5ee5f6fb40
Update manuf, services enterprise numbers, translations, and other items. services failed.
323 lines
13 KiB
Text
323 lines
13 KiB
Text
Wireshark 4.1.0 Release Notes
|
||
|
||
This is an experimental release intended to test new features for
|
||
Wireshark 4.2.
|
||
|
||
What is Wireshark?
|
||
|
||
Wireshark is the world’s most popular network protocol analyzer. It is
|
||
used for troubleshooting, analysis, development and education.
|
||
|
||
What’s New
|
||
|
||
A Windows installer for Arm64 has been added.
|
||
|
||
Windows installer file names now have the format
|
||
Wireshark-<version>-<architecture>.exe.
|
||
|
||
Wireshark is now better about generating valid UTF-8 output.
|
||
|
||
A new display filter feature for filtering raw bytes has been added.
|
||
|
||
Display filter autocomplete is smarter about not suggesting invalid
|
||
syntax.
|
||
|
||
"Tools › Lua Scripts › Launch with SSLKEYLOGFILE" can launch your web
|
||
browser with the SSLKEYLOGFILE environment variable set to the
|
||
appropriate value.
|
||
|
||
The personal extcap plugin folder location on Unix has been changed to
|
||
follow existing conventions for architecture-dependent files. The
|
||
extcap personal folder is now `$HOME/.local/lib/wireshark/extcap`.
|
||
Previously it was `$XDG_CONFIG_HOME/wireshark/extcap`.
|
||
|
||
The installation target no longer installs development headers by
|
||
default. That must be done explicitly using `cmake --install
|
||
<builddir> --component Development`.
|
||
|
||
The Wireshark installation is relocatable on Linux (and other ELF
|
||
platforms with support for relative RPATHs).
|
||
|
||
Support for building an NSIS Windows installer using the MinGW-w64
|
||
toolchain and MSYS2[1]. Read README.msys2 in the distribution for more
|
||
information.
|
||
|
||
When changing the dissector via the Decode As table for values that
|
||
have default dissectors registered, selecting "(none)" will select no
|
||
dissection (while still allowing heuristic dissectors to attempt to
|
||
dissect.) The previous behavior was to reset the dissector to the
|
||
default. To facilitate resetting the dissector, the default dissector
|
||
is now sorted at the top of the list of possible dissector options.
|
||
|
||
Packet list sorting has been updated: * When sorting packet list with
|
||
a filter applied, only the visible packets are sorted, which greatly
|
||
increases sorting speed. * The cache size for column text is limited
|
||
to a default of 10000 rows, which limits the maximum memory usage. The
|
||
maximum value can be changed in Preferences→Appearance→Layout * Due to
|
||
the above, columns that require packet dissection can only be sorted
|
||
if the number of visible rows is less than the cache size. If there
|
||
are more rows visible, a warning will appear. Columns that do not
|
||
require packet dissection (those that calculated directly from the
|
||
capture file frame headers, such as packet number, time, and frame
|
||
length) can be sorted with any number of visible rows. * Sorting can
|
||
be interrupted.
|
||
|
||
Many other improvements have been made. See the “New and Updated
|
||
Features” section below for more details.
|
||
|
||
Bug Fixes
|
||
|
||
The following bugs have been fixed:
|
||
|
||
• Issue 18413[2] - RTP player do not play audio frequently on Win32
|
||
builds with Qt6
|
||
|
||
• Issue 18510[3] - Playback marker do not move after unpause with
|
||
Qt6
|
||
|
||
New and Updated Features
|
||
|
||
The following features are new (or have been significantly updated)
|
||
since version 4.0.0:
|
||
|
||
• The Windows installers now ship with Qt 6.5.2. They previously
|
||
shipped with Qt 6.2.3.
|
||
|
||
• The API has been updated to ensure that the dissection engine
|
||
produces valid UTF-8 strings.
|
||
|
||
• Wireshark now builds with Qt6 by default. To use Qt5 instead pass
|
||
USE_qt6=OFF to CMake.
|
||
|
||
• ciscodump support Cisco IOS XE 17.x
|
||
|
||
• The default interval between GUI updates when capturing has been
|
||
decreased from 500ms to 100ms, and is now configurable.
|
||
|
||
• The -n option also now disables IP address geolocation
|
||
information lookup in configured MaxMind databases (and
|
||
geolocation lookup can be enabled with -Ng.) This is most
|
||
relevant for tshark, where geolocation lookups are synchronous.
|
||
|
||
• Implement built-in dissector for FiRa UWB Controller Interface
|
||
(UCI) protocol. Recognizes PCAP traces with the link type
|
||
LINKTYPE_FIRA_UCI=299.
|
||
|
||
• The reassemble_streaming_data_and_call_subdissector() API has
|
||
been added to provide a simpler way to reassemble the streaming
|
||
data of a high level protocol that is not on top of TCP.
|
||
|
||
• The display filter drop-down list is now sorted by "most recently
|
||
used" instead of "most recently created".
