Wireshark 3.6.1 Release Notes
What’s New
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2021-17[1] RTMPT dissector infinite loop. Issue
17745[2]. CVE-2021-4185[3].
• wnpa-sec-2021-18[4] BitTorrent DHT dissector infinite loop. Issue
17754[5]. CVE-2021-4184[6].
• wnpa-sec-2021-19[7] pcapng file parser crash. Issue 17755[8].
CVE-2021-4183[9].
• wnpa-sec-2021-20[10] RFC 7468 file parser infinite loop. Issue
17801[11]. CVE-2021-4182[12].
• wnpa-sec-2021-21[13] Sysdig Event dissector crash.
CVE-2021-4181[14].
• wnpa-sec-2021-22[15] Kafka dissector infinite loop. Issue
17811[16].
The following bugs have been fixed:
• Allow sub-second timestamps in hexdumps Issue 15562[17].
• GRPC: An unnecessary empty Protobuf tree item is displayed if the
GRPC message body length is 0 Issue 17675[18].
• Can’t install "ChmodBPF.pkg" or "Add Wireshark to the system
path.pkg" on M1 MacBook Air Monterey without Rosetta 2 Issue
17757[19].
• TECMP: LIN Payload is cut off by 1 byte Issue 17760[20].
• Wireshark crashes if a 64 bit field of type BASE_CUSTOM is
applied as a column Issue 17762[21].
• Command line option "-o console.log.level" causes wireshark and
tshark to exit on start Issue 17763[22].
• Setting WIRESHARK_LOG_LEVEL=debug breaks interface capture Issue
17764[23].
• Unable to build without tshark Issue 17766[24].
• IEEE 802.11 action frames are not getting parsed and always seen
as malformed Issue 17767[25].
• IEC 60870-5-101 link address field is 1 byte, but should have
configurable length of 0,1 or 2 bytes Issue 17775[26].
• dfilter: 'tcp.port not in {1}' crashes Wireshark Issue 17785[27].
New and Updated Features
• The 'console.log.level' preference was removed in Wireshark
3.6.0. This release adds an '-o console.log.level:'
backward-compatibility option on the CLI that maps to the new
logging sub-system. Note that this does not have bitmask
semantics and does not correspond to any actual preference. It is
just a transition mechanism for users that were relying on this
CLI option and will be removed in the future. To see the new
diagnostic output options consult the manpages or the output of
'--help'.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ANSI A I/F, AT, BitTorrent DHT, FF, GRPC, IEC 101/104, IEEE 802.11,
IEEE 802.11 Radiotap, IPsec, Kafka, QUIC, RTMPT, RTSP, SRVLOC, Sysdig
Event, and TECMP
New and Updated Capture File Support
BLF and RFC 7468
New File Format Decoding Support
There is no new or updated file format support in this release.
Wireshark 3.6.0 Release Notes
What’s New
Many improvements have been made. See the “New and Updated Features”
section below for more details. You might want to pay particular
attention to the display filter syntax updates.
New and Updated Features
The following features are new (or have been significantly updated)
since version 3.6.0rc3:
• The macOS Intel packages now ship with Qt 5.15.3 and require
macOS 10.13 or later.
The following features are new (or have been significantly updated)
since version 3.6.0rc2:
• Display filter set elements must now be comma-separated. See
below for more details.
The following features are new (or have been significantly updated)
since version 3.6.0rc1:
• The display filter expression “a != b” now has the same meaning
as “!(a == b)”.
The following features are new (or have been significantly updated)
since version 3.5.0:
• Nothing of note.
The following features are new (or have been significantly updated)
since version 3.4.0:
• Several changes have been made to the display filter syntax:
• The expression “a != b” now always has the same meaning as
“!(a == b)”. In particular this means filter expressions with
multi-value fields like “ip.addr != 1.1.1.1” will work as
expected (the result is the same as typing “ip.src != 1.1.1.1 and
ip.dst != 1.1.1.1”). This avoids the contradiction (a == b and a
!= b) being true.
• It is possible to use the syntax “a ~= b” or “a any_ne b” to
recover the previous (inconsistent with "==") logic for not
equal.
• Literal strings can now be specified using raw string syntax,
identical to raw strings in the Python programming language. This
can be used to avoid the complexity of using two levels of
character escapes with regular expressions.
• Set elements must now be separated using a comma. A filter
such as http.request.method in {"GET" "HEAD"} must be written as
… in {"GET", "HEAD"}. Whitespace is not significant. The
previous use of whitespace as separator is deprecated and will be
removed in a future version.
• Support for the syntax "a not in b" with the same meaning as
"not a in b" has been added.
• Packaging updates:
• A macOS Arm 64 (Apple Silicon) package is now available.
• The macOS Intel packages now ship with Qt 5.15.3 and require
macOS 10.13 or later.
• The Windows installers now ship with Npcap 1.55.
• A 64-bit Windows PortableApps package is now available.
• TCP conversations now support a completeness criteria, which
facilitates the identification of TCP streams having any of
opening or closing handshakes, a payload, in any combination. It
can be accessed with the new tcp.completeness filter.
• Protobuf fields that are not serialized on the wire or otherwise
missing in capture files can now be displayed with default values
by setting the new “add_default_value” preference. The default
values might be explicitly declared in “proto2” files, or false
for bools, first value for enums, zero for numeric types.
• Wireshark now supports reading Event Tracing for Windows (ETW). A
new extcap named ETW reader can open an etl file, convert all
events in the file to DLT_ETW packets and write them to a
specified FIFO destination. Also, a new packet_etw dissector
dissects DLT_ETW packets so Wireshark can display the DLT_ETW
packet header and its message. The packet_etw dissector calls the
packet_mbim sub-dissector if its provider matches the MBIM
provider GUID.
• “Follow DCCP stream” feature to filter for and extract the
contents of DCCP streams.
• Wireshark now supports dissecting RTP packets with OPUS payloads.
• Importing captures from text files based on regular expressions
is now possible. By specifying a regex that captures a single
packet, including capturing groups for relevant fields, a text
file can be converted to a libpcap capture file. Supported data
encodings are plain-hexadecimal, -octal, -binary and base64. Also,
the timestamp format now allows the second-fractions to be placed
anywhere in the timestamp, and it will be stored with nanosecond
instead of microsecond precision.
• The RTP Player has been significantly redesigned and improved.
See Playing VoIP Calls[1] and RTP Player Window[2] in the User’s
Guide for more details.
• The RTP Player can play many streams in a row.
• The UI is more responsive.
• The RTP Player maintains a playlist, and other tools can add and
remove streams to and from it.
• Every stream can be muted or routed to the left or right
channel for replay.
• The option to save audio has been moved from the RTP Analysis
dialog to the RTP Player. The RTP Player also saves what was
played, and it can save in multichannel .au or .wav.
• The RTP Player is now accessible from the Telephony › RTP ›
RTP Player menu.
• The VoIP dialogs (VoIP Calls, RTP Streams, RTP Analysis, RTP
Player, SIP Flows) are non-modal and can stay open in the
background.
• The same tools are provided across all dialogs (Prepare
Filter, Analyse, RTP Player …)
• The “Follow Stream” dialog is now able to follow SIP calls based
on their Call-ID value.
• The “Follow Stream” dialog’s YAML output format has been updated
to add timestamps and peers information. For more details see
Following Protocol Streams[3] in the User’s Guide.
• IP fragments between public IPv4 addresses are now reassembled
even if they have different VLAN IDs. Reassembly of IP fragments
where one endpoint is a private (RFC 1918 section 3) or
link-local (RFC 3927) IPv4 address continues to take the VLAN ID
into account, as those addresses can be reused. To revert to the
previous behavior and not reassemble fragments with different
VLAN IDs, turn on the “Enable stricter conversation tracking
heuristics” top level protocol preference.
• USB Link Layer reassembly has been added, which allows hardware
captures to be analyzed at the same level as software captures.
• TShark can now export TLS session keys with the
--export-tls-session-keys option.
• Wireshark participated in the Google Season of Docs 2020 and the
User’s Guide has been extensively updated.
• The “RTP Stream Analysis” dialog CSV export format was slightly
changed. The first line of the export contains column titles as
in other CSV exports.
• Wireshark now supports the Turkish language.
• The settings in the “Import from Hex Dump” dialog are now stored
in a profile import_hexdump.json file.
• Analyze › Reload Lua Plugins has been improved to properly
support FileHandler.
• The “RTP Stream Analysis” and “IAX2 Stream Analysis” dialogs now
show correct mean jitter calculations.
• RTP streams are now created based on Skinny protocol messages in
addition to other types of messages.
• The “VoIP Calls Flow Sequence” window shows more information
about various Skinny messages.
• Initial support for building Wireshark on Windows using GCC and
MinGW-w64 has been added. See README.msys2 in the sources for
more information.
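The display filter change described above (“a != b” now means “!(a == b)”, with “a ~= b” / “a any_ne b” keeping the previous logic) matters for any saved filter that hides a host with “ip.addr != …”. The following model is an added example, not Wireshark code; the packets are constructed and the helper names are hypothetical.

```python
"""Model of Wireshark display filter comparisons on multi-value fields.

Added illustration, not Wireshark code. The packets are constructed and
the helper names are hypothetical. "ip.addr" is multi-valued because it
carries both ip.src and ip.dst of a packet.
"""
from ipaddress import ip_address

# Constructed sample traffic as (ip.src, ip.dst) pairs.
PACKETS = [
    ("1.1.1.1", "10.0.0.5"),   # from the host of interest
    ("10.0.0.5", "1.1.1.1"),   # to the host of interest
    ("10.0.0.5", "10.0.0.9"),  # unrelated traffic
    ("1.1.1.1", "1.1.1.1"),    # both ends are the host of interest
]


def field_values(pkt, field):
    """Return every value a field takes in one packet."""
    src, dst = (ip_address(a) for a in pkt)
    return {"ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst]}[field]


def eq(pkt, field, value):
    """'field == value': true if ANY value of the field equals value."""
    return any(v == ip_address(value) for v in field_values(pkt, field))


def any_ne(pkt, field, value):
    """'field ~= value' or 'field any_ne value': the pre-3.6 meaning of
    '!=', true if ANY value of the field differs from value."""
    return any(v != ip_address(value) for v in field_values(pkt, field))


def ne(pkt, field, value):
    """'field != value' since 3.6: exactly '!(field == value)'."""
    return not eq(pkt, field, value)


def select(predicate):
    """Apply a filter predicate to the constructed capture."""
    return [p for p in PACKETS if predicate(p)]


def contradictions(host):
    """Packets where 'ip.addr == host' and the old not-equal both hold."""
    return select(
        lambda p: eq(p, "ip.addr", host) and any_ne(p, "ip.addr", host)
    )


def exclude_host_old(host):
    """What 'ip.addr != host' displayed before 3.6 ('ip.addr ~= host')."""
    return select(lambda p: any_ne(p, "ip.addr", host))


def exclude_host_new(host):
    """What 'ip.addr != host' displays from 3.6 on."""
    return select(lambda p: ne(p, "ip.addr", host))


def exclude_host_explicit(host):
    """'ip.src != host and ip.dst != host', the form the notes compare to."""
    return select(
        lambda p: ne(p, "ip.src", host) and ne(p, "ip.dst", host)
    )


if __name__ == "__main__":
    host = "1.1.1.1"
    print("old '!=' keeps:", exclude_host_old(host))
    print("new '!=' keeps:", exclude_host_new(host))
    print("== and old != both true for:", contradictions(host))
```

Under the previous logic the exclusion filter still shows three of the four packets, two of them involving the host it was meant to hide; under the 3.6 logic only the unrelated packet remains.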
New File Format Decoding Support
Vector Informatik Binary Log File (BLF)
New Protocol Support
5G Lawful Interception (5GLI), Bluetooth Link Manager Protocol (BT
LMP), Bundle Protocol version 7 (BPv7), Bundle Protocol version 7
Security (BPSec), CBOR Object Signing and Encryption (COSE), E2
Application Protocol (E2AP), Event Tracing for Windows (ETW), EXtreme
extra Eth Header (EXEH), High-Performance Connectivity Tracer
(HiPerConTracer), ISO 10681, Kerberos SPAKE, Linux psample protocol,
Local Interconnect Network (LIN), Microsoft Task Scheduler Service,
O-RAN E2AP, O-RAN fronthaul UC-plane (O-RAN), Opus Interactive Audio
Codec (OPUS), PDU Transport Protocol, R09.x (R09), RDP Dynamic
Channel Protocol (DRDYNVC), RDP Graphic pipeline channel Protocol
(EGFX), RDP Multi-transport (RDPMT), Real-Time Publish-Subscribe
Virtual Transport (RTPS-VT), Real-Time Publish-Subscribe Wire
Protocol (processed) (RTPS-PROC), Shared Memory Communications (SMC),
Signal PDU, SparkplugB, State Synchronization Protocol (SSyncP),
Tagged Image File Format (TIFF), TP-Link Smart Home Protocol, UAVCAN
DSDL, UAVCAN/CAN, UDP Remote Desktop Protocol (RDPUDP), Van Jacobson
PPP compression (VJC), World of Warcraft World (WOWW), and X2 xIRI
payload (xIRI)
Updated Protocol Support
Too many protocols have been updated to list here.
New and Updated Capture File Support
Vector Informatik Binary Log File (BLF)
Wireshark 3.4.10 Release Notes
What’s New
This release fixes a forward compatibility issue[1] with the I/O
Graphs preferences.
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2021-07[2] Bluetooth DHT dissector crash. Issue
17651[3]. CVE-2021-39929[4].
• wnpa-sec-2021-08[5] Bluetooth HCI_ISO dissector crash. Issue
17649[6]. CVE-2021-39926[7].
• wnpa-sec-2021-09[8] Bluetooth SDP dissector crash. Issue
17635[9]. CVE-2021-39925[10].
• wnpa-sec-2021-10[11] Bluetooth DHT dissector large loop. Issue
17677[12]. CVE-2021-39924[13].
• wnpa-sec-2021-11[14] PNRP dissector large loop. Issue 17684[15].
• wnpa-sec-2021-12[16] C12.22 dissector crash. Issue 17636[17].
CVE-2021-39922[18].
• wnpa-sec-2021-13[19] IEEE 802.11 dissector crash. Issue
17704[20]. CVE-2021-39928[21].
• wnpa-sec-2021-14[22] Modbus dissector crash. Issue 17703[23].
CVE-2021-39921[24].
• wnpa-sec-2021-15[25] IPPUSB dissector crash. Issue 17705[26].
CVE-2021-39920[27].
The following bugs have been fixed:
• OSS-Fuzz: Heap-use-after-free in ROS Issue 16342[28].
• Allow for '\0' (NULL) character as filter instead of requiring
0x00 for the character match Issue 16525[29].
• Dumpcap with threads reports double received count vs captured
Issue 17089[30].
• I/O Graphs values reset to default with 3.5 due to change of UAT
Issue 17623[31].
• HTTP2 dissector reports an assertion error on large data frames
Issue 17633[32].
• TShark stops capturing when capturing with multiple files and
packet printing enabled Issue 17654[33].
• Wireshark is unable to decode the IMSI IE received in BSSMAP
Perform Location request Issue 17667[34].
• WSLUA: Crash on reload if Proto has no fields Issue 17668[35].
• Crash in flow analysis for TCP Issue 17722[36].
Updated Protocol Support
BT HCI_ISO, BT SDP, BT-DHT, C12.22, CAN FD, CSN1, EAPOL-MKA, EVS, GSM
BSSMAP LE, HTTP2, IDMP, IEEE 1905.1a, IEEE 802.11, IPPUSB, Modbus,
PNRP, and TCP
New and Updated Capture File Support
pcap
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Not committed (merge conflicts...):
net/radsecproxy/distinfo
The following distfiles could not be fetched (fetched conditionally?):
./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
Wireshark 3.4.9 Release Notes
Bug Fixes
The following bugs have been fixed:
• TShark PDML output embeds "proto" elements within other "proto"
elements Issue 10588[1].
• Filter expressions comparing against single-octet hex strings
where the hex digit string equals a protocol name don’t work
Issue 12810[2].
• AMQP 0.9: dissector fails to handle Content-Body frame split
across TCP packets Issue 14217[3].
• IEEE 802.15.4: Missing check on "PAN ID Present" bit of the
Multipurpose Frame Control field Issue 17496[4].
• Wireshark ignored some character in filename when exporting SMB
objects. Issue 17530[5].
• tshark -z credentials: assertion failed: (allocator->in_scope)
Issue 17576[6].
• IS-IS Extended IP Reachability Prefix-SID not decoded properly
Issue 17610[7].
• Error when reloading lua plugins with a capture file loaded via a
custom lua file handler Issue 17615[8].
• Absolute time UTC field filters are constructed incorrectly,
don’t match the packet Issue 17617[9].
• GUI freezes when clicking on large (non-capture) file in File
chooser Issue 17620[10].
• Crash after selecting a different profile while capturing Issue
17622[11].
• BT-DHT reports malformed packets that are actually uTP on same
connection Issue 17626[12].
New and Updated Features
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
AMQP, Aruba IAP, BGP, BT-DHT, CoAP, DCERPC SPOOLSS, Diameter, EPL,
GSM A-bis OML, GSM A-I/F COMMON, GSM SIM, IEEE 1905.1a, IEEE
802.15.4, IMAP, InfiniBand, ISIS LSP, ISObus VT, JPEG, MP2T,
NORDIC_BLE, QUIC, RTCP, SDP, SMB, TWAMP-Control, USB HID, and VSS
Monitoring
New and Updated Capture File Support
CAM Inspector, Ixia IxVeriWave, pcapng, and USBDump
Wireshark 3.4.8 Release Notes
Bug Fixes
The following bugs have been fixed:
• Dissector bug reported for Bluetooth Cycling Power Measurement
characteristic for extreme angles value Issue 17505[1].
• vcruntime140_1.dll deleted on Wireshark update/install Issue
17506[2].
• Raknet Addresses are incorrectly identified. Issue 17509[3].
• Editcap saving files as ethernet when specifying '-T
ieee-802-11-*' Issue 17520[4].
• CoAP dissector confuses Content-Format with Accept Issue
17536[5].
New and Updated Features
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
BT ATT, BT LE LL, CoAP, DLM3, GSM SIM, iLBC, and RakNet
New and Updated Capture File Support
There is no new or updated capture file support in this release.
Wireshark 3.4.7
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2021-06[1] DNP dissector crash. Issue 17462[2].
CVE-2021-22235[3].
The following bugs have been fixed:
• TCP dissector - Erroneous DSACK reporting Issue 17315[4].
• No wlan_radio.duration calculated for PHY type: 802.11ac (VHT)
Issue 17419[5].
• NAN Dissector has wrong minimum length for availability attribute
Issue 17431[6].
New and Updated Features
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ASTERIX, BT LE LL, DCE RPC, DNP, GTPv2, IEEE 802.11 Radio, LDAP, NAN,
NORDIC_BLE, NR RRC, OSPF, pcapng, PNIO, RSL, S101, Snort config, and
TCP
New and Updated Capture File Support
Catapult DCT2000, ERF, and pcap
Wireshark 3.4.6 Release Notes
What’s New
The Windows installers now ship with Npcap 1.31. They previously
shipped with Npcap 1.10.
The Windows installers now ship with Qt 5.15.2. They previously
shipped with Qt 5.12.1.
Bug Fixes
• wnpa-sec-2021-04[1] DVB-S2-BB dissector infinite loop
The following bugs have been fixed:
• Macro filters can’t handle escaped characters Issue 17160[2].
• Display filter crashes Wireshark Issue 17316[3].
• IEEE-1588 Signalling Unicast TLV incorrectly reported as being
malformed Issue 17355[4].
• IETF QUIC TLS decryption error with extraneous packets during the
handshake Issue 17383[5].
• Statistics → Resolved Addresses: multi-protocol (TCP/UDP/…)
ports not displayed Issue 17395[6].
New and Updated Features
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
DNP, DVB-S2-BB, ProtoBuf, PTP, QUIC, RANAP, and TACACS
New and Updated Capture File Support
Ascend, ERF, K12, NetScaler, and pcapng
Wireshark 3.4.5 Release Notes
What’s New
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2021-04[1] MS-WSP dissector excessive memory
consumption. Issue 17331[2].
The following bugs have been fixed:
• TShark does not print GeoIP information Issue 14691[3].
• TShark error when piping to "head" Issue 16192[4].
• Parts of ASCII representation in Packet Bytes pane are missing
Issue 17087[5].
• Buildbot crash output: fuzz-2021-02-22-1012761.pcap Issue
17254[6].
• NDPE attribute of NAN packet is not dissected Issue 17278[7].
• TECMP: reserved flag interpreted as part of timestamp Issue
17279[8].
• Master branch does not compile at least with gcc-11 Issue
17281[9].
• DNS IXFR/AXFR multiple response Issue 17293[10].
• File too large Issue 17301[11].
• Build fails with CMake 3.20 Issue 17314[12].
New and Updated Features
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
DECT, DNS, EAP, Kerberos, LDAP, MS-WSP, SMB2, Sysdig, TECMP, and WiFi
NAN
New and Updated Capture File Support
pcapng
Wireshark 3.4.4 Release Notes
What’s New
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2021-03[1] Wireshark could open unsafe URLs. Issue
17232[2]. CVE-2021-22191[3].
The following bugs have been fixed:
• NTP Version 3 Client Decode PDML output issue (Reference ID
Issue) Issue 17112[4].
• 3.4.2: public wireshark include files are including build time
"config.h" Issue 17190[5].
• wireshark-3.4.3/epan/dissectors/packet-s7comm.c:3521: bad array
index ? Issue 17198[6].
• SIP protocol: P-Called-Party-ID header mixed up with
P-Charge-Info header Issue 17215[7].
• Asterix CAT010 Decode Error Issue 17226[8].
• _ws.expert columns not populated for IPv4 Issue 17228[9].
• Buildbot crash output: fuzz-2021-02-12-1651908.pcap Issue
17233[10].
• gQUIC: Wireshark 3.4.3 fails to dissect a packet (gQUIC q024)
that v3.2.6 succeeds. Issue 17250[11].
Wireshark 3.4.3 Release Notes
What’s New
The Windows installers now ship with Npcap 1.10. They previously
shipped with Npcap 1.00.
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2021-01[1] USB HID dissector memory leak. Bug 17124[2].
CVE-2021-22173[3].
• wnpa-sec-2021-02[4] USB HID dissector crash. Bug 17165[5].
CVE-2021-22174[6].
The following bugs have been fixed:
• SIP response single-line multiple Contact-URIs decoding error Bug
13752[7].
• Adding filter while "Telephony→VoIP Calls→Flow Sequence" open
causes OOB memory reads and potential crashes. Bug 16952[8].
• QUIC packet not fully dissected Bug 17077[9].
• SOMEIP-SD hidden entries are off Bug 17091[10].
• Problem with calculation on UDP checksum in SRv6 Bug 17097[11].
• Dark mode not working in Wireshark 3.4.2 on macOS Bug 17098[12].
• Wireshark 3.4.0: build failure on older MacOS releases, due to
'CLOCK_REALTIME' Bug 17101[13].
• TECMP: Status Capture Module messages shows 3 instead of 2 bytes
for HW version Bug 17133[14].
• Documentation - editorial error - README.dissector bad reference
Bug 17141[15].
• Cannot save capture with comments to a format that doesn’t
support it (no pop-up) Bug 17146[16].
• AUTOSAR-NM: PNI TF-String wrong way around Bug 17154[17].
• Fibre Channel parsing errors even with the fix for 17084 Bug
17168[18].
• f5ethtrailer: Won’t find a trailer after an FCS that begins with
a 0x00 byte Bug 17171[19].
• f5ethtrailer: legacy format, low noise only, no vip name trailers
no longer detected Bug 17172[20].
• Buildbot crash output: fuzz-2021-01-22-3387835.pcap Bug
17174[21].
• Dissection error on large ZVT packets Bug 17177[22].
• TShark crashes with -T ek option Bug 17179[23].
New and Updated Features
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
AUTOSAR-NM, DHCPv6, DoIP, FC ELS, GQUIC, IPv6, NAS 5GS, NAS EPS,
QUIC, SIP, SOME/IP-SD, TECMP, TLS, TPNCP, USB HID, and ZVT
New and Updated Capture File Support
f5ethtrailer and pcapng
Wireshark 3.4.2 Release Notes
What’s New
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-20[1] QUIC dissector crash Bug 17073[2].
The following bugs have been fixed:
New and Updated Features
• IETF QUIC TLS decryption errors when packets are coalesced with
random data Bug 16914[3].
• QUIC: missing dissection of some coalesced SH packets Bug
17011[4].
• macos-setup.sh can’t find SDK on macOS Big Sur, as it went to 11
Bug 17043[5].
• Mapping endpoints in browser ⇒ Map file error Bug 17074[6].
• Wireshark 3.4.1 hangs on startup on macOS Big Sur 11.0.1 Bug
17075[7].
• False expect error seen on FCoE frames (not seen with older
release wireshark 1.2.18) Bug 17084[8].
• Several libraries missing in 3.4.1 and 3.2.9 installers for macOS
Bug 17086[9].
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
DOCSIS, FC-dNS, FC-SWILS, FCoE, QUIC, SNMP, and USBHID
New and Updated Capture File Support
There is no new or updated capture file support in this release.
Wireshark 3.4.1 Release Notes
What is Wireshark?
Wireshark is the world’s most popular network protocol analyzer. It is
used for troubleshooting, analysis, development and education.
What’s New
Bug Fixes
• wnpa-sec-2020-16[1] Kafka dissector memory leak. Bug 16739[2].
CVE-2020-26418[3].
• wnpa-sec-2020-17[4] USB HID dissector crash. Bug 16958[5].
CVE-2020-26421[6].
• wnpa-sec-2020-18[7] RTPS dissector memory leak. Bug 16994[8].
CVE-2020-26420[9].
• wnpa-sec-2020-19[10] Multiple dissector memory leak. Bug
17032[11]. CVE-2020-26419[12].
The following bugs have been fixed:
New and Updated Features
• IETF QUIC TLS decryption errors when a NAT rebinding happens for
a connection Bug 16915[13].
• IETF QUIC TLS decryption error with key update Bug 16916[14].
• IETF QUIC TLS decryption error after the second key update Bug
16920[15].
• SOME/IP: Wrong dissection of parameters after Array Bug
16951[16].
• Can editcap properly corrupt pcapng file with systemd journal
export block? Bug 16965[17].
• Crash when a GIOP ior.txt file is present Bug 16984[18].
• Protobuf: failed to parse .proto file contains negative enum
values or option values of number type Bug 16988[19].
• MMRP dissector bug Bug 17005[20].
• QUIC: "Loss bits" capability Bug 17010[21].
• Stdin capture fails on Windows Bug 17018[22].
• SSTP no longer recognized Bug 17024[23].
• RFC2190 encapsulated H.263 bitfields masked wrong in Mode A Bug
17025[24].
• editcap fails when splitting into multiple pcapng files Bug
17060[25].
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ACDR, DOCSIS, Ericsson HDLC, F5 Ethernet Trailer, GIOP, GSM A, GSM
RLC MAC, HTTP, IEEE 802.11, Kafka, LLC, MBIM, MMRP, NAS 5GS, NAS EPS,
Nordic BLE, ProtoBuf, QUIC, Radiotap, RFC 2190, RTCP, RTPS, S1AP,
SOME/IP, STUN, and USB Video
New and Updated Capture File Support
pcapng
Wireshark 3.4.0
New and Updated Features
The following features are new (or have been significantly updated) since version 3.4.0rc1:
• Nothing of note.
The following features are new (or have been significantly updated) since version 3.3.1:
• Protobuf fields defined as the google.protobuf.Timestamp type of the Protobuf standard library can now be dissected as Wireshark fields of absolute time type.
The following features are new (or have been significantly updated) since version 3.3.0:
• The Windows installers now ship with Npcap 1.00. They previously shipped with Npcap 0.9997.
• The Windows installers now ship with Qt 5.15.1. They previously shipped with Qt 5.12.8.
The following features are new (or have been significantly updated) since version 3.2.0:
• Windows executables and installers are now signed using SHA-2 only.
• Saving an RTP stream to .au supports any codec with an 8000 Hz rate supported by Wireshark (shown in the RTP player). If the audio cannot be saved (unsupported codec or rate), silence of the same length is saved and a warning is shown.
• Asynchronous DNS resolution is always enabled. As a result, the c-ares library is now a required dependency.
• Protobuf fields can be dissected as Wireshark (header) fields, which allows users to enter the full names of Protobuf fields or messages in the Filter toolbar for searching.
• Dissectors based on Protobuf can register themselves to a new 'protobuf_field' dissector table, which is keyed with the full names of fields, for further parsing fields of BYTES or STRING type.
• Wireshark is able to decode, play, and save iLBC payload on platforms where the iLBC library is available.
• Wireshark is able to decode, play, and save opus payload on platforms where the opus library is available.
• “Decode As” entries can now be copied from other profiles using a button in the dialog.
• sshdump can now be copied to multiple instances. Each instance will show up as a different interface and will have its own profile.
• The main window now supports a packet diagram view, which shows each packet as a textbook-style diagram.
• Filter buttons (“Preferences → Filter Buttons”) can be grouped by using “//” as a path separator in the filter button label.
• IPP Over USB packets can now be dissected and displayed.
New Protocol Support
Arinc 615A (A615A), Asphodel Protocol, AudioCodes Debug Recording (ACDR), Bluetooth HCI ISO (BT HCI ISO), Cisco MisCabling Protocol (MCP), Community ID Flow Hashing (CommunityID), DCE/RPC IRemoteWinspool SubSystem (IREMOTEWINSPOOL), Dynamic Link Exchange Protocol (DLEP), EAP Generalized Pre-Shared Key (EAP-GPSK), EAP Password Authenticated Exchange (EAP-PAX), EAP Pre-Shared Key (EAP-PSK), EAP Shared-secret Authentication and Key Establishment (EAP-SAKE), Fortinet Single Sign-on (FSSO), FTDI Multi-Protocol Synchronous Serial Engine (FTDI MPSSE), Hypertext Transfer Protocol Version 3 (HTTP3), ILDA Digital Network (IDN), Java Debug Wire Protocol (JDWP), LBM Stateful Resolution Service (LBMSRS), Lithionics Battery Management, .NET Message Framing Protocol (MC-NMF), .NET NegotiateStream Protocol (MS-NNS), OBSAI UDP-based Communication Protocol (UDPCP), Palo Alto Heartbeat Backup (PA-HB-Bak), ScyllaDB RPC, Technically Enhanced Capture Module Protocol (TECMP), Tunnel Extensible Authentication Protocol (TEAP), UDP based FTP w/ multicast V5 (UFTP5), and USB Printer (USBPRINTER)
Updated Protocol Support
Too many protocols have been updated to list here.
New and Updated Capture File Support
MP4 (ISO/IEC 14496-12)
Wireshark 3.2.7 Release Notes
The Windows installers now ship with Npcap 0.9997. They previously
shipped with Npcap 0.9994.
The Windows installers now ship with Qt 5.12.9. They previously
shipped with Qt 5.12.8.
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-11[1] MIME Multipart dissector crash. Bug 16741[2].
Fixed in master: 2411eae9ed Fixed in master-3.2: 21f082cb6e Fixed
in master-3.0: 14e274f3be Fixed in master-2.6: 5803c7b87b
• wnpa-sec-2020-12[3] TCP dissector crash. Bug 16816[4]. Fixed in
master: c4634b1e99 Fixed in master-3.2: e9b727595b Fixed in
master-3.0: 7f3fe6164a Fixed in master-2.6: 9d7ab8b46f
• wnpa-sec-2020-13[5] BLIP dissector crash. Bug 16866[6]. Fixed in
master: 4a94842710 Fixed in master-3.2: 594d312b12 Fixed in
master-3.0: 2fb6002559 Fixed in master-2.6: n/a
The following bugs have been fixed:
• HTTP dissector fails to display correct UTF-16 XML Bug 9069[7].
• TFTP dissector does not track conversations correctly. Source
file and Destination File redundant or disagree. Bug 10305[8].
• Dissector skips DICOM command Bug 13110[9].
• Editcap time adjustment doesn’t work when both infile and outfile
are ERF Bug 16578[10].
• dissect_tds7_colmetadata_token() has wrong return value if count
is 0 Bug 16682[11].
• "total block length … is too small" for Systemd Journal Export
Block Bug 16734[12].
• MNC 11 is showing Mobile Network Code (MNC): NTT DoCoMo Tokai
Inc. (11) But its belonging to Rakuten Network Bug 16755[13].
• DICOM object extraction: discrepancy between tshark and wireshark
Bug 16771[14].
• S1-U data forwarding info and S103 PDN data forwarding info IE’s
showing improper value Bug 16777[15].
• Wireshark crashes while opening a capture Bug 16780[16].
• Changing preferences via Decode As does not call callback Bug
16787[17].
• Decoding of PFCP IE 'Remote GTP-U Peer' is incorrect Bug
16805[18].
• Ng-enb not decoded correctly for Target Identification IE for
GTPV2 Bug 16822[19].
• The client timestamp is parsed error for Google QUIC (version
Q039) Bug 16839[20].
• NAS-5G : PDU session reactivation result Bug 16842[21].
• Wireshark fails to detect libssh >= 0.9.5 Bug 16845[22].
Wireshark 3.2.6 Release Notes
What’s New
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-10[1] Kafka dissector crash. Bug 16672[2].
CVE-2020-17498[3].
The following bugs have been fixed:
• Kafka dissector fails parsing FETCH responses. Bug 16623[4].
• Dissector for ASTERIX Category 001 / 210 does not recognize bit 1
as extension. Bug 16662[5].
• "invalid timestamp" for Systemd Journal Export Block. Bug
16664[6].
• Decoding Extended Emergency number list IE length. Bug 16668[7].
• Some macOS Bluetooth PacketLogger capture files aren’t recognized
as PacketLogger files (regression, bisected). Bug 16670[8].
• Short IMSIs (5 digits) lead to wrong decoding+warning. Bug
16676[9].
• Decoding of PFCP IE 'PFD Contents' results in "malformed packet".
Bug 16704[10].
• RFH2 Header with 32 or less bytes of NameValue will not parse out
that info. Bug 16733[11].
• CDP: Port ID TLV followed by Type 1009 TLV triggers [Malformed
Packet]. Bug 16742[12].
• tshark crashed when processing opcda. Bug 16746[13].
• tshark with --export-dicom gives “Segmentation fault (core
dumped)”. Bug 16748[14].
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ASTERIX, BSSAP, CDP, CoAP, DCERPC SPOOLSS, DCOM, DICOM, DVB-S2,
E.212, GBCS, GSM RR, GSM SMS, IEEE 802.11, Kafka, MQ, Nano, NAS 5GS,
NIS+, NR RRC, PacketLogger, PFCP, RTPS, systemd Journal, TDS, TN3270,
and TN5250
New and Updated Capture File Support
PacketLogger and pcapng
Wireshark 3.2.5 Release Notes
What’s New
The Windows installers now ship with Npcap 0.9994. They previously
shipped with Npcap 0.9991.
The Windows installers now ship with USBPcap 1.5.4.0. They previously
shipped with USBPcap 1.5.3.0.
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-09[1] GVCP dissector infinite loop.
CVE-2020-15466[3].
The following bugs have been fixed:
• Add decryption support for QUIC IETF version 0xfaceb001 and
0xfaceb002.
• Windows Uninstall does not remove all files in Program Files.
• The "relative sequence number" is same as "raw sequence number"
when tcp.analyze_sequence_numbers:FALSE.
• Importing profiles from a different Windows PC fails.
• Decode as not working correctly with multiple user profiles.
• Wireshark can misdissect the HE Radiotap field if it’s ever
dissected one with any value unknown.
• Buildbot crash output: fuzz-2020-06-19-5981.pcap.
• Buildbot crash output: fuzz-2020-06-20-7665.pcap.
• mergecap man page contains invalid formatting.
Wireshark 3.2.4 Release Notes
What’s New
The Windows installers now ship with Qt 5.12.8. They previously
shipped with Qt 5.12.6.
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-08[1] A dissector went awry.
The following bugs have been fixed:
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
New and Updated Capture File Support
There is no new or updated capture file support in this release.
Wireshark 3.2.3 Release Notes
Wireshark 3.2.0 to 3.2.2 might not update automatically on macOS in
some cases. If you’re running those versions on macOS you might have
to update to a later version manually.
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-07[2] The BACapp dissector could crash.
The following bugs have been fixed:
• Add (IETF) QUIC Dissector.
• Rename profile name loses list selection.
• Dissector bug warning dissecting TLS Certificate Request with
many names.
• Only ACKs, but no DATA frames are visible in -> TCP Stream Graph
-> Time Sequence (tcptrace).
• Copy>Description does not work properly for all tree items.
• Importing profiles in Windows - zip files fail and from directory
crashes Wireshark.
• Packet List selection is gone when adding or removing a display
filter.
• Check for updates, and auto-update, not working in 3.2.1.
• f5ethtrailer: TLS trailer creates incorrect CLIENT keylog
entries.
• Buildbot crash output: randpkt-2020-03-04-18423.pcap.
• File open dialog shows garbled time stamps.
• RTCP Bye without optional reason reported as [Malformed Packet].
• Undefined-shift in dissect_rtcp.
• SOMEIP: SOME/IP-SD dissector fails to register SOME/IP ports, if
IPv6 is being used (BUG).
• tshark logs: "…could not be opened: Too many open files.".
• Typo in About Wireshark > Keyboard Shortcuts > Unignore All
Displayed.
• Buildbot crash output: randpkt-2020-04-02-31746.pcap.
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
AFS, BACapp, Bluetooth, CoAP, Diameter3GPP, F5 Ethernet trailer, GSM
RLC MAC, ISIS, ISIS CLV, ISIS HELLO, ISIS LSP, ISIS SNP, NAS 5GS, NR
RRC, pcap, QUIC, RPCAP, RTCP, SOME/IP-SD, TLS, and WSP
New and Updated Capture File Support
pcap
Wireshark 3.2.2 Release Notes
What is Wireshark?
Wireshark is the world’s most popular network protocol analyzer. It is
used for troubleshooting, analysis, development and education.
What’s New
Automatic updates were inadvertently disabled in the Wireshark 3.2.1
64-bit and 32-bit Windows installers. If you’re running Wireshark
3.2.1 on Windows you will have to update to a later version manually.
Bug 16381[1]
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-03[2] LTE RRC dissector memory leak. Bug 16341[3].
• wnpa-sec-2020-04[4] WiMax DLMAP dissector crash. Bug 16368[5].
• wnpa-sec-2020-05[6] EAP dissector crash. Bug 16397[7].
• wnpa-sec-2020-06[8] WireGuard dissector crash. Bug 16394[9].
The following bugs have been fixed:
• Add (IETF) QUIC Dissector. Bug 13881[10].
• Support for CoAP over TCP and WebSockets (RFC 8323). Bug
15910[11].
• SMB IOCTL response packet with BUFFER_OVERFLOW status is
dissected improperly. Bug 16261[12].
• Wireshark fails to build with GCC-9. Bug 16319[13].
• NVMe/TCP ICReq PDU Not Interpreted Correctly. Bug 16333[14].
• ICMP: No response if ICMP reply packet has an ICMP checksum of
0x0000. Bug 16334[15].
• Display filter parsing broken after upgrade from 3.0.7. Bug
16336[16].
• IPv4 fragment offset value is incorrect in IPv4 header decode.
Bug 16344[17].
• RTCP frame length warning for SAT>IP APP packets. Bug 16345[18].
• RTP export to rtpdump file doesn’t work. Bug 16351[19].
• CFDP dissector skips a byte. Bug 16361[20].
• ISAKMP: IKEv2 transforms and proposal have critical bit (BUG).
Bug 16364[21].
• No IPv4/IPv6 hosts in Resolved Addresses dialog. Bug 16366[22].
• Lack of Check for Updates option in the Windows GUI. Bug
16381[23].
• LLDP dissector consumes all octets to the end of the TVB and eth
trailer dissector does not get called. Bug 16387[24].
• LACP dissector consumes all octets to the end of the TVB and eth
trailer dissector does not get called. Bug 16388[25].
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ARTNET, CFDP, CoAP, EAP, GTP, ICMP, ICMPv6, IPv4, ISAKMP, LACP, LLDP,
LTE RRC, NBAP, NVME-TCP, QUIC, RDM, RTCP, RTP, SMB, SOME/IP, TLS,
WiMax DLMAP, and WireGuard
Wireshark 3.2.1 Release Notes
What’s New
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-01[1] WASSP dissector crash. Bug 16324[2].
CVE-2020-7044[3].
The following bugs have been fixed:
• Incorrect parsing of USB CDC packets. Bug 14587[4].
• Wireshark fails to create directory if parent directory does not
yet exist. Bug 16143[5].
• Buildbot crash output: randpkt-2019-11-30-22633.pcap. Bug
16240[6].
• Closing Flow Graph closes (crashes) main GUI window. Bug
16260[7].
• Wireshark interprets websocket frames after HTTP handshake in a
wrong way. Bug 16274[8].
• A-bis/OML: IPA Destination IP Address attribute contains inverted
value (endianness). Bug 16282[9].
• wiretap/log3gpp.c: 2 * leap before looking ?. Bug 16283[10].
• Opening shell terminal prints Wireshark: Permission denied. Bug
16284[11].
• h264: SPS frame_crop_right_offset shown in UI as
frame_crop_left_offset. Bug 16285[12].
• BGP: update of "Sub-TLV Length" by draft-ietf-idr-tunnel-encaps.
Bug 16294[13].
• SPNEGO+GSS-API+Kerberos+ap-options dissection produces "Unknown
Bit(s)" expert message. Bug 16301[14].
• USB Audio feature unit descriptor is incorrectly dissected. Bug
16305[15].
• Compiling the .y files fails with Berkeley YACC. Bug 16306[16].
• PDB files in Windows installer. Bug 16307[17].
• NAS-5GS 5GS network feature support lacks MCSI, EMCN3 two fields
(octet 4). Bug 16310[18].
• Option to change “Packet List” columns header right click pop-up
menu behavior. Bug 16317[19].
• DLT: Dissector does not parse multiple DLT messages in single UDP
packet. Bug 16321[20].
• ISAKMP Dissection: Enhance Source id and Destination ID field of
GDOI SA TEK payload for non IP ID type. Bug 16233[21].
• DOIP: Typo in "identifcation request messages". Bug 16325[22].
• Toolbar "?" help button - no text/help displayed. Bug 16327[23].
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
802.11 Radiotap, ASN.1 BER, BGP, DLT, DOIP, GSM A RR, GSM A-bis/OML,
H264, HTTP, IEC 60870-5-104, IEEE 802.11, IPv4, ISAKMP, NAS 5GS,
rtnetlink, SIP, TIPC, USB Audio, USB CDC, and WASSP
New and Updated Capture File Support
3gpp phone log