diff options
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 258 |
1 files changed, 221 insertions, 37 deletions
@@ -1,7 +1,7 @@ -Wireshark 3.3.0 Release Notes +Wireshark 4.3.0 Release Notes This is an experimental release intended to test new features for - Wireshark 3.4. + Wireshark 4.4. What is Wireshark? @@ -10,40 +10,209 @@ Wireshark 3.3.0 Release Notes What’s New - Many improvements have been made. See the “New and Updated Features” - section below for more details. + Improved display filter support for value strings (optional string + representations for numeric fields). + + Display filter functions can be implemented as runtime-loadable C + plugins. + + Plugin registration API was refactored. Plugin authors must update + their plugins as described below. + + Custom columns can be defined using any valid field expression, such + as display filter functions, slices, arithmetic calculations, logical + tests, raw byte addressing, and the layer modifier. + + Many other improvements have been made. See the “New and Updated + Features” section below for more details. New and Updated Features The following features are new (or have been significantly updated) - since version 3.2.0: + since version 4.2.0: + + • Display filter syntax-related enhancements: + + • Better handling of comparisons with value strings. Now the + display filter engine can correctly handle cases where multiple + different numeric values map to the same value string, including + but not limited to range-type value strings. + + • Fields with value strings now support regular expression + matching. + + • Date and time values now support arithmetic, with some + restrictions: the multiplier/divisor must be an integer or float + and appear on the right-hand side of the operator. + + • The keyword "bitand" can be used as an alternative syntax for + the bitwise-and operator. + + • Functions alone can now be used as an entire logical + expression. The result of the expression is the truthiness of the + function return value (or of all values if more than one). This + is useful for example to write "len(something)" instead of + "len(something) != 0". Even more so if a function returns itself + a boolean value, it is now possible to write + "bool_test(some.field)" instead of having to write + "bool_test(some.field) == True" (both forms are now valid). + + • Display filter references can be written without curly braces. + It is now possible to write `$frame.number` instead of + `${frame.number}` for example. + + • Added new display filter functions to test various IP address + properties. Check the wireshark-filter(5) manpage for more + information. + + • Added new display filter functions to convert unsigned integer + types to decimal or hexadecimal. Check the wireshark-filter(5) + manpage for more information. + + • Display filter macros can be written with a semicolon after + the macro name before the argument list, e.g. + `${mymacro;arg1;…;argN}`, instead of `${mymacro:arg1;…;argN}`. + The version with semicolons works better with pop-up suggestions + when editing the display filter, so the version with the colon + might be removed in the future. + + • Display filter macros can be written using a function-like + notation. The macro `${mymacro:arg1;…;argN}` can be written + `$mymacro(arg1,…,argN)`. + + • Display filter functions can be implemented as libwireshark + plugins. Plugins are loaded during startup from the usual binary + plugin configuration directories. See the `ipaddr.c` source file + in the distribution for an example of a display filter C plugin + and the doc/plugins.example folder for generic instructions how + to build a plugin. + + • Display filter autocompletions now also include display filter + functions. + + • The display filter macro configuration file has changed format. + It now uses the same format as the "dfilters" file and has been + renamed accordingly to "dmacros". Internally it no longer uses + the UAT API and the display filter macro GUI dialog has been + updated. There is some basic migration logic implemented but it + is advisable to check that the "dfilter_macros" (old) and + "dmacros" (new) files in the profile directory are consistent. + + • Custom columns can be defined using any valid field expression: + + • Display filter functions, like `len(tcp.payload)`, including + nested functions like `min(len(tcp.payload), len(udp.payload)` + and newly defined functions using the plugin system mentioned + above. Issue 15990[1] Issue 16181[2] + + • Arithmetic calculations, like `ip.len * 8` or `tcp.srcport + + tcp.dstport`. Issue 7752[3] + + • Slices, like `tcp.payload[4:4]`. Issue 10154[4] + + • The layer operator, like `ip.proto#1` to return the proto + field in the first IPv4 layer if there is tunneling. Issue + 18588[5] - • Windows executables and installers are now signed using SHA-2 - only[1]. + • Raw byte addressing, like `@ip`, useful to return the bytes of + a protocol or FT_NONE field, among others. Issue 19076[6] - • Save RTP stream to .au supports any codec with 8000 Hz rate - supported by Wireshark (shown in RTP player). If save of audio is - not possible (unsupported codec or rate), silence of same length - is saved and warning is shown. + • Logical tests, like `tcp.port == 443`, which produce a check + mark if the test matches (similar to protocol and none fields + without `@`.) This works with all logical operators, including + e.g. regular expression matching (`matches` or `~`.) - • C-ares is now a required dependency. + • Defined display filter macros. - • Protobuf fields can be dissected as wireshark (header) fields - that allows user input the full names of Protobuf fields or - messages in Filter toolbar for searching. + • Any combination of the above also works. - • Dissector based on Protobuf can register itself to a new - 'protobuf_field' dissector table, which is keyed with the full - names of fields, for further parsing fields of BYETS or STRING - type. + • Multifield columns are still available. For backwards + compatibility, `X or Y` is interpreted as a multifield column as + before. To represent a logical test for the presence of