values in CoAP and RTPS dissectors
- Screenshots in AppStream metainfo.xml file not available
Wireshark Portable 4.0.2
Fixed:
- wnpa-sec-2022-09 Multiple dissector infinite loops
- wnpa-sec-2022-10 Kafka dissector memory exhaustion
- Qt: Endpoints dialog - unexpected byte unit suffixes in packet columns
- GOOSE: field "floating_point" not working anymore
- EVS Header-Full format padding issues
- Wireshark 4.0.0 VOIP playback has no sound and can’t resume after pausing
- Wireshark crashes when exporting a profile on Mac OSX if there is no extension
- EVS dissector missing value description
- Qt 6 font descriptions not backward compatible with Qt 5
- Wireshark, wrong TCP ACKed unseen segment message
- Invalid Cyrillic symbol in timezone at "Arrival Time" field in frame
- ProtoBuf parse extension definitions failed
- Fuzz job crash output: fuzz-2022-11-09-11134.pcap
- Fuzz job crash output: fuzz-2022-11-14-11111.pcap
- Wireshark is using old version of ASN (ETSI TS 125 453 V11.2.0) which is imapacting length of param in the messages
- BGP: False IGMP flags value in EVPN routes (type 6,7,8)
- wslog assumes stderr and stdout exist
- Editing packet comments, with non-ASCII characters, on Windows saves them in the local code page, not in UTF-8
- Unable to decrypt PSK based DTLS traffic which uses Connection ID
- HTTP2 tests fail when built without nghttp2
Wireshark Portable 4.0.1
New:
- The Windows installers now ship with Qt 5.12.2. They previously shipped with Qt 6.2.3.
Fixed:
- Comparing a boolean field against 1 always succeeds on big-endian machines
- Qt: MaxMind GeoIP columns not added to Endpoints table
- Fuzz job crash output: fuzz-2022-10-04-7131.pcap
- The RTP player might not play audio on Windows
- Wireshark 4.0 breaks display filter expression with > sign
- Capture filters not working when using SSH capture and dumpcap
- Packet diagram field values are not terminated
- Packet bytes not displayed completely if scrolling
- Fuzz job crash output: fuzz-2022-10-13-7166.pcap
- Decoding bug H.245 userInput Signal
- CFDP dissector doesn’t handle "destination filename" only
- Home page capture button doesn’t pop up capture options dialog
- Missing dot in H.248 protocol name
- Missing dot for protocol H.264 in protocol column
- Fuzz job crash output: fuzz-2022-10-23-7240.pcap
Wireshark Portable 4.0.0
- We no longer ship official 32-bit Windows packages starting with this release. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779
- The display filter syntax is more powerful with many new extensions. See below for details.
- The Conversation and Endpoint dialogs have been redesigned. See below for details
- The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane
- Hex dump imports from Wireshark and from text2pcap have been improved. See below for details.
- Speed when using MaxMind geolocation has been greatly improved
- The tools and libraries required to build Wireshark have changed. See “Other Development Changes” below for more details.
- Many other improvements have been made. See the “New and Updated Features” section below for more details.
New and Updated Features:
The following features are new (or have been significantly updated) since version 4.0.0rc2:
- Nothing of note
The following features are new (or have been significantly updated) since version 4.0.0rc1:
- The macOS packages now ship with Qt 6.2.4 and require macOS 10.14. They previously shipped with Qt 5.15.3
- The Windows installers now ship with Npcap 1.71. They previously shipped with Npcap 1.70
The following features are new (or have been significantly updated) since version 3.7.2:
- The Windows installers now ship with Npcap 1.70. They previously shipped with Npcap 1.60.
The following features are new (or have been significantly updated) since version 3.7.1:
- The 'v' (lower case) and 'V' (upper case) switches have been swapped for editcap and mergecap to match the other command line utilities.
- The ip.flags field is now only the three high bits, not the full byte. Display filters and Coloring rules using the field will need to be adjusted.