|
||
|
||
• Display filter syntax-related changes:
|
||
|
||
• It is now possible to filter on raw packet data for any field
|
||
by using the syntax `@some.field == <bytes…>`. This can be
|
||
useful to filter on malformed UTF-8 strings, among other use
|
||
cases where it is necessary to look at the field’s raw data.
|
||
|
||
• Negation (unary minus) now works with any display filter
|
||
arithmetic expression.
|
||
|
||
• Using the slice operator with strings produces a string.
|
||
Previously it would produce a byte array. This is useful to
|
||
index/slice UTF-8 multibyte strings. String byte slices can still
|
||
be obtained using the "@" (raw operator) prefix.
|
||
|
||
• Arithmetic expressions are allowed as set elements.
|
||
|
||
• Absolute date and time values can be written as Unix time.
|
||
|
||
• The limitation where a minus sign needed to be preceded by a
|
||
space character has been removed.
|
||
|
||
• Added XOR logical operator.
|
||
|
||
• Fixed the implementation of `all … in` membership operator
|
||
(#19188[4]).
|
||
|
||
• The deprecated ~≃ operator symbol has been removed. It was
|
||
replaced by !== in version 4.0.
|
||
|
||
• Running the test suite requires the pytest[5] Python module. The
|
||
emulation layer that allowed running tests without pytest
|
||
installed has been removed.
|
||
|
||
• When saving files or exporting packets after changing their time
|
||
with the "Time Shift" dialog, the shifted time is written to the
|
||
new file.
|
||
|
||
• TLS secrets used in decrypting packets can be embedded (or
|
||
discarded) from the capture file via the GUI, similar to the
|
||
options --inject-secrets and --discard-all-secrets in editcap.
|
||
|
||
• The text of any configured column (displayed or hidden) can be
|
||
filtered anywhere that filters are used - in display filters,
|
||
filters in taps, coloring rules, Wireshark read filters, and the
|
||
-Y, -R, and -e options to tshark, the "Apply as Filter" GUI
|
||
option, etc.
|
||
|
||
• The filter field names are prefixed by "ws.col", followed by a
|
||
lowercase version of the COL name found in epan/column-utils.h,
|
||
e.g. "_ws.col.info" or "_ws.col.protocol"
|
||
|
||
• Using the column names as a filter is slower than other filter
|
||
types because the columns must be constructed, so when the same
|
||
filtering can be achieved via other fields, prefer that.
|
||
|
||
• The external name resolution text files "manuf", "enterprises"
|
||
and "services" have been removed and replaced with static binary
|
||
data. You can dump the respective internal data using `tshark -G
|
||
manuf|enterprises|services`.
|
||
|
||
• New GUI dialog (under Tools menu) to lookup a MAC address in the
|
||
IEEE OUI registry.
|
||
|
||
• The Windows build has a new SpeexDSP external dependency
|
||
(https://www.speex.org). The speex code that was previously
|
||
bundled has been removed.
|
||
|
||
Removed Features and Support
|
||
|
||
• With the addition of the universal and consistent filtering
|
||
support for column text, the previous support in the -e option to
|
||
tshark for displaying column text via the column title, e.g.
|
||
"_ws.col.Info", has been removed. The previous implementation
|
||
allowed names that are not legal filter names and Issue 16576[6]
|
||
|
||
New Protocol Support
|
||
|
||
ASAM Capture Module Protocol (CMP), DECT DLC protocol layer
|
||
(DECT-DLC), DECT NWK protocol layer (DECT-NWK), DECT proprietary
|
||
Mitel OMM/RFP Protocol (also named AaMiDe), Digital Object Identifier
|
||
Resolution Protocol (DO-IRP), FiRa UWB Controller Interface (UCI),
|
||
FiveCo’s Register Access Protocol (5CoRAP), GPS L1 C/A LNAV
|
||
navigation messages, High Speed Fahrzeugzugang (HSFZ), ID3v2, Low
|
||
Level Signalling (ATSC3 LLS), Management Component Transport Protocol
|
||
(MCTP), Management Component Transport Protocol - Control Protocol
|
||
(MCTP CP), Matter home automation protocol, Non-volatile Memory
|
||
Express - Management Interface (NVMe-MI) over MCTP, SAP Enqueue
|
||
Server (SAPEnqueue), SAP GUI (SAPDiag), SAP HANA SQL Command Network
|
||
Protocol (SAPHDB), SAP Internet Graphic Server (SAP IGS), SAP Message
|
||
Server (SAPMS), SAP Network Interface (SAPNI), SAP Router
|
||
(SAPROUTER), SAP Secure Network Connection (SNC), SBAS L1 Navigation
|
||
Messages (SBAS L1), SINEC AP1 Protocol (SINEC AP), Train Real-Time
|
||
Data Protocol (TRDP), UBX protocol of u-blox GNSS receivers (UBX),
|
||
UDP Tracker Protocol for BitTorrent (BT-Tracker), Video Protocol 9
|
||
(VP9), Windows Delivery Optimization (MS-DO), and Zabbix Protocol
|
||
(Zabbix)
|
||
|
||
Updated Protocol Support
|
||
|
||
• The JSON dissector now has a preference to enable/disable
|
||
"unescaping" of string values. By default it is off. Previously
|
||
it was always on.
