Commit graph

57 commits

Author SHA1 Message Date
adam
b3b947cc4e wireshark: updated to 3.2.7
Wireshark 3.2.7 Release Notes

  The Windows installers now ship with Npcap 0.9997. They previously
  shipped with Npcap 0.9994.

  The Windows installers now ship with Qt 5.12.9. They previously
  shipped with Qt 5.12.8.

  Bug Fixes

   The following vulnerabilities have been fixed:

     • wnpa-sec-2020-11[1] MIME Multipart dissector crash. Bug 16741[2].
       Fixed in master: 2411eae9ed Fixed in master-3.2: 21f082cb6e Fixed
       in master-3.0: 14e274f3be Fixed in master-2.6: 5803c7b87b

     • wnpa-sec-2020-12[3] TCP dissector crash. Bug 16816[4]. Fixed in
       master: c4634b1e99 Fixed in master-3.2: e9b727595b Fixed in
       master-3.0: 7f3fe6164a Fixed in master-2.6: 9d7ab8b46f

     • wnpa-sec-2020-13[5] BLIP dissector crash. Bug 16866[6]. Fixed in
       master: 4a94842710 Fixed in master-3.2: 594d312b12 Fixed in
       master-3.0: 2fb6002559 Fixed in master-2.6: n/a

   The following bugs have been fixed:

     • HTTP dissector fails to display correct UTF-16 XML Bug 9069[7].

     • TFTP dissector does not track conversations correctly. Source
       file and Destination File redundant or disagree. Bug 10305[8].

     • Dissector skips DICOM command Bug 13110[9].

     • Editcap time adjustment doesn’t work when both infile and outfile
       are ERF Bug 16578[10].

     • dissect_tds7_colmetadata_token() has wrong return value if count
       is 0 Bug 16682[11].

     • "total block length … is too small" for Systemd Journal Export
       Block Bug 16734[12].

     • MNC 11 is showing Mobile Network Code (MNC): NTT DoCoMo Tokai
       Inc. (11) But its belonging to Rakuten Network Bug 16755[13].

     • DICOM object extraction: discrepancy between tshark and wireshark
       Bug 16771[14].

     • S1-U data forwarding info and S103 PDN data forwarding info IE’s
       showing improper value Bug 16777[15].

     • Wireshark crashes while opening a capture Bug 16780[16].

     • Changing preferences via Decode As does not call callback Bug
       16787[17].

     • Decoding of PFCP IE 'Remote GTP-U Peer' is incorrect Bug
       16805[18].

     • Ng-enb not decoded correctly for Target Identification IE for
       GTPV2 Bug 16822[19].

     • The client timestamp is parsed error for Google QUIC (version
       Q039) Bug 16839[20].

     • NAS-5G : PDU session reactivation result Bug 16842[21].

     • Wireshark fails to detect libssh >= 0.9.5 Bug 16845[22].
2020-09-28 19:22:03 +00:00
wiz
4a7be5090f wireshark: fix libssh detection
From upstream fd7739de6b via Michael Forney via tech-pkg
2020-09-15 10:19:20 +00:00
adam
98c282727e wireshark: updated to 3.2.3
Wireshark 3.2.3 Release Notes

Wireshark 3.2.0 to 3.2.2 might not update automatically on macOS in
some cases. If you’re running those versions on macOS you might have
to update to a later version manually.

Bug Fixes

 The following vulnerabilities have been fixed:
   • wnpa-sec-2020-07[2] The BACapp dissector could crash.

 The following bugs have been fixed:
   • Add (IETF) QUIC Dissector.
   • Rename profile name loses list selection.
   • Dissector bug warning dissecting TLS Certificate Request with
     many names.
   • Only ACKs, but no DATA frames are visible in -> TCP Stream Graph
     -> Time Sequence (tcptrace).
   • Copy>Description does not work properly for all tree items.
   • Importing profiles in Windows - zip files fail and from directory
     crashes Wireshark.
   • Packet List selection is gone when adding or removing a display
     filter.
   • Check for updates, and auto-update, not working in 3.2.1.
   • f5ethtrailer: TLS trailer creates incorrect CLIENT keylog
     entries.
   • Buildbot crash output: randpkt-2020-03-04-18423.pcap.
   • File open dialog shows garbled time stamps.
   • RTCP Bye without optional reason reported as [Malformed Packet].
   • Undefined-shift in dissect_rtcp.
   • SOMEIP: SOME/IP-SD dissector fails to register SOME/IP ports, if
     IPv6 is being used (BUG).
   • tshark logs: "…could not be opened: Too many open files.".
   • Typo in About Wireshark > Keyboard Shortcuts > Unignore All
     Displayed.
   • Buildbot crash output: randpkt-2020-04-02-31746.pcap.

New and Updated Features

 There are no new features in this release.

New Protocol Support

 There are no new protocols in this release.

Updated Protocol Support

 AFS, BACapp, Bluetooth, CoAP, Diameter3GPP, F5 Ethernet trailer, GSM
 RLC MAC, ISIS, ISIS CLV, ISIS HELLO, ISIS LSP, ISIS SNP, NAS 5GS, NR
 RRC, pcap, QUIC, RPCAP, RTCP, SOME/IP-SD, TLS, and WSP

New and Updated Capture File Support

 pcap
2020-04-09 14:37:15 +00:00
adam
1ca2a36618 wireshark: updated to 3.2.0
Wireshark 3.2.0

What’s New

This is the last release branch with official support for Windows 7
and Windows Server 2008 R2.

Many improvements have been made. See the “New and Updated Features”
section below for more details.

New and Updated Features

 The following features are new (or have been significantly updated)
 since version 3.2.0rc2:

   • Minor bug fixes.

 The following features are new (or have been significantly updated)
 since version 3.2.0rc1:

   • Minor bug fixes.

 The following features are new (or have been significantly updated)
 since version 3.1.1:

   • Miscellaneous UI fixes and updates.

   • The macOS installer now ships with Qt 5.12.6. It previously
     shipped with Qt 5.12.5.

 The following features are new (or have been significantly updated)
 since version 3.1.0:

   • Automatic updates are supported on macOS.

   • You can now select multiple packets in the packet list at the
     same time

   • They can be exported as Text by “Ctrl+C” or “Cmd+C” and the
     corresponding menu in “Edit › Copy › As …”

   • They can be marked/unmarked or ignored/unignored at the same time

   • They can be exported and printed using the corresponding menu
     entries “File › Export Specified Packets”, “File › Export Packet
     Dissections” and “File › Print”

 You can now follow HTTP/2 and QUIC streams.

 You can once again mark and unmark packets using the middle mouse
 button. This feature went missing around 2009 or so.

 The Windows packages are now built using Microsoft Visual Studio
 2019.

 IOGraph automatically adds a graph for the selected display filter if
 no previous graph exists

 Action buttons for the display filter bar may be aligned left via the
 context menu

   • The "Expression…" toolbar entry has been moved to "Analyze ›
     Display filter Expression …" as well as to the context menu of
     the display filter toolbar

 Allow extcaps to be loaded from the personal configuration directory

 The Wireshark 3.1.0 Windows installers ship with Qt 5.12.6. Previous
 installers shipped with Qt 5.12.4.

 The following features are new (or have been significantly updated)
 since version 3.0.0:

   • You can drag and drop a field to a column header to create a
     column for that field, or to the display filter input to create a
     display filter. If a display filter is applied, the new filter
     can be added using the same rules as “Apply Filter”

   • You can drag and drop a column entry to the display filter to
     create a filter for it.

   • You can import profiles from a .zip archive or an existing
     directory.

   • Dark mode support on macOS and dark theme support on other
     platforms has been improved.

   • Brotli decompression support in HTTP/HTTP2 (requires the brotli
     library).

   • The build system now checks for a SpeexDSP system library
     installation. The bundled Speex resampler code is still provided
     as a fallback.

   • WireGuard decryption can now be enabled through keys embedded in
     a pcapng in addition to the existing key log preference (Bug
     15571[1]).

   • A new tap for extracting credentials from the capture file has
     been added. It can be accessed through the -z credentials option
     in tshark or from the “Tools › Credentials” menu in Wireshark.

   • Editcap can now split files on floating point intervals.

   • Windows .msi packages are now signed using SHA-2[2]. .exe
     installers are still dual-signed using SHA-1 and SHA-2.

   • The “Enabled Protocols” Dialog now only enables, disables and
     inverts protocols based on the set filter selection. The protocol
     type (standard or heuristic) may also be chosen as a filter
     value.

   • Save RTP stream to .au supports any codec with 8000 Hz rate
     supported by Wireshark (shown in RTP player). If saving the audio
     is not possible (unsupported codec or rate), silence of the same
     length is saved and a warning is shown.

   • The “Analyze › Apply as Filter” and “Analyze › Prepare a Filter”
     packet list and detail popup menus now show a preview of their
     respective filters.

   • Protobuf files (*.proto) can now be configured to enable more
     precise parsing of serialized Protobuf data (such as gRPC).

   • HTTP2 supports streaming mode reassembly. To use this feature,
     subdissectors can register themselves to the
     "streaming_content_type" dissector table and return
     pinfo→desegment_len and pinfo→desegment_offset to tell HTTP2 when
     to start and how many additional bytes are required when next
     called.

   • The message of a stream gRPC method can now be parsed with the
     support of the HTTP2 streaming mode reassembly feature.

   • The Wireshark 3.1.0 Windows installers ship with Qt 5.12.4.
     Previous installers shipped with Qt 5.12.1.

New Protocol Support

 3GPP BICC MST (BICC-MST), 3GPP log packet (LOG3GPP), 3GPP/GSM Cell
 Broadcast Service Protocol (cbsp), Asynchronous Management Protocol
 (AMP), Bluetooth Mesh Beacon, Bluetooth Mesh PB-ADV, Bluetooth Mesh
 Provisioning PDU, Bluetooth Mesh Proxy, CableLabs Layer-3 Protocol
 IEEE EtherType 0xb4e3 (CL3), DCOM IProvideClassInfo, DCOM ITypeInfo,
 Diagnostic Log and Trace (DLT), Distributed Replicated Block Device
 (DRBD), Dual Channel Wi-Fi (CL3DCW), EBHSCR Protocol (EBHSCR), EERO
 Protocol (EERO), evolved Common Public Radio Interface (eCPRI), File
 Server Remote VSS Protocol (FSRVP), FTDI FT USB Bridging Devices
 (FTDI FT), Graylog Extended Log Format over UDP (GELF), GSM/3GPP CBSP
 (Cell Broadcast Service Protocol), ITS message - CAMv1, ITS message -
 DENMv1, Linux net_dm (network drop monitor) protocol, MIDI System
 Exclusive DigiTech (SYSEX DigiTech), Network Controller Sideband
 Interface (NCSI), NR Positioning Protocol A (NRPPa) TS 38.455, NVM
 Express over Fabrics for TCP (nvme-tcp), OsmoTRX Protocol (GSM
 Transceiver control and data), Scalable service-Oriented MiddlewarE
 over IP (SOME/IP), USB 2.0 Link Layer (USBLL), and Wi-Fi Neighbour
 Awareness Networking (NAN)

Updated Protocol Support

 Too many protocols have been updated to list here.

New and Updated Capture File Support

 3gpp phone, Android Logcat Text, Ascend, Busmaster log file, Candump,
 Endace ERF, NetScaler, pcapng, and Savvius *Peek
2019-12-30 17:48:05 +00:00
adam
f038377099 wireshark: updated to 3.0.1
3.0.1:
The Windows installers now ship with Npcap 0.992. They previously shipped with Npcap 0.99-r9.

Bug Fixes
The following vulnerabilities have been fixed:
wnpa-sec-2019-09 NetScaler file parser crash. Bug 15497. CVE-2019-10895.
wnpa-sec-2019-10 SRVLOC dissector crash. Bug 15546. CVE-2019-10899.
wnpa-sec-2019-11 IEEE 802.11 dissector infinite loop. Bug 15553. CVE-2019-10897.
wnpa-sec-2019-12 GSUP dissector infinite loop. Bug 15585. CVE-2019-10898.
wnpa-sec-2019-13 Rbm dissector infinite loop. Bug 15612. CVE-2019-10900.
wnpa-sec-2019-14 GSS-API dissector crash. Bug 15613. CVE-2019-10894.
wnpa-sec-2019-15 DOF dissector crash. Bug 15617. CVE-2019-10896.
wnpa-sec-2019-16 TSDNS dissector crash. Bug 15619. CVE-2019-10902.
wnpa-sec-2019-17 LDSS dissector crash. Bug 15620. CVE-2019-10901.
wnpa-sec-2019-18 DCERPC SPOOLSS dissector crash. Bug 15568. CVE-2019-10903.

