ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online

Wireshark-announce: [Wireshark-announce] Wireshark 3.7.0 is now available

Date Prev · Date Next · Thread Prev · Thread Next
From: Wireshark announcements <wireshark-announce@xxxxxxxxxxxxx>
Date: Wed, 11 May 2022 13:09:05 -0700
I'm proud to announce the release of Wireshark 3.7.0.

 This is an experimental release intended to test new features for
 Wireshark 4.0.

 What is Wireshark?

  Wireshark is the world’s most popular network protocol analyzer. It is
  used for troubleshooting, analysis, development and education.

 What’s New

 Note: We do not ship official 32-bit Windows packages for this branch.
 If you need to use Wireshark on that platform, please install the
 latest 3.6 release. Issue 17779[1]

    • The PCRE2 library ( is now a required
      dependency to build Wireshark.

    • You must now have a compiler with C11 support in order to build

  Many improvements have been made. See the “New and Updated Features”
  section below for more details.

  New and Updated Features

   The following features are new (or have been significantly updated)
   since version 3.6.0:

     • The Windows installers now ship with Npcap 1.60. They previously
       shipped with Npcap 1.55.

     • The display filter syntax has been updated and enhanced:

        • A syntax to match a specific layer in the protocol stack has
       been added. For example “ip.addr#2 ==” matches only the
       inner layer in an IP-over-IP packet.

        • Set elements must be separated using a comma, e.g: {1, 2,
       "foo"}. Using only whitespace as a separator was deprecated in
       3.6 and is now a syntax error.

        • Support for some additional character escape sequences in
       double quoted strings has been added. Along with octal
       (\<number>) and hex (\x<number>) encoding, the following C escape
       sequences are now supported with the same meaning: \a, \b, \f,
       \n, \r, \t, \v. Previously they were only supported with
       character constants.

        • Unrecognized escape sequences are now treated as a syntax
       error. Previously they were treated as a literal character. In
       addition to the sequences indicated above, backslash, single
       quotation and double quotation mark are also valid sequences: \\,
       \', \".

        • The display filter engine now uses PCRE2 instead of GRegex
       (GLib’s bindings to the older and end-of-life PCRE library).
       PCRE2 is compatible with PCRE so any user-visible changes should
       be minimal. Some exotic patterns may now be invalid and require

        • A new strict equality operator "===" or "all_eq" has been
       added. The expression "a === b" is true if and only if all a’s
       are equal to b. The negation of "===" can now be written as "!=="

        • The aliases "any_eq" for "==" and "all_ne" for "!=" have been

        • The operator "~=" is deprecated and will be removed in a
       future version. Use "!==", which has the same meaning instead.

        • Dates and times can be given in UTC using ISO 8601 (with 'Z'
       timezone) or by appending the suffix "UTC" to the legacy formats.
       Otherwise local time is used.

        • Integer literal constants may be written in binary (in
       addition to decimal/octal/hexadecimal) using the prefix "0b" or

        • A new syntax to disambiguate literals from identifiers has
       been added. Every value with a leading dot is a protocol or
       protocol field. Every value with a leading colon or in between
       angle brackets is a literal value. See the User’s Guide[2] for

        • Floats must be written with a leading and ending digit. For
       example the values ".7" and "7." are now invalid as floats. They
       must be written "0.7" and "7.0" respectively.

        • The "bitwise and" operator is now a first-class bit operator,
       not a boolean operator. In particular this means it is now
       possible to mask bits, e.g.: frame[0] & 0x0F == 3.

        • Arithmetic is supported for numeric fields with the usual
       operators “+”, “-”, “*”, “/”, and “%”. Arithmetic expressions
       must be grouped using curly brackets (not parenthesis).

        • Logical AND now has higher precedence than logical OR, in line
       with most programming languages.

        • New display filter functions max(), min() and abs() have been

        • Functions can accept expressions as arguments, including other
       functions. Previously only protocol fields and slices were
       syntactically valid function arguments.

