Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS 258
1 files changed, 221 insertions, 37 deletions
diff --git a/NEWS b/NEWS
index 4f85d6e07f..90a9bce59c 100644
--- a/NEWS
+++ b/NEWS
@@ -1,7 +1,7 @@
-Wireshark 3.3.0 Release Notes
+Wireshark 4.3.0 Release Notes
This is an experimental release intended to test new features for
- Wireshark 3.4.
+ Wireshark 4.4.
What is Wireshark?
@@ -10,40 +10,209 @@ Wireshark 3.3.0 Release Notes
What’s New
- Many improvements have been made. See the “New and Updated Features”
- section below for more details.
+ Improved display filter support for value strings (optional string
+ representations for numeric fields).
+
+ Display filter functions can be implemented as runtime-loadable C
+ plugins.
+
+ Plugin registration API was refactored. Plugin authors must update
+ their plugins as described below.
+
+ Custom columns can be defined using any valid field expression, such
+ as display filter functions, slices, arithmetic calculations, logical
+ tests, raw byte addressing, and the layer modifier.
+
+ Many other improvements have been made. See the “New and Updated
+ Features” section below for more details.
New and Updated Features
The following features are new (or have been significantly updated)
- since version 3.2.0:
+ since version 4.2.0:
+
+ • Display filter syntax-related enhancements:
+
+ • Better handling of comparisons with value strings. Now the
+ display filter engine can correctly handle cases where multiple
+ different numeric values map to the same value string, including
+ but not limited to range-type value strings.
+
+ • Fields with value strings now support regular expression
+ matching.
+
+ • Date and time values now support arithmetic, with some
+ restrictions: the multiplier/divisor must be an integer or float
+ and appear on the right-hand side of the operator.
+
+ • The keyword "bitand" can be used as an alternative syntax for
+ the bitwise-and operator.
+
+ • Functions alone can now be used as an entire logical
+ expression. The result of the expression is the truthiness of the
+ function return value (or of all values if more than one). This
+ is useful for example to write "len(something)" instead of
+ "len(something) != 0". Even more so if a function returns itself
+ a boolean value, it is now possible to write
+ "bool_test(some.field)" instead of having to write
+ "bool_test(some.field) == True" (both forms are now valid).
+
+ • Display filter references can be written without curly braces.
+ It is now possible to write `$frame.number` instead of
+ `${frame.number}` for example.
+
+ • Added new display filter functions to test various IP address
+ properties. Check the wireshark-filter(5) manpage for more
+ information.
+
+ • Added new display filter functions to convert unsigned integer
+ types to decimal or hexadecimal. Check the wireshark-filter(5)
+ manpage for more information.
+
+ • Display filter macros can be written with a semicolon after
+ the macro name before the argument list, e.g.
+ `${mymacro;arg1;…​;argN}`, instead of `${mymacro:arg1;…​;argN}`.
+ The version with semicolons works better with pop-up suggestions
+ when editing the display filter, so the version with the colon
+ might be removed in the future.
+
+ • Display filter macros can be written using a function-like
+ notation. The macro `${mymacro:arg1;…​;argN}` can be written
+ `$mymacro(arg1,…​,argN)`.
+
+ • Display filter functions can be implemented as libwireshark
+ plugins. Plugins are loaded during startup from the usual binary
+ plugin configuration directories. See the `ipaddr.c` source file
+ in the distribution for an example of a display filter C plugin
+ and the doc/plugins.example folder for generic instructions how
+ to build a plugin.
+
+ • Display filter autocompletions now also include display filter
+ functions.
+
+ • The display filter macro configuration file has changed format.
+ It now uses the same format as the "dfilters" file and has been
+ renamed accordingly to "dmacros". Internally it no longer uses
+ the UAT API and the display filter macro GUI dialog has been
+ updated. There is some basic migration logic implemented but it
+ is advisable to check that the "dfilter_macros" (old) and
+ "dmacros" (new) files in the profile directory are consistent.
+
+ • Custom columns can be defined using any valid field expression:
+
+ • Display filter functions, like `len(tcp.payload)`, including
+ nested functions like `min(len(tcp.payload), len(udp.payload)`
+ and newly defined functions using the plugin system mentioned
+ above. Issue 15990[1] Issue 16181[2]
+
+ • Arithmetic calculations, like `ip.len * 8` or `tcp.srcport +
+ tcp.dstport`. Issue 7752[3]
+
+ • Slices, like `tcp.payload[4:4]`. Issue 10154[4]
+
+ • The layer operator, like `ip.proto#1` to return the proto
+ field in the first IPv4 layer if there is tunneling. Issue
+ 18588[5]
- • Windows executables and installers are now signed using SHA-2
- only[1].
+ • Raw byte addressing, like `@ip`, useful to return the bytes of
+ a protocol or FT_NONE field, among others. Issue 19076[6]
- • Save RTP stream to .au supports any codec with 8000 Hz rate
- supported by Wireshark (shown in RTP player). If save of audio is
- not possible (unsupported codec or rate), silence of same length
- is saved and warning is shown.
+ • Logical tests, like `tcp.port == 443`, which produce a check
+ mark if the test matches (similar to protocol and none fields
+ without `@`.) This works with all logical operators, including
+ e.g. regular expression matching (`matches` or `~`.)
- • C-ares is now a required dependency.
+ • Defined display filter macros.
- • Protobuf fields can be dissected as wireshark (header) fields
- that allows user input the full names of Protobuf fields or
- messages in Filter toolbar for searching.
+ • Any combination of the above also works.
- • Dissector based on Protobuf can register itself to a new
- 'protobuf_field' dissector table, which is keyed with the full
- names of fields, for further parsing fields of BYETS or STRING
- type.
+ • Multifield columns are still available. For backwards
+ compatibility, `X or Y` is interpreted as a multifield column as
+ before. To represent a logical test for the presence of multiple
+ fields instead of concatenating values, use parenthesis, like
+ `(tcp.options.timestamp or tcp.options.nop`.
+
+ • Field references are not implemented, because there’s no sense
+ of a currently selected frame. "Resolved" column values (such as
+ host name resolution or value string lookup) are not supported
+ for any of the new expressions yet.
+
+ • When selecting "Manage Interfaces" from "Capture Options",
+ Wireshark only attempts to reconnect to rpcap (remote) hosts that
+ were connected to in the last session, instead of every remote
+ host that the current profile has ever connected to. Issue
+ 17484[7]
+
+ • Adding interfaces at startup is about twice as fast, and has many
+ fewer UAC pop-ups when npcap is installed with access restricted
+ to Administrators on Windows
+
+ • The Resolved Addresses dialog only shows what addresses and ports
+ are present in the file (not including information from static
+ files), and selected rows or the entire table can be saved or
+ copied to the clipboard in several formats.
+
+ • New "Tools › Install Plugin" option provides a convenient method
+ to install a binary plugin to the personal folder.
+
+ • The personal binary plugins folder now has higher priority than
+ the global folder.
+
+ • The binary plugins folder path no longer uses an X.Y version
+ component. Plugins are required to add the ABI version to the
+ file name.
+
+ • Truncated fields in the detail view are now displayed as "Field
+ name […]: data" instead of "Field name [truncated]: data"
+
+ • When capturing files in multiple file mode, a pattern that places
+ the date and time before the index number can be used (e.g.,
+ foo_20240714110102_00001.pcap instead of
+ foo_00001_20240714110102.pcap). This causes filenames to sort in
+ chronological order across file sets from different captures. The
+ File Set dialog has been updated to handle the new pattern, which
+ has been capable of being produced by tshark since version 3.6.0
+
+ • The "Follow Stream" dialog can now show delta times between turns
+ and all packets and events.
+
+ Removed Features and Support
+
+ • The tshark `-G` option with no argument is deprecated and will be
+ removed in a future version. Use `tshark -G fields` to produce
+ the same report.
+
+ Removed Dissectors
+
+ The Parlay dissector has been removed.
New Protocol Support
+ Allied Telesis Resiliency Link (AT RL), EGNOS Message Server (EMS)
+ file format, MAC NR Framed (mac-nr-framed), RF4CE Network Layer
+ (RF4CE), and RF4CE Profile (RF4CE Profile)
+
Updated Protocol Support
- Too many protocols have been updated to list here.
+ • IPv6: The "show address detail" preference is now enabled by
+ default. The address details provided have been extended to
+ include more special purpose address block properties
+ (forwardable, globally-routable, etc).
+
+ Too many other protocol updates have been made to list them all here.
+
+ EGNOS Messager Server (EMS) files
+
+ u-blox GNSS receivers
- New and Updated Capture File Support
+ Major API Changes
+
+ • Plugin registration API was refactored. Plugin authors must do
+ the following: 1 - Remove the existing boilerplate (version,
+ want_major` and `want_minor` and plugin API declarations. 2 - Add
+ a struct ws_module to the plugin. 3 - Call one of the
+ WIRESHARK_PLUGIN_REGISTER_* macros. See README.plugins sections 5
+ and doc/plugins.example/hello.c for details and examples.
Getting Wireshark
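Review bot: two of the custom column examples in this hunk have unbalanced parentheses, `min(len(tcp.payload), len(udp.payload)` and `(tcp.options.timestamp or tcp.options.nop` each lack a closing `)`, so a reader pasting them into a column definition gets a syntax error; add the missing parenthesis to both. The "Major API Changes" item has the same problem in its markup: `(version, want_major` and `want_minor` and plugin API declarations.` opens a parenthesis and a backtick span that never close, and "README.plugins sections 5" should read "section 5"; suggest `(version, `want_major`, `want_minor` and plugin API declarations)`. Further down, the "New and Updated Capture File Support" heading is deleted in the same place where "EGNOS Messager Server (EMS) files" and "u-blox GNSS receivers" are added, so those two capture file entries now sit under "Updated Protocol Support"; keep the heading above them, and spell it "Message Server" as the New Protocol Support paragraph does. Minor: the sentences ending "restricted to Administrators on Windows", "[truncated]: data" and "since version 3.6.0" lack a terminating period.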
@@ -55,38 +224,53 @@ Wireshark 3.3.0 Release Notes
Most Linux and Unix vendors supply their own Wireshark packages. You
can usually install or upgrade Wireshark using the package management
system specific to that platform. A list of third-party packages can
- be found on the download page[2] on the Wireshark web site.
+ be found on the download page[8] on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for
preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
- locations vary from platform to platform. You can use About→Folders to
- find the default locations on your system.
+ locations vary from platform to platform. You can use "Help › About
+ Wireshark › Folders" or `tshark -G folders` to find the default
+ locations on your system.
Getting Help
The User’s Guide, manual pages and various other documentation can be
found at https://www.wireshark.org/docs/
- Community support is available on Wireshark’s Q&A site[3] and on the
+ Community support is available on Wireshark’s Q&A site[9] and on the
wireshark-users mailing list. Subscription information and archives
- for all of Wireshark’s mailing lists can be found on the web site[4].
+ for all of Wireshark’s mailing lists can be found on the web site[10].
- Bugs and feature requests can be reported on the bug tracker[5].
+ Bugs and feature requests can be reported on the issue tracker[11].
- Frequently Asked Questions
+ You can learn protocol analysis and meet Wireshark’s developers at
+ SharkFest[12].
+
+ How You Can Help
- A complete FAQ is available on the Wireshark web site[6].
+ The Wireshark Foundation helps as many people as possible understand
+ their networks as much as possible. You can find out more and donate
+ at wiresharkfoundation.org[13].
+
+ Frequently Asked Questions
- Last updated 2020-01-05 08:07:26 UTC
+ A complete FAQ is available on the Wireshark web site[14].
References
- 1. https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-s
- igning-support-requirement-for-windows-and-wsus
- 2. https://www.wireshark.org/download.html#thirdparty
- 3. https://ask.wireshark.org/
- 4. https://www.wireshark.org/lists/
- 5. https://bugs.wireshark.org/
- 6. https://www.wireshark.org/faq.html
+ 1. https://gitlab.com/wireshark/wireshark/-/issues/15990
+ 2. https://gitlab.com/wireshark/wireshark/-/issues/16181
+ 3. https://gitlab.com/wireshark/wireshark/-/issues/7752
+ 4. https://gitlab.com/wireshark/wireshark/-/issues/10154
+ 5. https://gitlab.com/wireshark/wireshark/-/issues/18588
+ 6. https://gitlab.com/wireshark/wireshark/-/issues/19076
+ 7. https://gitlab.com/wireshark/wireshark/-/issues/17484
+ 8. https://www.wireshark.org/download.html
+ 9. https://ask.wireshark.org/
+ 10. https://www.wireshark.org/lists/
+ 11. https://gitlab.com/wireshark/wireshark/-/issues
+ 12. https://sharkfest.wireshark.org
+ 13. https://wiresharkfoundation.org
+ 14. https://www.wireshark.org/faq.html
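Review bot: the third-party packages sentence now cites reference 8, `https://www.wireshark.org/download.html`, where the removed reference 2 pointed at `https://www.wireshark.org/download.html#thirdparty`; since the sentence still promises a list of third-party packages, keep the `#thirdparty` anchor unless that section no longer exists on the site. The renumbering of references 8 through 14 matches the in-text citations in this hunk, and dropping the "Last updated" timestamp is consistent with the rest of the file no longer carrying one.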