- New address type AT_NUMERIC allows simple numeric addresses for protocols which do not have a more common-style address approach, analog to AT_STRINGZ.
The following features are new (or have been significantly updated) since version 3.7.0:
- The Windows installers now ship with Qt 6.2.3. They previously shipped with Qt 6.2.4.
The Conversation and Endpoint dialogs have been redesigned with the following improvements:
- The context menu now includes the option to resize all columns, as well as copying elements
- Data may be exported as JSON
- Tabs may be detached and reattached from the dialog
- Adding and removing tabs will keep them in the same order all the time
- If a filter is applied, two columns are shown in either dialog detailing the difference between unmatched and matched packets
- Columns are now sorted via secondary properties if an identical entry is found
- Conversations are sorted via second address and first port number
- Endpoints are sorted via port numbers
- IPv6 addresses are sorted correctly after IPv4 addresses
- The dialog elements have been moved to make it easier to handle for new users
- Selection of tap elements is done via a list
- All configurations and options are done via a left side button row
- Columns for the Conversations and Endpoint dialogs can be hidden by a context menu
- TCP and UDP conversations now include the stream ID and allow filtering on it
The following features are new (or have been significantly updated) since version 3.6.0:
- The Windows installers now ship with Npcap 1.60. They previously shipped with Npcap 1.55.
- The Windows installers now ship with Qt 6.2.4. They previously shipped with Qt 5.12.2.
The display filter syntax has been updated and enhanced:
- A syntax to match a specific layer in the protocol stack has been added. For example in an IP-over-IP packet “ip.addr#1 == 1.1.1.1” matches the outer layer addresses and “ip.addr#2 == 1.1.1.2” matches the inner layer addresses.
- Universal quantifiers "any" and "all" have been added to any relational operator. For example the expression "all tcp.port > 1024" is true if and only if all tcp.port fields match the condition. Previously only the default behaviour to return true if any one field matches was supported.
- Field references, of the form ${some.field}, are now part of the syntax of display filters. Previously they were implemented as macros. The new implementation is more efficient and has the same properties as protocol fields, like matching on multiple values using quantifiers and support for layer filtering.
- Arithmetic is supported for numeric fields with the usual operators “+”, “-”, “*”, “/”, and “%”. Arithmetic expressions must be grouped using curly brackets (not parenthesis).
- New display filter functions max(), min() and abs() have been added.
- Functions can accept expressions as arguments, including other functions. Previously only protocol fields and slices were syntactically valid function arguments.
- A new syntax to disambiguate literals from identifiers has been added. Every value with a leading dot is a protocol or protocol field. Every value in between angle brackets is a literal value. See the User’s Guide for details.
- The "bitwise and" operator is now a first-class bit operator, not a boolean operator. In particular this means it is now possible to mask bits, e.g.: frame[0] & 0x0F == 3.
- Dates and times can be given in UTC using ISO 8601 (with 'Z' timezone) or by appending the suffix "UTC" to the legacy formats. Otherwise local time is used
- Integer literal constants may be written in binary (in addition to decimal/octal/hexadecimal) using the prefix "0b" or "0B"
- Logical AND now has higher precedence than logical OR, in line with most programming languages
It is now possible to index protocol fields from the end using negative indexes. For example the following expression tests the last two bytes of the TCP protocol field: tcp[-2:] == AA:BB. This was a longstanding bug that has been fixed in this release.
- Set elements must be separated using a comma, e.g: {1, 2, "foo"}. Using only whitespace as a separator was deprecated in 3.6 and is now a syntax error.
- Support for some additional character escape sequences in double quoted strings has been added. Along with octal () and hex (x) encoding, the following C escape sequences are now supported with the same meaning: a, b, f, n, r, t, v. Previously they were only supported with character constants.
- Unicode universal character names are now supported with the escape sequences uNNNN or UNNNNNNNN, where N is a hexadecimal digit
- Unrecognized escape sequences are now treated as a syntax error. Previously they were treated as a literal character. In addition to the sequences indicated above, backslash, single quotation and double quotation mark are also valid sequences: , ', ".
- A new strict equality operator "===" or "all_eq" has been added. The expression "a === b" is true if and only if all a’s are equal to b. The negation of "===" can now be written as "!==" (any_ne).
- The aliases "any_eq" for "==" and "all_ne" for "!=" have been added
- The operator "~=" is deprecated and will be removed in a future version. Use "!==", which has the same meaning instead
- Floats must be written with a leading and ending digit. For example the values ".7" and "7." are now invalid as floats. They must be written "0.7" and "7.0" respectively.
- The display filter engine now uses PCRE2 instead of GRegex (GLib’s bindings to the older and end-of-life PCRE library). PCRE2 is compatible with PCRE so any user-visible changes should be minimal. Some exotic patterns may now be invalid and require rewriting.
- Literal strings can handle embedded null bytes (the value '') correctly. This includes regular expression patterns. For example the double-quoted string " is a null byte" is a legal literal value. This may be useful to match byte patterns but note that in general protocol fields with a string type still cannot contain embedded null bytes.
- Booleans can be written as True/TRUE or False/FALSE. Previously they could only be written as 1 or 0.
- It is now possible to test for the existence of a slice
- All integer sizes are now compatible. Unless overflow occurs any integer field can be compared with any other.
The text2pcap command and the “Import from Hex Dump” feature have been updated and enhanced:
- text2pcap supports writing the output file in all the capture file formats that wiretap library supports, using the same -F option as editcap, mergecap, and tshark.
- Consistent with the other command line tools like editcap, mergecap, tshark, and the "Import from Hex Dump" option within Wireshark, the default capture file format for text2pcap is now pcapng. The -n flag to select pcapng (instead of the previous default, pcap) has been deprecated and will be removed in a future release.
- text2pcap supports selecting the encapsulation type of the output file format using the wiretap library short names with an -E option, similar to the -T option of editcap.
- text2pcap has been updated to use the new logging output options and the -d flag has been removed. The "debug" log level corresponds to the old -d flag, and the "noisy" log level corresponds to using -d multiple times.
- text2pcap and “Import from Hex Dump” support writing fake IP, TCP, UDP, and SCTP headers to files with Raw IP, Raw IPv4, and Raw IPv6 encapsulations, in addition to Ethernet encapsulation available in previous versions.
- text2pcap supports scanning the input file using a custom regular expression, as supported in “Import from Hex Dump” in Wireshark 3.6.x.
- In general, text2pcap and wireshark’s “Import from Hex Dump” have feature parity.
- The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane.
- The HTTP2 dissector now supports using fake headers to parse the DATAs of streams captured without first HEADERS frames of a long-lived stream (such as a gRPC streaming call which allows sending many request or response messages in one HTTP2 stream). Users can specify fake headers using an existing stream’s server port, stream id and direction.
- The IEEE 802.11 dissector supports Mesh Connex (MCX).
- The “Capture Options” dialog contains the same configuration icon as the Welcome Screen. It is now possible to configure interfaces there.
- The “Extcap” dialog remembers password items during runtime, which makes it possible to run extcaps multiple times in row without having to reenter the password each time. Passwords are never stored on disk.
- It is possible to set extcap passwords in tshark and other CLI tools
- The extcap configuration dialog now supports and remembers empty strings. There are new buttons to reset values back to their defaults.
- Support to display JSON mapping for Protobuf message has been added
- macOS debugging symbols are now shipped in separate packages, similar to Windows packages
- In the ZigBee ZCL Messaging dissector the zbee_zcl_se.msg.msg_ctrl.depreciated field has been renamed to zbee_zcl_se.msg.msg_ctrl.deprecated
- The interface list on the welcome page sorts active interfaces first and only displays sparklines for active interfaces. Additionally, the interfaces can now be hidden and shown via the context menu in the interface list
- The Event Tracing for Windows (ETW) file reader now supports displaying IP packets from an event trace logfile or an event trace live session
- ciscodump now supports IOS, IOS-XE and ASA remote capturing
Removed Features and Support:
- The CMake options starting with DISABLE_something were renamed ENABLE_something for consistency. For example DISABLE_WERROR=On became ENABLE_WERROR=Off. The default values are unchanged.