     • The `text2pcap` command and the “Import from Hex Dump” feature
       have been updated and enhanced:

        • `text2pcap` supports writing the output file in all the
       capture file formats that wiretap library supports, using the
       same `-F` option as `editcap`, `mergecap`, and `tshark`.

        • `text2pcap` supports selecting the encapsulation type of the
       output file format using the wiretap library short names with an
       `-E` option, similiar to the `-T` option of `editcap`.

        • `text2pcap` has been updated to use the new logging output
       options and the `-d` flag has been removed. The "debug" log level
       corresponds to the old `-d` flag, and the "noisy" log level
       corresponds to using `-d` multiple times.

        • `text2pcap` and “Import from Hex Dump” support writing fake
       IP, TCP, UDP, and SCTP headers to files with Raw IP, Raw IPv4,
       and Raw IPv6 encapsulations, in addition to Ethernet
       encapsulation available in previous versions.

        • `text2pcap` supports scanning the input file using a custom
       regular expression, as supported in “Import from Hex Dump” in
       Wireshark 3.6.x.

        • In general, `text2pcap` and wireshark’s “Import from Hex Dump”
       have feature parity.

     • The HTTP2 dissector now supports using fake headers to parse the
       DATAs of streams captured without first HEADERS frames of a
       long-lived stream (such as a gRPC streaming call which allows
       sending many request or response messages in one HTTP2 stream).
       Users can specify fake headers using an existing stream’s server
       port, stream id and direction.

     • The IEEE 802.11 dissector supports Mesh Connex (MCX).

     • The “Capture Options” dialog contains the same configuration icon
       as Welcome Screen. It is now possible to configure interfaces

     • The “Extcap” dialog remembers password items during runtime,
       which makes it possible to run extcaps multiple times in row.
       Passwords are never stored on disk.

     • It is possible to set extcap passwords in `tshark` and other CLI

     • The extcap configuration dialog now supports and remembers empty
       strings. There are new buttons to reset values back to their

     • Support to display JSON mapping for Protobuf message has been

     • macOS debugging symbols are now shipped in separate packages,
       similar to Windows packages.

     • In the ZigBee ZCL Messaging dissector the
       zbee_zcl_se.msg.msg_ctrl.depreciated field has been renamed to

     • The interface list on the welcome page sorts active interfaces
       first and only displays sparklines for active interfaces.
       Additionally, the interfaces can now be hidden and shown via the
       context menu in the interface list

     • The Event Tracing for Windows (ETW) file reader now supports
       display IP packets from an event trace logfile or an event trace
       live session.

  Removed Features and Support

     • The CMake options starting with DISABLE_something were renamed
       ENABLE_something for consistency. For example DISABLE_WERROR=On
       became ENABLE_WERROR=Off. The default values are unchanged.

  New Protocol Support

   Allied Telesis Loop Detection (AT LDF), AUTOSAR I-PDU Multiplexer
   (AUTOSAR I-PduM), DTN Bundle Protocol Security (BPSec), DTN Bundle
   Protocol Version 7 (BPv7), DTN TCP Convergence Layer Protocol
   (TCPCL), DVB Selection Information Table (DVB SIT), Enhanced Cash
   Trading Interface 10.0 (XTI), Enhanced Order Book Interface 10.0
   (EOBI), Enhanced Trading Interface 10.0 (ETI), FiveCo’s Legacy
   Register Access Protocol (5co-legacy), Generic Data Transfer Protocol
   (GDT), gRPC Web (gRPC-Web), Host IP Configuration Protocol (HICP),
   Mesh Connex (MCX), Microsoft Cluster Remote Control Protocol (RCP),
   Realtek, REdis Serialization Protocol v2 (RESP), Secure File Transfer
   Protocol (sftp), Secure Host IP Configuration Protocol (SHICP), USB
   Attached SCSI (UASP), and ZBOSS NCP

  Updated Protocol Support

   Too many protocols have been updated to list here.

  New and Updated Capture File Support

  Major API Changes

     • proto.h: The field display types "STR_ASCII" and "STR_UNICODE"
       have been removed. Use "BASE_NONE" instead.

