Wireshark-announce: [Wireshark-announce] Wireshark 4.3.1 is now available
From: Wireshark announcements <wireshark-announce@xxxxxxxxxxxxx>
Date: Wed, 31 Jul 2024 13:27:39 -0700
I'm proud to announce the release of Wireshark 4.3.1.
This is an experimental release intended to test new features for
Wireshark 4.4.
What is Wireshark?
Wireshark is the world’s most popular network protocol analyzer. It is
used for troubleshooting, analysis, development and education.
What’s New
Many improvements and fixes to the graphing dialogs, including I/O
Graphs, Flow Graph / VoIP Calls, and TCP Stream Graphs.
Wireshark now supports automatic profile switching. You can associate
a display filter with a configuration profile, and when you open a
capture file that matches the filter, Wireshark will automatically
switch to that profile.
Support for Lua 5.3 and 5.4 has been added, and support for Lua 5.1
and 5.2 has been removed. The Windows and macOS installers now ship
with Lua 5.4.6.
Improved display filter support for value strings (optional string
representations for numeric fields).
Display filter functions can be implemented as runtime-loadable C
plugins.
Display filters can be translated to pcap filters using "Edit › Copy ›
Display filter as pcap filter" if each display filter field has a
corresponding pcap filter equivalent.
Custom columns can be defined using any valid field expression, such
as display filter functions, slices, arithmetic calculations, logical
tests, raw byte addressing, and the layer modifier.
Custom output fields for `tshark -e` can also be defined using any
valid field expression.
Wireshark can be built with the zlib-ng instead of zlib for compressed
file support. Zlib-ng is substantially faster than zlib. The official
Windows and macOS packages have this feature included.
Many other improvements have been made. See the “New and Updated
Features” section below for more details.
New and Updated Features
The following features are either new or have been significantly
updated since version 4.2.0:
• The Windows installers now ship with Npcap 1.79. They previously
shipped with Npcap 1.78.
• Improvements to the "I/O Graphs" dialog:
• A number of crasher bugs have been fixed.
• The protocol tree context menu can open a I/O graph of the
currently selected field. Issue 11362[1]
• Smaller intervals can be used, down to 1 microsecond. Issue
13682[2]
• A larger number of I/O Graph item buckets can be used, up to
225 items. Issue 8460[3]
• The memory usage has been improved, the size of an item has
been reduced from 152 bytes to 88 bytes.
• When the Y field or Y axis changes, the graph displays the new
graph correctly, retapping if necessary, instead of displaying
information based on stale data.
• The graph is smarter about choosing whether to retap
(expensive), recalculate (moderately intensive), or replot
(cheap) in order to display the newly chosen options correctly
with the least amount of calculations. For instance, a graph that
has previously been plotted and is disabled and then reenabled
without any other changes will not require a new retap. Issue
15822[4]
• LOAD graphs are graphed properly again. Issue 18450[5]
• The I/O Graph y-axis has human readable units with SI
prefixes. Issue 12827[6]
• I/O Graph bar widths are scaled to the size of the interval.
• I/O Graph bar border colors are a slightly darker color than
that of the graph itself, instead of always black. Issue 17422[7]
• The correct width of times that appear on the graph are used
when automatically resetting the axes.
• The precision of the interval time shown in the hint message
depends on the interval.
• The tracer follows the currently selected row on the table of
graphs, and does not appear on an invisible graph.
• The tracer moves to the frame selected in the main window.
Issue 12909[8]
• Pending graph changes are saved when changing profiles with
the I/O Graphs dialog open.
• I/O Graph dialog windows for closed capture files are no
longer affected by changing the list of graphs (either in that
dialogs or in other dialogs for the currently open file.)
• Temporary graphs that have just been added and will not be
saved unless the configuration has changed are more clearly
marked with italics.
• When Time of Day is selected on the graph, the absolute time
is copied to the CSV instead of relative time. Issue 13717[9]
• The graphs can be reordered via drag and drop. Issue 13855[10]
• The graph layer order and order in the legend always matches
the order in the table, and the legend appears properly. Issue
13854[11]
• The legend can be moved to other corners of the graph by
right-clicking on it and selecting from a context menu.
• Graphs with both lines and data point symbols are treated as
line graphs, not scatter plots, for purposes of displaying zero
values.
• Logarithmic ticks are used when the Y-scale is logarithmic.
• The graph crosshairs context menu option works.