The following bugs have been fixed:
[oss-fuzz] UBSAN: shift exponent 34 is too large for 32-bit type 'guint32' (aka 'unsigned int') in packet-ieee80211.c:15534:49. Bug 14770.
[oss-fuzz] UBSAN: shift exponent 35 is too large for 32-bit type 'int' in packet-couchbase.c:1674:37. Bug 15439.
Duplicated TCP SEQ field in ICMP packets. Bug 15533.
Wrong length in dhcpv6 NTP Server suboption results in "Malformed Packet" and breaks further dissection. Bug 15542.
Wireshark’s speaker-to-MaxMind is burning up the CPU. Bug 15545.
GSM-A-RR variable bitmap decoding may report ARFCNs > 1023. Bug 15549.
Import hexdump dummy Ethernet header generation ignores direction indication. Bug 15561.
%T not supported for timestamps. Bug 15565.
LWM2M: resource with \r\n badly shown. Bug 15572.
When selecting BSSAP in 'Decode As' for a SCCP payload, it uses BSSAP+ which is not the same protocol. Bug 15578.
Possible buffer overflow in function ssl_md_final for crafted SSL 3.0 sessions. Bug 15599.
Windows console log output delay. Bug 15605.
Syslog dissector processes the UTF-8 BOM incorrectly. Bug 15607.
NFS/NLM: Wrong lock byte range in the "Info" column. Bug 15608.
randpkt -r causes segfault when count > 1. Bug 15627.
Tshark export to ElasticSearch (-Tek) fails with Bad json_dumper state: illegal transition. Bug 15628.
Packets with metadata but no data get the Protocol Info column overwritten. Bug 15630.
BGP MP_REACH_NLRI AFI: Layer-2 VPN, SAFI: EVPN - Label stack not decoded. Bug 15631.
Buildbot crash output: fuzz-2019-03-23-1789.pcap. Bug 15634.
Typo: broli → brotli. Bug 15647.
Wrong dissection of GTPv2 MM Context Used NAS integrity protection algorithm. Bug 15648.
Windows CHM (help file) title displays quoted HTML characters. Bug 15656.
Unable to load 3rd party plugins not signed by Wireshark’s codesigning certificate. Bug 15667.


3.0.0:

Many user interface improvements have been made. See the “New and Updated Features” section below for more details.

Support for a number of legacy features and libraries has been removed. See the “Removed Features and Support” section below for more details.

Bug Fixes

The following bugs have been fixed:
Data following a TCP ZeroWindowProbe is marked as retransmission and not passed to subdissectors (Bug 15427)
Lua Error on startup: init.lua: dofile has been disabled due to running Wireshark as superuser (Bug 15489).
Text and Image columns were handled incorrectly for TDS 7.0 and 7.1. (Bug 3098)
Dumpcap might not quit if Wireshark or TShark crashes. (Bug 1419)

The following features are new (or have been significantly updated) since version 3.0.0rc1:
The IP map feature (the “Map” button in the “Endpoints” dialog) has been added back in a modernized form (Bug 14693).
The macOS package now ships with Qt 5.12.1. Previously it shipped with Qt 5.9.7.
The macOS package requires version 10.12 or later. If you’re running an older version of macOS, please use Wireshark 2.6.

The following features are new (or have been significantly updated) since version 2.9.0:
Wireshark now supports the Swedish and Ukrainian languages.
Initial support for using PKCS #11 tokens for RSA decryption in TLS. This can be configured at Preferences, RSA Keys.
The build system now produces reproducible builds (Bug 15163).
The Windows installers now ship with Qt 5.12.1. Previously they shipped with Qt 5.12.0.

The following features are new (or have been significantly updated) since version 2.6.0:
The Windows .exe installers now ship with Npcap instead of WinPcap. Besides being actively maintained (by the nmap project), Npcap brings support for loopback capture and 802.11 WiFi monitor mode capture (if supported by the NIC driver).
Conversation timestamps are supported for UDP/UDP-Lite protocols
TShark now supports the -G elastic-mapping option which generates an ElasticSearch mapping file.
The “Capture Information” dialog has been added back (Bug 12004).
The Ethernet and IEEE 802.11 dissectors no longer validate the frame check sequence (checksum) by default.
The TCP dissector gained a new “Reassemble out-of-order segments” preference to fix dissection and decryption issues in case TCP segments are received out-of-order. See the User’s Guide, chapter TCP Reassembly for details.
Decryption support for the new WireGuard dissector (Bug 15011, requires Libgcrypt 1.8).
The BOOTP dissector has been renamed to DHCP. With the exception of “bootp.dhcp”, the old “bootp.*” display filter fields are still supported but may be removed in a future release.
The SSL dissector has been renamed to TLS. As with BOOTP the old “ssl.*” display filter fields are supported but may be removed in a future release.
Coloring rules, IO graphs, Filter Buttons and protocol preference tables can now be copied from other profiles using a button in the corresponding configuration dialogs.
APT-X has been renamed to aptX.
When importing from hex dump, it’s now possible to add an ExportPDU header with a payload name. This calls the specific dissector directly without lower protocols.
The sshdump and ciscodump extcap interfaces can now use a proxy for the SSH connection.
Dumpcap now supports the -a packets:NUM and -b packets:NUM options.
Wireshark now includes a “No Reassembly” configuration profile.
Wireshark now supports the Russian language.
The build system now supports AppImage packages.
The Windows installers now ship with Qt 5.12.0. Previously they shipped with Qt 5.9.7.
Support for DTLS and TLS decryption using pcapng files that embed a Decryption Secrets Block (DSB) containing a TLS Key Log (Bug 15252).
The editcap utility gained a new --inject-secrets option to inject an existing TLS Key Log file into a pcapng file.
A new dfilter function string() has been added. It allows the conversion of non-string fields to strings so string functions (as contains and matches) can be used on them.
The Bash test suite has been replaced by one based on Python unittest/pytest.
The custom window title can now show file path of the capture file and it has a conditional separator.

Removed Features and Support
The legacy (GTK+) user interface has been removed and is no longer supported.
The portaudio library is no longer needed due to the removal of GTK+.
Wireshark requires Qt 5.2 or later. Qt 4 is no longer supported.
Wireshark requires GLib 2.32 or later.
Wireshark requires GnuTLS 3.2 or later as optional dependency.
Building Wireshark requires Python 3.4 or newer, Python 2.7 is unsupported.
Building Wireshark requires CMake. Autotools is no longer supported.
TShark’s -z compare option was removed.
Building with Cygwin is no longer supported on Windows.
2019-05-06 09:36:47 +00:00
wiz
2c166e5001 wireshark: update to 2.6.2.
Wireshark 2.6.2 Release Notes

 What’s New

  Bug Fixes

   The following vulnerabilities have been fixed:

     • wnpa-sec-2018-34[1]

     • BGP dissector large loop. Bug 13741[2]. CVE-2018-14342[3].

     • wnpa-sec-2018-35[4]

     • ISMP dissector crash. Bug 14672[5]. CVE-2018-14344[6].

     • wnpa-sec-2018-36[7]

     • Multiple dissectors could crash. Bug 14675[8]. CVE-2018-14340[9].

     • wnpa-sec-2018-37[10]

     • ASN.1 BER dissector crash. Bug 14682[11]. CVE-2018-14343[12].

     • wnpa-sec-2018-38[13]

     • MMSE dissector infinite loop. Bug 14738[14]. CVE-2018-14339[15].

     • wnpa-sec-2018-39[16]

     • DICOM dissector crash. Bug 14742[17]. CVE-2018-14341[18].

     • wnpa-sec-2018-40[19]

     • Bazaar dissector infinite loop. Bug 14841[20].
       CVE-2018-14368[21].

     • wnpa-sec-2018-41[22]

     • HTTP2 dissector crash. Bug 14869[23]. CVE-2018-14369[24].

     • wnpa-sec-2018-42[25]

     • CoAP dissector crash. Bug 14966[26]. CVE-2018-14367[27].

   The following bugs have been fixed:

     • ISMP.EDP "Tuples" dissected incorrectly. Bug 4943[28].

     • Wireshark - Race issue when switching between files using
       Wireshark’s "Files in Set" dialog. Bug 10870[29].

     • Sorting on "Source port" or "Destination port" column sorts
       alphabetically, not numerically. Bug 11460[30].

     • Wireshark crashes when changing profiles. Bug 11648[31].

     • Crash when starting capture while saving capture file or
       rescanning file after display filter change. Bug 13594[32].

     • Crash when switching to TRANSUM enabled profile. Bug 13697[33].

     • TCP retransmission with additional payload leads to incorrect
       bytes and length in stream. Bug 13700[34].

     • Wireshark crashes with single quote string display filter. Bug
       14084[35].

     • randpkt can write packets that libwiretap can’t read. Bug
       14107[36].

     • Wireshark crashes when loading new file before previous load has
       finished. Bug 14351[37].

     • Valid packet produces Malformed Packet: OpcUa. Bug 14465[38].

     • Error received from dissect_wccp2_hash_assignment_info(). Bug
       14573[39].

     • CRC checker wrong for FPP. Bug 14610[40].

     • Cross-build broken due to make-dissectors and make-taps. Bug
       14622[41].

     • Extraction of SMB file results in wrong size. Bug 14662[42].

     • 6LoWPAN dissector merges fragments from different sources. Bug
       14700[43].

     • IP address to name resolution doesn’t work in TShark. Bug
       14711[44].

     • "Decode as" Modbus RTU over USB doesn’t work with 2.6.0 but with
       2.4.6. Bug 14717[45].

     • proto_tree_add_protocol_format might leak memory. Bug 14719[46].

     • tostring for NSTime objects in lua gives wrong results. Bug
       14720[47].

     • Media type "application/octet-stream" registered for both Thread
       and UASIP. Bug 14729[48].

     • Crash related to SCTP tap. Bug 14733[49].

     • Formatting of OSI area addresses/address prefixes goes past the
       end of the area address/address prefix. Bug 14744[50].

     • ICMPv6 Router Renumbering - Packet Dissector - malformed. Bug
       14755[51].

     • WiMAX HARQ MAP decoder segfaults when length is too short. Bug
       14780[52].

     • HTTP PUT request following a HEAD request is not correctly
       decoded. Bug 14793[53].

     • SYNC PDU type 3 miss the last PDU length. Bug 14823[54].

     • Reversed 128 bits service UUIDs when Bluetooth Low Energy
       advertisement data are dissected. Bug 14843[55].

     • Issues with Wireshark when the user doesn’t have permission to
       capture. Bug 14847[56].

     • Wrong description when LE Bluetooth Device Address type is
       dissected. Bug 14866[57].

     • LE Role advertisement type (0x1c) is not dissected properly
       according to the Bluetooth specification. Bug 14868[58].

     • Regression: Wireshark 2.6.0 and 2.6.1 are unable to read NetMon
       files which were readable by previous versions. Bug 14876[59].

     • Wireshark doesn’t properly display (deliberately) invalid 220
       responses from Postfix. Bug 14878[60].

     • Follow TCP Stream and click reassembled content moves you to
       incorrect current packet. Bug 14898[61].

     • Crash when changing profiles while loading a capture file. Bug
       14918[62].

     • Duplicate PDU during C Arrays Output Export. Bug 14933[63].

     • DCE/RPC not dissected when "reserved for use by implementations"
       flag bits set. Bug 14942[64].

     • Follow TCP Stream truncates output on missing (but ACKed)
       segments. Bug 14944[65].

     • There’s no option to include column headings when printing
       packets or exporting packet dissections with Qt Wireshark. Bug
       14945[66].

     • Qt: SCTP Graph Dialog: Abort when doing analysis. Bug 14971[67].

     • CMake is unable to find LUA libraries. Bug 14983[68].

  Updated Protocol Support

   6LoWPAN, ASN.1 BER, Bazaar, BGP, Bluetooth, Bluetooth HCI_CMD, CIGI,
   Cisco ttag, CoAP, Data, DCERPC, Diameter 3GPP, DICOM, DOCSIS, FPP,
   GSM A GM, GTPv2, HTTP, HTTP2, IAX2, ICMPv6, IEEE 1722, IEEE 802.11,
   IPv4, ISMP, LISP, MMSE, MTP3, MySQL, NFS, OpcUa, PPI GPS, Q.931,
   RNSAP, RPCoRDMA, S1AP, SCTP, SMB, SMTP, STUN, SYNC, T.30, TCP,
   TRANSUM, WAP, WCCP, Wi-SUN, WiMax HARQ Map Message, and WSP

  New and Updated Capture File Support

   Alcatel-Lucent Ascend and Microsoft Network Monitor
2018-08-16 13:20:32 +00:00
adam
41161f478c wireshark: fix building with Qt 5.11
2018-06-21 12:22:10 +00:00
wiz
27aff7e249 Updated wireshark to 2.2.2.
Bug Fixes

   The following vulnerabilities have been fixed:
     * [1]wnpa-sec-2016-58
       Profinet I/O long loop. ([2]Bug 12851)
     * [3]wnpa-sec-2016-59
       AllJoyn crash. ([4]Bug 12953)
     * [5]wnpa-sec-2016-60
       OpenFlow crash. ([6]Bug 13071)
     * [7]wnpa-sec-2016-61
       DCERPC crash. ([8]Bug 13072)
     * [9]wnpa-sec-2016-62
       DTN infinite loop. ([10]Bug 13097)

   The Windows PortableApps packages were susceptible to a [11]DLL
   hijacking flaw.