 Getting Wireshark

  Wireshark source code and installation packages are available from

  Vendor-supplied Packages

   Most Linux and Unix vendors supply their own Wireshark packages. You
   can usually install or upgrade Wireshark using the package management
   system specific to that platform. A list of third-party packages can
   be found on the download page[3] on the Wireshark web site.

 File Locations

  Wireshark and TShark look in several different locations for
  preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
  locations vary from platform to platform. You can use "Help › About
  Wireshark › Folders" or `tshark -G folders` to find the default
  locations on your system.

 Getting Help

  The User’s Guide, manual pages and various other documentation can be
  found at

  Community support is available on Wireshark’s Q&A site[4] and on the
  wireshark-users mailing list. Subscription information and archives
  for all of Wireshark’s mailing lists can be found on the web site[5].

  Bugs and feature requests can be reported on the issue tracker[6].

 Frequently Asked Questions

  A complete FAQ is available on the Wireshark web site[7].

  Last updated 2022-05-11 17:24:58 UTC




wireshark-3.7.0.tar.xz: 40156004 bytes

Wireshark-win64-3.7.0.exe: 76230472 bytes

Wireshark-win64-3.7.0.msi: 49811456 bytes

WiresharkPortable64_3.7.0.paf.exe: 43360960 bytes

Wireshark 3.7.0 Arm 64.dmg: 57549330 bytes
SHA256(Wireshark 3.7.0 Arm 64.dmg)=5db0522a621f71776490ad5ba98af944d2968c5fc4174ac206c2191f4547a565
RIPEMD160(Wireshark 3.7.0 Arm 64.dmg)=d935e8afb5dad1ee36d9783839d4f49b6b84dc97
SHA1(Wireshark 3.7.0 Arm 64.dmg)=4e4a0f09e4974ed2856083bc73daf2f8243c63e5

Wireshark dSYM 3.7.0 Arm 64.dmg: 83237621 bytes
SHA256(Wireshark dSYM 3.7.0 Arm 64.dmg)=24b522fd7d4a1b8ecfb4ea65d11ce6a4fc5b9d3e3d1d414588aeda6e87e5be1f
RIPEMD160(Wireshark dSYM 3.7.0 Arm 64.dmg)=0c2a8564157600cacfb480a58f5a7af49549e95b
SHA1(Wireshark dSYM 3.7.0 Arm 64.dmg)=85dc50f6c3b46f023c3210744552a0ac20de7bac

Wireshark dSYM 3.7.0 Intel 64.dmg: 81594605 bytes
SHA256(Wireshark dSYM 3.7.0 Intel 64.dmg)=e7a44799c2f59da3f09006ec30dc6d82d24ed2996b124448580a893258e3408b
RIPEMD160(Wireshark dSYM 3.7.0 Intel 64.dmg)=2dbe2a07fbb19282baff52361bab3298e1afc119
SHA1(Wireshark dSYM 3.7.0 Intel 64.dmg)=6436a51a45d49d318cb38d09b4af517f5e4371ea

Wireshark 3.7.0 Intel 64.dmg: 60314217 bytes
SHA256(Wireshark 3.7.0 Intel 64.dmg)=09b1ba577b6e960ceeebeb8a93a2458d452eb613522e3912f9b4a73d16f92a86
RIPEMD160(Wireshark 3.7.0 Intel 64.dmg)=fa8c2d4e15e0210bb369485cedc8696c9ea94642
SHA1(Wireshark 3.7.0 Intel 64.dmg)=f3ea6245f60e6c1f404f7b032d99209081007cc2

You can validate these hashes using the following commands (among others):

    Windows: certutil -hashfile Wireshark-win64-x.y.z.exe SHA256
    Linux (GNU Coreutils): sha256sum wireshark-x.y.z.tar.xz
    macOS: shasum -a 256 "Wireshark x.y.z Arm 64.dmg"
    Other: openssl sha256 wireshark-x.y.z.tar.xz

Attachment: OpenPGP_signature
Description: OpenPGP digital signature