Wireshark · Wireshark-dev: [Wireshark-dev] Re: Wireshark 4.4.0 is now available

Wireshark-dev: [Wireshark-dev] Re: Wireshark 4.4.0 is now available

From: Nyambe Given Linyotwa <linyotwa.ng@xxxxxxxxx>

Date: Mon, 16 Sep 2024 22:07:09 +0200

Thank you for the update .

Am looking forward to see what I can do with it in my current project.

Regards,

Given.

On Thu, 29 Aug 2024, 00:36 Gerald Combs, <gerald@xxxxxxxxxxxxx> wrote:

I'm proud to announce the release of Wireshark 4.4.0.

This is the first release of the 4.4 branch.

What is Wireshark?

Wireshark is the world’s most popular network protocol analyzer. It is
used for troubleshooting, analysis, development and education.

Wireshark is hosted by the Wireshark Foundation, a nonprofit which
promotes protocol analysis education. Wireshark and the foundation
depend on your contributions in order to do their work. If you or your
organization would like to contribute or become a sponsor, please
visit wiresharkfoundation.org[1].

What’s New

Many improvements and fixes to the graphing dialogs, including I/O
Graphs, Flow Graph / VoIP Calls, and TCP Stream Graphs.

Wireshark now supports automatic profile switching. You can associate
a display filter with a configuration profile, and when you open a
capture file that matches the filter, Wireshark will automatically
switch to that profile.

Support for Lua 5.3 and 5.4 has been added, and support for Lua 5.1
and 5.2 has been removed. The Windows and macOS installers now ship
with Lua 5.4.6.

Improved display filter support for value strings (optional string
representations for numeric fields).

Display filter functions can be implemented as plugins, similar to
protocol dissectors and file parsers.

Display filters can be translated to pcap filters using "Edit › Copy ›
Display filter as pcap filter" if each display filter field has a
corresponding pcap filter equivalent.

Custom columns can be defined using any valid field _expression_, such
as display filter functions, packet slices, arithmetic calculations,
logical tests, raw byte addressing, and protocol layer modifiers.

Custom output fields for `tshark -e` can also be defined using any
valid field _expression_.

Wireshark can be built with the zlib-ng instead of zlib for compressed
file support. Zlib-ng is substantially faster than zlib. The official
Windows and macOS packages include this feature.

Many other improvements have been made. See the “New and Updated
Features” section below for more details.

New and Updated Features

The following features are either new or have been significantly
updated since version 4.2.0:

• The Windows installers now ship with Npcap 1.79. They previously
shipped with Npcap 1.78.

• Improvements to the "I/O Graphs" dialog:

• A number of crasher bugs have been fixed.

• The protocol tree context menu can open a I/O graph of the
currently selected field. Issue 11362[2]

• Smaller intervals can be used, down to 1 microsecond. Issue
13682[3]

• A larger number of I/O Graph item buckets can be used, up to
2^25 (33 million) items. Issue 8460[4]

• The size of individual graph items has been reduced, which
reduces memory utilization.

• When the Y field or Y axis changes, the graph displays the new
graph correctly, retapping if necessary, instead of displaying
information based on stale data.

• The graph is smarter about choosing whether to retap
(expensive), recalculate (moderately intensive), or replot
(cheap) in order to display the newly chosen options correctly
with the least amount of calculations. For instance, a graph that
has previously been plotted and is disabled and then reenabled
without any other changes will not require a new retap. Issue
15822[5]

• LOAD graphs are graphed properly again. Issue 18450[6]

• Y axes have human readable units with SI prefixes. Issue
12827[7]

• Bar widths are scaled to the size of the interval.

• Bar border colors are a slightly darker color than that of the
graph itself, instead of always black. Issue 17422[8]

• Time values have the correct width when axes are automatically
reset.

• The precision of the interval time shown in the hint message
depends on the interval.

• The tracer follows the currently selected row on the table of
graphs, and does not appear on an invisible graph.

• The tracer moves to the frame selected in the main window.
Issue 12909[9]

• Pending graph changes are saved when changing profiles when
the I/O Graphs dialog is open.

• I/O Graph dialog windows for closed capture files are no
longer affected by changing the list of graphs (either in that
dialogs or in other dialogs for the currently open file.)