   The following bugs have been fixed:
     * TCP: nextseq incorrect if TCP_MAX_UNACKED_SEGMENTS exceeded & FIN
       true. ([12]Bug 12579)
     * SMPP schedule_delivery_time displayed wrong in Wireshark 2.1.0.
       ([13]Bug 12632)
     * Upgrading to latest version uninstalls Microsoft Visual C++
       redistributable. ([14]Bug 12712)
     * dmg for OS X does not install man pages. ([15]Bug 12746)
     * Fails to compile against Heimdal 1.5.3. ([16]Bug 12831)
     * TCP: Next sequence number off by one when sending payload in SYN
       packet (e.g. TFO). ([17]Bug 12838)
     * Follow TCP Stream shows duplicate stream data. ([18]Bug 12855)
     * Dissection engine falsely asserts that EIGRP packet's checksum is
       incorrect. ([19]Bug 12982)
     * IEEE 802.15.4 frames erroneously handed over to ZigBee dissector.
       ([20]Bug 12984)
     * Capture Filter Bookmark Inactive in Capture Options page. ([21]Bug
       12986)
     * CLNP dissector does not parse ER NPDU properly. ([22]Bug 12993)
     * SNMP trap bindings for NON scalar OIDs. ([23]Bug 13013)
     * BGP LS Link Protection Type TLV (1093) decoding. ([24]Bug 13021)
     * Application crash sorting column for tcp.window_size_scalefactor up
       and down. ([25]Bug 13023)
     * ZigBee Green Power add key during execution. ([26]Bug 13031)
     * Malformed AMPQ packets for session.expected and session.confirmed
       fields. ([27]Bug 13037)
     * Wireshark 2.2.1 crashes when attempting to merge pcap files.
       ([28]Bug 13060)
     * [IS-637A] SMS - Teleservice layer parameter --> IA5 encoded text is
       not correctly displayed. ([29]Bug 13065)
     * Failure to dissect USB Audio feature unit descriptors missing the
       iFeature field. ([30]Bug 13085)
     * MSISDN not populated/decoded in JSON GTP-C decoding. ([31]Bug
       13086)
     * E212: 3 digits MNC are identified as 2 digits long if they end with
       a 0. ([32]Bug 13092)
     * Exception with last unknown Cisco AVP available in a SCCRQ message.
       ([33]Bug 13103)
     * TShark stalls on FreeBSD if androiddump is present. ([34]Bug 13104)
     * Dissector skips DICOM command. ([35]Bug 13110)
     * UUID (FT_GUID) filtering isn't working. ([36]Bug 13121)
     * Manufacturer name resolution fail. ([37]Bug 13126)
     * packet-sdp.c allocates transport_info->encoding_name from wrong
       memory pool. ([38]Bug 13127)
     * Payload type name for dynamic payload is wrong for reverse RTP
       channels. ([39]Bug 13132)

  Updated Protocol Support

   6LoWPAN, AllJoyn, AMPQ, ANSI IS-637 A, BGP, CLNP, DCERPC, DICOM, DTN,
   E.212, EIGRP, ERF, GVSP, IEEE 802.11, IEEE 802.15.4, IP, ISO-8583,
   Kerberos, L2TP, LACP, MAC LTE, OpenFlow, Profinet I/O, RTPS, SCTP, SDP,
   Skype, SMPP, SNA, SNMP, SPNEGO, TCP, USB Audio, XML, and ZigBee
2016-11-28 15:30:35 +00:00
wiz
a9e6a1c3a0 Remove obsolete patch.
2016-10-09 21:17:32 +00:00
wiz
14b56b4d9f Updated wireshark to 2.2.1.
What's New

  Bug Fixes

   The following vulnerabilities have been fixed:
     * [1]wnpa-sec-2016-56
       The Bluetooth L2CAP dissector could crash. ([2]Bug 12825)
     * [3]wnpa-sec-2016-57
       The NCP dissector could crash. ([4]Bug 12945)

   The following bugs have been fixed:
     * Flow Graph colored data arrows. ([5]Bug 12065)
     * Capture File Properties under Statistics Grayed Out after Stopping
       a Capture. ([6]Bug 12071)
     * Qt: Hidden columns displayed during live capture. ([7]Bug 12377)
     * Unable to save changes to coloring rules. ([8]Bug 12814)
     * Bad description for NBSS error code 0x81. ([9]Bug 12835)
     * Live capture from USBPcap fails immediately. ([10]Bug 12846)
     * Cannot decrypt EAP-TTLS traffic (not recognized as conversation).
       ([11]Bug 12879)
     * Export packet dissections Option disabled after capturing traffic.
       ([12]Bug 12898)
     * Failure to open file named with Chinese or other multibyte
       characters. ([13]Bug 12900)
     * k12 text file format causes errors. ([14]Bug 12903)
     * File | File Set | List Files dialog is blank. ([15]Bug 12904)
     * Decoding/Display of an INAP CONNECT message goes wrong for the
       Destination Routing Address part. ([16]Bug 12911)
     * TLS padding extension dissector length parsing bug. ([17]Bug 12922)
     * Diameter dictionary bugs. ([18]Bug 12927)
     * File open from menu bar with filter in place causes Wireshark to
       crash. ([19]Bug 12929)
     * Unable to capture USBPcap trace using tshark with extcap built.
       ([20]Bug 12949)
     * P1 dissector fails a TVB assertion. ([21]Bug 12976)
     * Multiple PortableApps instances can once again be run at the same
       time.

  Updated Protocol Support

   6LowPAN, BT L2CAP, CIP, DCOM IRemUnknown, Diameter, DMP, EAP, ISUP,
   NBT, NCP, NetFlow, SSL / TLS, and U3V

  New and Updated Capture File Support

   Ascend, and K12
2016-10-09 21:13:22 +00:00
markd
9e6fd2a9e7 Allow build with heimdal again. Bump PKGREVISION.
2016-09-29 20:11:08 +00:00
wiz
a0728ff186 Add upstream bug report URL.
2016-09-12 11:04:54 +00:00
wiz
2a5ddbd62f Updated wireshark to 2.2.0.
What's New

  Bug Fixes

     * Upgrading to latest version uninstalls Microsoft Visual C++
       redistributable. ([1]Bug 12712)
     * Extcap errors not reported back to UI. ([2]Bug 11892)

  New and Updated Features

   The following features are new (or have been significantly updated)
   since version 2.2.0rc1:

   "Decode As" supports SSL (TLS) over TCP.

   The following features are new (or have been significantly updated)
   since version 2.1.1:
     * Invalid coloring rules are now disabled instead of discarded. This
       will provide backward compatibility with a coloring rule change in
       Wireshark 2.2.

   The following features are new (or have been significantly updated)
   since version 2.1.0:
     * Added -d option for Decode As support in Wireshark (mimics TShark
       functionality)
     * The Qt UI, GTK+ UI, and TShark can now export packets as JSON.
       TShark can additionally export packets as Elasticsearch-compatible
       JSON.
     * The Qt UI now supports the -j, -J, and -l flags. The -m flag is now
       deprecated.
     * The Conversations and Endpoints dialogs are more responsive when
       viewing large numbers of items.
     * The RTP player now allows up to 30 minutes of silence frames.
     * Packet bytes can now be displayed as EBCDIC.
     * The Qt UI loads captures faster on Windows.
     * proto_tree_add_checksum was added as an API. This attempts to
       standardize how checksums are reported and filtered for within
       *Shark. There are no more individual "good" and "bad" filter
       fields, protocols now have a "checksum.status" field that records
       "Good", "Bad" and "Unverified" (neither good nor bad). Color filters
       provided with Wireshark have been adjusted to the new display
       filter names, but custom ones may need to be updated.

   The following features are new (or have been significantly updated)
   since version 2.0.0:
     * The intelligent scroll bar now sits to the left of a normal scroll
       bar and provides a clickable map of nearby packets.
     * You can now switch between Capture and File Format
       dissection of the current capture file via the View menu in the Qt
       GUI.
     * You can now show selected packet bytes as ASCII, HTML, Image, ISO
       8859-1, Raw, UTF-8, a C array, or YAML.
     * You can now use regular expressions in Find Packet and in the
       advanced preferences.
     * Name resolution for packet capture now supports asynchronous DNS
       lookups only. Therefore the "concurrent DNS resolution" preference
       has been deprecated and is a no-op. To enable DNS name resolution
       some build dependencies must be present (currently c-ares). If that
       is not the case DNS name resolution will be disabled (but other
       name resolution mechanisms, such as host files, are still
       available).
     * The byte under the mouse in the Packet Bytes pane is now
       highlighted.
     * TShark supports exporting PDUs via the -U flag.
     * The Windows and OS X installers now come with the "sshdump" and
       "ciscodump" extcap interfaces.
     * Most dialogs in the Qt UI now save their size and positions.
     * The Follow Stream dialog now supports UTF-16.
     * The Firewall ACL Rules dialog has returned.
     * The Flow (Sequence) Analysis dialog has been improved.
     * We no longer provide packages for 32-bit versions of OS X.
     * The Bluetooth Device details dialog has been added.

  New File Format Decoding Support

   Wireshark is able to display the format of some types of files (rather
   than displaying the contents of those files). This is useful when
   you're curious about, or debugging, a file and its format. To open a
   capture file (such as PCAP) in this mode specify "MIME Files Format" as
   the file's format in the Open File dialog.

  New Protocol Support

   Apache Cassandra - CQL version 3.0, Bachmann bluecom Protocol,
   Bluetooth Pseudoheader for BR/EDR, Cisco ERSPAN3 Marker, Cisco ttag,
   Digital Equipment Corporation Local Area Transport, Distributed Object
   Framework, DOCSIS Upstream Channel Descriptor Type 35, Edge Control
   Protocol (ECP), Encrypted UDP based FTP with multicast, Ericsson IPOS
   Kernel Packet Header Dissector Added (IPOS), Extensible Control &
   Management Protocol (eCMP), FLEXRAY Protocol dissector added
   (automotive bus), IEEE 802.1BR E-Tag, Intel Omni-Path Architecture, ISO
   8583-1, ISO14443, ITU-T G.7041/Y.1303 Generic Framing Procedure (GFP),
   LAT protocol (DECNET), Metamako trailers, Network Service Header for
   Ethernet & GRE, Network-Based IP Flow Mobility (NBIFOM), Nokia
   Intelligent Service Interface (ISI), Open Mobile Alliance Lightweight
   Machine to Machine TLV payload Added (LwM2M TLV), Real Time Location
   System (RTLS), RTI TCP Transport Layer (RTITCP), SMB Witness Service,
   STANAG 5602 SIMPLE, Standard Interface for Multiple Platform Link
   Evaluation (SIMPLE), USB3 Vision Protocol (USB machine vision cameras),
   USBIP Protocol, UserLog Protocol, and Zigbee Protocol Clusters
   Dissectors Added (Closures Lighting General Measurement & Sensing HVAC
   Security & Safety)

  Updated Protocol Support

   Bluetooth OBEX dissector (btobex) was renamed to Obex Dissector (obex),
   allowing it to be used with Decode As over USB, TCP and UDP.

   A preference was added to TCP dissector for handling IPFIX process
   information. It has been disabled by default.

  New and Updated Capture File Support

   Micropross mplog

  New and Updated Capture Interfaces support

   Non-empty section placeholder.

  Major API Changes

   The libwireshark API has undergone some major changes:
     * The address macros (e.g., SET_ADDRESS) have been removed. Use the
       (lower case) functions of the same names instead.
     * "old style" dissector functions (that don't return number of bytes
       used) have been replaced in name with the "new style" dissector
       functions.
     * tvb_get_string and tvb_get_stringz have been replaced with
       tvb_get_string_enc and tvb_get_stringz_enc respectively.
2016-09-12 10:59:55 +00:00
wiz
456bc12fc4 Add upstream bug report. 2016-07-28 14:33:20 +00:00
wiz
b3dcb0d7cf Updated wireshark to 2.0.3.
Bug Fixes

   The following vulnerabilities have been fixed:
     * [1]wnpa-sec-2016-01
       DLL hijacking vulnerability. [2]CVE-2016-2521
     * [3]wnpa-sec-2016-02
       ASN.1 BER dissector crash. ([4]Bug 11828) [5]CVE-2016-2522
     * [6]wnpa-sec-2016-03
       DNP dissector infinite loop. ([7]Bug 11938) [8]CVE-2016-2523
     * [9]wnpa-sec-2016-04
       X.509AF dissector crash. ([10]Bug 12002) [11]CVE-2016-2524
     * [12]wnpa-sec-2016-05
       HTTP/2 dissector crash. ([13]Bug 12077) [14]CVE-2016-2525
     * [15]wnpa-sec-2016-06
       HiQnet dissector crash. ([16]Bug 11983) [17]CVE-2016-2526
     * [18]wnpa-sec-2016-07
       3GPP TS 32.423 Trace file parser crash. ([19]Bug 11982)
       [20]CVE-2016-2527
     * [21]wnpa-sec-2016-08
       LBMC dissector crash. ([22]Bug 11984) [23]CVE-2016-2528
     * [24]wnpa-sec-2016-09
       iSeries file parser crash. ([25]Bug 11985) [26]CVE-2016-2529
     * [27]wnpa-sec-2016-10
       RSL dissector crash. ([28]Bug 11829) [29]CVE-2016-2530
       [30]CVE-2016-2531
     * [31]wnpa-sec-2016-11
       LLRP dissector crash. ([32]Bug 12048) [33]CVE-2016-2532
     * [34]wnpa-sec-2016-12
       Ixia IxVeriWave file parser crash. ([35]Bug 11795)
     * [36]wnpa-sec-2016-13
       IEEE 802.11 dissector crash. ([37]Bug 11818)
     * [38]wnpa-sec-2016-14
       GSM A-bis OML dissector crash. ([39]Bug 11825)
     * [40]wnpa-sec-2016-15
       ASN.1 BER dissector crash. ([41]Bug 12106)
     * [42]wnpa-sec-2016-16
       SPICE dissector large loop. ([43]Bug 12151)
     * [44]wnpa-sec-2016-17
       NFS dissector crash.
     * [45]wnpa-sec-2016-18
       ASN.1 BER dissector crash. ([46]Bug 11822)

