Wireshark 4.1.0 Release Notes This is an experimental release intended to test new features for Wireshark 4.2. What is Wireshark? Wireshark is the world’s most popular network protocol analyzer. It is used for troubleshooting, analysis, development and education. What’s New A Windows installer for Arm64 has been added. Windows installer file names now have the format Wireshark--.exe. Wireshark is now better about generating valid UTF-8 output. A new display filter feature for filtering raw bytes has been added. Display filter autocomplete is smarter about not suggesting invalid syntax. "Tools › Lua Scripts › Launch with SSLKEYLOGFILE" can launch your web browser with the SSLKEYLOGFILE environment variable set to the appropriate value. The Windows build has a new SpeexDSP external dependency (https://www.speex.org). The speex code that was previously bundled has been removed. The personal extcap plugin folder location on Unix has been changed to follow existing conventions for architecture-dependent files. The extcap personal folder is now `$HOME/.local/lib/wireshark/extcap`. Previously it was `$XDG_CONFIG_HOME/wireshark/extcap`. The installation target no longer installs development headers by default. That must be done explicitly using `cmake --install --component Development`. The Wireshark installation is relocatable on Linux (and other ELF platforms with support for relative RPATHs). Support for building an NSIS Windows installer using the MinGW-w64 toolchain and MSYS2[1]. Read README.msys2 in the distribution for more information. When changing the dissector via the Decode As table for values that have default dissectors registered, selecting "(none)" will select no dissection (while still allowing heuristic dissectors to attempt to dissect.) The previous behavior was to reset the dissector to the default. To facilitate resetting the dissector, the default dissector is now sorted at the top of the list of possible dissector options. Sorting changes: * When sorting packet list with a filter applied, only the visible packets are sorted, which greatly increases sorting speed. * The cache size for column text is limited to a default of 10000 rows, which limits the maximum memory usage. The maximum value can be changed in Preferences→Appearance→Layout * Due to the above, columns that require packet dissection can only be sorted if the number of visible rows is less than the cache size. If there are more rows visible, a warning will appear. Columns that do not require packet dissection (those that calculated directly from the capture file frame headers, such as packet number, time, and frame length) can be sorted with any number of visible rows. * Sorting can be interrupted. Many other improvements have been made. See the “New and Updated Features” section below for more details. Bug Fixes The following bugs have been fixed: • Issue 18413[2] - RTP player do not play audio frequently on Win32 builds with Qt6 • Issue 18510[3] - Playback marker do not move after unpause with Qt6 New and Updated Features The following features are new (or have been significantly updated) since version 4.0.0: • The API has been updated to ensure that the dissection engine produces valid UTF-8 strings. • Wireshark now builds with Qt6 by default. To use Qt5 instead pass USE_qt6=OFF to CMake. • ciscodump support Cisco IOS XE 17.x • The default interval between GUI updates when capturing has been decreased from 500ms to 100ms, and is now configurable. • The -n option also now disables IP address geolocation information lookup in configured MaxMind databases (and geolocation lookup can be enabled with -Ng.) This is most relevant for tshark, where geolocation lookups are synchronous. • Implement built-in dissector for FiRa UWB Controller Interface (UCI) protocol. Recognizes PCAP traces with the link type LINKTYPE_FIRA_UCI=299. • The reassemble_streaming_data_and_call_subdissector() API has been added to provide a simpler way to reassemble the streaming data of a high level protocol that is not on top of TCP. • The display filter drop-down list is now sorted by "most recently used" instead of "most recently created". • Display filter syntax-related changes: • It is now possible to filter on raw packet data for any field by using the syntax `@some.field == `. This can be useful to filter on malformed UTF-8 strings, among other use cases where it is necessary to look at the field’s raw data. • Negation (unary minus) now works with any display filter arithmetic expression. • Using the slice operator with strings produces a string. Previously it would produce a byte array. This is useful to index/slice UTF-8 multibyte strings. String byte slices can still be obtained using the "@" (raw operator) prefix. • Arithmetic expressions are allowed as set elements. • Absolute date and time values can be written as Unix time. • The limitation where a minus sign needed to be preceded by a space character has been removed. • Added XOR logical operator. • Running the test suite requires the pytest[4] Python module. The emulation layer that allowed running tests without pytest installed has been removed. • When saving files or exporting packets