• Newly created temporary graphs, which will not be saved unless
the configuration has changed, are more clearly marked with
italics.

• When "Time of Day" is selected for a graph, the absolute time
will be saved to CSV exports instead of the relative time. Issue
13717[10]

• Graphs can be reordered by dragging and dropping their list
entries. Issue 13855[11]

• The graph layer order and legend order always matches the
order in the graph list. Legends also appear properly. Issue
13854[12]

• The legend can be moved to other corners of the graph by
right-clicking on it and selecting its new location from a menu.

• For purposes of displaying zero values, graphs with both lines
and data point symbols are treated as line graphs, not scatter
plots.

• Logarithmic ticks are used when the Y axis is logarithmic.

• The graph crosshairs context menu option works.

• You can resize the graph list columns to their contents by
right clicking on the list header. Issue 18102[13]

• The graph is more responsive to mouse movement, especially on
Linux Wayland.

• Improvements to the Sequence Diagram (Flow Graphs and VoIP
Calls):

• When exporting the graph as an image, the entire graph is
shown with up to 1000 items instead of only what was visible
on-screen. This value can be increased in the preferences. Issue
13504[14]

• Endpoints that share the same address now have two distinct
nodes with a line between them. Issue 12038[15]

• The "Comment" column can be resized by selecting the axis
between the "Comment" column and the graph and dragging, and
auto-resized by double-clicking the column. Issue 4972[16]

• Tooltips are shown for elided comments.

• The scroll direction via keyboard is no longer reversed. Issue
12932[17]

• The column widths are fixed instead of resizing slightly
depending on the visible entries. Issue 12931[18]

• The Y axis labels stay in the correct position without having
to click the Reset button.

• The progress bar appears correctly in the Flow Graph (non VoIP
Calls).

• The behavior of the "Any" and "Network" combobox is corrected.
Issue 19818[19]

• "Limit to Display Filter" is checked if a display filter is
applied when the Flow Graph is opened, per the documentation.

• TCP Stream Graphs:

• A better decision is made about which side is the server and
thus the initially chosen direction in the graph.

• The "Window Scaling" graph axis labels are corrected and show
both graphs.

• The graph crosshairs context menu option works.

• Switching between relative and absolute sequence numbers works
again.

• The "Follow Stream" dialog can now show delta times between turns
and all packets and events.

• A number of graphs using the QCustomPlot widget ("I/O Graphs",
"Flow Graph", "TCP Stream Graphs", and "RTP Player") are more
responsive to mouse movement, especially on Linux when Wayland is
used.

• The "Find Packet" dialog can search backwards and find additional
occurrences of a string, hex value, or regular _expression_ in a
single frame.

• When using "Go To Packet" with an undisplayed frame, the window
goes to nearest displayed frame by number. Issue 2988[20]

• Display filter syntax enhancements:

• Better handling of comparisons with value strings. Now the
display filter engine can correctly handle cases where multiple
different numeric values map to the same value string, including
but not limited to range-type value strings.

• Fields with value strings now support regular _expression_
matching.

• Date and time values now support arithmetic, with some
restrictions: the multiplier/divisor must be an integer or
floating point number and appear on the right-hand side of the
operator.

• The keyword "bitand" can be used as an alternative syntax for
the bitwise-and operator.

• Functions alone can now be used as an entire logical
_expression_. The result of the _expression_ is the truthiness of the
function return value (or of all values if more than one). This
is useful for example to write "len(something)" instead of
"len(something) != 0". Even more so if a function returns itself
a boolean value, it is now possible to write
"bool_test(some.field)" instead of having to write
"bool_test(some.field) == True". Both forms are now valid.

• Display filter references can be written without curly braces.
It is now possible to write `$frame.number` instead of
`${frame.number}` for example.

• There are new display filter functions which test various IP
address properties. Check the wireshark-filter[21](5) man page
for more information.

• There are new display filter functions which convert unsigned
integer types to decimal or hexadecimal, and convert fields with
value strings into the associated string for their value, which
can be used to produce results similar to custom columns. Check
the wireshark-filter[22](5) man page for more information.

• Display filter macros can be written with a semicolon after
the macro name before the argument list, e.g.
`${mymacro;arg1;…;argN}`, instead of `${mymacro:arg1;…;argN}`.
The version with semicolons works better with pop-up suggestions
when editing the display filter, so the version with the colon
might be removed in the future.

