NEWS

Wireshark 4.3.0 Release Notes

 This is an experimental release intended to test new features for
 Wireshark 4.4.

 What is Wireshark?

  Wireshark is the world’s most popular network protocol analyzer. It is
  used for troubleshooting, analysis, development and education.

 What’s New

  Wireshark now supports automatic profile switching. You can associate
  a display filter with a configuration profile, and when you open a
  capture file that matches the filter, Wireshark will automatically
  switch to that profile.

  Support for Lua 5.3 and 5.4 has been added, and support for Lua 5.1
  and 5.2 has been removed. The Windows and macOS installers now ship
  with Lua 5.4.6.

  Improved display filter support for value strings (optional string
  representations for numeric fields).

  Display filter functions can be implemented as runtime-loadable C
  plugins.

  Display filters can be translated to pcap filters using "Edit › Copy ›
  Display filter as pcap filter" if each display filter field has a
  corresponding pcap filter equivalent.

  Custom columns can be defined using any valid field expression, such
  as display filter functions, slices, arithmetic calculations, logical
  tests, raw byte addressing, and the layer modifier.

  Custom output fields for `tshark -e` can also be defined using any
  valid field expression.

  Many improvements and fixes to the graphing dialogs, including I/O
  Graphs, Flow Graph / VoIP Calls, and TCP Stream Graphs.

  Possibility to use zlib-ng to open and write zip compressed files.
  Zlib-ng is substantially faster. Windows and macOS brew packages have
  this feature included.

  Many other improvements have been made. See the “New and Updated
  Features” section below for more details.

  New and Updated Features

   The following features are new (or have been significantly updated)
   since version 4.2.0:

     • Display filter syntax-related enhancements:

        • Better handling of comparisons with value strings. Now the
       display filter engine can correctly handle cases where multiple
       different numeric values map to the same value string, including
       but not limited to range-type value strings.

        • Fields with value strings now support regular expression
       matching.

        • Date and time values now support arithmetic, with some
       restrictions: the multiplier/divisor must be an integer or float
       and appear on the right-hand side of the operator.

        • The keyword "bitand" can be used as an alternative syntax for
       the bitwise-and operator.

        • Functions alone can now be used as an entire logical
       expression. The result of the expression is the truthiness of the
       function return value (or of all values if more than one). This
       is useful for example to write "len(something)" instead of
       "len(something) != 0". Even more so if a function returns itself
       a boolean value, it is now possible to write
       "bool_test(some.field)" instead of having to write
       "bool_test(some.field) == True" (both forms are now valid).

        • Display filter references can be written without curly braces.
       It is now possible to write `$frame.number` instead of
       `${frame.number}` for example.

        • Added new display filter functions to test various IP address
       properties. Check the wireshark-filter(5) manpage for more
       information.

        • Added new display filter functions to convert unsigned integer
       types to decimal or hexadecimal, and convert fields with value
       strings into the associated string for their value (used to
       produce results similar to custom columns). Check the
       wireshark-filter(5) manpage for more information.

        • Display filter macros can be written with a semicolon after
       the macro name before the argument list, e.g.
       `${mymacro;arg1;…​;argN}`, instead of `${mymacro:arg1;…​;argN}`.
       The version with semicolons works better with pop-up suggestions
       when editing the display filter, so the version with the colon
       might be removed in the future.

        • Display filter macros can be written using a function-like
       notation. The macro `${mymacro:arg1;…​;argN}` can be written
       `$mymacro(arg1,…​,argN)`.

        • AX.25 addresses are now filtered using the "CALLSIGN-SSID"
       string syntax. Filtering based on the raw bytes values is still
       possible, like other field types, with the `@` operator. Issue
       17973[1]

     • Display filter functions can be implemented as libwireshark
       plugins. Plugins are loaded during startup from the usual binary
       plugin configuration directories. See the `ipaddr.c` source file
       in the distribution for an example of a display filter C plugin
       and the doc/plugins.example folder for generic instructions how
       to build a plugin.

     • Display filter autocompletions now also include display filter
       functions.

     • The display filter macro configuration file has changed format.
       It now uses the same format as the "dfilters" file and has been
       renamed accordingly to "dmacros". Internally it no longer uses
       the UAT API and the display filter macro GUI dialog has been
       updated. There is some basic migration logic implemented but it
       is advisable to check that the "dfilter_macros" (old) and
       "dmacros" (new) files in the profile directory are consistent.

