Wireshark-announce: [Wireshark-announce] Wireshark 4.2.0rc1 is now available

From: Wireshark announcements <wireshark-announce@xxxxxxxxxxxxx>
Date: Thu, 5 Oct 2023 12:29:05 -0700
I'm proud to announce the release of Wireshark 4.2.0rc1.


 This is the first release candidate for Wireshark 4.2.

 What is Wireshark?

  Wireshark is the world’s most popular network protocol analyzer. It is
  used for troubleshooting, analysis, development and education.

 What’s New

  Wireshark supports dark mode on Windows.

  A Windows installer for Arm64 has been added.

  Packet list sorting has been improved.

  Wireshark and TShark are now better about generating valid UTF-8
  output.

  A new display filter feature for filtering raw bytes has been added.

  Display filter autocomplete is smarter about not suggesting invalid
  syntax.

  "Tools › MAC Address Blocks" can lookup a MAC address in the IEEE OUI
  registry.

  The enterprises, manuf, and services configuration files have been
  compiled in for improved start-up times.

  The installation target no longer installs development headers by
  default.

  The Wireshark installation is relocatable on Linux (and other ELF
  platforms with support for relative RPATHs).

  Wireshark can be compiled on Windows using MSYS2[1]. Check the
  Developer’s guide for instructions.

  Wireshark can be cross-compiled for Windows using Linux. Check the
  Developer’s guide for instructions.

  "Tools › Browser (SSL Keylog)" can launch your web browser with the
  SSLKEYLOGFILE environment variable set to the appropriate value.

  Windows installer file names now have the format
  Wireshark-<version>-<architecture>.exe.

  Many other improvements have been made. See the “New and Updated
  Features” section below for more details.

  Bug Fixes

   The following bugs have been fixed:

     • Issue 18413[2] - RTP player do not play audio frequently on
       Windows builds with Qt6.

     • Issue 18510[3] - Playback marker does not move after resume with
       Qt6.

  New and Updated Features

   The following features are new (or have been significantly updated)
   since version 4.1.0:

     • Improved dark mode support.

   The following features are new (or have been significantly updated)
   since version 4.0.0:

     • The Windows installers now ship with Qt 6.5.3. They previously
       shipped with Qt 6.2.3.

     • The API has been updated to ensure that the dissection engine
       produces valid UTF-8 strings.

     • Wireshark now builds with Qt6 by default. To use Qt5 instead pass
       USE_qt6=OFF to CMake.

     • The "ciscodump" extcap supports Cisco IOS XE 17.x.

     • The default interval between GUI updates when capturing has been
       decreased from 500ms to 100ms, and is now configurable.

     • The -n option also now disables IP address geolocation
       information lookup in configured MaxMind databases (and
       geolocation lookup can be enabled with -Ng.) This is most
       relevant for TShark, where geolocation lookups are synchronous.

     • The display filter drop-down list is now sorted by "most recently
       used" instead of "most recently created".

     • Display filter syntax-related changes:

        • It is now possible to filter on raw packet data for any field
       by using the syntax `@some.field == <bytes…​>`. This can be
       useful to filter on malformed UTF-8 strings, among other use
       cases where it is necessary to look at the field’s raw data.

        • Negation (unary minus) now works with any display filter
       arithmetic expression.

        • Using the slice operator with strings produces a string.
       Previously it would produce a byte array. This is useful to
       index/slice UTF-8 multibyte strings. String byte slices can still
       be obtained using the "@" (raw operator) prefix.

        • Arithmetic expressions are allowed as set elements.

        • Absolute date and time values can be written as Unix time.

        • The limitation where a minus sign needed to be preceded by a
       space character has been removed.

        • Added XOR logical operator.

        • Fixed the implementation of `all …​ in` membership operator
       (#19188[4]).

        • When parsing absolute time values the display filter engine
       has learned to understand timezones as specified in
       strptime(3)[5], including some common North American
       designations. Arbitrary timezone names are not supported however.
       Previously only ISO8601 offsets and the "UTC" designation was
       understood.

        • Writing value strings without double quotes is deprecated and
       will generate a warning. Value strings are integer or boolean
       values that can be represented using a user-friendly textual
       format, such as "Set"/"Unset" instead of numerical values like 1
       and 0. It is now a requirement that value strings need to be
       written enclosed in double-quotes.

        • The deprecated ~≃ operator symbol has been removed. It was
       replaced by !== in version 4.0.

     • Running the test suite requires the pytest[6] Python module. The
       emulation layer that allowed running tests without pytest
       installed has been removed.

     • When saving files or exporting packets after changing their time
       with the "Time Shift" dialog, the shifted time is written to the
       new file.

