Wireshark-announce: [Wireshark-announce] Wireshark 4.4.0rc1 is now available

From: Wireshark announcements <wireshark-announce@xxxxxxxxxxxxx>
Date: Wed, 14 Aug 2024 13:17:38 -0700
I'm proud to announce the release of Wireshark 4.4.0rc1.


 This is an experimental release intended to test new features for
 Wireshark 4.4.

 What is Wireshark?

  Wireshark is the world’s most popular network protocol analyzer. It is
  used for troubleshooting, analysis, development and education.

 What’s New

  Many improvements and fixes to the graphing dialogs, including I/O
  Graphs, Flow Graph / VoIP Calls, and TCP Stream Graphs.

  Wireshark now supports automatic profile switching. You can associate
  a display filter with a configuration profile, and when you open a
  capture file that matches the filter, Wireshark will automatically
  switch to that profile.

  Support for Lua 5.3 and 5.4 has been added, and support for Lua 5.1
  and 5.2 has been removed. The Windows and macOS installers now ship
  with Lua 5.4.6.

  Improved display filter support for value strings (optional string
  representations for numeric fields).

  Display filter functions can be implemented as plugins, similar to
  protocol dissectors and file parsers.

  Display filters can be translated to pcap filters using "Edit › Copy ›
  Display filter as pcap filter" if each display filter field has a
  corresponding pcap filter equivalent.

  Custom columns can be defined using any valid field expression, such
  as display filter functions, packet slices, arithmetic calculations,
  logical tests, raw byte addressing, and protocol layer modifiers.

  Custom output fields for `tshark -e` can also be defined using any
  valid field expression.

  Wireshark can be built with zlib-ng instead of zlib for compressed
  file support. Zlib-ng is substantially faster than zlib. The official
  Windows and macOS packages include this feature.

  Many other improvements have been made. See the “New and Updated
  Features” section below for more details.

  New and Updated Features

   The following features are either new or have been significantly
   updated since version 4.2.0:

     • The Windows installers now ship with Npcap 1.79. They previously
       shipped with Npcap 1.78.

     • Improvements to the "I/O Graphs" dialog:

        • A number of crasher bugs have been fixed.

         • The protocol tree context menu can open an I/O graph of the
        currently selected field. Issue 11362[1]

        • Smaller intervals can be used, down to 1 microsecond. Issue
       13682[2]

         • A larger number of I/O Graph item buckets can be used, up to
        2^25 (33 million) items. Issue 8460[3]

        • The size of individual graph items has been reduced, which
       reduces memory utilization.

        • When the Y field or Y axis changes, the graph displays the new
       graph correctly, retapping if necessary, instead of displaying
       information based on stale data.

        • The graph is smarter about choosing whether to retap
       (expensive), recalculate (moderately intensive), or replot
       (cheap) in order to display the newly chosen options correctly
       with the least amount of calculations. For instance, a graph that
       has previously been plotted and is disabled and then reenabled
       without any other changes will not require a new retap. Issue
       15822[4]

        • LOAD graphs are graphed properly again. Issue 18450[5]

        • Y axes have human readable units with SI prefixes. Issue
       12827[6]

        • Bar widths are scaled to the size of the interval.

        • Bar border colors are a slightly darker color than that of the
       graph itself, instead of always black. Issue 17422[7]

        • Time values have the correct width when axes are automatically
       reset.

        • The precision of the interval time shown in the hint message
       depends on the interval.

        • The tracer follows the currently selected row on the table of
       graphs, and does not appear on an invisible graph.

        • The tracer moves to the frame selected in the main window.
       Issue 12909[8]

        • Pending graph changes are saved when changing profiles when
       the I/O Graphs dialog is open.

         • I/O Graph dialog windows for closed capture files are no
        longer affected by changing the list of graphs (either in that
        dialog or in other dialogs for the currently open file).

        • Newly created temporary graphs, which will not be saved unless
       the configuration has changed, are more clearly marked with
       italics.

        • When "Time of Day" is selected for a graph, the absolute time
       will be saved to CSV exports instead of the relative time. Issue
       13717[9]

        • Graphs can be reordered by dragging and dropping their list
       entries. Issue 13855[10]

         • The graph layer order and legend order always match the
        order in the graph list. Legends also appear properly. Issue
        13854[11]

        • The legend can be moved to other corners of the graph by
       right-clicking on it and selecting its new location from a menu.

        • For purposes of displaying zero values, graphs with both lines
       and data point symbols are treated as line graphs, not scatter
       plots.