     • Custom columns can be defined using any valid field expression:

        • Display filter functions, like `len(tcp.payload)`, including
       nested functions like `min(len(tcp.payload), len(udp.payload)`
       and newly defined functions using the plugin system mentioned
       above. Issue 15990[2] Issue 16181[3]

        • Arithmetic calculations, like `ip.len * 8` or `tcp.srcport +
       tcp.dstport`. Issue 7752[4]

        • Slices, like `tcp.payload[4:4]`. Issue 10154[5]

        • The layer operator, like `ip.proto#1` to return the proto
       field in the first IPv4 layer if there is tunneling. Issue
       18588[6]

        • Raw byte addressing, like `@ip`, useful to return the bytes of
       a protocol or FT_NONE field, among others. Issue 19076[7]

        • Logical tests, like `tcp.port == 443`, which produce a check
       mark if the test matches (similar to protocol and none fields
       without `@`.) This works with all logical operators, including
       e.g. regular expression matching (`matches` or `~`.)

        • Defined display filter macros.

        • Any combination of the above also works.

        • Multifield columns are still available. For backwards
       compatibility, `X or Y` is interpreted as a multifield column as
       before. To represent a logical test for the presence of multiple
       fields instead of concatenating values, use parenthesis, like
       `(tcp.options.timestamp or tcp.options.nop`.

        • Field references are not implemented, because there’s no sense
       of a currently selected frame. "Resolved" column values (such as
       host name resolution or value string lookup) are not supported
       for any of the new expressions yet.

     • Custom output fields for `tshark -e <field>` can also be defined
       using any valid field expression as above.

        • For custom output fields, `X or Y` is the usual logical test;
       to output multiple fields use multiple `-e` terms as before.

        • The various `-E` options, including `-E occurrence`, all work
       as expected.

     • When selecting "Manage Interfaces" from "Capture Options",
       Wireshark only attempts to reconnect to rpcap (remote) hosts that
       were connected to in the last session, instead of every remote
       host that the current profile has ever connected to. Issue
       17484[8]

     • Adding interfaces at startup is about twice as fast, and has many
       fewer UAC pop-ups when npcap is installed with access restricted
       to Administrators on Windows

     • The Resolved Addresses dialog only shows what addresses and ports
       are present in the file (not including information from static
       files), and selected rows or the entire table can be saved or
       copied to the clipboard in several formats. Issue 16419[9]

     • Dumpcap and wireshark support the `-F` option when capturing a
       file at the command line. Issue 18009[10]

     • When capturing at the command line dumpcap accepts a `-Q` option
       that is quieter than `-q` and prints only errors to standard
       error, similar to tshark. Issue 14491[11]

     • When capturing a file and requesting the `pcap` format,
       nanosecond resolution time stamps will be written if the device
       and version of libpcap supports it.

     • When capturing a file, the maximum filesize at which to stop, or
       to switch files in multiple file mode, can be 2 TB, up from 2GiB.
       Note that you may have problems when the number of packets gets
       larger than 231 or 232, though that is also true when no limit is
       set.

     • When capturing files in multiple file mode, a pattern that places
       the date and time before the index number can be used (e.g.,
       foo_20240714110102_00001.pcap instead of
       foo_00001_20240714110102.pcap). This causes filenames to sort in
       chronological order across file sets from different captures. The
       File Set dialog has been updated to handle the new pattern, which
       has been capable of being produced by tshark since version 3.6.0

     • The "Follow Stream" dialog can now show delta times between turns
       and all packets and events.

     • The "Find Packet" dialog can search backwards, and find
       additional occurrences of a string, hex value, or regular
       expression in a single frame.

     • When using "Go To Packet" with an undisplayed frame, the window
       goes to nearest displayed frame (by number.) Issue 2988[12]

     • A number of graphs using QCustomPlot ("I/O Graphs", "Flow Graph",
       "TCP Stream Graphs", and "RTP Player") are more responsive during
       mouse moves, especially on Linux when Wayland is used.

     • Improvements to the "I/O Graphs" dialog:

        • A number of crasher bugs have been fixed.

        • The protocol tree context menu can open a I/O graph of the
       currently selected field. Issue 11362[13]

        • Smaller intervals can be used, down to 1 microsecond. Issue
       13682[14]

        • A larger number of I/O Graph item buckets can be used, up to
       225 items. Issue 8460[15]

        • The memory usage has been improved, the size of an item has
       been reduced from 152 bytes to 88 bytes.

        • When the Y field or Y axis changes, the graph displays the new
       graph correctly, retapping if necessary, instead of displaying
       information based on stale data.

        • The graph is smarter about choosing whether to retap
       (expensive), recalculate (moderately intensive), or replot
       (cheap) in order to display the newly chosen options correctly
       with the least amount of calculations. For instance, a graph that
       has previously been plotted and is disabled and then reenabled
       without any other changes will not require a new retap. Issue
       15822[16]

        • LOAD graphs are graphed properly again. Issue 18450[17]

        • The I/O Graph y-axis has human readable units with SI
       prefixes. Issue 12827[18]

        • I/O Graph bar widths are scaled to the size of the interval.