New Protocol Support:
- Allied Telesis Loop Detection (AT LDF), AUTOSAR I-PDU Multiplexer (AUTOSAR I-PduM), DTN Bundle Protocol Security (BPSec), DTN Bundle Protocol Version 7 (BPv7), DTN TCP Convergence Layer Protocol (TCPCL), DVB Selection Information Table (DVB SIT), Enhanced Cash Trading Interface 10.0 (XTI), Enhanced Order Book Interface 10.0 (EOBI), Enhanced Trading Interface 10.0 (ETI), FiveCo’s Legacy Register Access Protocol (5co-legacy), Generic Data Transfer Protocol (GDT), gRPC Web (gRPC-Web), Host IP Configuration Protocol (HICP), Huawei GRE bonding (GREbond), Locamation Interface Module (IDENT, CALIBRATION, SAMPLES - IM1, SAMPLES - IM2R0), Mesh Connex (MCX), Microsoft Cluster Remote Control Protocol (RCP), Open Control Protocol for OCA/AES70 (OCP.1), Protected Extensible Authentication Protocol (PEAP), Realtek, REdis Serialization Protocol v2 (RESP), Roon Discovery (RoonDisco), Secure File Transfer Protocol (sftp), Secure Host IP Configuration Protocol (SHICP), SSH File Transfer Protocol (SFTP), USB Attached SCSI (UASP), and ZBOSS Network Coprocessor product (ZB NCP)
Updated Protocol Support:
- Too many protocols have been updated to list here
New and Updated Capture File Support:
- There is no new or updated capture file support in this release
Major API Changes:
- proto.h: The field display types "STR_ASCII" and "STR_UNICODE" have been removed. Use "BASE_NONE" instead.
- proto.h: The field display types for floats have been extended and refactored. The type BASE_FLOAT has been removed. Use BASE_NONE instead. New display types for floats are BASE_DEC, BASE_HEX, BASE_EXP and BASE_CUSTOM.
- The Wireshark Lua API now uses the lrexlib bindings to PCRE2. Code using the Lua GRegex module will have to be updated to use lrexlib-pcre2 instead. In most cases the API should be compatible and the conversion just requires a module name change.
- The tap registration system has been updated and the list of arguments for tap_packet_cb has changed. All taps registered through register_tap_listener have to be updated.
Other Development Changes:
- The PCRE2 library is now required to build Wireshark
- You must now have a compiler with C11 support in order to build Wireshark
The following libraries and tools have had their minimum required version increased:
- CMake 3.10 is required on macOS and Linux
- Qt version 5.12 (was 5.6.0), although compilation with 5.10 and 5.11 is still possible, but will trigger a warning during configuration
- Windows SDK 10.0.18362.0 is required due to issues with C11 support
macOS version 10.11 to 10.14 (was 10.8) is required depending on the version of Qt:
- Qt 5.10 or higher requires macOS version 10.11
- Qt 5.12 or higher requires macOS version 10.12
- Qt 5.14 or higher requires macOS version 10.13
- Qt 6.0 or higher requires macOS version 10.14
- GLib version 2.50.0 (was 2.38.0) is required
- Libgcrypt version 1.8.0 (was 1.5.0) is required
- c-ares version 1.13.0 (was 1.5.0)
- Python version 3.6.0 (was 3.4.0)
- GnuTLS version 3.5.8 (was 3.3.0)
- Nghttp2 minimum version has been set to 1.11.0 (none previous)
- Perl is no longer required to build Wireshark, but may be required to build some source code files and run code analysis checks
Wireshark Portable 3.6.8
New:
- This is the last release branch with support for 32-bit Windows. Updates will no longer be available after May 22, 2024 for that platform
Fixed:
- TCAP Malformed exception on externally re-assembled packet
- Extended 3GPP-GPRS-Negotiated-QoS-profile strings decoded incompletely
- HTTP2 dissector decodes first SSL record only
