Wireshark · Wireshark-dev: [Wireshark-dev] Wireshark 4.4.4 is now available

Wireshark-dev: [Wireshark-dev] Wireshark 4.4.4 is now available

From: Gerald Combs <gerald@xxxxxxxxxxxxx>

Date: Wed, 19 Feb 2025 12:53:13 -0800

I'm proud to announce the release of Wireshark 4.4.4.

What is Wireshark?

Wireshark is the world’s most popular network protocol analyzer. It is
used for troubleshooting, analysis, development and education.

Wireshark is hosted by the Wireshark Foundation, a nonprofit which
promotes protocol analysis education. Wireshark and the foundation
depend on your contributions in order to do their work. If you or your
organization would like to contribute or become a sponsor, please
visit wiresharkfoundation.org[1].

What’s New

Bug Fixes

The following vulnerabilities have been fixed:

• wnpa-sec-2025-01[2] Bundle Protocol and CBOR dissector
crash. Issue 20373[3].

The following bugs have been fixed:

• Crash when sorting columns during capture with display filter
active. Issue 20263[4].

• OSS-Fuzz 384757274: Invalid-bool-value in dissect_tcp. Issue
20300[5].

• Test failure in 4.4.2/4.4.3: test_sharkd_req_follow_http2. Issue
20330[6].

• Regression in extcap interface toolbar. Issue 20354[7].

• Clicking outside columns in TCP tab of Statistics → Conversations
window causes crash. Issue 20357[8].

• FTBFS with Ubuntu development (25.04) release. Issue 20359[9].

• DNS enable_qname_stats crash Wireshark when QDCOUNT == 0. Issue
20367[10].

• Windows: Android extcap plugin fails with "Broken socket
connection" if there are no new packets for 2sec. Issue
20386[11].

• TECMP: Calculation of lifecycle start in Status message is wrong.
Issue 20387[12].

• MQTT v5.0 properties total length presentation is incorrect.
Issue 20389[13].

• TShark doesn’t resolve addresses in custom "hosts" files. Issue
20391[14].

• Incorrect JA4 fingerprint with empty ciphers. Issue 20394[15].

New and Updated Features

New Protocol Support

There are no new protocols in this release.

Updated Protocol Support

CESoETH, DNS, IEEE 1609.2, ISOBUS, ITS, MPLS, MQTT, PDU Transport,
RTP, TCP, TECMP, WebSocket, and WSMP

New and Updated Capture File Support

CLLog, EMS, and ERF

Updated File Format Decoding Support

There is no updated file format support in this release.

Prior Versions

Wireshark 4.4.3 included the following changes. See the release
notes[16] for details:

• Potential mis-match in GSM MAP dissector for uncertainty radius
and its filter key. Issue 20247[17].

• Macro eNodeB ID and Extended Macro eNodeB ID not decoded by User
Location Information. Issue 20276[18].

• The NFSv2 Dissector appears to be swapping Character Special File
and Directory in mode decoding. Issue 20290[19].

• CMake discovers Strawberry Perl’s zlib DLL when it shouldn’t.
Issue 20304[20].

• VOIP Calls call flow displaying hours. Issue 20311[21].

• Fuzz job issue: fuzz-2024-12-26-7898.pcap. Issue 20313[22].

• sFlow: Incorrect length passed to header sample dissector. Issue
20320[23].

• wsutil: Should link against -lm due to missing fabs() when built
with -fno-builtin. Issue 20326[24].

Wireshark 4.4.2 included the following changes. See the release
notes[25] for details:

• wnpa-sec-2024-14[26] FiveCo RAP dissector infinite loop. Issue
20176[27].

• wnpa-sec-2024-15[28] ECMP dissector crash. Issue 20214[29].

• CIP I/O is not detected by "enip" filter anymore. Issue 19517[30].

• Fuzz job issue: fuzz-2024-09-03-7550.pcap. Issue 20041[31].