|
||
|
||
• The JSON dissector now supports "Display JSON in raw form".
|
||
|
||
• The IPv6 dissector has a new preference to show some semantic
|
||
details about addresses (default off).
|
||
|
||
• The IPv6 dissector now supports dissecting Application-aware IPv6
|
||
Networking (APN6) option[7] in the Hop-by-Hop Options Header
|
||
(HBH) and Destination Options Header (DOH). This feature supports
|
||
to dissect all three types of APN ID, which are 32-bit, 64-bit
|
||
and 128-bit in length.
|
||
|
||
• The XML dissector now supports display character according to the
|
||
"encoding" attribute of the XML declaration, and has a new
|
||
preference to set default character encoding for some XML
|
||
document without "encoding" attribute.
|
||
|
||
• The SIP dissector now has a new preference to set default charset
|
||
for displaying the body of SIP messages in raw text view.
|
||
|
||
• The HTTP dissector now supports dissecting chunked data in
|
||
streaming reassembly mode. Subdissectors of HTTP can register
|
||
itself in "streaming_content_type" subdissector table for
|
||
enabling streaming reassembly mode while transferring in chunked
|
||
encoding. This feature ensures the server stream messages of
|
||
GRPC-Web over HTTP/1.1 can be dissected even if the last chunk is
|
||
absent.
|
||
|
||
• The media type dissector table now properly treats media types
|
||
and subtypes as case-insensitive automatically, per RFC 6838.
|
||
Media types no longer need to be lower cased before registering
|
||
or looking up in the table.
|
||
|
||
• The CFM dissector has been overhauled and updated to the level of
|
||
IEEE std 802.1Q-2022 and ITU-T Rec. G.8013/Y.1371 (08/2015). This
|
||
includes dissection of additional PDU types and TLVs as well as
|
||
deeper dissection of existing PDUs and TLVs.
|
||
|
||
Too many other protocols have been updated to list them all here.
|
||
|
||
New and Updated Capture File Support
|
||
|
||
New and Updated Codec support
|
||
|
||
Adaptive Multi-Rate (AMR), if compiled with opencore-amr[8]
|
||
|
||
Getting Wireshark
|
||
|
||
Wireshark source code and installation packages are available from
|
||
https://www.wireshark.org/download.html.
|
||
|
||
Vendor-supplied Packages
|
||
|
||
Most Linux and Unix vendors supply their own Wireshark packages. You
|
||
can usually install or upgrade Wireshark using the package management
|
||
system specific to that platform. A list of third-party packages can
|
||
be found on the download page[9] on the Wireshark web site.
|
||
|
||
File Locations
|
||
|
||
Wireshark and TShark look in several different locations for
|
||
preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
|
||
locations vary from platform to platform. You can use "Help › About
|
||
Wireshark › Folders" or `tshark -G folders` to find the default
|
||
locations on your system.
|
||
|
||
Getting Help
|
||
|
||
The User’s Guide, manual pages and various other documentation can be
|
||
found at https://www.wireshark.org/docs/
|
||
|
||
Community support is available on Wireshark’s Q&A site[10] and on the
|
||
wireshark-users mailing list. Subscription information and archives
|
||
for all of Wireshark’s mailing lists can be found on the web site[11].
|
||
|
||
Bugs and feature requests can be reported on the issue tracker[12].
|
||
|
||
You can learn protocol analysis and meet Wireshark’s developers at
|
||
SharkFest[13].
|
||
|
||
How You Can Help
|
||
|
||
The Wireshark Foundation helps as many people as possible understand
|
||
their networks as much as possible. You can find out more and donate
|
||
at wiresharkfoundation.org[14].
|
||
|
||
Frequently Asked Questions
|
||
|
||
A complete FAQ is available on the Wireshark web site[15].
|
||
|
||
References
|
||
|
||
1. https://www.msys2.org/
|
||
2. https://gitlab.com/wireshark/wireshark/-/issues/18413
|
||
3. https://gitlab.com/wireshark/wireshark/-/issues/18510
|
||
4. https://gitlab.com/wireshark/wireshark/-/issues/19188
|
||
5. https://pypi.org/project/pytest/
|
||
6. https://gitlab.com/wireshark/wireshark/-/issues/16576
|
||
7. https://www.ipv6plus.net/Phase3/apn6/
|
||
8. https://sourceforge.net/projects/opencore-amr/
|
||
9. https://www.wireshark.org/download.html
|
||
10. https://ask.wireshark.org/
|
||
11. https://www.wireshark.org/lists/
|
||
12. https://gitlab.com/wireshark/wireshark/-/issues
|
||
13. https://sharkfest.wireshark.org
|
||
14. https://wiresharkfoundation.org
|
||
15. https://www.wireshark.org/faq.html
|