376 lines
15 KiB
Plaintext
376 lines
15 KiB
Plaintext
include::attributes.adoc[]
|
||
:stylesheet: ws.css
|
||
:linkcss:
|
||
:copycss: {stylesheet}
|
||
|
||
= Wireshark {wireshark-version} Release Notes
|
||
// Asciidoctor Syntax Quick Reference:
|
||
// https://asciidoctor.org/docs/asciidoc-syntax-quick-reference/
|
||
|
||
This is an experimental release intended to test new features for Wireshark 4.2.
|
||
|
||
== What is Wireshark?
|
||
|
||
Wireshark is the world’s most popular network protocol analyzer.
|
||
It is used for troubleshooting, analysis, development and education.
|
||
|
||
== What’s New
|
||
|
||
// Add a summary of **major** changes here.
|
||
// Add other changes to "New and Updated Features" below.
|
||
|
||
A Windows installer for Arm64 has been added.
|
||
|
||
Windows installer file names now have the format Wireshark-<version>-<architecture>.exe.
|
||
|
||
Wireshark is now better about generating valid UTF-8 output.
|
||
|
||
A new display filter feature for filtering raw bytes has been added.
|
||
|
||
Display filter autocomplete is smarter about not suggesting invalid syntax.
|
||
|
||
menu:Tools[MAC Address Blocks] can lookup a MAC address in the IEEE OUI registry.
|
||
|
||
Some external configuration files have been compiled in for improved start-up times.
|
||
|
||
The installation target no longer installs development headers by default.
|
||
|
||
The Wireshark installation is relocatable on Linux (and other ELF platforms
|
||
with support for relative RPATHs).
|
||
|
||
Wireshark can be compiled on Windows using https://www.msys2.org/[MSYS2].
|
||
Check the Developer's guide for instructions.
|
||
|
||
Wireshark can be cross-compiled for Windows using Linux.
|
||
Check the Developer's guide for instructions.
|
||
|
||
Packet list sorting has been updated.
|
||
|
||
menu:Tools[Browser (SSL Keylog)] can launch your web browser with the
|
||
SSLKEYLOGFILE environment variable set to the appropriate value.
|
||
|
||
Many other improvements have been made.
|
||
See the “New and Updated Features” section below for more details.
|
||
|
||
=== Bug Fixes
|
||
|
||
The following bugs have been fixed:
|
||
|
||
* wsbuglink:18413[No Audio in RTP player with Wireshark 4.0.0] - RTP player do not play audio frequently on Windows builds with Qt6.
|
||
|
||
* wsbuglink:18510[Paused playback cannot continue to play] - Playback marker does not move after resume with Qt6.
|
||
|
||
|
||
//* wsbuglink:5000[]
|
||
//* wsbuglink:6000[Wireshark bug]
|
||
//* cveidlink:2014-2486[]
|
||
//* Wireshark grabs your ID at 3 am, goes to Waffle House, and insults people.
|
||
|
||
=== New and Updated Features
|
||
|
||
The following features are new (or have been significantly updated) since version 4.0.0:
|
||
|
||
* The Windows installers now ship with Qt 6.5.2.
|
||
They previously shipped with Qt 6.2.3.
|
||
|
||
// * The Windows installers now ship with Npcap 1.75.
|
||
// They previously shipped with Npcap 1.71.
|
||
|
||
* The API has been updated to ensure that the dissection engine produces valid UTF-8 strings.
|
||
|
||
* Wireshark now builds with Qt6 by default. To use Qt5 instead pass USE_qt6=OFF to CMake.
|
||
|
||
* The "ciscodump" extcap supports Cisco IOS XE 17.x.
|
||
|
||
* The default interval between GUI updates when capturing has been decreased
|
||
from 500ms to 100ms, and is now configurable.
|
||
|
||
* The *-n* option also now disables IP address geolocation information lookup
|
||
in configured MaxMind databases (and geolocation lookup can be enabled with
|
||
*-Ng*.) This is most relevant for tshark, where geolocation lookups are
|
||
synchronous.
|
||
|
||
* The display filter drop-down list is now sorted by "most recently used" instead
|
||
of "most recently created".
|
||
|
||
* Display filter syntax-related changes:
|
||
|
||
** It is now possible to filter on raw packet data for any field by using the syntax ``@some.field == <bytes...>``.
|
||
This can be useful to filter on malformed UTF-8 strings, among other use cases where it is necessary to
|
||
look at the field's raw data.