• OSS-Fuzz 71476: wireshark:fuzzshark_ip_proto-udp:
Index-out-of-bounds in DOFObjectID_Create_Unmarshal. Issue
20065[32].

• JA4_c hashes an empty field to e3b0c44298fc when it should be
000000000000. Issue 20066[33].

• Opening Wireshark 4.4.0 on macOS 15.0 disconnects iPhone
Mirroring. Issue 20082[34].

• PTP analysis loses track of message associations in case of
sequence number resets. Issue 20099[35].

• USB CCID: response packet in case SetParameters command is
unsupported is flagged as malformed. Issue 20107[36].

• dumpcap crashes when run from TShark with a capture filter. Issue
20108[37].

• SRT dissector: The StreamID (SID) in the handshake extension is
displayed without regarding the control characters and with NUL as
terminating. Issue 20113[38].

• Ghost error message on POP3 packets. Issue 20124[39].

• Building against c-ares 1.34 fails. Issue 20125[40].

• D-Bus is not optional anymore. Issue 20126[41].

• macOS Intel DMGs aren’t fully notarized. Issue 20129[42].

• Incorrect name for MLD Capabilities and Operations Present flag in
dissection of MLD Capabilities for MLO wifi-7 capture. Issue
20134[43].

• CQL Malformed Packet v4 S → C Type RESULT: Prepared[Malformed
Packet] Issue 20142[44].

• Wi-Fi: 256 Block Ack (BA) is not parsed properly. Issue 20156[45].

• BACnet ReadPropertyMultiple request Maximum allowed recursion
depth reached. Issue 20159[46].

• Statistics→I/O Graph crashes when using simple moving average.
Issue 20163[47].

• HTTP2 body decompression fails on DATA with a single padded frame.
Issue 20167[48].

• Compiler warning for ui/tap-rtp-common.c (ignoring return value)
Issue 20169[49].

• SIP dissector bug due to "be-route" param in VIA header. Issue
20173[50].

• Coredump after trying to open 'Follow TCP stream' Issue 20174[51].

• Protobuf JSON mapping error. Issue 20182[52].

• Display filter "!stp.pvst.origvlan in { vlan.id }" causes a crash
(Version 4.4.1) Issue 20183[53].

• Extcap plugins shipped with Wireshark Portable are not found in
version 4.4.1. Issue 20184[54].

• IEEE 802.11be: Wrong regulatory info in HE Operation IE in Beacon
frame. Issue 20187[55].

• Wireshark 4.4.1 does not decode RTCP packets. Issue 20188[56].

• Qt: Display filter sub-menu can only be opened on the triangle,
not the full name. Issue 20190[57].

• Qt: Changing the display filter does not update the Conversations
or Endpoints dialogs. Issue 20191[58].

• MODBUS Dissector bug. Issue 20192[59].

• Modbus dissector bug - Field Occurence and Layer Operator
modbus.bitval field. Issue 20193[60].

• Wireshark crashes when a field is dragged from packet details
towards the find input. Issue 20204[61].

• Lua DissectorTable("") : set ("10,11") unexpected behavior in
locales with comma as decimal separator. Issue 20216[62].

The TCP dissector no longer falls back to using the client port as a
criterion for selecting a payload dissector when the server port does
not select a payload dissector (except for port 20, active FTP). This
behavior can be changed using the "Client port dissectors" preference.

Display filters now correctly handle floating point conversion errors.

The Lua API now has better support for comma-separated ranges in
different locales.

Wireshark 4.4.1 included the following changes. See the release
notes[63] for details:

• wnpa-sec-2024-12[64] ITS dissector crash. Issue 20026[65].

• wnpa-sec-2024-13[66] AppleTalk and RELOAD Framing dissector
crashes. Issue 20114[67].

• Refresh interface during live-capture leads to corrupt interface
handling. Issue 11176[68].

• Media type "application/octet-stream" registered for both Thread
and UASIP. Issue 14729[69].

• Extcap toolbar stops working when new interface is added. Issue
19854[70].

