Wireshark-dev: [Wireshark-dev] Wireshark 4.0.0 is now available
From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Tue, 4 Oct 2022 17:18:08 -0700
I'm proud to announce the release of Wireshark 4.0.0. What is Wireshark? Wireshark is the world’s most popular network protocol analyzer. It is used for troubleshooting, analysis, development and education. What’s New We no longer ship official 32-bit Windows packages starting with this release. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779[1] The display filter syntax is more powerful with many new extensions. See below for details. The Conversation and Endpoint dialogs have been redesigned. See below for details. The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane. Hex dump imports from Wireshark and from `text2pcap` have been improved. See below for details. Speed when using MaxMind geolocation has been greatly improved. The tools and libraries required to build Wireshark have changed. See “Other Development Changes” below for more details. Many other improvements have been made. See the “New and Updated Features” section below for more details. New and Updated Features The following features are new (or have been significantly updated) since version 4.0.0rc2: Nothing of note. The following features are new (or have been significantly updated) since version 4.0.0rc1: • The macOS packages now ship with Qt 6.2.4 and require macOS 10.14. They previously shipped with Qt 5.15.3. • The Windows installers now ship with Npcap 1.71. They previously shipped with Npcap 1.70. The following features are new (or have been significantly updated) since version 3.7.2: • The Windows installers now ship with Npcap 1.70. They previously shipped with Npcap 1.60. The following features are new (or have been significantly updated) since version 3.7.1: • The 'v' (lower case) and 'V' (upper case) switches have been swapped for editcap and mergecap to match the other command line utilities. • The ip.flags field is now only the three high bits, not the full byte. Display filters and Coloring rules using the field will need to be adjusted. • New address type AT_NUMERIC allows simple numeric addresses for protocols which do not have a more common-style address approach, analog to AT_STRINGZ. The following features are new (or have been significantly updated) since version 3.7.0: • The Windows installers now ship with Qt 6.2.3. They previously shipped with Qt 6.2.4. • The Conversation and Endpoint dialogs have been redesigned with the following improvements: • The context menu now includes the option to resize all columns, as well as copying elements. • Data may be exported as JSON. • Tabs may be detached and reattached from the dialog. • Adding and removing tabs will keep them in the same order all the time. • If a filter is applied, two columns are shown in either dialog detailing the difference between unmatched and matched packets. • Columns are now sorted via secondary properties if an identical entry is found. • Conversations are sorted via second address and first port number. • Endpoints are sorted via port numbers. • IPv6 addresses are sorted correctly after IPv4 addresses. • The dialog elements have been moved to make it easier to handle for new users. • Selection of tap elements is done via a list. • All configurations and options are done via a left side button row. • Columns for the Conversations and Endpoint dialogs can be hidden by a context menu. • TCP and UDP conversations now include the stream ID and allow filtering on it. The following features are new (or have been significantly updated) since version 3.6.0: • The Windows installers now ship with Npcap 1.60. They previously shipped with Npcap 1.55. • The Windows installers now ship with Qt 6.2.4. They previously shipped with Qt 5.12.2. • The display filter syntax has been updated and enhanced: • A syntax to match a specific layer in the protocol stack has been added. For example in an IP-over-IP packet “ip.addr#1 == 1.1.1.1” matches the outer layer addresses and “ip.addr#2 == 1.1.1.2” matches the inner layer addresses. • Universal quantifiers "any" and "all" have been added to any relational operator. For example the expression "all tcp.port > 1024" is true if and only if all tcp.port fields match the condition. Previously only the default behaviour to return true if any one field matches was supported. • Field references, of the form ${some.field}, are now part of the syntax of display filters. Previously they were implemented as macros. The new implementation is more efficient and has the same properties as protocol fields, like matching on multiple values