   The following bugs have been fixed:
     * HTTP 302 decoded as TCP when "Allow subdissector to reassemble TCP
       streams" option is enabled. ([47]Bug 9848)
     * Questionable calling of ethernet dissector by encapsulating
       protocol dissectors. ([48]Bug 9933)
     * [Qt & Legacy & probably TShark too] Delta Time Conversation column
       is empty. ([49]Bug 11559)
     * extcap: abort when validating capture filter for DLT 147. ([50]Bug
       11656)
     * Missing columns in Qt Flow Graph. ([51]Bug 11710)
     * Interface list doesn't show well when the list is very long.
       ([52]Bug 11733)
     * Unable to use saved Capture Filters in Qt UI. ([53]Bug 11836)
     * extcap: Capture interface options snaplen, buffer and promiscuous
       not being used. ([54]Bug 11865)
     * Improper RPC reassembly ([55]Bug 11913)
     * GTPv1 Dual Stack with one static and one Dynamic IP. ([56]Bug
       11945)
     * Wireshark 2.0.1 MPLS dissector not decoding payload when control
       word is present in pseudowire. ([57]Bug 11949)
     * "...using this filter" turns white (not green or red). Plus
       dropdown arrow does nothing. ([58]Bug 11950)
     * EIGRP field eigrp.ipv4.destination does not show the correct
       destination. ([59]Bug 11953)
     * tshark -z conv,type[,filter] swapped frame / byte values from / to
       columns. ([60]Bug 11959)
     * The field name nstrace.tcpdbg.tcpack should be
       nstrace.tcpdbg.tcprtt. ([61]Bug 11964)
     * 6LoWPAN IPHC traffic class not decompressed correctly. ([62]Bug
       11971)
     * Crash with snooping NFS file handles. ([63]Bug 11972)
     * 802.11 dissector fails to decrypt some broadcast messages. ([64]Bug
       11973)
     * Wireshark hangs when adding a new profile. ([65]Bug 11979)
     * Issues when closing the application with a running capture without
       packets. ([66]Bug 11981)
     * New Qt UI lacks ability to step through multiple TCP streams with
       Analyze > Follow > TCP Stream. ([67]Bug 11987)
     * GTK: plugin_if_goto_frame causes Access Violation if called before
       capture file is loaded. ([68]Bug 11989)
     * Wireshark 2.0.1 crash on start. ([69]Bug 11992)
     * Wi-Fi 4-way handshake 4/4 is displayed as 2/4. ([70]Bug 11994)
     * ACN: acn.dmx.data has incorrect type. ([71]Bug 11999)
     * editcap packet comment won't add multiple comments. ([72]Bug 12007)
     * DICOM Sequences no longer able to be expanded. ([73]Bug 12011)
     * Wrong TCP stream when port numbers are reused. ([74]Bug 12022)
     * SSL decryption fails in presence of a Client certificate. ([75]Bug
       12042)
     * LUA: TVBs backing a data source is freed too early. ([76]Bug 12050)
     * PIM: pim.group filter have the same name for IPv4 and IPv6.
       ([77]Bug 12061)
     * Failed to parse M3AP IE (TNL information). ([78]Bug 12070)
     * Wrong interpretation of Instance ID value in OSPFv3 packet.
       ([79]Bug 12072)
     * MP2T Dissector does parse RTP properly in 2.0.1. ([80]Bug 12099)
     * editcap does not adjust time for frames with absolute timestamp 0 <
       t < 1 secs. ([81]Bug 12116)
     * Guard Interval is not consistent between Radiotap & wlan_radio.
       ([82]Bug 12123)
     * Calling dumpcap -i- results in access violation. ([83]Bug 12143)
     * Qt: Friendly Name and Interface Name columns should not be
       editable. ([84]Bug 12146)
     * PPTP GRE call ID not always decoded. ([85]Bug 12149)
     * Interface list does not show device description anymore. ([86]Bug
       12156)
     * Find Packet does not highlight the matching tree item or packet
       bytes. ([87]Bug 12157)
     * "total block length ... is too large" error when opening pcapng
       file with multiple SHB sections. ([88]Bug 12167)
     * http.request.full_uri is malformed if an HTTP Proxy is used.
       ([89]Bug 12176)
     * SNMP dissector fails at msgSecurityParameters with long length
       encoding. ([90]Bug 12181)

  Updated Protocol Support

   6LoWPAN, ACN, ASN.1 BER, BATADV, DICOM, DNP3, DOCSIS INT-RNG-REQ, E100,
   EIGRP, GSM A DTAP, GSM SMS, GTP, HiQnet, HTTP, HTTP/2, IEEE 802.11,
   IKEv2, InfiniBand, IPv4, IPv6, LBMC, LLRP, M3AP, MAC LTE, MP2T, MPLS,
   NFS, NS Trace, OSPF, PIM, PPTP, RLC LTE, RoHC, RPC, RSL, SNMP, SPICE,
   SSL, TCP, TRILL, VXLAN, WaveAgent, and X.509AF

  New and Updated Capture File Support

   3GPP TS 32.423 Trace, iSeries, Ixia IxVeriWave, pcap, and pcapng
2016-04-24 10:02:13 +00:00
wiz
a2ba8d69ae Make wireshark2 the new default wireshark, since it is the default stable
version upstream.
2016-03-03 13:33:14 +00:00
adam
ef10b7be91 Added qt5 as an option.
Avoid SDK build on OS X.
2015-11-06 17:35:26 +00:00
tnn
a0715af648 Update to wireshark-1.12.7.
Full ChangeLog since 1.10.14 is too long to include. A few highlights:

