Wireshark versions

Capture and examine network packets for debugging and security review
4.0 - Jun 21, 2023
3.6 - Nov 14, 2021
3.4 - Oct 30, 2020
3.2 - Dec 11, 2019
3.0 - Feb 27, 2019
2.6 - Apr 25, 2018
2.4 - Jun 10, 2017
2.2 - Aug 24, 2016
2.0 - Nov 21, 2012
Aug 7, 2014
Jul 21, 2014
Aug 2, 2013
May 22, 2013
1.8 - Jun 9, 2012
Jun 6, 2012
1.7 - Feb 9, 2012
1.6 - Jun 7, 2011
May 17, 2011
1.4 - Aug 30, 2010
Jun 10, 2010
1.2 - May 28, 2009
1.1 - Sep 17, 2008
1.0 - Mar 28, 2008
0.9 - Feb 14, 2008

What's new

v3.6 [Nov 14, 2021]
The following features are new (or have been significantly updated) since version 3.6.0rc3:
- The macOS Intel packages now ship with Qt 5.15.3 and require macOS 10.13 or later.
The following features are new (or have been significantly updated) since version 3.6.0rc2:
- Display filter set elements must now be comma-separated. See below for more details.
The following features are new (or have been significantly updated) since version 3.6.0rc1:
- The display filter expression “a != b” now has the same meaning as “!(a == b)”.
The following features are new (or have been significantly updated) since version 3.5.0:
- Nothing of note.
The following features are new (or have been significantly updated) since version 3.4.0:
- Several changes have been made to the display filter syntax:
  - The expression “a != b” now always has the same meaning as “!(a == b)”. In particular this means filter expressions with multi-value fields like “ip.addr != 1.1.1.1” will work as expected (the result is the same as typing “ip.src != 1.1.1.1 and ip.dst != 1.1.1.1”). This avoids the contradiction (a == b and a != b) being true.
  - It is possible to use the syntax “a ~= b” or “a any_ne b” to recover the previous (inconsistent with "==") logic for not equal.
  - Literal strings can now be specified using raw string syntax, identical to raw strings in the Python programming language. This can be used to avoid the complexity of using two levels of character escapes with regular expressions.
  - Set elements must now be separated using a comma. A filter such as http.request.method in {"GET" "HEAD"} must be written as … in {"GET", "HEAD"}. Whitespace is not significant. The previous use of whitespace as separator is deprecated and will be removed in a future version.
  - Support for the syntax "a not in b" with the same meaning as "not a in b" has been added.
- Packaging updates:
  - A macOS Arm 64 (Apple Silicon) package is now available.
  - The macOS Intel packages now ship with Qt 5.15.3 and require macOS 10.13 or later.
  - The Windows installers now ship with Npcap 1.55.
  - A 64-bit Windows PortableApps package is now available.
- TCP conversations now support a completeness criteria, which facilitates the identification of TCP streams having any of opening or closing handshakes, a payload, in any combination. It can be accessed with the new tcp.completeness filter.
- Protobuf fields that are not serialized on the wire or otherwise missing in capture files can now be displayed with default values by setting the new “add_default_value” preference. The default values might be explicitly declared in “proto2” files, or false for bools, first value for enums, zero for numeric types.
- Wireshark now supports reading Event Tracing for Windows (ETW). A new extcap named ETW reader can open an etl file, convert all events in the file to DLT_ETW packets and write them to a specified FIFO destination. A new packet_etw dissector dissects DLT_ETW packets so that Wireshark can display the DLT_ETW packet header and its message; packet_etw calls the packet_mbim sub-dissector if the provider matches the MBIM provider GUID.
- “Follow DCCP stream” feature to filter for and extract the contents of DCCP streams.
- Wireshark now supports dissecting RTP packets with OPUS payloads.
- Importing captures from text files based on regular expressions is now possible. By specifying a regex that captures a single packet, including capturing groups for the relevant fields, a text file can be converted to a libpcap capture file. Supported data encodings are plain hexadecimal, octal, binary and base64. The timestamp format now also allows the second fractions to be placed anywhere in the timestamp, and it is stored with nanosecond instead of microsecond precision.
- The RTP Player has been significantly redesigned and improved. See Playing VoIP Calls and RTP Player Window in the User’s Guide for more details.
  - The RTP Player can play many streams in a row.
  - The UI is more responsive.
  - The RTP Player maintains a playlist, and other tools can add streams to it and remove streams from it.
  - Every stream can be muted or routed to the left or right channel for replay.
  - The option to save audio has been moved from the RTP Analysis dialog to the RTP Player. The RTP Player also saves what was played, and it can save in multichannel .au or .wav.
  - The RTP Player is now accessible from the Telephony › RTP › RTP Player menu.
- The VoIP dialogs (VoIP Calls, RTP Streams, RTP Analysis, RTP Player, SIP Flows) are non-modal and can stay open in the background.
  - The same tools are provided across all dialogs (Prepare Filter, Analyse, RTP Player …)
- The “Follow Stream” dialog is now able to follow SIP calls based on their Call-ID value.
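
The multi-value comparison change listed above for v3.6, as an added example (not Wireshark code): a small Python model of “==”, the new “!=” and “~=” / “any_ne”, evaluated over a constructed capture. The `Packet` class, the helper names and every address other than the page's 1.1.1.1 are assumptions made for illustration.

```python
# Added example: a model of Wireshark 3.6 display-filter comparisons on a
# multi-value field. The capture and all helper names are constructed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    number: int
    src: str
    dst: str

    def field(self, name):
        """Every value the field name matches; ip.addr matches both addresses."""
        return {"ip.src": [self.src], "ip.dst": [self.dst],
                "ip.addr": [self.src, self.dst]}[name]


def eq(pkt, name, value):
    """a == b: true if ANY occurrence of the field equals the value."""
    return any(v == value for v in pkt.field(name))


def any_ne(pkt, name, value):
    """a ~= b (a any_ne b), the pre-3.6 "!=": true if ANY occurrence differs."""
    return any(v != value for v in pkt.field(name))


def ne(pkt, name, value):
    """a != b since 3.6: defined as !(a == b), so EVERY occurrence must differ."""
    return not eq(pkt, name, value)


def not_in(pkt, name, members):
    """a not in {x, y}: same meaning as not (a in {x, y})."""
    return not any(v in members for v in pkt.field(name))


def select(predicate):
    """Packet numbers from the constructed capture that pass the predicate."""
    return [p.number for p in CAPTURE if predicate(p)]


# Constructed sample capture: (number, source, destination)
CAPTURE = [
    Packet(1, "1.1.1.1", "10.0.0.5"),
    Packet(2, "10.0.0.5", "1.1.1.1"),
    Packet(3, "10.0.0.5", "8.8.8.8"),
    Packet(4, "1.1.1.1", "1.1.1.1"),
    Packet(5, "10.0.0.5", "10.0.0.9"),
]


def compare(host="1.1.1.1"):
    """Evaluate the same exclusion under the new and the previous semantics."""
    return {
        "ip.addr == host": select(lambda p: eq(p, "ip.addr", host)),
        "ip.addr != host": select(lambda p: ne(p, "ip.addr", host)),
        "ip.addr ~= host": select(lambda p: any_ne(p, "ip.addr", host)),
        "ip.src != host and ip.dst != host": select(
            lambda p: ne(p, "ip.src", host) and ne(p, "ip.dst", host)),
        # Packets for which the old logic made (a == b and a != b) true
        "== and ~= both true": select(
            lambda p: eq(p, "ip.addr", host) and any_ne(p, "ip.addr", host)),
    }


if __name__ == "__main__":
    for expr, numbers in compare().items():
        print(f"{expr:36} -> {numbers}")
```

Packets 1 and 2 are the ones an exclusion filter written with the previous “!=” would have left in the view, which matters when reviewing saved filters after an upgrade to 3.6.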

v3.4 [Oct 30, 2020]
Bug Fixes:
The following vulnerabilities have been fixed:
- wnpa-sec-2021-04 MS-WSP dissector excessive memory consumption. Issue 17331.
The following bugs have been fixed:
- TShark does not print GeoIP information. Issue 14691.
- TShark error when piping to "head". Issue 16192.
- Parts of ASCII representation in Packet Bytes pane are missing. Issue 17087.
- Buildbot crash output: fuzz-2021-02-22-1012761.pcap. Issue 17254.
- NDPE attribute of NAN packet is not dissected. Issue 17278.
- TECMP: reserved flag interpreted as part of timestamp. Issue 17279.
- Master branch does not compile at least with gcc-11. Issue 17281.
- DNS IXFR/AXFR multiple response. Issue 17293.
- File too large. Issue 17301.
- Build fails with CMake 3.20. Issue 17314.
Updated Protocol Support:
- DECT, DNS, EAP, Kerberos, LDAP, MS-WSP, SMB2, Sysdig, TECMP, and WiFi NAN.
New and Updated Capture File Support:
- pcapng.

v3.2 [Dec 11, 2019]
Bug Fixes:
The following vulnerabilities have been fixed:
- wnpa-sec-2020-01 WASSP dissector crash. Bug 16324. CVE-2020-7044.
The following bugs have been fixed:
- Incorrect parsing of USB CDC packets. Bug 14587.
- Wireshark fails to create directory if parent directory does not yet exist. Bug 16143.
- Buildbot crash output: randpkt-2019-11-30-22633.pcap. Bug 16240.
- Closing Flow Graph closes (crashes) main GUI window. Bug 16260.
- Wireshark interprets websocket frames after HTTP handshake in a wrong way. Bug 16274.
- A-bis/OML: IPA Destination IP Address attribute contains inverted value (endianness). Bug 16282.
- wiretap/log3gpp.c: 2 * leap before looking ?. Bug 16283.
- Opening shell terminal prints Wireshark: Permission denied. Bug 16284.
- h264: SPS frame_crop_right_offset shown in UI as frame_crop_left_offset. Bug 16285.
- BGP: update of "Sub-TLV Length" by draft-ietf-idr-tunnel-encaps. Bug 16294.
- SPNEGO GSS-API Kerberos ap-options dissection produces "Unknown Bit(s)" expert message. Bug 16301.
- USB Audio feature unit descriptor is incorrectly dissected. Bug 16305.
- Compiling the .y files fails with Berkeley YACC. Bug 16306.
- PDB files in Windows installer. Bug 16307.
- NAS-5GS 5GS network feature support lacks MCSI, EMCN3 two fields (octet 4). Bug 16310.
- Option to change “Packet List” columns header right click pop-up menu behavior. Bug 16317.
- DLT: Dissector does not parse multiple DLT messages in single UDP packet. Bug 16321.
- ISAKMP Dissection: Enhance Source id and Destination ID field of GDOI SA TEK payload for non IP ID type. Bug 16233.
- DOIP: Typo in "identifcation request messages". Bug 16325.
- Toolbar "?" help button - no text/help displayed. Bug 16327.
New and Updated Features:
- There are no new features in this release.
New Protocol Support:
- There are no new protocols in this release.
Updated Protocol Support:
- 802.11 Radiotap, ASN.1 BER, BGP, DLT, DOIP, GSM A RR, GSM A-bis/OML, H264, HTTP, IEC 60870-5-104, IEEE 802.11, IPv4, ISAKMP, NAS 5GS, rtnetlink, SIP, TIPC, USB Audio, USB CDC, and WASSP.
New and Updated Capture File Support:
- 3gpp phone log.

v3.0 [Feb 27, 2019]
- The Windows installers now ship with Npcap 0.992. They previously shipped with Npcap 0.99-r9.
The following vulnerabilities have been fixed:
- wnpa-sec-2019-09[1] NetScaler file parser crash. Bug 15497[2].
- wnpa-sec-2019-10[4] SRVLOC dissector crash. Bug 15546[5].
- wnpa-sec-2019-11[7] IEEE 802.11 dissector infinite loop. Bug
- wnpa-sec-2019-12[10] GSUP dissector infinite loop. Bug 15585[11].
- wnpa-sec-2019-13[13] Rbm dissector infinite loop. Bug 15612[14].
- wnpa-sec-2019-14[16] GSS-API dissector crash. Bug 15613[17].
- wnpa-sec-2019-15[19] DOF dissector crash. Bug 15617[20].
- wnpa-sec-2019-16[22] TSDNS dissector crash. Bug 15619[23].
- wnpa-sec-2019-17[25] LDSS dissector crash. Bug 15620[26].
- wnpa-sec-2019-18[28] DCERPC SPOOLSS dissector crash. Bug
The following bugs have been fixed:
- [oss-fuzz] UBSAN: shift exponent 34 is too large for 32-bit type 'guint32' (aka 'unsigned int') in packet-ieee80211.c:15534:49. Bug 14770[31].
- [oss-fuzz] UBSAN: shift exponent 35 is too large for 32-bit type 'int' in packet-couchbase.c:1674:37. Bug 15439[32].
- Duplicated TCP SEQ field in ICMP packets. Bug 15533[33].
- Wrong length in dhcpv6 NTP Server suboption results in "Malformed Packet" and breaks further dissection. Bug 15542[34].
- Wireshark’s speaker-to-MaxMind is burning up the CPU. Bug 15545[35].
- GSM-A-RR variable bitmap decoding may report ARFCNs > 1023. Bug 15549[36].
- Import hexdump dummy Ethernet header generation ignores direction indication. Bug 15561[37].
- %T not supported for timestamps. Bug 15565[38].
- LWM2M: resource with \r\n badly shown. Bug 15572[39].
- When selecting BSSAP in 'Decode As' for a SCCP payload, it uses BSSAP which is not the same protocol. Bug 15578[40].
- Possible buffer overflow in function ssl_md_final for crafted SSL 3.0 sessions. Bug 15599[41].
- Windows console log output delay. Bug 15605[42].
- Syslog dissector processes the UTF-8 BOM incorrectly. Bug 15607[43].
- NFS/NLM: Wrong lock byte range in the "Info" column. Bug 15608[44].
- randpkt -r causes segfault when count > 1. Bug 15627[45].
- Tshark export to ElasticSearch (-Tek) fails with Bad json_dumper state: illegal transition. Bug 15628[46].
- Packets with metadata but no data get the Protocol Info column overwritten. Bug 15630[47].
- BGP MP_REACH_NLRI AFI: Layer-2 VPN, SAFI: EVPN- Label stack not decoded. Bug 15631[48].
- Buildbot crash output: fuzz-2019-03-23-1789.pcap. Bug 15634[49].
- Typo: broli → brotli. Bug 15647[50].
- Wrong dissection of GTPv2 MM Context Used NAS integrity protection algorithm. Bug 15648[51].
- Windows CHM (help file) title displays quoted HTML characters. Bug 15656[52].
- Unable to load 3rd party plugins not signed by Wireshark’s codesigning certificate. Bug 15667[53].

v2.6 [Apr 25, 2018]
The following vulnerabilities have been fixed:
- wnpa-sec-2018-34[1] BGP dissector large loop. Bug 13741[2]. CVE-2018-14342[3].
- wnpa-sec-2018-35[4] ISMP dissector crash. Bug 14672[5]. CVE-2018-14344[6].
- wnpa-sec-2018-36[7] Multiple dissectors could crash. Bug 14675[8]. CVE-2018-14340[9].
- wnpa-sec-2018-37[10] ASN.1 BER dissector crash. Bug 14682[11]. CVE-2018-14343[12].
- wnpa-sec-2018-38[13] MMSE dissector infinite loop. Bug 14738[14]. CVE-2018-14339[15].
- wnpa-sec-2018-39[16] DICOM dissector crash. Bug 14742[17]. CVE-2018-14341[18].
- wnpa-sec-2018-40[19] Bazaar dissector infinite loop. Bug 14841[20]. CVE-2018-14368[21].
- wnpa-sec-2018-41[22] HTTP2 dissector crash. Bug 14869[23]. CVE-2018-14369[24].
- wnpa-sec-2018-42[25] CoAP dissector crash. Bug 14966[26]. CVE-2018-14367[27].
The following bugs have been fixed:
- ISMP.EDP "Tuples" dissected incorrectly. Bug 4943[28].
- Wireshark - Race issue when switching between files using Wireshark’s "Files in Set" dialog. Bug 10870[29].
- Sorting on "Source port" or "Destination port" column sorts alphabetically, not numerically. Bug 11460[30].
- Wireshark crashes when changing profiles. Bug 11648[31].
- Crash when starting capture while saving capture file or rescanning file after display filter change. Bug 13594[32].
- Crash when switching to TRANSUM enabled profile. Bug 13697[33].
- TCP retransmission with additional payload leads to incorrect bytes and length in stream. Bug 13700[34].
- Wireshark crashes with single quote string display filter. Bug 14084[35].
- randpkt can write packets that libwiretap can’t read. Bug 14107[36].
- Wireshark crashes when loading new file before previous load has finished. Bug 14351[37].
- Valid packet produces Malformed Packet: OpcUa. Bug 14465[38].
- Error received from dissect_wccp2_hash_assignment_info(). Bug 14573[39].
- CRC checker wrong for FPP. Bug 14610[40].
- Cross-build broken due to make-dissectors and make-taps. Bug 14622[41].
- Extraction of SMB file results in wrong size. Bug 14662[42].
- 6LoWPAN dissector merges fragments from different sources. Bug 14700[43].
- IP address to name resolution doesn’t work in TShark. Bug 14711[44].
- "Decode as" Modbus RTU over USB doesn’t work with 2.6.0 but with 2.4.6. Bug 14717[45].
- proto_tree_add_protocol_format might leak memory. Bug 14719[46].
- tostring for NSTime objects in lua gives wrong results. Bug 14720[47].
- Media type "application/octet-stream" registered for both Thread and UASIP. Bug 14729[48].
- Crash related to SCTP tap. Bug 14733[49].
- Formatting of OSI area addresses/address prefixes goes past the end of the area address/address prefix. Bug 14744[50].
- ICMPv6 Router Renumbering - Packet Dissector - malformed. Bug 14755[51].
- WiMAX HARQ MAP decoder segfaults when length is too short. Bug 14780[52].
- HTTP PUT request following a HEAD request is not correctly decoded. Bug 14793[53].
- SYNC PDU type 3 miss the last PDU length. Bug 14823[54].
- Reversed 128 bits service UUIDs when Bluetooth Low Energy advertisement data are dissected. Bug 14843[55].
- Issues with Wireshark when the user doesn’t have permission to capture. Bug 14847[56].
- Wrong description when LE Bluetooth Device Address type is dissected. Bug 14866[57].
- LE Role advertisement type (0x1c) is not dissected properly according to the Bluetooth specification. Bug 14868[58].
- Regression: Wireshark 2.6.0 and 2.6.1 are unable to read NetMon files which were readable by previous versions. Bug 14876[59].
- Wireshark doesn’t properly display (deliberately) invalid 220 responses from Postfix. Bug 14878[60].
- Follow TCP Stream and click reassembled content moves you to incorrect current packet. Bug 14898[61].
- Crash when changing profiles while loading a capture file. Bug 14918[62].
- Duplicate PDU during C Arrays Output Export. Bug 14933[63].
- DCE/RPC not dissected when "reserved for use by implementations" flag bits set. Bug 14942[64].
- Follow TCP Stream truncates output on missing (but ACKed) segments. Bug 14944[65].
- There’s no option to include column headings when printing packets or exporting packet dissections with Qt Wireshark. Bug 14945[66].
- Qt: SCTP Graph Dialog: Abort when doing analysis. Bug 14971[67].
- CMake is unable to find LUA libraries. Bug 14983[68].
New and Updated Features:
- There are no new features in this release.
New Protocol Support:
- There are no new protocols in this release.
Updated Protocol Support:
- 6LoWPAN, ASN.1 BER, Bazaar, BGP, Bluetooth, Bluetooth HCI_CMD, CIGI, Cisco ttag, CoAP, Data, DCERPC, Diameter 3GPP, DICOM, DOCSIS, FPP, GSM A GM, GTPv2, HTTP, HTTP2, IAX2, ICMPv6, IEEE 1722, IEEE 802.11, IPv4, ISMP, LISP, MMSE, MTP3, MySQL, NFS, OpcUa, PPI GPS, Q.931, RNSAP, RPCoRDMA, S1AP, SCTP, SMB, SMTP, STUN, SYNC, T.30, TCP, TRANSUM, WAP, WCCP, Wi-SUN, WiMax HARQ Map Message, and WSP.

v2.4 [Jun 10, 2017]
The following bugs have been fixed:
- Incorrect presentation of Ascend-Data-Filter (RADIUS attribute 242). (Bug 11630)
- Confusing "Apply a display filter " keyboard shortcut. (Bug 12450)
- Wireshark crashes at startup if it needs to display a dialog early in the startup process. (Bug 13275)
- RADIUS dictionary: BEGIN-VENDOR does not support format=Extended-Vendor-Specific-\*. (Bug 13745)
- Dumpcap on big-endian machines writes out corrupt, unreadable Enhanced Packet Blocks. (Bug 13802)
- Interface Toolbar support for Windows. (Bug 13833)
- Wireshark should behave better on high resolution displays on Windows. (Bug 13877)
- Udpdump.pod missing from build. (Bug 13903)
- RTP Player Format Error. (Bug 13906)
- VNC Protocol dissector: Framebuffer Updates. (Bug 13910)
- DNS LOC RRs with out-of-range longitude or latitude aren’t shown as errors. (Bug 13914)
- DIS Dissector Entity Appearance Record displayed in wrong location. (Bug 13917)
- Win64 CMake bug - (CYGWIN_INSTALL_PATH redefinition) causing missing packages when using CMake 3.9.0. (Bug 13922)
- APL records parsed incorrectly for IPv4 prefixes. (Bug 13923)
- File→Merge dialog doesn’t show all options. Resizing doesn’t help. (Bug 13924)
- TCAP SRT Analysis incorrectly matched TCAP begins and ends. (Bug 13926)
- Error in MKA Distributed SAK parameter set dissection. (Bug 13927)
- E.212: Check length before trying 3-digits MNC. (Bug 13935)
- mpeg_descriptor: AC3 System A: Respect descriptor length. (Bug 13939)
- Crash in Wireshark using Dumper:dump() from Lua. (Bug 13944)
- MRCPv2 not decoded correctly. (Bug 13952)
- UDP Checksum verification not working for 0x0000 checksum. (Bug 13955)
- OSPF v3 LSA Type not well parsed. (Bug 13979)
- GTPv2 - decoding issue for Packet Flow ID (type 123). (Bug 13987)
- TRANSUM fails to calculate RTE figures for DCE-RPC where request Packet Type is zero. (Bug 13988)
- BTLE Hop and SCA fields incorrectly dissected in BLE CONNECT_REQ. (Bug 13990)
- [oss-fuzz] BGP memleak: ASAN: 276 byte(s) leaked in 5 allocation(s). (Bug 13995)
- Some Infiniband Connect Req fields are not decoded correctly. (Bug 13997)
- GTP: gtp.ext_comm_flags_II_pmtsmi bit not decoded correctly. (Bug 14001)
- InfiniBand: sIP and dIP inside IP CM Private Data are decoded in the wrong order. (Bug 14002)
- 802.11 wlan.ft.subelem.r0kh_id should be sequence of bytes. (Bug 14004)
- USB capture: Unrecognized libpcap format or not libpcap data. (Bug 14006)
- SQ Header Pointer in NVMoF response capsule is decoded with the wrong endian. (Bug 14008)

v1.6 [Jun 7, 2011]
Bug Fixes:
- The Lucent/Ascend file parser was susceptible to an infinite loop.
- The ANSI MAP dissector was susceptible to an infinite loop.
- TCP dissector doesn't decode TCP segments of length 1.
- Missing LUA function.
- Lua API description about creating a new Tvb from a bytearray is not correct in wireshark's user guide.
- Character echo pauses in Capture Filter field in Capture Options.
- "File not found" box uses wrong filename encoding.
- Decoding of MQ ASCII and EBCDIC Traffic Flow - ASCII shows fine, EBCDIC does not.
- Tshark custom columns: Why don't I get an error message?
New Features:
- Wireshark is now distributed as an installation package rather than a drag-installer on OS X. The installer adds a startup item that should make it easier to capture packets.
- Large file (greater than 2 GB) support has been improved.
- Wireshark and TShark can import text dumps, similar to text2pcap.
- You can now view Wireshark's dissector tables (for example the TCP port to dissector mappings) from the main window.
- Wireshark can export SSL session keys via File→Export→SSL Session Keys...
- TShark can show a specific occurrence of a field when using '-T fields'.
- Custom columns can show a specific occurrence of a field.
- You can hide columns in the packet list.
- Wireshark can now export SMB objects.
- dftest and randpkt now have manual pages.
- TShark can now display iSCSI, ICMP and ICMPv6 service response times.
- Dumpcap can now save files with a user-specified group id.
- Syntax checking is done for capture filters.
- You can display the compiled BPF code for capture filters in the Capture Options dialog.
- You can now navigate backwards and forwards through TCP and UDP sessions using Ctrl+, and Ctrl+.
- Packet length is (finally) a default column.

v1.2 [May 28, 2009]
Bug Fixes:
The following bugs have been fixed:
- SNMPv3 Engine ID registration. (Bug 2426)
- Open file dialog always displayed when clicking anywhere on Wireshark. (Bug 2478)
- tshark reports wrong number of bytes on big dumpfiles with -z io,stat. (Bug 3205)
- Negative INTEGER number displayed as positive number in SNMP dissector. (Bug 3230)
- Add support for FT_BOOLEAN fields to wslua FieldInfo. (Bug 4049)
- Wireshark crashes w/ GLib error when trying to play RTP stream. (Bug 4119)
- Windows 2000 support has been restored. (Bug 4176)
- Wrong dissection on be_cell_id_list for bssmap. (Bug 4437)
- I/O Graph dropdown boxes not working correctly. (Bug 4487)
- Runtime Error when right-clicking field and selecting "Filter Field Reference". (Bug 4522)
- In GSM SMS PDU TPVPF showing wrong. (Bug 4524)
- Profinet: May be wrong defined byte meaning. (Bug 4525)
- GLib-CRITICAL ** Message. (Bug 4547)
- Certain EDP display filters trigger Wireshark/tshark runtime error. (Bug 4563)
- Some NCP frames trigger "Dissector bug, protocol NCP". (Bug 4565)
- The encapsulation abbreviation "bluetooth-h4" is ambiguous. (Bug 4613)
Updated Protocol Support:
- BSSMAP, DMP, GSM SMS, LDSS, NCP, PN/IO, PPP, SIP, SNMP
