Wireshark · Wireshark-announce: [Wireshark-announce] Wireshark 3.6.0 is now available

[Wireshark announcements <wireshark-announce@xxxxxxxxxxxxx>]

I'm proud to announce the release of Wireshark 3.6.0.


 What is Wireshark?

  Wireshark is the world’s most popular network protocol analyzer. It is
  used for troubleshooting, analysis, development and education.

 What’s New

  Many improvements have been made. See the “New and Updated Features”
  section below for more details. You might want to pay particular
  attention to the display filter syntax updates.

  New and Updated Features

   The following features are new (or have been significantly updated)
   since version 3.6.0rc3:

     • The macOS Intel packages now ship with Qt 5.15.3 and require
       macOS 10.13 or later.

   The following features are new (or have been significantly updated)
   since version 3.6.0rc2:

     • Display filter set elements must now be comma-separated. See
       below for more details.

   The following features are new (or have been significantly updated)
   since version 3.6.0rc1:

     • The display filter expression “a != b” now has the same meaning
       as “!(a == b)”.

   The following features are new (or have been significantly updated)
   since version 3.5.0:

     • Nothing of note.

   The following features are new (or have been significantly updated)
   since version 3.4.0:

     • Several changes have been made to the display filter syntax:

        • The expression “a != b” now always has the same meaning as
       “!(a == b)”. In particular this means filter expressions with
       multi-value fields like “ip.addr != 1.1.1.1” will work as
       expected (the result is the same as typing “ip.src != 1.1.1.1 and
       ip.dst != 1.1.1.1”). This avoids the contradiction (a == b and a
       != b) being true.

        • It is possible to use the syntax “a ~= b” or “a any_ne b” to
       recover the previous (inconsistent with "==") logic for not
       equal.

        • Literal strings can now be specified using raw string syntax,
       identical to raw strings in the Python programming language. This
       can be used to avoid the complexity of using two levels of
       character escapes with regular expressions.

        • Set elements must now be separated using a comma. A filter
       such as http.request.method in {"GET" "HEAD"} must be written as
       …​ in {"GET", "HEAD"}. Whitespace is not significant. The
       previous use of whitespace as separator is deprecated and will be
       removed in a future version.

        • Support for the syntax "a not in b" with the same meaning as
       "not a in b" has been added.

     • Packaging updates:

        • A macOS Arm 64 (Apple Silicon) package is now available.

        • The macOS Intel packages now ship with Qt 5.15.3 and require
       macOS 10.13 or later.

        • The Windows installers now ship with Npcap 1.55.

        • A 64-bit Windows PortableApps package is now available.

     • TCP conversations now support a completeness criteria, which
       facilitates the identification of TCP streams having any of
       opening or closing handshakes, a payload, in any combination. It
       can be accessed with the new tcp.completeness filter.

     • Protobuf fields that are not serialized on the wire or otherwise
       missing in capture files can now be displayed with default values
       by setting the new “add_default_value” preference. The default
       values might be explicitly declared in “proto2” files, or false
       for bools, first value for enums, zero for numeric types.

     • Wireshark now supports reading Event Tracing for Windows (ETW). A
       new extcap named ETW reader is created that now can open an etl
       file, convert all events in the file to DLT_ETW packets and write
       to a specified FIFO destination. Also, a new packet_etw dissector
       is created to dissect DLT_ETW packets so Wireshark can display
       the DLT_ETW packet header, its message and packet_etw dissector
       calls packet_mbim sub_dissector if its provider matches the MBIM
       provider GUID.

     • “Follow DCCP stream” feature to filter for and extract the
       contents of DCCP streams.

     • Wireshark now supports dissecting RTP packets with OPUS payloads.

     • Importing captures from text files based on regular expressions
       is now possible. By specifying a regex capturing a single packet
       including capturing groups for relevant fields a textfile can be
       converted to a libpcap capture file. Supported data encodings are
       plain-hexadecimal, -octal, -binary and base64. Also the timestamp
       format now allows the second-fractions to be placed anywhere in
       the timestamp and it will be stored with nanosecond instead of
       microsecond precision.

     • The RTP Player has been significatnly redesigned and improved.
       See Playing VoIP Calls[1] and RTP Player Window[2] in the User’s
       Guide for more details.

        • The RTP Player can play many streams in row.

        • The UI is more responsive.

        • The RTP Player maintains playlist and other tools can add and
       remove streams to and from it.

        • Every stream can be muted or routed to the left or right
       channel for replay.

        • The option to save audio has been moved from the RTP Analysis
       dialog to the RTP Player. The RTP Player also saves what was
       played, and it can save in multichannel .au or .wav.

        • The RTP Player is now accessible from the Telephony › RTP ›
       RTP Player menu.

     • The VoIP dialogs (VoIP Calls, RTP Streams, RTP Analysis, RTP
       Player, SIP Flows) are non-modal and can stay opened on
       background.

        • The same tools are provided across all dialogs (Prepare
       Filter, Analyse, RTP Player …​)

     • The “Follow Stream” dialog is now able to follow SIP calls based
       on their Call-ID value.