- Expert information is now filterable when the new API is in use.
- "malformed" display filter has been renamed to "_ws.malformed".
- Transport name resolution is now disabled by default.
- Support has been added for all versions of the DCBx protocol.
- Cleanup of LLDP code, all dissected fields are now navigable.
- Dissector output may be encoded as UTF-8. This includes TShark output.
- The ASN1 plugin has been removed as it's deemed obsolete.
- The GNM dissector has been removed as it was never used.
- The Kerberos dissector has been replaced by one generated from ASN1 code.
- A more flexible, modular memory manager (wmem) has been added.
- A new API for expert information has been added, replacing the old one.
- The tvbuff API has been cleaned up.
- Support for 80+ new protocols
2015-09-12 19:03:59 +00:00
dsainty
295df7a5e7 Fix shell syntax to work with pdksh.
This is already fixed in upstream's repository.
2015-07-10 08:13:41 +00:00
tron
12439e7b8b Update "wireshark" package to version 1.10.11. Changes since 1.10.10:
- Bug Fixes
  The following vulnerabilities have been fixed.
    * wnpa-sec-2014-20
      SigComp UDVM buffer overflow. (Bug 10662)
      CVE-2014-8710
    * wnpa-sec-2014-21
      AMQP crash. (Bug 10582) CVE-2014-8711
    * wnpa-sec-2014-22
      NCP crashes. (Bug 10552, Bug 10628) CVE-2014-8712
      CVE-2014-8713
    * wnpa-sec-2014-23
      TN5250 infinite loops. (Bug 10596) CVE-2014-8714
  The following bugs have been fixed:
    * 6LoWPAN Mesh headers not treated as encapsulating address.
      (Bug 10462)
    * UCP dissector bug of operation 31 - PID 0639 not
      recognized. (Bug 10463)
    * iSCSI dissector rejects PDUs with "expected data transfer
      length" > 16M. (Bug 10469)
    * GTPv2: trigging_tree under Trace information has wrong
      length. (Bug 10470)
    * Attempt to render an SMS-DELIVER-REPORT instead of an
      SMS-DELIVER. (Bug 10547)
    * IPv6 Mobility Option IPv6 Address/Prefix marks too many
      bytes for the address/prefix field. (Bug 10576)
    * IPv6 Mobility Option Binding Authorization Data for FMIPv6
      Authenticator field is read beyond the option data.
      (Bug 10577)
    * IPv6 Mobility Option Mobile Node Link Layer Identifier
      Link-layer Identifier field is read beyond the option data.
      (Bug 10578)
    * Malformed PTPoE announce packet. (Bug 10611)
    * IPv6 Permanent Home Keygen Token mobility option includes
      too many bytes for the token field. (Bug 10619)
    * IPv6 Redirect Mobility Option K and N bits are parsed
      incorrectly. (Bug 10622)
    * IPv6 Care Of Test mobility option includes too many bytes
      for the Keygen Token field. (Bug 10624)
    * IPv6 MESG-ID mobility option is parsed incorrectly.
      (Bug 10625)
    * IPv6 AUTH mobility option parses Mobility SPI and
      Authentication Data incorrectly. (Bug 10626)
    * IPv6 DNS-UPDATE-TYPE mobility option includes too many
      bytes for the MD identity field. (Bug 10629)
    * IPv6 Local Mobility Anchor Address mobility option's code
      and reserved fields are parsed as 2 bytes instead of 1.
      (Bug 10630)
    * TShark crashes when running with PDML on a specific packet.
      (Bug 10651)
    * IPv6 Mobility Option Context Request reads an extra
      request. (Bug 10676)
- Updated Protocol Support
  6LoWPAN, AMQP, GSM MAP, GTPv2, H.223, IEEE 802.11, iSCSI, MIH,
  Mobile IPv6, PTPoE, TN5250, and UCP
- New and Updated Capture File Support
  Catapult DCT2000, HP-UX nettl, pcap-ng, and Sniffer (DOS)
2014-11-14 12:06:10 +00:00
tron
0295b9af86 Update "wireshark" package to version 1.10.4. Changes since version 1.10.3:
- Bug Fixes
   The following vulnerabilities have been fixed.
     * wnpa-sec-2013-66
       The SIP dissector could go into an infinite loop.
       Discovered by Alain Botti. (Bug 9388)
       Versions affected: 1.10.0 to 1.10.3, 1.8.0 to 1.8.11
       CVE-2013-7112
     * wnpa-sec-2013-67
       The BSSGP dissector could crash. Discovered by Laurent
       Butti. (Bug 9488)
       Versions affected: 1.10.0 to 1.10.3
       CVE-2013-7113
     * wnpa-sec-2013-68
       The NTLMSSP v2 dissector could crash. Discovered by Garming
       Sam.
       Versions affected: 1.10.0 to 1.10.3, 1.8.0 to 1.8.11
       CVE-2013-7114
   The following bugs have been fixed:
     * "On-the-wire" packet lengths are limited to 65535 bytes.
       (Bug 8808, ws-buglink:9390)
     * Tx MCS set is not interpreted properly in WLAN beacon
       frame. (Bug 8894)
     * VoIP Graph Analysis window - some calls are black. (Bug
       8966)
     * Wireshark fails to decode single-line, multiple Contact:
       URIs in SIP responses. (Bug 9031)
     * epan/follow.c - Incorrect "bytes missing in capture file"
       in "check_fragments" due to an unsigned int wraparound?.
       (Bug 9112)
     * gsm_map doesn't decode MAPv3 reportSM-DeliveryStatus
       result. (Bug 9382)
     * Incorrect NFSv4 FATTR4_SECURITY_LABEL value. (Bug 9383)
     * Timestamp decoded for Gigamon trailer is not padded
       correctly. (Bug 9433)
     * SEL Fast Message Bug-fix for Signed 16-bit Integer Fast
       Meter Messages. (Bug 9435)
     * DNP3 Bug Fix for Analog Data Sign Bit Handling. (Bug
       9442)
     * GSM SMS User Data header fill bits are wrong when using a 7
       bits ASCII / IA5 encoding. (Bug 9478)
     * WCDMA RLC dissector cannot assemble PDUs with SNs skipped
       and wrap-arounded. (Bug 9505)
     * DTLS: fix buffer overflow in mac check. (Bug 9512)
     * Correct data length in SCSI_DATA_IN packets (within
       iSCSI). (Bug 9521)
     * GSM SMS UDH EMS control expects 4 octets instead of 3 with
       OPTIONAL 4th. (Bug 9550)
     * Fix "decode as ..." for packet-time.c. (Bug 9563)
- Updated Protocol Support
  ANSI IS-637-A, BSSGP, DNP3, DVB-BAT, DVB-CI, GSM MAP, GSM SMS,
  IEEE 802.11, iSCSI, NFSv4, NTLMSSP v2, RLC, SEL FM, SIP, and Time
2013-12-18 11:52:25 +00:00
tron
c8f86bad79 Update "wireshark" package to version 1.10.2. Changes since 1.10.1:
- Bug Fixes
   The following vulnerabilities have been fixed.
     * wnpa-sec-2013-54
       The Bluetooth HCI ACL dissector could crash. Discovered by
       Laurent Butti. (Bug 8827)
       Versions affected: 1.10.0 to 1.10.1
     * wnpa-sec-2013-55
       The NBAP dissector could crash. Discovered by Laurent
       Butti. (Bug 9005)
       Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
     * wnpa-sec-2013-56
       The ASSA R3 dissector could go into an infinite loop.
       Discovered by Ben Schmidt. (Bug 9020)
       Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
     * wnpa-sec-2013-57
       The RTPS dissector could overflow a buffer. Discovered by
       Ben Schmidt. (Bug 9019)
       Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
     * wnpa-sec-2013-58
       The MQ dissector could crash. (Bug 9079)
       Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
     * wnpa-sec-2013-59
       The LDAP dissector could crash. Versions affected: 1.10.0
       to 1.10.1, 1.8.0 to 1.8.9
     * wnpa-sec-2013-60
       The Netmon file parser could crash. Discovered by G.
       Geshev. (Bug 8742)
       Versions affected: 1.10.0 to 1.10.1, 1.8.0 to 1.8.9
- The following bugs have been fixed:
     * Lua ByteArray:append() causes wireshark crash. (Bug
       4461)
     * Lua script can not get "data-text-lines" protocol data.
       (Bug 5200)
     * Lua: Trying to use Field.new("tcp.segments") to get
       reassembled TCP data is failed. (Bug 5201)
     * "Edit Interface Settings": "Capture Filter" combo box is
       not populated across Wireshark sessions. (Bug 7278)
     * PER normally small non-negative whole number decoding is
       wrong when >= 64. (Bug 8841)
     * Strange behavior of tree expand/collapse in packet details.
       (Bug 8908)
     * Incorrect parsing of IPFIX *IpTotalLength elements.
       (Bug 8918)
     * IO graph/advanced, max/min/summ error on frames with
       multiple Diameter messages. (Bug 8980)
     * pod2man error on reordercap.pod. (Bug 8982)
     * SGI Nsym disambiguation is unconditionally displayed when
       dissecting VHT. (Bug 8989)
     * The Wireshark icon doesn't show up in OS X 10.5. (Bug
       8993)
     * Build fails if system Python is version 3+. (Bug 8995)
     * SCSI dissector does not parse PERSISTENT RESERVE commands
       correctly. (Bug 9012)
     * SDP messages throws an assert. (Bug 9022)
     * Wireshark fails to decode single-line, multiple Contact:
       URIs in SIP responses. (Bug 9031)
     * PN_MRP LinkUp Message is shown as LinkDown in info.
       (Bug 9035)
     * Dissector for EtherCAT: ADS highlighting in the Packet
       Bytes Pane is incorrect. (Bug 9036)
     * 802.11 HT Extended Capabilities B10 decode incorrect.
       (Bug 9038)
     * Wrong dissection of MSTI Root Identifiers for all MSTIs.
       (Bug 9088)
     * Weird malformed HTTP error. (Bug 9101)
     * Warning for attempting to install 64-bit Wireshark on a
       32-bit machine has an embedded "\n". (Bug 9103)
     * Wireshark crashes when using "Export Specified Packets" >
       "Displayed". (Bug 9106)
- Updated Protocol Support
  ASN.1 PER, ASSA R3, Bluetooth HCI ACL, EtherCAT AMS, GTPv2,
  HTTP, IEEE 802.11, IPFIX, ISDN SUP, LDAP, MQ, NBAP, Novell SSS,
  PROFINET MRP, Radiotap, ROHC, RTPS, SCSI, SIP, and STP
- New and Updated Capture File Support
  Microsoft Network Monitor, pcap-ng.
2013-09-11 12:00:01 +00:00
tron
5428b0b8df Update "wireshark" package to version 1.10.1. Changes since 1.10.0:
- The following vulnerabilities have been fixed.
  * wnpa-sec-2013-41
    The DCP ETSI dissector could crash. (Bug 8717)
    Versions affected: 1.10.0, 1.8.0 to 1.8.7
    CVE-2013-4083
  * wnpa-sec-2013-42
    The P1 dissector could crash. Discovered by Laurent Butti.
    (Bug 8826)
    Versions affected: 1.10.0
    CVE-2013-4920
  * wnpa-sec-2013-43
    The Radiotap dissector could crash. Discovered by Laurent
    Butti. (Bug 8830)
    Versions affected: 1.10.0
    CVE-2013-4921
  * wnpa-sec-2013-44
    The DCOM ISystemActivator dissector could crash. Discovered
    by Laurent Butti. (Bug 8828)
    Versions affected: 1.10.0
    CVE-2013-4924
    CVE-2013-4926
  * wnpa-sec-2013-45
    The Bluetooth SDP dissector could go into a large loop.
    Discovered by Laurent Butti. (Bug 8831)
    Versions affected: 1.10.0, 1.8.0 to 1.8.8
    CVE-2013-4927
  * wnpa-sec-2013-46
    The Bluetooth OBEX dissector could go into an infinite
    loop. (Bug 8875)
    Versions affected: 1.10.0
    CVE-2013-4928
  * wnpa-sec-2013-47
    The DIS dissector could go into a large loop. (Bug
    8911)
    Versions affected: 1.10.0, 1.8.0 to 1.8.8
    CVE-2013-4929
  * wnpa-sec-2013-48
    The DVB-CI dissector could crash. Discovered by Laurent
    Butti. (Bug 8916)
    Versions affected: 1.10.0, 1.8.0 to 1.8.8
    CVE-2013-4930
  * wnpa-sec-2013-49
    The GSM RR dissector (and possibly others) could go into a
    large loop. (Bug 8923)
    Versions affected: 1.10.0, 1.8.0 to 1.8.8
    CVE-2013-4931
  * wnpa-sec-2013-50
    The GSM A Common dissector could crash. (Bug 8940)
    Versions affected: 1.10.0, 1.8.0 to 1.8.8
    CVE-2013-4932
  * wnpa-sec-2013-51
    The Netmon file parser could crash. Discovered by G.
    Geshev. (Bug 8742)
    Versions affected: 1.10.0, 1.8.0 to 1.8.8
    CVE-2013-4934
  * wnpa-sec-2013-52
    The ASN.1 PER dissector could crash. Discovered by
    Oliver-Tobias Ripka. (Bug 8722)
    Versions affected: 1.10.0, 1.8.0 to 1.8.8
    CVE-2013-4935
  * wnpa-sec-2013-53
    The PROFINET Real-Time dissector could crash. (Bug
    8904)
    Versions affected: 1.10.0
    CVE-2013-4936
- The following bugs have been fixed:
  * Mark retransmitted SYN and FIN packets as retransmissions.
  * Wireshark hides under Taskbar. (Bug 3034)
  * IEEE 802.15.4 frame check sequence in "Chipcon mode" not
    displayed correctly. (Bug 4507)
  * Mask in Lua ProtoField.uint32() does not work as expected.
    (Bug 5734)
  * Crash when applying filter with Voip calls. (Bug 6090)
  * Delta time regressions to tshark introduced with SVN 45071.
    (Bug 8160)
  * Add MAC-DATA support to TETRA dissector and other minor
    improvements. (Bug 8708)
  * Crash analyzing VoIP Calls (T38). (Bug 8736)
  * Wireshark writes empty NRB FQDN which makes trace
    unloadable. (Bug 8763)
  * Quick launch icon is absent, so it shows up as a generic
    icon. (Bug 8773)
  * Wrong encoding for 2 pod files, UTF-8 characters in
    another. (Bug 8774)
  * SCSI (SPC) sense key specific information field must not
    include SKSV. (Bug 8782)
  * Wireshark crashes when closing Flow Graph with Graph
    Analysis opened. (Bug 8793)
  * Wrong size of LLRP ProtocolID Parameter in Accessspec
    Parameter. (Bug 8809)
  * Detection of IPv6 works only on Solaris 8. (Bug 8813)
  * ip.opt.type triggers for TCP NOP option. (Bug 8823)
  * DCOM-SYSACT dissector crash. (Bug 8828)
  * Incorrect decoding of MPLS Echo Request with BGP FEC.
    (Bug 8835)
  * Buggy IEC104 dissector caused by commit r48958. (Bug
    8849)
  * ansi_637_tele dissector displays MSB as MBS for Call-Back
    Number. (Bug 8851)
  * LISP Map-Notify flags I and R shown incorrectly. (Bug
    8852)
  * ONTAP_V4 fhandle decoding leads to dissector bug. (Bug
    8853)
  * Dropped bytes in imap dissector. (Bug 8857)
  * Kismet drone/server dissector improvements. (Bug 8864)
  * TShark iostat_draw sizeof mismatch. (Bug 8888)
