Revert "TODO: smb2: simplify preauth_hash calculation..."

[wireshark-sm.git] / NEWS

Wireshark 4.3.0 Release Notes

 This is an experimental release intended to test new features for
 Wireshark 4.4.

 What is Wireshark?

  Wireshark is the world’s most popular network protocol analyzer. It is
  used for troubleshooting, analysis, development and education.

 What’s New

  Wireshark now supports automatic profile switching. You can associate
  a display filter with a configuration profile, and when you open a
  capture file that matches the filter, Wireshark will automatically
  switch to that profile.

  Lua support for older LUA versions has been dropped. Only 5.3 and 5.4
  are supported, and the Lua version included with the Windows and MacOS
  installers is now 5.4.6.

  Improved display filter support for value strings (optional string
  representations for numeric fields).

  Display filter functions can be implemented as runtime-loadable C
  plugins.

  Custom columns can be defined using any valid field expression, such
  as display filter functions, slices, arithmetic calculations, logical
  tests, raw byte addressing, and the layer modifier.

  Custom output fields for `tshark -e` can also be defined using any
  valid field expression.

  Many improvements and fixes to the graphing dialogs, including I/O
  Graphs, Flow Graph / VoIP Calls, and TCP Stream Graphs.

  Many other improvements have been made. See the “New and Updated
  Features” section below for more details.

  New and Updated Features

   The following features are new (or have been significantly updated)
   since version 4.2.0:

     • Display filter syntax-related enhancements:

        • Better handling of comparisons with value strings. Now the
       display filter engine can correctly handle cases where multiple
       different numeric values map to the same value string, including
       but not limited to range-type value strings.

        • Fields with value strings now support regular expression
       matching.

        • Date and time values now support arithmetic, with some
       restrictions: the multiplier/divisor must be an integer or float
       and appear on the right-hand side of the operator.

        • The keyword "bitand" can be used as an alternative syntax for
       the bitwise-and operator.

        • Functions alone can now be used as an entire logical
       expression. The result of the expression is the truthiness of the
       function return value (or of all values if more than one). This
       is useful for example to write "len(something)" instead of
       "len(something) != 0". Even more so if a function returns itself
       a boolean value, it is now possible to write
       "bool_test(some.field)" instead of having to write
       "bool_test(some.field) == True" (both forms are now valid).

        • Display filter references can be written without curly braces.
       It is now possible to write `$frame.number` instead of
       `${frame.number}` for example.

        • Added new display filter functions to test various IP address
       properties. Check the wireshark-filter(5) manpage for more
       information.

        • Added new display filter functions to convert unsigned integer
       types to decimal or hexadecimal, and convert fields with value
       strings into the associated string for their value (used to
       produce results similar to custom columns). Check the
       wireshark-filter(5) manpage for more information.

        • Display filter macros can be written with a semicolon after
       the macro name before the argument list, e.g.
       `${mymacro;arg1;…​;argN}`, instead of `${mymacro:arg1;…​;argN}`.
       The version with semicolons works better with pop-up suggestions
       when editing the display filter, so the version with the colon
       might be removed in the future.

        • Display filter macros can be written using a function-like
       notation. The macro `${mymacro:arg1;…​;argN}` can be written
       `$mymacro(arg1,…​,argN)`.

     • Display filter functions can be implemented as libwireshark
       plugins. Plugins are loaded during startup from the usual binary
       plugin configuration directories. See the `ipaddr.c` source file
       in the distribution for an example of a display filter C plugin
       and the doc/plugins.example folder for generic instructions how
       to build a plugin.

     • Display filter autocompletions now also include display filter
       functions.

     • The display filter macro configuration file has changed format.
       It now uses the same format as the "dfilters" file and has been
       renamed accordingly to "dmacros". Internally it no longer uses
       the UAT API and the display filter macro GUI dialog has been
       updated. There is some basic migration logic implemented but it
       is advisable to check that the "dfilter_macros" (old) and
       "dmacros" (new) files in the profile directory are consistent.