• The columns on the table of graphs can be all resized at once
via the header context menu. Issue 18102[12]
• The graph is more responsive to mouse moves, especially on
Linux Wayland
• Improvements to the Sequence Diagram (Flow Graph / VoIP Calls):
• When exporting the graph as an image, the entire graph is
shown, up to 1000 items (which can be changed in preferences),
instead of only what was visible on-screen. Issue 13504[13]
• Endpoints that share a same address now have two distinct
nodes with a line between them. Issue 12038[14]
• The Comment column can be resized, by selecting the axis
between the Comment column and the graph and dragging, and
auto-resized by double-clicking the column. Issue 4972[15]
• Tooltips are shown for elided comments
• The scroll direction via keyboard is no longer reversed. Issue
12932[16]
• The column widths are fixed, instead of resizing slightly
depending on the visible entries. Issue 12931[17]
• The Y-axis labels stay in the correct position without having
to click Reset.
• The progress bar appears correctly in the Flow Graph (non VoIP
Calls.)
• The behavior of the "Any" and "Network" combobox is corrected.
Issue 19818[18]
• "Limit to Display Filter" is checked if a display filter is
applied when the Flow Graph is opened, per the documentation.
• TCP Stream Graphs:
• A better decision is made about which side is the server and
thus the initially chosen direction in the graph.
• The Window Scaling graph axis labels are corrected and show
both graphs.
• The graph crosshairs context menu option works.
• Switching between relative and absolute sequence numbers works
again.
• The "Follow Stream" dialog can now show delta times between turns
and all packets and events.
• A number of graphs using QCustomPlot ("I/O Graphs", "Flow Graph",
"TCP Stream Graphs", and "RTP Player") are more responsive during
mouse moves, especially on Linux when Wayland is used.
• The "Find Packet" dialog can search backwards, and find
additional occurrences of a string, hex value, or regular
expression in a single frame.
• When using "Go To Packet" with an undisplayed frame, the window
goes to nearest displayed frame (by number.) Issue 2988[19]
• Display filter syntax-related enhancements:
• Better handling of comparisons with value strings. Now the
display filter engine can correctly handle cases where multiple
different numeric values map to the same value string, including
but not limited to range-type value strings.
• Fields with value strings now support regular expression
matching.
• Date and time values now support arithmetic, with some
restrictions: the multiplier/divisor must be an integer or float
and appear on the right-hand side of the operator.
• The keyword "bitand" can be used as an alternative syntax for
the bitwise-and operator.
• Functions alone can now be used as an entire logical
expression. The result of the expression is the truthiness of the
function return value (or of all values if more than one). This
is useful for example to write "len(something)" instead of
"len(something) != 0". Even more so if a function returns itself
a boolean value, it is now possible to write
"bool_test(some.field)" instead of having to write
"bool_test(some.field) == True" (both forms are now valid).
• Display filter references can be written without curly braces.
It is now possible to write `$frame.number` instead of
`${frame.number}` for example.
• Added new display filter functions to test various IP address
properties. Check the wireshark-filter(5) manpage for more
information.
• Added new display filter functions to convert unsigned integer
types to decimal or hexadecimal, and convert fields with value
strings into the associated string for their value (used to
produce results similar to custom columns). Check the
wireshark-filter(5) manpage for more information.
• Display filter macros can be written with a semicolon after
the macro name before the argument list, e.g.
`${mymacro;arg1;…;argN}`, instead of `${mymacro:arg1;…;argN}`.
The version with semicolons works better with pop-up suggestions
when editing the display filter, so the version with the colon
might be removed in the future.
• Display filter macros can be written using a function-like
notation. The macro `${mymacro:arg1;…;argN}` can be written
`$mymacro(arg1,…,argN)`.
• AX.25 addresses are now filtered using the "CALLSIGN-SSID"
string syntax. Filtering based on the raw bytes values is still
possible, like other field types, with the `@` operator. Issue
17973[20]
• Display filter functions can be implemented as libwireshark
plugins. Plugins are loaded during startup from the usual binary
plugin configuration directories. See the `ipaddr.c` source file
in the distribution for an example of a display filter C plugin
and the doc/plugins.example folder for generic instructions how
to build a plugin.
• Display filter autocompletions now also include display filter
functions.
• The display filter macro configuration file has changed format.
It now uses the same format as the "dfilters" file and has been
renamed accordingly to "dmacros". Internally it no longer uses
the UAT API and the display filter macro GUI dialog has been
updated. There is some basic migration logic implemented but it
is advisable to check that the "dfilter_macros" (old) and
"dmacros" (new) files in the profile directory are consistent.