multiple + fields instead of concatenating values, use parenthesis, like + `(tcp.options.timestamp or tcp.options.nop`. + + • Field references are not implemented, because there’s no sense + of a currently selected frame. "Resolved" column values (such as + host name resolution or value string lookup) are not supported + for any of the new expressions yet. + + • When selecting "Manage Interfaces" from "Capture Options", + Wireshark only attempts to reconnect to rpcap (remote) hosts that + were connected to in the last session, instead of every remote + host that the current profile has ever connected to. Issue + 17484[7] + + • Adding interfaces at startup is about twice as fast, and has many + fewer UAC pop-ups when npcap is installed with access restricted + to Administrators on Windows + + • The Resolved Addresses dialog only shows what addresses and ports + are present in the file (not including information from static + files), and selected rows or the entire table can be saved or + copied to the clipboard in several formats. + + • New "Tools › Install Plugin" option provides a convenient method + to install a binary plugin to the personal folder. + + • The personal binary plugins folder now has higher priority than + the global folder. + + • The binary plugins folder path no longer uses an X.Y version + component. Plugins are required to add the ABI version to the + file name. + + • Truncated fields in the detail view are now displayed as "Field + name […]: data" instead of "Field name [truncated]: data" + + • When capturing files in multiple file mode, a pattern that places + the date and time before the index number can be used (e.g., + foo_20240714110102_00001.pcap instead of + foo_00001_20240714110102.pcap). This causes filenames to sort in + chronological order across file sets from different captures. The + File Set dialog has been updated to handle the new pattern, which + has been capable of being produced by tshark since version 3.6.0 + + • The "Follow Stream" dialog can now show delta times between turns + and all packets and events. + + Removed Features and Support + + • The tshark `-G` option with no argument is deprecated and will be + removed in a future version. Use `tshark -G fields` to produce + the same report. + + Removed Dissectors + + The Parlay dissector has been removed. New Protocol Support + Allied Telesis Resiliency Link (AT RL), EGNOS Message Server (EMS) + file format, MAC NR Framed (mac-nr-framed), RF4CE Network Layer + (RF4CE), and RF4CE Profile (RF4CE Profile) + Updated Protocol Support - Too many protocols have been updated to list here. + • IPv6: The "show address detail" preference is now enabled by + default. The address details provided have been extended to + include more special purpose address block properties + (forwardable, globally-routable, etc). + + Too many other protocol updates have been made to list them all here. + + EGNOS Messager Server (EMS) files + + u-blox GNSS receivers - New and Updated Capture File Support + Major API Changes + + • Plugin registration API was refactored. Plugin authors must do + the following: 1 - Remove the existing boilerplate (version, + want_major` and `want_minor` and plugin API declarations. 2 - Add + a struct ws_module to the plugin. 3 - Call one of the + WIRESHARK_PLUGIN_REGISTER_* macros. See README.plugins sections 5 + and doc/plugins.example/hello.c for details and examples. Getting Wireshark @@ -55,38 +224,53 @@ Wireshark 3.3.0 Release Notes Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can - be found on the download page[2] on the Wireshark web site. + be found on the download page[8] on the Wireshark web site. File Locations Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These - locations vary from platform to platform. You can use About→Folders to - find the default locations on your system. + locations vary from platform to platform. You can use "Help › About + Wireshark › Folders" or `tshark -G folders` to find the default + locations on your system. Getting Help The User’s Guide, manual pages and various other documentation can be found at https://www.wireshark.org/docs/ - Community support is available on Wireshark’s Q&A site[3] and on the + Community support is available on Wireshark’s Q&A site[9] and on the wireshark-users mailing list. Subscription information and archives - for all of Wireshark’s mailing lists can be found on the web site[4]. + for all of Wireshark’s mailing lists can be found on the web site[10]. - Bugs and feature requests can be reported on the bug tracker[5]. + Bugs and feature requests can be reported on the issue tracker[11]. - Frequently Asked Questions + You can learn protocol analysis and meet Wireshark’s developers at + SharkFest[12]. + + How You Can Help - A complete FAQ is available on the Wireshark web site[6]. + The Wireshark Foundation helps as many people as possible understand + their networks as much as possible. You can find out more and donate + at wiresharkfoundation.org[13]. + + Frequently Asked Questions - Last updated 2020-01-05 08:07:26 UTC + A complete FAQ is available on the Wireshark web site[14]. References - 1. https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-s - igning-support-requirement-for-windows-and-wsus - 2. https://www.wireshark.org/download.html#thirdparty - 3. https://ask.wireshark.org/ - 4. https://www.wireshark.org/lists/ - 5. https://bugs.wireshark.org/ - 6. https://www.wireshark.org/faq.html + 1. https://gitlab.com/wireshark/wireshark/-/issues/15990 + 2. https://gitlab.com/wireshark/wireshark/-/issues/16181 + 3. https://gitlab.com/wireshark/wireshark/-/issues/7752 + 4. https://gitlab.com/wireshark/wireshark/-/issues/10154 + 5. https://gitlab.com/wireshark/wireshark/-/issues/18588 + 6. https://gitlab.com/wireshark/wireshark/-/issues/19076 + 7. https://gitlab.com/wireshark/wireshark/-/issues/17484 + 8. https://www.wireshark.org/download.html + 9. https://ask.wireshark.org/ + 10. https://www.wireshark.org/lists/ + 11. https://gitlab.com/wireshark/wireshark/-/issues + 12. https://sharkfest.wireshark.org + 13. https://wiresharkfoundation.org + 14. https://www.wireshark.org/faq.html |