• Decoding error ITS CPM version 2.1.1. Issue 19886[71].

• Build error in 4.3.0: sync_pipe_run_command_actual error: argument
2 is null but the corresponding size argument 3 value is 512004
[-Werror=nonnull] Issue 19930[72].

• html2text.py doesn’t handle the `<sup>` tag. Issue 20020[73].

• Incorrect NetFlow v8 TOS AS aggregation dissection. Issue
20021[74].

• The Windows packages don’t ship with the IP address plugin. Issue
20030[75].

• O_PATH is Linux-and-FreeBSD-specific. Issue 20031[76].

• Wireshark 4.4.0 doesn’t install USBcap USBcapCMD.exe in the
correct directory. Issue 20040[77].

• OER dissector is not considering the preamble if ASN.1 SEQUENCE
definition includes extension marker but no OPTIONAL items. Issue
20044[78].

• Bluetooth classic L2CAP incorrect dissection with connectionless
reception channel. Issue 20047[79].

• Profile auto switch filters : Grayed Display Filter Expression
dialog box when opened from Configuration Profiles dialog box.
Issue 20049[80].

• Wireshark 4.4.0 / macOS 14.6.1 wifi if monitor mode. Issue
20051[81].

• TECMP Data Type passes too much data to sub dissectors. Issue
20052[82].

• Wireshark and tshark 4.4.0 ignore extcap options specified on the
command line. Issue 20054[83].

• Cannot open release notes due to incorrect path with duplicated
directory components. Issue 20055[84].

• Unable to open "Release Notes" from the "Help" menu. Issue
20056[85].

• No capture interfaces if Wireshark is started from command line
with certain paths. Issue 20057[86].

• Wireshark 4.4.0 extcap path change breaks third party extcap
installers. Issue 20069[87].

• Fuzz job UTF-8 encoding issue: fuzz-2024-09-10-7618.pcap. Issue
20071[88].

• Unable to create larger files than 99 size units. Issue 20079[89].

• Opening Wireshark 4.4.0 on macOS 15.0 disconnects iPhone
Mirroring. Issue 20082[90].

• PRP trailer not shown for L2 IEC 61850 GOOSE packets in 4.4.0 (was
working in 4.2.7) Issue 20088[91].

• GUI lags because NetworkManager keeps turning 802.11 monitor mode
off. Issue 20090[92].

• Error while getting Bluetooth application process id by <shell:ps
-A | grep com.*android.bluetooth> Issue 20100[93].

• Fuzz job assertion: randpkt-2024-10-05-7200.pcap. Issue 20110[94].

Wireshark 4.4.0 included the following changes. See the release
notes[95] for details:

Many improvements and fixes to the graphing dialogs, including I/O
Graphs, Flow Graph / VoIP Calls, and TCP Stream Graphs.

Wireshark now supports automatic profile switching. You can associate
a display filter with a configuration profile, and when you open a
capture file that matches the filter, Wireshark will automatically
switch to that profile.

Support for Lua 5.3 and 5.4 has been added, and support for Lua 5.1
and 5.2 has been removed. The Windows and macOS installers now ship
with Lua 5.4.6.

Improved display filter support for value strings (optional string
representations for numeric fields).

Display filter functions can be implemented as plugins, similar to
protocol dissectors and file parsers.

Display filters can be translated to pcap filters using "Edit › Copy ›
Display filter as pcap filter" if each display filter field has a
corresponding pcap filter equivalent.

Custom columns can be defined using any valid field expression, such
as display filter functions, packet slices, arithmetic calculations,
logical tests, raw byte addressing, and protocol layer modifiers.

Custom output fields for `tshark -e` can also be defined using any
valid field expression.

Wireshark can be built with the zlib-ng instead of zlib for compressed
file support. Zlib-ng is substantially faster than zlib. The official
Windows and macOS packages include this feature.

Getting Wireshark

Wireshark source code and installation packages are available from
https://www.wireshark.org/download.html.

