170 lines
6.4 KiB
Plaintext
170 lines
6.4 KiB
Plaintext
Wireshark 4.3.0 Release Notes
|
||
|
||
This is an experimental release intended to test new features for
|
||
Wireshark 4.4.
|
||
|
||
What is Wireshark?
|
||
|
||
Wireshark is the world’s most popular network protocol analyzer. It is
|
||
used for troubleshooting, analysis, development and education.
|
||
|
||
What’s New
|
||
|
||
Improved display filter support for value strings (optional string
|
||
representations for numeric fields).
|
||
|
||
Display filter functions can be implemented as runtime-loadable C
|
||
plugins.
|
||
|
||
Many other improvements have been made. See the “New and Updated
|
||
Features” section below for more details.
|
||
|
||
New and Updated Features
|
||
|
||
The following features are new (or have been significantly updated)
|
||
since version 4.2.0:
|
||
|
||
• Display filter syntax-related enhancements:
|
||
|
||
• Better handling of comparisons with value strings. Now the
|
||
display filter engine can correctly handle cases where multiple
|
||
different numeric values map to the same value string, including
|
||
but not limited to range-type value strings.
|
||
|
||
• Fields with value strings now support regular expression
|
||
matching.
|
||
|
||
• Date and time values now support arithmetic, with some
|
||
restrictions: the multiplier/divisor must be an integer or float
|
||
and appear on the right-hand side of the operator.
|
||
|
||
• The keyword "bitand" can be used as an alternative syntax for
|
||
the bitwise-and operator.
|
||
|
||
• Functions alone can now be used as an entire logical
|
||
expression. The result of the expression is the truthiness of the
|
||
function return value (or of all values if more than one). This
|
||
is useful for example to write "len(something)" instead of
|
||
"len(something) != 0". Even more so if a function returns itself
|
||
a boolean value, it is now possible to write
|
||
"bool_test(some.field)" instead of having to write
|
||
"bool_test(some.field) == True" (both forms are now valid).
|
||
|
||
• Display filter references can be written without curly braces.
|
||
It is now possible to write `$frame.number` instead of
|
||
`${frame.number}` for example.
|
||
|
||
• Added new display filter functions to test various IP address
|
||
properties. Check the wireshark-filter(5) manpage for more
|
||
information.
|
||
|
||
• Display filter macros can be written using a function-like
|
||
notation. The macro `${mymacro:arg1; …; argN}` can be written
|
||
$mymacro(arg1, …, argN)`.
|
||
|
||
• Display filter functions can be implemented as libwireshark
|
||
plugins. Plugins are loaded during startup from the usual binary
|
||
plugin configuration directories. See the `ipaddr.c` source file
|
||
in the distribution for an example of a display filter C plugin
|
||
and the doc/plugins.example folder for generic instructions how
|
||
to build a plugin.
|
||
|
||
• Display filter autocompletions now also include display filter
|
||
functions.
|
||
|
||
• The display filter macro configuration file has changed format.
|
||
It now uses the same format as the "dfilters" file and has been
|
||
renamed accordingly to "dmacros". Internally it no longer uses
|
||
the UAT API and the display filter macro GUI dialog has been
|
||
updated. There is some basic migration logic implemented but it
|
||
is advisable to check that the "dfilter_macros" (old) and
|
||
"dmacros" (new) files in the profile directory are consistent.
|
||
|
||
• When selecting "Manage Interfaces" from "Capture Options",
|
||
Wireshark only attempts to reconnect to rpcap (remote) hosts that
|
||
were connected to in the last session, instead of every remote
|
||
host that the current profile has ever connected to. Issue
|
||
17484[1]
|
||
|
||
• Adding interfaces at startup is about twice as fast, and has many
|
||
fewer UAC pop-ups when npcap is installed with access restricted
|
||
to Administrators on Windows
|
||
|
||
New Protocol Support
|
||
|
||
EGNOS Message Server (EMS) file format, MAC NR Framed
|
||
(mac-nr-framed), RF4CE Network Layer (RF4CE), and RF4CE Profile
|
||
(RF4CE Profile)
|
||
|
||
Updated Protocol Support
|
||
|
||
• IPv6: The "show address detail" preference is now enabled by
|
||
default. The address details provided have been extended to
|
||
include more special purpose address block properties
|
||
(forwardable, globally-routable, etc).
|
||
|
||
Too many other protocol updates have been made to list them all here.
|
||
|
||
EGNOS Messager Server (EMS) files
|
||
|
||
Major API Changes
|
||
|
||
• Plugins should provide a `plugin_describe()` function that
|
||
returns an ORed list of flags consisting of the plugin types used
|
||
(declared in wsutil/plugins.h).
|
||
|
||
Getting Wireshark
|
||
|
||
Wireshark source code and installation packages are available from
|
||
https://www.wireshark.org/download.html.
|
||
|
||
Vendor-supplied Packages
|
||
|
||
Most Linux and Unix vendors supply their own Wireshark packages. You
|
||
can usually install or upgrade Wireshark using the package management
|
||
system specific to that platform. A list of third-party packages can
|
||
be found on the download page[2] on the Wireshark web site.
|
||
|
||
File Locations
|
||
|
||
Wireshark and TShark look in several different locations for
|
||
preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
|
||
locations vary from platform to platform. You can use "Help › About
|
||
Wireshark › Folders" or `tshark -G folders` to find the default
|
||
locations on your system.
|
||
|
||
Getting Help
|
||
|
||
The User’s Guide, manual pages and various other documentation can be
|
||
found at https://www.wireshark.org/docs/
|
||
|
||
Community support is available on Wireshark’s Q&A site[3] and on the
|
||
wireshark-users mailing list. Subscription information and archives
|
||
for all of Wireshark’s mailing lists can be found on the web site[4].
|
||
|
||
Bugs and feature requests can be reported on the issue tracker[5].
|
||
|
||
You can learn protocol analysis and meet Wireshark’s developers at
|
||
SharkFest[6].
|
||
|
||
How You Can Help
|
||
|
||
The Wireshark Foundation helps as many people as possible understand
|
||
their networks as much as possible. You can find out more and donate
|
||
at wiresharkfoundation.org[7].
|
||
|
||
Frequently Asked Questions
|
||
|
||
A complete FAQ is available on the Wireshark web site[8].
|
||
|
||
References
|
||
|
||
1. https://gitlab.com/wireshark/wireshark/-/issues/17484
|
||
2. https://www.wireshark.org/download.html
|
||
3. https://ask.wireshark.org/
|
||
4. https://www.wireshark.org/lists/
|
||
5. https://gitlab.com/wireshark/wireshark/-/issues
|
||
6. https://sharkfest.wireshark.org
|
||
7. https://wiresharkfoundation.org
|
||
8. https://www.wireshark.org/faq.html
|