Wireshark-announce: [Wireshark-announce] Wireshark 3.7.1 is now available
From: Wireshark announcements <wireshark-announce@xxxxxxxxxxxxx>
Date: Mon, 27 Jun 2022 12:08:52 -0700
I'm proud to announce the release of Wireshark 3.7.1.
This is an experimental release intended to test new features for
Wireshark 4.0.
What is Wireshark?
Wireshark is the world’s most popular network protocol analyzer. It is
used for troubleshooting, analysis, development and education.
What’s New
Note: We do not ship official 32-bit Windows packages for this branch.
If you need to use Wireshark on that platform, please install the
latest 3.6 release. Issue 17779[1]
• The display filter syntax is now more powerful with many new
extensions. See below for details.
• The Conversation and Endpoint dialogs have been redesigned with
the following improvements:
• The context menu now includes the option to resize all columns,
as well as copying elements
• Data may be exported as JSON
• Tabs may be detached and reattached from the dialog
• Adding/Removing tabs will keep them in the same order all the
time
• If a filter is applied, two columns are shown in either dialog
detailing the difference between unmatched and matched packets
• Columns are now sorted via secondary properties if an identical
entry is found.
• Conversations will be sorted via second address and first port
number
• Endpoints will be sorted via port numbers
• IPv6 addresses are sorted correctly after IPv4 addresses
• The dialog elements have been moved to make it easier to handle
for new users.
• Selection of tap elements is done via list
• All configurations and options are done via a left side button
row
• Columns for the Conversations and Endpoint dialogs can be
hidden by context menu
• TCP/UDP conversations now include the stream id and allows
filtering on it
• The ip.flags field is now only the three high bits, not the full
byte. Display filters or Coloring rules using the field will need
to be adjusted.
• The 'v' (lower case) and 'V' (upper case) switches have been
swapped for editcap and mergecap to match the other command line
utilities.
• New address type AT_NUMERIC allows simple numeric addresses for
protocols which do not have a more common-style address approach,
analog to AT_STRINGZ.
• The Wireshark Lua API now uses the lrexlib bindings to PCRE2
(https://github.com/rrthomas/lrexlib). Code using the Lua GRegex
module will have to be updated to use lrexlib-pcre2 instead. In
most cases the API should be compatible and the conversion just
requires a module name change.
• The PCRE2 library (https://www.pcre.org/) is now a required
dependency to build Wireshark.
• You must now have a compiler with C11 support in order to build
Wireshark.
• The tap registration system has been updated and the list of
arguments for tap_packet_cb has changed. All taps registered
through register_tap_listener have to be updated.
Many other improvements have been made. See the “New and Updated
Features” section below for more details.
New and Updated Features
The following features are new (or have been significantly updated)
since version 3.7.0:
• The Windows installers now ship with Qt 6.2.3. They previously
shipped with Qt 6.2.4.
• The Conversation and Endpoint dialogs have been reworked
extensively
The following features are new (or have been significantly updated)
since version 3.6.0:
• The Windows installers now ship with Npcap 1.60. They previously
shipped with Npcap 1.55.
• The Windows installers now ship with Qt 6.2.4. They previously
shipped with Qt 5.12.2.
• The display filter syntax has been updated and enhanced:
• A syntax to match a specific layer in the protocol stack has
been added. For example in an IP-over-IP packet “ip.addr#1 ==
1.1.1.1” matches the outer layer addresses and “ip.addr#2 ==
1.1.1.2” matches the inner layer addresses.
• Universal quantifiers "any" and "all" have been added to any
relational operator. For example the expression "all tcp.port ›
1024" is true if and only if all tcp.port fields match the
condition. Previously only the default behaviour to return true
if any one field matches was supported.
• Field references, of the form ${some.field}, are now part of
the syntax of display filters. Previously they were implemented
as macros. The new implementation is more efficient and has the
same properties as protocol fields, like matching on multiple
values using quantifiers and support for layer filtering.
• Arithmetic is supported for numeric fields with the usual
operators “+”, “-”, “*”, “/”, and “%”. Arithmetic expressions
must be grouped using curly brackets (not parenthesis).
• New display filter functions max(), min() and abs() have been
added.