  * SCTP bytes graph crash. (Bug 8889)
  * Patch to Wireshark/tshark usage info and man pages to
    document all timestamp (-t) options. (Bug 8906)
  * Strange behavior of tree expand/collapse in packet details.
    (Bug 8908)
  * Graph Filter field limited to 256 characters. (Bug
    8909)
  * Filter doesn't support cflow ASN larger than 65535.
    (Bug 8959)
  * Wireshark crashes when switching from a v1.11.0 profile to
    a v1.4.6 prof and then to a v1.5.1 prof. (Bug 8884)
  * SIP stats shows incorrect values for Max/Ave setup times.
    (Bug 8897)
  * NFSv4 delegation not reported correctly. (Bug 8920)
  * Issue with Capture Options Adapter List. (Bug 8932)
  * RFC 5844 - IPv4 Support for Proxy Mobile IPv6 - Mobility
    option IPv4 DHCP Support Mode Option malformed packet.
    (Bug 8957)
  * RFC 3775 - Mobility Support in IPv6 - Mobility option PadN
    incorrectly highlights + 2 bytes. (Bug 8958)
  * All mongodb query show as .
    (Bug 8960)
- Updated Protocol Support
  ANSI IS-637-A, ASN.1, ASN.1 PER, Bluetooth OBEX, Bluetooth SDB,
  DCERPC NDR, DCOM ISystemActivator, DCP ETSI, Diameter 3GPP,
  DIS, DVB-CI, Ethernet, GSM Common, GSM SMS, H.235, IEC104, IEEE
  802.15.4, IEEE 802a, IMAP, IP, KDSP, LISP, LLRP, MAC-LTE,
  Mobile IPv6, MONGO, MPLS Echo, Netflow, NFS, NFSv4, P1,
  PDCP-LTE, PN-IO, PN-RT, PPP, Radiotap, RLC, RLC-LTE, SCSI,
  SIP, SMTP, SoulSeek, TCP, TETRA, and VNC
- New and Updated Capture File Support
  Microsoft Network Monitor, pcap-ng.
2013-07-29 21:12:06 +00:00
adam
442767fdb2 Changes 1.10.0:
Wireshark on 32- and 64-bit Windows supports automatic updates.
The packet bytes view is faster.
You can now display a list of resolved host names in "hosts" format within Wireshark.
The wireless toolbar has been updated.
Wireshark on Linux does a better job of detecting interface addition and removal.
It is now possible to compare two fields in a display filter (for example: udp.srcport != udp.dstport). The two fields must be of the same type for this to work.
The Windows installers ship with WinPcap 4.1.3, which supports Windows 8.
USB type and product name support has been improved.
All Bluetooth profiles and protocols are now supported.
Wireshark now calculates HTTP response times and presents the result in a new field in the HTTP response. Links from the request’s frame to the response’s frame and vice-versa are also added.
The main welcome screen and status bar now display file sizes using strict SI prefixes instead of old-style binary prefixes.
Capinfos now prints human-readable statistics with SI suffixes by default.
It is now possible to open a referenced packet (such as the matched request or response packet) in a new window.
Tshark can now display only the hex/ascii packet data without requiring that the packet summary and/or packet details are also displayed. If you want the old behavior, use -Px instead of just -x.
Wireshark can be compiled using GTK+ 3.
The Wireshark application icon, capture toolbar icons, and other icons have been updated.
Tshark’s filtering and multi-pass analysis have been reworked for consistency and in order to support dependent frame calculations during reassembly. See the man page descriptions for -2, -R, and -Y.
Tshark’s -G fields2 and -G fields3 options have been eliminated. The -G fields option now includes the 2 extra fields that -G fields3 previously provided, and the blurb information has been relegated to the last column since in many cases it is blank anyway.
Wireshark dropped the left-handed settings from the preferences. This is still configurable via the GTK settings (add "gtk-scrolled-window-placement = top-right" in the config file, which might be called /.gtkrc-2.0 or /.config/gtk-3.0/settings.ini).
Wireshark now ships with two global configuration files: Bluetooth, which contains coloring rules for Bluetooth and Classic, which contains the old-style coloring rules.
The LOAD() metric in the IO-graph now shows the load in IO units instead of thousands of IO units.
2013-07-04 21:33:14 +00:00
wiz
9a99786666 Remove characters that perl-5.18's pod2man doesn't like
(the AUTHORS file is included verbatim in the docs).
2013-06-01 07:46:43 +00:00
tron
03d5c1670e Update "wireshark" package to version 1.8.6. Changes since 1.8.5:
- Bug Fixes
   The following vulnerabilities have been fixed.
     o wnpa-sec-2013-10
       The TCP dissector could crash. (Bug 8274)
       Versions affected: 1.8.0 to 1.8.5.
       CVE-2013-2475
     o wnpa-sec-2013-11
       The HART/IP dissector could go into an infinite loop. (Bug
       8360)
       Versions affected: 1.8.0 to 1.8.5.
       CVE-2013-2476
     o wnpa-sec-2013-12
       The CSN.1 dissector could crash. Discovered by Laurent Butti.
       (Bug 8383)
       Versions affected: 1.8.0 to 1.8.5.
       CVE-2013-2477
     o wnpa-sec-2013-13
       The MS-MMS dissector could crash. Discovered by Laurent Butti.
       (Bug 8382)
       Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
       CVE-2013-2478
     o wnpa-sec-2013-14
       The MPLS Echo dissector could go into an infinite loop.
       Discovered by Laurent Butti. (Bug 8039)
       Versions affected: 1.8.0 to 1.8.5.
       CVE-2013-2479
     o wnpa-sec-2013-15
       The RTPS and RTPS2 dissectors could crash. Discovered by
       Alyssa Milburn. (Bug 8332)
       Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
       CVE-2013-2480
     o wnpa-sec-2013-16
       The Mount dissector could crash. Discovered by Alyssa Milburn.
       (Bug 8335)
       Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
       CVE-2013-2481
     o wnpa-sec-2013-17
       The AMQP dissector could go into an infinite loop. Discovered
       by Moshe Kaplan. (Bug 8337)
       Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
       CVE-2013-2482
     o wnpa-sec-2013-18
       The ACN dissector could attempt to divide by zero. Discovered
       by Alyssa Milburn. (Bug 8340)
       Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
       CVE-2013-2483
     o wnpa-sec-2013-19
       The CIMD dissector could crash. Discovered by Moshe Kaplan.
       (Bug 8346)
       Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
       CVE-2013-2484
     o wnpa-sec-2013-20
       The FCSP dissector could go into an infinite loop. Discovered
       by Moshe Kaplan. (Bug 8359)
       Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
       CVE-2013-2485
     o wnpa-sec-2013-21
       The RELOAD dissector could go into an infinite loop.
       Discovered by Even Jensen. (Bug 8364)
       Versions affected: 1.8.0 to 1.8.5.
       CVE-2013-2486
       CVE-2013-2487
     o wnpa-sec-2013-22
       The DTLS dissector could crash. Discovered by Laurent Butti.
       (Bug 8380)
       Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
       CVE-2013-2488
   The following bugs have been fixed:
     o Lua pinfo.cols.protocol not holding value in postdissector.
       (Bug 6020)
     o data combined via ssl_desegment_app_data not visible via
       "Follow SSL Stream" only decrypted ssl data tabs. (Bug 6434)
     o HTTP application/json-rpc should be decoded/shown as
       application/json. (Bug 7939)
     o Maximum value of 802.11-2012 Duration field should be 32767.
       (Bug 8056)
     o Voice RTP player crash if player is closed while playing. (Bug
       8065)
     o Display Filter Macros crash. (Bug 8073)
     o RRC RadioBearerSetup message decoding issue. (Bug 8290)
     o R-click filters add ! in front of field when choosing "apply
       as filter>selected". (Bug 8297)
     o BACnet - Loop Object - Setpoint-Reference property does not
       decode correctly. (Bug 8306)
     o WMM TSPEC Element Parsing is not done is wrong due to a wrong
       switch case number. (Bug 8320)
     o Incorrect RTP statistics (Lost Packets indication not ok).
       (Bug 8321)
     o Registering ieee802154 dissector for IEEE802.15.4 frames
       inside Linux SLL frames. (Bug 8325)
     o Version Field is skipped while parsing WMM_TSPEC causing wrong
       dissecting (1 byte offset missing) of all fields in the TSPEC.
       (Bug 8330)
     o [BACnet] UCS-2 strings longer than 127 characters do not
       decode correctly. (Bug 8331)
     o Malformed IEEE80211 frame triggers DISSECTOR_ASSERT. (Bug
       8345)
     o Decoding of GSM MAP SMS Diagnostics. (Bug 8378)
     o Incorrect packet length displayed for Flight Message Transfer
       Protocol (FMTP). (Bug 8407)
     o Netflow dissector flowDurationMicroseconds nanosecond
       conversion wrong. (Bug 8410)
     o BE (3) AC is wrongly named as "Video" in (qos_acs). (Bug 8432)
- Updated Protocol Support
  ACN, AMQP, ASN.1 PER, BACnet, CIMD, CSN.1, DOCSIS TLVs, DTLS,
  FCSP, FMP/NOTIFY, FMTP, GSM MAP SMS, HART/IP, IEEE 802.11, IEEE
  802.15.4, JSON, Linux SLL, LTE RRC, Mount, MPLS Echo, Netflow,
  RELOAD, RSL, RTP, RTPS, RTPS2, SABP, SIP, SSL, TCP
2013-03-07 12:44:11 +00:00
tron
0cfb4fed08 Update "wireshark" package to version 1.8.3. Changes since 1.8.2:
- Bug Fixes
  The following vulnerabilities have been fixed.
    o wnpa-sec-2012-26
      The HSRP dissector could go into an infinite loop. (Bug 7581)
      Versions affected: 1.8.0 to 1.8.2.
      CVE-2012-5237
    o wnpa-sec-2012-27
      The PPP dissector could abort. (Bug 7316, bug 7668)
      Versions affected: 1.8.0 to 1.8.2.
      CVE-2012-5238
    o wnpa-sec-2012-28
      Martin Wilck discovered an infinite loop in the DRDA
      dissector. (Bug 7666)
      Versions affected: 1.6.0 to 1.6.10, 1.8.0 to 1.8.2.
      CVE-2012-5239
    o wnpa-sec-2012-29
      Laurent Butti discovered a buffer overflow in the LDP
      dissector. (Bug 7567)
      Versions affected: 1.8.0 to 1.8.2.
      CVE-2012-5240
  The following bugs have been fixed:
    o The HTTP dissector does not reassemble headers when the first
      TCP segment does not contain a full header line.
    o HDCP2 uses the wrong protocol id.
    o Several I/O graph problems have been fixed.
    o No markers show up when maps are displayed. (Bug 5016)
    o Assertion when using tshark/wireshark on large captures. (Bug
      5699)
    o Volume label field of "SMB/TRANS2-QUERY_FS_INFO/InfoVolume
      level" reply packet is not displayed correctly due alignment
      issue. (Bug 5778)
    o 64-bit Wireshark appears to hit 2-Gbyte memory limit on 64-bit
      Windows. (Bug 5979)
    o Truncated/partial JPEG files are not dissected. (Bug 6230)
    o Support for MPLS Packet Loss and Delay Measurement, RFC 6374.
      (Bug 6881)
    o Memory leak in voip_calls.c. (Bug 7320)
    o When listing protocols available for "Decode As", plugins are
      sorted after built-ins. (Bug 7348)
    o Hidden columns should not be printed when printing packet
      summary line. (Bug 7356)
    o Size wrong in "File Set List" for just-finished captures. (Bug
      7370)
    o Error: no dependency information found for
      debian/wireshark-common/usr/lib/wireshark/libwsutil.so.2 (used
      by debian/wireshark/usr/bin/wireshark). (Bug 7408)
    o Parse and properly display LTE RADIUS AVP
      3GPP-User-Location-Info. (Bug 7474)
    o [PATCH] HomeplugAV dissector: decode device id. (Bug 7548)
    o BACnet GetEnrollmentSummary-ACK does not decode correctly.
      (Bug 7556)
    o epan/dissectors/packet-per.c
      dissect_per_constrained_integer_64b fails for 64 bits. (Bug
      7624)
    o New SCTP PPID 48. (Bug 7635)
    o dissector of Qos attribute "Reliability Class" in GMM/SM
      message. (Bug 7670)
    o Performance regression in tshark -z io,stat. (Bug 7674)
    o Incorrect io-stat table format when unsupported "-t" operand
      is specified and when using AVG of relative_time fields. (Bug
      7685)
    o IEEE 802.11 TKIP dissection : wrong IS_TKIP macro. (Bug 7691)
    o Homeplug AV dissectors does not properly dissect short frames.
      (Bug 7707)
    o mm_context_nas_dl_cnt and mm_context_nas_ul_cnt are not
      dissected properly in ContextResponse message in Gtpv2. (Bug
      7718)
    o This trace causes Wireshark to crash when VoIP Calls selected.
      (Bug 7724)
    o Some diameter Gx enumerations are missing values or value is
      incorrect. (Bug 7727)
    o Wireshark 1.8.2 is only displaying 2 filters from the
      drop-down menu even when preferences are set to higher
      integer. (Bug 7731)
    o BGP bad decoding for Graceful Restart Capability with only
      helper support & for Enhanced Route Refresh Capability. (Bug
      7734)
    o Dissection error of D-RELEASE and D-CONNECT in TETRA
      dissector. (Bug 7736)
    o DND can cause Wireshark to crash. (Bug 7744)
    o SCSI: WRITE BUFFER fields always display as zero. (Bug 7753)
- Updated Protocol Support
  ASN.1 PER, BACnet, BGP, DIAMETER, DRDA, DVB CI, DVB, GSM
  Management, GTP, GTPv2, HDCP2, HomePlug AV, ICMP, ICMPv6, IEEE
  802.11, IEEE 802a, Interlink, JPEG, LDP, LPP, MPEG, MPLS, PCAP,
  PPP, RANAP, RRC, RRLP, SCCP, SCSI, SCTP, SDP, SMB, TETRA
2012-10-04 20:15:48 +00:00
tron
d688a59a32 Add fix for the remote DoS vulnerability reported in CVE-2012-3548 taken
from the Wireshark SVN repository.
2012-09-04 23:08:38 +00:00
christos
467f1ef1ab upgrade to 1.8.2 2012-08-20 08:34:43 +00:00
drochner
1ce5b225cd update to 1.6.10
changes:
-security fixes for dissectors: DCP ETSI, XTP, AFP, RTPS2, GSM RLC MAC,
 CIP, STUN, EtherCAT Mailbox, CTDB
 (CVE-2012-4285, CVE-2012-4288, CVE-2012-4289..4293, CVE-2012-4296,
  CVE-2012-4297)
-minor fixes