using quantifiers and support for layer filtering. • Arithmetic is supported for numeric fields with the usual operators “+”, “-”, “*”, “/”, and “%”. Arithmetic expressions must be grouped using curly brackets (not parenthesis). • New display filter functions max(), min() and abs() have been added. • Functions can accept expressions as arguments, including other functions. Previously only protocol fields and slices were syntactically valid function arguments. • A new syntax to disambiguate literals from identifiers has been added. Every value with a leading dot is a protocol or protocol field. Every value in between angle brackets is a literal value. See the User’s Guide[2] for details. • The "bitwise and" operator is now a first-class bit operator, not a boolean operator. In particular this means it is now possible to mask bits, e.g.: frame[0] & 0x0F == 3. • Dates and times can be given in UTC using ISO 8601 (with 'Z' timezone) or by appending the suffix "UTC" to the legacy formats. Otherwise local time is used. • Integer literal constants may be written in binary (in addition to decimal/octal/hexadecimal) using the prefix "0b" or "0B". • Logical AND now has higher precedence than logical OR, in line with most programming languages. • It is now possible to index protocol fields from the end using negative indexes. For example the following expression tests the last two bytes of the TCP protocol field: tcp[-2:] == AA:BB. This was a longstanding bug that has been fixed in this release. • Set elements must be separated using a comma, e.g: {1, 2, "foo"}. Using only whitespace as a separator was deprecated in 3.6 and is now a syntax error. • Support for some additional character escape sequences in double quoted strings has been added. Along with octal (\<number>) and hex (\x<number>) encoding, the following C escape sequences are now supported with the same meaning: \a, \b, \f, \n, \r, \t, \v. Previously they were only supported with character constants. • Unicode universal character names are now supported with the escape sequences \uNNNN or \UNNNNNNNN, where N is a hexadecimal digit. • Unrecognized escape sequences are now treated as a syntax error. Previously they were treated as a literal character. In addition to the sequences indicated above, backslash, single quotation and double quotation mark are also valid sequences: \\, \', \". • A new strict equality operator "===" or "all_eq" has been added. The expression "a === b" is true if and only if all a’s are equal to b. The negation of "===" can now be written as "!==" (any_ne). • The aliases "any_eq" for "==" and "all_ne" for "!=" have been added. • The operator "~=" is deprecated and will be removed in a future version. Use "!==", which has the same meaning instead. • Floats must be written with a leading and ending digit. For example the values ".7" and "7." are now invalid as floats. They must be written "0.7" and "7.0" respectively. • The display filter engine now uses PCRE2 instead of GRegex (GLib’s bindings to the older and end-of-life PCRE library). PCRE2 is compatible with PCRE so any user-visible changes should be minimal. Some exotic patterns may now be invalid and require rewriting. • Literal strings can handle embedded null bytes (the value '\0') correctly. This includes regular expression patterns. For example the double-quoted string "\0 is a null byte" is a legal literal value. This may be useful to match byte patterns but note that in general protocol fields with a string type still cannot contain embedded null bytes. • Booleans can be written as True/TRUE or False/FALSE. Previously they could only be written as 1 or 0. • It is now possible to test for the existence of a slice. • All integer sizes are now compatible. Unless overflow occurs any integer field can be compared with any other. • The `text2pcap` command and the “Import from Hex Dump” feature have been updated and enhanced: • `text2pcap` supports writing the output file in all the capture file formats that wiretap library supports, using the same `-F` option as `editcap`, `mergecap`, and `tshark`. • Consistent with the other command line tools like `editcap`, `mergecap`, `tshark`, and the "Import from Hex Dump" option within Wireshark, the default capture file format for `text2pcap` is now pcapng. The `-n` flag to select pcapng (instead of the previous default, pcap) has been deprecated and will be removed in a future release. • `text2pcap` supports selecting the encapsulation type of the output file format using the wiretap library short names with an `-E` option, similar to the `-T` option of `editcap`. • `text2pcap` has been updated to use the