• Functions can accept expressions as arguments, including other
functions. Previously only protocol fields and slices were
syntactically valid function arguments.
• A new syntax to disambiguate literals from identifiers has
been added. Every value with a leading dot is a protocol or
protocol field. Every value in between angle brackets is a
literal value. See the User’s Guide[2] for details.
• The "bitwise and" operator is now a first-class bit operator,
not a boolean operator. In particular this means it is now
possible to mask bits, e.g.: frame[0] & 0x0F == 3.
• Dates and times can be given in UTC using ISO 8601 (with 'Z'
timezone) or by appending the suffix "UTC" to the legacy formats.
Otherwise local time is used.
• Integer literal constants may be written in binary (in
addition to decimal/octal/hexadecimal) using the prefix "0b" or
"0B".
• Logical AND now has higher precedence than logical OR, in line
with most programming languages.
• It is now possible to index protocol fields from the end using
negative indexes. For example the following expression tests the
last two bytes of the TCP protocol field: tcp[-2:] == AA:BB. This
was a longstanding bug that has been fixed in this release.
• Set elements must be separated using a comma, e.g: {1, 2,
"foo"}. Using only whitespace as a separator was deprecated in
3.6 and is now a syntax error.
• Support for some additional character escape sequences in
double quoted strings has been added. Along with octal
(\<number>) and hex (\x<number>) encoding, the following C escape
sequences are now supported with the same meaning: \a, \b, \f,
\n, \r, \t, \v. Previously they were only supported with
character constants.
• Unicode universal character names are now supported with the
escape sequences \uNNNN or \UNNNNNNNN, where N is an hexadecimal
digit.
• Unrecognized escape sequences are now treated as a syntax
error. Previously they were treated as a literal character. In
addition to the sequences indicated above, backslash, single
quotation and double quotation mark are also valid sequences: \\,
\', \".
• A new strict equality operator "===" or "all_eq" has been
added. The expression "a === b" is true if and only if all a’s
are equal to b. The negation of "===" can now be written as "!=="
(any_ne).
• The aliases "any_eq" for "==" and "all_ne" for "!=" have been
added.
• The operator "~=" is deprecated and will be removed in a
future version. Use "!==", which has the same meaning instead.
• Floats must be written with a leading and ending digit. For
example the values ".7" and "7." are now invalid as floats. They
must be written "0.7" and "7.0" respectively.
• The display filter engine now uses PCRE2 instead of GRegex
(GLib’s bindings to the older and end-of-life PCRE library).
PCRE2 is compatible with PCRE so any user-visible changes should
be minimal. Some exotic patterns may now be invalid and require
rewriting.
• Literal strings can handle embedded null bytes (the value
'\0') correctly. This includes regular expression patterns. For
example the double-quoted string "\0 is a null byte" is a legal
literal value. This may be useful to match byte patterns but note
that in general protocol fields with a string type still cannot
contain embedded null bytes.
• Booleans can be written as True/TRUE or False/FALSE.
Previously they could only be written as 1 or 0.
• The `text2pcap` command and the “Import from Hex Dump” feature
have been updated and enhanced:
• `text2pcap` supports writing the output file in all the
capture file formats that wiretap library supports, using the
same `-F` option as `editcap`, `mergecap`, and `tshark`.
• Consistent with the other command line tools like `editcap`,
`mergecap`, `tshark`, and the "Import from Hex Dump" option
within Wireshark, the default capture file format for `text2pcap`
is now pcapng. The `-n` flag to select pcapng (instead of the
previous default, pcap) has been has been deprecated and will be
removed in a future release.
• `text2pcap` supports selecting the encapsulation type of the
output file format using the wiretap library short names with an
`-E` option, similiar to the `-T` option of `editcap`.
• `text2pcap` has been updated to use the new logging output
options and the `-d` flag has been removed. The "debug" log level
corresponds to the old `-d` flag, and the "noisy" log level
corresponds to using `-d` multiple times.
• `text2pcap` and “Import from Hex Dump” support writing fake
IP, TCP, UDP, and SCTP headers to files with Raw IP, Raw IPv4,
and Raw IPv6 encapsulations, in addition to Ethernet
encapsulation available in previous versions.