- L2TP improvements - cookie length detection, UDP encapsulation and more
- USB Truncation of URB_isochronous in frames
- ISUP/BICC parameter summary text duplication
- Running rpm-setup.sh shows missing packages that Centos does not need
- IPX/IPX RIP: Crash on expand subtree
- Qt: A file or packet comment that is too large will corrupt the pcapng file
- BGP dissector bug
- Wrong interpretation of the cbsp.rep_period field in epan/dissectors/packet-gsm_cbsp.c
- Assertion due to incorrect mask for btatt.battery_power_state.*
- Qt: Expert Info dialog not showing Malformed Frame when Frame length is less than captured length
- Wireshark and tshark become non-responsive when reading certain packets
Wireshark Portable 3.6.7
New:
- This is the last release branch with support for 32-bit Windows. Updates will no longer be available after May 22, 2024 for that platform.
Fixed:
The following bugs have been fixed:
- Multiple Files preference "Create new file automatically…after" [time] working incorrectly
- get_filter Lua function doesn’t return the filter
- Dissector bug, protocol HTTP failed assertion "saved_layers_len < 500" with chunked/multipart
- Wrong EtherCAT bit label (possible dissector bug)
- UDP packets falsely marked as "malformed packet"
- TLS certificate parser with filter crash
- Incorrect type for the IEC 60870 APDU appears in packet details pane
- NHRP Problem
- EtherCAT CoE header unknown type
Wireshark Portable 3.6.6
Fixed:
- TLS: RSA decryption fails with Extended Master Secret and renegotiation
- "dfilter" file on Windows adds carriage returns, and requires line feeds
- Npcap bundled version needs a bump to v1.60 for Windows 11 compatibility
- "Browse" button in Prefs/Name Resolution/MaxMind crashes Wireshark on macOS
- TFTP: some packets are not recognized as TFTP packets with 3.6.5
Wireshark Portable 3.6.5
Fixed:
- This release fixes an installation issue on Windows which was introduced in the 3.6.4 release
Wireshark Portable 3.6.3
Fixed:
- Fuzz job crash output: fuzz-2022-01-19-7399.pcap
- TLS dissector incorrectly reports JA3 values
- "Wiki Protocol page" in packet details menu is broken - wiki pages not migrated to GitLab?
- Dissector bug, protocol PFCP display Flow Description IE value error in Additional Flow Description of PFD Management Request Message
- Bluetooth: Fails to open Log file for SCO connection
- Fuzz job crash output: fuzz-2022-03-07-10896.pcap
- libwiretap: Save as ERF causes segmentation fault
- HTTP server returning multiple early hints shows too many responses in "Follow HTTP Stream"
Wireshark Portable 3.6.2
The following vulnerabilities have been fixed:
- wnpa-sec-2022-01 RTMPT dissector infinite loop
- wnpa-sec-2022-02 Large loops in multiple dissectors
- wnpa-sec-2022-03 PVFS dissector crash
- wnpa-sec-2022-04 CSN.1 dissector crash
- wnpa-sec-2022-05 CMS dissector crash
The following bugs have been fixed:
- Support for GSM SMS TPDU in HTTP2 body
- Wireshark 3.6.1 broke the ABI by removing ws_log_default_writer from libwsutil
- Fedora RPM package build failing with RPATH of /usr/local/lib64
- macos-setup.sh: ftp.pcre.org no longer exists
- nmap.org/npcap ? npcap.com: domain/URL change
- MPLS ECHO FEC stack change TLV not dissected correctly
- Attempting to open a systemd journal export file segfaults
- Dissector bug on 802.11ac packets
- The Info column shows only one NGAP/S1AP packet of several packets inside an SCTP packet
- Uninstalling Wireshark 3.6.1 on Windows 10 fails to remove the installation directory because it doesn’t remove the User’s Guide subdirectory and all its contents.