• Display filter macros can be written using a function-like
notation. The macro `${mymacro:arg1;…;argN}` can be written
`$mymacro(arg1,…,argN)`.

• AX.25 addresses are now filtered using the "CALLSIGN-SSID"
string syntax. Filtering based on the raw bytes values is still
possible, like other field types, with the `@` operator. Issue
17973[23]

• Display filter functions can be implemented as libwireshark
plugins. Plugins are loaded during startup from the usual binary
plugin configuration directories. See the `ipaddr.c` source file
in the distribution for an example of a display filter C plugin
and the doc/plugins.example folder for generic instructions how
to build a plugin.

• Display filter autocompletions now also include display filter
functions.

• The display filter macro configuration file has changed format.
It now uses the same format as the "dfilters" file and has been
renamed accordingly to "dmacros". Internally it no longer uses
the UAT API and the display filter macro GUI dialog has been
updated. There is some basic migration logic implemented but it
is advisable to check that the "dfilter_macros" (old) and
"dmacros" (new) files in the profile directory are consistent.

• Custom columns can be defined using any valid field _expression_:

• Display filter functions, like `len(tcp.payload)`, including
nested functions like `min(len(tcp.payload), len(udp.payload))`
and newly defined functions using the plugin system mentioned
above. Issue 15990[24] Issue 16181[25]

• Arithmetic calculations, like `ip.len * 8` or `tcp.srcport +
tcp.dstport`. Issue 7752[26]

• Slices, like `tcp.payload[4:4]`. Issue 10154[27]

• The layer operator, like `ip.proto#1`, which will return the
protocol field in the first IPv4 layer if there is tunneling.
Issue 18588[28]

• Raw byte addressing, like `@ip`, which will return the bytes
of protocol or FT_NONE fields, among others. Issue 19076[29]

• Logical tests, like `tcp.port == 443`, which produce a check
mark if the test matches (similar to protocol and FT_NONE fields
without `@`.) This works with all logical operators, including
e.g. regular _expression_ matching (`matches` or `~`.)

• Defined display filter macros.

• Any combination of the above also works.

• Multifield columns are still available. For backwards
compatibility, `X or Y` is interpreted as a multifield column as
before. To represent a logical test for the presence of multiple
fields instead of concatenating values, use parenthesis, e.g.
`(tcp.options.timestamp or tcp.options.nop)`.

• Field references are not implemented because there’s no sense
of a currently selected frame. "Resolved" column values (such as
host name resolution or value string lookup) are not supported
for any of the new expressions yet.

• Custom output fields for `tshark -e <field>` can also be defined
using any valid field _expression_ as above.

• For custom output fields, `X or Y` is the usual logical test;
to output multiple fields use multiple `-e` terms as before.

• The various `-E` options, including `-E occurrence`, all work
as expected.

• When selecting "Manage Interfaces" from "Capture Options",
Wireshark only attempts to reconnect to rpcap hosts that were
active in the last session, instead of every remote host that the
current profile has ever connected to. Issue 17484[30]

• The "Resolved Addresses" dialog only shows what addresses and
ports are present in the file (not including information from
static files), and selected rows or the entire table can be saved
or copied to the clipboard in several formats. Issue 16419[31]

• Dumpcap and Wireshark support the `-F` option when capturing a
file on the command line. Issue 18009[32]

• When capturing on the command line dumpcap accepts a `-Q` option
that is quieter than `-q` and prints only errors to standard
error, similar to tshark. Issue 14491[33]

• When capturing a file and requesting the `pcap` format,
nanosecond resolution time stamps will be written if the device
and version of libpcap supports it.

• When capturing using a file size autostop or ring buffer
condition, the maximum value is now 2 TB, up from 2GiB. Note that
you may have problems when the number of packets gets larger than
2^31 or 2^32, though that is also true when no limit is set.

• When capturing files in multiple file mode, a pattern that places
the date and time before the index number can be used (e.g.,
foo_20240714110102_00001.pcap instead of
foo_00001_20240714110102.pcap). This makes file names sortable in
chronological order across file sets from different captures. The
"File Set" dialog has been updated to handle the new pattern,
which has been capable of being produced by tshark since version
3.6.0.

