Wireshark 4.3.0 Release Notes

This is an experimental release intended to test new features for

Wireshark is the world’s most popular network protocol analyzer. It is
used for troubleshooting, analysis, development and education.

Wireshark now supports automatic profile switching. You can associate
a display filter with a configuration profile, and when you open a
capture file that matches the filter, Wireshark will automatically
switch to that profile.

Lua support for older Lua versions has been dropped. Only 5.3 and 5.4
are supported, and the Lua version included with the Windows and macOS
installers is now 5.4.6.

Improved display filter support for value strings (optional string
representations for numeric fields).

Display filter functions can be implemented as runtime-loadable C

Custom columns can be defined using any valid field expression, such
as display filter functions, slices, arithmetic calculations, logical
tests, raw byte addressing, and the layer modifier.

Custom output fields for `tshark -e` can also be defined using any
valid field expression.

Many improvements and fixes to the graphing dialogs, including I/O
Graphs, Flow Graph / VoIP Calls, and TCP Stream Graphs.

Many other improvements have been made. See the “New and Updated
Features” section below for more details.

New and Updated Features

The following features are new (or have been significantly updated)

• Display filter syntax-related enhancements:

• Better handling of comparisons with value strings. Now the
display filter engine can correctly handle cases where multiple
different numeric values map to the same value string, including
but not limited to range-type value strings.

• Fields with value strings now support regular expression

• Date and time values now support arithmetic, with some
restrictions: the multiplier/divisor must be an integer or float
and appear on the right-hand side of the operator.

• The keyword "bitand" can be used as an alternative syntax for
the bitwise-and operator.

• Functions alone can now be used as an entire logical
expression. The result of the expression is the truthiness of the
function return value (or of all values if more than one). This
is useful, for example, to write "len(something)" instead of
"len(something) != 0". Even more so, if a function itself returns
a boolean value, it is now possible to write
"bool_test(some.field)" instead of having to write
"bool_test(some.field) == True" (both forms are now valid).

• Display filter references can be written without curly braces.
It is now possible to write `$frame.number` instead of
`${frame.number}` for example.

• Added new display filter functions to test various IP address
properties. Check the wireshark-filter(5) manpage for more

• Added new display filter functions to convert unsigned integer
types to decimal or hexadecimal, and convert fields with value
strings into the associated string for their value (used to
produce results similar to custom columns). Check the
wireshark-filter(5) manpage for more information.

• Display filter macros can be written with a semicolon after
the macro name before the argument list, e.g.
`${mymacro;arg1;…;argN}`, instead of `${mymacro:arg1;…;argN}`.
The version with semicolons works better with pop-up suggestions
when editing the display filter, so the version with the colon
might be removed in the future.

• Display filter macros can be written using a function-like
notation. The macro `${mymacro:arg1;…;argN}` can be written
`$mymacro(arg1,…,argN)`.

• Display filter functions can be implemented as libwireshark
plugins. Plugins are loaded during startup from the usual binary
plugin configuration directories. See the `ipaddr.c` source file
in the distribution for an example of a display filter C plugin
and the doc/plugins.example folder for generic instructions how

• Display filter autocompletions now also include display filter

• The display filter macro configuration file has changed format.
It now uses the same format as the "dfilters" file and has been
renamed accordingly to "dmacros". Internally it no longer uses
the UAT API and the display filter macro GUI dialog has been
updated. There is some basic migration logic implemented but it
is advisable to check that the "dfilter_macros" (old) and
"dmacros" (new) files in the profile directory are consistent.

• Custom columns can be defined using any valid field expression:

• Display filter functions, like `len(tcp.payload)`, including
nested functions like `min(len(tcp.payload), len(udp.payload))`
and newly defined functions using the plugin system mentioned
above. Issue 15990[1] Issue 16181[2]

• Arithmetic calculations, like `ip.len * 8` or
`tcp.srcport + tcp.dstport`. Issue 7752[3]

• Slices, like `tcp.payload[4:4]`. Issue 10154[4]

• The layer operator, like `ip.proto#1` to return the proto
field in the first IPv4 layer if there is tunneling. Issue

• Raw byte addressing, like `@ip`, useful to return the bytes of
a protocol or FT_NONE field, among others. Issue 19076[6]

• Logical tests, like `tcp.port == 443`, which produce a check
mark if the test matches (similar to protocol and none fields
without `@`). This works with all logical operators, including
e.g. regular expression matching (`matches` or `~`).

• Defined display filter macros.

• Any combination of the above also works.

• Multifield columns are still available. For backwards
compatibility, `X or Y` is interpreted as a multifield column as
before. To represent a logical test for the presence of multiple
fields instead of concatenating values, use parentheses, like
`(tcp.options.timestamp or tcp.options.nop)`.

• Field references are not implemented, because there’s no sense
of a currently selected frame. "Resolved" column values (such as
host name resolution or value string lookup) are not supported
for any of the new expressions yet.

• Custom output fields for `tshark -e <field>` can also be defined
using any valid field expression as above.

• For custom output fields, `X or Y` is the usual logical test;
to output multiple fields use multiple `-e` terms as before.

• The various `-E` options, including `-E occurrence`, all work

• When selecting "Manage Interfaces" from "Capture Options",
Wireshark only attempts to reconnect to rpcap (remote) hosts that
were connected to in the last session, instead of every remote
host that the current profile has ever connected to. Issue

• Adding interfaces at startup is about twice as fast, and has many
fewer UAC pop-ups when npcap is installed with access restricted
to Administrators on Windows.

• The Resolved Addresses dialog only shows what addresses and ports
are present in the file (not including information from static
files), and selected rows or the entire table can be saved or
copied to the clipboard in several formats. Issue 16419[8]

• When capturing files in multiple file mode, a pattern that places
the date and time before the index number can be used (e.g.,
foo_20240714110102_00001.pcap instead of
foo_00001_20240714110102.pcap). This causes filenames to sort in
chronological order across file sets from different captures. The
File Set dialog has been updated to handle the new pattern, which
tshark has been able to produce since version 3.6.0.

• The "Follow Stream" dialog can now show delta times between turns
and all packets and events.

• The "Find Packet" dialog can search backwards, and find
additional occurrences of a string, hex value, or regular
expression in a single frame.

• When using "Go To Packet" with an undisplayed frame, the window
goes to the nearest displayed frame (by number). Issue 2988[9]

• A number of graphs using QCustomPlot ("I/O Graphs", "Flow Graph",
"TCP Stream Graphs", and "RTP Player") are more responsive during
mouse moves, especially on Linux when Wayland is used.

• Improvements to the "I/O Graphs" dialog:

• A number of crasher bugs have been fixed.

• Smaller intervals can be used, down to 1 microsecond. Issue

• A larger number of I/O Graph item buckets can be used, up to
225 items. Issue 8460[11]

• The memory usage has been improved; the size of an item has
been reduced from 152 bytes to 88 bytes.

• When the Y field or Y axis changes, the graph displays the new
graph correctly, retapping if necessary, instead of displaying
information based on stale data.

• The graph is smarter about choosing whether to retap
(expensive), recalculate (moderately intensive), or replot
(cheap) in order to display the newly chosen options correctly
with the least amount of calculations. For instance, a graph that
has previously been plotted and is disabled and then reenabled
without any other changes will not require a new retap. Issue

• LOAD graphs are graphed properly again. Issue 18450[13]

• The I/O Graph y-axis has human readable units with SI
prefixes. Issue 12827[14]

• I/O Graph bar widths are scaled to the size of the interval.

• I/O Graph bar border colors are a slightly darker color than
that of the graph itself, instead of always black. Issue

• The correct width of times that appear on the graph is used
when automatically resetting the axes.

• The precision of the interval time shown in the hint message
depends on the interval.

• The tracer follows the currently selected row on the table of
graphs, and does not appear on an invisible graph.

• The tracer moves to the frame selected in the main window.

• Pending graph changes are saved when changing profiles with
the I/O Graphs dialog open.

• I/O Graph dialog windows for closed capture files are no
longer affected by changing the list of graphs (either in that
dialog or in other dialogs for the currently open file).

• Temporary graphs that have just been added and will not be
saved unless the configuration has changed are more clearly

• When Time of Day is selected on the graph, the absolute time
is copied to the CSV instead of relative time. Issue 13717[17]

• The graph layer order and order in the legend always matches
the order in the table, and the legend appears properly. Issue

• Graphs with both lines and data point symbols are treated as
line graphs, not scatter plots, for purposes of displaying zero

• Logarithmic ticks are used when the Y-scale is logarithmic.

• The graph crosshairs context menu option works.

• The columns on the table of graphs can be all resized at once
via the header context menu. Issue 18102[19]

• The graph is more responsive to mouse moves, especially on

• Improvements to the Sequence Diagram (Flow Graph / VoIP Calls):

• When exporting the graph as an image, the entire graph is
shown, up to 1000 items (which can be changed in preferences),
instead of only what was visible on-screen. Issue 13504[20]

• Endpoints that share the same address now have two distinct
nodes with a line between them. Issue 12038[21]

• Tooltips are shown for elided comments.

• The scroll direction via keyboard is no longer reversed. Issue

• The column widths are fixed, instead of resizing slightly
depending on the visible entries. Issue 12931[23]

• The Y-axis labels stay in the correct position without having

• The progress bar appears correctly in the Flow Graph (non VoIP

• The behavior of the "Any" and "Network" combobox is corrected.

• "Limit to Display Filter" is checked if a display filter is
applied when the Flow Graph is opened, per the documentation.

• A better decision is made about which side is the server and
thus the initially chosen direction in the graph.

• The Window Scaling graph axis labels are corrected and show

• The graph crosshairs context menu option works.

• Switching between relative and absolute sequence numbers works

• The included Lua version has been updated to 5.4. While most Lua
dissectors should continue to work (the lua_bitop library has
been patched to work with Lua 5.3 and 5.4, in addition to the
native Lua support for bit operations present in those versions),
different versions of Lua are not guaranteed to be compatible. If
a Lua dissector has issues, check the manuals for Lua 5.4[25],
Lua 5.3[26], and Lua 5.2[27] for incompatibilities and suggested
workarounds. Note that features marked as deprecated in one
version are removed in the subsequent version without additional
notice, so it can be worth checking the manual for previous

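The multiple file mode entry above gives two filename patterns. The following is an added example, not Wireshark code: it parses both patterns and orders a mixed directory of capture files chronologically, which is what you need when reassembling evidence from several capture runs. The field widths and the names `parse`, `chronological`, `OLD_STYLE` and `NEW_STYLE` are assumptions taken from the two example filenames.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

class CaptureFile(NamedTuple):
    name: str
    prefix: str
    created: datetime
    index: int
    time_first: bool  # True for prefix_TIMESTAMP_INDEX.ext

# Assumption: 14-digit YYYYMMDDhhmmss timestamp and 5-digit index,
# as in the two example names given in the release notes.
_TIME_FIRST = re.compile(r"^(.+)_(\d{14})_(\d{5})\.[\w.]+$")
_INDEX_FIRST = re.compile(r"^(.+)_(\d{5})_(\d{14})\.[\w.]+$")

def parse(name: str) -> Optional[CaptureFile]:
    """Parse either naming pattern; return None if the name fits neither."""
    m = _TIME_FIRST.match(name)
    time_first = m is not None
    if m:
        prefix, ts, idx = m.groups()
    else:
        m = _INDEX_FIRST.match(name)
        if not m:
            return None
        prefix, idx, ts = m.groups()
    try:
        created = datetime.strptime(ts, "%Y%m%d%H%M%S")
    except ValueError:  # 14 digits that are not a real date and time
        return None
    return CaptureFile(name, prefix, created, int(idx), time_first)

def chronological(names):
    """Order capture files by embedded timestamp, then by index."""
    parsed = [p for p in map(parse, names) if p is not None]
    parsed.sort(key=lambda p: (p.created, p.index, p.name))
    return [p.name for p in parsed]

# Constructed sample: two separate captures saved to one directory.
OLD_STYLE = [
    "foo_00001_20240714110102.pcap", "foo_00002_20240714110602.pcap",
    "foo_00001_20240715090000.pcap", "foo_00002_20240715090500.pcap",
]
NEW_STYLE = [
    "foo_20240714110102_00001.pcap", "foo_20240714110602_00002.pcap",
    "foo_20240715090000_00001.pcap", "foo_20240715090500_00002.pcap",
]

if __name__ == "__main__":
    print("index-first, plain sort:", sorted(OLD_STYLE))
    print("index-first, by time:   ", chronological(OLD_STYLE))
    print("time-first, plain sort: ", sorted(NEW_STYLE))
```

With the index-first names a plain sort interleaves the two captures, while the time-first names already sort in capture order.
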
Removed Features and Support

• The tshark `-G` option with no argument is deprecated and will be
removed in a future version. Use `tshark -G fields` to produce

The Parlay dissector has been removed.

Allied Telesis Resiliency Link (AT RL), EGNOS Message Server (EMS)
file format, Galileo E1-B I/NAV navigation messages, MAC NR Framed
(mac-nr-framed), RF4CE Network Layer (RF4CE), RF4CE Profile (RF4CE
Profile), and ZeroMQ Message Transport Protocol (ZMTP)

Updated Protocol Support

• IPv6: The "show address detail" preference is now enabled by
default. The address details provided have been extended to
include more special purpose address block properties
(forwardable, globally-routable, etc).

Too many other protocol updates have been made to list them all here.

EGNOS Message Server (EMS) files

u-blox GNSS receivers

• Plugins should provide a `plugin_describe()` function that
returns an ORed list of flags consisting of the plugin types used
(declared in wsutil/plugins.h).

Wireshark source code and installation packages are available from
https://www.wireshark.org/download.html.

Vendor-supplied Packages

Most Linux and Unix vendors supply their own Wireshark packages. You
can usually install or upgrade Wireshark using the package management
system specific to that platform. A list of third-party packages can
be found on the download page[28] on the Wireshark web site.

Wireshark and TShark look in several different locations for
preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
locations vary from platform to platform. You can use "Help › About
Wireshark › Folders" or `tshark -G folders` to find the default
locations on your system.

The User’s Guide, manual pages and various other documentation can be
found at https://www.wireshark.org/docs/

Community support is available on Wireshark’s Q&A site[29] and on the
wireshark-users mailing list. Subscription information and archives
for all of Wireshark’s mailing lists can be found on the web site[30].

Bugs and feature requests can be reported on the issue tracker[31].

You can learn protocol analysis and meet Wireshark’s developers at

The Wireshark Foundation helps as many people as possible understand
their networks as much as possible. You can find out more and donate
at wiresharkfoundation.org[33].

Frequently Asked Questions

A complete FAQ is available on the Wireshark web site[34].

1. https://gitlab.com/wireshark/wireshark/-/issues/15990
2. https://gitlab.com/wireshark/wireshark/-/issues/16181
3. https://gitlab.com/wireshark/wireshark/-/issues/7752
4. https://gitlab.com/wireshark/wireshark/-/issues/10154
5. https://gitlab.com/wireshark/wireshark/-/issues/18588
6. https://gitlab.com/wireshark/wireshark/-/issues/19076
7. https://gitlab.com/wireshark/wireshark/-/issues/17484
8. https://gitlab.com/wireshark/wireshark/-/issues/16419
9. https://gitlab.com/wireshark/wireshark/-/issues/2988
10. https://gitlab.com/wireshark/wireshark/-/issues/13682
11. https://gitlab.com/wireshark/wireshark/-/issues/8460
12. https://gitlab.com/wireshark/wireshark/-/issues/15822
13. https://gitlab.com/wireshark/wireshark/-/issues/18450
14. https://gitlab.com/wireshark/wireshark/-/issues/12827
15. https://gitlab.com/wireshark/wireshark/-/issues/17422
16. https://gitlab.com/wireshark/wireshark/-/issues/12909
17. https://gitlab.com/wireshark/wireshark/-/issues/13717
18. https://gitlab.com/wireshark/wireshark/-/issues/13854
19. https://gitlab.com/wireshark/wireshark/-/issues/18102
20. https://gitlab.com/wireshark/wireshark/-/issues/13504
21. https://gitlab.com/wireshark/wireshark/-/issues/12038
22. https://gitlab.com/wireshark/wireshark/-/issues/12932
23. https://gitlab.com/wireshark/wireshark/-/issues/12931
24. https://gitlab.com/wireshark/wireshark/-/issues/19818
25. https://www.lua.org/manual/5.4/manual.html#8
26. https://www.lua.org/manual/5.3/manual.html#8
27. https://www.lua.org/manual/5.2/manual.html#8
28. https://www.wireshark.org/download.html
29. https://ask.wireshark.org/
30. https://www.wireshark.org/lists/
31. https://gitlab.com/wireshark/wireshark/-/issues
32. https://sharkfest.wireshark.org
33. https://wiresharkfoundation.org
34. https://www.wireshark.org/faq.html