• `text2pcap` supports scanning the input file using a custom
regular expression, as supported in “Import from Hex Dump” in
Wireshark 3.6.x.
• In general, `text2pcap` and wireshark’s “Import from Hex Dump”
have feature parity.
• The default main window layout has been changed so that the
packet detail and bytes are side by side.
• The HTTP2 dissector now supports using fake headers to parse the
DATAs of streams captured without first HEADERS frames of a
long-lived stream (such as a gRPC streaming call which allows
sending many request or response messages in one HTTP2 stream).
Users can specify fake headers using an existing stream’s server
port, stream id and direction.
• The IEEE 802.11 dissector supports Mesh Connex (MCX).
• The “Capture Options” dialog contains the same configuration icon
as Welcome Screen. It is now possible to configure interfaces
there.
• The “Extcap” dialog remembers password items during runtime,
which makes it possible to run extcaps multiple times in row.
Passwords are never stored on disk.
• It is possible to set extcap passwords in `tshark` and other CLI
tools.
• The extcap configuration dialog now supports and remembers empty
strings. There are new buttons to reset values back to their
defaults.
• Support to display JSON mapping for Protobuf message has been
added.
• macOS debugging symbols are now shipped in separate packages,
similar to Windows packages.
• In the ZigBee ZCL Messaging dissector the
zbee_zcl_se.msg.msg_ctrl.depreciated field has been renamed to
zbee_zcl_se.msg.msg_ctrl.deprecated
• The interface list on the welcome page sorts active interfaces
first and only displays sparklines for active interfaces.
Additionally, the interfaces can now be hidden and shown via the
context menu in the interface list
• The Event Tracing for Windows (ETW) file reader now supports
display IP packets from an event trace logfile or an event trace
live session.
Removed Features and Support
• The CMake options starting with DISABLE_something were renamed
ENABLE_something for consistency. For example DISABLE_WERROR=On
became ENABLE_WERROR=Off. The default values are unchanged.
New Protocol Support
Allied Telesis Loop Detection (AT LDF), AUTOSAR I-PDU Multiplexer
(AUTOSAR I-PduM), DTN Bundle Protocol Security (BPSec), DTN Bundle
Protocol Version 7 (BPv7), DTN TCP Convergence Layer Protocol
(TCPCL), DVB Selection Information Table (DVB SIT), Enhanced Cash
Trading Interface 10.0 (XTI), Enhanced Order Book Interface 10.0
(EOBI), Enhanced Trading Interface 10.0 (ETI), FiveCo’s Legacy
Register Access Protocol (5co-legacy), Generic Data Transfer Protocol
(GDT), gRPC Web (gRPC-Web), Host IP Configuration Protocol (HICP),
Mesh Connex (MCX), Microsoft Cluster Remote Control Protocol (RCP),
Protected Extensible Authentication Protocol (PEAP), Realtek, REdis
Serialization Protocol v2 (RESP), Roon Discovery (RoonDisco), Secure
File Transfer Protocol (sftp), Secure Host IP Configuration Protocol
(SHICP), SSH File Transfer Protocol (SFTP), USB Attached SCSI (UASP),
and ZBOSS NCP
Updated Protocol Support
Too many protocols have been updated to list here.
New and Updated Capture File Support
Major API Changes
• proto.h: The field display types "STR_ASCII" and "STR_UNICODE"
have been removed. Use "BASE_NONE" instead.
Getting Wireshark
Wireshark source code and installation packages are available from
https://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You
can usually install or upgrade Wireshark using the package management
system specific to that platform. A list of third-party packages can
be found on the download page[3] on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for
preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
locations vary from platform to platform. You can use "Help › About
Wireshark › Folders" or `tshark -G folders` to find the default
locations on your system.
Getting Help
The User’s Guide, manual pages and various other documentation can be
found at https://www.wireshark.org/docs/
Community support is available on Wireshark’s Q&A site[4] and on the
wireshark-users mailing list. Subscription information and archives
for all of Wireshark’s mailing lists can be found on the web site[5].
Bugs and feature requests can be reported on the issue tracker[6].
Frequently Asked Questions
A complete FAQ is available on the Wireshark web site[7].