• Adding interfaces at startup is about twice as fast, and has many
fewer UAC pop-ups when Npcap is installed with access restricted
to Administrators on Windows.

• The Lua version included with the Windows and macOS installers
has been updated to 5.4. While we have tried to help with
backward compatibility by including lua_bitop library with Lua
5.3 and 5.4 in addition to the native Lua support for bit
operations present in those versions, different versions of Lua
are not guaranteed to be compatible. If a Lua dissector has
issues, check the manuals for Lua 5.4[34], Lua 5.3[35], and Lua
5.2[36] for incompatibilities and suggested workarounds. Note
that features marked as deprecated in one version are removed in
the subsequent version without additional notice, so it can be
worth checking the manual for previous versions.

• Lua scripts in the plugins directories are now initially loaded
via the same internal Lua methods as `require()`. This avoids
errors from loading plugins twice, once by scanning the directory
initially, and once by `require()`, and also results in globals
defined in plugins entering the global namespace. Previously
globals defined in plugins only entered the global namespace when
placed in the global plugins directory, but not the personal
plugins directory. Using globals in plugins remains deprecated
style (both by Wireshark and in Lua generally), that should be
avoided via using other methods. Issue 18589[37]

• Lua functions have been added to decompress and decode TvbRanges
with other compression types besides zlib, such as Brotli,
Snappy, Zstd, and others, matching the support in the C API.
tvbrange:uncompress() has been deprecated in favor of
tvbrange:uncompress_zlib().

• Lua Dumper now defaults to the pcapng file type, and to
per-packet encapsulation (creating interfaces on demand as
necessary) when writing pcapng Issue 16403[38]

• Editcap has an `--extract-secrets` option to extract embedded
decryption secrets from a capture file. Issue 18197[39]

• Global profiles can be used in tshark by using `--global-profile`
option.

• Capture files can be saved with LZ4 compression. LZ4 has an
emphasis on speed and may be particularly useful for large files.

• Fast random access is supported with LZ4 compressed files when
compressed with independent blocks, which is the default. This
provides much more responsive GUI performance when jumping to
different packets. Fast random access has been supported with
gzip compressed files since version 1.8.0, but this is not
supported for Zstd compressed files.

• Mergecap, Editcap, TShark and Text2pcap have an `--compress`
option to compress output to different formats. For now, it
supports the gzip and LZ4 compression formats. When the option is
not given, the desired compression format can also be deduced
from the output filename extension, e.g. gzip for .gz.

• Wireshark’s Git repostory tags are now signed using SSH. See the
Developer’s Guide[40] for more details.

Removed Features and Support

• The tshark `-G` option with no argument is deprecated and will be
removed in a future version. Use `tshark -G fields` to produce
the same report.

Removed Dissectors

The Parlay dissector has been removed.

New Protocol Support

Allied Telesis Resiliency Link (AT RL), ATN Security Label, Bit Index
Explicit Replication (BIER), Bus Mirroring Protocol, EGNOS Message
Server (EMS) file format, Galileo E1-B I/NAV navigation messages, IBM
i RDMA Endpoint (iRDMA-EDP), IWBEMSERVICES, MAC NR Framed
(mac-nr-framed), Matter Bluetooth Transport Protocol (MatterBTP),
MiWi P2P Star, Monero, NMEA 0183, PLDM, RDP authentication
redirection virtual channel protocol (rdpear), RF4CE Network Layer
(RF4CE), RF4CE Profile (RF4CE Profile), RK512, SAP Remote Function
Call (SAPRFC), SBAS L1 Navigation Message, Scanner Access Now Easy
(SANE), TREL, WMIO, and ZeroMQ Message Transport Protocol (ZMTP)

Updated Protocol Support

IPv6: The "show address detail" preference is now enabled by default.
The address details provided have been extended to include more
special purpose address block properties (forwardable,
globally-routable, etc).

Too many other protocol updates have been made to list them all here.

New and Updated Capture File Support

EGNOS Messager Server (EMS) files

New and Updated Capture Interfaces support

u-blox GNSS receivers

Major API Changes

• The entire code base has been updated to use C99 types instead of
GLib types. This includes changing occurrences `gboolean`, which
is an integer, to C99’s native `bool` type in many places. See
issue 19116[41] for more details.

