ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online

Wireshark-announce: [Wireshark-announce] Wireshark 3.7.2 is now available

Date Prev · Date Next · Thread Prev · Thread Next
From: Wireshark announcements <wireshark-announce@xxxxxxxxxxxxx>
Date: Thu, 28 Jul 2022 14:10:53 -0700
I'm proud to announce the release of Wireshark 3.7.2.


 This is an experimental release intended to test new features for
 Wireshark 4.0.

 What is Wireshark?

  Wireshark is the world’s most popular network protocol analyzer. It is
  used for troubleshooting, analysis, development and education.

 What’s New

 Note: We do not ship official 32-bit Windows packages for this branch.
 If you need to use Wireshark on that platform, please install the
 latest 3.6 release. Issue 17779[1]

    • The display filter syntax is now more powerful with many new
      extensions. See below for details.

    • The Conversation and Endpoint dialogs have been redesigned with
      the following improvements:

       • The context menu now includes the option to resize all columns,
      as well as copying elements.

       • Data may be exported as JSON.

       • Tabs may be detached and reattached from the dialog.

       • Adding/Removing tabs will keep them in the same order all the
      time.

       • If a filter is applied, two columns are shown in either dialog
      detailing the difference between unmatched and matched packets.

       • Columns are now sorted via secondary properties if an identical
      entry is found.

       • Conversations will be sorted via second address and first port
      number.

       • Endpoints will be sorted via port numbers.

       • IPv6 addresses are sorted correctly after IPv4 addresses.

       • The dialog elements have been moved to make it easier to handle
      for new users.

       • Selection of tap elements is done via list.

       • All configurations and options are done via a left side button
      row.

       • Columns for the Conversations and Endpoint dialogs can be
      hidden by context menu.

       • TCP/UDP conversations now include the stream id and allows
      filtering on it.

    • The ip.flags field is now only the three high bits, not the full
      byte. Display filters and Coloring rules using the field will need
      to be adjusted.

    • Speed when using MaxMind geolocation has been greatly improved.

    • The 'v' (lower case) and 'V' (upper case) switches have been
      swapped for editcap and mergecap to match the other command line
      utilities.

    • New address type AT_NUMERIC allows simple numeric addresses for
      protocols which do not have a more common-style address approach,
      analog to AT_STRINGZ.

    • The Wireshark Lua API now uses the lrexlib[2] bindings to PCRE2.
      Code using the Lua GRegex module will have to be updated to use
      lrexlib-pcre2 instead. In most cases the API should be compatible
      and the conversion just requires a module name change.

    • The tap registration system has been updated and the list of
      arguments for tap_packet_cb has changed. All taps registered
      through register_tap_listener have to be updated.

    • The PCRE2 library[3] is now a required dependency to build
      Wireshark.

    • You must now have a compiler with C11 support in order to build
      Wireshark.

    • The following libraries and tools have had their minimum required
      version increased:

       • CMake 3.10 is required on macOS and Linux.

       • Qt version 5.12 (was 5.6.0), although compilation with 5.10 and
      5.11 is still possible, but will trigger a warning during
      configuration.

       • Windows SDK 10.0.18362.0 is required due to issues with C11
      support.

       • macOS version 10.10 (was 10.8) is required, if the Qt version
      is to be built, at least 10.11 is required, depending on the Qt
      version used (see below).

       • GLib version 2.50.0 (was 2.38.0) is required.

       • Libgcrypt version 1.8.0 (was 1.5.0) is required.

       • c-ares version 1.14.0 (was 1.5.0).

       • Python version 3.6.0 (was 3.4.0).

       • GnuTLS version 3.5.8 (was 3.3.0).

       • Nghttp2 minimum version has been set to 1.11.0 (none previous).

    • For building with Qt on macOS, the following versions are required
      depending on the Qt version to be used:

       • Qt 5.10 or higher requires macOS version 10.11

       • Qt 5.12 or higher requires macOS version 10.12

       • Qt 5.14 or higher requires macOS version 10.13

       • Qt 6.0 or higher requires macOS version 10.14

    • Perl is no longer required to build Wireshark, but may be required
      to build some source code files and run code analysis checks.

  Many other improvements have been made. See the “New and Updated
  Features” section below for more details.

  New and Updated Features

   The following features are new (or have been significantly updated)
   since version 3.7.0:

     • The Windows installers now ship with Qt 6.2.3. They previously
       shipped with Qt 6.2.4.

     • The Conversation and Endpoint dialogs have been reworked
       extensively

   The following features are new (or have been significantly updated)
   since version 3.6.0:

     • The Windows installers now ship with Npcap 1.60. They previously
       shipped with Npcap 1.55.