Vendor-supplied Packages

Most Linux and Unix vendors supply their own Wireshark packages. You
can usually install or upgrade Wireshark using the package management
system specific to that platform. A list of third-party packages can
be found on the download page[96] on the Wireshark web site.

File Locations

Wireshark and TShark look in several different locations for
preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
locations vary from platform to platform. You can use "Help › About
Wireshark › Folders" or `tshark -G folders` to find the default
locations on your system.

Getting Help

The User’s Guide, manual pages and various other documentation can be
found at https://www.wireshark.org/docs/

Community support is available on Wireshark’s Q&A site[97] and on the
wireshark-users mailing list. Subscription information and archives
for all of Wireshark’s mailing lists can be found on the mailing list
site[98].

Bugs and feature requests can be reported on the issue tracker[99].

You can learn protocol analysis and meet Wireshark’s developers at
SharkFest[100].

How You Can Help

The Wireshark Foundation helps as many people as possible understand
their networks as much as possible. You can find out more and donate
at wiresharkfoundation.org[101].

Frequently Asked Questions

A complete FAQ is available on the Wireshark web site[102].

References

1. https://wiresharkfoundation.org
2. https://www.wireshark.org/security/wnpa-sec-2025-01
3. https://gitlab.com/wireshark/wireshark/-/issues/20373
4. https://gitlab.com/wireshark/wireshark/-/issues/20263
5. https://gitlab.com/wireshark/wireshark/-/issues/20300
6. https://gitlab.com/wireshark/wireshark/-/issues/20330
7. https://gitlab.com/wireshark/wireshark/-/issues/20354
8. https://gitlab.com/wireshark/wireshark/-/issues/20357
9. https://gitlab.com/wireshark/wireshark/-/issues/20359
10. https://gitlab.com/wireshark/wireshark/-/issues/20367
11. https://gitlab.com/wireshark/wireshark/-/issues/20386
12. https://gitlab.com/wireshark/wireshark/-/issues/20387
13. https://gitlab.com/wireshark/wireshark/-/issues/20389
14. https://gitlab.com/wireshark/wireshark/-/issues/20391
15. https://gitlab.com/wireshark/wireshark/-/issues/20394
16. https://www.wireshark.org/docs/relnotes/wireshark-4.4.3.html
17. https://gitlab.com/wireshark/wireshark/-/issues/20247
18. https://gitlab.com/wireshark/wireshark/-/issues/20276
19. https://gitlab.com/wireshark/wireshark/-/issues/20290
20. https://gitlab.com/wireshark/wireshark/-/issues/20304
21. https://gitlab.com/wireshark/wireshark/-/issues/20311
22. https://gitlab.com/wireshark/wireshark/-/issues/20313
23. https://gitlab.com/wireshark/wireshark/-/issues/20320
24. https://gitlab.com/wireshark/wireshark/-/issues/20326
25. https://www.wireshark.org/docs/relnotes/wireshark-4.4.2.html
26. https://www.wireshark.org/security/wnpa-sec-2024-14
27. https://gitlab.com/wireshark/wireshark/-/issues/20176
28. https://www.wireshark.org/security/wnpa-sec-2024-15
29. https://gitlab.com/wireshark/wireshark/-/issues/20214
30. https://gitlab.com/wireshark/wireshark/-/issues/19517
31. https://gitlab.com/wireshark/wireshark/-/issues/20041
32. https://gitlab.com/wireshark/wireshark/-/issues/20065
33. https://gitlab.com/wireshark/wireshark/-/issues/20066
34. https://gitlab.com/wireshark/wireshark/-/issues/20082
35. https://gitlab.com/wireshark/wireshark/-/issues/20099
36. https://gitlab.com/wireshark/wireshark/-/issues/20107
37. https://gitlab.com/wireshark/wireshark/-/issues/20108
38. https://gitlab.com/wireshark/wireshark/-/issues/20113