        • I/O Graph bar border colors are a slightly darker color than
       that of the graph itself, instead of always black. Issue
       17422[19]

        • The correct width of times that appear on the graph are used
       when automatically resetting the axes.

        • The precision of the interval time shown in the hint message
       depends on the interval.

        • The tracer follows the currently selected row on the table of
       graphs, and does not appear on an invisible graph.

        • The tracer moves to the frame selected in the main window.
       Issue 12909[20]

        • Pending graph changes are saved when changing profiles with
       the I/O Graphs dialog open.

        • I/O Graph dialog windows for closed capture files are no
       longer affected by changing the list of graphs (either in that
       dialogs or in other dialogs for the currently open file.)

        • Temporary graphs that have just been added and will not be
       saved unless the configuration has changed are more clearly
       marked with italics.

        • When Time of Day is selected on the graph, the absolute time
       is copied to the CSV instead of relative time. Issue 13717[21]

        • The graphs can be reordered via drag and drop. Issue 13855[22]

        • The graph layer order and order in the legend always matches
       the order in the table, and the legend appears properly. Issue
       13854[23]

        • Graphs with both lines and data point symbols are treated as
       line graphs, not scatter plots, for purposes of displaying zero
       values.

        • Logarithmic ticks are used when the Y-scale is logarithmic.

        • The graph crosshairs context menu option works.

        • The columns on the table of graphs can be all resized at once
       via the header context menu. Issue 18102[24]

        • The graph is more responsive to mouse moves, especially on
       Linux Wayland

     • Improvements to the Sequence Diagram (Flow Graph / VoIP Calls):

        • When exporting the graph as an image, the entire graph is
       shown, up to 1000 items (which can be changed in preferences),
       instead of only what was visible on-screen. Issue 13504[25]

        • Endpoints that share a same address now have two distinct
       nodes with a line between them. Issue 12038[26]

        • Tooltips are shown for elided comments

        • The scroll direction via keyboard is no longer reversed. Issue
       12932[27]

        • The column widths are fixed, instead of resizing slightly
       depending on the visible entries. Issue 12931[28]

        • The Y-axis labels stay in the correct position without having
       to click Reset.

        • The progress bar appears correctly in the Flow Graph (non VoIP
       Calls.)

        • The behavior of the "Any" and "Network" combobox is corrected.
       Issue 19818[29]

        • "Limit to Display Filter" is checked if a display filter is
       applied when the Flow Graph is opened, per the documentation.

     • TCP Stream Graphs:

        • A better decision is made about which side is the server and
       thus the initially chosen direction in the graph.

        • The Window Scaling graph axis labels are corrected and show
       both graphs.

        • The graph crosshairs context menu option works.

        • Switching between relative and absolute sequence numbers works
       again.

     • The included Lua version has been updated to 5.4. While most Lua
       dissectors should continue to work (the lua_bitop library has
       been patched to work with Lua 5.3 and 5.4, in addition to the
       native Lua support for bit operations present in those versions),
       different versions of Lua are not guaranteed to be compatible. If
       a Lua dissector has issues, check the manuals for Lua 5.4[30],
       Lua 5.3[31], and Lua 5.2[32] for incompatibilities and suggested
       workarounds. Note that features marked as deprecated in one
       version are removed in the subsequent version without additional
       notice, so it can be worth checking the manual for previous
       versions.

     • Lua functions have been added to decompress and decode TvbRanges
       with other compression types besides zlib, such as Brotli,
       Snappy, Zstd, and others, matching the support in the C API.
       tvbrange:uncompress() has been deprecated for
       tvbrange:uncompress_zlib().

     • Lua Dumper now defaults to the pcapng file type, and to
       per-packet encapsulation (creating interfaces on demand as
       necessary) when writing pcapng Issue 16403[33]

  Removed Features and Support

     • The tshark `-G` option with no argument is deprecated and will be
       removed in a future version. Use `tshark -G fields` to produce
       the same report.

  Removed Dissectors

   The Parlay dissector has been removed.

  New Protocol Support

   Allied Telesis Resiliency Link (AT RL), ATN Security Label, Bit Index
   Explicit Replication (BIER), Bus Mirroring Protocol, EGNOS Message
   Server (EMS) file format, Galileo E1-B I/NAV navigation messages, IBM
   i RDMA Endpoint (iRDMA-EDP), IWBEMSERVICES, MAC NR Framed
   (mac-nr-framed), Matter Bluetooth Transport Protocol (MatterBTP),
   MiWi P2P Star, Monero, NMEA 0183, PLDM, RDP authentication
   redirection virtual channel protocol (rdpear), RF4CE Network Layer
   (RF4CE), RF4CE Profile (RF4CE Profile), RK512, SAP Remote Function
   Call (SAPRFC), SBAS L1 Navigation Message, Scanner Access Now Easy
   (SANE), TREL, WMIO, and ZeroMQ Message Transport Protocol (ZMTP)

  Updated Protocol Support

   IPv6: The "show address detail" preference is now enabled by default.
   The address details provided have been extended to include more
   special purpose address block properties (forwardable,
   globally-routable, etc).

