Thank you for the update. Am looking forward to seeing what I can do with it in my current project.
Regards,
Given.

On Thu, 29 Aug 2024, 00:36 Gerald Combs, <ger...@wireshark.org> wrote:

> I'm proud to announce the release of Wireshark 4.4.0.
>
> This is the first release of the 4.4 branch.
>
> What is Wireshark?
>
> Wireshark is the world’s most popular network protocol analyzer. It is
> used for troubleshooting, analysis, development and education.
>
> Wireshark is hosted by the Wireshark Foundation, a nonprofit which
> promotes protocol analysis education. Wireshark and the foundation
> depend on your contributions in order to do their work. If you or your
> organization would like to contribute or become a sponsor, please
> visit wiresharkfoundation.org[1].
>
> What’s New
>
> Many improvements and fixes to the graphing dialogs, including I/O
> Graphs, Flow Graph / VoIP Calls, and TCP Stream Graphs.
>
> Wireshark now supports automatic profile switching. You can associate
> a display filter with a configuration profile, and when you open a
> capture file that matches the filter, Wireshark will automatically
> switch to that profile.
>
> Support for Lua 5.3 and 5.4 has been added, and support for Lua 5.1
> and 5.2 has been removed. The Windows and macOS installers now ship
> with Lua 5.4.6.
>
> Improved display filter support for value strings (optional string
> representations for numeric fields).
>
> Display filter functions can be implemented as plugins, similar to
> protocol dissectors and file parsers.
>
> Display filters can be translated to pcap filters using "Edit › Copy ›
> Display filter as pcap filter" if each display filter field has a
> corresponding pcap filter equivalent.
>
> Custom columns can be defined using any valid field expression, such
> as display filter functions, packet slices, arithmetic calculations,
> logical tests, raw byte addressing, and protocol layer modifiers.
>
> Custom output fields for `tshark -e` can also be defined using any
> valid field expression.
>
> Wireshark can be built with the zlib-ng instead of zlib for compressed
> file support. Zlib-ng is substantially faster than zlib. The official
> Windows and macOS packages include this feature.
>
> Many other improvements have been made. See the “New and Updated
> Features” section below for more details.
>
> New and Updated Features
>
> The following features are either new or have been significantly
> updated since version 4.2.0:
>
>   • The Windows installers now ship with Npcap 1.79. They previously
>     shipped with Npcap 1.78.
>
>   • Improvements to the "I/O Graphs" dialog:
>
>     • A number of crasher bugs have been fixed.
>
>     • The protocol tree context menu can open an I/O graph of the
>       currently selected field. Issue 11362[2]
>
>     • Smaller intervals can be used, down to 1 microsecond. Issue
>       13682[3]
>
>     • A larger number of I/O Graph item buckets can be used, up to
>       2^25 (33 million) items. Issue 8460[4]
>
>     • The size of individual graph items has been reduced, which
>       reduces memory utilization.
>
>     • When the Y field or Y axis changes, the graph displays the new
>       graph correctly, retapping if necessary, instead of displaying
>       information based on stale data.
>
>     • The graph is smarter about choosing whether to retap
>       (expensive), recalculate (moderately intensive), or replot
>       (cheap) in order to display the newly chosen options correctly
>       with the least amount of calculations. For instance, a graph that
>       has previously been plotted and is disabled and then reenabled
>       without any other changes will not require a new retap. Issue
>       15822[5]
>
>     • LOAD graphs are graphed properly again. Issue 18450[6]
>
>     • Y axes have human readable units with SI prefixes. Issue
>       12827[7]
>
>     • Bar widths are scaled to the size of the interval.
>
>     • Bar border colors are a slightly darker color than that of the
>       graph itself, instead of always black. Issue 17422[8]
>
>     • Time values have the correct width when axes are automatically
>       reset.
>
>     • The precision of the interval time shown in the hint message
>       depends on the interval.
>
>     • The tracer follows the currently selected row on the table of
>       graphs, and does not appear on an invisible graph.
>
>     • The tracer moves to the frame selected in the main window.
>       Issue 12909[9]
>
>     • Pending graph changes are saved when changing profiles when
>       the I/O Graphs dialog is open.
>
>     • I/O Graph dialog windows for closed capture files are no
>       longer affected by changing the list of graphs (either in that
>       dialog or in other dialogs for the currently open file.)
>
>     • Newly created temporary graphs, which will not be saved unless
>       the configuration has changed, are more clearly marked with
>       italics.
>
>     • When "Time of Day" is selected for a graph, the absolute time
>       will be saved to CSV exports instead of the relative time. Issue
>       13717[10]
>
>     • Graphs can be reordered by dragging and dropping their list
>       entries. Issue 13855[11]
>
>     • The graph layer order and legend order always matches the
>       order in the graph list. Legends also appear properly. Issue
>       13854[12]
>
>     • The legend can be moved to other corners of the graph by
>       right-clicking on it and selecting its new location from a menu.
>
>     • For purposes of displaying zero values, graphs with both lines
>       and data point symbols are treated as line graphs, not scatter
>       plots.
>
>     • Logarithmic ticks are used when the Y axis is logarithmic.
>
>     • The graph crosshairs context menu option works.
>
>     • You can resize the graph list columns to their contents by
>       right clicking on the list header. Issue 18102[13]
>
>     • The graph is more responsive to mouse movement, especially on
>       Linux Wayland.
>
>   • Improvements to the Sequence Diagram (Flow Graphs and VoIP
>     Calls):
>
>     • When exporting the graph as an image, the entire graph is
>       shown with up to 1000 items instead of only what was visible
>       on-screen. This value can be increased in the preferences.
>       Issue 13504[14]
>
>     • Endpoints that share the same address now have two distinct
>       nodes with a line between them. Issue 12038[15]
>
>     • The "Comment" column can be resized by selecting the axis
>       between the "Comment" column and the graph and dragging, and
>       auto-resized by double-clicking the column. Issue 4972[16]
>
>     • Tooltips are shown for elided comments.
>
>     • The scroll direction via keyboard is no longer reversed. Issue
>       12932[17]
>
>     • The column widths are fixed instead of resizing slightly
>       depending on the visible entries. Issue 12931[18]
>
>     • The Y axis labels stay in the correct position without having
>       to click the Reset button.
>
>     • The progress bar appears correctly in the Flow Graph (non VoIP
>       Calls).
>
>     • The behavior of the "Any" and "Network" combobox is corrected.
>       Issue 19818[19]
>
>     • "Limit to Display Filter" is checked if a display filter is
>       applied when the Flow Graph is opened, per the documentation.
>
>   • TCP Stream Graphs:
>
>     • A better decision is made about which side is the server and
>       thus the initially chosen direction in the graph.
>
>     • The "Window Scaling" graph axis labels are corrected and show
>       both graphs.
>
>     • The graph crosshairs context menu option works.
>
>     • Switching between relative and absolute sequence numbers works
>       again.
>
>   • The "Follow Stream" dialog can now show delta times between turns
>     and all packets and events.
>
>   • A number of graphs using the QCustomPlot widget ("I/O Graphs",
>     "Flow Graph", "TCP Stream Graphs", and "RTP Player") are more
>     responsive to mouse movement, especially on Linux when Wayland is
>     used.
>
>   • The "Find Packet" dialog can search backwards and find additional
>     occurrences of a string, hex value, or regular expression in a
>     single frame.
>
>   • When using "Go To Packet" with an undisplayed frame, the window
>     goes to nearest displayed frame by number.
>     Issue 2988[20]
>
>   • Display filter syntax enhancements:
>
>     • Better handling of comparisons with value strings. Now the
>       display filter engine can correctly handle cases where multiple
>       different numeric values map to the same value string, including
>       but not limited to range-type value strings.
>
>     • Fields with value strings now support regular expression
>       matching.
>
>     • Date and time values now support arithmetic, with some
>       restrictions: the multiplier/divisor must be an integer or
>       floating point number and appear on the right-hand side of the
>       operator.
>
>     • The keyword "bitand" can be used as an alternative syntax for
>       the bitwise-and operator.
>
>     • Functions alone can now be used as an entire logical
>       expression. The result of the expression is the truthiness of the
>       function return value (or of all values if more than one). This
>       is useful for example to write "len(something)" instead of
>       "len(something) != 0". Even more so if a function returns itself
>       a boolean value, it is now possible to write
>       "bool_test(some.field)" instead of having to write
>       "bool_test(some.field) == True". Both forms are now valid.
>
>     • Display filter references can be written without curly braces.
>       It is now possible to write `$frame.number` instead of
>       `${frame.number}` for example.
>
>     • There are new display filter functions which test various IP
>       address properties. Check the wireshark-filter[21](5) man page
>       for more information.
>
>     • There are new display filter functions which convert unsigned
>       integer types to decimal or hexadecimal, and convert fields with
>       value strings into the associated string for their value, which
>       can be used to produce results similar to custom columns. Check
>       the wireshark-filter[22](5) man page for more information.
>
>     • Display filter macros can be written with a semicolon after
>       the macro name before the argument list, e.g.
>       `${mymacro;arg1;…;argN}`, instead of `${mymacro:arg1;…;argN}`.
>       The version with semicolons works better with pop-up suggestions
>       when editing the display filter, so the version with the colon
>       might be removed in the future.
>
>     • Display filter macros can be written using a function-like
>       notation. The macro `${mymacro:arg1;…;argN}` can be written
>       `$mymacro(arg1,…,argN)`.
>
>     • AX.25 addresses are now filtered using the "CALLSIGN-SSID"
>       string syntax. Filtering based on the raw bytes values is still
>       possible, like other field types, with the `@` operator. Issue
>       17973[23]
>
>   • Display filter functions can be implemented as libwireshark
>     plugins. Plugins are loaded during startup from the usual binary
>     plugin configuration directories. See the `ipaddr.c` source file
>     in the distribution for an example of a display filter C plugin
>     and the doc/plugins.example folder for generic instructions how
>     to build a plugin.
>
>   • Display filter autocompletions now also include display filter
>     functions.
>
>   • The display filter macro configuration file has changed format.
>     It now uses the same format as the "dfilters" file and has been
>     renamed accordingly to "dmacros". Internally it no longer uses
>     the UAT API and the display filter macro GUI dialog has been
>     updated. There is some basic migration logic implemented but it
>     is advisable to check that the "dfilter_macros" (old) and
>     "dmacros" (new) files in the profile directory are consistent.
>
>   • Custom columns can be defined using any valid field expression:
>
>     • Display filter functions, like `len(tcp.payload)`, including
>       nested functions like `min(len(tcp.payload), len(udp.payload))`
>       and newly defined functions using the plugin system mentioned
>       above. Issue 15990[24] Issue 16181[25]
>
>     • Arithmetic calculations, like `ip.len * 8` or `tcp.srcport +
>       tcp.dstport`. Issue 7752[26]
>
>     • Slices, like `tcp.payload[4:4]`.
>       Issue 10154[27]
>
>     • The layer operator, like `ip.proto#1`, which will return the
>       protocol field in the first IPv4 layer if there is tunneling.
>       Issue 18588[28]
>
>     • Raw byte addressing, like `@ip`, which will return the bytes
>       of protocol or FT_NONE fields, among others. Issue 19076[29]
>
>     • Logical tests, like `tcp.port == 443`, which produce a check
>       mark if the test matches (similar to protocol and FT_NONE fields
>       without `@`.) This works with all logical operators, including
>       e.g. regular expression matching (`matches` or `~`.)
>
>     • Defined display filter macros.
>
>     • Any combination of the above also works.
>
>     • Multifield columns are still available. For backwards
>       compatibility, `X or Y` is interpreted as a multifield column as
>       before. To represent a logical test for the presence of multiple
>       fields instead of concatenating values, use parenthesis, e.g.
>       `(tcp.options.timestamp or tcp.options.nop)`.
>
>     • Field references are not implemented because there’s no sense
>       of a currently selected frame. "Resolved" column values (such as
>       host name resolution or value string lookup) are not supported
>       for any of the new expressions yet.
>
>   • Custom output fields for `tshark -e <field>` can also be defined
>     using any valid field expression as above.
>
>     • For custom output fields, `X or Y` is the usual logical test;
>       to output multiple fields use multiple `-e` terms as before.
>
>     • The various `-E` options, including `-E occurrence`, all work
>       as expected.
>
>   • When selecting "Manage Interfaces" from "Capture Options",
>     Wireshark only attempts to reconnect to rpcap hosts that were
>     active in the last session, instead of every remote host that the
>     current profile has ever connected to.
>     Issue 17484[30]
>
>   • The "Resolved Addresses" dialog only shows what addresses and
>     ports are present in the file (not including information from
>     static files), and selected rows or the entire table can be saved
>     or copied to the clipboard in several formats. Issue 16419[31]
>
>   • Dumpcap and Wireshark support the `-F` option when capturing a
>     file on the command line. Issue 18009[32]
>
>   • When capturing on the command line dumpcap accepts a `-Q` option
>     that is quieter than `-q` and prints only errors to standard
>     error, similar to tshark. Issue 14491[33]
>
>   • When capturing a file and requesting the `pcap` format,
>     nanosecond resolution time stamps will be written if the device
>     and version of libpcap supports it.
>
>   • When capturing using a file size autostop or ring buffer
>     condition, the maximum value is now 2 TB, up from 2GiB. Note that
>     you may have problems when the number of packets gets larger than
>     2^31 or 2^32, though that is also true when no limit is set.
>
>   • When capturing files in multiple file mode, a pattern that places
>     the date and time before the index number can be used (e.g.,
>     foo_20240714110102_00001.pcap instead of
>     foo_00001_20240714110102.pcap). This makes file names sortable in
>     chronological order across file sets from different captures. The
>     "File Set" dialog has been updated to handle the new pattern,
>     which has been capable of being produced by tshark since version
>     3.6.0.
>
>   • Adding interfaces at startup is about twice as fast, and has many
>     fewer UAC pop-ups when Npcap is installed with access restricted
>     to Administrators on Windows.
>
>   • The Lua version included with the Windows and macOS installers
>     has been updated to 5.4. While we have tried to help with
>     backward compatibility by including lua_bitop library with Lua
>     5.3 and 5.4 in addition to the native Lua support for bit
>     operations present in those versions, different versions of Lua
>     are not guaranteed to be compatible.
>     If a Lua dissector has
>     issues, check the manuals for Lua 5.4[34], Lua 5.3[35], and Lua
>     5.2[36] for incompatibilities and suggested workarounds. Note
>     that features marked as deprecated in one version are removed in
>     the subsequent version without additional notice, so it can be
>     worth checking the manual for previous versions.
>
>   • Lua scripts in the plugins directories are now initially loaded
>     via the same internal Lua methods as `require()`. This avoids
>     errors from loading plugins twice, once by scanning the directory
>     initially, and once by `require()`, and also results in globals
>     defined in plugins entering the global namespace. Previously
>     globals defined in plugins only entered the global namespace when
>     placed in the global plugins directory, but not the personal
>     plugins directory. Using globals in plugins remains deprecated
>     style (both by Wireshark and in Lua generally), that should be
>     avoided via using other methods. Issue 18589[37]
>
>   • Lua functions have been added to decompress and decode TvbRanges
>     with other compression types besides zlib, such as Brotli,
>     Snappy, Zstd, and others, matching the support in the C API.
>     tvbrange:uncompress() has been deprecated in favor of
>     tvbrange:uncompress_zlib().
>
>   • Lua Dumper now defaults to the pcapng file type, and to
>     per-packet encapsulation (creating interfaces on demand as
>     necessary) when writing pcapng Issue 16403[38]
>
>   • Editcap has an `--extract-secrets` option to extract embedded
>     decryption secrets from a capture file. Issue 18197[39]
>
>   • Global profiles can be used in tshark by using `--global-profile`
>     option.
>
>   • Capture files can be saved with LZ4 compression. LZ4 has an
>     emphasis on speed and may be particularly useful for large files.
>
>   • Fast random access is supported with LZ4 compressed files when
>     compressed with independent blocks, which is the default. This
>     provides much more responsive GUI performance when jumping to
>     different packets.
>     Fast random access has been supported with
>     gzip compressed files since version 1.8.0, but this is not
>     supported for Zstd compressed files.
>
>   • Mergecap, Editcap, TShark and Text2pcap have an `--compress`
>     option to compress output to different formats. For now, it
>     supports the gzip and LZ4 compression formats. When the option is
>     not given, the desired compression format can also be deduced
>     from the output filename extension, e.g. gzip for .gz.
>
>   • Wireshark’s Git repository tags are now signed using SSH. See the
>     Developer’s Guide[40] for more details.
>
> Removed Features and Support
>
>   • The tshark `-G` option with no argument is deprecated and will be
>     removed in a future version. Use `tshark -G fields` to produce
>     the same report.
>
> Removed Dissectors
>
> The Parlay dissector has been removed.
>
> New Protocol Support
>
> Allied Telesis Resiliency Link (AT RL), ATN Security Label, Bit Index
> Explicit Replication (BIER), Bus Mirroring Protocol, EGNOS Message
> Server (EMS) file format, Galileo E1-B I/NAV navigation messages, IBM
> i RDMA Endpoint (iRDMA-EDP), IWBEMSERVICES, MAC NR Framed
> (mac-nr-framed), Matter Bluetooth Transport Protocol (MatterBTP),
> MiWi P2P Star, Monero, NMEA 0183, PLDM, RDP authentication
> redirection virtual channel protocol (rdpear), RF4CE Network Layer
> (RF4CE), RF4CE Profile (RF4CE Profile), RK512, SAP Remote Function
> Call (SAPRFC), SBAS L1 Navigation Message, Scanner Access Now Easy
> (SANE), TREL, WMIO, and ZeroMQ Message Transport Protocol (ZMTP)
>
> Updated Protocol Support
>
> IPv6: The "show address detail" preference is now enabled by default.
> The address details provided have been extended to include more
> special purpose address block properties (forwardable,
> globally-routable, etc).
>
> Too many other protocol updates have been made to list them all here.
>
> New and Updated Capture File Support
>
> EGNOS Message Server (EMS) files
>
> New and Updated Capture Interfaces support
>
> u-blox GNSS receivers
>
> Major API Changes
>
>   • The entire code base has been updated to use C99 types instead of
>     GLib types. This includes changing occurrences `gboolean`, which
>     is an integer, to C99’s native `bool` type in many places. See
>     issue 19116[41] for more details.
>
>   • The `tvb_get_guintX` and `tvb_get_gintX` functions in the tvbuff
>     API have been renamed to `tvb_get_uintX` and `tvb_get_intX` (the
>     GLib-style "g" has been removed). You can still use the old-style
>     names, but they have been deprecated.
>
>   • Plugins should provide a `plugin_describe()` function that
>     returns an ORed list of flags consisting of the plugin types
>     used. See wsutil/plugins.h for details.
>
> Getting Wireshark
>
> Wireshark source code and installation packages are available from
> https://www.wireshark.org/download.html.
>
> Vendor-supplied Packages
>
> Most Linux and Unix vendors supply their own Wireshark packages. You
> can usually install or upgrade Wireshark using the package management
> system specific to that platform. A list of third-party packages can
> be found on the download page[42] on the Wireshark web site.
>
> File Locations
>
> Wireshark and TShark look in several different locations for
> preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
> locations vary from platform to platform. You can use "Help › About
> Wireshark › Folders" or `tshark -G folders` to find the default
> locations on your system.
>
> Getting Help
>
> The User’s Guide, manual pages and various other documentation can be
> found at https://www.wireshark.org/docs/
>
> Community support is available on Wireshark’s Q&A site[43] and on the
> wireshark-users mailing list. Subscription information and archives
> for all of Wireshark’s mailing lists can be found on the mailing list
> site[44].
>
> Bugs and feature requests can be reported on the issue tracker[45].
>
> You can learn protocol analysis and meet Wireshark’s developers at
> SharkFest[46].
>
> How You Can Help
>
> The Wireshark Foundation helps as many people as possible understand
> their networks as much as possible. You can find out more and donate
> at wiresharkfoundation.org[47].
>
> Frequently Asked Questions
>
> A complete FAQ is available on the Wireshark web site[48].
>
> References
>
>   1. https://wiresharkfoundation.org
>   2. https://gitlab.com/wireshark/wireshark/-/issues/11362
>   3. https://gitlab.com/wireshark/wireshark/-/issues/13682
>   4. https://gitlab.com/wireshark/wireshark/-/issues/8460
>   5. https://gitlab.com/wireshark/wireshark/-/issues/15822
>   6. https://gitlab.com/wireshark/wireshark/-/issues/18450
>   7. https://gitlab.com/wireshark/wireshark/-/issues/12827
>   8. https://gitlab.com/wireshark/wireshark/-/issues/17422
>   9. https://gitlab.com/wireshark/wireshark/-/issues/12909
>  10. https://gitlab.com/wireshark/wireshark/-/issues/13717
>  11. https://gitlab.com/wireshark/wireshark/-/issues/13855
>  12. https://gitlab.com/wireshark/wireshark/-/issues/13854
>  13. https://gitlab.com/wireshark/wireshark/-/issues/18102
>  14. https://gitlab.com/wireshark/wireshark/-/issues/13504
>  15. https://gitlab.com/wireshark/wireshark/-/issues/12038
>  16. https://gitlab.com/wireshark/wireshark/-/issues/4972
>  17. https://gitlab.com/wireshark/wireshark/-/issues/12932
>  18. https://gitlab.com/wireshark/wireshark/-/issues/12931
>  19. https://gitlab.com/wireshark/wireshark/-/issues/19818
>  20. https://gitlab.com/wireshark/wireshark/-/issues/2988
>  21. https://www.wireshark.org/docs/man-pages/wireshark-filter.html
>  22. https://www.wireshark.org/docs/man-pages/wireshark-filter.html
>  23. https://gitlab.com/wireshark/wireshark/-/issues/17973
>  24. https://gitlab.com/wireshark/wireshark/-/issues/15990
>  25. https://gitlab.com/wireshark/wireshark/-/issues/16181
>  26. https://gitlab.com/wireshark/wireshark/-/issues/7752
>  27. https://gitlab.com/wireshark/wireshark/-/issues/10154
>  28. https://gitlab.com/wireshark/wireshark/-/issues/18588
>  29. https://gitlab.com/wireshark/wireshark/-/issues/19076
>  30. https://gitlab.com/wireshark/wireshark/-/issues/17484
>  31. https://gitlab.com/wireshark/wireshark/-/issues/16419
>  32. https://gitlab.com/wireshark/wireshark/-/issues/18009
>  33. https://gitlab.com/wireshark/wireshark/-/issues/14491
>  34. https://www.lua.org/manual/5.4/manual.html#8
>  35. https://www.lua.org/manual/5.3/manual.html#8
>  36. https://www.lua.org/manual/5.2/manual.html#8
>  37. https://gitlab.com/wireshark/wireshark/-/issues/18589
>  38. https://gitlab.com/wireshark/wireshark/-/issues/16403
>  39. https://gitlab.com/wireshark/wireshark/-/issues/18197
>  40. https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcGitRepository.html#ChSrcWebInterface
>  41. https://gitlab.com/wireshark/wireshark/-/issues/19116
>  42. https://www.wireshark.org/download.html
>  43. https://ask.wireshark.org/
>  44. https://lists.wireshark.org/lists/
>  45. https://gitlab.com/wireshark/wireshark/-/issues
>  46. https://sharkfest.wireshark.org
>  47. https://wiresharkfoundation.org
>  48. https://www.wireshark.org/faq.html
>
> Digests
>
> wireshark-4.4.0.tar.xz: 46786568 bytes
> Wireshark-4.4.0-x64.exe: 87262448 bytes
> Wireshark-4.4.0-arm64.exe: 68671040 bytes
> Wireshark-4.4.0-x64.msi: 63766528 bytes
> WiresharkPortable64_4.4.0.paf.exe: 73410312 bytes
> Wireshark 4.4.0 Arm 64.dmg: 65304242 bytes
> Wireshark 4.4.0 Intel 64.dmg: 68727761 bytes
>
> You can validate these hashes using the following commands (among others):
>
> Windows: certutil -hashfile Wireshark-win64-x.y.z.exe SHA256
> Linux (GNU Coreutils): sha256sum wireshark-x.y.z.tar.xz
> macOS: shasum -a 256 "Wireshark x.y.z Arm 64.dmg"
> Other: openssl sha256 wireshark-x.y.z.tar.xz
> _______________________________________________
> Wireshark-dev mailing list -- wireshark-dev@wireshark.org
> To unsubscribe send an email to wireshark-dev-le...@wireshark.org
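Added example, not part of the original message or of Wireshark's own tooling: a Python checker for the validation step the quoted announcement ends with, comparing a download against its published size and SHA-256. It assumes size lines of the form `<file>: <N> bytes` and digest lines of the form `SHA256(<file>)=<hex>`, possibly `>`-quoted and wrapped by a mail client; the file name, payload and digest in `demo()` are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# "SHA256(<file name>)=<64 hex digits>"; file names may contain spaces.
HASH_RE = re.compile(r"SHA256\(([^)]+)\)\s*=\s*([0-9a-fA-F]{64})(?![0-9a-fA-F])")
# "<file name>: <size> bytes" on a line of its own.
SIZE_RE = re.compile(r"^(.+?):\s*(\d+) bytes$")


def _unquote(text):
    """Strip leading '>' reply markers and surrounding blanks from each line."""
    return [re.sub(r"^\s*(?:>\s?)+", "", ln).strip() for ln in text.splitlines()]


def parse_manifest(text):
    """Return {file name: {"sha256": hex, "size": int}} from announcement text."""
    lines = _unquote(text)
    manifest = {}
    # Re-join wrapped lines so a name split across two quoted lines still matches.
    for name, digest in HASH_RE.findall(" ".join(lines)):
        name = " ".join(name.split())
        entry = manifest.setdefault(name, {})
        if entry.get("sha256", digest.lower()) != digest.lower():
            raise ValueError(f"conflicting SHA256 entries for {name!r}")
        entry["sha256"] = digest.lower()
    for ln in lines:
        m = SIZE_RE.match(ln)
        if m and m.group(1) in manifest:
            manifest[m.group(1)]["size"] = int(m.group(2))
    return manifest


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, manifest):
    """Return (ok, reason) for one downloaded file checked against the manifest."""
    path = Path(path)
    entry = manifest.get(path.name)
    if entry is None:
        return False, "not listed in announcement"
    if "size" in entry and path.stat().st_size != entry["size"]:
        return False, "size mismatch"  # cheap check before hashing
    if sha256_file(path) != entry["sha256"]:
        return False, "SHA256 mismatch"
    return True, "ok"


def demo():
    """Constructed data: a small stand-in file and a reply-quoted digest block."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "Example 1.0 Arm 64.dmg"  # hypothetical file name
        sample.write_bytes(b"constructed sample payload\n")
        digest = hashlib.sha256(sample.read_bytes()).hexdigest()
        announcement = (
            f"> Example 1.0 Arm 64.dmg: {sample.stat().st_size} bytes\n"
            f"> SHA256(Example 1.0 Arm\n"
            f"> 64.dmg)={digest}\n"
            f"> SHA1(Example 1.0 Arm 64.dmg)={'0' * 40}\n"
        )
        manifest = parse_manifest(announcement)
        intact = verify(sample, manifest)
        # Same length, one byte changed: the size check passes, the hash does not.
        sample.write_bytes(b"constructed sample payloae\n")
        tampered = verify(sample, manifest)
        return intact, tampered


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the channel the digest list arrived over, so take the list from a source you can authenticate rather than from the same place as the download.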