after changing their time with the "Time Shift" dialog, the shifted time is written to the new file. • TLS secrets used in decrypting packets can be embedded (or discarded) from the capture file via the GUI, similar to the options --inject-secrets and --discard-all-secrets in editcap. New Protocol Support DECT DLC protocol layer (DECT-DLC), DECT NWK protocol layer (DECT-NWK), DECT proprietary Mitel OMM/RFP Protocol (also named AaMiDe), FiRa UWB Controller Interface (UCI), FiveCo’s Register Access Protocol (5CoRAP), GPS L1 C/A LNAV navigation messages, ID3v2, Low Level Signalling (ATSC3 LLS), Management Component Transport Protocol (MCTP), Management Component Transport Protocol - Control Protocol (MCTP CP), Matter home automation protocol, Non-volatile Memory Express - Management Interface (NVMe-MI) over MCTP, SAP Enqueue Server (SAPEnqueue), SAP GUI (SAPDiag), SAP HANA SQL Command Network Protocol (SAPHDB), SAP Internet Graphic Server (SAP IGS), SAP Message Server (SAPMS), SAP Network Interface (SAPNI), SAP Router (SAPROUTER), SAP Secure Network Connection (SNC), SBAS L1 Navigation Messages (SBAS L1), SINEC AP1 Protocol (SINEC AP), Support for almost all WoW 1.12 messages has been added., Train Real-Time Data Protocol (TRDP), UBX protocol of u-blox GNSS receivers (UBX), UDP Tracker Protocol for BitTorrent (BT-Tracker), Windows Delivery Optimization (MS-DO), and World of Warcraft World (WOWW) display filters have been changed to be more internally consistent. Updated Protocol Support • The JSON dissector now has a preference to enable/disable "unescaping" of string values. By default it is off. Previously it was always on. • The JSON dissector now supports "Display JSON in raw form". • The IPv6 dissector has a new preference to show some semantic details about addresses (default off). • The IPv6 dissector now supports dissecting Application-aware IPv6 Networking (APN6) option[5] in the Hop-by-Hop Options Header (HBH) and Destination Options Header (DOH). This feature supports to dissect all three types of APN ID, which are 32-bit, 64-bit and 128-bit in length. • The XML dissector now supports display character according to the "encoding" attribute of the XML declaration, and has a new preference to set default character encoding for some XML document without "encoding" attribute. • The SIP dissector now has a new preference to set default charset for displaying the body of SIP messages in raw text view. • The HTTP dissector now supports dissecting chunked data in streaming reassembly mode. Subdissectors of HTTP can register itself in "streaming_content_type" subdissector table for enabling streaming reassembly mode while transferring in chunked encoding. This feature ensures the server stream messages of GRPC-Web over HTTP/1.1 can be dissected even if the last chunk is absent. • The media type dissector table now properly treats media types and subtypes as case-insensitive automatically, per RFC 6838. Media types no longer need to be lower cased before registering or looking up in the table. • The CFM dissector has been overhauled and updated to the level of IEEE std 802.1Q-2022 and ITU-T Rec. G.8013/Y.1371 (08/2015). This includes dissection of additional PDU types and TLVs as well as deeper dissection of existing PDUs and TLVs. Too many other protocols have been updated to list them all here. New and Updated Capture File Support New and Updated Codec support Adaptive Multi-Rate (AMR), if compiled with opencore-amr[6] Getting Wireshark Wireshark source code and installation packages are available from https://www.wireshark.org/download.html. Vendor-supplied Packages Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page[7] on the Wireshark web site. File Locations Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use "Help › About Wireshark › Folders" or `tshark -G folders` to find the default locations on your system. Getting Help The User’s Guide, manual pages and various other documentation can be found at https://www.wireshark.org/docs/ Community support is available on Wireshark’s Q&A site[8] and on the wireshark-users mailing list. Subscription information and archives for all of Wireshark’s mailing lists can be found on the web site[9]. Bugs and feature requests can be reported on the issue tracker[10]. You can learn protocol analysis and meet Wireshark’s developers at SharkFest[11]. How You Can Help The Wireshark Foundation helps as many people as possible understand their networks as much as possible. You can find out more and donate at wiresharkfoundation.org[12]. Frequently Asked Questions A complete FAQ is available on the Wireshark web site[13]. References 1. https://www.msys2.org/ 2. https://gitlab.com/wireshark/wireshark/-/issues/18413 3. https://gitlab.com/wireshark/wireshark/-/issues/18510 4. https://pypi.org/project/pytest/ 5. https://www.ipv6plus.net/Phase3/apn6/ 6. https://sourceforge.net/projects/opencore-amr/ 7. https://www.wireshark.org/download.html 8. https://ask.wireshark.org/ 9. https://www.wireshark.org/lists/ 10. https://gitlab.com/wireshark/wireshark/-/issues 11. https://sharkfest.wireshark.org 12. https://wiresharkfoundation.org 13. https://www.wireshark.org/faq.html