Last updated 2022-06-27 17:03:56 UTC
References
1. https://gitlab.com/wireshark/wireshark/-/issues/17779
2. https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDispla
yFilterSection.html#_some_protocol_names_can_be_ambiguous
3. https://www.wireshark.org/download.html
4. https://ask.wireshark.org/
5. https://www.wireshark.org/lists/
6. https://gitlab.com/wireshark/wireshark/-/issues
7. https://www.wireshark.org/faq.html
Digests
wireshark-3.7.1.tar.xz: 40659668 bytes
SHA256(wireshark-3.7.1.tar.xz)=cccd3da69b97f0e8ab4c609746359fd74d8e5e18ca326b1dbc28b4e2a80d05cd
SHA1(wireshark-3.7.1.tar.xz)=778108333ba42a722fe7aa7a877049e8b2d2dcfc
Wireshark-win64-3.7.1.exe: 76769024 bytes
SHA256(Wireshark-win64-3.7.1.exe)=18898f97aa1290e5aa3a4d25f45fa5895c1d40a7b9877f34294e8410182a8543
SHA1(Wireshark-win64-3.7.1.exe)=cf4ff218c555d7bbcbbf879d2dd9b94f35fad107
Wireshark-win64-3.7.1.msi: 50008064 bytes
SHA256(Wireshark-win64-3.7.1.msi)=c815dc522d417c2ce07b1a0b07fe80557cd2e8ab3092a1282217f58b096aaac5
SHA1(Wireshark-win64-3.7.1.msi)=5edfedd10dba661271f41b6aef3c1f94073ab990
WiresharkPortable64_3.7.1.paf.exe: 43533816 bytes
SHA256(WiresharkPortable64_3.7.1.paf.exe)=71bae5669982bad458786f3e87ee640509b723f521ae37970bbc5b6cf787f978
SHA1(WiresharkPortable64_3.7.1.paf.exe)=c6a14e2e73d129d8541a8b74501c7b900303bacf
Wireshark 3.7.1 Arm 64.dmg: 57627151 bytes
SHA256(Wireshark 3.7.1 Arm 64.dmg)=07ce9d5f295363fe7d197832b0451d1311120db6e04f493360df3d5c9504f797
SHA1(Wireshark 3.7.1 Arm 64.dmg)=b0b8a4c3fdbffd15ec61a21d721a075d86e3530d
Wireshark dSYM 3.7.1 Arm 64.dmg: 84159659 bytes
SHA256(Wireshark dSYM 3.7.1 Arm 64.dmg)=c1ef7ebf53d9851ed7eb637682c8c8563c7af16731137fa25a9e8af626b4e41d
SHA1(Wireshark dSYM 3.7.1 Arm 64.dmg)=fb40ac547c837d915667709f75d39a928efea442
Wireshark 3.7.1 Intel 64.dmg: 60424180 bytes
SHA256(Wireshark 3.7.1 Intel 64.dmg)=819f3be6ddb836c195f7122eb02b28641f114c48e1874079f3889cddd667d999
SHA1(Wireshark 3.7.1 Intel 64.dmg)=7509f080c6173c51dbf14554b2ce124b0ce99fb5
Wireshark dSYM 3.7.1 Intel 64.dmg: 82385161 bytes
SHA256(Wireshark dSYM 3.7.1 Intel 64.dmg)=cb49760367a3e54a0bd069199dbd58dafe6e03680ba41faa5afcf59f2d56728a
SHA1(Wireshark dSYM 3.7.1 Intel 64.dmg)=13162dd2a7b056133fff2cf4ac3247cfb5d25220
You can validate these hashes using the following commands (among others):
Windows: certutil -hashfile Wireshark-win64-x.y.z.exe SHA256
Linux (GNU Coreutils): sha256sum wireshark-x.y.z.tar.xz
macOS: shasum -a 256 "Wireshark x.y.z Arm 64.dmg"
Other: openssl sha256 wireshark-x.y.z.tar.xz
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
- Prev by Date: [Wireshark-announce] Wireshark 3.6.6 is now available
- Previous by thread: [Wireshark-announce] Wireshark 3.6.6 is now available
- Index(es):
- Get Wireshark
- Download
- Code of Conduct