     • The “Follow Stream” dialog’s YAML output format has been updated
       to add timestamps and peers information For more details see
       Following Protocol Streams[3] in the User’s Guide.

     • IP fragments between public IPv4 addresses are now reassembled
       even if they have different VLAN IDs. Reassembly of IP fragments
       where one endpoint is a private (RFC 1918 section 3) or
       link-local (RFC 3927) IPv4 address continues to take the VLAN ID
       into account, as those addresses can be reused. To revert to the
       previous behavior and not reassemble fragments with different
       VLAN IDs, turn on the “Enable stricter conversation tracking
       heuristics” top level protocol preference.

     • USB Link Layer reassembly has been added, which allows hardware
       captures to be analyzed at the same level as software captures.

     • TShark can now export TLS session keys with the
       --export-tls-session-keys option.

     • Wireshark participated in the Google Season of Docs 2020 and the
       User’s Guide has been extensively updated.

     • The “RTP Stream Analysis” dialog CSV export format was slightly
       changed. The first line of the export contains column titles as
       in other CSV exports.

     • Wireshark now supports the Turkish language.

     • The settings in the “Import from Hex Dump” dialog is now stored
       in a profile import_hexdump.json file.

     • Analyze › Reload Lua Plugins has been improved to properly
       support FileHandler.

     • The “RTP Stream Analysis” and “IAX2 Stream Analysis” dialogs now
       show correct calculation mean jitter calculations.

     • RTP streams are now created based on Skinny protocol messages in
       addition to other types of messages.

     • The “VoIP Calls Flow Sequence” window shows more information
       about various Skinny messages.

     • Initial support for building Wireshark on Windows using GCC and
       MinGW-w64 has been added. See README.msys2 in the sources for
       more information.

  New File Format Decoding Support

   Vector Informatik Binary Log File (BLF)

  New Protocol Support

   5G Lawful Interception (5GLI), Bluetooth Link Manager Protocol (BT
   LMP), Bundle Protocol version 7 (BPv7), Bundle Protocol version 7
   Security (BPSec), CBOR Object Signing and Encryption (COSE), E2
   Application Protocol (E2AP), Event Tracing for Windows (ETW), EXtreme
   extra Eth Header (EXEH), High-Performance Connectivity Tracer
   (HiPerConTracer), ISO 10681, Kerberos SPAKE, Linux psample protocol,
   Local Interconnect Network (LIN), Microsoft Task Scheduler Service,
   O-RAN E2AP, O-RAN fronthaul UC-plane (O-RAN), Opus Interactive Audio
   Codec (OPUS), PDU Transport Protocol, R09.x (R09), RDP Dynamic
   Channel Protocol (DRDYNVC), RDP Graphic pipeline channel Protocol
   (EGFX), RDP Multi-transport (RDPMT), Real-Time Publish-Subscribe
   Virtual Transport (RTPS-VT), Real-Time Publish-Subscribe Wire
   Protocol (processed) (RTPS-PROC), Shared Memory Communications (SMC),
   Signal PDU, SparkplugB, State Synchronization Protocol (SSyncP),
   Tagged Image File Format (TIFF), TP-Link Smart Home Protocol, UAVCAN
   DSDL, UAVCAN/CAN, UDP Remote Desktop Protocol (RDPUDP), Van Jacobson
   PPP compression (VJC), World of Warcraft World (WOWW), and X2 xIRI
   payload (xIRI)

  Updated Protocol Support

   Too many protocols have been updated to list here.

  New and Updated Capture File Support

   Vector Informatik Binary Log File (BLF)

 Getting Wireshark

  Wireshark source code and installation packages are available from
  https://www.wireshark.org/download.html.

  Vendor-supplied Packages

   Most Linux and Unix vendors supply their own Wireshark packages. You
   can usually install or upgrade Wireshark using the package management
   system specific to that platform. A list of third-party packages can
   be found on the download page[4] on the Wireshark web site.

 File Locations

  Wireshark and TShark look in several different locations for
  preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
  locations vary from platform to platform. You can use Help › About
  Wireshark › Folders or tshark -G folders to find the default locations
  on your system.

 Getting Help

  The User’s Guide, manual pages and various other documentation can be
  found at https://www.wireshark.org/docs/

  Community support is available on Wireshark’s Q&A site[5] and on the
  wireshark-users mailing list. Subscription information and archives
  for all of Wireshark’s mailing lists can be found on the web site[6].

  Bugs and feature requests can be reported on the issue tracker[7].

 Frequently Asked Questions

  A complete FAQ is available on the Wireshark web site[8].