     • Custom columns can be defined using any valid field expression:

        • Display filter functions, like `len(tcp.payload)`, including
       nested functions like `min(len(tcp.payload), len(udp.payload)`
       and newly defined functions using the plugin system mentioned
       above. Issue 15990[1] Issue 16181[2]

        • Arithmetic calculations, like `ip.len * 8` or `tcp.srcport +
       tcp.dstport`. Issue 7752[3]

        • Slices, like `tcp.payload[4:4]`. Issue 10154[4]

        • The layer operator, like `ip.proto#1` to return the proto
       field in the first IPv4 layer if there is tunneling. Issue
       18588[5]

        • Raw byte addressing, like `@ip`, useful to return the bytes of
       a protocol or FT_NONE field, among others. Issue 19076[6]

        • Logical tests, like `tcp.port == 443`, which produce a check
       mark if the test matches (similar to protocol and none fields
       without `@`.) This works with all logical operators, including
       e.g. regular expression matching (`matches` or `~`.)

        • Defined display filter macros.

        • Any combination of the above also works.

        • Multifield columns are still available. For backwards
       compatibility, `X or Y` is interpreted as a multifield column as
       before. To represent a logical test for the presence of multiple
       fields instead of concatenating values, use parenthesis, like
       `(tcp.options.timestamp or tcp.options.nop`.

        • Field references are not implemented, because there’s no sense
       of a currently selected frame. "Resolved" column values (such as
       host name resolution or value string lookup) are not supported
       for any of the new expressions yet.

     • Custom output fields for `tshark -e <field>` can also be defined
       using any valid field expression as above.

        • For custom output fields, `X or Y` is the usual logical test;
       to output multiple fields use multiple `-e` terms as before.

        • The various `-E` options, including `-E occurrence`, all work
       as expected.

     • When selecting "Manage Interfaces" from "Capture Options",
       Wireshark only attempts to reconnect to rpcap (remote) hosts that
       were connected to in the last session, instead of every remote
       host that the current profile has ever connected to. Issue
       17484[7]

     • Adding interfaces at startup is about twice as fast, and has many
       fewer UAC pop-ups when npcap is installed with access restricted
       to Administrators on Windows

     • The Resolved Addresses dialog only shows what addresses and ports
       are present in the file (not including information from static
       files), and selected rows or the entire table can be saved or
       copied to the clipboard in several formats. Issue 16419[8]

     • When capturing files in multiple file mode, a pattern that places
       the date and time before the index number can be used (e.g.,
       foo_20240714110102_00001.pcap instead of
       foo_00001_20240714110102.pcap). This causes filenames to sort in
       chronological order across file sets from different captures. The
       File Set dialog has been updated to handle the new pattern, which
       has been capable of being produced by tshark since version 3.6.0

     • The "Follow Stream" dialog can now show delta times between turns
       and all packets and events.

     • The "Find Packet" dialog can search backwards, and find
       additional occurrences of a string, hex value, or regular
       expression in a single frame.

     • When using "Go To Packet" with an undisplayed frame, the window
       goes to nearest displayed frame (by number.) Issue 2988[9]

     • A number of graphs using QCustomPlot ("I/O Graphs", "Flow Graph",
       "TCP Stream Graphs", and "RTP Player") are more responsive during
       mouse moves, especially on Linux when Wayland is used.

     • Improvements to the "I/O Graphs" dialog:

        • A number of crasher bugs have been fixed.

        • Smaller intervals can be used, down to 1 microsecond. Issue
       13682[10]

        • A larger number of I/O Graph item buckets can be used, up to
       225 items. Issue 8460[11]

        • The memory usage has been improved, the size of an item has
       been reduced from 152 bytes to 88 bytes.

        • When the Y field or Y axis changes, the graph displays the new
       graph correctly, retapping if necessary, instead of displaying
       information based on stale data.

        • The graph is smarter about choosing whether to retap
       (expensive), recalculate (moderately intensive), or replot
       (cheap) in order to display the newly chosen options correctly
       with the least amout of calculations. For instance, a graph that
       has previously been plotted and is disabled and then reenabled
       without any other changes will not require a new retap. Issue
       15822[12]

        • LOAD graphs are graphed properly again. Issue 18450[13]

        • The I/O Graph y-axis has human readable units with SI
       prefixes. Issue 12827[14]

        • I/O Graph bar widths are scaled to the size of the interval.