        • Logarithmic ticks are used when the Y axis is logarithmic.

        • The graph crosshairs context menu option works.

        • You can resize the graph list columns to their contents by
       right clicking on the list header. Issue 18102[12]

        • The graph is more responsive to mouse movement, especially on
       Linux Wayland.

     • Improvements to the Sequence Diagram (Flow Graphs and VoIP
       Calls):

        • When exporting the graph as an image, the entire graph is
       shown with up to 1000 items instead of only what was visible
       on-screen. This value can be increased in the preferences. Issue
       13504[13]

        • Endpoints that share the same address now have two distinct
       nodes with a line between them. Issue 12038[14]

        • The "Comment" column can be resized by selecting the axis
       between the "Comment" column and the graph and dragging, and
       auto-resized by double-clicking the column. Issue 4972[15]

        • Tooltips are shown for elided comments.

        • The scroll direction via keyboard is no longer reversed. Issue
       12932[16]

        • The column widths are fixed instead of resizing slightly
       depending on the visible entries. Issue 12931[17]

        • The Y axis labels stay in the correct position without having
       to click the Reset button.

        • The progress bar appears correctly in the Flow Graph (non VoIP
       Calls).

        • The behavior of the "Any" and "Network" combobox is corrected.
       Issue 19818[18]

        • "Limit to Display Filter" is checked if a display filter is
       applied when the Flow Graph is opened, per the documentation.

     • TCP Stream Graphs:

        • A better decision is made about which side is the server and
       thus the initially chosen direction in the graph.

        • The "Window Scaling" graph axis labels are corrected and show
       both graphs.

        • The graph crosshairs context menu option works.

        • Switching between relative and absolute sequence numbers works
       again.

     • The "Follow Stream" dialog can now show delta times between turns
       and all packets and events.

     • A number of graphs using the QCustomPlot widget ("I/O Graphs",
       "Flow Graph", "TCP Stream Graphs", and "RTP Player") are more
       responsive to mouse movement, especially on Linux when Wayland is
       used.

     • The "Find Packet" dialog can search backwards and find additional
       occurrences of a string, hex value, or regular expression in a
       single frame.

     • When using "Go To Packet" with an undisplayed frame, the window
       goes to nearest displayed frame by number. Issue 2988[19]

     • Display filter syntax enhancements:

        • Better handling of comparisons with value strings. Now the
       display filter engine can correctly handle cases where multiple
       different numeric values map to the same value string, including
       but not limited to range-type value strings.

        • Fields with value strings now support regular expression
       matching.

        • Date and time values now support arithmetic, with some
       restrictions: the multiplier/divisor must be an integer or
       floating point number and appear on the right-hand side of the
       operator.

        • The keyword "bitand" can be used as an alternative syntax for
       the bitwise-and operator.

         • Functions alone can now be used as an entire logical
        expression. The result of the expression is the truthiness of the
        function return value (or of all values if more than one). This
        is useful for example to write "len(something)" instead of
        "len(something) != 0". Even more so if a function itself returns
        a boolean value: it is now possible to write
        "bool_test(some.field)" instead of having to write
        "bool_test(some.field) == True". Both forms are now valid.

        • Display filter references can be written without curly braces.
       It is now possible to write `$frame.number` instead of
       `${frame.number}` for example.

        • There are new display filter functions which test various IP
       address properties. Check the wireshark-filter[20](5) man page
       for more information.

        • There are new display filter functions which convert unsigned
       integer types to decimal or hexadecimal, and convert fields with
       value strings into the associated string for their value, which
       can be used to produce results similar to custom columns. Check
       the wireshark-filter[21](5) man page for more information.

         • Display filter macros can be written with a semicolon after
        the macro name before the argument list, e.g.
        `${mymacro;arg1;…;argN}`, instead of `${mymacro:arg1;…;argN}`.
        The version with semicolons works better with pop-up suggestions
        when editing the display filter, so the version with the colon
        might be removed in the future.

         • Display filter macros can be written using a function-like
        notation. The macro `${mymacro:arg1;…;argN}` can be written
        `$mymacro(arg1,…,argN)`.

        • AX.25 addresses are now filtered using the "CALLSIGN-SSID"
       string syntax. Filtering based on the raw bytes values is still
       possible, like other field types, with the `@` operator. Issue
       17973[22]

     • Display filter functions can be implemented as libwireshark
       plugins. Plugins are loaded during startup from the usual binary
       plugin configuration directories. See the `ipaddr.c` source file
       in the distribution for an example of a display filter C plugin
       and the doc/plugins.example folder for generic instructions how
       to build a plugin.

