Wireshark-dev: [Wireshark-dev] Wireshark 4.6.0rc1 is now available

From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Thu, 18 Sep 2025 09:33:04 -0700
I'm proud to announce the release of Wireshark 4.6.0rc1.


  This is an experimental release intended to test new features for
  Wireshark 4.6.

  What is Wireshark?

   Wireshark is the world’s most popular network protocol analyzer. It is
   used for troubleshooting, analysis, development and education.

   Wireshark is hosted by the Wireshark Foundation, a nonprofit which
   promotes protocol analysis education. Wireshark and the foundation
   depend on your contributions in order to do their work. If you or your
   organization would like to contribute or become a sponsor, please
   visit wiresharkfoundation.org[1].

  What’s New

   Many other improvements have been made. See the “New and Updated
   Features” section below for more details.

   New and Updated Features

    The following features are either new or have been significantly
    updated since version 4.4.0:

      • The Windows installers now ship with Npcap 1.83. They previously
        shipped with Npcap 1.79.

      • The Windows installers now ship with Qt 6.8.3. They previously
        shipped with Qt 6.5.3.

      • WinPcap is no longer supported. On Windows, use Npcap instead,
        uninstalling WinPcap if necessary. The last release ever of
        WinPcap, 4.1.3, was on 2013-03-08 and only supports up to Windows
        8, which is no longer supported by Microsoft or Wireshark.

      • We now ship universal macOS installers instead of separate
        packages for Arm64 and Intel. Issue 17294[2]

      • Source packages are now compressed using zstd.

      • A new “Plots” dialog has been added, which provides scatter plots
        in contrast to the “I/O Graphs” dialog, which provides
        histograms. The Plots dialog window supports multiple plots,
        markers, and automatic scrolling.

      • Live captures can be compressed while writing. (Previously there
        was support for compressing when performing multiple file
        capture, at file rotation time.) The `--compress` option in
        TShark works on live captures as well. Issue 9311[3]

      • Absolute time fields, regardless of field display in the Packet
        Details, are always written in ISO 8601 format in UTC with -T
        json. This was already the case for -T ek since version 4.2.0.
        JSON is primarily a data interchange format read by software, so
        a standard format is desirable.

      • When absolute time fields are output with -T fields, the "show"
        field of -T pdml, or in custom columns (including CSV output of
        columns), the formatting similar to asctime (e.g., Dec 18, 2017
        05:28:39.071704055 EST) has been deprecated in favor of ISO 8601.
        For backwards compatibility, a preference has been added,
        protocols.display_abs_time_ascii, which can be set to continue to
        format times as before. This preference can also be set to never
        use ASCII time and to use ISO 8601 time formatting in the
        protocol tree (Packet Details) as well. It is possible that a
        future release will remove the asctime style formatting
        entirely.

      • UTC frame time column formats (including "Time (format as
        specified)" when a UTC time display format is selected) have a
        "Z" suffix per ISO 8601. Local time formats remain unqualified
        (including if the local time zone is UTC.) Custom columns
        displaying FT_ABSOLUTE_TIME already had time zone indication.

      • The TShark `-G` option for generating glossary reports does not
        need to be the first option given on the command line anymore. In
        addition, the reports now are affected by other command line
        options such as `-o`, `-d`, and `--disable-protocol`, in addition
        to the `-C` option, which was already supported. (The
        `defaultprefs` report remains unaffected by any other options.)
        As a part of this change, `-G` with no argument, which was
        previously deprecated, is no longer supported. Use `tshark -G
        fields` to produce the same report. Also, the syntax for only
        listing fields with a certain prefix has changed to `tshark -G
        fields,prefix`.

      • The underlying type of EUI-64 fields has been switched to bytes
        when packet matching, similar to most other address formats. This
        means that EUI-64 addresses can be sliced and compared to other
        bytes types, e.g. the filter `wpan.src64[:3] == eth.src[:3]`.
        Fields can still be specified using 64-bit unsigned integer
        literals, though arithmetic with other integers is no longer
        supported.

      • Wireshark can now decrypt NTP packets using NTS (Network Time
        Security). To decrypt packets, the NTS-KE (Network Time Security
        Key Establishment Protocol) packets need to be present, alongside
        the TLS client and exporter secrets. Additionally, the parts of a
        NTP packet which can be cryptographically authenticated (from NTP
        packet header until the end of the last extension field that
        precedes the NTS Authenticator and Encrypted Extension Fields
        extension field) are checked for validity.

      • Wireshark's capability to decrypt MACsec packets has been
        expanded to either use the SAK unwrapped by the MKA dissector, or
        the PSK configured in the MACsec dissector. To enable the MKA
        dissector to unwrap the SAK, the CAK for the applicable CKN can
        be entered in the extended CKN/CAK Info UAT in the MKA dissector
        preferences. The ability of the MACsec dissector to decrypt
        packets using a PSK has been extended to a list of PSKs, which
        can be entered through a new UAT.

      • The TCP Stream Graph axes now use units with SI prefixes. Issue
        20197[4]

      • Custom columns have an option to show the values using the same
        format as in Packet Details.

      • Custom column complex expressions (e.g., with arithmetic, filter
        functions, etc.) that return numeric results are sorted
        numerically instead of lexicographically.

      • Display filter functions `float` and `double` are added to allow
        explicitly converting field types like integers and times to
        single and double precision floats. They can be used to perform
        further arithmetic operations on fields of different types,
        including in custom column definitions.

      • The minimum width of the I/O Graph dialog window has been
        reduced, so it should work better on small resolution desktops,
        especially in certain languages. To enable this, some checkbox
        controls were moved to the graph right-click context menu. Issue
        20147[5]

      • X.509 certificates, used in TLS and elsewhere, can be exported
        via the "File › Export Objects" menu in Wireshark (under the name
        "X509AF") and `--export-objects` in TShark (with the protocol
        name `x509af`.)

      • Zstandard Content-Encoding is supported in the HTTP and HTTP/2
        dissectors.

      • Follow Stream is supported for MPEG 2 Transport Stream PIDs, and
        for Packetized Elementary Streams contained within MPEG 2 TS. The
        latter can be used to extract audio or video for playback with
        other tools.

      • DNP 3 (Distributed Network Protocol 3) is now supported in the
        Conversations and Endpoints table dialogs.

      • The Lua supplied preloaded libraries `bit` and `rex_pcre2` are
        loaded in a way that adds them to the `package.loaded` table, as
        though through `require`, so that `require("bit")` and
        `require("rex_pcre2")` statements in Lua dissectors, while
        usually superfluous, behave as expected. Issue 20213[6]

      • The packet list (Wireshark) and event list (Stratoshark) no
        longer support rows with multiple lines. Issue 14424[7]

      • The `ethers` file can also contain EUI-64 to name mappings. Issue
        15487[8]

      • Wireshark "Import from Hex Dump" and text2pcap support byte
        groups with 2 to 4 bytes (with an option for little-endian byte
        order), and support hexadecimal offsets with a `0x` or `0X`
        prefix (as produced by `tcpdump -x`, among others). Issue
        16193[9]

      • Frame timestamps can be added as preamble to hex dumps in
        Wireshark from the "Print" and "Export Packet Dissection"
        dialogs, and in TShark with the `--hexdump time` option. Issue
        17132[10]

      • Lua now has a `Conversation` object, which exposes conversations
        and conversation data to Lua. Resolves Issue 15396[11]

      • Wireshark supports a "Copy in HTML" format via the main menu,
        context menu and keyboard shortcut. It also provides an option
        (via knobs in preferences) to copy plain text with aligned
        columns, along with the ability to select the copy format to be
        used when copying via keyboard shortcut.

      • The "no duplicate keys" version of JSON output that tshark has
        supported since 2.6.0 is available through the GUI Export
        Dissections Dialog. Note that this format does not necessarily
        preserve the ordering of all children in a tree, if siblings with
        identical keys are not consecutive.

      • The GUI Export Dissections Dialog can output raw hex bytes of the
        frame data for each field with or without exporting the field
        values, the same formats as the "-T json -x" and "-T jsonraw"
        output modes, respectively, of TShark.

      • The Conversations and Endpoints dialogs have an option to display
        byte counts and bit rates in exact counts instead of
        human-readable numbers with SI units. The default setting when
        opening a dialog is controlled by a Statistics preference,
        "conv.machine_readable". The same preference controls whether
        precise byte counts are used in the TShark "-z conv" and "-z
        endpoints" taps.

      • The output format for some TShark statistics taps (those selected
        with "-z <tap>,tree", which use the stats_tree system) can be
        controlled via a preference "-o statistics.output_format".

      • The color scheme can be set to Light or Dark mode independently
        of the current OS default on Windows and macOS, if Wireshark is
        built with Qt 6.8 or later as the official installers do. Issue
        19328[12]

      • LibXml2 is now a required dependency.

      • The View menu has an option to Redissect Packets manually, which
        can be useful when address resolution or decryption secrets have
        changed.

      • HTTP2 tracking of 3GPP sessions over 5G Service Based Interfaces
        is now optionally available. When enabled, "Associate IMSI" will
        be added on HTTP2 streams which have been found to belong to a
        session.

      • Building the documentation on Windows no longer requires Java.

      • On Linux, capture filters that use BPF extensions like "inbound",
        "outbound", and "ifindex" can be used for capturing (and compiled
        by the Compiled Filter dialog). Instead of always being rejected
        by the syntax checker, they will be marked as unknown.

   Removed Features and Support

    Wireshark no longer supports AirPcap and WinPcap.

    Wireshark no longer supports libnl versions 1 or 2.

    The `ENABLE_STATIC` CMake option has been deprecated in favor of
    `BUILD_SHARED_LIBS`.

   New File Format Decoding Support

    Resource Interchange File Format (RIFF) and TTL File Format

   New Protocol Support

    Asymmetric Key Packages (AKP), Binary HTTP, BIST TotalView-ITCH
    protocol (BIST-ITCH), BIST TotalView-OUCH protocol (BIST-OUCH),
    Bluetooth Android HCI (HCI ANDROID), Bluetooth Intel HCI (HCI INTEL),
    BPSec COSE Context, BPSec Default SC, Commsignia Capture Protocol
    (C2P), DLMS/COSEM, Ephemeral Diffie-Hellman Over COSE,
    Identifier-Locator Network Protocol (ILNP), LDANeo Device trailer
    (LDANeo), Lenbrook Service Discovery Protocol (LSDP), LLC V1,
    Navitrol messaging, Network Time Security Key Establishment Protocol
    (NTS-KE), Ouster VLP-16, Private Line Emulation (PLE), RC V3, RCG,
    Roughtime, SBAS L5 Navigation Message, SGP.22 GSMA Remote SIM
    Provisioning (SGP.22), SGP.32 GSMA Remote SIM Provisioning (SGP.32),
    SICK CoLA Ascii and CoLA Binary protocols, Silabs Debug Channel,
    Universal Measurement and Calibration Protocol (XCP), USB Picture
    Transfer Protocol (USB-PTP), VLP-16 Data and Position messaging, and
    vSomeIP Internal Protocol (vSomeIP)

   Updated Protocol Support

    Too many protocol updates have been made to list them all here.

  New and Updated Capture File Support

   BLF is now improved (including writing to BLF)

   New and Updated Capture Interfaces support

      • On Windows, etwdump’s user-friendliness has been greatly improved
        thanks to various extcap changes. It should also now display the
        raw bytes of unknown events.

    The Lua API now supports Libgcrypt symmetric cipher functions.

  Getting Wireshark

   Wireshark source code and installation packages are available from
   https://www.wireshark.org/download.html.

   Vendor-supplied Packages

    Most Linux and Unix vendors supply their own Wireshark packages. You
    can usually install or upgrade Wireshark using the package management
    system specific to that platform. A list of third-party packages can
    be found on the download page[13] on the Wireshark web site.

  File Locations

   Wireshark and TShark look in several different locations for
   preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
   locations vary from platform to platform. You can use "Help › About
   Wireshark › Folders" or `tshark -G folders` to find the default
   locations on your system.

  Getting Help

   The User’s Guide, manual pages and various other documentation can be
   found at https://www.wireshark.org/docs/

   Community support is available on Wireshark’s Q&A site[14] and on the
   wireshark-users mailing list. Subscription information and archives
   for all of Wireshark’s mailing lists can be found on the mailing list
   site[15].

   Bugs and feature requests can be reported on the issue tracker[16].

   You can learn protocol analysis and meet Wireshark’s developers at
   SharkFest[17].

   Official Wireshark training and certification are available from the
   Wireshark Foundation[18].

  How You Can Help

   The Wireshark Foundation helps as many people as possible understand
   their networks as much as possible. You can find out more and donate
   at wiresharkfoundation.org[19].

  Frequently Asked Questions

   A complete FAQ is available on the Wireshark web site[20].

  References

    1. https://wiresharkfoundation.org
    2. https://gitlab.com/wireshark/wireshark/-/issues/17294
    3. https://gitlab.com/wireshark/wireshark/-/issues/9311
    4. https://gitlab.com/wireshark/wireshark/-/issues/20197
    5. https://gitlab.com/wireshark/wireshark/-/issues/20147
    6. https://gitlab.com/wireshark/wireshark/-/issues/20213
    7. https://gitlab.com/wireshark/wireshark/-/issues/14424
    8. https://gitlab.com/wireshark/wireshark/-/issues/15487
    9. https://gitlab.com/wireshark/wireshark/-/issues/16193
   10. https://gitlab.com/wireshark/wireshark/-/issues/17132
   11. https://gitlab.com/wireshark/wireshark/-/issues/15396
   12. https://gitlab.com/wireshark/wireshark/-/issues/19328
   13. https://www.wireshark.org/download.html
   14. https://ask.wireshark.org/
   15. https://lists.wireshark.org/lists/
   16. https://gitlab.com/wireshark/wireshark/-/issues
   17. https://sharkfest.wireshark.org
   18. https://www.wireshark.org/certifications
   19. https://wiresharkfoundation.org
   20. https://www.wireshark.org/faq.html


Digests

wireshark-4.6.0rc1.tar.zst: 52224786 bytes
SHA256(wireshark-4.6.0rc1.tar.zst)=2177e639d0adb0806ec88a69b0db6456a6f280209c56fa481d5ddd271df3fdaf
SHA1(wireshark-4.6.0rc1.tar.zst)=35b6edb4ba25ea0c548b946cfb7ed94d0f6e8dea

wireshark-4.6.0rc1.tar.xz: 52850456 bytes
SHA256(wireshark-4.6.0rc1.tar.xz)=646df7495c5b48fa8ad17e0537d040aa190d1d17e48c5a5b10da637ba57ea276
SHA1(wireshark-4.6.0rc1.tar.xz)=ea990af1421fcb179086dcf22bcf0b2724f801db

Wireshark-4.6.0rc1-x64.exe: 95722272 bytes
SHA256(Wireshark-4.6.0rc1-x64.exe)=570d86b8845f77eefe17219b57dedf741f3ae2aac9a11bad3f4f72d120a9b04f
SHA1(Wireshark-4.6.0rc1-x64.exe)=11f2a2a79657462f883575e62fcfb9af22dede1b

Wireshark-4.6.0rc1-arm64.exe: 71915040 bytes
SHA256(Wireshark-4.6.0rc1-arm64.exe)=6c12b92d5630b16759d4a129fa9fa666ae1e62e192f1fe169fd6f497937c20ce
SHA1(Wireshark-4.6.0rc1-arm64.exe)=9299a6230354226763fc9c98a50b7ecd7a7eee98

Wireshark-4.6.0rc1-x64.msi: 73015296 bytes
SHA256(Wireshark-4.6.0rc1-x64.msi)=8b4a41c3f4a476ea7e95ee79974845dc04751a126e748c29611bf07e41553bc4
SHA1(Wireshark-4.6.0rc1-x64.msi)=1a9f1718ef0e23f22b9417442ff3b89672dee664

WiresharkPortable64_4.6.0rc1.paf.exe: 82128552 bytes
SHA256(WiresharkPortable64_4.6.0rc1.paf.exe)=804afbf0fac78aed10d7750af478e2904bc54e3cf0d7e9448d8cc6d472603c5a
SHA1(WiresharkPortable64_4.6.0rc1.paf.exe)=1fb9220cc0387c729fd5874beebe586a6a2c7d4e

Wireshark 4.6.0rc1.dmg: 141517211 bytes
SHA256(Wireshark 4.6.0rc1.dmg)=ff36b50c86320eceb3ada34f95ef19002a5cb92a709ace1e338ad3c0a3c9b405
SHA1(Wireshark 4.6.0rc1.dmg)=1216809aa108b54d91d5ef1f0626ca4fc43015b4

You can validate these hashes using the following commands (among others):

     Windows: certutil -hashfile Wireshark-win64-x.y.z.exe SHA256
     Linux (GNU Coreutils): sha256sum wireshark-x.y.z.tar.xz
     macOS: shasum -a 256 "Wireshark x.y.z Arm 64.dmg"
     Other: openssl sha256 wireshark-x.y.z.tar.xz
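
The digest check described above, as an added example that is not part of the original announcement: a Python script that parses lines in the layout of the Digests block and checks a downloaded file's size and SHA-256 against them. The function names and the sample.bin entry are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Line shapes used in the announcement's "Digests" block.
SIZE_RE = re.compile(r"^(?P<name>.+): (?P<size>\d+) bytes$")
HASH_RE = re.compile(r"^(?P<alg>SHA256|SHA1)\((?P<name>.+)\)=(?P<hex>[0-9a-fA-F]+)$")
HEX_LEN = {"SHA256": 64, "SHA1": 40}

# Constructed sample in the same layout (content b"abc"; not a real release file).
SAMPLE = """\
sample.bin: 3 bytes
SHA256(sample.bin)=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SHA1(sample.bin)=a9993e364706816aba3e25717850c26c9cd0d89d
"""

def parse_digests(text):
    """Return {filename: {"size": int, "SHA256": hex, "SHA1": hex}}."""
    entries = {}
    for line in map(str.strip, text.splitlines()):
        h, s = HASH_RE.match(line), SIZE_RE.match(line)
        if h:
            # A hash cut short by mail wrapping or copy/paste must not pass.
            if len(h["hex"]) != HEX_LEN[h["alg"]]:
                raise ValueError(f"truncated {h['alg']} for {h['name']}")
            entries.setdefault(h["name"], {})[h["alg"]] = h["hex"].lower()
        elif s:
            entries.setdefault(s["name"], {})["size"] = int(s["size"])
    return entries

def verify(path, entries, name=None):
    """Check size, then SHA-256, of `path` against its published entry."""
    want = entries.get(name or os.path.basename(path))
    if not want or "SHA256" not in want:
        return "no published SHA256"
    if "size" in want and os.path.getsize(path) != want["size"]:
        return "size mismatch"
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large installers
            digest.update(chunk)
    return "ok" if digest.hexdigest() == want["SHA256"] else "SHA256 mismatch"

def demo():
    """Verify a constructed file, then a same-size tampered copy of it."""
    entries = parse_digests(SAMPLE)
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        for body in (b"abc", b"abd"):
            with open(path, "wb") as f:
                f.write(body)
            results.append(verify(path, entries))
    return results
```

To check a real download, pass the Digests text from the announcement to parse_digests() and the downloaded file's path to verify(); the file name must match the name in the digest line.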