     • TLS secrets used in decrypting packets can be embedded (or
       discarded) from the capture file via the GUI, similar to the
       options --inject-secrets and --discard-all-secrets in editcap.

     • The text of any configured column (displayed or hidden) can be
       filtered anywhere that filters are used - in display filters,
       filters in taps, coloring rules, Wireshark read filters, and the
       -Y, -R, and -e options to TShark, the "Apply as Filter" GUI
       option, etc.

        • The filter field names are prefixed by "_ws.col", followed by
       a lowercase version of the COL_ name found in
       epan/column-utils.h, e.g. "_ws.col.info" or "_ws.col.protocol"

        • Using the column names as a filter is slower than other filter
       types because the columns must be constructed, so when the same
       filtering can be achieved via other fields, prefer that.

     • The external name resolution text files "manuf", "enterprises"
       and "services" have been removed and replaced with static binary
       data. You can dump the respective internal data using `tshark -G
       manuf|enterprises|services`.

     • The "manuf" file is now also read from the personal configuration
       folder, and is profile-based.

     • The Lua console dialogs under the Tools menu were refactored and
       redesigned. It now consists of a single dialog window for input
       and output.

     • Wireshark now shows byte units in the statistics in the
       user-selected language (uses the system default language by
       default).

     • Packet list sorting has been improved:

        • When sorting packet list with a filter applied, only the
       visible packets are sorted, which greatly increases sorting
       speed.

        • The cache size for column text is limited to a default of
       10000 rows, which limits the maximum memory usage. The maximum
       value can be changed in Preferences→Appearance→Layout

        • Due to the above, columns that require packet dissection can
       only be sorted if the number of visible rows is less than the
       cache size. If there are more rows visible, a warning will
       appear. Columns that do not require packet dissection (those that
       calculated directly from the capture file frame headers, such as
       packet number, time, and frame length) can be sorted with any
       number of visible rows.

        • Sorting can be interrupted.

     • When changing the dissector via the "Decode As" table for values
       that have default dissectors registered, selecting "(none)" will
       select no dissection (while still allowing heuristic dissectors
       to attempt to dissect.) The previous behavior was to reset the
       dissector to the default. To facilitate resetting the dissector,
       the default dissector is now sorted at the top of the list of
       possible dissector options.

     • The personal extcap plugin folder location on Unix has been
       changed to follow existing conventions for architecture-dependent
       files. The extcap personal folder is now
       `$HOME/.local/lib/wireshark/extcap`. Previously it was
       `$XDG_CONFIG_HOME/wireshark/extcap`.

     • The "init.lua" file is now loaded from any of the Lua plugin
       directories. Previously it was loaded from the personal
       configuration directory. (For backward-compatibility this is
       still allowed; note that deprecated features may be removed in a
       future release).

     • Installation of development headers must be done explicitly using
       the CMake command `cmake --install <builddir> --component
       Development`.

     • The Windows build has a new SpeexDSP external dependency
       (https://www.speex.org). The speex code that was previously
       bundled has been removed.

     • New `--print-timers` option added to TShark.

  Removed Features and Support

     • With the addition of the universal and consistent filtering
       support for column text, the previous support in the -e option to
       TShark for displaying column text via the column title has been
       removed in general. Those field names cannot be used elsewhere
       (as they may not be legal filter names) and create confusion if
       more than one column has the same title or if a column is
       renamed. Prefer the column format instead, e.g. "_ws.col.info"
       for "_ws.col.Info". However, for backwards compatibility with
       existing tools and scripts, the titles of the default columns can
       continue to be used with `tshark -e` (but not elsewhere.)

     • The bundled script "dtd_gen.lua" that was disabled by default has
       been removed from the installation. It can be found in the
       Wireshark Wiki under "Contrib"[7].

     • The Wi-Fi NAN dissector filter name has been changed from 'nan'
       to 'wifi_nan'.