     • Display filter autocompletions now also include display filter
       functions.

     • The display filter macro configuration file has changed format.
       It now uses the same format as the "dfilters" file and has been
       renamed accordingly to "dmacros". Internally it no longer uses
       the UAT API and the display filter macro GUI dialog has been
       updated. There is some basic migration logic implemented but it
       is advisable to check that the "dfilter_macros" (old) and
       "dmacros" (new) files in the profile directory are consistent.

     • Custom columns can be defined using any valid field expression:

        • Display filter functions, like `len(tcp.payload)`, including
       nested functions like `min(len(tcp.payload), len(udp.payload))`
       and newly defined functions using the plugin system mentioned
       above. Issue 15990[23] Issue 16181[24]

        • Arithmetic calculations, like `ip.len * 8` or `tcp.srcport +
       tcp.dstport`. Issue 7752[25]

        • Slices, like `tcp.payload[4:4]`. Issue 10154[26]

        • The layer operator, like `ip.proto#1`, which will return the
       protocol field in the first IPv4 layer if there is tunneling.
       Issue 18588[27]

        • Raw byte addressing, like `@ip`, which will return the bytes
       of protocol or FT_NONE fields, among others. Issue 19076[28]

        • Logical tests, like `tcp.port == 443`, which produce a check
       mark if the test matches (similar to protocol and FT_NONE fields
       without `@`.) This works with all logical operators, including
       e.g. regular expression matching (`matches` or `~`.)

        • Defined display filter macros.

        • Any combination of the above also works.

         • Multifield columns are still available. For backwards
        compatibility, `X or Y` is interpreted as a multifield column as
        before. To represent a logical test for the presence of multiple
        fields instead of concatenating values, use parentheses, e.g.
        `(tcp.options.timestamp or tcp.options.nop)`.

        • Field references are not implemented because there’s no sense
       of a currently selected frame. "Resolved" column values (such as
       host name resolution or value string lookup) are not supported
       for any of the new expressions yet.

     • Custom output fields for `tshark -e <field>` can also be defined
       using any valid field expression as above.

        • For custom output fields, `X or Y` is the usual logical test;
       to output multiple fields use multiple `-e` terms as before.

        • The various `-E` options, including `-E occurrence`, all work
       as expected.

     • When selecting "Manage Interfaces" from "Capture Options",
       Wireshark only attempts to reconnect to rpcap hosts that were
       active in the last session, instead of every remote host that the
       current profile has ever connected to. Issue 17484[29]

     • The "Resolved Addresses" dialog only shows what addresses and
       ports are present in the file (not including information from
       static files), and selected rows or the entire table can be saved
       or copied to the clipboard in several formats. Issue 16419[30]

     • Dumpcap and Wireshark support the `-F` option when capturing a
       file on the command line. Issue 18009[31]

     • When capturing on the command line dumpcap accepts a `-Q` option
       that is quieter than `-q` and prints only errors to standard
       error, similar to tshark. Issue 14491[32]

     • When capturing a file and requesting the `pcap` format,
       nanosecond resolution time stamps will be written if the device
       and version of libpcap support it.

     • When capturing using a file size autostop or ring buffer
       condition, the maximum value is now 2 TB, up from 2 GiB. Note that
       you may have problems when the number of packets gets larger than
       2^31 or 2^32, though that is also true when no limit is set.

     • When capturing files in multiple file mode, a pattern that places
       the date and time before the index number can be used (e.g.,
       foo_20240714110102_00001.pcap instead of
       foo_00001_20240714110102.pcap). This makes file names sortable in
       chronological order across file sets from different captures. The
       "File Set" dialog has been updated to handle the new pattern,
       which has been capable of being produced by tshark since version
       3.6.0.

     • Adding interfaces at startup is about twice as fast, and has many
       fewer UAC pop-ups when Npcap is installed with access restricted
       to Administrators on Windows.

     • The Lua version included with the Windows and macOS installers
       has been updated to 5.4. While we have tried to help with
       backward compatibility by including the lua_bitop library with Lua
       5.3 and 5.4 in addition to the native Lua support for bit
       operations present in those versions, different versions of Lua
       are not guaranteed to be compatible. If a Lua dissector has
       issues, check the manuals for Lua 5.4[33], Lua 5.3[34], and Lua
       5.2[35] for incompatibilities and suggested workarounds. Note
       that features marked as deprecated in one version are removed in
       the subsequent version without additional notice, so it can be
       worth checking the manual for previous versions.