pkgsrc change: fix build with gnutls3

approved by the maintainer
2012-08-16 14:52:27 +00:00
tron
d22943f76a Update "wireshark" package to version 1.6.5. Changes since 1.6.4:
- Bug Fixes
  The following vulnerabilities have been fixed.
     o wnpa-sec-2012-01
       Laurent Butti discovered that Wireshark failed to properly
       check record sizes for many packet capture file formats. (Bug
       6663, bug 6666, bug 6667, bug 6668, bug 6669, bug 6670)
       Versions affected: 1.4.0 to 1.4.10, 1.6.0 to 1.6.4.
     o wnpa-sec-2012-02
       Wireshark could dereference a NULL pointer and crash. (Bug
       6634)
       Versions affected: 1.4.0 to 1.4.10, 1.6.0 to 1.6.4.
     o wnpa-sec-2012-03
       The RLC dissector could overflow a buffer. (Bug 6391)
       Versions affected: 1.4.0 to 1.4.10, 1.6.0 to 1.6.4.
   The following bugs have been fixed:
     o "Closing File!" Dialog Hangs. (Bug 3046)
     o Sub-fields of data field should appear in exported PDML as
       children of the data field instead of as siblings to it. (Bug
       3809)
     o Incorrect time differences displayed with time reference set.
       (Bug 5580)
     o Wrong packet type association of SNMP trap after TFTP
       transfer. (Bug 5727)
     o SSL/TLS decryption needs wireshark to be rebooted. (Bug 6032)
     o Export HTTP Objects -> save all crashes Wireshark. (Bug 6250)
     o Wireshark Netflow dissector complains there is no template
       found though the template is exported. (Bug 6325)
     o DCERPC EPM tower UUID must be interpreted always as little
       endian. (Bug 6368)
     o Crash if no recent files. (Bug 6549)
     o IPv6 frame containing routing header with 0 segments left
       calculates wrong UDP checksum. (Bug 6560)
     o IPv4 UDP/TCP Checksum incorrect if routing header present.
       (Bug 6561)
     o Incorrect Parsing of SCPS Capabilities Option introduced in
       response to bug 6194. (Bug 6562)
     o Various crashes after loading NetMon2.x capture file. (Bug
       6578)
     o Fixed compilation of dumpcap on some systems (when
       MUST_DO_SELECT is defined). (Bug 6614)
     o SIGSEGV in SVN 40046. (Bug 6634)
     o Wireshark dissects TCP option 25 as an "April 1" option. (Bug
       6643)
     o ZigBee ZCL Dissector reports invalid status. (Bug 6649)
     o ICMPv6 DNSSL option malformed on padding. (Bug 6660)
     o Wrong tvb_get_bits function call in packet-csn1.c. (Bug 6708)
     o [UDP] - Length Field of Pseudo Header while computing CheckSum
       is not correct. (Bug 6711)
     o pcapio.c: bug in libpcap_write_interface_description_block.
       (Bug 6719)
     o Memory leaks in various dissectors.
     o Bytes highlighted in wrong Byte pane when field selected in
       Details pane.
- Updated Protocol Support
   BGP, BMC, CSN1, DCERPC EPM, DCP(ETSI), DMP, DTLS, GSM Management,
   H245, HPTEAM, ICMPv6, IEEE 802.15.4, IPSEC, IPv4, IPv6, ISAKMP,
   KERBEROS, LDSS, NFS, RLC, RPC-NETLOGON, RRC, RTMPT, SIGCOMP, SSL,
   SYSLOG, TCP, UDP, XML, ZigBee ZCL
- New and Updated Capture File Support
   Accellent 5Views, AIX iptrace, HP-UX nettl, I4B, Microsoft Network
   Monitor, Novell LANalyzer, PacketLogger, Pcap-ng, Sniffer,
   Tektronix K12, WildPackets {Airo,Ether}Peek.
2012-01-11 09:48:24 +00:00
roy
6a9cba9971 Fix ICMPv6 DNSSL padding 2011-12-10 18:55:37 +00:00
tron
a2cd3dbc0c Update "wireshark" package to version 1.6.1.
The major changes since version 1.4.* are:
- Wireshark is now distributed as an installation package rather
  than a drag-installer on OS X. The installer adds a startup
  item that should make it easier to capture packets.
- Large file (greater than 2 GB) support has been improved.
- Wireshark and TShark can import text dumps, similar to
  text2pcap.
- You can now view Wireshark's dissector tables (for example the
  TCP port to dissector mappings) from the main window.
- Wireshark can export SSL session keys via File→Export→SSL
  Session Keys...
- TShark can show a specific occurrence of a field when using
  '-T fields'.
- Custom columns can show a specific occurrence of a field.
- You can hide columns in the packet list.
- Wireshark can now export SMB objects.
- dftest and randpkt now have manual pages.
- TShark can now display iSCSI, ICMP and ICMPv6 service response
  times.
- Dumpcap can now save files with a user-specified group id.
- Syntax checking is done for capture filters.
- You can display the compiled BPF code for capture filters in
  the Capture Options dialog.
- You can now navigate backwards and forwards through TCP and
  UDP sessions using Ctrl+, and Ctrl+. .
- Packet length is (finally) a default column.
- TCP window size is now available both scaled and unscaled. A
  TCP window scaling graph is available in the GUI.
- 802.1q VLAN tags are now shown in the Ethernet II protocol
  tree instead of a separate tree.
- Various dissectors now display some UTF-16 strings as proper
  Unicode including the DCE/RPC and SMB dissectors.
- The RTP player now has an option to show the time of day in
  the graph in addition to the seconds since beginning of
  capture.
- The RTP player now shows why media interruptions occur.
- Graphs now save as PNG images by default.
- TShark can read and write host name information from and to
  pcapng-formatted files. Wireshark can read it. TShark can dump
  host name information via [-z hosts].
- TShark's -z option now uses the [-z <proto>,srt] syntax instead
  of [-z <proto>,rtt] for all protocols that support service
  response time statistics. This matches Wireshark's syntax for
  this option.
- Wireshark and TShark can now read compressed Windows Sniffer
  files.
- New Protocol Support
  ADwin, ADwin-Config, Apache Etch, Aruba PAPI, Babel Routing
  Protocol, Broadcast/Multicast Control, Constrained Application
  Protocol (COAP), Digium TDMoE, Erlang Distribution Protocol,
  Ether-S-I/O, FastCGI, Fibre Channel over InfiniBand (FCoIB),
  Gopher, Gigamon GMHDR, IDMP, Infiniband Socket Direct Protocol
  (SDP), JSON, LISP Control, LISP Data, LISP, MikroTik MAC-Telnet,
  MRP Multiple Mac Registration Protocol (MMRP), Mongo Wire Protocol,
  MUX27010, Network Monitor 802.11 radio header, OPC UA
  ExtensionObjects, openSAFETY, PPI-GEOLOCATION-GPS, ReLOAD, ReLOAD
  Framing, RObust Header Compression (ROHC), RSIP, SAMETIME, SCoP,
  SGSAP, Tektronix Teklink, USB/AT Commands, uTorrent Transport
  Protocol, WAI authentication, Wi-Fi P2P (Wi-Fi Direct)
- New and Updated Capture File Support
  Apple PacketLogger, Catapult DCT2000, Daintree SNA, Endace ERF, HP
  OpenVMS TCPTrace, IPFIX (the file format, not the protocol),
  Lucent/Ascend debug, Microsoft Network Monitor, Network
  Instruments, TamoSoft CommView
2011-07-20 18:42:44 +00:00
tron
110fa84b08 Update "wireshark" package to version 1.4.4. Changes since 1.4.3:
- Bug Fixes
   The following vulnerabilities have been fixed. See the security
   advisory for details and a workaround.
     o Huzaifa Sidhpurwala of the Red Hat Security Response Team
       discovered that Wireshark could free an uninitialized pointer
       while reading a malformed pcap-ng file. (Bug 5652)
       Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3.
       CVE-2011-0538
     o Huzaifa Sidhpurwala of the Red Hat Security Response Team
       discovered that a large packet length in a pcap-ng file could
       crash Wireshark. (Bug 5661)
       Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3.
     o Wireshark could overflow a buffer while reading a Nokia DCT3
       trace file. (Bug 5661)
       Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3.
       CVE-2011-0713
     o Paul Makowski working for SEI/CERT discovered that Wireshark
       on 32 bit systems could crash while reading a malformed
       6LoWPAN packet. (Bug 5661)
       Versions affected: 1.4.0 to 1.4.3.
     o joernchen of Phenoelit discovered that the LDAP and SMB
       dissectors could overflow the stack. (Bug 5717)
       Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3. (Prior
       versions including 1.0.x are also affected.)
     o Xiaopeng Zhang of Fortinet's Fortiguard Labs discovered that
       large LDAP Filter strings can consume excessive amounts of
       memory. (Bug 5732)
       Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3. (Prior
       versions including 1.0.x are also affected.)
   The following bugs have been fixed:
     o A TCP stream would not always be recognized as the same
       stream. (Bug 2907)
     o Wireshark Crashing by pressing 2 Buttons. (Bug 4645)
     o A crash can occur in the NTLMSSP dissector. (Bug 5157)
     o The column texts from a Lua dissector could be mangled. (Bug
       5326) (Bug 5630)
     o Corrections to ANSI MAP ASN.1 specifications. (Bug 5584)
     o When searching in packet bytes, the field and bytes are not
       immediately shown. (Bug 5585)
     o Malformed Packet: ULP reported when dissecting ULP SessionID
       PDU. (Bug 5593)
     o Wrong IEI in container of decode_gtp_mm_cntxt. (Bug 5598)
     o Display filter does not work for expressions of type BASE_DEC,
       BASE_DEC_HEX and BASE_HEX_DEC. (Bug 5606)
     o NTLMSSP dissector may fail to compile due to space embedded in
       C comment delimiters. (Bug 5614)
     o Allow for name resolution of link-scope and multicast IPv6
       addresses from local host file. (Bug 5615)
     o DHCPv6 dissector formats DUID_LLT time incorrectly. (Bug 5627)
     o Allow for IEEE 802.3bc-2009 style PoE TLVs. (Bug 5639)
     o Various fixes to the HIP packet dissector. (Bug 5646)
     o Display "Day of Year" for January 1 as 1, not 0. (Bug 5653)
     o Accommodate the CMake build on Ubuntu 10.10. (Bug 5665)
     o E.212 MCC 260 Poland update according to local national
       regulatory. (Bug 5668)
     o IPP on ports other than 631 not recognized. (Bug 5677)
     o Potential access violation when writing to LANalyzer files.
       (Bug 5698)
     o IEEE 802.15.4 Superframe Specification - Final CAP Slot always
       0. (Bug 5700)
     o Peer SRC and DST AS numbers are swapped for cflow. (Bug 5702)
     o dumpcap: -q option behavior doesn't match documentation. (Bug
       5716)
- Updated Protocol Support
  ANSI MAP, BitTorrent, DCM, DHCPv6, DTAP, DTPT, E.212, GSM
  Management, GTP, HIP, IEEE 802.15.4, IPP, LDAP, LLDP, Netflow,
  NTLMSSP, P_Mul, Quake, Skinny, SMB, SNMP, ULP
- New and Updated Capture File Support
  LANalyzer, Nokia DCT3, Pcap-ng
2011-03-02 00:09:14 +00:00
drochner
f48cbdee9d add two patches from upstream:
-fix possible free() of an uninitialized pointer when reading a
 malformed pcap-ng file (CVE-2011-0538)
-add length check in pcap-ng reader
bump PKGREV
2011-02-10 11:00:56 +00:00
adam
939c498476 Fix building on Mac OS X: pass CFLAGS and LDFLAGS when making tools/lemon 2011-01-31 12:21:34 +00:00
tron
57ce3f67b6 Update "wireshark" package to version 1.4.3. Changes since 1.4.2:
- Bug Fixes
  The following vulnerabilities have been fixed. See the security
  advisory for details and a workaround.
  - FRAsse discovered that the MAC-LTE dissector could overflow a
    buffer. (Bug 5530)
    Versions affected: 1.2.0 to 1.2.13 and 1.4.0 to 1.4.2.
  - FRAsse discovered that the ENTTEC dissector could overflow a
    buffer. (Bug 5539)
    Versions affected: 1.2.0 to 1.2.13 and 1.4.0 to 1.4.2.
    CVE-2010-4538
  - The ASN.1 BER dissector could assert and make Wireshark exit
    prematurely. (Bug 5537)
    Versions affected: 1.4.0 to 1.4.2.
  The following bugs have been fixed:
  - AMQP failed assertion. (Bug 4048)
  - Reassemble.c leaks memory for GLIB > 2.8. (Bug 4141)
  - Fuzz testing reports possible dissector bug: TCP. (Bug 4211)
  - Wrong length calculation in new_octet_aligned_subset_bits()
    (PER dissector). (Bug 5393)
  - Function dissect_per_bit_string_display might read more bytes
    than available (PER dissector). (Bug 5394)
  - Cannot load wpcap.dll & packet.dll from Wireshark program
    directory. (Bug 5420)
  - Wireshark crashes with Copy -> Description on date/time
    fields. (Bug 5421)
  - DHCPv6 OPTION_CLIENT_FQDN parse error. (Bug 5426)
  - Information element Error for supported channels. (Bug 5430)
  - Assert when using ASN.1 dissector with loading a 'type table'.
    (Bug 5447)
  - Bug with RWH parsing in Infiniband dissector. (Bug 5444)
  - Help->About Wireshark mis-reports OS. (Bug 5453)
  - Delegated-IPv6-Prefix(123) is shown incorrect as
    X-Ascend-Call-Attempt-Limit(123). (Bug 5455)
  - "tshark -r file -T fields" is truncating exported data. (Bug 5463)
  - gsm_a_dtap: incorrect "Extraneous Data" when decoding Packet
    Flow Identifier. (Bug 5475)
  - Improper decode of TLS 1.2 packet containing both
    CertificateRequest and ServerHelloDone messages. (Bug 5485)
  - LTE-PDCP UL and DL problem. (Bug 5505)
  - CIGI 3.2/3.3 support broken. (Bug 5510)
  - Prepare Filter in RTP Streams dialog does not work correctly.
    (Bug 5513)
  - Wrong decode at ethernet OAM Y.1731 ETH-CC. (Bug 5517)
  - WPS: RF bands decryption. (Bug 5523)
  - Incorrect LTP SDNV value handling. (Bug 5521)
  - LTP bug found by randpkt. (Bug 5323)
  - Buffer overflow in SNMP EngineID preferences. (Bug 5530)
- Updated Protocol Support
  AMQP, ASN.1 BER, ASN.1 PER, CFM, CIGI, DHCPv6, Diameter, ENTTEC,
  GSM A GM, IEEE 802.11, InfiniBand, LTE-PDCP, LTP, MAC-LTE, MP2T,
  RADIUS, SAMR, SCCP, SIP, SNMP, TCP, TLS, TN3270, UNISTIM, WPS
- New and Updated Capture File Support
  Endace ERF, Microsoft Network Monitor, VMS TCPtrace.
2011-01-12 00:16:30 +00:00
tron
8b275bad48 Add patch from the Wireshark SVN repository to fix the security
vulnerability reported in SA42767 which affects the ENTTEC dissector.
2011-01-04 15:39:34 +00:00
tron
aa6225774c Update "wireshark" package to version 1.4.1. Changes since 1.4.0:
- Bug Fixes
   The following vulnerabilities have been fixed. See the security
   advisory for details and a workaround.
     o The Penetration Test Team of NCNIPC (China) discovered that
       the ASN.1 BER dissector was susceptible to a stack overflow.
       (Bug 5230)
  [A patch for this bug was already in version 1.4.0 in "pkgsrc".]
- The following bugs have been fixed:
     o Incorrect behavior using sorting in the packet list. (Bug
       2225)
     o Cooked-capture dissector should omit the source address field
       if empty. (Bug 2519)
     o MySQL dissector doesn't dissect MySQL stream. (Bug 2691)
     o Wireshark crashes if active display filter macro is renamed.
       (Bug 5002)
     o Incorrect dissection of MAP V2 PRN_ACK. (Bug 5076)
     o TCP bytes_in_flight becomes inflated with lost packets. (Bug
       5132)
     o GTP header is exported in PDML with an incorrect size. (Bug
       5162)
     o Packet list hidden columns will not be parsed correctly from
       preferences file. (Bug 5163)
     o Wireshark does not display the t.38 graph. (Bug 5165)
     o Wireshark don't show mgcp calls in "Telephony → VoIP calls".
       (Bug 5167)
     o Wireshark 1.4.0 & VoIP calls "Prepare Filter" problem. (Bug
       5172)
     o GTPv2: IMSI is decoded improperly. (Bug 5179)
     o [NAS EPS] EPS Quality of Service IE decoding is wrong. (Bug
       5186)
     o Wireshark mistakenly writes "not all data available" for IPv4
       checksum. (Bug 5194)
     o GSM: Cell Channel Description, range 1024 format. (Bug 5214)
     o Wrong SDP interpretation on VoIP call flow chart. (Bug 5220)
     o The CLDAP attribute value on a CLDAP reply is no longer being
       decoded. (Bug 5239)
     o [NAS EPS] Traffic Flow Template IE dissection bugs. (Bug 5243)
     o [NAS EPS] Use Request Type IE defined in 3GPP 24.008. (Bug
       5246)
     o NTLMSSP_AUTH domain and username truncated to first letter
       with IE8/Windows7 (generating the NTLM packet). (Bug 5251)
     o IPv6 RH0: dest addr is to be used i.s.o. last RH address when
       0 segments remain. (Bug 5252)
     o EIGRP dissection error in Flags field in external route TLVs.
       (Bug 5261)
     o MRP packet is not correctly parsed in PROFINET multiple write
       record request. (Bug 5267)
     o MySQL Enhancement: support of Show Fields and bug fix. (Bug
       5271)
     o [NAS EPS] Fix TFT decoding when having several Packet Filters
       defined. (Bug 5274)
     o Crash if using ssl.debug.file with no password for
       ssl.keys_list. (Bug 5277)
- Updated Protocol Support
  ASN.1 BER, ASN.1 PER, EIGRP, GSM A RR, GSM Management, GSM MAP,
  GTP, GTPv2, ICMPv6, Interlink, IPv4, IPv6, IPX, LDAP, LLC, MySQL,
  NAS EPS, NTLMSSP, PN-IO, PPP, RPC, SDP, SLL, SSL, TCP

Approved by Alistair Crooks.
2010-10-13 07:35:04 +00:00
tron
6fd0ba2bd5 Fix build under NetBSD-current by avoiding a conflict between's popcount(3)
and locally defined functions of the same name.