new logging output options and the `-d` flag has been removed. The "debug" log level corresponds to the old `-d` flag, and the "noisy" log level corresponds to using `-d` multiple times. • `text2pcap` and “Import from Hex Dump” support writing fake IP, TCP, UDP, and SCTP headers to files with Raw IP, Raw IPv4, and Raw IPv6 encapsulations, in addition to Ethernet encapsulation available in previous versions. • `text2pcap` supports scanning the input file using a custom regular expression, as supported in “Import from Hex Dump” in Wireshark 3.6.x. • In general, `text2pcap` and wireshark’s “Import from Hex Dump” have feature parity. • The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane. • The HTTP2 dissector now supports using fake headers to parse the DATAs of streams captured without first HEADERS frames of a long-lived stream (such as a gRPC streaming call which allows sending many request or response messages in one HTTP2 stream). Users can specify fake headers using an existing stream’s server port, stream id and direction. • The IEEE 802.11 dissector supports Mesh Connex (MCX). • The “Capture Options” dialog contains the same configuration icon as the Welcome Screen. It is now possible to configure interfaces there. • The “Extcap” dialog remembers password items during runtime, which makes it possible to run extcaps multiple times in row without having to reenter the password each time. Passwords are never stored on disk. • It is possible to set extcap passwords in `tshark` and other CLI tools. • The extcap configuration dialog now supports and remembers empty strings. There are new buttons to reset values back to their defaults. • Support to display JSON mapping for Protobuf message has been added. • macOS debugging symbols are now shipped in separate packages, similar to Windows packages. • In the ZigBee ZCL Messaging dissector the zbee_zcl_se.msg.msg_ctrl.depreciated field has been renamed to zbee_zcl_se.msg.msg_ctrl.deprecated • The interface list on the welcome page sorts active interfaces first and only displays sparklines for active interfaces. Additionally, the interfaces can now be hidden and shown via the context menu in the interface list • The Event Tracing for Windows (ETW) file reader now supports displaying IP packets from an event trace logfile or an event trace live session. • ciscodump now supports IOS, IOS-XE and ASA remote capturing Removed Features and Support • The CMake options starting with DISABLE_something were renamed ENABLE_something for consistency. For example DISABLE_WERROR=On became ENABLE_WERROR=Off. The default values are unchanged. New Protocol Support Allied Telesis Loop Detection (AT LDF), AUTOSAR I-PDU Multiplexer (AUTOSAR I-PduM), DTN Bundle Protocol Security (BPSec), DTN Bundle Protocol Version 7 (BPv7), DTN TCP Convergence Layer Protocol (TCPCL), DVB Selection Information Table (DVB SIT), Enhanced Cash Trading Interface 10.0 (XTI), Enhanced Order Book Interface 10.0 (EOBI), Enhanced Trading Interface 10.0 (ETI), FiveCo’s Legacy Register Access Protocol (5co-legacy), Generic Data Transfer Protocol (GDT), gRPC Web (gRPC-Web), Host IP Configuration Protocol (HICP), Huawei GRE bonding (GREbond), Locamation Interface Module (IDENT, CALIBRATION, SAMPLES - IM1, SAMPLES - IM2R0), Mesh Connex (MCX), Microsoft Cluster Remote Control Protocol (RCP), Open Control Protocol for OCA/AES70 (OCP.1), Protected Extensible Authentication Protocol (PEAP), Realtek, REdis Serialization Protocol v2 (RESP), Roon Discovery (RoonDisco), Secure File Transfer Protocol (sftp), Secure Host IP Configuration Protocol (SHICP), SSH File Transfer Protocol (SFTP), USB Attached SCSI (UASP), and ZBOSS Network Coprocessor product (ZB NCP) Updated Protocol Support Too many protocols have been updated to list here. New and Updated Capture File Support There is no new or updated capture file support in this release. Major API Changes • proto.h: The field display types "STR_ASCII" and "STR_UNICODE" have been removed. Use "BASE_NONE" instead. • proto.h: The field display types for floats have been extended and refactored. The type BASE_FLOAT has been removed. Use BASE_NONE instead. New display types for floats are BASE_DEC, BASE_HEX, BASE_EXP and BASE_CUSTOM. • The Wireshark Lua API now uses the lrexlib[3] bindings to PCRE2. Code using the Lua GRegex module will have to be updated to use lrexlib-pcre2 instead. In most cases the API should be compatible and the conversion just requires a module name change. • The tap registration system has been updated and the list of arguments for tap_packet_cb has changed. All taps registered through register_tap_listener have to