  Last updated 2021-11-22 18:33:14 UTC

 References

   1. https://www.wireshark.org/docs/wsug_html_chunked/ChTelPlayingCalls
  .html
   2. https://www.wireshark.org/docs/wsug_html_chunked/_rtp.html#ChTelRt
  pPlayer
   3. https://www.wireshark.org/docs/wsug_html_chunked/ChAdvFollowStream
  Section.html
   4. https://www.wireshark.org/download.html
   5. https://ask.wireshark.org/
   6. https://www.wireshark.org/lists/
   7. https://gitlab.com/wireshark/wireshark/-/issues
   8. https://www.wireshark.org/faq.html


Digests

wireshark-3.6.0.tar.xz: 39687684 bytes
SHA256(wireshark-3.6.0.tar.xz)=9cc8f7fc5bb1d66fbdfdf95cde6e1c98633c303f9af9b33ae9f1fcf022fedf06
RIPEMD160(wireshark-3.6.0.tar.xz)=1ecec1acd1c10be69654afac3f4f2d0acaf42a3c
SHA1(wireshark-3.6.0.tar.xz)=98248f0e6c19408fbb796398f998cf90d7ed9ca6

Wireshark-win64-3.6.0.exe: 77270896 bytes
SHA256(Wireshark-win64-3.6.0.exe)=8ffa9f2c7943d1e8ed8020d7d08c8015ec649c3e3af901808a9ec858564cd255
RIPEMD160(Wireshark-win64-3.6.0.exe)=b9f85e1a331c04feb43548e7b69279a9c69dedb3
SHA1(Wireshark-win64-3.6.0.exe)=a847cd6fcc0764429601e7ab7967936d83f1a9f8

Wireshark-win32-3.6.0.exe: 61175712 bytes
SHA256(Wireshark-win32-3.6.0.exe)=798462bc710d4560e24ed408f2861efe22e9e4ea87d16271b192d7524239fd23
RIPEMD160(Wireshark-win32-3.6.0.exe)=3551defbcdb4c7a61d5ae37756c16d9f5299b071
SHA1(Wireshark-win32-3.6.0.exe)=a4b5097cec28938a9077c55f0ef30158c363d06c

Wireshark-win32-3.6.0.msi: 45277184 bytes
SHA256(Wireshark-win32-3.6.0.msi)=69e28782a4e8b901a6450215f9306b1c1b4aa818778a42af4f7820c267d57b85
RIPEMD160(Wireshark-win32-3.6.0.msi)=ce80145ba7ccebc46fde241184a57c3b4c988d07
SHA1(Wireshark-win32-3.6.0.msi)=6538c4a10effe314103d50b14d11e6d8728ed8dd

Wireshark-win64-3.6.0.msi: 50749440 bytes
SHA256(Wireshark-win64-3.6.0.msi)=d4f9fe9e907f91e272e48e4497f8ce18717bac65f8890bbfb925172617169758
RIPEMD160(Wireshark-win64-3.6.0.msi)=3b75bada21b4a116fa4e08681b440829135e99c2
SHA1(Wireshark-win64-3.6.0.msi)=eb369134cc7cdd7a9c205d71dc8852749c5a151d

WiresharkPortable32_3.6.0.paf.exe: 39317904 bytes
SHA256(WiresharkPortable32_3.6.0.paf.exe)=0dbeaa8d882dc50a839c5c33cea2cffce1f606d5ff38999d5186d1e89ac0ee0e
RIPEMD160(WiresharkPortable32_3.6.0.paf.exe)=f4686440dbdccb5372071b90c6adf990fd47353a
SHA1(WiresharkPortable32_3.6.0.paf.exe)=2451a05080f61c0d59221cb8431fa5bdf436ace1

WiresharkPortable64_3.6.0.paf.exe: 44098272 bytes
SHA256(WiresharkPortable64_3.6.0.paf.exe)=1b54a694ec2714a8744c19afa7bf15531ea6e0e9a71f91fc2d4ea42bccb8f392
RIPEMD160(WiresharkPortable64_3.6.0.paf.exe)=7840e70b98600c786efbb16845db9879202c394b
SHA1(WiresharkPortable64_3.6.0.paf.exe)=c2ce950aa36143cfe39043bce8cc112ed482a22f

Wireshark 3.6.0 Arm 64.dmg: 140005503 bytes
SHA256(Wireshark 3.6.0 Arm 64.dmg)=9893a985693c01b29b532745ca0f999590b119a3e8e9820a403291ffce11fd97
RIPEMD160(Wireshark 3.6.0 Arm 64.dmg)=5b21989294768b79cf312061ba1dd21884aed5e7
SHA1(Wireshark 3.6.0 Arm 64.dmg)=bf2ff02c32fb4b53688d8dcd8f081031cc631527

Wireshark 3.6.0 Intel 64.dmg: 138589061 bytes
SHA256(Wireshark 3.6.0 Intel 64.dmg)=c571417d3318074fbe73814a0180e84262e10b58cadb2e80c9fc05cf97e99645
RIPEMD160(Wireshark 3.6.0 Intel 64.dmg)=73a102fa432c9857cd20d280d2ac751cf2a81285
SHA1(Wireshark 3.6.0 Intel 64.dmg)=aeca14c89ede6fe358553d4889ed5888a6c6a200

You can validate these hashes using the following commands (among others):

    Windows: certutil -hashfile Wireshark-win64-x.y.z.exe SHA256
    Linux (GNU Coreutils): sha256sum wireshark-x.y.z.tar.xz
    macOS: shasum -a 256 "Wireshark x.y.z Arm 64.dmg"
    Other: openssl sha256 wireshark-x.y.z.tar.xz

Attachment: OpenPGP_signature
Description: OpenPGP digital signature