Patch supplied by Sverre Froyen in private e-mail.
2010-09-26 23:15:18 +00:00
tron
2642672351 Update "wireshark" package to version 1.4.0. Change since version 1.2.10:
- The following bugs have been fixed:
  - Update time display in background. (Bug 1275)
  - Tshark returns 0 even with an invalid interface or capture
    filter. (Bug 4735)
- The following features are new (or have been significantly
  updated) since version 1.2:
  - The packet list internals have been rewritten and are now more
    efficient.
  - Columns are easier to use. You can add a protocol field as a
    column by right-clicking on its packet detail item, and you
    can adjust some column preferences by right-clicking the
    column header.
  - Preliminary Python scripting support has been added.
  - Many memory leaks have been fixed.
  - Packets can now be ignored (excluded from dissection), similar
    to the way they can be marked.
  - Manual IP address resolution is now supported.
  - Columns with seconds can now be displayed as hours, minutes
    and seconds.
  - You can now set the capture buffer size on UNIX and Linux if
    you have libpcap 1.0.0 or greater.
  - TShark no longer needs elevated privileges on UNIX or Linux to
    list interfaces. Only dumpcap requires privileges now.
  - Wireshark and TShark can enable 802.11 monitor mode directly
    if you have libpcap 1.0.0 or greater.
  - You can play RTP streams directly from the RTP Analysis
    window.
  - Capinfos and editcap now respectively support time order
    checking and forcing.
  - Wireshark now has a "jump to timestamp" command-line option.
  - You can open JPEG files directly in Wireshark.
- New Protocol Support
  3GPP Nb Interface RTP Multiplex, Access Node Control Protocol,
  Apple Network-MIDI Session Protocol, ARUBA encapsulated remote
  mirroring, Assa Abloy R3, Asynchronous Transfer Mode, B.A.T.M.A.N.
  Advanced Protocol, Bluetooth AMP Packet, Bluetooth OBEX, Bundle
  Protocol, CIP Class Generic, CIP Connection Configuration Object,
  CIP Connection Manager, CIP Message Router, collectd network data,
  Control And Provisioning of Wireless Access Points, Controller
  Area Network, Device Level Ring, DOCSIS Bonded Initial Ranging
  Message, Dropbox LAN sync Discovery Protocol, Dropbox LAN sync
  Protocol, DTN TCP Convergence Layer Protocol, EtherCAT Switch
  Link, Fibre Channel Delimiters, File Replication Service DFS-R,
  Gateway Load Balancing Protocol, Gigamon Header, GigE Vision
  Control Protocol, Git Smart Protocol, GSM over IP ip.access CCM
  sub-protocol, GSM over IP protocol as used by ip.access, GSM
  Radiotap, HI2Operations, Host Identity Protocol, HP encapsulated
  remote mirroring, HP NIC Teaming Heartbeat, IEC61850 Sampled
  Values, IEEE 1722 Protocol, InfiniBand Link, Interlink Protocol,
  IPv6 over IEEE 802.15.4, ISO 10035-1 OSI Connectionless
  Association Control Service, ISO 9548-1 OSI Connectionless Session
  Protocol, ISO 9576-1 OSI Connectionless Presentation Protocol,
  ITU-T Q.708 ISPC Analysis, Juniper Packet Mirror, Licklider
  Transmission Protocol, MPLS PW ATM AAL5 CPCS-SDU mode
  encapsulation, MPLS PW ATM Cell Header, MPLS PW ATM Control Word,
  MPLS PW ATM N-to-One encapsulation, no CW, MPLS PW ATM N-to-One
  encapsulation, with CW, MPLS PW ATM One-to-One or AAL5 PDU
  encapsulation, Multiple Stream Reservation Protocol, NetPerfMeter
  Protocol, NetScaler Trace, NexusWare C7 MTP, NSN FLIP, OMRON FINS
  Protocol, packetbb Protocol, Peer Network Resolution Protocol,
  PKIX Attribute Certificate, Pseudowire Padding, Server/Application
  State Protocol, Solaris IPNET, TN3270 Protocol, TN5250 Protocol,
  TRILL, Twisted Banana, UMTS FP Hint, UMTS MAC, UMTS Metadata, UMTS
  RLC, USB HID, USB HUB, UTRAN Iuh interface HNBAP signalling, UTRAN
  Iuh interface RUA signalling, V5.2, Vendor Specific Control
  Protocol, Vendor Specific Network Protocol, VMware Lab Manager,
  VXI-11 Asynchronous Abort, VXI-11 Core Protocol, VXI-11 Interrupt,
  X.411 Message Access Service, ZigBee Cluster Library
- Updated Protocol Support
  There are too many to list here.
- New and Updated Capture File Support
  Accellent 5Views, ASN.1 Basic Encoding Rules, Catapult DCT2000,
  Daintree SNA, Endace ERF, EyeSDN, Gammu DCT3 trace, IBM iSeries,
  JPEG/JFIF, libpcap, Lucent/Ascend access server trace, NetScaler,
  PacketLogger, pcapng, Shomiti/Finisar Surveyor, Sun snoop, Symbian
  OS btsnoop, Visual Networks

Pkgsrc changes:
A fix for the security vulnerability reported in SA41535 has been
integrated from the Wireshark SVN repository.
2010-09-25 11:19:10 +00:00
tron
b15ee0f9b6 Update "wireshark" package to version 1.2.6. Changes since version 1.2.5:
- Bug Fixes
  The following vulnerabilities have been fixed. See the security
  advisory for details and a workaround.
  - Babi discovered several buffer overflows in the LWRES
    dissector.
  The following bugs have been fixed:
  - Wireshark could crash while decrypting Kerberos data.
  - Address display filters hang Wireshark. (Bug 658)
  - PSML - structure context node missing. (Bug 1564)
  - Wireshark doesn't dynamically update the packet list. (Bug 1605)
  - LUA: There's no tvb_get_stringz() equivalent. (Bug 2244)
  - tvb_new_real_data is prone to memory leak. (Bug 3917)
  - Malformed OPC UA traffic makes Wireshark "freeze". (Bug 3986)
  - Analyze->Expert... doesn't show IP "Bad Checksum" errors. (Bug 4177)
  - Wireshark can't decrypt WPA(2)-PSK when passphrase is 63
    bytes. (Bug 4183)
  - RTP stream analysis: Wrong jitter values after clicking the
    refresh button. (Bug 4340)
  - Wireshark decodes bootp option 2 incorrectly. (Bug 4342)
  - Deleting SMI modules causes Wireshark to crash. (Bug 4354)
  - Wireshark decodes kerberos AS-REQ PADATA incorrect. (Bug 4363)
  - PDML output from TShark includes invalid characters. (Bug 4402)
  - Empty GPRS LLC S frames cause truncated data exception. (Bug 4417)
- Updated Protocol Support
  BJNP, BOOTP/DHCP, DHCPv6, FIP, GPRS LLC, IEEE 802.11, IP,
  Kerberos, OPCUA, SCTP, SSL, ZRTP
2010-01-29 12:09:52 +00:00
tron
20962c0c57 Update "wireshark" package to version 1.2.1. Changes since version 1.0.8:
New features:
- Wireshark has a spiffy new start page.
- Display filters now autocomplete.
- Support for the c-ares resolver library has been added. It has many
  advantages over ADNS.
- Many new protocol dissectors and capture file formats have been added.
- Macintosh OS X support has been improved.
- GeoIP database lookups.
- OpenStreetMap + GeoIP integration.
- Improved Postscript(R) print output.
- The preference handling code is now much smarter about changes.
- Support for Pcap-ng, the next-generation capture file format.
- Support for process information correlation via IPFIX.
- Column widths are now saved.
- The last used configuration profile is now saved.
- Protocol preferences are changeable from the packet details context menu.
- Support for IP packet comparison.
- Capinfos now shows the average packet rate.
Security fixes:
- The AFS dissector could crash.
- The Infiniband dissector could crash on some platforms.
2009-07-21 20:39:41 +00:00
drochner
ef6a082a67 remove some apparently unnecessary "#include <gnutls/openssl.h>" so that
this pkg can be built against a gnutls which was built without
"openssl emulation". We build against the real openssl anyway, and
having both the real openssl and one emulated by gnutls has some
potential for namespace collisions, thus I'm considering to build
the pkgsrc gnutls w/o openssl emulation.
(This is just a build issue as far as wireshark is concerned, so
no PKGREV bump is needed.)
2009-06-05 16:05:55 +00:00
tron
e6ce82e4ee Update "wireshark" package to version 1.0.6.
Changes between 1.0.5 and 1.0.6:
- The following vulnerabilities have been fixed:
  * On non-Windows systems, Wireshark could crash if the HOME environment
    variable contained sprintf-style string formatting characters.
  * Wireshark could crash while reading a malformed NetScreen snoop file.
  * Wireshark could crash while reading a Tektronix K12 text capture file.
- The following bugs have been fixed:
  * Crash when loading capture file and Preferences: NO Info column
  * Some Lua scripts may lead to corruption via out of bounds stack
  * Build with GLib 1.2 fails with error: 'G_MININT32' undeclared
  * Wrong decoding IMSI with GSM MAP protocol
  * Segmentation fault for "Follow TCP stream" (Bug 3119)
  * SMPP optional parameter 'network_error_code' incorrectly decoded
  * DHCPv6 dissector doesn't handle malformed FQDN
  * WCCP overrides CFLOW as decoded protocol (Bug 3175)
  * Improper decoding of MPLS echo reply IPv4 Interface and Label Stack Object
  * ANSI MAP fix for TRN digits/SMS and OTA subdissection (Bug 3214)
- Updated Protocol Support
  * AFS, ATM, DHCPv6, DIS, E.212, RTP, UDP, USB, WCCP, WPS
- New and Updated Capture File Support
  * NetScreen snoop

Changes between version 1.0.4 and 1.0.5:
- The following vulnerabilities have been fixed. See the security advisory
  for details and a workaround.
  * The SMTP dissector could consume excessive amounts of CPU and memory.
  * The WLCCP dissector could go into an infinite loop.
- The following bugs have been fixed:
  * Missing CRLF during HTTP POST in the "packet details" window
  * Memory assertion in time_secs_to_str_buf() when compiled with GCC 4.2.3
  * Diameter dissector fails RFC 4005 compliance
  * LDP vendor private TLV type is not correctly shown
  * Wireshark on MacOS does not run when there are spaces in its path
  * Compilation broke when compiling without zlib
  * Memory leak: saved_repoid
  * Memory leak: follow_info
  * Memory leak: follow_info
  * Memory leak: tacplus_data
  * Memory leak: col_arrows
  * Memory leak: col_arrows
  * Incorrect address structure assigned for find_conversation() in WSP
  * Memory leak with unistim in voip_calls
  * Error parsing the BSSGP protocol
  * Assertion thrown in fvalue_get_uinteger when decoding TIPC
  * LUA script : Wireshark crashes after closing and opening again a window
    used by a listener.draw() function.
- Updated Protocol Support
  * ANSI MAP, BSSGP, CIP, Diameter, ENIP, GIOP, H.263, H.264, HTTP, MPEG PES
  * PostgreSQL, PPI, PTP, Rsync, RTP, SMTP, SNMP, STANAG 5066, TACACS, TIPC
  * WLCCP, WSP

The package update was provided by Matthias Drochner in private e-mail.
2009-02-13 09:41:11 +00:00
tron
764ea9d6a1 Add fix for infinite loop in SMTP dissector from Wireshark SVN repository.
This addresses the security vulnerability reported in SA32840.
2008-11-25 22:53:54 +00:00
tron
08f18cdbdd Fix build problem under NetBSD with the latest version of the
"glib2" package.
2008-10-26 14:06:52 +00:00
tron
a0bbf390e2 Update "wireshark" package to version 0.99.8. Changes since 0.99.7:
- Security-related vulnerabilities in the SCTP, SNMP, and TFTP dissectors
  have been fixed.
- This release adds configuration profiles, temporary coloring rules,
  enhanced I/O graphs, WLAN traffic statistics, and many other useful
  features.
2008-02-28 14:55:17 +00:00
drochner
420de96d3f oops - add patch which quells a "array subscript is char" gcc warning 2007-07-06 17:59:16 +00:00
drochner
d80dec9822 update to 0.99.6
changes:
-security fixes for the HTTP, DCP ETSI, SSL, DHCP, and MMS dissectors
 (crashes, resource exhaustion, off-by-one)
-GUI/display filter improvements
2007-07-06 17:58:09 +00:00