        • I/O Graph bar border colors are a slightly darker color than
       that of the graph itself, instead of always black. Issue
       17422[15]

        • The correct width of times that appear on the graph are used
       when automatically resetting the axes.

        • The precision of the interval time shown in the hint message
       depends on the interval.

        • The tracer follows the currently selected row on the table of
       graphs, and does not appear on an invisible graph.

        • The tracer moves to the frame selected in the main window.
       Issue 12909[16]

        • Pending graph changes are saved when changing profiles with
       the I/O Graphs dialog open.

        • I/O Graph dialog windows for closed capture files are no
       longer affected by changing the list of graphs (either in that
       dialogs or in other dialogs for the currently open file.)

        • Temporary graphs that have just been added and will not be
       saved unless the configuration has changed are more clearly
       marked with italics.

        • When Time of Day is selected on the graph, the absolute time
       is copied to the CSV instead of relative time. Issue 13717[17]

        • The graph layer order and order in the legend always matches
       the order in the table, and the legend appears properly. Issue
       13854[18]

        • Graphs with both lines and data point symbols are treated as
       line graphs, not scatter plots, for purposes of displaying zero
       values.

        • Logarithmic ticks are used when the Y-scale is logarithmic.

        • The graph crosshairs context menu option works.

        • The columns on the table of graphs can be all resized at once
       via the header context menu. Issue 18102[19]

        • The graph is more responsive to mouse moves, especially on
       Linux Wayland

     • Improvements to the Sequence Diagram (Flow Graph / VoIP Calls):

        • When exporting the graph as an image, the entire graph is
       shown, up to 1000 items (which can be changed in preferences),
       instead of only what was visible on-screen. Issue 13504[20]

        • Endpoints that share a same address now have two distinct
       nodes with a line between them. Issue 12038[21]

        • Tooltips are shown for elided comments

        • The scroll direction via keyboard is no longer reversed. Issue
       12932[22]

        • The column widths are fixed, instead of resizing slightly
       depending on the visible entries. Issue 12931[23]

        • The Y-axis labels stay in the correct position without having
       to click Reset.

        • The progress bar appears correctly in the Flow Graph (non VoIP
       Calls.)

        • The behavior of the "Any" and "Network" combobox is corrected.
       Issue 19818[24]

        • "Limit to Display Filter" is checked if a display filter is
       applied when the Flow Graph is opened, per the documentation.

     • TCP Stream Graphs:

        • A better decision is made about which side is the server and
       thus the initially chosen direction in the graph.

        • The Window Scaling graph axis labels are corrected and show
       both graphs.

        • The graph crosshairs context menu option works.

        • Switching between relative and absolute sequence numbers works
       again.

     • The included Lua version has been updated to 5.4. While most Lua
       dissectors should continue to work (the lua_bitop library has
       been patched to work with Lua 5.3 and 5.4, in addition to the
       native Lua support for bit operations present in those versions),
       different versions of Lua are not guaranteed to be compatible. If
       a Lua dissector has issues, check the manuals for Lua 5.4[25],
       Lua 5.3[26], and Lua 5.2[27] for incompatibilities and suggested
       workarounds. Note that features marked as deprecated in one
       version are removed in the subsequent version without additional
       notice, so it can be worth checking the manual for previous
       versions.

  Removed Features and Support

     • The tshark `-G` option with no argument is deprecated and will be
       removed in a future version. Use `tshark -G fields` to produce
       the same report.

  Removed Dissectors

   The Parlay dissector has been removed.

  New Protocol Support

   Allied Telesis Resiliency Link (AT RL), EGNOS Message Server (EMS)
   file format, Galileo E1-B I/NAV navigation messages, MAC NR Framed
   (mac-nr-framed), RF4CE Network Layer (RF4CE), RF4CE Profile (RF4CE
   Profile), and ZeroMQ Message Transport Protocol (ZMTP)

  Updated Protocol Support

     • IPv6: The "show address detail" preference is now enabled by
       default. The address details provided have been extended to
       include more special purpose address block properties
       (forwardable, globally-routable, etc).