   Too many other protocol updates have been made to list them all here.

   EGNOS Messager Server (EMS) files

   u-blox GNSS receivers

  Major API Changes

     • Plugins should provide a `plugin_describe()` function that
       returns an ORed list of flags consisting of the plugin types used
       (declared in wsutil/plugins.h).

 Getting Wireshark

  Wireshark source code and installation packages are available from
  https://www.wireshark.org/download.html.

  Vendor-supplied Packages

   Most Linux and Unix vendors supply their own Wireshark packages. You
   can usually install or upgrade Wireshark using the package management
   system specific to that platform. A list of third-party packages can
   be found on the download page[34] on the Wireshark web site.

 File Locations

  Wireshark and TShark look in several different locations for
  preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
  locations vary from platform to platform. You can use "Help › About
  Wireshark › Folders" or `tshark -G folders` to find the default
  locations on your system.

 Getting Help

  The User’s Guide, manual pages and various other documentation can be
  found at https://www.wireshark.org/docs/

  Community support is available on Wireshark’s Q&A site[35] and on the
  wireshark-users mailing list. Subscription information and archives
  for all of Wireshark’s mailing lists can be found on the web site[36].

  Bugs and feature requests can be reported on the issue tracker[37].

  You can learn protocol analysis and meet Wireshark’s developers at
  SharkFest[38].

 How You Can Help

  The Wireshark Foundation helps as many people as possible understand
  their networks as much as possible. You can find out more and donate
  at wiresharkfoundation.org[39].

 Frequently Asked Questions

  A complete FAQ is available on the Wireshark web site[40].

 References

   1. https://gitlab.com/wireshark/wireshark/-/issues/17973
   2. https://gitlab.com/wireshark/wireshark/-/issues/15990
   3. https://gitlab.com/wireshark/wireshark/-/issues/16181
   4. https://gitlab.com/wireshark/wireshark/-/issues/7752
   5. https://gitlab.com/wireshark/wireshark/-/issues/10154
   6. https://gitlab.com/wireshark/wireshark/-/issues/18588
   7. https://gitlab.com/wireshark/wireshark/-/issues/19076
   8. https://gitlab.com/wireshark/wireshark/-/issues/17484
   9. https://gitlab.com/wireshark/wireshark/-/issues/16419
  10. https://gitlab.com/wireshark/wireshark/-/issues/18009
  11. https://gitlab.com/wireshark/wireshark/-/issues/14491
  12. https://gitlab.com/wireshark/wireshark/-/issues/2988
  13. https://gitlab.com/wireshark/wireshark/-/issues/11362
  14. https://gitlab.com/wireshark/wireshark/-/issues/13682
  15. https://gitlab.com/wireshark/wireshark/-/issues/8460
  16. https://gitlab.com/wireshark/wireshark/-/issues/15822
  17. https://gitlab.com/wireshark/wireshark/-/issues/18450
  18. https://gitlab.com/wireshark/wireshark/-/issues/12827
  19. https://gitlab.com/wireshark/wireshark/-/issues/17422
  20. https://gitlab.com/wireshark/wireshark/-/issues/12909
  21. https://gitlab.com/wireshark/wireshark/-/issues/13717
  22. https://gitlab.com/wireshark/wireshark/-/issues/13855
  23. https://gitlab.com/wireshark/wireshark/-/issues/13854
  24. https://gitlab.com/wireshark/wireshark/-/issues/18102
  25. https://gitlab.com/wireshark/wireshark/-/issues/13504
  26. https://gitlab.com/wireshark/wireshark/-/issues/12038
  27. https://gitlab.com/wireshark/wireshark/-/issues/12932
  28. https://gitlab.com/wireshark/wireshark/-/issues/12931
  29. https://gitlab.com/wireshark/wireshark/-/issues/19818
  30. https://www.lua.org/manual/5.4/manual.html#8
  31. https://www.lua.org/manual/5.3/manual.html#8
  32. https://www.lua.org/manual/5.2/manual.html#8
  33. https://gitlab.com/wireshark/wireshark/-/issues/16403
  34. https://www.wireshark.org/download.html
  35. https://ask.wireshark.org/
  36. https://www.wireshark.org/lists/
  37. https://gitlab.com/wireshark/wireshark/-/issues
  38. https://sharkfest.wireshark.org
  39. https://wiresharkfoundation.org
  40. https://www.wireshark.org/faq.html