|
||
|
||
** Negation (unary minus) now works with any display filter arithmetic expression.
|
||
|
||
** Using the slice operator with strings produces a string. Previously it
|
||
would produce a byte array. This is useful to index/slice UTF-8 multibyte strings.
|
||
String byte slices can still be obtained using the "@" (raw operator) prefix.
|
||
|
||
** Arithmetic expressions are allowed as set elements.
|
||
|
||
** Absolute date and time values can be written as Unix time.
|
||
|
||
** The limitation where a minus sign needed to be preceded by a space character
|
||
has been removed.
|
||
|
||
** Added XOR logical operator.
|
||
|
||
** Fixed the implementation of `all ... in` membership operator
|
||
(https://gitlab.com/wireshark/wireshark/-/issues/19188[#19188]).
|
||
|
||
** The deprecated ~≃ operator symbol has been removed. It was replaced by !== in version 4.0.
|
||
|
||
* Running the test suite requires the https://pypi.org/project/pytest/[pytest]
|
||
Python module. The emulation layer that allowed running tests without pytest
|
||
installed has been removed.
|
||
|
||
* When saving files or exporting packets after changing their time with the
|
||
"Time Shift" dialog, the shifted time is written to the new file.
|
||
|
||
* TLS secrets used in decrypting packets can be embedded (or discarded) from
|
||
the capture file via the GUI, similar to the options --inject-secrets and
|
||
--discard-all-secrets in editcap.
|
||
|
||
* The text of any configured column (displayed or hidden) can be filtered
|
||
anywhere that filters are used - in display filters, filters in taps, coloring
|
||
rules, Wireshark read filters, and the -Y, -R, and -e options to tshark,
|
||
the "Apply as Filter" GUI option, etc.
|
||
|
||
** The filter field names are prefixed by "_ws.col", followed by a lowercase
|
||
version of the COL_ name found in epan/column-utils.h, e.g. "_ws.col.info"
|
||
or "_ws.col.protocol"
|
||
|
||
** Using the column names as a filter is slower than other filter types
|
||
because the columns must be constructed, so when the same filtering
|
||
can be achieved via other fields, prefer that.
|
||
|
||
* The external name resolution text files "manuf", "enterprises" and "services"
|
||
have been removed and replaced with static binary data. You can dump the
|
||
respective internal data using `tshark -G manuf|enterprises|services`.
|
||
|
||
* The Lua console dialogs under the menu:Tools[] menu were refactored and redesigned.
|
||
It now consists of a single dialog window for input and output.
|
||
|
||
* Wireshark now shows byte units in the statistics in the user-selected language
|
||
(uses the system default language by default).
|
||
|
||
* Packet list sorting has been improved:
|
||
|
||
** When sorting packet list with a filter applied, only the visible packets are
|
||
sorted, which greatly increases sorting speed.
|
||
|
||
** The cache size for column text is limited to a default of 10000 rows,
|
||
which limits the maximum memory usage. The maximum value can be changed in
|
||
Preferences->Appearance->Layout
|
||
|
||
** Due to the above, columns that require packet dissection can only be sorted
|
||
if the number of visible rows is less than the cache size. If there are
|
||
more rows visible, a warning will appear. Columns that do not require packet
|
||
dissection (those that calculated directly from the capture file frame
|
||
headers, such as packet number, time, and frame length) can be sorted with
|
||
any number of visible rows.
|
||
|
||
** Sorting can be interrupted.
|
||
|
||
* When changing the dissector via the "Decode As" table for values that
|
||
have default dissectors registered, selecting "(none)" will select
|
||
no dissection (while still allowing heuristic dissectors to attempt to
|
||
dissect.) The previous behavior was to reset the dissector to the default.
|
||
To facilitate resetting the dissector, the default dissector is now sorted
|
||
at the top of the list of possible dissector options.
|
||
|
||
* The personal extcap plugin folder location on Unix has been changed to
|
||
follow existing conventions for architecture-dependent files.
|
||
The extcap personal folder is now ``$HOME/.local/lib/wireshark/extcap``.
|
||
Previously it was ``$XDG_CONFIG_HOME/wireshark/extcap``.
|
||
|
||
* The "init.lua" file is now loaded from any of the Lua plugin directories.
|
||
Previously it was loaded from the personal configuration directory. (For
|
||
backward-compatibility this is still allowed; note that deprecated features
|
||
may be removed in a future release).