     • The Windows installers now ship with Qt 6.2.4. They previously
       shipped with Qt 5.12.2.

     • The display filter syntax has been updated and enhanced:

        • A syntax to match a specific layer in the protocol stack has
       been added. For example in an IP-over-IP packet “ip.addr#1 ==
       1.1.1.1” matches the outer layer addresses and “ip.addr#2 ==
       1.1.1.2” matches the inner layer addresses.

        • Universal quantifiers "any" and "all" have been added to any
       relational operator. For example the expression "all tcp.port ›
       1024" is true if and only if all tcp.port fields match the
       condition. Previously only the default behaviour to return true
       if any one field matches was supported.

        • Field references, of the form ${some.field}, are now part of
       the syntax of display filters. Previously they were implemented
       as macros. The new implementation is more efficient and has the
       same properties as protocol fields, like matching on multiple
       values using quantifiers and support for layer filtering.

        • Arithmetic is supported for numeric fields with the usual
       operators “+”, “-”, “*”, “/”, and “%”. Arithmetic expressions
       must be grouped using curly brackets (not parenthesis).

        • New display filter functions max(), min() and abs() have been
       added.

        • Functions can accept expressions as arguments, including other
       functions. Previously only protocol fields and slices were
       syntactically valid function arguments.

        • A new syntax to disambiguate literals from identifiers has
       been added. Every value with a leading dot is a protocol or
       protocol field. Every value in between angle brackets is a
       literal value. See the User’s Guide[4] for details.

        • The "bitwise and" operator is now a first-class bit operator,
       not a boolean operator. In particular this means it is now
       possible to mask bits, e.g.: frame[0] & 0x0F == 3.

        • Dates and times can be given in UTC using ISO 8601 (with 'Z'
       timezone) or by appending the suffix "UTC" to the legacy formats.
       Otherwise local time is used.

        • Integer literal constants may be written in binary (in
       addition to decimal/octal/hexadecimal) using the prefix "0b" or
       "0B".

        • Logical AND now has higher precedence than logical OR, in line
       with most programming languages.

        • It is now possible to index protocol fields from the end using
       negative indexes. For example the following expression tests the
       last two bytes of the TCP protocol field: tcp[-2:] == AA:BB. This
       was a longstanding bug that has been fixed in this release.

        • Set elements must be separated using a comma, e.g: {1, 2,
       "foo"}. Using only whitespace as a separator was deprecated in
       3.6 and is now a syntax error.

        • Support for some additional character escape sequences in
       double quoted strings has been added. Along with octal
       (\<number>) and hex (\x<number>) encoding, the following C escape
       sequences are now supported with the same meaning: \a, \b, \f,
       \n, \r, \t, \v. Previously they were only supported with
       character constants.

        • Unicode universal character names are now supported with the
       escape sequences \uNNNN or \UNNNNNNNN, where N is a hexadecimal
       digit.

        • Unrecognized escape sequences are now treated as a syntax
       error. Previously they were treated as a literal character. In
       addition to the sequences indicated above, backslash, single
       quotation and double quotation mark are also valid sequences: \\,
       \', \".

        • A new strict equality operator "===" or "all_eq" has been
       added. The expression "a === b" is true if and only if all a’s
       are equal to b. The negation of "===" can now be written as "!=="
       (any_ne).

        • The aliases "any_eq" for "==" and "all_ne" for "!=" have been
       added.

        • The operator "~=" is deprecated and will be removed in a
       future version. Use "!==", which has the same meaning instead.

        • Floats must be written with a leading and ending digit. For
       example the values ".7" and "7." are now invalid as floats. They
       must be written "0.7" and "7.0" respectively.

        • The display filter engine now uses PCRE2 instead of GRegex
       (GLib’s bindings to the older and end-of-life PCRE library).
       PCRE2 is compatible with PCRE so any user-visible changes should
       be minimal. Some exotic patterns may now be invalid and require
       rewriting.

        • Literal strings can handle embedded null bytes (the value
       '\0') correctly. This includes regular expression patterns. For
       example the double-quoted string "\0 is a null byte" is a legal
       literal value. This may be useful to match byte patterns but note
       that in general protocol fields with a string type still cannot
       contain embedded null bytes.

        • Booleans can be written as True/TRUE or False/FALSE.
       Previously they could only be written as 1 or 0.

        • It is now possible to test for the existence of a slice.

        • All integer sizes are now compatible. Unless overflow occurs
       any integer field can be compared with any other.