39. https://gitlab.com/wireshark/wireshark/-/issues/20124
40. https://gitlab.com/wireshark/wireshark/-/issues/20125
41. https://gitlab.com/wireshark/wireshark/-/issues/20126
42. https://gitlab.com/wireshark/wireshark/-/issues/20129
43. https://gitlab.com/wireshark/wireshark/-/issues/20134
44. https://gitlab.com/wireshark/wireshark/-/issues/20142
45. https://gitlab.com/wireshark/wireshark/-/issues/20156
46. https://gitlab.com/wireshark/wireshark/-/issues/20159
47. https://gitlab.com/wireshark/wireshark/-/issues/20163
48. https://gitlab.com/wireshark/wireshark/-/issues/20167
49. https://gitlab.com/wireshark/wireshark/-/issues/20169
50. https://gitlab.com/wireshark/wireshark/-/issues/20173
51. https://gitlab.com/wireshark/wireshark/-/issues/20174
52. https://gitlab.com/wireshark/wireshark/-/issues/20182
53. https://gitlab.com/wireshark/wireshark/-/issues/20183
54. https://gitlab.com/wireshark/wireshark/-/issues/20184
55. https://gitlab.com/wireshark/wireshark/-/issues/20187
56. https://gitlab.com/wireshark/wireshark/-/issues/20188
57. https://gitlab.com/wireshark/wireshark/-/issues/20190
58. https://gitlab.com/wireshark/wireshark/-/issues/20191
59. https://gitlab.com/wireshark/wireshark/-/issues/20192
60. https://gitlab.com/wireshark/wireshark/-/issues/20193
61. https://gitlab.com/wireshark/wireshark/-/issues/20204
62. https://gitlab.com/wireshark/wireshark/-/issues/20216
63. https://www.wireshark.org/docs/relnotes/wireshark-4.4.1.html
64. https://www.wireshark.org/security/wnpa-sec-2024-12
65. https://gitlab.com/wireshark/wireshark/-/issues/20026
66. https://www.wireshark.org/security/wnpa-sec-2024-13
67. https://gitlab.com/wireshark/wireshark/-/issues/20114
68. https://gitlab.com/wireshark/wireshark/-/issues/11176
69. https://gitlab.com/wireshark/wireshark/-/issues/14729
70. https://gitlab.com/wireshark/wireshark/-/issues/19854
71. https://gitlab.com/wireshark/wireshark/-/issues/19886
72. https://gitlab.com/wireshark/wireshark/-/issues/19930
73. https://gitlab.com/wireshark/wireshark/-/issues/20020
74. https://gitlab.com/wireshark/wireshark/-/issues/20021
75. https://gitlab.com/wireshark/wireshark/-/issues/20030
76. https://gitlab.com/wireshark/wireshark/-/issues/20031
77. https://gitlab.com/wireshark/wireshark/-/issues/20040
78. https://gitlab.com/wireshark/wireshark/-/issues/20044
79. https://gitlab.com/wireshark/wireshark/-/issues/20047
80. https://gitlab.com/wireshark/wireshark/-/issues/20049
81. https://gitlab.com/wireshark/wireshark/-/issues/20051
82. https://gitlab.com/wireshark/wireshark/-/issues/20052
83. https://gitlab.com/wireshark/wireshark/-/issues/20054
84. https://gitlab.com/wireshark/wireshark/-/issues/20055
85. https://gitlab.com/wireshark/wireshark/-/issues/20056
86. https://gitlab.com/wireshark/wireshark/-/issues/20057
87. https://gitlab.com/wireshark/wireshark/-/issues/20069
88. https://gitlab.com/wireshark/wireshark/-/issues/20071
89. https://gitlab.com/wireshark/wireshark/-/issues/20079
90. https://gitlab.com/wireshark/wireshark/-/issues/20082
91. https://gitlab.com/wireshark/wireshark/-/issues/20088
92. https://gitlab.com/wireshark/wireshark/-/issues/20090
93. https://gitlab.com/wireshark/wireshark/-/issues/20100
94. https://gitlab.com/wireshark/wireshark/-/issues/20110
95. https://www.wireshark.org/docs/relnotes/wireshark-4.4.0.html
96. https://www.wireshark.org/download.html
97. https://ask.wireshark.org/
98. https://lists.wireshark.org/lists/
99. https://gitlab.com/wireshark/wireshark/-/issues
100. https://sharkfest.wireshark.org
101. https://wiresharkfoundation.org
102. https://www.wireshark.org/faq.html