     • Lua scripts in the plugins directories are now initially loaded
       via the same internal Lua methods as `require()`. This avoids
       errors from loading plugins twice, once by scanning the directory
       initially, and once by `require()`, and also results in globals
       defined in plugins entering the global namespace. Previously
       globals defined in plugins only entered the global namespace when
       placed in the global plugins directory, but not the personal
       plugins directory. Using globals in plugins remains deprecated
       style (both by Wireshark and in Lua generally) and should be
       avoided in favor of other methods. Issue 18589[36]

     • Lua functions have been added to decompress and decode TvbRanges
       with other compression types besides zlib, such as Brotli,
       Snappy, Zstd, and others, matching the support in the C API.
       tvbrange:uncompress() has been deprecated in favor of
       tvbrange:uncompress_zlib().

     • Lua Dumper now defaults to the pcapng file type, and to
       per-packet encapsulation (creating interfaces on demand as
       necessary) when writing pcapng. Issue 16403[37]

     • Editcap has an `--extract-secrets` option to extract embedded
       decryption secrets from a capture file. Issue 18197[38]

     • Global profiles can be used in tshark by using the
       `--global-profile` option.

     • Capture files can be saved with LZ4 compression. LZ4 has an
       emphasis on speed and may be particularly useful for large files.

     • Fast random access is supported with LZ4 compressed files when
       compressed with independent blocks, which is the default. This
       provides much more responsive GUI performance when jumping to
       different packets. Fast random access has been supported with
       gzip compressed files since version 1.8.0, but this is not
       supported for Zstd compressed files.

     • Wireshark’s Git repository tags are now signed using SSH. See the
       Developer’s Guide[39] for more details.

  Removed Features and Support

     • The tshark `-G` option with no argument is deprecated and will be
       removed in a future version. Use `tshark -G fields` to produce
       the same report.

  Removed Dissectors

   The Parlay dissector has been removed.

  New Protocol Support

   Allied Telesis Resiliency Link (AT RL), ATN Security Label, Bit Index
   Explicit Replication (BIER), Bus Mirroring Protocol, EGNOS Message
   Server (EMS) file format, Galileo E1-B I/NAV navigation messages, IBM
   i RDMA Endpoint (iRDMA-EDP), IWBEMSERVICES, MAC NR Framed
   (mac-nr-framed), Matter Bluetooth Transport Protocol (MatterBTP),
   MiWi P2P Star, Monero, NMEA 0183, PLDM, RDP authentication
   redirection virtual channel protocol (rdpear), RF4CE Network Layer
   (RF4CE), RF4CE Profile (RF4CE Profile), RK512, SAP Remote Function
   Call (SAPRFC), SBAS L1 Navigation Message, Scanner Access Now Easy
   (SANE), TREL, WMIO, and ZeroMQ Message Transport Protocol (ZMTP).

  Updated Protocol Support

   IPv6: The "show address detail" preference is now enabled by default.
   The address details provided have been extended to include more
   special purpose address block properties (forwardable,
   globally-routable, etc).

   Too many other protocol updates have been made to list them all here.

   EGNOS Message Server (EMS) files

   u-blox GNSS receivers

  Major API Changes

     • The entire code base has been updated to use C99 types instead of
       GLib types. This includes changing occurrences of `gboolean`,
       which is an integer, to C99’s native `bool` type in many places.

     • The `tvb_get_guintX` and `tvb_get_gintX` functions in the tvbuff
       API have been renamed to `tvb_get_uintX` and `tvb_get_intX` (the
       GLib-style "g" has been removed). You can still use the old-style
       names, but they have been deprecated.

     • Plugins should provide a `plugin_describe()` function that
       returns an ORed list of flags consisting of the plugin types
       used. See wsutil/plugins.h for details.

 Getting Wireshark

  Wireshark source code and installation packages are available from
  https://www.wireshark.org/download.html.

  Vendor-supplied Packages

   Most Linux and Unix vendors supply their own Wireshark packages. You
   can usually install or upgrade Wireshark using the package management
   system specific to that platform. A list of third-party packages can
   be found on the download page[40] on the Wireshark web site.

 File Locations

  Wireshark and TShark look in several different locations for
  preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
  locations vary from platform to platform. You can use "Help › About
  Wireshark › Folders" or `tshark -G folders` to find the default
  locations on your system.