• Custom columns can be defined using any valid field expression:
• Display filter functions, like `len(tcp.payload)`, including
nested functions like `min(len(tcp.payload), len(udp.payload)`
and newly defined functions using the plugin system mentioned
above. Issue 15990[21] Issue 16181[22]
• Arithmetic calculations, like `ip.len * 8` or `tcp.srcport +
tcp.dstport`. Issue 7752[23]
• Slices, like `tcp.payload[4:4]`. Issue 10154[24]
• The layer operator, like `ip.proto#1` to return the proto
field in the first IPv4 layer if there is tunneling. Issue
18588[25]
• Raw byte addressing, like `@ip`, useful to return the bytes of
a protocol or FT_NONE field, among others. Issue 19076[26]
• Logical tests, like `tcp.port == 443`, which produce a check
mark if the test matches (similar to protocol and none fields
without `@`.) This works with all logical operators, including
e.g. regular expression matching (`matches` or `~`.)
• Defined display filter macros.
• Any combination of the above also works.
• Multifield columns are still available. For backwards
compatibility, `X or Y` is interpreted as a multifield column as
before. To represent a logical test for the presence of multiple
fields instead of concatenating values, use parenthesis, like
`(tcp.options.timestamp or tcp.options.nop`.
• Field references are not implemented, because there’s no sense
of a currently selected frame. "Resolved" column values (such as
host name resolution or value string lookup) are not supported
for any of the new expressions yet.
• Custom output fields for `tshark -e <field>` can also be defined
using any valid field expression as above.
• For custom output fields, `X or Y` is the usual logical test;
to output multiple fields use multiple `-e` terms as before.
• The various `-E` options, including `-E occurrence`, all work
as expected.
• When selecting "Manage Interfaces" from "Capture Options",
Wireshark only attempts to reconnect to rpcap (remote) hosts that
were connected to in the last session, instead of every remote
host that the current profile has ever connected to. Issue
17484[27]
• The Resolved Addresses dialog only shows what addresses and ports
are present in the file (not including information from static
files), and selected rows or the entire table can be saved or
copied to the clipboard in several formats. Issue 16419[28]
• Dumpcap and wireshark support the `-F` option when capturing a
file at the command line. Issue 18009[29]
• When capturing at the command line dumpcap accepts a `-Q` option
that is quieter than `-q` and prints only errors to standard
error, similar to tshark. Issue 14491[30]
• When capturing a file and requesting the `pcap` format,
nanosecond resolution time stamps will be written if the device
and version of libpcap supports it.
• When capturing a file, the maximum filesize at which to stop, or
to switch files in multiple file mode, can be 2 TB, up from 2GiB.
Note that you may have problems when the number of packets gets
larger than 231 or 232, though that is also true when no limit is
set.
• When capturing files in multiple file mode, a pattern that places
the date and time before the index number can be used (e.g.,
foo_20240714110102_00001.pcap instead of
foo_00001_20240714110102.pcap). This causes filenames to sort in
chronological order across file sets from different captures. The
File Set dialog has been updated to handle the new pattern, which
has been capable of being produced by tshark since version 3.6.0
• Adding interfaces at startup is about twice as fast, and has many
fewer UAC pop-ups when npcap is installed with access restricted
to Administrators on Windows
• The included Lua version has been updated to 5.4. While most Lua
dissectors should continue to work (the lua_bitop library has
been patched to work with Lua 5.3 and 5.4, in addition to the
native Lua support for bit operations present in those versions),
different versions of Lua are not guaranteed to be compatible. If
a Lua dissector has issues, check the manuals for Lua 5.4[31],
Lua 5.3[32], and Lua 5.2[33] for incompatibilities and suggested
workarounds. Note that features marked as deprecated in one
version are removed in the subsequent version without additional
notice, so it can be worth checking the manual for previous
versions.
• Lua functions have been added to decompress and decode TvbRanges
with other compression types besides zlib, such as Brotli,
Snappy, Zstd, and others, matching the support in the C API.
tvbrange:uncompress() has been deprecated for
tvbrange:uncompress_zlib().
• Lua Dumper now defaults to the pcapng file type, and to
per-packet encapsulation (creating interfaces on demand as
necessary) when writing pcapng Issue 16403[34]
• Editcap has an `--extract-secrets` option to extract embedded
decryption secrets from a capture file. Issue 18197[35]
• Global profiles can be used in tshark by using `--global-profile`
option.
Removed Features and Support
• The tshark `-G` option with no argument is deprecated and will be
removed in a future version. Use `tshark -G fields` to produce
the same report.
