Wireshark is a free and open source packet analyzer for PC!

Wireshark Portable

Download Wireshark Portable 4.0.3

  -  43.4 MB  -  Open Source

What's new in this version:

Wireshark Portable 4.0.3
Fixed:
- wnpa-sec-2023-01 EAP dissector crash
- wnpa-sec-2023-02 NFS dissector memory leak
- wnpa-sec-2023-03 Dissection engine crash
- wnpa-sec-2023-04 GNW dissector crash
- wnpa-sec-2023-05 iSCSI dissector crash
- wnpa-sec-2023-06 Multiple dissector excessive loops
- wnpa-sec-2023-07 TIPC dissector crash

The following bugs have been fixed:
- Qt: After modifying coloring rules, the coloring rule applied to the first packet reflects the coloring rules previously in effect
- Help file doesn’t display for extcap interfaces
- For USB traffic on XHC20 interface destination is always given as Host
- Wireshark Expert Info - cannot deselect the limit to display filter tick box
- Wrong pointer conversion in get_data_source_tvb_by_name() Issue 18517.
- Wrong number of bits skipped while decoding an empty UTF8String on UPER packet
- Crash when analyzing protobuf packets
- Uninitialized values in various dissectors
- String (GeoIP country/city) ordering doesn’t work in Endpoints
- Wireshark crashes with an assertion failure on stray minus in filter
- IO Graph: Add new graph only works until the 10th graph
- Fuzz job crash output: fuzz-2022-12-30-11007.pcap
- Q.850 - error in label for cause 0x7F
- Uninitialized values in CoAP and RTPS dissectors
- Screenshots in AppStream metainfo.xml file not available


Wireshark Portable 4.0.2
Fixed:
- wnpa-sec-2022-09 Multiple dissector infinite loops
- wnpa-sec-2022-10 Kafka dissector memory exhaustion
- Qt: Endpoints dialog - unexpected byte unit suffixes in packet columns
- GOOSE: field "floating_point" not working anymore
- EVS Header-Full format padding issues
- Wireshark 4.0.0 VOIP playback has no sound and can’t resume after pausing
- Wireshark crashes when exporting a profile on Mac OSX if there is no extension
- EVS dissector missing value description
- Qt 6 font descriptions not backward compatible with Qt 5
- Wireshark, wrong TCP ACKed unseen segment message
- Invalid Cyrillic symbol in timezone at "Arrival Time" field in frame
- ProtoBuf parse extension definitions failed
- Fuzz job crash output: fuzz-2022-11-09-11134.pcap
- Fuzz job crash output: fuzz-2022-11-14-11111.pcap
- Wireshark is using an old version of ASN (ETSI TS 125 453 V11.2.0), which is impacting the length of param in the messages
- BGP: False IGMP flags value in EVPN routes (type 6,7,8)
- wslog assumes stderr and stdout exist
- Editing packet comments, with non-ASCII characters, on Windows saves them in the local code page, not in UTF-8
- Unable to decrypt PSK based DTLS traffic which uses Connection ID
- HTTP2 tests fail when built without nghttp2


Wireshark Portable 4.0.1
New:
- The Windows installers now ship with Qt 5.12.2. They previously shipped with Qt 6.2.3.

Fixed:
- Comparing a boolean field against 1 always succeeds on big-endian machines
- Qt: MaxMind GeoIP columns not added to Endpoints table
- Fuzz job crash output: fuzz-2022-10-04-7131.pcap
- The RTP player might not play audio on Windows
- Wireshark 4.0 breaks display filter expression with > sign
- Capture filters not working when using SSH capture and dumpcap
- Packet diagram field values are not terminated
- Packet bytes not displayed completely if scrolling
- Fuzz job crash output: fuzz-2022-10-13-7166.pcap
- Decoding bug H.245 userInput Signal
- CFDP dissector doesn’t handle "destination filename" only
- Home page capture button doesn’t pop up capture options dialog
- Missing dot in H.248 protocol name
- Missing dot for protocol H.264 in protocol column
- Fuzz job crash output: fuzz-2022-10-23-7240.pcap


Wireshark Portable 4.0.0
- We no longer ship official 32-bit Windows packages starting with this release. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779
- The display filter syntax is more powerful with many new extensions. See below for details.
- The Conversation and Endpoint dialogs have been redesigned. See below for details
- The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane
- Hex dump imports from Wireshark and from text2pcap have been improved. See below for details.
- Speed when using MaxMind geolocation has been greatly improved
- The tools and libraries required to build Wireshark have changed. See “Other Development Changes” below for more details.
- Many other improvements have been made. See the “New and Updated Features” section below for more details.

New and Updated Features:
The following features are new (or have been significantly updated) since version 4.0.0rc2:
- Nothing of note

The following features are new (or have been significantly updated) since version 4.0.0rc1:
- The macOS packages now ship with Qt 6.2.4 and require macOS 10.14. They previously shipped with Qt 5.15.3
- The Windows installers now ship with Npcap 1.71. They previously shipped with Npcap 1.70

The following features are new (or have been significantly updated) since version 3.7.2:
- The Windows installers now ship with Npcap 1.70. They previously shipped with Npcap 1.60.

The following features are new (or have been significantly updated) since version 3.7.1:
- The 'v' (lower case) and 'V' (upper case) switches have been swapped for editcap and mergecap to match the other command line utilities.
- The ip.flags field is now only the three high bits, not the full byte. Display filters and Coloring rules using the field will need to be adjusted.
- New address type AT_NUMERIC allows simple numeric addresses for protocols which do not have a more common-style address approach, analog to AT_STRINGZ.

The following features are new (or have been significantly updated) since version 3.7.0:
- The Windows installers now ship with Qt 6.2.3. They previously shipped with Qt 6.2.4.

The Conversation and Endpoint dialogs have been redesigned with the following improvements:
- The context menu now includes the option to resize all columns, as well as copying elements
- Data may be exported as JSON
- Tabs may be detached and reattached from the dialog
- Adding and removing tabs will keep them in the same order all the time
- If a filter is applied, two columns are shown in either dialog detailing the difference between unmatched and matched packets
- Columns are now sorted via secondary properties if an identical entry is found
- Conversations are sorted via second address and first port number
- Endpoints are sorted via port numbers
- IPv6 addresses are sorted correctly after IPv4 addresses
- The dialog elements have been moved to make it easier to handle for new users
- Selection of tap elements is done via a list
- All configurations and options are done via a left side button row
- Columns for the Conversations and Endpoint dialogs can be hidden by a context menu
- TCP and UDP conversations now include the stream ID and allow filtering on it

The following features are new (or have been significantly updated) since version 3.6.0:
- The Windows installers now ship with Npcap 1.60. They previously shipped with Npcap 1.55.
- The Windows installers now ship with Qt 6.2.4. They previously shipped with Qt 5.12.2.

The display filter syntax has been updated and enhanced:
- A syntax to match a specific layer in the protocol stack has been added. For example in an IP-over-IP packet “ip.addr#1 == 1.1.1.1” matches the outer layer addresses and “ip.addr#2 == 1.1.1.2” matches the inner layer addresses.
- Universal quantifiers "any" and "all" have been added to any relational operator. For example the expression "all tcp.port > 1024" is true if and only if all tcp.port fields match the condition. Previously only the default behaviour to return true if any one field matches was supported.
- Field references, of the form ${some.field}, are now part of the syntax of display filters. Previously they were implemented as macros. The new implementation is more efficient and has the same properties as protocol fields, like matching on multiple values using quantifiers and support for layer filtering.
- Arithmetic is supported for numeric fields with the usual operators “+”, “-”, “*”, “/”, and “%”. Arithmetic expressions must be grouped using curly brackets (not parentheses).
- New display filter functions max(), min() and abs() have been added.
- Functions can accept expressions as arguments, including other functions. Previously only protocol fields and slices were syntactically valid function arguments.
- A new syntax to disambiguate literals from identifiers has been added. Every value with a leading dot is a protocol or protocol field. Every value in between angle brackets is a literal value. See the User’s Guide for details.
- The "bitwise and" operator is now a first-class bit operator, not a boolean operator. In particular this means it is now possible to mask bits, e.g.: frame[0] & 0x0F == 3.
- Dates and times can be given in UTC using ISO 8601 (with 'Z' timezone) or by appending the suffix "UTC" to the legacy formats. Otherwise local time is used
- Integer literal constants may be written in binary (in addition to decimal/octal/hexadecimal) using the prefix "0b" or "0B"
- Logical AND now has higher precedence than logical OR, in line with most programming languages

- It is now possible to index protocol fields from the end using negative indexes. For example the following expression tests the last two bytes of the TCP protocol field: tcp[-2:] == AA:BB. This was a longstanding bug that has been fixed in this release.
- Set elements must be separated using a comma, e.g: {1, 2, "foo"}. Using only whitespace as a separator was deprecated in 3.6 and is now a syntax error.
- Support for some additional character escape sequences in double quoted strings has been added. Along with octal and hex (\x) encoding, the following C escape sequences are now supported with the same meaning: \a, \b, \f, \n, \r, \t, \v. Previously they were only supported with character constants.
- Unicode universal character names are now supported with the escape sequences \uNNNN or \UNNNNNNNN, where N is a hexadecimal digit
- Unrecognized escape sequences are now treated as a syntax error. Previously they were treated as a literal character. In addition to the sequences indicated above, backslash, single quotation and double quotation mark are also valid sequences: \\, \', \".
- A new strict equality operator "===" or "all_eq" has been added. The expression "a === b" is true if and only if all a’s are equal to b. The negation of "===" can now be written as "!==" (any_ne).
- The aliases "any_eq" for "==" and "all_ne" for "!=" have been added
- The operator "~=" is deprecated and will be removed in a future version. Use "!==", which has the same meaning instead
- Floats must be written with a leading and ending digit. For example the values ".7" and "7." are now invalid as floats. They must be written "0.7" and "7.0" respectively.
- The display filter engine now uses PCRE2 instead of GRegex (GLib’s bindings to the older and end-of-life PCRE library). PCRE2 is compatible with PCRE so any user-visible changes should be minimal. Some exotic patterns may now be invalid and require rewriting.
- Literal strings can handle embedded null bytes (the value '\0') correctly. This includes regular expression patterns. For example the double-quoted string "\0 is a null byte" is a legal literal value. This may be useful to match byte patterns but note that in general protocol fields with a string type still cannot contain embedded null bytes.
- Booleans can be written as True/TRUE or False/FALSE. Previously they could only be written as 1 or 0.
- It is now possible to test for the existence of a slice
- All integer sizes are now compatible. Unless overflow occurs any integer field can be compared with any other.

The text2pcap command and the “Import from Hex Dump” feature have been updated and enhanced:
- text2pcap supports writing the output file in all the capture file formats that wiretap library supports, using the same -F option as editcap, mergecap, and tshark.
- Consistent with the other command line tools like editcap, mergecap, tshark, and the "Import from Hex Dump" option within Wireshark, the default capture file format for text2pcap is now pcapng. The -n flag to select pcapng (instead of the previous default, pcap) has been deprecated and will be removed in a future release.
- text2pcap supports selecting the encapsulation type of the output file format using the wiretap library short names with an -E option, similar to the -T option of editcap.
- text2pcap has been updated to use the new logging output options and the -d flag has been removed. The "debug" log level corresponds to the old -d flag, and the "noisy" log level corresponds to using -d multiple times.
- text2pcap and “Import from Hex Dump” support writing fake IP, TCP, UDP, and SCTP headers to files with Raw IP, Raw IPv4, and Raw IPv6 encapsulations, in addition to Ethernet encapsulation available in previous versions.
- text2pcap supports scanning the input file using a custom regular expression, as supported in “Import from Hex Dump” in Wireshark 3.6.x.
- In general, text2pcap and wireshark’s “Import from Hex Dump” have feature parity.
- The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane.
- The HTTP2 dissector now supports using fake headers to parse the DATAs of streams captured without first HEADERS frames of a long-lived stream (such as a gRPC streaming call which allows sending many request or response messages in one HTTP2 stream). Users can specify fake headers using an existing stream’s server port, stream id and direction.
- The IEEE 802.11 dissector supports Mesh Connex (MCX).
- The “Capture Options” dialog contains the same configuration icon as the Welcome Screen. It is now possible to configure interfaces there.
- The “Extcap” dialog remembers password items during runtime, which makes it possible to run extcaps multiple times in a row without having to reenter the password each time. Passwords are never stored on disk.
- It is possible to set extcap passwords in tshark and other CLI tools
- The extcap configuration dialog now supports and remembers empty strings. There are new buttons to reset values back to their defaults.
- Support to display JSON mapping for Protobuf message has been added
- macOS debugging symbols are now shipped in separate packages, similar to Windows packages
- In the ZigBee ZCL Messaging dissector the zbee_zcl_se.msg.msg_ctrl.depreciated field has been renamed to zbee_zcl_se.msg.msg_ctrl.deprecated
- The interface list on the welcome page sorts active interfaces first and only displays sparklines for active interfaces. Additionally, the interfaces can now be hidden and shown via the context menu in the interface list
- The Event Tracing for Windows (ETW) file reader now supports displaying IP packets from an event trace logfile or an event trace live session
- ciscodump now supports IOS, IOS-XE and ASA remote capturing

Removed Features and Support:
- The CMake options starting with DISABLE_something were renamed ENABLE_something for consistency. For example DISABLE_WERROR=On became ENABLE_WERROR=Off. The default values are unchanged.

New Protocol Support:
- Allied Telesis Loop Detection (AT LDF), AUTOSAR I-PDU Multiplexer (AUTOSAR I-PduM), DTN Bundle Protocol Security (BPSec), DTN Bundle Protocol Version 7 (BPv7), DTN TCP Convergence Layer Protocol (TCPCL), DVB Selection Information Table (DVB SIT), Enhanced Cash Trading Interface 10.0 (XTI), Enhanced Order Book Interface 10.0 (EOBI), Enhanced Trading Interface 10.0 (ETI), FiveCo’s Legacy Register Access Protocol (5co-legacy), Generic Data Transfer Protocol (GDT), gRPC Web (gRPC-Web), Host IP Configuration Protocol (HICP), Huawei GRE bonding (GREbond), Locamation Interface Module (IDENT, CALIBRATION, SAMPLES - IM1, SAMPLES - IM2R0), Mesh Connex (MCX), Microsoft Cluster Remote Control Protocol (RCP), Open Control Protocol for OCA/AES70 (OCP.1), Protected Extensible Authentication Protocol (PEAP), Realtek, REdis Serialization Protocol v2 (RESP), Roon Discovery (RoonDisco), Secure File Transfer Protocol (sftp), Secure Host IP Configuration Protocol (SHICP), SSH File Transfer Protocol (SFTP), USB Attached SCSI (UASP), and ZBOSS Network Coprocessor product (ZB NCP)

Updated Protocol Support:
- Too many protocols have been updated to list here

New and Updated Capture File Support:
- There is no new or updated capture file support in this release

Major API Changes:
- proto.h: The field display types "STR_ASCII" and "STR_UNICODE" have been removed. Use "BASE_NONE" instead.
- proto.h: The field display types for floats have been extended and refactored. The type BASE_FLOAT has been removed. Use BASE_NONE instead. New display types for floats are BASE_DEC, BASE_HEX, BASE_EXP and BASE_CUSTOM.
- The Wireshark Lua API now uses the lrexlib bindings to PCRE2. Code using the Lua GRegex module will have to be updated to use lrexlib-pcre2 instead. In most cases the API should be compatible and the conversion just requires a module name change.
- The tap registration system has been updated and the list of arguments for tap_packet_cb has changed. All taps registered through register_tap_listener have to be updated.

Other Development Changes:
- The PCRE2 library is now required to build Wireshark
- You must now have a compiler with C11 support in order to build Wireshark

The following libraries and tools have had their minimum required version increased:
- CMake 3.10 is required on macOS and Linux
- Qt version 5.12 (was 5.6.0), although compilation with 5.10 and 5.11 is still possible, but will trigger a warning during configuration
- Windows SDK 10.0.18362.0 is required due to issues with C11 support

macOS version 10.11 to 10.14 (was 10.8) is required depending on the version of Qt:
- Qt 5.10 or higher requires macOS version 10.11
- Qt 5.12 or higher requires macOS version 10.12
- Qt 5.14 or higher requires macOS version 10.13
- Qt 6.0 or higher requires macOS version 10.14
- GLib version 2.50.0 (was 2.38.0) is required
- Libgcrypt version 1.8.0 (was 1.5.0) is required
- c-ares version 1.13.0 (was 1.5.0)
- Python version 3.6.0 (was 3.4.0)
- GnuTLS version 3.5.8 (was 3.3.0)
- Nghttp2 minimum version has been set to 1.11.0 (none previous)
- Perl is no longer required to build Wireshark, but may be required to build some source code files and run code analysis checks


Wireshark Portable 3.6.8
New:
- This is the last release branch with support for 32-bit Windows. Updates will no longer be available after May 22, 2024 for that platform

Fixed:
- TCAP Malformed exception on externally re-assembled packet
- Extended 3GPP-GPRS-Negotiated-QoS-profile strings decoded incompletely
- HTTP2 dissector decodes first SSL record only
- L2TP improvements - cookie length detection, UDP encapsulation and more
- USB Truncation of URB_isochronous in frames
- ISUP/BICC parameter summary text duplication
- Running rpm-setup.sh shows missing packages that Centos does not need
- IPX/IPX RIP: Crash on expand subtree
- Qt: A file or packet comment that is too large will corrupt the pcapng file
- BGP dissector bug
- Wrong interpretation of the cbsp.rep_period field in epan/dissectors/packet-gsm_cbsp.c
- Assertion due to incorrect mask for btatt.battery_power_state.*
- Qt: Expert Info dialog not showing Malformed Frame when Frame length is less than captured length
- Wireshark and tshark become non-responsive when reading certain packets


Wireshark Portable 3.6.7
New:
- This is the last release branch with support for 32-bit Windows. Updates will no longer be available after May 22, 2024 for that platform.

Fixed:
The following bugs have been fixed:
- Multiple Files preference "Create new file automatically…after" [time] working incorrectly
- get_filter Lua function doesn’t return the filter
- Dissector bug, protocol HTTP failed assertion "saved_layers_len < 500" with chunked/multipart
- Wrong EtherCAT bit label (possible dissector bug)
- UDP packets falsely marked as "malformed packet"
- TLS certificate parser with filter crash
- Incorrect type for the IEC 60870 APDU appears in packet details pane
- NHRP Problem
- EtherCAT CoE header unknown type


Wireshark Portable 3.6.6
Fixed:
- TLS: RSA decryption fails with Extended Master Secret and renegotiation
- "dfilter" file on Windows adds carriage returns, and requires line feeds
- Npcap bundled version needs a bump to v1.60 for Windows 11 compatibility
- "Browse" button in Prefs/Name Resolution/MaxMind crashes Wireshark on macOS
- TFTP: some packets are not recognized as TFTP packets with 3.6.5


Wireshark Portable 3.6.5
Fixed:
- This release fixes an installation issue on Windows which was introduced in the 3.6.4 release


Wireshark Portable 3.6.3
Fixed:
- Fuzz job crash output: fuzz-2022-01-19-7399.pcap
- TLS dissector incorrectly reports JA3 values
- "Wiki Protocol page" in packet details menu is broken - wiki pages not migrated to GitLab?
- Dissector bug, protocol PFCP display Flow Description IE value error in Additional Flow Description of PFD Management Request Message
- Bluetooth: Fails to open Log file for SCO connection
- Fuzz job crash output: fuzz-2022-03-07-10896.pcap
- libwiretap: Save as ERF causes segmentation fault
- HTTP server returning multiple early hints shows too many responses in "Follow HTTP Stream"


Wireshark Portable 3.6.2
The following vulnerabilities have been fixed:
- wnpa-sec-2022-01 RTMPT dissector infinite loop
- wnpa-sec-2022-02 Large loops in multiple dissectors
- wnpa-sec-2022-03 PVFS dissector crash
- wnpa-sec-2022-04 CSN.1 dissector crash
- wnpa-sec-2022-05 CMS dissector crash

The following bugs have been fixed:
- Support for GSM SMS TPDU in HTTP2 body
- Wireshark 3.6.1 broke the ABI by removing ws_log_default_writer from libwsutil
- Fedora RPM package build failing with RPATH of /usr/local/lib64
- macos-setup.sh: ftp.pcre.org no longer exists
- nmap.org/npcap → npcap.com: domain/URL change
- MPLS ECHO FEC stack change TLV not dissected correctly
- Attempting to open a systemd journal export file segfaults
- Dissector bug on 802.11ac packets
- The Info column shows only one NGAP/S1AP packet of several packets inside an SCTP packet
- Uninstalling Wireshark 3.6.1 on Windows 10 fails to remove the installation directory because it doesn’t remove the User’s Guide subdirectory and all its contents.
- 3.6 doesn’t build without zlib
- SIP Statistics no longer properly reporting method type accounting
- Fuzz job crash output: fuzz-2022-01-26-6940.pcap
- SCTP retransmission detection broken for the first data chunk of each association with relative TSN
- “Show In Folder” doesn’t work correctly for filenames with spaces

New and Updated Features:

New Protocol Support:
- There are no new protocols in this release

Updated Protocol Support:
- AMP, ASN.1 PER, ATN-ULCS, BGP, BP, CFLOW, CMS, CSN.1, GDSDB, GSM RP, GTP, HTTP3, IEEE 802.11 Radiotap, IPDC, ISAKMP, Kafka, MP2T, MPEG PES, MPEG SECT, MPLS ECHO, NGAP, NTLMSSP, OpenFlow 1.4, OpenFlow 1.5, P_MUL, PN-RT, PROXY, PTP, PVFS, RSL, RTMPT, rtnetlink, S1AP, SCTP, Signal PDU, SIP, TDS, USB, WAP, and ZigBee ZCL

New and Updated Capture File Support:
- BLF and libpcap

New File Format Decoding Support:
- There is no new or updated file format support in this release


Wireshark Portable 3.6.1
The following vulnerabilities have been fixed:
- wnpa-sec-2021-17 RTMPT dissector infinite loop
- wnpa-sec-2021-18 BitTorrent DHT dissector infinite loop
- wnpa-sec-2021-19 pcapng file parser crash
- wnpa-sec-2021-20 RFC 7468 file parser infinite loop
- wnpa-sec-2021-21 Sysdig Event dissector crash
- wnpa-sec-2021-22 Kafka dissector infinite loop

The following bugs have been fixed:
- Allow sub-second timestamps in hexdumps
- GRPC: An unnecessary empty Protobuf tree item is displayed if the GRPC message body length is 0
- Can’t install "ChmodBPF.pkg" or "Add Wireshark to the system path.pkg" on M1 MacBook Air Monterey without Rosetta 2
- TECMP: LIN Payload is cut off by 1 byte
- Wireshark crashes if a 64 bit field of type BASE_CUSTOM is applied as a column
- Command line option "-o console.log.level" causes wireshark and tshark to exit on start
- Setting WIRESHARK_LOG_LEVEL=debug breaks interface capture
- Unable to build without tshark
- IEEE 802.11 action frames are not getting parsed and always seen as malformed
- IEC 60870-5-101 link address field is 1 byte, but should have configurable length of 0,1 or 2 bytes
- dfilter: 'tcp.port not in {1}' crashes Wireshark

New and Updated Features:
- The 'console.log.level' preference was removed in Wireshark 3.6.0. This release adds an '-o console.log.level:' backward-compatibility option on the CLI that maps to the new logging sub-system. Note that this does not have bitmask semantics and does not correspond to any actual preference. It is just a transition mechanism for users that were relying on this CLI option and will be removed in the future. To see the new diagnostic output options consult the manpages or the output of '--help'.

Updated Protocol Support:
- ANSI A I/F, AT, BitTorrent DHT, FF, GRPC, IEC 101/104, IEEE 802.11, IEEE 802.11 Radiotap, IPsec, Kafka, QUIC, RTMPT, RTSP, SRVLOC, Sysdig Event, and TECMP

New and Updated Capture File Support:
- BLF and RFC 7468


Wireshark Portable 3.6.0
New and Updated Features:
The following features are new (or have been significantly updated) since version 3.6.0rc3:
- The macOS Intel packages now ship with Qt 5.15.3 and require macOS 10.13 or later

The following features are new (or have been significantly updated) since version 3.6.0rc2:
- Display filter set elements must now be comma-separated. See below for more details.

The following features are new (or have been significantly updated) since version 3.6.0rc1:
- The display filter expression “a != b” now has the same meaning as “!(a == b)”

The following features are new (or have been significantly updated) since version 3.5.0:
- Nothing of note.

The following features are new (or have been significantly updated) since version 3.4.0:
Several changes have been made to the display filter syntax:
- The expression “a != b” now always has the same meaning as “!(a == b)”. In particular this means filter expressions with multi-value fields like “ip.addr != 1.1.1.1” will work as expected (the result is the same as typing “ip.src != 1.1.1.1 and ip.dst != 1.1.1.1”). This avoids the contradiction (a == b and a != b) being true.
- It is possible to use the syntax “a ~= b” or “a any_ne b” to recover the previous (inconsistent with "==") logic for not equal.
- Literal strings can now be specified using raw string syntax, identical to raw strings in the Python programming language. This can be used to avoid the complexity of using two levels of character escapes with regular expressions.
- Set elements must now be separated using a comma. A filter such as http.request.method in {"GET" "HEAD"} must be written as … in {"GET", "HEAD"}. Whitespace is not significant. The previous use of whitespace as separator is deprecated and will be removed in a future version.
- Support for the syntax "a not in b" with the same meaning as "not a in b" has been added
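
The quantifier behaviour described above for "!=" (3.6.0) and for the 4.0.0 operators "===", "!==" and "~=" can be modelled in a few lines. This is an added illustration, not Wireshark code: the packet list is constructed, the names `compare`, `select` and `PACKETS` are hypothetical, and only the case where the field is present in the packet is modelled.

```python
"""Toy model of display-filter comparison quantifiers on multi-value fields.

Added illustration, not Wireshark code. A multi-value field such as ip.addr
expands to several values per packet (ip.src and ip.dst); each operator
combines the per-value results with "any" or "all".
"""

# Operator spellings as listed in the release notes on this page.
OPERATORS = {
    "==":  ("any", "eq"), "any_eq": ("any", "eq"),
    "!=":  ("all", "ne"), "all_ne": ("all", "ne"),  # since 3.6: same as !(a == b)
    "===": ("all", "eq"), "all_eq": ("all", "eq"),  # strict equality, new in 4.0
    "!==": ("any", "ne"), "any_ne": ("any", "ne"),  # negation of "==="
    "~=":  ("any", "ne"),                           # deprecated spelling of "!=="
}


def compare(values, op, literal):
    """Evaluate `field op literal` for the values one packet carries."""
    if not values:
        # Assumption of this model: a missing field is out of scope.
        raise ValueError("field absent: not covered by this model")
    quantifier, relation = OPERATORS[op]
    hits = [(v == literal) if relation == "eq" else (v != literal)
            for v in values]
    return any(hits) if quantifier == "any" else all(hits)


def select(packets, op, literal):
    """Return the labels of packets whose ip.addr values satisfy the filter."""
    return [label for label, addrs in packets if compare(addrs, op, literal)]


# Constructed sample: (label, [ip.src, ip.dst]).
PACKETS = [
    ("outbound", ["1.1.1.1", "10.0.0.5"]),
    ("inbound",  ["10.0.0.5", "1.1.1.1"]),
    ("internal", ["10.0.0.5", "10.0.0.9"]),
    ("loop",     ["1.1.1.1", "1.1.1.1"]),
]

if __name__ == "__main__":
    host = "1.1.1.1"
    # "ip.addr != host" now hides every packet that touches the host.
    print("!=  :", select(PACKETS, "!=", host))
    # The pre-3.6 meaning (any_ne) still lets outbound and inbound through,
    # which is why an exclusion filter written with it did not exclude.
    print("~=  :", select(PACKETS, "~=", host))
    print("=== :", select(PACKETS, "===", host))
    # The contradiction the notes mention: with any_ne, "a == b" and the
    # not-equal test are both true for the same packet.
    addrs = PACKETS[0][1]
    print("both true:", compare(addrs, "==", host) and compare(addrs, "~=", host))
```

When reviewing saved filters or coloring rules written before 3.6, any "!=" on a multi-value field is the place to check, since its result set shrinks under the new meaning.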

Packaging updates:
- A macOS Arm 64 (Apple Silicon) package is now available
- The macOS Intel packages now ship with Qt 5.15.3 and require macOS 10.13 or later
- The Windows installers now ship with Npcap 1.55
- A 64-bit Windows PortableApps package is now available

- TCP conversations now support a completeness criteria, which facilitates the identification of TCP streams having any of opening or closing handshakes, a payload, in any combination. It can be accessed with the new tcp.completeness filter.
- Protobuf fields that are not serialized on the wire or otherwise missing in capture files can now be displayed with default values by setting the new “add_default_value” preference. The default values might be explicitly declared in “proto2” files, or false for bools, first value for enums, zero for numeric types.
- Wireshark now supports reading Event Tracing for Windows (ETW). A new extcap named ETW reader is created that now can open an etl file, convert all events in the file to DLT_ETW packets and write to a specified FIFO destination. Also, a new packet_etw dissector is created to dissect DLT_ETW packets so Wireshark can display the DLT_ETW packet header, its message and packet_etw dissector calls packet_mbim sub_dissector if its provider matches the MBIM provider GUID.
- “Follow DCCP stream” feature to filter for and extract the contents of DCCP streams.
- Wireshark now supports dissecting RTP packets with OPUS payloads.
- Importing captures from text files based on regular expressions is now possible. By specifying a regex capturing a single packet including capturing groups for relevant fields a textfile can be converted to a libpcap capture file. Supported data encodings are plain-hexadecimal, -octal, -binary and base64. Also the timestamp format now allows the second-fractions to be placed anywhere in the timestamp and it will be stored with nanosecond instead of microsecond precision.

The RTP Player has been significantly redesigned and improved. See Playing VoIP Calls and RTP Player Window in the User’s Guide for more details:
- The RTP Player can play many streams in a row
- The UI is more responsive
- The RTP Player maintains playlist and other tools can add and remove streams to and from it
- Every stream can be muted or routed to the left or right channel for replay
- The option to save audio has been moved from the RTP Analysis dialog to the RTP Player. The RTP Player also saves what was played, and it can save in multichannel .au or .wav.
- The RTP Player is now accessible from the Telephony › RTP › RTP Player menu

The VoIP dialogs (VoIP Calls, RTP Streams, RTP Analysis, RTP Player, SIP Flows) are non-modal and can stay open in the background:
- The same tools are provided across all dialogs (Prepare Filter, Analyse, RTP Player …)

The “Follow Stream” dialog is now able to follow SIP calls based on their Call-ID value:
- The “Follow Stream” dialog’s YAML output format has been updated to add timestamps and peers information. For more details see Following Protocol Streams in the User’s Guide
- IP fragments between public IPv4 addresses are now reassembled even if they have different VLAN IDs. Reassembly of IP fragments where one endpoint is a private (RFC 1918 section 3) or link-local (RFC 3927) IPv4 address continues to take the VLAN ID into account, as those addresses can be reused. To revert to the previous behavior and not reassemble fragments with different VLAN IDs, turn on the “Enable stricter conversation tracking heuristics” top level protocol preference.
- USB Link Layer reassembly has been added, which allows hardware captures to be analyzed at the same level as software captures
- TShark can now export TLS session keys with the --export-tls-session-keys option
- Wireshark participated in the Google Season of Docs 2020 and the User’s Guide has been extensively updated
- The “RTP Stream Analysis” dialog CSV export format was slightly changed. The first line of the export contains column titles as in other CSV exports.
- Wireshark now supports the Turkish language
- The settings in the “Import from Hex Dump” dialog are now stored in a profile import_hexdump.json file
- Analyze › Reload Lua Plugins has been improved to properly support FileHandler
- The “RTP Stream Analysis” and “IAX2 Stream Analysis” dialogs now show correct mean jitter calculations
- RTP streams are now created based on Skinny protocol messages in addition to other types of messages
- The “VoIP Calls Flow Sequence” window shows more information about various Skinny messages
- Initial support for building Wireshark on Windows using GCC and MinGW-w64 has been added. See README.msys2 in the sources for more information.


Wireshark Portable 3.5.0
New and Updated Features:
The following features are new (or have been significantly updated) since version 3.4.0:
- The Windows installers now ship with Npcap 1.50
- A 64-bit Windows PortableApps package is now available
- A macOS Arm 64 (Apple Silicon) package is now available
- TCP conversations now support a completeness criteria, which facilitates the identification of TCP streams having any of opening or closing handshakes, a payload, in any combination. It is accessed with the new tcp.completeness filter.
- Protobuf fields that are not serialized on the wire (missing in capture files) can now be displayed with default values by setting the new 'add_default_value' preference. The default values might be explicitly declared in 'proto2' files, or false for bools, first value for enums, zero for numeric types.
- Wireshark now supports reading Event Tracing for Windows (ETW). A new extcap named ETW reader can open an etl file, convert all events in the file to DLT_ETW packets and write them to a specified FIFO destination. A new packet_etw dissector dissects DLT_ETW packets so that Wireshark can display the DLT_ETW packet header and its message; the packet_etw dissector calls the packet_mbim sub_dissector if its provider matches the MBIM provider GUID.
- "Follow DCCP stream" feature to filter for and extract the contents of DCCP streams
- Wireshark now supports dissecting the rtp packet with OPUS payload
- Importing captures from text files is now also possible based on regular expressions. By specifying a regex capturing a single packet including capturing groups for relevant fields a textfile can be converted to a libpcap capture file. Supported data encodings are plain-hexadecimal, -octal, -binary and base64. Also the timestamp format now allows the second-fractions to be placed anywhere in the timestamp and it will be stored with nanosecond instead of microsecond precision.
- Display filter literal strings can now be specified using raw string syntax, identical to raw strings in the Python programming language. This is useful to avoid the complexity of using two levels of character escapes with regular expressions.
- Significant RTP Player redesign and improvements (see Wireshark User Documentation, Playing VoIP Calls and RTP Player Window)
- RTP Player can play many streams in a row
- UI is more responsive
- RTP Player maintains playlist, other tools can add/remove streams to it
- Every stream can be muted or routed to L/R channel for replay
- Save audio is moved from RTP Analysis to RTP Player. RTP Player saves what was played. RTP Player can save in multichannel .au or .wav.
- RTP Player added to menu Telephony>RTP>RTP Player
- VoIP dialogs (VoIP Calls, RTP Streams, RTP Analysis, RTP Player, SIP Flows) are non-modal and can stay open in the background
- Same tools are provided across all dialogs (Prepare Filter, Analyse, RTP Player …​)
- Follow stream is now able to follow SIP calls based on their Call-ID value
- The Follow stream YAML output format has been changed to add timestamps and peers information (for more details see the user’s guide, Following Protocol Streams)
- IP fragments between public IPv4 addresses are now reassembled even if they have different VLAN IDs. Reassembly of IP fragments where one endpoint is a private (RFC 1918 section 3) or link-local (RFC 3927) IPv4 address continues to take the VLAN ID into account, as those addresses can be reused. To revert to the previous behavior and not reassemble fragments with different VLAN IDs, turn on the "Enable stricter conversation tracking heuristics" top level protocol preference.
- USB Link Layer reassembly has been added, which allows hardware captures to be analyzed at the same level as software captures.
- TShark can now export TLS session keys with the --export-tls-session-keys option.
- Wireshark participated in the Google Season of Docs 2020 and the User’s Guide has been extensively updated.
- Format of export to CSV in RTP Stream Analysis dialog was slightly changed. First line of export contains names of columns as in other CSV exports.
- Wireshark now supports the Turkish language.

New File Format Decoding Support:
- Vector Informatik Binary Log File (BLF)

New Protocol Support:
- Bluetooth Link Manager Protocol (BT LMP), E2 Application Protocol (E2AP), Event Tracing for Windows (ETW), High-Performance Connectivity Tracer (HiPerConTracer), Kerberos SPAKE, Linux psample protocol, Local Interconnect Network (LIN), Microsoft Task Scheduler Service, O-RAN E2AP, O-RAN fronthaul UC-plane (O-RAN), Opus Interactive Audio Codec (OPUS), PDU Transport Protocol, R09.x (R09), RDP Dynamic Channel Protocol (DRDYNVC), Real-Time Publish-Subscribe Virtual Transport (RTPS-VT), Real-Time Publish-Subscribe Wire Protocol (processed) (RTPS-PROC), Shared Memory Communications (SMC), Signal PDU, SparkplugB, State Synchronization Protocol (SSyncP), Tagged Image File Format (TIFF), TP-Link Smart Home Protocol, and World of Warcraft World (WOWW)

Updated Protocol Support:
- Too many protocols have been updated to list here

New and Updated Capture File Support:
- Vector Informatik Binary Log File (BLF)

Wireshark Portable 3.4.7
Fixed:
The following vulnerabilities have been fixed:
- wnpa-sec-2021-06 DNP dissector crash

The following bugs have been fixed:
- TCP dissector - Erroneous DSACK reporting Issue 17315
- No wlan_radio.duration calculated for PHY type: 802.11ac (VHT) Issue 17419
- NAN Dissector has wrong minimum length for availability attribute Issue 17431


Wireshark Portable 3.4.6
Fixed:
- wnpa-sec-2021-04 DVB-S2-BB dissector infinite loop
- Macro filters can’t handle escaped characters
- Display filter crashes Wireshark
- IEEE-1588 Signalling Unicast TLV incorrectly reported as being malformed
- IETF QUIC TLS decryption error with extraneous packets during the handshake
- Statistics → Resolved Addresses: multi-protocol (TCP/UDP/…​) ports not displayed

Updated Protocol Support:
- DNP, DVB-S2-BB, ProtoBuf, PTP, QUIC, RANAP, and TACACS

New and Updated Capture File Support:
- Ascend, ERF, K12, NetScaler, and pcapng


Wireshark Portable 3.4.5
The following vulnerabilities have been fixed:
- Wnpa-sec-2021-04 MS-WSP dissector excessive memory consumption

The following bugs have been fixed:
- TShark does not print GeoIP information
- TShark error when piping to "head"
- Parts of ASCII representation in Packet Bytes pane are missing
- Buildbot crash output: fuzz-2021-02-22-1012761.pcap
- NDPE attribute of NAN packet is not dissected
- TECMP: reserved flag interpreted as part of timestamp
- Master branch does not compile at least with gcc-11
- DNS IXFR/AXFR multiple response
- File too large
- Build fails with CMake 3.20


Wireshark Portable 3.4.4
Fixed:
The following vulnerabilities have been fixed:
- wnpa-sec-2021-03 Wireshark could open unsafe URLs

The following bugs have been fixed:
- NTP Version 3 Client Decode PDML output issue (Reference ID Issue)
- 3.4.2: public wireshark include files are including build time "config.h"
- wireshark-3.4.3/epan/dissectors/packet-s7comm.c:3521: bad array index ?
- SIP protocol: P-Called-Party-ID header mixed up with P-Charge-Info header
- Asterix CAT010 Decode Error
- _ws.expert columns not populated for IPv4
- Buildbot crash output: fuzz-2021-02-12-1651908.pcap
- gQUIC: Wireshark 3.4.3 fails to dissect a packet (gQUIC q024) that v3.2.6 succeeds


Wireshark Portable 3.4.3
- The Windows installers now ship with Npcap 1.10. They previously shipped with Npcap 1.00

Fixed:
The following vulnerabilities have been fixed:
- wnpa-sec-2021-01 USB HID dissector memory leak
- wnpa-sec-2021-02 USB HID dissector crash

The following bugs have been fixed:
- SIP response single-line multiple Contact-URIs decoding error
- Adding filter while "Telephony → VoIP Calls → Flow Sequence" open causes OOB memory reads and potential crashes.
- QUIC packet not fully dissected
- SOMEIP-SD hidden entries are off
- Problem with calculation on UDP checksum in SRv6
- Dark mode not working in Wireshark 3.4.2 on macOS
- Wireshark 3.4.0: build failure on older MacOS releases, due to 'CLOCK_REALTIME'
- TECMP: Status Capture Module messages shows 3 instead of 2 bytes for HW version
- Documentation - editorial error - README.dissector bad reference
- Cannot save capture with comments to a format that doesn’t support it (no pop-up)
- AUTOSAR-NM: PNI TF-String wrong way around
- Fibre Channel parsing errors even with the fix for #17084
- f5ethtrailer: Won’t find a trailer after an FCS that begins with a 0x00 byte
- f5ethtrailer: legacy format, low noise only, no vip name trailers no longer detected
- Buildbot crash output: fuzz-2021-01-22-3387835.pcap
- Dissection error on large ZVT packets
- TShark crashes with -T ek option

Updated Protocol Support:
- AUTOSAR-NM, DHCPv6, DoIP, FC ELS, GQUIC, IPv6, NAS 5GS, NAS EPS, QUIC, SIP, SOME/IP-SD, TECMP, TLS, TPNCP, USB HID, and ZVT

New and Updated Capture File Support:
- f5ethtrailer and pcapng


Wireshark Portable 3.4.2
Fixed:
- wnpa-sec-2020-20 QUIC dissector crash

New and Updated Features:
- IETF QUIC TLS decryption errors when packets are coalesced with random data
- QUIC: missing dissection of some coalesced SH packets
- macos-setup.sh can’t find SDK on macOS Big Sur, as it went to 11
- Mapping endpoints in browser ⇒ Map file error
- Wireshark 3.4.1 hangs on startup on macOS Big Sur 11.0.1
- False expect error seen on FCoE frames (not seen with older release wireshark 1.2.18)
- Several libraries missing in 3.4.1 and 3.2.9 installers for macOS


Wireshark Portable 3.4.1
Bug-Fixes:
- wnpa-sec-2020-16 Kafka dissector memory leak
- wnpa-sec-2020-17 USB HID dissector crash
- wnpa-sec-2020-18 RTPS dissector memory leak
- wnpa-sec-2020-19 Multiple dissector memory leak


New and Updated Features:
- IETF QUIC TLS decryption errors when a NAT rebinding happens for a connection Bug 16915
- IETF QUIC TLS decryption error with key update Bug 16916
- IETF QUIC TLS decryption error after the second key update Bug 16920
- SOME/IP: Wrong dissection of parameters after Array Bug 16951
- Can editcap properly corrupt pcapng file with systemd journal export block? Bug 16965
- Crash when a GIOP ior.txt file is present Bug 16984
- Protobuf: failed to parse .proto file contains negative enum values or option values of number type
- MMRP dissector bug Bug 17005
- QUIC: "Loss bits" capability Bug 17010
- Stdin capture fails on Windows Bug 17018
- SSTP no longer recognized Bug 17024
- RFC2190 encapsulated H.263 bitfields masked wrong in Mode A Bug 17025
- editcap fails when splitting into multiple pcapng files Bug 17060


Wireshark Portable 3.4.0
New and Updated Features:
The following features are new (or have been significantly updated) since version 3.4.0rc1:
- Nothing of note

The following features are new (or have been significantly updated) since version 3.3.1:
- The Protobuf fields defined as google.protobuf.Timestamp type of Protobuf standard library can now be dissected as Wireshark fields of absolute time type

The following features are new (or have been significantly updated) since version 3.3.0:
- The Windows installers now ship with Npcap 1.00. They previously shipped with Npcap 0.9997
- The Windows installers now ship with Qt 5.15.1. They previously shipped with Qt 5.12.8

The following features are new (or have been significantly updated) since version 3.2.0:
- Windows executables and installers are now signed using SHA-2 only
- Save RTP stream to .au supports any codec with 8000 Hz rate supported by Wireshark (shown in RTP player). If save of audio is not possible (unsupported codec or rate), silence of same length is saved and warning is shown
- Asynchronous DNS resolution is always enabled. As a result, the c-ares library is now a required dependency
- Protobuf fields can be dissected as Wireshark (header) fields, which allows users to input the full names of Protobuf fields or messages in the Filter toolbar for searching
- Dissectors based on Protobuf can register themselves to a new 'protobuf_field' dissector table, which is keyed with the full names of fields, for further parsing fields of BYTES or STRING type
- Wireshark is able to decode, play, and save iLBC payload on platforms where the iLBC library is available
- Wireshark is able to decode, play, and save opus payload on platforms where the opus library is available
- “Decode As” entries can now be copied from other profiles using a button in the dialog
- sshdump can now be copied to multiple instances. Each instance will show up a different interface and will have its own profile
- The main window now supports a packet diagram view, which shows each packet as a textbook-style diagram
- Filter buttons (“Preferences → Filter Buttons”) can be grouped by using “//” as a path separator in the filter button label
- IPP Over USB packets can now be dissected and displayed

New Protocol Support:
- Arinc 615A (A615A), Asphodel Protocol, AudioCodes Debug Recording (ACDR), Bluetooth HCI ISO (BT HCI ISO), Cisco MisCabling Protocol (MCP), Community ID Flow Hashing (CommunityID), DCE/RPC IRemoteWinspool SubSystem (IREMOTEWINSPOOL), Dynamic Link Exchange Protocol (DLEP), EAP Generalized Pre-Shared Key (EAP-GPSK), EAP Password Authenticated Exchange (EAP-PAX), EAP Pre-Shared Key (EAP-PSK), EAP Shared-secret Authentication and Key Establishment (EAP-SAKE), Fortinet Single Sign-on (FSSO), FTDI Multi-Protocol Synchronous Serial Engine (FTDI MPSSE), Hypertext Transfer Protocol Version 3 (HTTP3), ILDA Digital Network (IDN), Java Debug Wire Protocol (JDWP), LBM Stateful Resolution Service (LBMSRS), Lithionics Battery Management, .NET Message Framing Protocol (MC-NMF), .NET NegotiateStream Protocol (MS-NNS), OBSAI UDP-based Communication Protocol (UDPCP), Palo Alto Heartbeat Backup (PA-HB-Bak), ScyllaDB RPC, Technically Enhanced Capture Module Protocol (TECMP), Tunnel Extensible Authentication Protocol (TEAP), UDP based FTP w/ multicast V5 (UFTP5), and USB Printer (USBPRINTER)

Updated Protocol Support:
- Too many protocols have been updated to list here

New and Updated Capture File Support:
- MP4 (ISO/IEC 14496-12)


Wireshark Portable 3.3.0
New and Updated Features:
The following features are new (or have been significantly updated) since version 3.2.0:
- Windows executables and installers are now signed using SHA-2 only
- Save RTP stream to .au supports any codec with 8000 Hz rate supported by Wireshark (shown in RTP player). If save of audio is not possible (unsupported codec or rate), silence of same length is saved and warning is shown
- Asynchronous DNS resolution is always enabled. As a result, the c-ares library is now a required dependency
- Protobuf fields can be dissected as Wireshark (header) fields, which allows users to input the full names of Protobuf fields or messages in the Filter toolbar for searching
- Dissectors based on Protobuf can register themselves to a new 'protobuf_field' dissector table, which is keyed with the full names of fields, for further parsing fields of BYTES or STRING type
- Wireshark is able to decode, play, and save iLBC payload on platforms where the iLBC library is available
- “Decode As” entries can now be copied from other profiles using a button in the dialog
- sshdump can now be copied to multiple instances. Each instance will show up a different interface and will have its own profile
- The main window now supports a packet diagram view, which shows each packet as a textbook-style diagram.


Wireshark Portable 3.2.6
The following vulnerabilities have been fixed:
- wnpa-sec-2020-10 Kafka dissector crash. Bug 16672. CVE-2020-17498

The following bugs have been fixed:
- Kafka dissector fails parsing FETCH responses
- Dissector for ASTERIX Category 001 / 210 does not recognize bit 1 as extension
- "invalid timestamp" for Systemd Journal Export Block
- Decoding Extended Emergency number list IE length
- Some macOS Bluetooth PacketLogger capture files aren’t recognized as PacketLogger files (regression, bisected)
- Short IMSIs (5 digits) lead to wrong decoding+warning
- Decoding of PFCP IE 'PFD Contents' results in "malformed packet"
- RFH2 Header with 32 or less bytes of NameValue will not parse out that info
- CDP: Port ID TLV followed by Type 1009 TLV triggers [Malformed Packet]
- tshark crashed when processing opcda
- tshark with --export-dicom gives “Segmentation fault (core dumped)”

Updated Protocol Support:
- ASTERIX, BSSAP, CDP, CoAP, DCERPC SPOOLSS, DCOM, DICOM, DVB-S2, E.212, GBCS, GSM RR, GSM SMS, IEEE 802.11, Kafka, MQ, Nano, NAS 5GS, NIS+, NR RRC, PacketLogger, PFCP, RTPS, systemd Journal, TDS, TN3270, and TN5250

New and Updated Capture File Support:
- PacketLogger and pcapng


Wireshark Portable 3.2.5
New:
- The Windows installers now ship with Npcap 0.9994. They previously shipped with Npcap 0.9991
- The Windows installers now ship with USBPcap 1.5.4.0. They previously shipped with USBPcap 1.5.3.0

Fixed:
- wnpa-sec-2020-09 GVCP dissector infinite loop
- Add decryption support for QUIC IETF version 0xfaceb001 and 0xfaceb002
- Windows Uninstall does not remove all files in Program Files
- The "relative sequence number" is same as "raw sequence number" when tcp.analyze_sequence_numbers:FALSE
- Importing profiles from a different Windows PC fails
- Decode as not working correctly with multiple user profiles
- Wireshark can misdissect the HE Radiotap field if it’s ever dissected one with any value unknown
- Buildbot crash output: fuzz-2020-06-19-5981.pcap
- Buildbot crash output: fuzz-2020-06-20-7665.pcap
- mergecap man page contains invalid formatting


Wireshark Portable 3.2.4
Bug Fixes:
The following vulnerabilities have been fixed:
- wnpa-sec-2020-08 The NFS dissector could crash
- SDP dissector does not parse sprop-parameter-sets field
- PVS-Studio analyser long list of issues
- Can’t have duplicate personal and global profile names
- pcapng file dissector incorrectly computes nanoseconds from timestamps because it assumes the resolution is in nanoseconds
- Read of uninitialized memory in detect_camins_file
- Read of uninitialized memory in lanalyzer_read_trace_record
- capture -> options -> select interface -> (choose) -> SEGV
- SOMEIP: SOME/IP dissector ignores the length field configuration of structs
- Packet List Pane doesn’t consume the entire pane
- Range parameter on numeric parameter in extcap plugin doesn’t work
- Export Packet Dissections not working on Windows (Wireshark 3.2.x)
- capinfos "Capture duration" output is truncated if there are more than 11 digits of seconds and fractions of a second
- MIME Files Format/pcapng: Simple Packet Block parsed incorrectly
- SOMEIP: SOME/IP-SD unique id is not unique for eventgroup types (BUG)
- Buildbot crash output: fuzz-2020-05-13-12195.pcap

Updated Protocol Support:
- AoE, APRS, ASN.1 BER, DIS, DTLS, FTP, GSM SMS, H.264, IMAP, Infiniband, ISObus VT, Kafka, LSD, MAC LTE, NAS 5GS, NFS, ONC RPC, OSC, pcapng, PDCP LTE, RADIUS, RLC LTE, RTSP, SDP, SIP, Snort, SOMEIP, STUN, TLS, and UMTS FP

New and Updated Capture File Support:
- Camins, Catapult DCT 2000, Lanalyzer, and MPEG


Wireshark Portable 3.2.3
Bug Fixes:
The following vulnerabilities have been fixed:
- wnpa-sec-2020-07 The BACapp dissector could crash

The following bugs have been fixed:
- Add (IETF) QUIC Dissector
- Rename profile name loses list selection
- Dissector bug warning dissecting TLS Certificate Request with many names
- Only ACKs, but no DATA frames are visible in -> TCP Stream Graph -> Time Sequence (tcptrace)
- Copy>Description does not work properly for all tree items
- Importing profiles in Windows - zip files fail and from directory crashes Wireshark
- Packet List selection is gone when adding or removing a display filter
- Check for updates, and auto-update, not working in 3.2.1
- f5ethtrailer: TLS trailer creates incorrect CLIENT keylog entries
- Buildbot crash output: randpkt-2020-03-04-18423.pcap
- File open dialog shows garbled time stamps
- RTCP Bye without optional reason reported as [Malformed Packet]
- [oss-fuzz] #20732: Undefined-shift in dissect_rtcp
- SOMEIP: SOME/IP-SD dissector fails to register SOME/IP ports, if IPv6 is being used (BUG)
- tshark logs: "…​could not be opened: Too many open files."
- Typo in About Wireshark > Keyboard Shortcuts > Unignore All Displayed
- Buildbot crash output: randpkt-2020-04-02-31746.pcap


Wireshark Portable 3.2.2
New:
- Automatic updates were inadvertently disabled in the Wireshark 3.2.1 64-bit and 32-bit Windows installers. If you’re running Wireshark 3.2.1 on Windows you will have to update to a later version manually

Bug Fixes:
The following vulnerabilities have been fixed:
- wnpa-sec-2020-03 LTE RRC dissector memory leak
- wnpa-sec-2020-04 WiMax DLMAP dissector crash
- wnpa-sec-2020-05 EAP dissector crash
- wnpa-sec-2020-06 WireGuard dissector crash

The following bugs have been fixed:
- Add (IETF) QUIC Dissector
- Support for CoAP over TCP and WebSockets (RFC 8323)
- SMB IOCTL response packet with BUFFER_OVERFLOW status is dissected improperly
- Wireshark fails to build with GCC-9
- NVMe/TCP ICReq PDU Not Interpreted Correctly
- ICMP: No response if ICMP reply packet has an ICMP checksum of 0x0000
- Display filter parsing broken after upgrade from 3.0.7
- IPv4 fragment offset value is incorrect in IPv4 header decode
- RTCP frame length warning for SAT>IP APP packets
- RTP export to rtpdump file doesn’t work
- CFDP dissector skips a byte
- ISAKMP: IKEv2 transforms and proposal have critical bit (BUG)
- No IPv4/IPv6 hosts in Resolved Addresses dialog
- Lack of Check for Updates option in the Windows GUI
- LLDP dissector consumes all octets to the end of the TVB and eth trailer dissector does not get called
- LACP dissector consumes all octets to the end of the TVB and eth trailer dissector does not get called


Wireshark Portable 3.2.1
Bug Fixes:
The following vulnerabilities have been fixed:
- wnpa-sec-2020-01 WASSP dissector crash

The following bugs have been fixed:
- Incorrect parsing of USB CDC packets
- Wireshark fails to create directory if parent directory does not yet exist
- Buildbot crash output: randpkt-2019-11-30-22633.pcap
- Closing Flow Graph closes (crashes) main GUI window
- Wireshark interprets websocket frames after HTTP handshake in a wrong way
- A-bis/OML: IPA Destination IP Address attribute contains inverted value (endianness)
- wiretap/log3gpp.c: 2 * leap before looking ?
- Opening shell terminal prints Wireshark: Permission denied
- h264: SPS frame_crop_right_offset shown in UI as frame_crop_left_offset
- BGP: update of "Sub-TLV Length" by draft-ietf-idr-tunnel-encaps
- SPNEGO+GSS-API+Kerberos+ap-options dissection produces "Unknown Bit(s)" expert message
- USB Audio feature unit descriptor is incorrectly dissected
- Compiling the .y files fails with Berkeley YACC
- PDB files in Windows installer
- NAS-5GS 5GS network feature support lacks MCSI, EMCN3 two fields (oct