   Too many other protocol updates have been made to list them all here.

   EGNOS Messager Server (EMS) files

   u-blox GNSS receivers

  Major API Changes

     • Plugins should provide a `plugin_describe()` function that
       returns an ORed list of flags consisting of the plugin types used
       (declared in wsutil/plugins.h).

 Getting Wireshark

  Wireshark source code and installation packages are available from
  https://www.wireshark.org/download.html.

  Vendor-supplied Packages

   Most Linux and Unix vendors supply their own Wireshark packages. You
   can usually install or upgrade Wireshark using the package management
   system specific to that platform. A list of third-party packages can
   be found on the download page[28] on the Wireshark web site.

 File Locations

  Wireshark and TShark look in several different locations for
  preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
  locations vary from platform to platform. You can use "Help › About
  Wireshark › Folders" or `tshark -G folders` to find the default
  locations on your system.

 Getting Help

  The User’s Guide, manual pages and various other documentation can be
  found at https://www.wireshark.org/docs/

  Community support is available on Wireshark’s Q&A site[29] and on the
  wireshark-users mailing list. Subscription information and archives
  for all of Wireshark’s mailing lists can be found on the web site[30].

  Bugs and feature requests can be reported on the issue tracker[31].

  You can learn protocol analysis and meet Wireshark’s developers at
  SharkFest[32].

 How You Can Help

  The Wireshark Foundation helps as many people as possible understand
  their networks as much as possible. You can find out more and donate
  at wiresharkfoundation.org[33].

 Frequently Asked Questions

  A complete FAQ is available on the Wireshark web site[34].

 References

   1. https://gitlab.com/wireshark/wireshark/-/issues/15990
   2. https://gitlab.com/wireshark/wireshark/-/issues/16181
   3. https://gitlab.com/wireshark/wireshark/-/issues/7752
   4. https://gitlab.com/wireshark/wireshark/-/issues/10154
   5. https://gitlab.com/wireshark/wireshark/-/issues/18588
   6. https://gitlab.com/wireshark/wireshark/-/issues/19076
   7. https://gitlab.com/wireshark/wireshark/-/issues/17484
   8. https://gitlab.com/wireshark/wireshark/-/issues/16419
   9. https://gitlab.com/wireshark/wireshark/-/issues/2988
  10. https://gitlab.com/wireshark/wireshark/-/issues/13682
  11. https://gitlab.com/wireshark/wireshark/-/issues/8460
  12. https://gitlab.com/wireshark/wireshark/-/issues/15822
  13. https://gitlab.com/wireshark/wireshark/-/issues/18450
  14. https://gitlab.com/wireshark/wireshark/-/issues/12827
  15. https://gitlab.com/wireshark/wireshark/-/issues/17422
  16. https://gitlab.com/wireshark/wireshark/-/issues/12909
  17. https://gitlab.com/wireshark/wireshark/-/issues/13717
  18. https://gitlab.com/wireshark/wireshark/-/issues/13854
  19. https://gitlab.com/wireshark/wireshark/-/issues/18102
  20. https://gitlab.com/wireshark/wireshark/-/issues/13504
  21. https://gitlab.com/wireshark/wireshark/-/issues/12038
  22. https://gitlab.com/wireshark/wireshark/-/issues/12932
  23. https://gitlab.com/wireshark/wireshark/-/issues/12931
  24. https://gitlab.com/wireshark/wireshark/-/issues/19818
  25. https://www.lua.org/manual/5.4/manual.html#8
  26. https://www.lua.org/manual/5.3/manual.html#8
  27. https://www.lua.org/manual/5.2/manual.html#8
  28. https://www.wireshark.org/download.html
  29. https://ask.wireshark.org/
  30. https://www.wireshark.org/lists/
  31. https://gitlab.com/wireshark/wireshark/-/issues
  32. https://sharkfest.wireshark.org
  33. https://wiresharkfoundation.org
  34. https://www.wireshark.org/faq.html