  New File Format Decoding Support

   RTPDump

  New Protocol Support

   Aruba UBT, ASAM Capture Module Protocol (CMP), ATSC Link-Layer
   Protocol (ALP), DECT DLC protocol layer (DECT-DLC), DECT NWK protocol
   layer (DECT-NWK), DECT proprietary Mitel OMM/RFP Protocol (also named
   AaMiDe), Digital Object Identifier Resolution Protocol (DO-IRP),
   Discard Protocol, FiRa UWB Controller Interface (UCI), FiveCo’s
   Register Access Protocol (5CoRAP), Fortinet FortiGate Cluster
   Protocol (FGCP), GPS L1 C/A LNAV navigation messages, GSM Radio Link
   Protocol (RLP), H.224, High Speed Fahrzeugzugang (HSFZ), Hypertext
   Transfer Protocol version 3 (HTTP/3), ID3v2, IEEE 802.1CB (R-TAG),
   Iperf3, JSON 3GPP, Low Level Signalling (ATSC3 LLS), Management
   Component Transport Protocol (MCTP), Management Component Transport
   Protocol - Control Protocol (MCTP CP), Matter home automation
   protocol, Microsoft Delivery Optimization, Multi-Drop Bus (MDB),
   Non-volatile Memory Express - Management Interface (NVMe-MI) over
   MCTP, RDP audio output virtual channel Protocol (rdpsnd), RDP
   clipboard redirection channel Protocol (cliprdr), RDP Program virtual
   channel Protocol (RAIL), SAP Enqueue Server (SAPEnqueue), SAP GUI
   (SAPDiag), SAP HANA SQL Command Network Protocol (SAPHDB), SAP
   Internet Graphic Server (SAP IGS), SAP Message Server (SAPMS), SAP
   Network Interface (SAPNI), SAP Router (SAPROUTER), SAP Secure Network
   Connection (SNC), SBAS L1 Navigation Messages (SBAS L1), SINEC AP1
   Protocol (SINEC AP), SMPTE ST2110-20 (Uncompressed Active Video),
   Train Real-Time Data Protocol (TRDP), UBX protocol of u-blox GNSS
   receivers (UBX), UDP Tracker Protocol for BitTorrent (BT-Tracker),
   UWB UCI Protocol, Video Protocol 9 (VP9), VMware HeartBeat, Windows
   Delivery Optimization (MS-DO), Z21 LAN Protocol (Z21), Zabbix, ZigBee
   Direct (ZBD), and Zigbee TLV

  Updated Protocol Support

     • JSON: The dissector now has a preference to enable/disable
       "unescaping" of string values. By default it is off. Previously
       it was always on.

     • JSON: The dissector now supports "Display JSON in raw form".

     • IPv6: The dissector has a new preference to show some semantic
       details about addresses (default off).

     • IPv6: The dissector now supports dissecting the Application-aware
       IPv6 Networking (APN6) option[8] in the Hop-by-Hop Options Header
       (HBH) and Destination Options Header (DOH), including all three
       types of APN ID, which are 32-bit, 64-bit and 128-bit in length.

     • XML: The dissector now supports display character according to
       the "encoding" attribute of the XML declaration, and has a new
       preference to set default character encoding for some XML
       document without "encoding" attribute.

     • SIP: The dissector now has a new preference to set default
       charset for displaying the body of SIP messages in raw text view.

     • HTTP: The dissector now supports dissecting chunked data in
       streaming reassembly mode. Subdissectors of HTTP can register
       itself in "streaming_content_type" subdissector table for
       enabling streaming reassembly mode while transferring in chunked
       encoding. This feature ensures the server stream messages of
       GRPC-Web over HTTP/1.1 can be dissected even if the last chunk is
       absent.

     • The media type dissector table now properly treats media types
       and subtypes as case-insensitive automatically, per RFC 6838.
       Media types no longer need to be lower cased before registering
       or looking up in the table.

     • CFM: The dissector has been overhauled and updated to the level
       of IEEE std 802.1Q-2022 and ITU-T Rec. G.8013/Y.1371 (08/2015).
       This includes dissection of additional PDU types and TLVs as well
       as deeper dissection of existing PDUs and TLVs.

   Too many other protocol updates have been made to list them all here.

  New and Updated Codec support

   Adaptive Multi-Rate (AMR), if compiled with opencore-amr[9].

  Major API Changes

     • Lua function "package.prepend_path" has been removed. If you need
       it please consider adding your own package.path customization
       code or installing your dependencies in Wireshark’s default
       paths.

     • The reassemble_streaming_data_and_call_subdissector() API has
       been added to provide a simpler way to reassemble the streaming
       data of a high level protocol that is not on top of TCP.

     • Some of the API now uses C99 types instead of GLib types. Issue
       19116[10]

 Getting Wireshark

  Wireshark source code and installation packages are available from
  https://www.wireshark.org/download.html.

  Vendor-supplied Packages

   Most Linux and Unix vendors supply their own Wireshark packages. You
   can usually install or upgrade Wireshark using the package management
   system specific to that platform. A list of third-party packages can
   be found on the download page[11] on the Wireshark web site.

 File Locations

  Wireshark and TShark look in several different locations for
  preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
  locations vary from platform to platform. You can use "Help › About
  Wireshark › Folders" or `tshark -G folders` to find the default
  locations on your system.

 Getting Help

  The User’s Guide, manual pages and various other documentation can be
  found at https://www.wireshark.org/docs/

  Community support is available on Wireshark’s Q&A site[12] and on the
  wireshark-users mailing list. Subscription information and archives
  for all of Wireshark’s mailing lists can be found on the web site[13].