be updated. Other Development Changes • The PCRE2 library[4] is now required to build Wireshark. • You must now have a compiler with C11 support in order to build Wireshark. • The following libraries and tools have had their minimum required version increased: • CMake 3.10 is required on macOS and Linux. • Qt version 5.12 (was 5.6.0), although compilation with 5.10 and 5.11 is still possible, but will trigger a warning during configuration. • Windows SDK 10.0.18362.0 is required due to issues with C11 support. • macOS version 10.11 to 10.14 (was 10.8) is required depending on the version of Qt: • Qt 5.10 or higher requires macOS version 10.11 • Qt 5.12 or higher requires macOS version 10.12 • Qt 5.14 or higher requires macOS version 10.13 • Qt 6.0 or higher requires macOS version 10.14 • GLib version 2.50.0 (was 2.38.0) is required. • Libgcrypt version 1.8.0 (was 1.5.0) is required. • c-ares version 1.13.0 (was 1.5.0). • Python version 3.6.0 (was 3.4.0). • GnuTLS version 3.5.8 (was 3.3.0). • Nghttp2 minimum version has been set to 1.11.0 (none previous). • Perl is no longer required to build Wireshark, but may be required to build some source code files and run code analysis checks. Getting Wireshark Wireshark source code and installation packages are available from https://www.wireshark.org/download.html. Vendor-supplied Packages Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page[5] on the Wireshark web site. File Locations Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use "Help › About Wireshark › Folders" or `tshark -G folders` to find the default locations on your system. Getting Help The User’s Guide, manual pages and various other documentation can be found at https://www.wireshark.org/docs/ Community support is available on Wireshark’s Q&A site[6] and on the wireshark-users mailing list. Subscription information and archives for all of Wireshark’s mailing lists can be found on the web site[7]. Bugs and feature requests can be reported on the issue tracker[8]. You can learn protocol analysis and meet Wireshark’s developers at SharkFest[9]. Frequently Asked Questions A complete FAQ is available on the Wireshark web site[10]. References 1. https://gitlab.com/wireshark/wireshark/-/issues/17779 2. https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDispla yFilterSection.html#_some_protocol_names_can_be_ambiguous 3. https://github.com/rrthomas/lrexlib 4. https://www.pcre.org/ 5. https://www.wireshark.org/download.html 6. https://ask.wireshark.org/ 7. https://www.wireshark.org/lists/ 8. https://gitlab.com/wireshark/wireshark/-/issues 9. https://sharkfest.wireshark.org 10. https://www.wireshark.org/faq.html Digests wireshark-4.0.0.tar.xz: 41323336 bytes SHA256(wireshark-4.0.0.tar.xz)=3dc125ef85e85c2a756a74cc739b3eb11ce38e30a08e085e77d378ee7fdcaded SHA1(wireshark-4.0.0.tar.xz)=2a495346c46dadeb405d0b89cec18fe7edc77e1a Wireshark-win64-4.0.0.exe: 78091728 bytes SHA256(Wireshark-win64-4.0.0.exe)=aa4c3ae9d50113785c83b441cfdfdf484a308aa7d37bacb5803561e4d1c12902 SHA1(Wireshark-win64-4.0.0.exe)=68a75a061db880ad0ed0b76ea37e38826c85d4e5 Wireshark-win64-4.0.0.msi: 51367936 bytes SHA256(Wireshark-win64-4.0.0.msi)=e5c5d6c2e1f3dc6a0e31fb002f740158f741eb3a8d16cba8a418858366093e3f SHA1(Wireshark-win64-4.0.0.msi)=9bbf17ed4deed17b81f411ff12732f2b2b3e497c WiresharkPortable64_4.0.0.paf.exe: 44811552 bytes SHA256(WiresharkPortable64_4.0.0.paf.exe)=c36ad45773a17330e12ad2721a5518c30f5d96f62b3dbdae9b0f1175a7e419ea SHA1(WiresharkPortable64_4.0.0.paf.exe)=8e98c7ac853e8fd7a2260133cdb43332fab1895d Wireshark 4.0.0 Arm 64.dmg: 62666456 bytes SHA256(Wireshark 4.0.0 Arm 64.dmg)=acaf18778bc0025e48ac5b8795ae8c5adcadcd662c18bd6f8a232381f0bdbc34 SHA1(Wireshark 4.0.0 Arm 64.dmg)=b054a29805b3cce5a577058e366f86400e80e2cb Wireshark 4.0.0 Intel 64.dmg: 65628576 bytes SHA256(Wireshark 4.0.0 Intel 64.dmg)=3880cd9ad35ccdb233a757461ddc8821f26be0a4771fcbc46ccd6d7adca15903 SHA1(Wireshark 4.0.0 Intel 64.dmg)=73b2ab66821a3af35181b53eff442aa140ea6ed6 You can validate these hashes using the following commands (among others): Windows: certutil -hashfile Wireshark-win64-x.y.z.exe SHA256 Linux (GNU Coreutils): sha256sum wireshark-x.y.z.tar.xz macOS: shasum -a 256 "Wireshark x.y.z Arm 64.dmg" Other: openssl sha256 wireshark-x.y.z.tar.xz
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
- Prev by Date: Re: [Wireshark-dev] DBUILD_logray=ON breaks linking
- Next by Date: [Wireshark-dev] pcap display clipping in Wireshark 4.0.0 on Win10/64
- Previous by thread: Re: [Wireshark-dev] DBUILD_logray=ON breaks linking
- Next by thread: [Wireshark-dev] pcap display clipping in Wireshark 4.0.0 on Win10/64
- Index(es):