Wireshark 4.6.1 Release Notes

Wireshark is the world’s most popular network protocol analyzer. It is used for troubleshooting, analysis, development and education.

Wireshark is hosted by the Wireshark Foundation, a nonprofit which promotes protocol analysis education. Wireshark and the foundation depend on your contributions in order to do their work. If you or your organization would like to contribute or become a sponsor, please visit wiresharkfoundation.org.

If you use Wireshark professionally or you just want to learn more about protocol analysis, you should join us at SharkFest, the Wireshark developer and user conference.

You can also become a Wireshark Certified Analyst! Official Wireshark training and certification are available from the Wireshark Foundation.

Wireshark 4.6.0 included the following changes. See the release notes for details:

Wireshark can dissect process information, packet metadata, flow IDs, drop information, and other information provided by tcpdump on macOS.

We now ship universal macOS installers instead of separate packages for Arm64 and Intel. Issue 17294

WinPcap is no longer supported. On Windows, use Npcap instead, uninstalling WinPcap if necessary. The final release of WinPcap was version 4.1.3 in 2013. It only supports up to Windows 8, which is no longer supported by Microsoft or Wireshark.

A new “Plots” dialog has been added, which provides scatter plots in contrast to the “I/O Graphs” dialog, which provides histograms. The Plots dialog window supports multiple plots, markers, and automatic scrolling.

Live captures can be compressed while writing. (Previously there was support for compressing when performing multiple file capture, at file rotation time.) The --compress option in TShark works on live captures as well. Issue 9311

Wireshark can now decrypt NTP packets using NTS (Network Time Security). To decrypt packets, the NTS-KE (Network Time Security Key Establishment Protocol) packets need to be present, alongside the TLS client and exporter secrets.

Wireshark’s ability to decrypt MACsec packets has been expanded to either use the SAK unwrapped by the MKA dissector, or the PSK configured in the MACsec dissector.

The TCP Stream Graph axes now use units with SI prefixes. Issue 20197

Display filter functions float and double are added to allow explicitly converting field types like integers and times to single and double precision floats.

A Edit › Copy › as HTML menu item has been added, along with associated context menu items and a keyboard shortcut.

The Conversations and Endpoints dialogs have an option to display byte counts and bit rates in exact counts instead of human-readable numbers with SI units.

The color scheme can be set to Light or Dark mode independently of the current OS default on Windows and macOS, if Wireshark is built with Qt 6.8 or later as the official installers are. Issue 19328

Wireshark source code and installation packages are available from https://www.wireshark.org/download.html.

Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use Help › About Wireshark › Folders or tshark -G folders to find the default locations on your system.

The User’s Guide, manual pages and various other documentation can be found at https://www.wireshark.org/docs/

Community support is available on Wireshark’s Q&A site and on the wireshark-users mailing list. Subscription information and archives for all of Wireshark’s mailing lists can be found on the mailing list site.

Bugs and feature requests can be reported on the issue tracker.

You can learn protocol analysis and meet Wireshark’s developers at SharkFest.

The Wireshark Foundation helps as many people as possible understand their networks as much as possible. You can find out more and donate at wiresharkfoundation.org.

A complete FAQ is available on the Wireshark web site.