  Bugs and feature requests can be reported on the issue tracker[14].

  You can learn protocol analysis and meet Wireshark’s developers at
  SharkFest[15].

 How You Can Help

  The Wireshark Foundation helps as many people as possible understand
  their networks as much as possible. You can find out more and donate
  at wiresharkfoundation.org[16].

 Frequently Asked Questions

  A complete FAQ is available on the Wireshark web site[17].

 References

   1. https://www.msys2.org/
   2. https://gitlab.com/wireshark/wireshark/-/issues/18413
   3. https://gitlab.com/wireshark/wireshark/-/issues/18510
   4. https://gitlab.com/wireshark/wireshark/-/issues/19188
   5. https://man.netbsd.org/strptime.3
   6. https://pypi.org/project/pytest/
   7. https://wiki.wireshark.org/Contrib
   8. https://www.ipv6plus.net/Phase3/apn6/
   9. https://sourceforge.net/projects/opencore-amr/
  10. https://gitlab.com/wireshark/wireshark/-/issues/19116
  11. https://www.wireshark.org/download.html
  12. https://ask.wireshark.org/
  13. https://www.wireshark.org/lists/
  14. https://gitlab.com/wireshark/wireshark/-/issues
  15. https://sharkfest.wireshark.org
  16. https://wiresharkfoundation.org
  17. https://www.wireshark.org/faq.html


Digests

wireshark-4.2.0rc1.tar.xz: 44826104 bytes
SHA256(wireshark-4.2.0rc1.tar.xz)=fb69fd1db6c94ca17d8efba1bd8ebd593d256b9415ef70604de393bc45c59a14
SHA1(wireshark-4.2.0rc1.tar.xz)=60b183e6025b7852808e2e05900b5357e3fe0418

Wireshark-4.2.0rc1-arm64.exe: 67480264 bytes
SHA256(Wireshark-4.2.0rc1-arm64.exe)=479868014bf675ca068603858fca890f7fa79c33f3026bcfe162ef29c7630d5f
SHA1(Wireshark-4.2.0rc1-arm64.exe)=74da47a7ce990363f9c4013437c2be044b224454

Wireshark-4.2.0rc1-x64.exe: 86047696 bytes
SHA256(Wireshark-4.2.0rc1-x64.exe)=d8a1032207e6b190913a4a5665f539d9c79eeb76c1dc4db55a9bd556facec7f0
SHA1(Wireshark-4.2.0rc1-x64.exe)=aef506e02a00418873ea05042c2d4d5a8f042c3b

Wireshark-4.2.0rc1-x64.msi: 62447616 bytes
SHA256(Wireshark-4.2.0rc1-x64.msi)=ff7c708f159085647ab30ac28f773d8e7c3679fb84dc96acbe5278c706332a13
SHA1(Wireshark-4.2.0rc1-x64.msi)=50a985e8995e7ecf8351f7b39e33163629683d16

WiresharkPortable64_4.2.0rc1.paf.exe: 53323312 bytes
SHA256(WiresharkPortable64_4.2.0rc1.paf.exe)=432436301f35e5f710970602cad38fde1396d176ae302543867473aebb587ebc
SHA1(WiresharkPortable64_4.2.0rc1.paf.exe)=1e9d81281ad8e03db9ac06a52c796d6419857ab1

Wireshark 4.2.0rc1 Arm 64.dmg: 63892447 bytes
SHA256(Wireshark 4.2.0rc1 Arm 64.dmg)=26b75f32914fc692a4da89b0bbf7825c22e0f4f8143479aa3c37f8df4e2e1082
SHA1(Wireshark 4.2.0rc1 Arm 64.dmg)=4379181eb1e4b7de91f427ed642069ef2e3331b3

Wireshark 4.2.0rc1 Intel 64.dmg: 67219337 bytes
SHA256(Wireshark 4.2.0rc1 Intel 64.dmg)=2ac12679cc57197799a54a2473002283287fea8280a1ebb416e16f699306c54c
SHA1(Wireshark 4.2.0rc1 Intel 64.dmg)=2a97576f0f570da70fb2758506e4af5996e4da73

You can validate these hashes using the following commands (among others):

    Windows: certutil -hashfile Wireshark-win64-x.y.z.exe SHA256
    Linux (GNU Coreutils): sha256sum wireshark-x.y.z.tar.xz
    macOS: shasum -a 256 "Wireshark x.y.z Arm 64.dmg"
    Other: openssl sha256 wireshark-x.y.z.tar.xz

Attachment: OpenPGP_signature
Description: OpenPGP digital signature