 Getting Help

  The User’s Guide, manual pages and various other documentation can be
  found at https://www.wireshark.org/docs/

  Community support is available on Wireshark’s Q&A site[41] and on the
  wireshark-users mailing list. Subscription information and archives
  for all of Wireshark’s mailing lists can be found on the mailing list
  site[42].

  Bugs and feature requests can be reported on the issue tracker[43].

  You can learn protocol analysis and meet Wireshark’s developers at
  SharkFest[44].

 How You Can Help

  The Wireshark Foundation helps as many people as possible understand
  their networks as much as possible. You can find out more and donate
  at wiresharkfoundation.org[45].

 Frequently Asked Questions

  A complete FAQ is available on the Wireshark web site[46].

 References

   1. https://gitlab.com/wireshark/wireshark/-/issues/11362
   2. https://gitlab.com/wireshark/wireshark/-/issues/13682
   3. https://gitlab.com/wireshark/wireshark/-/issues/8460
   4. https://gitlab.com/wireshark/wireshark/-/issues/15822
   5. https://gitlab.com/wireshark/wireshark/-/issues/18450
   6. https://gitlab.com/wireshark/wireshark/-/issues/12827
   7. https://gitlab.com/wireshark/wireshark/-/issues/17422
   8. https://gitlab.com/wireshark/wireshark/-/issues/12909
   9. https://gitlab.com/wireshark/wireshark/-/issues/13717
  10. https://gitlab.com/wireshark/wireshark/-/issues/13855
  11. https://gitlab.com/wireshark/wireshark/-/issues/13854
  12. https://gitlab.com/wireshark/wireshark/-/issues/18102
  13. https://gitlab.com/wireshark/wireshark/-/issues/13504
  14. https://gitlab.com/wireshark/wireshark/-/issues/12038
  15. https://gitlab.com/wireshark/wireshark/-/issues/4972
  16. https://gitlab.com/wireshark/wireshark/-/issues/12932
  17. https://gitlab.com/wireshark/wireshark/-/issues/12931
  18. https://gitlab.com/wireshark/wireshark/-/issues/19818
  19. https://gitlab.com/wireshark/wireshark/-/issues/2988
  20. https://www.wireshark.org/docs/man-pages/wireshark-filter.html
  21. https://www.wireshark.org/docs/man-pages/wireshark-filter.html
  22. https://gitlab.com/wireshark/wireshark/-/issues/17973
  23. https://gitlab.com/wireshark/wireshark/-/issues/15990
  24. https://gitlab.com/wireshark/wireshark/-/issues/16181
  25. https://gitlab.com/wireshark/wireshark/-/issues/7752
  26. https://gitlab.com/wireshark/wireshark/-/issues/10154
  27. https://gitlab.com/wireshark/wireshark/-/issues/18588
  28. https://gitlab.com/wireshark/wireshark/-/issues/19076
  29. https://gitlab.com/wireshark/wireshark/-/issues/17484
  30. https://gitlab.com/wireshark/wireshark/-/issues/16419
  31. https://gitlab.com/wireshark/wireshark/-/issues/18009
  32. https://gitlab.com/wireshark/wireshark/-/issues/14491
  33. https://www.lua.org/manual/5.4/manual.html#8
  34. https://www.lua.org/manual/5.3/manual.html#8
  35. https://www.lua.org/manual/5.2/manual.html#8
  36. https://gitlab.com/wireshark/wireshark/-/issues/18589
  37. https://gitlab.com/wireshark/wireshark/-/issues/16403
  38. https://gitlab.com/wireshark/wireshark/-/issues/18197
  39. https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcGitRepository.html#ChSrcWebInterface
  40. https://www.wireshark.org/download.html
  41. https://ask.wireshark.org/
  42. https://lists.wireshark.org/lists/
  43. https://gitlab.com/wireshark/wireshark/-/issues
  44. https://sharkfest.wireshark.org
  45. https://wiresharkfoundation.org
  46. https://www.wireshark.org/faq.html


Digests


You can validate the release digests using the following commands (among others):

    Windows: certutil -hashfile Wireshark-win64-x.y.z.exe SHA256
    Linux (GNU Coreutils): sha256sum wireshark-x.y.z.tar.xz
    macOS: shasum -a 256 "Wireshark x.y.z Arm 64.dmg"
    Other: openssl sha256 wireshark-x.y.z.tar.xz