- 3.6 doesn’t build without zlib
- SIP Statistics no longer properly reporting method type accounting
- Fuzz job crash output: fuzz-2022-01-26-6940.pcap
- SCTP retransmission detection broken for the first data chunk of each association with relative TSN
- “Show In Folder” doesn’t work correctly for filenames with spaces
- New and Updated Features
- New Protocol Support
- There are no new protocols in this release
- Updated Protocol Support
- AMP, ASN.1 PER, ATN-ULCS, BGP, BP, CFLOW, CMS, CSN.1, GDSDB, GSM RP, GTP, HTTP3, IEEE 802.11 Radiotap, IPDC, ISAKMP, Kafka, MP2T, MPEG PES, MPEG SECT, MPLS ECHO, NGAP, NTLMSSP, OpenFlow 1.4, OpenFlow 1.5, P_MUL, PN-RT, PROXY, PTP, PVFS, RSL, RTMPT, rtnetlink, S1AP, SCTP, Signal PDU, SIP, TDS, USB, WAP, and ZigBee ZCL
New and Updated Capture File Support:
- BLF and libpcap
New File Format Decoding Support:
- There is no new or updated file format support in this release
Wireshark Portable 3.6.1
The following vulnerabilities have been fixed:
- wnpa-sec-2021-17 RTMPT dissector infinite loop
- wnpa-sec-2021-18 BitTorrent DHT dissector infinite loop
- wnpa-sec-2021-19 pcapng file parser crash
- wnpa-sec-2021-20 RFC 7468 file parser infinite loop
- wnpa-sec-2021-21 Sysdig Event dissector crash
- wnpa-sec-2021-22 Kafka dissector infinite loop
The following bugs have been fixed:
- Allow sub-second timestamps in hexdumps
- GRPC: An unnecessary empty Protobuf tree item is displayed if the GRPC message body length is 0
- Can’t install "ChmodBPF.pkg" or "Add Wireshark to the system path.pkg" on M1 MacBook Air Monterey without Rosetta 2
- TECMP: LIN Payload is cut off by 1 byte
- Wireshark crashes if a 64 bit field of type BASE_CUSTOM is applied as a column
- Command line option "-o console.log.level" causes wireshark and tshark to exit on start
- Setting WIRESHARK_LOG_LEVEL=debug breaks interface capture
- Unable to build without tshark
- IEEE 802.11 action frames are not getting parsed and always seen as malformed
- IEC 60870-5-101 link address field is 1 byte, but should have configurable length of 0,1 or 2 bytes
- dfilter: 'tcp.port not in {1}' crashes Wireshark
New and Updated Features:
- The 'console.log.level' preference was removed in Wireshark 3.6.0. This release adds an '-o console.log.level:' backward-compatibilty option on the CLI that maps to the new logging sub-system. Note that this does not have bitmask semantics and does not correspond to any actual preference. It is just a transition mechanism for users that were relying on this CLI option and will be removed in the future. To see the new diagnostic output options consult the manpages or the output of '--help'.
Updated Protocol Support:
- ANSI A I/F, AT, BitTorrent DHT, FF, GRPC, IEC 101/104, IEEE 802.11, IEEE 802.11 Radiotap, IPsec, Kafka, QUIC, RTMPT, RTSP, SRVLOC, Sysdig Event, and TECMP
New and Updated Capture File Support:
- BLF and RFC 7468
Wireshark Portable 3.6.0
New and Updated Features:
The following features are new (or have been significantly updated) since version 3.6.0rc3:
- The macOS Intel packages now ship with Qt 5.15.3 and require macOS 10.13 or later
The following features are new (or have been significantly updated) since version 3.6.0rc2:
- Display filter set elements must now be comma-separated. See below for more details.
