Wireshark is a free and open source packet analyzer for PC!

Wireshark Portable


  -  51.1 MB  -  Open Source
  • Latest Version

    Wireshark Portable 4.2.4 LATEST

  • Review by

    Daniel Leblanc

  • Operating System

    Windows 8 (64-bit) / Windows 10 (64-bit) / Windows 11

  • Author / Product

    Wireshark Foundation

  • Filename

    WiresharkPortable64_4.2.4.paf.exe

The Ethereal network protocol analyzer has changed its name to Wireshark. The name might be new, but the software is the same. Wireshark's powerful features make it the tool of choice for network troubleshooting, protocol development, and education worldwide.

The portable version of Wireshark was written by networking experts around the world and is an example of the power of open source. Wireshark Portable for PC is used by network professionals around the world for analysis, troubleshooting, software and protocol development, and education.

The program has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements.

Main Features
  • Packet Analysis: It captures data packets from a network in real-time or from saved capture files for in-depth analysis.
  • Deep Inspection: Users can inspect hundreds of protocols, including Ethernet, IP, TCP, HTTP, DNS, and more, to diagnose network issues or investigate security incidents.
  • Filtering: Advanced filtering capabilities allow users to sift through large volumes of data to focus on specific packets or protocols.
  • Protocol Decoding: The app decodes packet contents into human-readable formats, aiding in understanding network communication.
  • VoIP Analysis: Support for VoIP protocols enables analysis of voice and video communications.
  • Exporting: Captured data can be exported to various file formats for further analysis or sharing.
  • Extensibility: It offers a rich ecosystem of plugins and scripts for extending functionality.
PROS
  • Comprehensive protocol support
  • Extensive filtering and analysis capabilities
  • Open-source and free
  • Active community and ongoing development
  • Cross-platform compatibility
CONS
  • Steep learning curve for beginners
  • Requires understanding of networking concepts
  • Limited support for decrypting encrypted traffic
  • Resource-intensive for capturing and analyzing large data volumes

What's new in this version:

Wireshark Portable 4.2.4
Fixed:
- Extcap with configuration never starts; "Configure all extcaps before start of capture." is shown instead
- Packet Dissection CSV Export includes last column even if hidden
- Inject TLS secrets closes Wireshark on Windows
- Fuzz job issue: fuzz-2024-02-27-7196.pcap
- Wireshark crashes when adding another port to the HTTP dissector
- Fuzz job issue: fuzz-2024-03-03-7204.pcap
- Fuzz job issue: randpkt-2024-03-05-8004.pcap
- When adding a new row to a table an error report may be inserted
- '--export-objects' does not work as expected on tshark version later than 3.2.10
- Fuzz job issue: fuzz-2024-03-21-7215.pcap


Wireshark Portable 4.2.3
Fixed:
- Capture start fails when file set enabled and file extension not supplied if directory contains a period
- Cannot drag and move custom filter buttons in toolbar
- Not equal won’t work when used with wlan.addr
- sshdump fails to connect with private key (ssh-rsa)
- ChmodBPF installation fails on macOS Sonoma 14.1.2
- Windows installers should check for Windows 8.1
- Fuzz job crash output: fuzz-2024-01-05-7725.pcap
- Fuzz job crash output: fuzz-2024-01-06-7734.pcap
- Incorrect recursion depth assert failure when dissecting a legitimate GOOSE message
- OPC UA - large read request is reported as malformed in 4.2.1 but not in 4.0.12
- TFTP dissector bug type listed as netscii instead of netascii doesn’t show all TFTP packets including TFTP blocks
- SMB1 replies from LAN Drive app only show up as NBSS Continuation Message
- ciscodump - older SSH key exchange algorithms not supported
- Problem decoding LAPB/X.25/FTAM after adding X.75 decoding
- Wireshark Filter not working
- CFLOW: failure to decode 0 length data fields of IPFIX variable length data types
- Copy … as Printable Text Feature Missing in 4.1/4.2
- Export Objects - HTTP is missing some HTTP/2 files in a two-pass analysis
- ASAM-CMP Plugin: Malformed message, length mismatch if vendor defined data of status messages has odd length
- OSS-Fuzz 66561: wireshark:fuzzshark_ip_proto-udp: Null-dereference READ in wmem_map_lookup


Wireshark Portable 4.2.2
Fixed:
- This release fixes a software update issue on Windows which causes Wireshark to hang if you are upgrading from version 4.2.0 or 4.2.1. If you are experiencing this issue you will need to download and install Wireshark 4.2.2 or later.
- sharkd is not installed by the Windows installer
- Fuzz job crash output: fuzz-2024-01-01-7740.pcap
- Can’t open a snoop file from the Open dialog box unless I select "All files" as the file type
- Add s4607 dissector to "decode as"
- Updater for 4.2.1 hangs


Wireshark Portable 4.2.1
Fixed:
The following bugs have been fixed:
- Capture filters not saved to recently used list
- CFM dissector does not handle Sender ID TLV correctly when Chassis ID Length is zero
- OSS-Fuzz 64290: wireshark:fuzzshark_ip: Global-buffer-overflow in dissect_zcl_read_attr_struct
- Overriding capture options set by preference by command line arguments (like -S) doesn’t work
- Segfault when enabling monitor mode on wireless card that falsely claims to support it
- Documented format of temporary file name is out of date in the Wireshark User’s Guide
- Selection highlight lost when interface list is sorted
- HTTP3 malformed packets
- Capture filter compilation fails with obscure error message
- XML: Parsing encoding attribute failed when standalone attribute exists
- Display filter expressions where the protocol name starts with digit and contains a hyphen are rejected
- diameter.3GPP-* display filters not working after upgrade to version 4.2.0
- GigE-vision: Control Protocol shows "unknown" as value for ASCII character set
- The HTTP/3 Request Header URI is not correct
- QUIC/TLS not extracting "h3" from ALPN in a capture
- Documentation on system requirements should be updated
- 4.2.0: init.lua in subdirectories not loaded anymore
- Malformed SIP/SDP messages: components are not decoded properly
- heuristic_protos do not reset on profile swap
- Wireshark 4.2 crashes on Apply As Column
- NFLOG timestamp is incorrect
- Qt6 Crash (Double Free) When Attempting to Save TCP Stream Graph
- Fixed parsing display filter expressions containing literal OID values, e.g. snmp.name == 1.3.6.1.2.1.1.3.0


Wireshark Portable 4.2.0
- This is the first major Wireshark release under the Wireshark Foundation, a nonprofit which hosts Wireshark and promotes protocol analysis education. The foundation depends on your contributions in order to do its work. If you or your employer would like to contribute or become a sponsor, please visit wiresharkfoundation.org.
- Wireshark supports dark mode on Windows
- A Windows installer for Arm64 has been added
- Packet list sorting has been improved
- Wireshark and TShark are now better about generating valid UTF-8 output
- A new display filter feature for filtering raw bytes has been added
- Display filter autocomplete is smarter about not suggesting invalid syntax
- Tools › MAC Address Blocks can lookup a MAC address in the IEEE OUI registry
- The enterprises, manuf, and services configuration files have been compiled in for improved start-up times. These files are no longer available in the master branch in our source code repository. You can download the manuf file from our automated build directory.
- The installation target no longer installs development headers by default
- The Wireshark installation is relocatable on Linux (and other ELF platforms with support for relative RPATHs)
- Wireshark can be compiled on Windows using MSYS2. Check the Developer’s guide for instructions
- Wireshark can be cross-compiled for Windows using Linux. Check the Developer’s guide for instructions
- Tools › Browser (SSL Keylog) can launch your web browser with the SSLKEYLOGFILE environment variable set to the appropriate value
- Windows installer file names now have the format Wireshark--.exe.
- Wireshark now supports the Korean language
- Many other improvements have been made. See the “New and Updated Features” section below for more details.

Fixed:
The following bugs have been fixed:
- Issue 18413 - RTP player do not play audio frequently on Windows builds with Qt6
- Issue 18510 - Playback marker does not move after resume with Qt6

Display filter syntax-related changes:
- It is now possible to filter on raw packet data for any field by using the syntax @some.field == <bytes…>. This can be useful to filter on malformed UTF-8 strings, among other use cases where it is necessary to look at the field’s raw data.
- Negation (unary minus) now works with any display filter arithmetic expression.
- Using the slice operator with strings produces a string. Previously it would produce a byte array. This is useful to index/slice UTF-8 multibyte strings. String byte slices can still be obtained using the "@" (raw operator) prefix.
- Arithmetic expressions are allowed as set elements.
- Absolute date and time values can be written as Unix time.
- The limitation where a minus sign needed to be preceded by a space character has been removed.
- Added XOR logical operator.
- Fixed the implementation of all … in membership operator (#19188).
- When parsing absolute time values the display filter engine has learned to understand timezones as specified in strptime(3), including some common North American designations. Arbitrary timezone names are not supported, however. Previously only ISO8601 offsets and the "UTC" designation were understood.
- Writing value strings without double quotes is deprecated and will generate a warning. Value strings are integer or boolean values that can be represented using a user-friendly textual format, such as "Set"/"Unset" instead of numerical values like 1 and 0. It is now a requirement that value strings need to be written enclosed in double-quotes.
- The deprecated ~= operator symbol has been removed. It was replaced by !== in version 4.0.
- Running the test suite requires the pytest Python module. The emulation layer that allowed running tests without pytest installed has been removed.
- When saving files or exporting packets after changing their time with the "Time Shift" dialog, the shifted time is written to the new file.
- TLS secrets used in decrypting packets can be embedded (or discarded) from the capture file via the GUI, similar to the options --inject-secrets and --discard-all-secrets in editcap.
- The text of any configured column (displayed or hidden) can be filtered anywhere that filters are used - in display filters, filters in taps, coloring rules, Wireshark read filters, and the -Y, -R, and -e options to TShark, the "Apply as Filter" GUI option, etc.
- The filter field names are prefixed by "_ws.col", followed by a lowercase version of the COL_ name found in epan/column-utils.h, e.g. "_ws.col.info" or "_ws.col.protocol"
- Using the column names as a filter is slower than other filter types because the columns must be constructed, so when the same filtering can be achieved via other fields, prefer that.
- The external name resolution text files "manuf", "enterprises" and "services" have been removed and replaced with static binary data. You can dump the respective internal data using tshark -G manuf|enterprises|services.
- The "manuf" file is now also read from the personal configuration folder, and is profile-based.
- The Lua console dialogs under the Tools menu were refactored and redesigned. It now consists of a single dialog window for input and output.
- Wireshark now shows byte units in the statistics in the user-selected language (uses the system default language by default).
- Packet list sorting has been improved:
- When sorting packet list with a filter applied, only the visible packets are sorted, which greatly increases sorting speed.
- The cache size for column text is limited to a default of 10000 rows, which limits the maximum memory usage. The maximum value can be changed in Preferences→Appearance→Layout
- Due to the above, columns that require packet dissection can only be sorted if the number of visible rows is less than the cache size. If there are more rows visible, a warning will appear. Columns that do not require packet dissection (those that are calculated directly from the capture file frame headers, such as packet number, time, and frame length) can be sorted with any number of visible rows.
- Sorting can be interrupted.
- When changing the dissector via the "Decode As" table for values that have default dissectors registered, selecting "(none)" will select no dissection (while still allowing heuristic dissectors to attempt to dissect.) The previous behavior was to reset the dissector to the default. To facilitate resetting the dissector, the default dissector is now sorted at the top of the list of possible dissector options.
- The personal extcap plugin folder location on Unix has been changed to follow existing conventions for architecture-dependent files. The extcap personal folder is now $HOME/.local/lib/wireshark/extcap. Previously it was $XDG_CONFIG_HOME/wireshark/extcap.
- The "init.lua" file is now loaded from any of the Lua plugin directories. Previously it was loaded from the personal configuration directory. (For backward-compatibility this is still allowed; note that deprecated features may be removed in a future release).
- Installation of development headers must be done explicitly using the CMake command cmake --install --component Development
- The Windows build has a new SpeexDSP external dependency. The speex code that was previously bundled has been removed.
- New --print-timers option added to TShark

Removed Features and Support:
- With the addition of the universal and consistent filtering support for column text, the previous support in the -e option to TShark for displaying column text via the column title has been removed in general. Those field names cannot be used elsewhere (as they may not be legal filter names) and create confusion if more than one column has the same title or if a column is renamed. Prefer the column format instead, e.g. "_ws.col.info" for "_ws.col.Info". However, for backwards compatibility with existing tools and scripts, the titles of the default columns can continue to be used with tshark -e (but not elsewhere.)
- The bundled script "dtd_gen.lua" that was disabled by default has been removed from the installation. It can be found in the Wireshark Wiki under "Contrib".
- The Wi-Fi NAN dissector filter name has been changed from 'nan' to 'wifi_nan'

New File Format Decoding Support:
- RTPDump

New Protocol Support:
- Aruba UBT, ASAM Capture Module Protocol (CMP), ATSC Link-Layer Protocol (ALP), DECT DLC protocol layer (DECT-DLC), DECT NWK protocol layer (DECT-NWK), DECT proprietary Mitel OMM/RFP Protocol (also named AaMiDe), Digital Object Identifier Resolution Protocol (DO-IRP), Discard Protocol, FiRa UWB Controller Interface (UCI), FiveCo’s Register Access Protocol (5CoRAP), Fortinet FortiGate Cluster Protocol (FGCP), GPS L1 C/A LNAV navigation messages, GSM Radio Link Protocol (RLP), H.224, High Speed Fahrzeugzugang (HSFZ), Hypertext Transfer Protocol version 3 (HTTP/3), ID3v2, IEEE 802.1CB (R-TAG), Iperf3, JSON 3GPP, Low Level Signalling (ATSC3 LLS), Management Component Transport Protocol (MCTP), Management Component Transport Protocol - Control Protocol (MCTP CP), Matter home automation protocol, Microsoft Delivery Optimization, Multi-Drop Bus (MDB), Non-volatile Memory Express - Management Interface (NVMe-MI) over MCTP, RDP audio output virtual channel Protocol (rdpsnd), RDP clipboard redirection channel Protocol (cliprdr), RDP Program virtual channel Protocol (RAIL), SAP Enqueue Server (SAPEnqueue), SAP GUI (SAPDiag), SAP HANA SQL Command Network Protocol (SAPHDB), SAP Internet Graphic Server (SAP IGS), SAP Message Server (SAPMS), SAP Network Interface (SAPNI), SAP Router (SAPROUTER), SAP Secure Network Connection (SNC), SBAS L1 Navigation Messages (SBAS L1), SINEC AP1 Protocol (SINEC AP), SMPTE ST2110-20 (Uncompressed Active Video), Train Real-Time Data Protocol (TRDP), UBX protocol of u-blox GNSS receivers (UBX), UDP Tracker Protocol for BitTorrent (BT-Tracker), UWB UCI Protocol, Video Protocol 9 (VP9), VMware HeartBeat, Windows Delivery Optimization (MS-DO), Z21 LAN Protocol (Z21), Zabbix, ZigBee Direct (ZBD), and Zigbee TLV

Updated Protocol Support:
- JSON: The dissector now has a preference to enable/disable "unescaping" of string values. By default it is off. Previously it was always on.
- JSON: The dissector now supports "Display JSON in raw form".
- IPv6: The dissector has a new preference to show some semantic details about addresses (default off).
- IPv6: The dissector now supports dissecting the Application-aware IPv6 Networking (APN6) option in the Hop-by-Hop Options Header (HBH) and Destination Options Header (DOH), including all three types of APN ID, which are 32-bit, 64-bit and 128-bit in length.
- XML: The dissector now supports displaying characters according to the "encoding" attribute of the XML declaration, and has a new preference to set the default character encoding for XML documents without an "encoding" attribute.
- SIP: The dissector now has a new preference to set default charset for displaying the body of SIP messages in raw text view.
- HTTP: The dissector now supports dissecting chunked data in streaming reassembly mode. Subdissectors of HTTP can register themselves in the "streaming_content_type" subdissector table to enable streaming reassembly mode while transferring in chunked encoding. This feature ensures the server stream messages of GRPC-Web over HTTP/1.1 can be dissected even if the last chunk is absent.
- The media type dissector table now properly treats media types and subtypes as case-insensitive automatically, per RFC 6838. Media types no longer need to be lower cased before registering or looking up in the table.
- CFM: The dissector has been overhauled and updated to the level of IEEE std 802.1Q-2022 and ITU-T Rec. G.8013/Y.1371 (08/2015). This includes dissection of additional PDU types and TLVs as well as deeper dissection of existing PDUs and TLVs.
- Too many other protocol updates have been made to list them all here

New and Updated Codec support:
- Adaptive Multi-Rate (AMR), if compiled with opencore-amr

Major API Changes:
- Lua function "package.prepend_path" has been removed. If you need it please consider adding your own package.path customization code or installing your dependencies in Wireshark’s default paths.
- The reassemble_streaming_data_and_call_subdissector() API has been added to provide a simpler way to reassemble the streaming data of a high level protocol that is not on top of TCP.
- Some of the API now uses C99 types instead of GLib types


Wireshark Portable 4.0.10
- We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release
- If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you might have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon

Fixed:
The following bugs have been fixed:
- Error loading g729.so plugin with Wireshark 4.0.9 and 3.6.17 on macOS


Wireshark Portable 4.0.8
New:
- We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release
- If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you might have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon

The following vulnerabilities have been fixed:
- wnpa-sec-2023-23 CBOR dissector crash
- wnpa-sec-2023-24 BT SDP dissector infinite loop
- wnpa-sec-2023-25 BT SDP dissector memory leak
- wnpa-sec-2023-26 CP2179 dissector crash

Fixed:
- TShark cannot capture to pipe on Windows correctly
- Wireshark wrongly blames group membership when pcap capabilities are removed
- Packet bytes window broken layout
- RTP Player only shows waveform until sequence rollover
- Valid Ethernet CFM DMM packets are shown as malformed
- Crash on DICOM Export Objects window close
- The QUIC dissector is reporting the quic_transport_parameters max_ack_delay with the title "GREASE"
- Preferences: Folder name editing behaves weirdly, cursor jumps
- DHCPFO: Expert info list does not show all expert infos
- Websocket packets not decoded and displayed for Field type=Custom and Field name websocket.payload.text
- Cannot read pcapng file captured on OpenBSD and read on FreeBSD
- UI: While capturing the Wireshark icon changes from green to blue when new file is created
- Conversation: heap-use-after-free after wmem_leave_file_scope
- IP Packets with DSCP 44 does not indicate "Voice-Admit"
- NAS 5GS Malformed Packet Decoding SOR transparent container PLMN ID and access technology list
- UI: Auto scroll button in the toolbar is turned on when manually scrolling to the end of packet list


Wireshark Portable 4.0.7
- We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release
- If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you might have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon

Fixed:
The following vulnerabilities have been fixed:
- wnpa-sec-2023-21 Kafka dissector crash
- wnpa-sec-2023-22 iSCSI dissector crash

The following bugs have been fixed:
- Crash when (re)loading a capture file after renaming a dfilter macro
- Moving a column deselects selected packet and moves to beginning of packet list
- If you set the default interface in the preferences, it doesn’t work with TShark
- Severe performance issues in Follow → Save As raw workflow
- TShark doesn’t support the tab character as an aggregator character in "-T fields" (Issue 18002)
- On Windows clicking on a link in the 'Software Update' window launches, now unsupported, MS Internet Explorer
- Wireshark 4.x.x on Win10-x64 crashes after saving a file with a name already in use
- NAS-5GS Operator-defined Access Category: Multiple Criteria values not displayed in dissected packet display
- Server Hello Packet Invisible - during 802.1x Authentication- from Wireshark App Version 4.0.3 (v4.0.3-0-gc552f74cdc23) & above
- TShark reassembled data is incomplete/truncated
- CQL protocol parsing issues with Result frames from open source Cassandra
- TLS 1.3 second Key Update doesn’t work
- HTTP2 dissector reports an assertion error on large data frames
- epan: Single letter hostnames aren’t displayed correctly
- BLF: CAN-FD-Message format is missing a field
- BLF: last parameter of LIN-Message is not mandatory (BUGFIX) (Issue 19147)
- PPP IPv6CP: Incorrect payload length warning
- INSTALL file needs to be updated for Debian
- Some RTP streams make Wireshark crash when trying to play stream
- Wrong ordering in OpenFlow 1.0 Datapath unique ID
- Incorrect mask in RTCP slice picture ID
- Dissection error in AMQP 1.0


Wireshark Portable 4.0.6
Fixed:
- Candump log file parser crash
- BLF file parser crash
- GDSDB dissector infinite loop
- NetScaler file parser crash
- VMS TCPIPtrace file parser crash
- BLF file parser crash
- RTPS dissector crash
- IEEE C37.118 Synchrophasor dissector crash
- XRA dissector infinite loop
- Conversations list has incorrect unit (bytes) in bit speed columns in the 3.7 development versions
- The media_type table should treat media types, e.g. application/3gppHal+json, as case-insensitive
- NNTP dissector bug
- Incorrect padding in BFCP decoder
- SPNEGO dissector bug
- SRT values are incorrect when applying a time shift
- Add warning that capturing is not supported in Wireshark installed from flatpak
- Opening Wireshark with -z io,stat option
- batadv dissector bug
- radiotap-gen build fails if pcap is not found
- [UDS] When filtering the uds.wdbi.data_identifier or uds.iocbi.data_identifier field is interpreted as 1 byte whereas it consists of 2 bytes
- Wireshark can’t save this capture in that format
- MSMMS parsing buffer overflow
- USB HID parser shows wrong label for usages Rx/Vx/Vbrx of usage page Generic Desktop Control
- "Follow → QUIC Stream" mixes data between streams


Wireshark Portable 4.0.5
Fixed:
- wnpa-sec-2023-09 RPCoRDMA dissector crash
- wnpa-sec-2023-10 LISP dissector large loop
- wnpa-sec-2023-11 GQUIC dissector crash
- Wireshark ITS Dissector RTCMEM wrong protocol version selector 2 - should use 1 (Issue 18862)
- Wireshark treats the letter E in SSRC as an exponential representation of a number (Issue 18879)
- VNC RRE Parser skips over data
- sshdump coredump when --remote-interface is left empty
- Fuzz job crash output: fuzz-2023-03-17-7298.pcap
- Fuzz job crash output: fuzz-2023-03-27-7564.pcap
- RFC8925 support (dhcp option 108)
- DIS dissector shows an incorrect state in the packet list info column
- RTP analysis shows incorrect timestamp error when timestamp is rolled over
- Asterisk (*) key crash on Endpoint/Conversation dialog
- The RTP player waveform now synchronizes better with audio.


Wireshark Portable 4.0.4
- We do not ship official 32-bit Windows packages for Wireshark 4.0 and later. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release
- If you’re running Wireshark on macOS and upgraded to macOS 13 from an earlier version, you will likely have to open and run the “Uninstall ChmodBPF” package, then open and run “Install ChmodBPF” in order to reset the ChmodBPF Launch Daemon

Fixed:
The following vulnerabilities have been fixed:
- wnpa-sec-2023-08 ISO 15765 and ISO 10681 dissector crash

The following bugs have been fixed:
- UTF-8 characters end up escaped in PSML output
- Export filtered displayed packets won’t save IP fragments of SCTP fragments needed to reassemble a displayed frame
- DICOM dissection in reassembled PDV goes wrong
- "Export Objects - IMF" produces incorrect file, TCP reassembly fails with retransmissions that have additional data
- The intelligent scroll bar or minimap is not predictable on locating and scrolling
- If you mark (or unmark) the currently-selected frame, the packet details still say it’s not marked (or it is marked) (Issue 14330)
- An out-of-order packet incorrectly detected as retransmission breaks desegmentation of TCP stream
- Sorting Packet Loss Column is not sorting correct
- Some HTTPS packets cannot be decrypted
- SIP TCP decoding regression from Wireshark 1.99.0 to 3.6.8
- Frame comments not preserved when using filter to write new pcap from tshark
- ChmodBPF not working on macOS Ventura 13.1
- Wireshark GUI and window manager stuck after setting display filter
- Dissector bug, protocol H.261
- File extension heuristics are case-sensitive
- Symbolic links to packages in macOS dmg can’t be double-clicked to install on macOS 13.2
- Potential memory leak in tshark.c
- Fuzz job crash output: fuzz-2023-02-05-7303.pcap
- f5fileinfo: Hardware platforms missing descriptions
- The lines in the intelligent scrollbar are off by one
- Wireshark crashes on invalid UDS packet in Lua context
- TECMP dissector shows the wrong Voltage in Vendor Data
- UDS: Names of RDTCI subfunctions 0x0b … 0x0e are not correct

Updated Protocol Support:
- ASTERIX, BGP, DHCP, ERF, F5 Ethernet trailer, GMR-1 RR, Gryphon, GSM SMS, H.261, H.450, ISO 10681, ISO 15765, MIPv6, NAS-5gs, NR RRC, NS Trace, OptoMMP, PDCP-LTE, PDCP-NR, QSIG, ROHC, RSVP, RTCP, SCTP, SIP, TCP, TECMP, TWAMP, UDS, and UMTS RLC


Wireshark Portable 4.0.3
Fixed:
- wnpa-sec-2023-01 EAP dissector crash
- wnpa-sec-2023-02 NFS dissector memory leak
- wnpa-sec-2023-03 Dissection engine crash
- wnpa-sec-2023-04 GNW dissector crash
- wnpa-sec-2023-05 iSCSI dissector crash
- wnpa-sec-2023-06 Multiple dissector excessive loops
- wnpa-sec-2023-07 TIPC dissector crash

The following bugs have been fixed:
- Qt: After modifying coloring rules, the coloring rule applied to the first packet reflects the coloring rules previously in effect
- Help file doesn’t display for extcap interfaces
- For USB traffic on XHC20 interface destination is always given as Host
- Wireshark Expert Info - cannot deselect the limit to display filter tick box
- Wrong pointer conversion in get_data_source_tvb_by_name() (Issue 18517)
- Wrong number of bits skipped while decoding an empty UTF8String on UPER packet
- Crash when analyzing protobuf packets
- Uninitialized values in various dissectors
- String (GeoIP country/city) ordering doesn’t work in Endpoints
- Wireshark crashes with an assertion failure on stray minus in filter
- IO Graph: Add new graph only works until the 10th graph
- Fuzz job crash output: fuzz-2022-12-30-11007.pcap
- Q.850 - error in label for cause 0x7F
- Uninitialized values in CoAP and RTPS dissectors
- Screenshots in AppStream metainfo.xml file not available


Wireshark Portable 4.0.2
Fixed:
- wnpa-sec-2022-09 Multiple dissector infinite loops
- wnpa-sec-2022-10 Kafka dissector memory exhaustion
- Qt: Endpoints dialog - unexpected byte unit suffixes in packet columns
- GOOSE: field "floating_point" not working anymore
- EVS Header-Full format padding issues
- Wireshark 4.0.0 VOIP playback has no sound and can’t resume after pausing
- Wireshark crashes when exporting a profile on Mac OSX if there is no extension
- EVS dissector missing value description
- Qt 6 font descriptions not backward compatible with Qt 5
- Wireshark, wrong TCP ACKed unseen segment message
- Invalid Cyrillic symbol in timezone at "Arrival Time" field in frame
- ProtoBuf parse extension definitions failed
- Fuzz job crash output: fuzz-2022-11-09-11134.pcap
- Fuzz job crash output: fuzz-2022-11-14-11111.pcap
- Wireshark is using old version of ASN (ETSI TS 125 453 V11.2.0) which is impacting length of param in the messages
- BGP: False IGMP flags value in EVPN routes (type 6,7,8)
- wslog assumes stderr and stdout exist
- Editing packet comments, with non-ASCII characters, on Windows saves them in the local code page, not in UTF-8
- Unable to decrypt PSK based DTLS traffic which uses Connection ID
- HTTP2 tests fail when built without nghttp2


Wireshark Portable 4.0.1
New:
- The Windows installers now ship with Qt 5.12.2. They previously shipped with Qt 6.2.3.

Fixed:
- Comparing a boolean field against 1 always succeeds on big-endian machines
- Qt: MaxMind GeoIP columns not added to Endpoints table
- Fuzz job crash output: fuzz-2022-10-04-7131.pcap
- The RTP player might not play audio on Windows
- Wireshark 4.0 breaks display filter expression with > sign
- Capture filters not working when using SSH capture and dumpcap
- Packet diagram field values are not terminated
- Packet bytes not displayed completely if scrolling
- Fuzz job crash output: fuzz-2022-10-13-7166.pcap
- Decoding bug H.245 userInput Signal
- CFDP dissector doesn’t handle "destination filename" only
- Home page capture button doesn’t pop up capture options dialog
- Missing dot in H.248 protocol name
- Missing dot for protocol H.264 in protocol column
- Fuzz job crash output: fuzz-2022-10-23-7240.pcap


Wireshark Portable 4.0.0
- We no longer ship official 32-bit Windows packages starting with this release. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779
- The display filter syntax is more powerful with many new extensions. See below for details.
- The Conversation and Endpoint dialogs have been redesigned. See below for details
- The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane
- Hex dump imports from Wireshark and from text2pcap have been improved. See below for details.
- Speed when using MaxMind geolocation has been greatly improved
- The tools and libraries required to build Wireshark have changed. See “Other Development Changes” below for more details.
- Many other improvements have been made. See the “New and Updated Features” section below for more details.

New and Updated Features:
The following features are new (or have been significantly updated) since version 4.0.0rc2:
- Nothing of note

The following features are new (or have been significantly updated) since version 4.0.0rc1:
- The macOS packages now ship with Qt 6.2.4 and require macOS 10.14. They previously shipped with Qt 5.15.3
- The Windows installers now ship with Npcap 1.71. They previously shipped with Npcap 1.70

The following features are new (or have been significantly updated) since version 3.7.2:
- The Windows installers now ship with Npcap 1.70. They previously shipped with Npcap 1.60.

The following features are new (or have been significantly updated) since version 3.7.1:
- The 'v' (lower case) and 'V' (upper case) switches have been swapped for editcap and mergecap to match the other command line utilities.
- The ip.flags field is now only the three high bits, not the full byte. Display filters and Coloring rules using the field will need to be adjusted.
- New address type AT_NUMERIC allows simple numeric addresses for protocols which do not have a more common-style address approach, analog to AT_STRINGZ.

The following features are new (or have been significantly updated) since version 3.7.0:
- The Windows installers now ship with Qt 6.2.3. They previously shipped with Qt 6.2.4.

The Conversation and Endpoint dialogs have been redesigned with the following improvements:
- The context menu now includes the option to resize all columns, as well as copying elements
- Data may be exported as JSON
- Tabs may be detached and reattached from the dialog
- Adding and removing tabs will keep them in the same order all the time
- If a filter is applied, two columns are shown in either dialog detailing the difference between unmatched and matched packets
- Columns are now sorted via secondary properties if an identical entry is found
- Conversations are sorted via second address and first port number
- Endpoints are sorted via port numbers
- IPv6 addresses are sorted correctly after IPv4 addresses
- The dialog elements have been moved to make it easier to handle for new users
- Selection of tap elements is done via a list
- All configurations and options are done via a left side button row
- Columns for the Conversations and Endpoint dialogs can be hidden by a context menu
- TCP and UDP conversations now include the stream ID and allow filtering on it

The following features are new (or have been significantly updated) since version 3.6.0:
- The Windows installers now ship with Npcap 1.60. They previously shipped with Npcap 1.55.
- The Windows installers now ship with Qt 6.2.4. They previously shipped with Qt 5.12.2.

The display filter syntax has been updated and enhanced:
- A syntax to match a specific layer in the protocol stack has been added. For example in an IP-over-IP packet “ip.addr#1 == 1.1.1.1” matches the outer layer addresses and “ip.addr#2 == 1.1.1.2” matches the inner layer addresses.
- Universal quantifiers "any" and "all" have been added to any relational operator. For example the expression "all tcp.port > 1024" is true if and only if all tcp.port fields match the condition. Previously only the default behaviour to return true if any one field matches was supported.
- Field references, of the form ${some.field}, are now part of the syntax of display filters. Previously they were implemented as macros. The new implementation is more efficient and has the same properties as protocol fields, like matching on multiple values using quantifiers and support for layer filtering.
- Arithmetic is supported for numeric fields with the usual operators “+”, “-”, “*”, “/”, and “%”. Arithmetic expressions must be grouped using curly brackets (not parentheses).
- New display filter functions max(), min() and abs() have been added.
- Functions can accept expressions as arguments, including other functions. Previously only protocol fields and slices were syntactically valid function arguments.
- A new syntax to disambiguate literals from identifiers has been added. Every value with a leading dot is a protocol or protocol field. Every value in between angle brackets is a literal value. See the User’s Guide for details.
- The "bitwise and" operator is now a first-class bit operator, not a boolean operator. In particular this means it is now possible to mask bits, e.g.: frame[0] & 0x0F == 3.
- Dates and times can be given in UTC using ISO 8601 (with 'Z' timezone) or by appending the suffix "UTC" to the legacy formats. Otherwise local time is used
- Integer literal constants may be written in binary (in addition to decimal/octal/hexadecimal) using the prefix "0b" or "0B"
- Logical AND now has higher precedence than logical OR, in line with most programming languages

- It is now possible to index protocol fields from the end using negative indexes. For example the following expression tests the last two bytes of the TCP protocol field: tcp[-2:] == AA:BB. This was a longstanding bug that has been fixed in this release.
- Set elements must be separated using a comma, e.g: {1, 2, "foo"}. Using only whitespace as a separator was deprecated in 3.6 and is now a syntax error.
- Support for some additional character escape sequences in double quoted strings has been added. Along with octal (\<number>) and hex (\x<number>) encoding, the following C escape sequences are now supported with the same meaning: \a, \b, \f, \n, \r, \t, \v. Previously they were only supported with character constants.
- Unicode universal character names are now supported with the escape sequences \uNNNN or \UNNNNNNNN, where N is a hexadecimal digit
- Unrecognized escape sequences are now treated as a syntax error. Previously they were treated as a literal character. In addition to the sequences indicated above, backslash, single quotation and double quotation mark are also valid sequences: \\, \', \".
- A new strict equality operator "===" or "all_eq" has been added. The expression "a === b" is true if and only if all a’s are equal to b. The negation of "===" can now be written as "!==" (any_ne).
- The aliases "any_eq" for "==" and "all_ne" for "!=" have been added
- The operator "~=" is deprecated and will be removed in a future version. Use "!==", which has the same meaning instead
- Floats must be written with a leading and ending digit. For example the values ".7" and "7." are now invalid as floats. They must be written "0.7" and "7.0" respectively.
- The display filter engine now uses PCRE2 instead of GRegex (GLib’s bindings to the older and end-of-life PCRE library). PCRE2 is compatible with PCRE so any user-visible changes should be minimal. Some exotic patterns may now be invalid and require rewriting.
- Literal strings can handle embedded null bytes (the value '\0') correctly. This includes regular expression patterns. For example the double-quoted string "\0 is a null byte" is a legal literal value. This may be useful to match byte patterns but note that in general protocol fields with a string type still cannot contain embedded null bytes.
- Booleans can be written as True/TRUE or False/FALSE. Previously they could only be written as 1 or 0.
- It is now possible to test for the existence of a slice
- All integer sizes are now compatible. Unless overflow occurs any integer field can be compared with any other.

The text2pcap command and the “Import from Hex Dump” feature have been updated and enhanced:
- text2pcap supports writing the output file in all the capture file formats that wiretap library supports, using the same -F option as editcap, mergecap, and tshark.
- Consistent with the other command line tools like editcap, mergecap, tshark, and the "Import from Hex Dump" option within Wireshark, the default capture file format for text2pcap is now pcapng. The -n flag to select pcapng (instead of the previous default, pcap) has been deprecated and will be removed in a future release.
- text2pcap supports selecting the encapsulation type of the output file format using the wiretap library short names with an -E option, similar to the -T option of editcap.
- text2pcap has been updated to use the new logging output options and the -d flag has been removed. The "debug" log level corresponds to the old -d flag, and the "noisy" log level corresponds to using -d multiple times.
- text2pcap and “Import from Hex Dump” support writing fake IP, TCP, UDP, and SCTP headers to files with Raw IP, Raw IPv4, and Raw IPv6 encapsulations, in addition to Ethernet encapsulation available in previous versions.
- text2pcap supports scanning the input file using a custom regular expression, as supported in “Import from Hex Dump” in Wireshark 3.6.x.
- In general, text2pcap and wireshark’s “Import from Hex Dump” have feature parity.
- The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane.
- The HTTP2 dissector now supports using fake headers to parse the DATAs of streams captured without first HEADERS frames of a long-lived stream (such as a gRPC streaming call which allows sending many request or response messages in one HTTP2 stream). Users can specify fake headers using an existing stream’s server port, stream id and direction.
- The IEEE 802.11 dissector supports Mesh Connex (MCX).
- The “Capture Options” dialog contains the same configuration icon as the Welcome Screen. It is now possible to configure interfaces there.
- The “Extcap” dialog remembers password items during runtime, which makes it possible to run extcaps multiple times in row without having to reenter the password each time. Passwords are never stored on disk.
- It is possible to set extcap passwords in tshark and other CLI tools
- The extcap configuration dialog now supports and remembers empty strings. There are new buttons to reset values back to their defaults.
- Support to display JSON mapping for Protobuf message has been added
- macOS debugging symbols are now shipped in separate packages, similar to Windows packages
- In the ZigBee ZCL Messaging dissector the zbee_zcl_se.msg.msg_ctrl.depreciated field has been renamed to zbee_zcl_se.msg.msg_ctrl.deprecated
- The interface list on the welcome page sorts active interfaces first and only displays sparklines for active interfaces. Additionally, the interfaces can now be hidden and shown via the context menu in the interface list
- The Event Tracing for Windows (ETW) file reader now supports displaying IP packets from an event trace logfile or an event trace live session
- ciscodump now supports IOS, IOS-XE and ASA remote capturing

Removed Features and Support:
- The CMake options starting with DISABLE_something were renamed ENABLE_something for consistency. For example DISABLE_WERROR=On became ENABLE_WERROR=Off. The default values are unchanged.

New Protocol Support:
- Allied Telesis Loop Detection (AT LDF), AUTOSAR I-PDU Multiplexer (AUTOSAR I-PduM), DTN Bundle Protocol Security (BPSec), DTN Bundle Protocol Version 7 (BPv7), DTN TCP Convergence Layer Protocol (TCPCL), DVB Selection Information Table (DVB SIT), Enhanced Cash Trading Interface 10.0 (XTI), Enhanced Order Book Interface 10.0 (EOBI), Enhanced Trading Interface 10.0 (ETI), FiveCo’s Legacy Register Access Protocol (5co-legacy), Generic Data Transfer Protocol (GDT), gRPC Web (gRPC-Web), Host IP Configuration Protocol (HICP), Huawei GRE bonding (GREbond), Locamation Interface Module (IDENT, CALIBRATION, SAMPLES - IM1, SAMPLES - IM2R0), Mesh Connex (MCX), Microsoft Cluster Remote Control Protocol (RCP), Open Control Protocol for OCA/AES70 (OCP.1), Protected Extensible Authentication Protocol (PEAP), Realtek, REdis Serialization Protocol v2 (RESP), Roon Discovery (RoonDisco), Secure File Transfer Protocol (sftp), Secure Host IP Configuration Protocol (SHICP), SSH File Transfer Protocol (SFTP), USB Attached SCSI (UASP), and ZBOSS Network Coprocessor product (ZB NCP)

Updated Protocol Support:
- Too many protocols have been updated to list here

New and Updated Capture File Support:
- There is no new or updated capture file support in this release

Major API Changes:
- proto.h: The field display types "STR_ASCII" and "STR_UNICODE" have been removed. Use "BASE_NONE" instead.
- proto.h: The field display types for floats have been extended and refactored. The type BASE_FLOAT has been removed. Use BASE_NONE instead. New display types for floats are BASE_DEC, BASE_HEX, BASE_EXP and BASE_CUSTOM.
- The Wireshark Lua API now uses the lrexlib bindings to PCRE2. Code using the Lua GRegex module will have to be updated to use lrexlib-pcre2 instead. In most cases the API should be compatible and the conversion just requires a module name change.
- The tap registration system has been updated and the list of arguments for tap_packet_cb has changed. All taps registered through register_tap_listener have to be updated.

Other Development Changes:
- The PCRE2 library is now required to build Wireshark
- You must now have a compiler with C11 support in order to build Wireshark

The following libraries and tools have had their minimum required version increased:
- CMake 3.10 is required on macOS and Linux
- Qt version 5.12 (was 5.6.0), although compilation with 5.10 and 5.11 is still possible, but will trigger a warning during configuration
- Windows SDK 10.0.18362.0 is required due to issues with C11 support
- macOS version 10.11 to 10.14 (was 10.8) is required depending on the version of Qt:
  - Qt 5.10 or higher requires macOS version 10.11
  - Qt 5.12 or higher requires macOS version 10.12
  - Qt 5.14 or higher requires macOS version 10.13
  - Qt 6.0 or higher requires macOS version 10.14
- GLib version 2.50.0 (was 2.38.0) is required
- Libgcrypt version 1.8.0 (was 1.5.0) is required
- c-ares version 1.13.0 (was 1.5.0)
- Python version 3.6.0 (was 3.4.0)
- GnuTLS version 3.5.8 (was 3.3.0)
- Nghttp2 minimum version has been set to 1.11.0 (none previous)
- Perl is no longer required to build Wireshark, but may be required to build some source code files and run code analysis checks


Wireshark Portable 3.6.8
New:
- This is the last release branch with support for 32-bit Windows. Updates will no longer be available after May 22, 2024 for that platform

Fixed:
- TCAP Malformed exception on externally re-assembled packet
- Extended 3GPP-GPRS-Negotiated-QoS-profile strings decoded incompletely
- HTTP2 dissector decodes first SSL record only
- L2TP improvements - cookie length detection, UDP encapsulation and more
- USB Truncation of URB_isochronous in frames
- ISUP/BICC parameter summary text duplication
- Running rpm-setup.sh shows missing packages that Centos does not need
- IPX/IPX RIP: Crash on expand subtree
- Qt: A file or packet comment that is too large will corrupt the pcapng file
- BGP dissector bug
- Wrong interpretation of the cbsp.rep_period field in epan/dissectors/packet-gsm_cbsp.c
- Assertion due to incorrect mask for btatt.battery_power_state.*
- Qt: Expert Info dialog not showing Malformed Frame when Frame length is less than captured length
- Wireshark and tshark become non-responsive when reading certain packets


Wireshark Portable 3.6.7
New:
- This is the last release branch with support for 32-bit Windows. Updates will no longer be available after May 22, 2024 for that platform.

Fixed:
The following bugs have been fixed:
- Multiple Files preference "Create new file automatically…​after" [time] working incorrectly
- get_filter Lua function doesn’t return the filter
- Dissector bug, protocol HTTP failed assertion "saved_layers_len < 500" with chunked/multipart
- Wrong EtherCAT bit label (possible dissector bug)
- UDP packets falsely marked as "malformed packet"
- TLS certificate parser with filter crash
- Incorrect type for the IEC 60870 APDU appears in packet details pane
- NHRP Problem
- EtherCAT CoE header unknown type


Wireshark Portable 3.6.6
Fixed:
- TLS: RSA decryption fails with Extended Master Secret and renegotiation
- "dfilter" file on Windows adds carriage returns, and requires line feeds
- Npcap bundled version needs a bump to v1.60 for Windows 11 compatibility
- "Browse" button in Prefs/Name Resolution/MaxMind crashes Wireshark on macOS
- TFTP: some packets are not recognized as TFTP packets with 3.6.5


Wireshark Portable 3.6.5
Fixed:
- This release fixes an installation issue on Windows which was introduced in the 3.6.4 release


Wireshark Portable 3.6.3
Fixed:
- Fuzz job crash output: fuzz-2022-01-19-7399.pcap
- TLS dissector incorrectly reports JA3 values
- "Wiki Protocol page" in packet details menu is broken - wiki pages not migrated to GitLab?
- Dissector bug, protocol PFCP display Flow Description IE value error in Additional Flow Description of PFD Management Request Message
- Bluetooth: Fails to open Log file for SCO connection
- Fuzz job crash output: fuzz-2022-03-07-10896.pcap
- libwiretap: Save as ERF causes segmentation fault
- HTTP server returning multiple early hints shows too many responses in "Follow HTTP Stream"


Wireshark Portable 3.6.2
The following vulnerabilities have been fixed:
- wnpa-sec-2022-01 RTMPT dissector infinite loop
- wnpa-sec-2022-02 Large loops in multiple dissectors
- wnpa-sec-2022-03 PVFS dissector crash
- wnpa-sec-2022-04 CSN.1 dissector crash
- wnpa-sec-2022-05 CMS dissector crash

The following bugs have been fixed:
- Support for GSM SMS TPDU in HTTP2 body
- Wireshark 3.6.1 broke the ABI by removing ws_log_default_writer from libwsutil
- Fedora RPM package build failing with RPATH of /usr/local/lib64
- macos-setup.sh: ftp.pcre.org no longer exists
- nmap.org/npcap → npcap.com: domain/URL change
- MPLS ECHO FEC stack change TLV not dissected correctly
- Attempting to open a systemd journal export file segfaults
- Dissector bug on 802.11ac packets
- The Info column shows only one NGAP/S1AP packet of several packets inside an SCTP packet
- Uninstalling Wireshark 3.6.1 on Windows 10 fails to remove the installation directory because it doesn’t remove the User’s Guide subdirectory and all its contents.
- 3.6 doesn’t build without zlib
- SIP Statistics no longer properly reporting method type accounting
- Fuzz job crash output: fuzz-2022-01-26-6940.pcap
- SCTP retransmission detection broken for the first data chunk of each association with relative TSN
- “Show In Folder” doesn’t work correctly for filenames with spaces

New and Updated Features:

New Protocol Support:
- There are no new protocols in this release

Updated Protocol Support:
- AMP, ASN.1 PER, ATN-ULCS, BGP, BP, CFLOW, CMS, CSN.1, GDSDB, GSM RP, GTP, HTTP3, IEEE 802.11 Radiotap, IPDC, ISAKMP, Kafka, MP2T, MPEG PES, MPEG SECT, MPLS ECHO, NGAP, NTLMSSP, OpenFlow 1.4, OpenFlow 1.5, P_MUL, PN-RT, PROXY, PTP, PVFS, RSL, RTMPT, rtnetlink, S1AP, SCTP, Signal PDU, SIP, TDS, USB, WAP, and ZigBee ZCL

New and Updated Capture File Support:
- BLF and libpcap

New File Format Decoding Support:
- There is no new or updated file format support in this release


Wireshark Portable 3.6.1
The following vulnerabilities have been fixed:
- wnpa-sec-2021-17 RTMPT dissector infinite loop
- wnpa-sec-2021-18 BitTorrent DHT dissector infinite loop
- wnpa-sec-2021-19 pcapng file parser crash
- wnpa-sec-2021-20 RFC 7468 file parser infinite loop
- wnpa-sec-2021-21 Sysdig Event dissector crash
- wnpa-sec-2021-22 Kafka dissector infinite loop

The following bugs have been fixed:
- Allow sub-second timestamps in hexdumps
- GRPC: An unnecessary empty Protobuf tree item is displayed if the GRPC message body length is 0
- Can’t install "ChmodBPF.pkg" or "Add Wireshark to the system path.pkg" on M1 MacBook Air Monterey without Rosetta 2
- TECMP: LIN Payload is cut off by 1 byte
- Wireshark crashes if a 64 bit field of type BASE_CUSTOM is applied as a column
- Command line option "-o console.log.level" causes wireshark and tshark to exit on start
- Setting WIRESHARK_LOG_LEVEL=debug breaks interface capture
- Unable to build without tshark
- IEEE 802.11 action frames are not getting parsed and always seen as malformed
- IEC 60870-5-101 link address field is 1 byte, but should have configurable length of 0,1 or 2 bytes
- dfilter: 'tcp.port not in {1}' crashes Wireshark

New and Updated Features:
- The 'console.log.level' preference was removed in Wireshark 3.6.0. This release adds an '-o console.log.level:' backward-compatibility option on the CLI that maps to the new logging sub-system. Note that this does not have bitmask semantics and does not correspond to any actual preference. It is just a transition mechanism for users that were relying on this CLI option and will be removed in the future. To see the new diagnostic output options consult the manpages or the output of '--help'.

Updated Protocol Support:
- ANSI A I/F, AT, BitTorrent DHT, FF, GRPC, IEC 101/104, IEEE 802.11, IEEE 802.11 Radiotap, IPsec, Kafka, QUIC, RTMPT, RTSP, SRVLOC, Sysdig Event, and TECMP

New and Updated Capture File Support:
- BLF and RFC 7468


Wireshark Portable 3.6.0
New and Updated Features:
The following features are new (or have been significantly updated) since version 3.6.0rc3:
- The macOS Intel packages now ship with Qt 5.15.3 and require macOS 10.13 or later

The following features are new (or have been significantly updated) since version 3.6.0rc2:
- Display filter set elements must now be comma-separated. See below for more details.

The following features are new (or have been significantly updated) since version 3.6.0rc1:
- The display filter expression “a != b” now has the same meaning as “!(a == b)”

The following features are new (or have been significantly updated) since version 3.5.0:
- Nothing of note.

The following features are new (or have been significantly updated) since version 3.4.0:
Several changes have been made to the display filter syntax:
- The expression “a != b” now always has the same meaning as “!(a == b)”. In particular this means filter expressions with multi-value fields like “ip.addr != 1.1.1.1” will work as expected (the result is the same as typing “ip.src != 1.1.1.1 and ip.dst != 1.1.1.1”). This avoids the contradiction (a == b and a != b) being true.
- It is possible to use the syntax “a ~= b” or “a any_ne b” to recover the previous (inconsistent with "==") logic for not equal.
- Literal strings can now be specified using raw string syntax, identical to raw strings in the Python programming language. This can be used to avoid the complexity of using two levels of character escapes with regular expressions.
- Set elements must now be separated using a comma. A filter such as http.request.method in {"GET" "HEAD"} must be written as …​ in {"GET", "HEAD"}. Whitespace is not significant. The previous use of whitespace as separator is deprecated and will be removed in a future version.
- Support for the syntax "a not in b" with the same meaning as "not a in b" has been added
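
The change to “!=” described above, together with the any/all quantifiers and the “===”, “!==” and “~=” operators from the 4.0.0 notes, can be seen on a multi-value field with a small model. This is an added Python example, not Wireshark code: evaluate(), leaked(), the legacy_ne switch and the packet dictionaries are hypothetical names, the sample packets are constructed, and the field is assumed to be present in the packet.

```python
"""Toy model of display-filter relational operators on multi-value fields.

Not Wireshark code. A packet is a dict mapping a field name to the list of
values that field has in that packet (ip.addr holds source and destination).
Assumption: the field occurs at least once; absent fields are out of scope.
"""
import operator

TESTS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
         "<": operator.lt, ">=": operator.ge, "<=": operator.le}

# operator -> (default quantifier, per-value test), per the 3.6/4.0 notes.
CURRENT = {
    "==": ("any", "=="), "any_eq": ("any", "=="),
    "!=": ("all", "!="), "all_ne": ("all", "!="),
    "===": ("all", "=="), "all_eq": ("all", "=="),
    "!==": ("any", "!="), "any_ne": ("any", "!="),
    "~=": ("any", "!="),            # deprecated spelling of !==
    ">": ("any", ">"), "<": ("any", "<"),
    ">=": ("any", ">="), "<=": ("any", "<="),
}
# Before 3.6, "!=" was true as soon as any one value differed.
LEGACY = {**CURRENT, "!=": ("any", "!=")}


def evaluate(expr, packet, legacy_ne=False):
    """Evaluate '[any|all] <field> <op> <literal>' (space-separated tokens)."""
    tokens = expr.split()
    explicit = tokens.pop(0) if tokens and tokens[0] in ("any", "all") else None
    if len(tokens) != 3:
        raise ValueError(f"expected '<field> <op> <literal>': {expr!r}")
    field, op, raw = tokens
    table = LEGACY if legacy_ne else CURRENT
    if op not in table:
        raise ValueError(f"unsupported operator {op!r}")
    quantifier, test = table[op]
    # Model assumption: an explicit any/all replaces the operator's default.
    quantifier = explicit or quantifier
    values = packet.get(field)
    if not values:
        raise KeyError(f"{field} absent from packet (outside this model)")
    literal = int(raw) if raw.isdigit() else raw
    combine = all if quantifier == "all" else any
    return combine(TESTS[test](value, literal) for value in values)


def leaked(packets, host, legacy_ne):
    """Names of packets that pass 'ip.addr != host' yet still involve host."""
    expr = f"ip.addr != {host}"
    return [p["name"] for p in packets
            if evaluate(expr, p, legacy_ne) and host in p["ip.addr"]]


# Constructed sample packets (not taken from a real capture).
PKT_A = {"name": "A", "ip.addr": ["1.1.1.1", "10.0.0.7"],
         "tcp.port": [443, 51514]}
PKT_B = {"name": "B", "ip.addr": ["10.0.0.7", "10.0.0.9"],
         "tcp.port": [51514, 8080]}

if __name__ == "__main__":
    for expr in ("ip.addr == 1.1.1.1", "ip.addr != 1.1.1.1",
                 "ip.addr !== 1.1.1.1", "ip.addr === 1.1.1.1",
                 "all tcp.port > 1024"):
        print(f"{expr:24} current={evaluate(expr, PKT_A)}")
    # Under the old rule, packet A satisfied both "==" and "!=" at once.
    print("legacy != on A:", evaluate("ip.addr != 1.1.1.1", PKT_A, True))
    print("legacy leak:", leaked([PKT_A, PKT_B], "1.1.1.1", True))
    print("current leak:", leaked([PKT_A, PKT_B], "1.1.1.1", False))
```

A saved filter or coloring rule that depended on the old “!=” result can be rewritten with “!==” (any_ne), which the 4.0.0 notes give as the replacement for “~=”.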

Packaging updates:
- A macOS Arm 64 (Apple Silicon) package is now available
- The macOS Intel packages now ship with Qt 5.15.3 and require macOS 10.13 or later
- The Windows installers now ship with Npcap 1.55
- A 64-bit Windows PortableApps package is now available

- TCP conversations now support a completeness criteria, which facilitates the identification of TCP streams having any of opening or closing handshakes, a payload, in any combination. It can be accessed with the new tcp.completeness filter.
- Protobuf fields that are not serialized on the wire or otherwise missing in capture files can now be displayed with default values by setting the new “add_default_value” preference. The default values might be explicitly declared in “proto2” files, or false for bools, first value for enums, zero for numeric types.
- Wireshark now supports reading Event Tracing for Windows (ETW). A new extcap named ETW reader is created that now can open an etl file, convert all events in the file to DLT_ETW packets and write to a specified FIFO destination. Also, a new packet_etw dissector is created to dissect DLT_ETW packets so Wireshark can display the DLT_ETW packet header, its message and packet_etw dissector calls packet_mbim sub_dissector if its provider matches the MBIM provider GUID.
- “Follow DCCP stream” feature to filter for and extract the contents of DCCP streams.
- Wireshark now supports dissecting RTP packets with OPUS payloads.
- Importing captures from text files based on regular expressions is now possible. By specifying a regex capturing a single packet including capturing groups for relevant fields a textfile can be converted to a libpcap capture file. Supported data encodings are plain-hexadecimal, -octal, -binary and base64. Also the timestamp format now allows the second-fractions to be placed anywhere in the timestamp and it will be stored with nanosecond instead of microsecond precision.

The RTP Player has been significantly redesigned and improved. See Playing VoIP Calls and RTP Player Window in the User’s Guide for more details:
- The RTP Player can play many streams in row
- The UI is more responsive
- The RTP Player maintains playlist and other tools can add and remove streams to and from it
- Every stream can be muted or routed to the left or right channel for replay
- The option to save audio has been moved from the RTP Analysis dialog to the RTP Player. The RTP Player also saves what was played, and it can save in multichannel .au or .wav.
- The RTP Player is now accessible from the Telephony › RTP › RTP Player menu

The VoIP dialogs (VoIP Calls, RTP Streams, RTP Analysis, RTP Player, SIP Flows) are non-modal and can stay opened on background:
- The same tools are provided across all dialogs (Prepare Filter, Analyse, RTP Player …​)

- The “Follow Stream” dialog is now able to follow SIP calls based on their Call-ID value
- The “Follow Stream” dialog’s YAML output format has been updated to add timestamps and peers information. For more details see Following Protocol Streams in the User’s Guide
- IP fragments between public IPv4 addresses are now reassembled even if they have different VLAN IDs. Reassembly of IP fragments where one endpoint is a private (RFC 1918 section 3) or link-local (RFC 3927) IPv4 address continues to take the VLAN ID into account, as those addresses can be reused. To revert to the previous behavior and not reassemble fragments with different VLAN IDs, turn on the “Enable stricter conversation tracking heuristics” top level protocol preference.
- USB Link Layer reassembly has been added, which allows hardware captures to be analyzed at the same level as software captures
- TShark can now export TLS session keys with the --export-tls-session-keys option
- Wireshark participated in the Google Season of D
