Wireshark-announce: [Wireshark-announce] Wireshark 4.6.0rc1 is now available
From: Wireshark announcements <wireshark-announce@xxxxxxxxxxxxx>
Date: Wed, 17 Sep 2025 12:04:13 -0700
I'm proud to announce the release of Wireshark 4.6.0rc1.
This is an experimental release intended to test new features for
Wireshark 4.6.
What is Wireshark?
Wireshark is the world’s most popular network protocol analyzer. It is
used for troubleshooting, analysis, development and education.
Wireshark is hosted by the Wireshark Foundation, a nonprofit which
promotes protocol analysis education. Wireshark and the foundation
depend on your contributions in order to do their work. If you or your
organization would like to contribute or become a sponsor, please
visit wiresharkfoundation.org[1].
What’s New
Many other improvements have been made. See the “New and Updated
Features” section below for more details.
New and Updated Features
The following features are either new or have been significantly
updated since version 4.4.0:
• The Windows installers now ship with Npcap 1.83. They previously
shipped with Npcap 1.79.
• The Windows installers now ship with Qt 6.8.3. They previously
shipped with Qt 6.5.3.
• WinPcap is no longer supported. On Windows, use Npcap instead,
uninstalling WinPcap if necessary. The last release ever of
WinPcap, 4.1.3, was on 2013-03-08 and only supports up to Windows
8, which is no longer supported by Microsoft or Wireshark.
• We now ship universal macOS installers instead of separate
packages for Arm64 and Intel. Issue 17294[2]
• Source packages are now compressed using zstd.
• A new “Plots” dialog has been added, which provides scatter plots
in contrast to the “I/O Graphs” dialog, which provides
histograms. The Plots dialog window supports multiple plots,
markers, and automatic scrolling.
• Live captures can be compressed while writing. (Previously there
was support for compressing when performing multiple file
capture, at file rotation time.) The `--compress` option in
TShark works on live captures as well. Issue 9311[3]
• Absolute time fields, regardless of field display in the Packet
Details, are always written in ISO 8601 format in UTC with -T
json. This was already the case for -T ek since version 4.2.0.
JSON is primarily a data interchange format read by software, so
a standard format is desirable.
• When absolute time fields are output with -T fields, the "show"
field of -T pdml, or in custom columns (including CSV output of
columns), the formatting similar to asctime (e.g., Dec 18, 2017
05:28:39.071704055 EST) has been deprecated in favor of ISO 8601.
For backwards compatibility, a preference has been added,
protocols.display_abs_time_ascii, which can be set to continue to
format times as before. This preference can also be set to never
use ASCII time and to use ISO 8601 time formatting in the
protocol tree (Packet Details) as well. It is possible that a
future release will remove the asctime-style formatting
entirely.
• UTC frame time column formats (including "Time (format as
specified)" when a UTC time display format is selected) have a
"Z" suffix per ISO 8601. Local time formats remain unqualified
(including if the local time zone is UTC.) Custom columns
displaying FT_ABSOLUTE_TIME already had time zone indication.
• The TShark `-G` option for generating glossary reports does not
need to be the first option given on the command line anymore. In
addition, the reports now are affected by other command line
options such as `-o`, `-d`, and `--disable-protocol`, in addition
to the `-C` option, which was already supported. (The
`defaultprefs` report remains unaffected by any other options.)
As a part of this change, `-G` with no argument, which was
previously deprecated, is no longer supported. Use `tshark -G
fields` to produce the same report. Also, the syntax for only
listing fields with a certain prefix has changed to `tshark -G
fields,prefix`.
• The underlying type of EUI-64 fields has been switched to bytes
when packet matching, similar to most other address formats. This
means that EUI-64 addresses can be sliced and compared to other
bytes types, e.g. the filter `wpan.src64[:3] == eth.src[:3]`.
Fields can still be specified using 64-bit unsigned integer
literals, though arithmetic with other integers is no longer
supported.
• Wireshark can now decrypt NTP packets using NTS (Network Time
Security). To decrypt packets, the NTS-KE (Network Time Security
Key Establishment Protocol) packets need to be present, alongside
the TLS client and exporter secrets. Additionally, the parts of a
NTP packet which can be cryptographically authenticated (from NTP
packet header until the end of the last extension field that
precedes the NTS Authenticator and Encrypted Extension Fields
extension field) are checked for validity.
• Wireshark's capability to decrypt MACsec packets has been
expanded to either use the SAK unwrapped by the MKA dissector, or
the PSK configured in the MACsec dissector. To enable the MKA
dissector to unwrap the SAK, the CAK for the applicable CKN can
be entered in the extended CKN/CAK Info UAT in the MKA dissector
preferences. The ability of the MACsec dissector to decrypt
packets using a PSK has been extended to a list of PSKs, which
can be entered through a new UAT.
• The TCP Stream Graph axes now use units with SI prefixes. Issue
20197[4]
• Custom columns have an option to show the values using the same
format as in Packet Details.
• Custom column complex expressions (e.g., with arithmetic, filter
functions, etc.) that return numeric results are sorted
numerically instead of lexicographically.
• Display filter functions `float` and `double` are added to allow
explicitly converting field types like integers and times to
single and double precision floats. They can be used to perform
further arithmetic operations on fields of different types,
including in custom column definitions.
• The minimum width of the I/O Graph dialog window has been
reduced, so it should work better on small resolution desktops,
especially in certain languages. To enable this, some checkbox
controls were moved to the graph right-click context menu. Issue
20147[5]
• X.509 certificates, used in TLS and elsewhere, can be exported
via the "File › Export Objects" menu in Wireshark (under the name
"X509AF") and `--export-objects` in TShark (with the protocol
name `x509af`.)
• Zstandard Content-Encoding is supported in the HTTP and HTTP/2
dissectors.
• Follow Stream is supported for MPEG 2 Transport Stream PIDs, and
for Packetized Elementary Streams contained within MPEG 2 TS. The
latter can be used to extract audio or video for playback with
other tools.
• DNP 3 (Distributed Network Protocol 3) is now supported in the
Conversations and Endpoints table dialogs.
• The Lua supplied preloaded libraries `bit` and `rex_pcre2` are
loaded in a way that adds them to the `package.loaded` table, as
though through `require`, so that `require("bit")` and
`require("rex_pcre2")` statements in Lua dissectors, while
usually superfluous, behave as expected. Issue 20213[6]
• The packet list (Wireshark) and event list (Stratoshark) no
longer support rows with multiple lines. Issue 14424[7]
• The `ethers` file can also contain EUI-64 to name mappings. Issue
15487[8]
• Wireshark "Import from Hex Dump" and text2pcap support byte
groups with 2 to 4 bytes (with an option for little-endian byte
order), and support hexadecimal offsets with a `0x` or `0X`
prefix (as produced by `tcpdump -x`, among others). Issue
16193[9]
• Frame timestamps can be added as preamble to hex dumps in
Wireshark from the "Print" and "Export Packet Dissection"
dialogs, and in TShark with the `--hexdump time` option. Issue
17132[10]
• Lua now has a `Conversation` object, which exposes conversations
and conversation data to Lua. Resolves Issue 15396[11]
• Supports "Copy in HTML" format via main menu, context menu and
keyboard shortcut. It also provides an option (via knobs in
preferences) to copy plain text with aligned columns along with
an ability to select a copy format to be used when copied via
keyboard shortcut.
• The "no duplicate keys" version of JSON output that tshark has
supported since 2.6.0 is available through the GUI Export
Dissections Dialog. Note that this format does not necessarily
preserve the ordering of all children in a tree, if siblings with
identical keys are not consecutive.
• The GUI Export Dissections Dialog can output raw hex bytes of the
frame data for each field with or without exporting the field
values, the same formats as the "-T json -x" and "-T jsonraw"
output modes, respectively, of TShark.
• The Conversations and Endpoints dialogs have an option to display
byte counts and bit rates in exact counts instead of
human-readable numbers with SI units. The default setting when
opening a dialog is controlled by a Statistics preference,
"conv.machine_readable". The same preference controls whether
precise byte counts are used in the TShark "-z conv" and "-z
endpoints" taps.
• The output format for some TShark statistics taps (those selected
with "-z <tap>,tree", which use the stats_tree system) can be
controlled via a preference "-o statistics.output_format".
• The color scheme can be set to Light or Dark mode independently
of the current OS default on Windows and macOS, if Wireshark is
built with Qt 6.8 or later as the official installers do. Issue
19328[12]
• LibXml2 is now a required dependency.
• The View menu has an option to Redissect Packets manually, which
can be useful when address resolution or decryption secrets have
changed.
• HTTP2 tracking of 3GPP sessions over 5G Service Based Interfaces
is now optionally available. When enabled, "Associate IMSI" will be
added to HTTP2 streams that have been found to belong to a session.
• Building the documentation on Windows no longer requires Java.
• On Linux, capture filters that use BPF extensions like "inbound",
"outbound", and "ifindex" can be used for capturing (and compiled
by the Compiled Filter dialog). Instead of always being rejected
by the syntax checker, they will be marked as unknown.
Removed Features and Support
Wireshark no longer supports AirPcap and WinPcap.
Wireshark no longer supports libnl versions 1 or 2.
The `ENABLE_STATIC` CMake option has been deprecated in favor of
`BUILD_SHARED_LIBS`.
New File Format Decoding Support
Resource Interchange File Format (RIFF) and TTL File Format
New Protocol Support
Asymmetric Key Packages (AKP), Binary HTTP, BIST TotalView-ITCH
protocol (BIST-ITCH), BIST TotalView-OUCH protocol (BIST-OUCH),
Bluetooth Android HCI (HCI ANDROID), Bluetooth Intel HCI (HCI INTEL),
BPSec COSE Context, BPSec Default SC, Commsignia Capture Protocol
(C2P), DLMS/COSEM, Ephemeral Diffie-Hellman Over COSE,
Identifier-Locator Network Protocol (ILNP), LDANeo Device trailer
(LDANeo), Lenbrook Service Discovery Protocol (LSDP), LLC V1,
Navitrol messaging, Network Time Security Key Establishment Protocol
(NTS-KE), Ouster VLP-16, Private Line Emulation (PLE), RC V3, RCG,
Roughtime, SBAS L5 Navigation Message, SGP.22 GSMA Remote SIM
Provisioning (SGP.22), SGP.32 GSMA Remote SIM Provisioning (SGP.32),
SICK CoLA Ascii and CoLA Binary protocols, Silabs Debug Channel,
Universal Measurement and Calibration Protocol (XCP), USB Picture
Transfer Protocol (USB-PTP), VLP-16 Data and Position messaging, and
vSomeIP Internal Protocol (vSomeIP)
Updated Protocol Support
Too many protocol updates have been made to list them all here.
New and Updated Capture File Support
BLF is now improved (including writing to BLF)
New and Updated Capture Interfaces support
• On Windows, etwdump’s user-friendliness has been greatly improved
thanks to various extcap changes. It should also now display the
raw bytes of unknown events.
The Lua API now supports Libgcrypt symmetric cipher functions.
Getting Wireshark
Wireshark source code and installation packages are available from
https://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You
can usually install or upgrade Wireshark using the package management
system specific to that platform. A list of third-party packages can
be found on the download page[13] on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for
preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
locations vary from platform to platform. You can use "Help › About
Wireshark › Folders" or `tshark -G folders` to find the default
locations on your system.
Getting Help
The User’s Guide, manual pages and various other documentation can be
found at https://www.wireshark.org/docs/
Community support is available on Wireshark’s Q&A site[14] and on the
wireshark-users mailing list. Subscription information and archives
for all of Wireshark’s mailing lists can be found on the mailing list
site[15].
Bugs and feature requests can be reported on the issue tracker[16].
You can learn protocol analysis and meet Wireshark’s developers at
SharkFest[17].
Official Wireshark training and certification are available from the
Wireshark Foundation[18].
How You Can Help
The Wireshark Foundation helps as many people as possible understand
their networks as much as possible. You can find out more and donate
at wiresharkfoundation.org[19].
Frequently Asked Questions
A complete FAQ is available on the Wireshark web site[20].
References
1. https://wiresharkfoundation.org
2. https://gitlab.com/wireshark/wireshark/-/issues/17294
3. https://gitlab.com/wireshark/wireshark/-/issues/9311
4. https://gitlab.com/wireshark/wireshark/-/issues/20197
5. https://gitlab.com/wireshark/wireshark/-/issues/20147
6. https://gitlab.com/wireshark/wireshark/-/issues/20213
7. https://gitlab.com/wireshark/wireshark/-/issues/14424
8. https://gitlab.com/wireshark/wireshark/-/issues/15487
9. https://gitlab.com/wireshark/wireshark/-/issues/16193
10. https://gitlab.com/wireshark/wireshark/-/issues/17132
11. https://gitlab.com/wireshark/wireshark/-/issues/15396
12. https://gitlab.com/wireshark/wireshark/-/issues/19328
13. https://www.wireshark.org/download.html
14. https://ask.wireshark.org/
15. https://lists.wireshark.org/lists/
16. https://gitlab.com/wireshark/wireshark/-/issues
17. https://sharkfest.wireshark.org
18. https://www.wireshark.org/certifications
19. https://wiresharkfoundation.org
20. https://www.wireshark.org/faq.html
Digests
You can validate these hashes using the following commands (among others):
Windows: certutil -hashfile Wireshark-win64-x.y.z.exe SHA256
Linux (GNU Coreutils): sha256sum wireshark-x.y.z.tar.xz
macOS: shasum -a 256 "Wireshark x.y.z Arm 64.dmg"
Other: openssl sha256 wireshark-x.y.z.tar.xz
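The commands above print a hash that still has to be compared by eye. The following is an added example, not part of the original announcement or the Wireshark project: it parses a digest block in the layout this announcement uses (`NAME: N bytes`, `SHA256(NAME)=hex`, `SHA1(NAME)=hex`) and checks a downloaded file against it. The function names, the stand-in file name and its contents are constructed for the demonstration.

```python
import hashlib, hmac, os, re, tempfile

# "NAME: 123 bytes" and "SHA256(NAME)=hex"; greedy NAME tolerates spaces and parentheses.
SIZE_RE = re.compile(r"^(?P<name>.+): (?P<size>\d+) bytes$")
HASH_RE = re.compile(r"^(?P<alg>SHA256|SHA1)\((?P<name>.+)\)=(?P<hex>[0-9a-fA-F]+)$")

def parse_digests(text):
    """Return {filename: {"size": int, "SHA256": hex, "SHA1": hex}}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if m := HASH_RE.match(line):
            entries.setdefault(m["name"], {})[m["alg"]] = m["hex"].lower()
        elif m := SIZE_RE.match(line):
            entries.setdefault(m["name"], {})["size"] = int(m["size"])
    return entries

def verify(path, entries):
    """Check size and SHA-256 of path against its entry; return (ok, reason)."""
    entry = entries.get(os.path.basename(path))
    if entry is None or "SHA256" not in entry:
        return False, "no SHA256 entry for this file name"
    if "size" in entry and os.path.getsize(path) != entry["size"]:
        return False, "size mismatch"
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large installers
            h.update(chunk)
    if not hmac.compare_digest(h.hexdigest(), entry["SHA256"]):
        return False, "SHA256 mismatch"
    return True, "ok"

def demo():
    """Constructed sample: a stand-in file and a digest block built for it."""
    data = b"constructed stand-in for a release artifact\n"
    path = os.path.join(tempfile.mkdtemp(), "Example 0.0.0.dmg")  # name with a space
    with open(path, "wb") as f:
        f.write(data)
    block = (f"Example 0.0.0.dmg: {len(data)} bytes\n"
             f"SHA256(Example 0.0.0.dmg)={hashlib.sha256(data).hexdigest()}\n"
             f"SHA1(Example 0.0.0.dmg)={hashlib.sha1(data).hexdigest()}\n")
    entries = parse_digests(block)
    good = verify(path, entries)
    with open(path, "wb") as f:
        f.write(data[:-1] + b"X")  # same length, one byte changed
    return good, verify(path, entries)

if __name__ == "__main__":
    print(demo())
```

The SHA1 values are parsed but not used for the decision. A digest block is only as trustworthy as the channel it arrived on, so take it from the OpenPGP-signed announcement after checking that signature.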
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature