Wireshark 3.4.4 Release Notes
What’s New
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2021-03[1] Wireshark could open unsafe URLs. Issue
17232[2]. CVE-2021-22191[3].
The following bugs have been fixed:
• NTP Version 3 Client Decode PDML output issue (Reference ID
Issue) Issue 17112[4].
• 3.4.2: public wireshark include files are including build time
"config.h" Issue 17190[5].
• wireshark-3.4.3/epan/dissectors/packet-s7comm.c:3521: bad array
index ? Issue 17198[6].
• SIP protocol: P-Called-Party-ID header mixed up with
P-Charge-Info header Issue 17215[7].
• Asterix CAT010 Decode Error Issue 17226[8].
• _ws.expert columns not populated for IPv4 Issue 17228[9].
• Buildbot crash output: fuzz-2021-02-12-1651908.pcap Issue
17233[10].
• gQUIC: Wireshark 3.4.3 fails to dissect a packet (gQUIC q024)
that v3.2.6 succeeds. Issue 17250[11].
Wireshark 3.4.3 Release Notes
What’s New
The Windows installers now ship with Npcap 1.10. They previously
shipped with Npcap 1.00.
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2021-01[1] USB HID dissector memory leak. Bug 17124[2].
CVE-2021-22173[3].
• wnpa-sec-2021-02[4] USB HID dissector crash. Bug 17165[5].
CVE-2021-22174[6].
The following bugs have been fixed:
• SIP response single-line multiple Contact-URIs decoding error Bug
13752[7].
• Adding filter while "Telephony→VoIP Calls→Flow Sequence" open
causes OOB memory reads and potential crashes. Bug 16952[8].
• QUIC packet not fully dissected Bug 17077[9].
• SOMEIP-SD hidden entries are off Bug 17091[10].
• Problem with calculation on UDP checksum in SRv6 Bug 17097[11].
• Dark mode not working in Wireshark 3.4.2 on macOS Bug 17098[12].
• Wireshark 3.4.0: build failure on older MacOS releases, due to
'CLOCK_REALTIME' Bug 17101[13].
• TECMP: Status Capture Module messages shows 3 instead of 2 bytes
for HW version Bug 17133[14].
• Documentation - editorial error - README.dissector bad reference
Bug 17141[15].
• Cannot save capture with comments to a format that doesn’t
support it (no pop-up) Bug 17146[16].
• AUTOSAR-NM: PNI TF-String wrong way around Bug 17154[17].
• Fibre Channel parsing errors even with the fix for 17084 Bug
17168[18].
• f5ethtrailer: Won’t find a trailer after an FCS that begins with
a 0x00 byte Bug 17171[19].
• f5ethtrailer: legacy format, low noise only, no vip name trailers
no longer detected Bug 17172[20].
• Buildbot crash output: fuzz-2021-01-22-3387835.pcap Bug
17174[21].
• Dissection error on large ZVT packets Bug 17177[22].
• TShark crashes with -T ek option Bug 17179[23].
New and Updated Features
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
AUTOSAR-NM, DHCPv6, DoIP, FC ELS, GQUIC, IPv6, NAS 5GS, NAS EPS,
QUIC, SIP, SOME/IP-SD, TECMP, TLS, TPNCP, USB HID, and ZVT
New and Updated Capture File Support
f5ethtrailer and pcapng
Wireshark 3.4.2 Release Notes
What’s New
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-20[1] QUIC dissector crash Bug 17073[2].
The following bugs have been fixed:
• IETF QUIC TLS decryption errors when packets are coalesced with
random data Bug 16914[3].
• QUIC: missing dissection of some coalesced SH packets Bug
17011[4].
• macos-setup.sh can’t find SDK on macOS Big Sur, as it went to 11
Bug 17043[5].
• Mapping endpoints in browser ⇒ Map file error Bug 17074[6].
• Wireshark 3.4.1 hangs on startup on macOS Big Sur 11.0.1 Bug
17075[7].
• False expect error seen on FCoE frames (not seen with older
release wireshark 1.2.18) Bug 17084[8].
• Several libraries missing in 3.4.1 and 3.2.9 installers for macOS
Bug 17086[9].
New and Updated Features
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
DOCSIS, FC-dNS, FC-SWILS, FCoE, QUIC, SNMP, and USBHID
New and Updated Capture File Support
There is no new or updated capture file support in this release.
Wireshark 3.4.1 Release Notes
What is Wireshark?
Wireshark is the world’s most popular network protocol analyzer. It is
used for troubleshooting, analysis, development and education.
What’s New
Bug Fixes
• wnpa-sec-2020-16[1] Kafka dissector memory leak. Bug 16739[2].
CVE-2020-26418[3].
• wnpa-sec-2020-17[4] USB HID dissector crash. Bug 16958[5].
CVE-2020-26421[6].
• wnpa-sec-2020-18[7] RTPS dissector memory leak. Bug 16994[8].
CVE-2020-26420[9].
• wnpa-sec-2020-19[10] Multiple dissector memory leak. Bug
17032[11]. CVE-2020-26419[12].
The following bugs have been fixed:
• IETF QUIC TLS decryption errors when a NAT rebinding happens for
a connection Bug 16915[13].
• IETF QUIC TLS decryption error with key update Bug 16916[14].
• IETF QUIC TLS decryption error after the second key update Bug
16920[15].
• SOME/IP: Wrong dissection of parameters after Array Bug
16951[16].
• Can editcap properly corrupt pcapng file with systemd journal
export block? Bug 16965[17].
• Crash when a GIOP ior.txt file is present Bug 16984[18].
• Protobuf: failed to parse .proto file contains negative enum
values or option values of number type Bug 16988[19].
• MMRP dissector bug Bug 17005[20].
• QUIC: "Loss bits" capability Bug 17010[21].
• Stdin capture fails on Windows Bug 17018[22].
• SSTP no longer recognized Bug 17024[23].
• RFC2190 encapsulated H.263 bitfields masked wrong in Mode A Bug
17025[24].
• editcap fails when splitting into multiple pcapng files Bug
17060[25].
New and Updated Features
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ACDR, DOCSIS, Ericsson HDLC, F5 Ethernet Trailer, GIOP, GSM A, GSM
RLC MAC, HTTP, IEEE 802.11, Kafka, LLC, MBIM, MMRP, NAS 5GS, NAS EPS,
Nordic BLE, ProtoBuf, QUIC, Radiotap, RFC 2190, RTCP, RTPS, S1AP,
SOME/IP, STUN, and USB Video
New and Updated Capture File Support
pcapng
Wireshark 3.4.0
New and Updated Features
The following features are new (or have been significantly updated) since version 3.4.0rc1:
Nothing of note.
The following features are new (or have been significantly updated) since version 3.3.1:
The Protobuf fields defined as google.protobuf.Timestamp type of Protobuf standard library can now be dissected as Wireshark fields of absolute time type.
The following features are new (or have been significantly updated) since version 3.3.0:
The Windows installers now ship with Npcap 1.00. They previously shipped with Npcap 0.9997.
The Windows installers now ship with Qt 5.15.1. They previously shipped with Qt 5.12.8.
The following features are new (or have been significantly updated) since version 3.2.0:
Windows executables and installers are now signed using SHA-2 only.
Save RTP stream to .au supports any codec with 8000 Hz rate supported by Wireshark (shown in RTP player). If the audio cannot be saved (unsupported codec or rate), silence of the same length is saved and a warning is shown.
Asynchronous DNS resolution is always enabled. As a result, the c-ares library is now a required dependency.
Protobuf fields can be dissected as Wireshark (header) fields, which allows users to enter the full names of Protobuf fields or messages in the Filter toolbar for searching.
Dissectors based on Protobuf can register themselves to a new 'protobuf_field' dissector table, which is keyed with the full names of fields, for further parsing fields of BYTES or STRING type.
Wireshark is able to decode, play, and save iLBC payload on platforms where the iLBC library is available.
Wireshark is able to decode, play, and save opus payload on platforms where the opus library is available.
“Decode As” entries can now be copied from other profiles using a button in the dialog.
sshdump can now be copied to multiple instances. Each instance will show up as a different interface and will have its own profile.
The main window now supports a packet diagram view, which shows each packet as a textbook-style diagram.
Filter buttons (“Preferences → Filter Buttons”) can be grouped by using “//” as a path separator in the filter button label.
IPP Over USB packets can now be dissected and displayed.
New Protocol Support
Arinc 615A (A615A), Asphodel Protocol, AudioCodes Debug Recording (ACDR), Bluetooth HCI ISO (BT HCI ISO), Cisco MisCabling Protocol (MCP), Community ID Flow Hashing (CommunityID), DCE/RPC IRemoteWinspool SubSystem (IREMOTEWINSPOOL), Dynamic Link Exchange Protocol (DLEP), EAP Generalized Pre-Shared Key (EAP-GPSK), EAP Password Authenticated Exchange (EAP-PAX), EAP Pre-Shared Key (EAP-PSK), EAP Shared-secret Authentication and Key Establishment (EAP-SAKE), Fortinet Single Sign-on (FSSO), FTDI Multi-Protocol Synchronous Serial Engine (FTDI MPSSE), Hypertext Transfer Protocol Version 3 (HTTP3), ILDA Digital Network (IDN), Java Debug Wire Protocol (JDWP), LBM Stateful Resolution Service (LBMSRS), Lithionics Battery Management, .NET Message Framing Protocol (MC-NMF), .NET NegotiateStream Protocol (MS-NNS), OBSAI UDP-based Communication Protocol (UDPCP), Palo Alto Heartbeat Backup (PA-HB-Bak), ScyllaDB RPC, Technically Enhanced Capture Module Protocol (TECMP), Tunnel Extensible Authentication Protocol (TEAP), UDP based FTP w/ multicast V5 (UFTP5), and USB Printer (USBPRINTER)
Updated Protocol Support
Too many protocols have been updated to list here.
New and Updated Capture File Support
MP4 (ISO/IEC 14496-12)
Wireshark 3.2.7 Release Notes
The Windows installers now ship with Npcap 0.9997. They previously
shipped with Npcap 0.9994.
The Windows installers now ship with Qt 5.12.9. They previously
shipped with Qt 5.12.8.
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-11[1] MIME Multipart dissector crash. Bug 16741[2].
Fixed in master: 2411eae9ed Fixed in master-3.2: 21f082cb6e Fixed
in master-3.0: 14e274f3be Fixed in master-2.6: 5803c7b87b
• wnpa-sec-2020-12[3] TCP dissector crash. Bug 16816[4]. Fixed in
master: c4634b1e99 Fixed in master-3.2: e9b727595b Fixed in
master-3.0: 7f3fe6164a Fixed in master-2.6: 9d7ab8b46f
• wnpa-sec-2020-13[5] BLIP dissector crash. Bug 16866[6]. Fixed in
master: 4a94842710 Fixed in master-3.2: 594d312b12 Fixed in
master-3.0: 2fb6002559 Fixed in master-2.6: n/a
The following bugs have been fixed:
• HTTP dissector fails to display correct UTF-16 XML Bug 9069[7].
• TFTP dissector does not track conversations correctly. Source
file and Destination File redundant or disagree. Bug 10305[8].
• Dissector skips DICOM command Bug 13110[9].
• Editcap time adjustment doesn’t work when both infile and outfile
are ERF Bug 16578[10].
• dissect_tds7_colmetadata_token() has wrong return value if count
is 0 Bug 16682[11].
• "total block length … is too small" for Systemd Journal Export
Block Bug 16734[12].
• MNC 11 is showing Mobile Network Code (MNC): NTT DoCoMo Tokai
Inc. (11) But its belonging to Rakuten Network Bug 16755[13].
• DICOM object extraction: discrepancy between tshark and wireshark
Bug 16771[14].
• S1-U data forwarding info and S103 PDN data forwarding info IE’s
showing improper value Bug 16777[15].
• Wireshark crashes while opening a capture Bug 16780[16].
• Changing preferences via Decode As does not call callback Bug
16787[17].
• Decoding of PFCP IE 'Remote GTP-U Peer' is incorrect Bug
16805[18].
• Ng-enb not decoded correctly for Target Identification IE for
GTPV2 Bug 16822[19].
• The client timestamp is parsed error for Google QUIC (version
Q039) Bug 16839[20].
• NAS-5G : PDU session reactivation result Bug 16842[21].
• Wireshark fails to detect libssh >= 0.9.5 Bug 16845[22].
Wireshark 3.2.6 Release Notes
What’s New
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-10[1] Kafka dissector crash. Bug 16672[2].
CVE-2020-17498[3].
The following bugs have been fixed:
• Kafka dissector fails parsing FETCH responses. Bug 16623[4].
• Dissector for ASTERIX Category 001 / 210 does not recognize bit 1
as extension. Bug 16662[5].
• "invalid timestamp" for Systemd Journal Export Block. Bug
16664[6].
• Decoding Extended Emergency number list IE length. Bug 16668[7].
• Some macOS Bluetooth PacketLogger capture files aren’t recognized
as PacketLogger files (regression, bisected). Bug 16670[8].
• Short IMSIs (5 digits) lead to wrong decoding+warning. Bug
16676[9].
• Decoding of PFCP IE 'PFD Contents' results in "malformed packet".
Bug 16704[10].
• RFH2 Header with 32 or less bytes of NameValue will not parse out
that info. Bug 16733[11].
• CDP: Port ID TLV followed by Type 1009 TLV triggers [Malformed
Packet]. Bug 16742[12].
• tshark crashed when processing opcda. Bug 16746[13].
• tshark with --export-dicom gives “Segmentation fault (core
dumped)”. Bug 16748[14].
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ASTERIX, BSSAP, CDP, CoAP, DCERPC SPOOLSS, DCOM, DICOM, DVB-S2,
E.212, GBCS, GSM RR, GSM SMS, IEEE 802.11, Kafka, MQ, Nano, NAS 5GS,
NIS+, NR RRC, PacketLogger, PFCP, RTPS, systemd Journal, TDS, TN3270,
and TN5250
New and Updated Capture File Support
PacketLogger and pcapng
Wireshark 3.2.5 Release Notes
What’s New
The Windows installers now ship with Npcap 0.9994. They previously
shipped with Npcap 0.9991.
The Windows installers now ship with USBPcap 1.5.4.0. They previously
shipped with USBPcap 1.5.3.0.
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-09[1] GVCP dissector infinite loop.
CVE-2020-15466[3].
The following bugs have been fixed:
• Add decryption support for QUIC IETF version 0xfaceb001 and
0xfaceb002.
• Windows Uninstall does not remove all files in Program Files.
• The "relative sequence number" is same as "raw sequence number"
when tcp.analyze_sequence_numbers:FALSE.
• Importing profiles from a different Windows PC fails.
• Decode as not working correctly with multiple user profiles.
• Wireshark can misdissect the HE Radiotap field if it’s ever
dissected one with any value unknown.
• Buildbot crash output: fuzz-2020-06-19-5981.pcap.
• Buildbot crash output: fuzz-2020-06-20-7665.pcap.
• mergecap man page contains invalid formatting.
Wireshark 3.2.4 Release Notes
What’s New
The Windows installers now ship with Qt 5.12.8. They previously
shipped with Qt 5.12.6.
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-08[1] A dissector went awry.
The following bugs have been fixed:
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
New and Updated Capture File Support
There is no new or updated capture file support in this release.
Wireshark 3.2.3 Release Notes
Wireshark 3.2.0 to 3.2.2 might not update automatically on macOS in
some cases. If you’re running those versions on macOS you might have
to update to a later version manually.
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-07[2] The BACapp dissector could crash.
The following bugs have been fixed:
• Add (IETF) QUIC Dissector.
• Rename profile name loses list selection.
• Dissector bug warning dissecting TLS Certificate Request with
many names.
• Only ACKs, but no DATA frames are visible in -> TCP Stream Graph
-> Time Sequence (tcptrace).
• Copy>Description does not work properly for all tree items.
• Importing profiles in Windows - zip files fail and from directory
crashes Wireshark.
• Packet List selection is gone when adding or removing a display
filter.
• Check for updates, and auto-update, not working in 3.2.1.
• f5ethtrailer: TLS trailer creates incorrect CLIENT keylog
entries.
• Buildbot crash output: randpkt-2020-03-04-18423.pcap.
• File open dialog shows garbled time stamps.
• RTCP Bye without optional reason reported as [Malformed Packet].
• Undefined-shift in dissect_rtcp.
• SOMEIP: SOME/IP-SD dissector fails to register SOME/IP ports, if
IPv6 is being used (BUG).
• tshark logs: "…could not be opened: Too many open files.".
• Typo in About Wireshark > Keyboard Shortcuts > Unignore All
Displayed.
• Buildbot crash output: randpkt-2020-04-02-31746.pcap.
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
AFS, BACapp, Bluetooth, CoAP, Diameter3GPP, F5 Ethernet trailer, GSM
RLC MAC, ISIS, ISIS CLV, ISIS HELLO, ISIS LSP, ISIS SNP, NAS 5GS, NR
RRC, pcap, QUIC, RPCAP, RTCP, SOME/IP-SD, TLS, and WSP
New and Updated Capture File Support
pcap
Wireshark 3.2.2 Release Notes
What is Wireshark?
Wireshark is the world’s most popular network protocol analyzer. It is
used for troubleshooting, analysis, development and education.
What’s New
Automatic updates were inadvertently disabled in the Wireshark 3.2.1
64-bit and 32-bit Windows installers. If you’re running Wireshark
3.2.1 on Windows you will have to update to a later version manually.
Bug 16381[1]
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-03[2] LTE RRC dissector memory leak. Bug 16341[3].
• wnpa-sec-2020-04[4] WiMax DLMAP dissector crash. Bug 16368[5].
• wnpa-sec-2020-05[6] EAP dissector crash. Bug 16397[7].
• wnpa-sec-2020-06[8] WireGuard dissector crash. Bug 16394[9].
The following bugs have been fixed:
• Add (IETF) QUIC Dissector. Bug 13881[10].
• Support for CoAP over TCP and WebSockets (RFC 8323). Bug
15910[11].
• SMB IOCTL response packet with BUFFER_OVERFLOW status is
dissected improperly. Bug 16261[12].
• Wireshark fails to build with GCC-9. Bug 16319[13].
• NVMe/TCP ICReq PDU Not Interpreted Correctly. Bug 16333[14].
• ICMP: No response if ICMP reply packet has an ICMP checksum of
0x0000. Bug 16334[15].
• Display filter parsing broken after upgrade from 3.0.7. Bug
16336[16].
• IPv4 fragment offset value is incorrect in IPv4 header decode.
Bug 16344[17].
• RTCP frame length warning for SAT>IP APP packets. Bug 16345[18].
• RTP export to rtpdump file doesn’t work. Bug 16351[19].
• CFDP dissector skips a byte. Bug 16361[20].
• ISAKMP: IKEv2 transforms and proposal have critical bit (BUG).
Bug 16364[21].
• No IPv4/IPv6 hosts in Resolved Addresses dialog. Bug 16366[22].
• Lack of Check for Updates option in the Windows GUI. Bug
16381[23].
• LLDP dissector consumes all octets to the end of the TVB and eth
trailer dissector does not get called. Bug 16387[24].
• LACP dissector consumes all octets to the end of the TVB and eth
trailer dissector does not get called. Bug 16388[25].
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ARTNET, CFDP, CoAP, EAP, GTP, ICMP, ICMPv6, IPv4, ISAKMP, LACP, LLDP,
LTE RRC, NBAP, NVME-TCP, QUIC, RDM, RTCP, RTP, SMB, SOME/IP, TLS,
WiMax DLMAP, and WireGuard
Wireshark 3.2.1 Release Notes
What’s New
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-01[1] WASSP dissector crash. Bug 16324[2].
CVE-2020-7044[3].
The following bugs have been fixed:
• Incorrect parsing of USB CDC packets. Bug 14587[4].
• Wireshark fails to create directory if parent directory does not
yet exist. Bug 16143[5].
• Buildbot crash output: randpkt-2019-11-30-22633.pcap. Bug
16240[6].
• Closing Flow Graph closes (crashes) main GUI window. Bug
16260[7].
• Wireshark interprets websocket frames after HTTP handshake in a
wrong way. Bug 16274[8].
• A-bis/OML: IPA Destination IP Address attribute contains inverted
value (endianness). Bug 16282[9].
• wiretap/log3gpp.c: 2 * leap before looking ?. Bug 16283[10].
• Opening shell terminal prints Wireshark: Permission denied. Bug
16284[11].
• h264: SPS frame_crop_right_offset shown in UI as
frame_crop_left_offset. Bug 16285[12].
• BGP: update of "Sub-TLV Length" by draft-ietf-idr-tunnel-encaps.
Bug 16294[13].
• SPNEGO+GSS-API+Kerberos+ap-options dissection produces "Unknown
Bit(s)" expert message. Bug 16301[14].
• USB Audio feature unit descriptor is incorrectly dissected. Bug
16305[15].
• Compiling the .y files fails with Berkeley YACC. Bug 16306[16].
• PDB files in Windows installer. Bug 16307[17].
• NAS-5GS 5GS network feature support lacks MCSI, EMCN3 two fields
(octet 4). Bug 16310[18].
• Option to change “Packet List” columns header right click pop-up
menu behavior. Bug 16317[19].
• DLT: Dissector does not parse multiple DLT messages in single UDP
packet. Bug 16321[20].
• ISAKMP Dissection: Enhance Source id and Destination ID field of
GDOI SA TEK payload for non IP ID type. Bug 16233[21].
• DOIP: Typo in "identifcation request messages". Bug 16325[22].
• Toolbar "?" help button - no text/help displayed. Bug 16327[23].
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
802.11 Radiotap, ASN.1 BER, BGP, DLT, DOIP, GSM A RR, GSM A-bis/OML,
H264, HTTP, IEC 60870-5-104, IEEE 802.11, IPv4, ISAKMP, NAS 5GS,
rtnetlink, SIP, TIPC, USB Audio, USB CDC, and WASSP
New and Updated Capture File Support
3gpp phone log
Fixes build problem on NetBSD:
[ 85%] Building C object epan/CMakeFiles/epan.dir/protobuf_lang.c.o
wireshark-3.2.0/epan/protobuf_lang.y: In function 'run_pbl_parser':
wireshark-3.2.0/epan/protobuf_lang.y:602:5: error: 'protobuf_langdebug' undeclared (first use in this function); did you mean
'protobuf_langtable'?
protobuf_langdebug = debug ? 1 : 0;
^~~~~~~~~~~~~~~~~~
protobuf_langtable
Wireshark 3.2.0
What’s New
This is the last release branch with official support for Windows 7
and Windows Server 2008 R2.
Many improvements have been made. See the “New and Updated Features”
section below for more details.
New and Updated Features
The following features are new (or have been significantly updated)
since version 3.2.0rc2:
• Minor bug fixes.
The following features are new (or have been significantly updated)
since version 3.2.0rc1:
• Minor bug fixes.
The following features are new (or have been significantly updated)
since version 3.1.1:
• Miscellaneous UI fixes and updates.
• The macOS installer now ships with Qt 5.12.6. It previously
shipped with Qt 5.12.5.
The following features are new (or have been significantly updated)
since version 3.1.0:
• Automatic updates are supported on macOS.
• You can now select multiple packets in the packet list at the
same time:
  • They can be exported as Text by “Ctrl+C” or “Cmd+C” and the
  corresponding menu in “Edit › Copy › As …”
  • They can be marked/unmarked or ignored/unignored at the same time
  • They can be exported and printed using the corresponding menu
  entries “File › Export Specified Packets”, “File › Export Packet
  Dissections” and “File › Print”
• You can now follow HTTP/2 and QUIC streams.
• You can once again mark and unmark packets using the middle mouse
button. This feature went missing around 2009 or so.
• The Windows packages are now built using Microsoft Visual Studio
2019.
• IOGraph automatically adds a graph for the selected display filter if
no previous graph exists.
• Action buttons for the display filter bar may be aligned left via the
context menu.
  • The "Expression…" toolbar entry has been moved to "Analyze ›
  Display filter Expression …" as well as to the context menu of
  the display filter toolbar
• Allow extcaps to be loaded from the personal configuration directory.
• The Wireshark 3.1.0 Windows installers ship with Qt 5.12.6. Previous
installers shipped with Qt 5.12.4.
The following features are new (or have been significantly updated)
since version 3.0.0:
• You can drag and drop a field to a column header to create a
column for that field, or to the display filter input to create a
display filter. If a display filter is applied, the new filter
can be added using the same rules as “Apply Filter”
• You can drag and drop a column entry to the display filter to
create a filter for it.
• You can import profiles from a .zip archive or an existing
directory.
• Dark mode support on macOS and dark theme support on other
platforms has been improved.
• Brotli decompression support in HTTP/HTTP2 (requires the brotli
library).
• The build system now checks for a SpeexDSP system library
installation. The bundled Speex resampler code is still provided
as a fallback.
• WireGuard decryption can now be enabled through keys embedded in
a pcapng in addition to the existing key log preference (Bug
15571[1]).
• A new tap for extracting credentials from the capture file has
been added. It can be accessed through the -z credentials option
in tshark or from the “Tools › Credentials” menu in Wireshark.
• Editcap can now split files on floating point intervals.
• Windows .msi packages are now signed using SHA-2[2]. .exe
installers are still dual-signed using SHA-1 and SHA-2.
• The “Enabled Protocols” Dialog now only enables, disables and
inverts protocols based on the set filter selection. The protocol
type (standard or heuristic) may also be chosen as a filter
value.
• Save RTP stream to .au supports any codec with 8000 Hz rate
supported by Wireshark (shown in RTP player). If the audio cannot
be saved (unsupported codec or rate), silence of the same length
is saved and a warning is shown.
• The “Analyze › Apply as Filter” and “Analyze › Prepare a Filter”
packet list and detail popup menus now show a preview of their
respective filters.
• Protobuf files (*.proto) can now be configured to enable more
precise parsing of serialized Protobuf data (such as gRPC).
• HTTP2 now supports streaming mode reassembly. To use this feature,
subdissectors can register themselves to the "streaming_content_type"
dissector table and return pinfo→desegment_len and
pinfo→desegment_offset to tell HTTP2 when to start and how many
additional bytes are required when next called.
• Messages of streaming gRPC methods can now be parsed with the
support of the HTTP2 streaming mode reassembly feature.
• The Wireshark 3.1.0 Windows installers ship with Qt 5.12.4.
Previous installers shipped with Qt 5.12.1.
New Protocol Support
3GPP BICC MST (BICC-MST), 3GPP log packet (LOG3GPP), 3GPP/GSM Cell
Broadcast Service Protocol (cbsp), Asynchronous Management Protocol
(AMP), Bluetooth Mesh Beacon, Bluetooth Mesh PB-ADV, Bluetooth Mesh
Provisioning PDU, Bluetooth Mesh Proxy, CableLabs Layer-3 Protocol
IEEE EtherType 0xb4e3 (CL3), DCOM IProvideClassInfo, DCOM ITypeInfo,
Diagnostic Log and Trace (DLT), Distributed Replicated Block Device
(DRBD), Dual Channel Wi-Fi (CL3DCW), EBHSCR Protocol (EBHSCR), EERO
Protocol (EERO), evolved Common Public Radio Interface (eCPRI), File
Server Remote VSS Protocol (FSRVP), FTDI FT USB Bridging Devices
(FTDI FT), Graylog Extended Log Format over UDP (GELF), GSM/3GPP CBSP
(Cell Broadcast Service Protocol), ITS message - CAMv1, ITS message -
DENMv1, Linux net_dm (network drop monitor) protocol, MIDI System
Exclusive DigiTech (SYSEX DigiTech), Network Controller Sideband
Interface (NCSI), NR Positioning Protocol A (NRPPa) TS 38.455, NVM
Express over Fabrics for TCP (nvme-tcp), OsmoTRX Protocol (GSM
Transceiver control and data), Scalable service-Oriented MiddlewarE
over IP (SOME/IP), USB 2.0 Link Layer (USBLL), and Wi-Fi Neighbour
Awareness Networking (NAN)
Updated Protocol Support
Too many protocols have been updated to list here.
New and Updated Capture File Support
3gpp phone, Android Logcat Text, Ascend, Busmaster log file, Candump,
Endace ERF, NetScaler, pcapng, and Savvius *Peek
Wireshark 3.0.7 Release Notes
What’s New
The Windows and macOS installers now ship with Qt 5.12.6. They
previously shipped with Qt 5.12.5.
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2019-22[1] CMS dissector crash. Bug 15961[2].
CVE-2019-19553[3].
The following bugs have been fixed:
• ws_pipe_wait_for_pipe() can wait on closed handles. Bug 15696[4].
• Support for 11ax in PEEKREMOTE. Bug 15740[5].
• The temporary file … could not be opened: Invalid argument. Bug
15751[6].
• Reassembling of the two TLS records is not working correctly. Bug
16109[7].
• Display Filter Area: Dropdown Missing pkt_comment and
tcp.options.sack_perm (likely others). Bug 16130[8].
• Display Filter autocompletion should be disabled. Bug 16132[9].
• BGP Linkstate IP Reachability information is incorrect. Bug
16144[10].
• NGAP: ExpectedUEActivityBehaviour decode error. Bug 16145[11].
• HomePlug AV dissector: MMTYPE and FMI fields are dissected
incorrectly. Bug 16158[12].
• JPEG files cannot be saved on Windows with french language. Bug
16165[13].
• X11 --display interpreted as --display-filter which maps to -Y
option. Bug 16167[14].
• "Create new file automatically after" not working with extcap.
Bug 16178[15].
• Encrypted TLS alerts sometimes listed as decrypted. Bug
16180[16].
• The "Remove Wireshark from the system path" package has "Add
Wireshark to the system PATH" as its title. Bug 16200[17].
• tshark -T ek -x causes get_field_data: code should not be
reached. Bug 16218[18].
• Crash on Go → Next/Previous Packet in Conversation when no packet
is selected.
Wireshark 3.0.6:
What’s New
• On macOS, Wireshark can now be installed by dropping Wireshark.app
onto the Applications folder.
• The macOS installer now ships with Qt 5.12.5. It previously
shipped with Qt 5.12.3.
Bug Fixes
The following bugs have been fixed:
• macOS installer uses wrong user ID. Bug 6991[1].
• Using macosx-setup seems to prevent installing pre-built binary.
Bug 11399[2].
• macOS installer package is configured to disallow downgrades. Bug
12593[3].
• extcap: Several issues when capturing from multiple extcap
interfaces. Bug 13653[4].
• Expert Infos Incorrectly Displays Info Column instead of comment.
Bug 15516[5].
• Wireshark does not support USB packets with size greater than 256
KiB. Bug 15985[6].
• IS-IS: add support for decoding TE TLV Type 138 as per RFC 5307.
Bug 16012[7].
• NET-SNMP EngineID Length handling Warning. Bug 16051[8].
• TLS decryption is very slow on Windows when using a large PMS
file compared to Linux/macOS. Bug 16059[9].
• wireshark-3.0.5/epan/dissectors/packet-nas_5gs.c:2459: bad test
?. Bug 16075[10].
• ERSPAN Type III over GRE without sequence number not decoded
correctly. Bug 16089[11].
• Windows dumpcap -v does not display capture library info. Bug
16108[12].
• [Regression] FT_CHAR fields not supported in Lua API. Bug
16129[13].
Updated Protocol Support
AgentX, BT L2CAP, ERSPAN, GRE, IPv4, IS-IS, NAS 5GS, OpcUa, SNMP, and
SRT
Wireshark 3.0.5
The following bugs have been fixed:
* Qt interface crashes on a profile with packet list only.
* Wireshark 3.0.4 does not start on macOS 10.13 after an upgrade from 3.0.3.
* NET-SNMP EngineID Length handling Warning.
* Upgrade from Wireshark 3.0.2/3.0.3 to 3.0.4/later is confusing and may not complete properly.
* Crash SIGSEGV when decrypting IEEE 802.11 EAP re-authentications.
Wireshark 3.0.4 Release Notes
What’s New
• The Windows installers now ship with Npcap 0.9983. They previously
shipped with Npcap 0.996.
• The macOS installer now ships with Qt 5.12.3. It previously
shipped with Qt 5.12.4.
The following vulnerabilities have been fixed:
• wnpa-sec-2019-21[1] Gryphon dissector infinite loop.
The following bugs have been fixed:
• Coloring Rules dialog - enable/disable coloring rule issues.
• Enabling Time-Of-Day in IO Graph causes the x-axis origin to be
set to 01.01.1970.
• Wireshark GUI crashes when attempting to DnD multiple (possibly
corrupted) pcapng files.
• Buildbot crash output: randpkt-2019-06-14-14291.pcap.
• 802.11 RSN IE may be shorter than 18 bytes.
• Tshark outputs two data rate instead of one.
• Typo in checkbox label at bottom of sshdump configuration screen
(save parameters).
• Invalid pkcs11_libs entry crashes on Windows.
• Add additional text output for DNS types (DNSSEC).
• LSD bittorent.
• dfilter_macros is missing from Configuration Files article.
• Pane configuration inconsistencies.
• Packet list is sorted in reverse order after applying a display
filter in Qt 5.13.
• EAP-TLS fragments are repeatedly displayed.
• Broken TLS handshake reassembly in EAP-TTLS with multiple TLS
sessions.
• Wireshark does not support USB packets with size greater than 256
KiB.
• "Unable to drop files during capture." when drag’n’drop entry to
create display filter or filter button.
• Packet Bytes highlight for dns.qry.name.len and dns.count.labels
off by one.
• Segmentation fault in nfs_name_snoop_fh.
• Changing the protocol preferences caused a crash.
• DCERPC dissector broken for functions with only scalar variables.
Updated Protocol Support
BACnet, DCERPC, DNS, EAP, FC-dNS, Gryphon, IEEE 802.11, LSD, NFS, and
Radiotap
Wireshark 3.0.3 Release Notes
What is Wireshark?
Wireshark is the world’s most popular network protocol analyzer. It is
used for troubleshooting, analysis, development and education.
What’s New
• The Windows installers now ship with Qt 5.12.4. They previously
shipped with Qt 5.12.3.
• The Windows installers now ship with Npcap 0.996. They previously
shipped with Npcap 0.995.
• The macOS installer now ships with Qt 5.12.4. It previously
shipped with Qt 5.12.1.
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2019-20[1] ASN.1 BER and related dissectors crash. Bug
15870[2]. CVE-2019-13619[3].
The following bugs have been fixed:
• "ninja install" installs help/faq.py instead of help/faq.txt. Bug
15543[4].
• In Wireshark 3.0, encrypted DOCSIS PDU packets no longer match
the filter "eth.dst". Bug 15731[5].
• Developer’s Guide section 3.9 "Contribute your changes" should
incorporate or link "Writing a good commit message" from the
Wiki. Bug 15752[6].
• RSL dissector bugs in presence of optional IEs. Bug 15789[7].
• The "Media Attribute Value" field is missed in rtcp SDP
dissection (packet-sdp.c). Bug 15791[8].
• BTLE doesn’t properly detect start fragment of L2CAP PDUs. Bug
15807[9].
• Wi-SUN FAN decoder error, Channel Spacing and Reserved fields are
swapped. Bug 15821[10].
• tshark: Display filter error message references "-d" when it
should reference "-Y". Bug 15825[11].
• Open "protocol" preferences … does not work for protocol in
subtree. Bug 15836[12].
• Problems with sshdump "Error by extcap pipe: sh: sudo: command
not found". Bug 15845[13].
• editcap won’t change encapsulation type when writing pcap format.
Bug 15873[14].
• ITU-T G.8113.1 MPLS-TP OAM CC,LMM,LMR,DMM and DMR are not seen in
the 3.0.2. Bug 15887[15].
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
AERON, ASN.1, BTLE, CUPS, DNS, DOCSIS, DPNSS, GSM RLC/MAC, HiQnet,
ISO 14443, ISObus VT, LDAP, MAC LTE, MIME multipart, MPLS, MQ, RSL,
SDP, SMB, TNEF, and Wi-SUN
New and Updated Capture File Support
Ascend
New and Updated Capture Interfaces support
There is no new or updated capture file support in this release.
3.0.2:
What’s New
• The Windows installers now ship with Qt 5.12.3. They previously
shipped with Qt 5.12.1.
• The Windows installers now ship with Npcap 0.995. They previously
shipped with Npcap 0.992.
• The macOS packages are now notarized[1].
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2019-19[2] Wireshark dissection engine crash. Bug
15778[3].
The following bugs have been fixed:
• Add (IETF) QUIC Dissector. Bug 13881[4].
• Wireshark Hangs on startup initializing external capture plugins.
Bug 14657[5].
• [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more
than 1000000 items in the tree — possible infinite loop. Bug
14978[6].
• Wireshark can call extcap with empty multicheck argument. Bug
15065[7].
• CMPv2 KUR message dissection gives unexpected value for
serialNumber under OldCertId fields. Bug 15154[8].
• "(Git Rev Unknown from unknown)" in version string for official
tarball. Bug 15544[9].
• External extcap does not get all arguments sometimes. Bug
15586[10].
• Help file doesn’t display for extcap interfaces. Bug 15592[11].
• Buildbot crash output: randpkt-2019-03-14-4670.pcap. Bug
15604[12].
• Building only libraries on windows fails due to CLEAN_C_FILES
empty. Bug 15662[13].
• Statistics→Conversations→TCP→Follow Stream - incorrect behavior.
Bug 15672[14].
• Wrong NTP timestamp for RTCP XR RR packets (hf_rtcp_xr_timestamp
field). Bug 15687[15].
• ws_pipe: leaks pipe handles on errors. Bug 15689[16].
• Build issue in Wireshark - 3.0.1 on RHEL6. Bug 15706[17].
• ISAKMP: Segmentation fault with non-hex string for IKEv1
Decryption Table Initiator Cookie. Bug 15709[18].
• extcap: non-boolean call arguments can be appended without value
on selector Reload. Bug 15725[19].
• Incorrectly interpreted format of MQTT PUBLISH payload data. Bug
15738[20].
• print.c: Memory leak in ek_check_protocolfilter. Bug 15758[21].
• IETF QUIC dissector incorrectly parses retry packet. Bug
15764[22].
• Bacnet(app): fix wrong value for id 183 (logging-device →
logging-object). Bug 15767[23].
• The SMB2 code to look up decryption keys by session ID assumes
it’s running on a little-endian machine. Bug 15772[24].
• tshark -G folders leaves mmdbresolve process behind. Bug
15777[25].
• Dissector bug, protocol TLS - failed assertion "data". Bug
15780[26].
• WSMP : header_opt_ind field is not correctly set.
3.0.1:
The Windows installers now ship with Npcap 0.992. They previously shipped with Npcap 0.99-r9.
Bug Fixes
The following vulnerabilities have been fixed:
wnpa-sec-2019-09 NetScaler file parser crash. Bug 15497. CVE-2019-10895.
wnpa-sec-2019-10 SRVLOC dissector crash. Bug 15546. CVE-2019-10899.
wnpa-sec-2019-11 IEEE 802.11 dissector infinite loop. Bug 15553. CVE-2019-10897.
wnpa-sec-2019-12 GSUP dissector infinite loop. Bug 15585. CVE-2019-10898.
wnpa-sec-2019-13 Rbm dissector infinite loop. Bug 15612. CVE-2019-10900.
wnpa-sec-2019-14 GSS-API dissector crash. Bug 15613. CVE-2019-10894.
wnpa-sec-2019-15 DOF dissector crash. Bug 15617. CVE-2019-10896.
wnpa-sec-2019-16 TSDNS dissector crash. Bug 15619. CVE-2019-10902.
wnpa-sec-2019-17 LDSS dissector crash. Bug 15620. CVE-2019-10901.
wnpa-sec-2019-18 DCERPC SPOOLSS dissector crash. Bug 15568. CVE-2019-10903.
The following bugs have been fixed:
[oss-fuzz] UBSAN: shift exponent 34 is too large for 32-bit type 'guint32' (aka 'unsigned int') in packet-ieee80211.c:15534:49. Bug 14770.
[oss-fuzz] UBSAN: shift exponent 35 is too large for 32-bit type 'int' in packet-couchbase.c:1674:37. Bug 15439.
Duplicated TCP SEQ field in ICMP packets. Bug 15533.
Wrong length in dhcpv6 NTP Server suboption results in "Malformed Packet" and breaks further dissection. Bug 15542.
Wireshark’s speaker-to-MaxMind is burning up the CPU. Bug 15545.
GSM-A-RR variable bitmap decoding may report ARFCNs > 1023. Bug 15549.
Import hexdump dummy Ethernet header generation ignores direction indication. Bug 15561.
%T not supported for timestamps. Bug 15565.
LWM2M: resource with \r\n badly shown. Bug 15572.
When selecting BSSAP in 'Decode As' for a SCCP payload, it uses BSSAP+ which is not the same protocol. Bug 15578.
Possible buffer overflow in function ssl_md_final for crafted SSL 3.0 sessions. Bug 15599.
Windows console log output delay. Bug 15605.
Syslog dissector processes the UTF-8 BOM incorrectly. Bug 15607.
NFS/NLM: Wrong lock byte range in the "Info" column. Bug 15608.
randpkt -r causes segfault when count > 1. Bug 15627.
Tshark export to ElasticSearch (-Tek) fails with Bad json_dumper state: illegal transition. Bug 15628.
Packets with metadata but no data get the Protocol Info column overwritten. Bug 15630.
BGP MP_REACH_NLRI AFI: Layer-2 VPN, SAFI: EVPN - Label stack not decoded. Bug 15631.
Buildbot crash output: fuzz-2019-03-23-1789.pcap. Bug 15634.
Typo: broli → brotli. Bug 15647.
Wrong dissection of GTPv2 MM Context Used NAS integrity protection algorithm. Bug 15648.
Windows CHM (help file) title displays quoted HTML characters. Bug 15656.
Unable to load 3rd party plugins not signed by Wireshark’s codesigning certificate. Bug 15667.
3.0.0:
Many user interface improvements have been made. See the “New and Updated Features” section below for more details.
Support for a number of legacy features and libraries has been removed. See the “Removed Features and Support” section below for more details.
Bug Fixes
The following bugs have been fixed:
Data following a TCP ZeroWindowProbe is marked as retransmission and not passed to subdissectors (Bug 15427)
Lua Error on startup: init.lua: dofile has been disabled due to running Wireshark as superuser (Bug 15489).
Text and Image columns were handled incorrectly for TDS 7.0 and 7.1. (Bug 3098)
Dumpcap might not quit if Wireshark or TShark crashes. (Bug 1419)
The following features are new (or have been significantly updated) since version 3.0.0rc1:
The IP map feature (the “Map” button in the “Endpoints” dialog) has been added back in a modernized form (Bug 14693).
The macOS package now ships with Qt 5.12.1. Previously it shipped with Qt 5.9.7.
The macOS package requires version 10.12 or later. If you’re running an older version of macOS, please use Wireshark 2.6.
The following features are new (or have been significantly updated) since version 2.9.0:
Wireshark now supports the Swedish and Ukrainian languages.
Initial support for using PKCS #11 tokens for RSA decryption in TLS. This can be configured at Preferences, RSA Keys.
The build system now produces reproducible builds (Bug 15163).
The Windows installers now ship with Qt 5.12.1. Previously they shipped with Qt 5.12.0.
The following features are new (or have been significantly updated) since version 2.6.0:
The Windows .exe installers now ship with Npcap instead of WinPcap. Besides being actively maintained (by the nmap project), Npcap brings support for loopback capture and 802.11 WiFi monitor mode capture (if supported by the NIC driver).
Conversation timestamps are supported for UDP/UDP-Lite protocols.
TShark now supports the -G elastic-mapping option which generates an ElasticSearch mapping file.
The “Capture Information” dialog has been added back (Bug 12004).
The Ethernet and IEEE 802.11 dissectors no longer validate the frame check sequence (checksum) by default.
The TCP dissector gained a new “Reassemble out-of-order segments” preference to fix dissection and decryption issues in case TCP segments are received out-of-order. See the User’s Guide, chapter TCP Reassembly for details.
Decryption support for the new WireGuard dissector (Bug 15011, requires Libgcrypt 1.8).
The BOOTP dissector has been renamed to DHCP. With the exception of “bootp.dhcp”, the old “bootp.*” display filter fields are still supported but may be removed in a future release.
The SSL dissector has been renamed to TLS. As with BOOTP the old “ssl.*” display filter fields are supported but may be removed in a future release.
Coloring rules, IO graphs, Filter Buttons and protocol preference tables can now be copied from other profiles using a button in the corresponding configuration dialogs.
APT-X has been renamed to aptX.
When importing from hex dump, it’s now possible to add an ExportPDU header with a payload name. This calls the specific dissector directly without lower protocols.
The sshdump and ciscodump extcap interfaces can now use a proxy for the SSH connection.
Dumpcap now supports the -a packets:NUM and -b packets:NUM options.
Wireshark now includes a “No Reassembly” configuration profile.
Wireshark now supports the Russian language.
The build system now supports AppImage packages.
The Windows installers now ship with Qt 5.12.0. Previously they shipped with Qt 5.9.7.
Support for DTLS and TLS decryption using pcapng files that embed a Decryption Secrets Block (DSB) containing a TLS Key Log (Bug 15252).
The editcap utility gained a new --inject-secrets option to inject an existing TLS Key Log file into a pcapng file.
A new dfilter function string() has been added. It allows the conversion of non-string fields to strings so that string functions (such as contains and matches) can be used on them.
The Bash test suite has been replaced by one based on Python unittest/pytest.
The custom window title can now show the file path of the capture file, and it has a conditional separator.
Removed Features and Support
The legacy (GTK+) user interface has been removed and is no longer supported.
The portaudio library is no longer needed due to the removal of GTK+.
Wireshark requires Qt 5.2 or later. Qt 4 is no longer supported.
Wireshark requires GLib 2.32 or later.
Wireshark requires GnuTLS 3.2 or later as an optional dependency.
Building Wireshark requires Python 3.4 or newer; Python 2.7 is unsupported.
Building Wireshark requires CMake. Autotools is no longer supported.
TShark’s -z compare option was removed.
Building with Cygwin is no longer supported on Windows.
Otherwise, they are built when asciidoctor is detected, and the result
is a PLIST mismatch.
No version bump: the build was broken iff this change makes a difference.