The following features are new (or have been significantly updated) since version 3.6.0rc1:
- The display filter expression “a != b” now has the same meaning as “!(a == b)”
The following features are new (or have been significantly updated) since version 3.5.0:
- Nothing of note.
The following features are new (or have been significantly updated) since version 3.4.0:
Several changes have been made to the display filter syntax:
- The expression “a != b” now always has the same meaning as “!(a == b)”. In particular this means filter expressions with multi-value fields like “ip.addr != 1.1.1.1” will work as expected (the result is the same as typing “ip.src != 1.1.1.1 and ip.dst != 1.1.1.1”). This avoids the contradiction (a == b and a != b) being true.
- It is possible to use the syntax “a ~= b” or “a any_ne b” to recover the previous (inconsistent with "==") logic for not equal.
- Literal strings can now be specified using raw string syntax, identical to raw strings in the Python programming language. This can be used to avoid the complexity of using two levels of character escapes with regular expressions.
- Set elements must now be separated using a comma. A filter such as http.request.method in {"GET" "HEAD"} must be written as … in {"GET", "HEAD"}. Whitespace is not significant. The previous use of whitespace as separator is deprecated and will be removed in a future version.
- Support for the syntax "a not in b" with the same meaning as "not a in b" has been added
Packaging updates:
- A macOS Arm 64 (Apple Silicon) package is now available
- The macOS Intel packages now ship with Qt 5.15.3 and require macOS 10.13 or later
- The Windows installers now ship with Npcap 1.55
- A 64-bit Windows PortableApps package is now available
- TCP conversations now support a completeness criteria, which facilitates the identification of TCP streams having any of opening or closing handshakes, a payload, in any combination. It can be accessed with the new tcp.completeness filter.
- Protobuf fields that are not serialized on the wire or otherwise missing in capture files can now be displayed with default values by setting the new “add_default_value” preference. The default values might be explicitly declared in “proto2” files, or false for bools, first value for enums, zero for numeric types.
- Wireshark now supports reading Event Tracing for Windows (ETW). A new extcap named ETW reader is created that now can open an etl file, convert all events in the file to DLT_ETW packets and write to a specified FIFO destination. Also, a new packet_etw dissector is created to dissect DLT_ETW packets so Wireshark can display the DLT_ETW packet header, its message and packet_etw dissector calls packet_mbim sub_dissector if its provider matches the MBIM provider GUID.
- “Follow DCCP stream” feature to filter for and extract the contents of DCCP streams.
- Wireshark now supports dissecting RTP packets with OPUS payloads.
- Importing captures from text files based on regular expressions is now possible. By specifying a regex capturing a single packet including capturing groups for relevant fields a textfile can be converted to a libpcap capture file. Supported data encodings are plain-hexadecimal, -octal, -binary and base64. Also the timestamp format now allows the second-fractions to be placed anywhere in the timestamp and it will be stored with nanosecond instead of microsecond precision.
The RTP Player has been significatnly redesigned and improved. See Playing VoIP Calls and RTP Player Window in the User’s Guide for more details:
- The RTP Player can play many streams in row
- The UI is more responsive
- The RTP P
- OperaOpera 115.0 Build 5322.68 (64-bit)
- 4K Download4K Video Downloader+ 1.10.0 (64-bit)
- PhotoshopAdobe Photoshop CC 2025 26.1 (64-bit)
- OKXOKX - Buy Bitcoin or Ethereum
- iTop VPNiTop VPN 6.1.0 - Fast, Safe & Secure
- Premiere ProAdobe Premiere Pro CC 2025 25.0
- BlueStacksBlueStacks 10.41.610.1001
- Hero WarsHero Wars - Online Action Game
- TradingViewTradingView - Trusted by 60 Million Traders
- LockWiperiMyFone LockWiper (Android) 5.7.2
Comments and User Reviews