• The `tvb_get_guintX` and `tvb_get_gintX` functions in the tvbuff
API have been renamed to `tvb_get_uintX` and `tvb_get_intX` (the
GLib-style "g" has been removed). You can still use the old-style
names, but they have been deprecated.

• Plugins should provide a `plugin_describe()` function that
returns an ORed list of flags consisting of the plugin types
used. See wsutil/plugins.h for details.

Getting Wireshark

Wireshark source code and installation packages are available from
https://www.wireshark.org/download.html.

Vendor-supplied Packages

Most Linux and Unix vendors supply their own Wireshark packages. You
can usually install or upgrade Wireshark using the package management
system specific to that platform. A list of third-party packages can
be found on the download page[42] on the Wireshark web site.

File Locations

Wireshark and TShark look in several different locations for
preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
locations vary from platform to platform. You can use "Help › About
Wireshark › Folders" or `tshark -G folders` to find the default
locations on your system.

Getting Help

The User’s Guide, manual pages and various other documentation can be
found at https://www.wireshark.org/docs/

Community support is available on Wireshark’s Q&A site[43] and on the
wireshark-users mailing list. Subscription information and archives
for all of Wireshark’s mailing lists can be found on the mailing list
site[44].

Bugs and feature requests can be reported on the issue tracker[45].

You can learn protocol analysis and meet Wireshark’s developers at
SharkFest[46].

How You Can Help

The Wireshark Foundation helps as many people as possible understand
their networks as much as possible. You can find out more and donate
at wiresharkfoundation.org[47].

Frequently Asked Questions

A complete FAQ is available on the Wireshark web site[48].

References

1. https://wiresharkfoundation.org
2. https://gitlab.com/wireshark/wireshark/-/issues/11362
3. https://gitlab.com/wireshark/wireshark/-/issues/13682
4. https://gitlab.com/wireshark/wireshark/-/issues/8460
5. https://gitlab.com/wireshark/wireshark/-/issues/15822
6. https://gitlab.com/wireshark/wireshark/-/issues/18450
7. https://gitlab.com/wireshark/wireshark/-/issues/12827
8. https://gitlab.com/wireshark/wireshark/-/issues/17422
9. https://gitlab.com/wireshark/wireshark/-/issues/12909
10. https://gitlab.com/wireshark/wireshark/-/issues/13717
11. https://gitlab.com/wireshark/wireshark/-/issues/13855
12. https://gitlab.com/wireshark/wireshark/-/issues/13854
13. https://gitlab.com/wireshark/wireshark/-/issues/18102
14. https://gitlab.com/wireshark/wireshark/-/issues/13504
15. https://gitlab.com/wireshark/wireshark/-/issues/12038
16. https://gitlab.com/wireshark/wireshark/-/issues/4972
17. https://gitlab.com/wireshark/wireshark/-/issues/12932
18. https://gitlab.com/wireshark/wireshark/-/issues/12931
19. https://gitlab.com/wireshark/wireshark/-/issues/19818
20. https://gitlab.com/wireshark/wireshark/-/issues/2988
21. https://www.wireshark.org/docs/man-pages/wireshark-filter.html
22. https://www.wireshark.org/docs/man-pages/wireshark-filter.html
23. https://gitlab.com/wireshark/wireshark/-/issues/17973
24. https://gitlab.com/wireshark/wireshark/-/issues/15990
25. https://gitlab.com/wireshark/wireshark/-/issues/16181
26. https://gitlab.com/wireshark/wireshark/-/issues/7752
27. https://gitlab.com/wireshark/wireshark/-/issues/10154
28. https://gitlab.com/wireshark/wireshark/-/issues/18588
29. https://gitlab.com/wireshark/wireshark/-/issues/19076
30. https://gitlab.com/wireshark/wireshark/-/issues/17484
31. https://gitlab.com/wireshark/wireshark/-/issues/16419
32. https://gitlab.com/wireshark/wireshark/-/issues/18009
33. https://gitlab.com/wireshark/wireshark/-/issues/14491
34. https://www.lua.org/manual/5.4/manual.html#8
35. https://www.lua.org/manual/5.3/manual.html#8
36. https://www.lua.org/manual/5.2/manual.html#8
37. https://gitlab.com/wireshark/wireshark/-/issues/18589
38. https://gitlab.com/wireshark/wireshark/-/issues/16403
39. https://gitlab.com/wireshark/wireshark/-/issues/18197
40. https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcGitRepositor
y.html#ChSrcWebInterface
41. https://gitlab.com/wireshark/wireshark/-/issues/19116
42. https://www.wireshark.org/download.html
43. https://ask.wireshark.org/
44. https://lists.wireshark.org/lists/
45. https://gitlab.com/wireshark/wireshark/-/issues
46. https://sharkfest.wireshark.org
47. https://wiresharkfoundation.org
48. https://www.wireshark.org/faq.html