|
||
|
||
* Installation of development headers must be done explicitly using the CMake
|
||
command `cmake --install <builddir> --component Development`.
|
||
|
||
* The Windows build has a new SpeexDSP external dependency (https://www.speex.org).
|
||
The speex code that was previously bundled has been removed.
|
||
|
||
=== Removed Features and Support
|
||
|
||
* With the addition of the universal and consistent filtering support for
|
||
column text, the previous support in the -e option to tshark for displaying
|
||
column text via the column title has been removed in general. Those field names
|
||
cannot be used elsewhere (as they may not be legal filter names) and create
|
||
confusion if more than one column has the same title or if a column is renamed.
|
||
Prefer the column format instead, e.g. "_ws.col.info" for "_ws.col.Info".
|
||
However, for backwards compatibilty with existing tools and scripts, the
|
||
titles of the default columns can continue to be used with "tshark -e"
|
||
(but not elsewhere.)
|
||
|
||
* The bundled script "dtd_gen.lua" that was disabled by default has been removed
|
||
from the installation. link:https://wiki.wireshark.org/Contrib[It can be found in the Wireshark Wiki under "Contrib"].
|
||
|
||
// === Removed Dissectors
|
||
|
||
// === New File Format Decoding Support
|
||
|
||
// [commaize]
|
||
// --
|
||
// --
|
||
|
||
=== New Protocol Support
|
||
|
||
// Add one protocol per line between the -- delimiters in the format
|
||
// “Full protocol name (Abbreviation)”
|
||
// git log --oneline --diff-filter=A --stat v3.7.0rc0.. epan/dissectors plugins
|
||
[commaize]
|
||
--
|
||
ASAM Capture Module Protocol (CMP)
|
||
DECT DLC protocol layer (DECT-DLC)
|
||
DECT NWK protocol layer (DECT-NWK)
|
||
DECT proprietary Mitel OMM/RFP Protocol (also named AaMiDe)
|
||
Digital Object Identifier Resolution Protocol (DO-IRP)
|
||
FiRa UWB Controller Interface (UCI)
|
||
FiveCo's Register Access Protocol (5CoRAP)
|
||
Fortinet FortiGate Cluster Protocol (FGCP)
|
||
GPS L1 C/A LNAV navigation messages
|
||
High Speed Fahrzeugzugang (HSFZ)
|
||
ID3v2
|
||
Low Level Signalling (ATSC3 LLS)
|
||
Management Component Transport Protocol - Control Protocol (MCTP CP)
|
||
Management Component Transport Protocol (MCTP)
|
||
Matter home automation protocol
|
||
Multi-Drop Bus (MDB)
|
||
Non-volatile Memory Express - Management Interface (NVMe-MI) over MCTP
|
||
SAP Enqueue Server (SAPEnqueue)
|
||
SAP GUI (SAPDiag)
|
||
SAP HANA SQL Command Network Protocol (SAPHDB)
|
||
SAP Internet Graphic Server (SAP IGS)
|
||
SAP Message Server (SAPMS)
|
||
SAP Network Interface (SAPNI)
|
||
SAP Router (SAPROUTER)
|
||
SAP Secure Network Connection (SNC)
|
||
SBAS L1 Navigation Messages (SBAS L1)
|
||
SINEC AP1 Protocol (SINEC AP)
|
||
Train Real-Time Data Protocol (TRDP)
|
||
UBX protocol of u-blox GNSS receivers (UBX)
|
||
UDP Tracker Protocol for BitTorrent (BT-Tracker)
|
||
Video Protocol 9 (VP9)
|
||
Windows Delivery Optimization (MS-DO)
|
||
Zabbix Protocol (Zabbix)
|
||
--
|
||
|
||
=== Updated Protocol Support
|
||
|
||
* JSON: The dissector now has a preference to enable/disable "unescaping"
|
||
of string values. By default it is off. Previously it was always on.
|
||
|
||
* JSON: The dissector now supports "Display JSON in raw form".
|
||
|
||
* IPv6: The dissector has a new preference to show some semantic details
|
||
about addresses (default off).
|
||
|
||
* IPv6: The dissector now supports dissecting
|
||
https://www.ipv6plus.net/Phase3/apn6/[
|
||
Application-aware IPv6 Networking (APN6) option]
|
||
in the Hop-by-Hop Options Header (HBH) and Destination Options Header (DOH).