Removed Dissectors
The Parlay dissector has been removed.
New Protocol Support
Allied Telesis Resiliency Link (AT RL), ATN Security Label, Bit Index
Explicit Replication (BIER), Bus Mirroring Protocol, EGNOS Message
Server (EMS) file format, Galileo E1-B I/NAV navigation messages, IBM
i RDMA Endpoint (iRDMA-EDP), IWBEMSERVICES, MAC NR Framed
(mac-nr-framed), Matter Bluetooth Transport Protocol (MatterBTP),
MiWi P2P Star, Monero, NMEA 0183, PLDM, RDP authentication
redirection virtual channel protocol (rdpear), RF4CE Network Layer
(RF4CE), RF4CE Profile (RF4CE Profile), RK512, SAP Remote Function
Call (SAPRFC), SBAS L1 Navigation Message, Scanner Access Now Easy
(SANE), TREL, WMIO, and ZeroMQ Message Transport Protocol (ZMTP)
Updated Protocol Support
IPv6: The "show address detail" preference is now enabled by default.
The address details provided have been extended to include more
special purpose address block properties (forwardable,
globally-routable, etc).
Too many other protocol updates have been made to list them all here.
EGNOS Messager Server (EMS) files
u-blox GNSS receivers
Major API Changes
• Plugins should provide a `plugin_describe()` function that
returns an ORed list of flags consisting of the plugin types used
(declared in wsutil/plugins.h).
• The entire code base has been updated to use C99 types instead of
GLib types. This includes changing occurrences `gboolean`, which
is an integer, to C99’s native `bool` type in many places.
• The `tvb_get_guintX` and `tvb_get_gintX` functions in the tvbuff
API have been renamed to `tvb_get_uintX` and `tvb_get_intX` (the
GLib-style "g" has been removed). You can still use the old-style
names, but they have been deprecated.
Getting Wireshark
Wireshark source code and installation packages are available from
https://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You
can usually install or upgrade Wireshark using the package management
system specific to that platform. A list of third-party packages can
be found on the download page[36] on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for
preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
locations vary from platform to platform. You can use "Help › About
Wireshark › Folders" or `tshark -G folders` to find the default
locations on your system.
Getting Help
The User’s Guide, manual pages and various other documentation can be
found at https://www.wireshark.org/docs/
Community support is available on Wireshark’s Q&A site[37] and on the
wireshark-users mailing list. Subscription information and archives
for all of Wireshark’s mailing lists can be found on the mailing list
site[38].
Bugs and feature requests can be reported on the issue tracker[39].
You can learn protocol analysis and meet Wireshark’s developers at
SharkFest[40].
How You Can Help
The Wireshark Foundation helps as many people as possible understand
their networks as much as possible. You can find out more and donate
at wiresharkfoundation.org[41].
Frequently Asked Questions
A complete FAQ is available on the Wireshark web site[42].
References
1. https://gitlab.com/wireshark/wireshark/-/issues/11362
2. https://gitlab.com/wireshark/wireshark/-/issues/13682
3. https://gitlab.com/wireshark/wireshark/-/issues/8460
4. https://gitlab.com/wireshark/wireshark/-/issues/15822
5. https://gitlab.com/wireshark/wireshark/-/issues/18450
6. https://gitlab.com/wireshark/wireshark/-/issues/12827
7. https://gitlab.com/wireshark/wireshark/-/issues/17422
8. https://gitlab.com/wireshark/wireshark/-/issues/12909
9. https://gitlab.com/wireshark/wireshark/-/issues/13717
10. https://gitlab.com/wireshark/wireshark/-/issues/13855
11. https://gitlab.com/wireshark/wireshark/-/issues/13854