Digests

wireshark-4.4.0.tar.xz: 46786568 bytes
SHA256(wireshark-4.4.0.tar.xz)=ead5cdcc08529a2e7ce291e01defc3b0f8831ba24c938db0762b1ebc59c71269
SHA1(wireshark-4.4.0.tar.xz)=4869b9fbfab3f1b02801a38f83ef8f6f740f9277

Wireshark-4.4.0-x64.exe: 87262448 bytes
SHA256(Wireshark-4.4.0-x64.exe)=f635e68ef536fe85b2c0d5ac12a1197ba015cacc0c866c1995ae75b2b5d957fd
SHA1(Wireshark-4.4.0-x64.exe)=22ffbb76ea80bcd35cc4d5153d85ed4e493f7dcf

Wireshark-4.4.0-arm64.exe: 68671040 bytes
SHA256(Wireshark-4.4.0-arm64.exe)=c6dd8e0300fd3b12ba56184e0f9e2c6b91861e73f795d80e4fddb748390bd83f
SHA1(Wireshark-4.4.0-arm64.exe)=36ddd3ef612fb739df33ae01ea95dd8810932e7b

Wireshark-4.4.0-x64.msi: 63766528 bytes
SHA256(Wireshark-4.4.0-x64.msi)=6518c93481d2269d04158c7a632ddf912e6eb332b0e4da4fd247d6e0e3d7d363
SHA1(Wireshark-4.4.0-x64.msi)=ac73a59b92d7f4f9c9d01d26145dd081a4d90773

WiresharkPortable64_4.4.0.paf.exe: 73410312 bytes
SHA256(WiresharkPortable64_4.4.0.paf.exe)=01fef28f7896da47f552ac859954bb086291006b0424a70b0d30689af2354da7
SHA1(WiresharkPortable64_4.4.0.paf.exe)=3acc608ef3bf66241b86b6111e5e7023a1ae6ce9

Wireshark 4.4.0 Arm 64.dmg: 65304242 bytes
SHA256(Wireshark 4.4.0 Arm 64.dmg)=13349959456d29b9b5d2214ba7bfd8d88016f5ac24bf5a7a5a4945ff46584a29
SHA1(Wireshark 4.4.0 Arm 64.dmg)=781f76c7216f8bf06697ddf49b23d18607b23191

Wireshark 4.4.0 Intel 64.dmg: 68727761 bytes
SHA256(Wireshark 4.4.0 Intel 64.dmg)=edb07ee6afbce6b5231d08b301bab31c0ba6c31f7277f1a74bd370ec59369ef7
SHA1(Wireshark 4.4.0 Intel 64.dmg)=c5300f53d02f14f1f2415a3d35409d8dd65fcec2

You can validate these hashes using the following commands (among others):

Windows: certutil -hashfile Wireshark-win64-x.y.z.exe SHA256
Linux (GNU Coreutils): sha256sum wireshark-x.y.z.tar.xz
macOS: shasum -a 256 "Wireshark x.y.z Arm 64.dmg"
Other: openssl sha256 wireshark-x.y.z.tar.xz
_______________________________________________
Wireshark-dev mailing list -- wireshark-dev@xxxxxxxxxxxxx
To unsubscribe send an email to wireshark-dev-leave@xxxxxxxxxxxxx

Prev by Date: [no subject]
Next by Date: [Wireshark-dev] Re: Latest Protocol dissectors
Previous by thread: [no subject]
Next by thread: [Wireshark-dev] Re: Latest Protocol dissectors
Index(es):
- Date
- Thread