|
||
This feature supports to dissect all three types of APN ID,
|
||
which are 32-bit, 64-bit and 128-bit in length.
|
||
|
||
* XML: The dissector now supports display character according to the "encoding"
|
||
attribute of the XML declaration, and has a new preference to set default
|
||
character encoding for some XML document without "encoding" attribute.
|
||
|
||
* SIP: The dissector now has a new preference to set default charset for
|
||
displaying the body of SIP messages in raw text view.
|
||
|
||
* HTTP: The dissector now supports dissecting chunked data in streaming reassembly
|
||
mode. Subdissectors of HTTP can register itself in "streaming_content_type"
|
||
subdissector table for enabling streaming reassembly mode while transferring in
|
||
chunked encoding. This feature ensures the server stream messages of GRPC-Web
|
||
over HTTP/1.1 can be dissected even if the last chunk is absent.
|
||
|
||
* The media type dissector table now properly treats media types and subtypes
|
||
as case-insensitive automatically, per RFC 6838. Media types no longer need
|
||
to be lower cased before registering or looking up in the table.
|
||
|
||
* CFM: The dissector has been overhauled and updated to the level of IEEE std
|
||
802.1Q-2022 and ITU-T Rec. G.8013/Y.1371 (08/2015). This includes dissection
|
||
of additional PDU types and TLVs as well as deeper dissection of existing PDUs
|
||
and TLVs.
|
||
|
||
Too many other protocol updates have been made to list them all here.
|
||
|
||
//=== New and Updated Capture File Support
|
||
|
||
// There is no new or updated capture file support in this release.
|
||
// Add one file type per line between the -- delimiters.
|
||
//[commaize]
|
||
//--
|
||
//--
|
||
|
||
// === New and Updated Capture Interfaces support
|
||
|
||
=== New and Updated Codec support
|
||
|
||
Adaptive Multi-Rate (AMR), if compiled with https://sourceforge.net/projects/opencore-amr/[opencore-amr]
|
||
|
||
//_Non-empty section placeholder._
|
||
|
||
=== Major API Changes
|
||
|
||
* Lua function "package.prepend_path" has been removed. If you need it please
|
||
consider adding your own package.path customization code or installing your
|
||
dependencies in Wireshark's default paths.
|
||
|
||
* The reassemble_streaming_data_and_call_subdissector() API has been added to provide a simpler way to
|
||
reassemble the streaming data of a high level protocol that is not on top of TCP.
|
||
|
||
== Getting Wireshark
|
||
|
||
Wireshark source code and installation packages are available from
|
||
https://www.wireshark.org/download.html.
|
||
|
||
=== Vendor-supplied Packages
|
||
|
||
Most Linux and Unix vendors supply their own Wireshark packages.
|
||
You can usually install or upgrade Wireshark using the package management system specific to that platform.
|
||
A list of third-party packages can be found on the
|
||
https://www.wireshark.org/download.html[download page]
|
||
on the Wireshark web site.
|
||
|
||
== File Locations
|
||
|
||
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries.
|
||
These locations vary from platform to platform.
|
||
You can use menu:Help[About Wireshark,Folders] or `tshark -G folders` to find the default locations on your system.
|
||
|
||
== Getting Help
|
||
|
||
The User’s Guide, manual pages and various other documentation can be found at
|
||
https://www.wireshark.org/docs/
|
||
|
||
Community support is available on
|
||
https://ask.wireshark.org/[Wireshark’s Q&A site]
|
||
and on the wireshark-users mailing list.
|
||
Subscription information and archives for all of Wireshark’s mailing lists can be found on
|
||
https://www.wireshark.org/lists/[the web site].
|
||
|
||
Bugs and feature requests can be reported on
|
||
https://gitlab.com/wireshark/wireshark/-/issues[the issue tracker].
|
||
|
||
You can learn protocol analysis and meet Wireshark’s developers at
|
||
https://sharkfest.wireshark.org[SharkFest].
|
||
|
||
// Official Wireshark training and certification are available from
|
||
// https://www.wiresharktraining.com/[Wireshark University].
|
||
|
||
== How You Can Help
|
||
|
||
The Wireshark Foundation helps as many people as possible understand their networks as much as possible.
|
||
You can find out more and donate at https://wiresharkfoundation.org[wiresharkfoundation.org].
|
||
|
||
== Frequently Asked Questions
|
||
|
||
A complete FAQ is available on the
|
||
https://www.wireshark.org/faq.html[Wireshark web site].
|