Digests

wireshark-4.4.4.tar.xz: 46845832 bytes
SHA256(wireshark-4.4.4.tar.xz)=5154d2b741ec928b1bdb5eba60e29536f78907b21681a7fe18c652f4db44b1f1
SHA1(wireshark-4.4.4.tar.xz)=f9eae804b248bbfb928eb36bae8c31a96998771c

Wireshark-4.4.4-arm64.exe: 68763208 bytes
SHA256(Wireshark-4.4.4-arm64.exe)=68c6d3ab4656e8d8d0f4e63a9000aeaf6d7f0a61493f4031e891618a189298b0
SHA1(Wireshark-4.4.4-arm64.exe)=9e2eebd9d24d4ac6d5e81fc4eb1a9c9d9041eb1a

Wireshark-4.4.4-x64.exe: 87303952 bytes
SHA256(Wireshark-4.4.4-x64.exe)=7511107872088965cc781fe877f79371fee441bdcfeae28ab78faa591f780a51
SHA1(Wireshark-4.4.4-x64.exe)=0065bf07c94426a3210e1b2314dfbe8de458507d

Wireshark-4.4.4-x64.msi: 63881216 bytes
SHA256(Wireshark-4.4.4-x64.msi)=425e2175bb5b31a2cfe60f34696cfacfdee73ff13692bea1c2eddc1e859c5db1
SHA1(Wireshark-4.4.4-x64.msi)=f51c8687c283e2111473490c8626e6375f3e7aac

WiresharkPortable64_4.4.4.paf.exe: 64449856 bytes
SHA256(WiresharkPortable64_4.4.4.paf.exe)=863aa32ebc8090dfb358345c16467619c284c4303472e37ee0e94fc10d4727ed
SHA1(WiresharkPortable64_4.4.4.paf.exe)=a1a245542356157a86d81f09db2d640f27f99489

Wireshark 4.4.4 Arm 64.dmg: 65447441 bytes
SHA256(Wireshark 4.4.4 Arm 64.dmg)=24cdce2f5869653b98032e8f6f06a08bd4f4899f178a27eb6d751fc27ac9cb47
SHA1(Wireshark 4.4.4 Arm 64.dmg)=6ba4d0c608e709902f9bb8db1e5cb23d8dea6da2

Wireshark 4.4.4 Intel 64.dmg: 69174110 bytes
SHA256(Wireshark 4.4.4 Intel 64.dmg)=46b267bdd78222aa272937a65fa91b09c3755bc0ec01fa52e8b63984699c0afb
SHA1(Wireshark 4.4.4 Intel 64.dmg)=28ed35eb30051820eb4cc1ecc006d4eff0ce2209

You can validate these hashes using the following commands (among others):

Windows: certutil -hashfile Wireshark-win64-x.y.z.exe SHA256
Linux (GNU Coreutils): sha256sum wireshark-x.y.z.tar.xz
macOS: shasum -a 256 "Wireshark x.y.z Arm 64.dmg"
Other: openssl sha256 wireshark-x.y.z.tar.xz

Prev by Date: [Wireshark-dev] Stable and nightly Wireshark PPA-s for Ubuntu
Next by Date: [Wireshark-dev] Wireshark 4.4.4 is now available
Previous by thread: [Wireshark-dev] Stable and nightly Wireshark PPA-s for Ubuntu
Next by thread: [Wireshark-dev] Wireshark 4.4.4 is now available
Index(es):
- Date
- Thread