12. https://gitlab.com/wireshark/wireshark/-/issues/18102
13. https://gitlab.com/wireshark/wireshark/-/issues/13504
14. https://gitlab.com/wireshark/wireshark/-/issues/12038
15. https://gitlab.com/wireshark/wireshark/-/issues/4972
16. https://gitlab.com/wireshark/wireshark/-/issues/12932
17. https://gitlab.com/wireshark/wireshark/-/issues/12931
18. https://gitlab.com/wireshark/wireshark/-/issues/19818
19. https://gitlab.com/wireshark/wireshark/-/issues/2988
20. https://gitlab.com/wireshark/wireshark/-/issues/17973
21. https://gitlab.com/wireshark/wireshark/-/issues/15990
22. https://gitlab.com/wireshark/wireshark/-/issues/16181
23. https://gitlab.com/wireshark/wireshark/-/issues/7752
24. https://gitlab.com/wireshark/wireshark/-/issues/10154
25. https://gitlab.com/wireshark/wireshark/-/issues/18588
26. https://gitlab.com/wireshark/wireshark/-/issues/19076
27. https://gitlab.com/wireshark/wireshark/-/issues/17484
28. https://gitlab.com/wireshark/wireshark/-/issues/16419
29. https://gitlab.com/wireshark/wireshark/-/issues/18009
30. https://gitlab.com/wireshark/wireshark/-/issues/14491
31. https://www.lua.org/manual/5.4/manual.html#8
32. https://www.lua.org/manual/5.3/manual.html#8
33. https://www.lua.org/manual/5.2/manual.html#8
34. https://gitlab.com/wireshark/wireshark/-/issues/16403
35. https://gitlab.com/wireshark/wireshark/-/issues/18197
36. https://www.wireshark.org/download.html
37. https://ask.wireshark.org/
38. https://lists.wireshark.org/lists/
39. https://gitlab.com/wireshark/wireshark/-/issues
40. https://sharkfest.wireshark.org
41. https://wiresharkfoundation.org
42. https://www.wireshark.org/faq.html
Digests
wireshark-4.3.1.tar.xz: 46740748 bytes
SHA256(wireshark-4.3.1.tar.xz)=0fd7d0337e54d76eaa86c5bd1b504f78c0168df5ea675affa80bdb2f8e6ae7bd
SHA1(wireshark-4.3.1.tar.xz)=030ddb5adb99d8c0f30fa75d7553c8d9a187762c
Wireshark-4.3.1-x64.exe: 87220656 bytes
SHA256(Wireshark-4.3.1-x64.exe)=60cf890f278d8fc4566e2c98be0b6467371c27dd71b33dbf351cb5850bbdedbc
SHA1(Wireshark-4.3.1-x64.exe)=3844496ce1d91fab45cf9203405ef47094b8fe94
Wireshark-4.3.1-arm64.exe: 68622968 bytes
SHA256(Wireshark-4.3.1-arm64.exe)=f3a3b1a310b6a75fbb8c968590b08cb479b112f9c5bd7c1690048c7f2a61b72b
SHA1(Wireshark-4.3.1-arm64.exe)=4a0e219b19266bdb735699f28333ae9dcf8a3910
Wireshark-4.3.1-x64.msi: 63741952 bytes
SHA256(Wireshark-4.3.1-x64.msi)=b8a466092048757589b42f410b642ab0e5b6c46c27a654641be6dcdd4acdba36
SHA1(Wireshark-4.3.1-x64.msi)=bc6db8eeda3ac63e4f12688b530d00529c90f804
WiresharkPortable64_4.3.1.paf.exe: 73365464 bytes
SHA256(WiresharkPortable64_4.3.1.paf.exe)=96243be603bff3b4ca13a1b8850c77116e0c1db7945cfec3a916015f4dd593a3
SHA1(WiresharkPortable64_4.3.1.paf.exe)=8a03bba192dfecada7c9159f8b8fe2fe5af6d681
Wireshark 4.3.1 Arm 64.dmg: 65243685 bytes
SHA256(Wireshark 4.3.1 Arm 64.dmg)=53084eaf8e1057c7bc8ccf3c484c5ee39022791bb79bac433176fd2a6185af3f
SHA1(Wireshark 4.3.1 Arm 64.dmg)=ee16e0c6bf1210a9c33c8499e393b03b8740ea1e
Wireshark 4.3.1 Intel 64.dmg: 68659394 bytes
SHA256(Wireshark 4.3.1 Intel 64.dmg)=317ad16d12a25538186c21a3f89ba2ef42511a8aef3c0301426015263d3fe823
SHA1(Wireshark 4.3.1 Intel 64.dmg)=f5c1b5046634f4dd88817d7e4b2d058ab3f26ea3
You can validate these hashes using the following commands (among others):
Windows: certutil -hashfile Wireshark-win64-x.y.z.exe SHA256
Linux (GNU Coreutils): sha256sum wireshark-x.y.z.tar.xz
macOS: shasum -a 256 "Wireshark x.y.z Arm 64.dmg"
Other: openssl sha256 wireshark-x.y.z.tar.xz
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
- Prev by Date: [Wireshark-announce] The Wireshark mailing lists have been upgraded
- Previous by thread: [Wireshark-announce] The Wireshark mailing lists have been upgraded
- Index(es):