     • The `text2pcap` command and the “Import from Hex Dump” feature
       have been updated and enhanced:

        • `text2pcap` supports writing the output file in all the
       capture file formats that wiretap library supports, using the
       same `-F` option as `editcap`, `mergecap`, and `tshark`.

        • Consistent with the other command line tools like `editcap`,
       `mergecap`, `tshark`, and the "Import from Hex Dump" option
       within Wireshark, the default capture file format for `text2pcap`
       is now pcapng. The `-n` flag to select pcapng (instead of the
       previous default, pcap) has been deprecated and will be removed
       in a future release.

        • `text2pcap` supports selecting the encapsulation type of the
       output file format using the wiretap library short names with an
       `-E` option, similar to the `-T` option of `editcap`.

        • `text2pcap` has been updated to use the new logging output
       options and the `-d` flag has been removed. The "debug" log level
       corresponds to the old `-d` flag, and the "noisy" log level
       corresponds to using `-d` multiple times.

        • `text2pcap` and “Import from Hex Dump” support writing fake
       IP, TCP, UDP, and SCTP headers to files with Raw IP, Raw IPv4,
       and Raw IPv6 encapsulations, in addition to Ethernet
       encapsulation available in previous versions.

        • `text2pcap` supports scanning the input file using a custom
       regular expression, as supported in “Import from Hex Dump” in
       Wireshark 3.6.x.

        • In general, `text2pcap` and wireshark’s “Import from Hex Dump”
       have feature parity.

     • The default main window layout has been changed so that the
       Packet Detail and Packet Bytes are side by side underneath the
       Packet List pane.

     • The HTTP2 dissector now supports using fake headers to parse the
       DATAs of streams captured without first HEADERS frames of a
       long-lived stream (such as a gRPC streaming call which allows
       sending many request or response messages in one HTTP2 stream).
       Users can specify fake headers using an existing stream’s server
       port, stream id and direction.

     • The IEEE 802.11 dissector supports Mesh Connex (MCX).

     • The “Capture Options” dialog contains the same configuration icon
       as the Welcome Screen. It is now possible to configure interfaces
       there.

     • The “Extcap” dialog remembers password items during runtime,
       which makes it possible to run extcaps multiple times in row
       without having to reenter the password each time. Passwords are
       never stored on disk.

     • It is possible to set extcap passwords in `tshark` and other CLI
       tools.

     • The extcap configuration dialog now supports and remembers empty
       strings. There are new buttons to reset values back to their
       defaults.

     • Support to display JSON mapping for Protobuf message has been
       added.

     • macOS debugging symbols are now shipped in separate packages,
       similar to Windows packages.

     • In the ZigBee ZCL Messaging dissector the
       zbee_zcl_se.msg.msg_ctrl.depreciated field has been renamed to
       zbee_zcl_se.msg.msg_ctrl.deprecated

     • The interface list on the welcome page sorts active interfaces
       first and only displays sparklines for active interfaces.
       Additionally, the interfaces can now be hidden and shown via the
       context menu in the interface list

     • The Event Tracing for Windows (ETW) file reader now supports
       displaying IP packets from an event trace logfile or an event
       trace live session.

     • ciscodump now supports IOS, IOS-XE and ASA remote capturing

  Removed Features and Support

     • The CMake options starting with DISABLE_something were renamed
       ENABLE_something for consistency. For example DISABLE_WERROR=On
       became ENABLE_WERROR=Off. The default values are unchanged.

  New Protocol Support

   Allied Telesis Loop Detection (AT LDF), AUTOSAR I-PDU Multiplexer
   (AUTOSAR I-PduM), DTN Bundle Protocol Security (BPSec), DTN Bundle
   Protocol Version 7 (BPv7), DTN TCP Convergence Layer Protocol
   (TCPCL), DVB Selection Information Table (DVB SIT), Enhanced Cash
   Trading Interface 10.0 (XTI), Enhanced Order Book Interface 10.0
   (EOBI), Enhanced Trading Interface 10.0 (ETI), FiveCo’s Legacy
   Register Access Protocol (5co-legacy), Generic Data Transfer Protocol
   (GDT), gRPC Web (gRPC-Web), Host IP Configuration Protocol (HICP),
   Locamation Interface Module (IDENT, CALIBRATION, SAMPLES - IM1), Mesh
   Connex (MCX), Microsoft Cluster Remote Control Protocol (RCP),
   Protected Extensible Authentication Protocol (PEAP), Realtek, REdis
   Serialization Protocol v2 (RESP), Roon Discovery (RoonDisco), Secure
   File Transfer Protocol (sftp), Secure Host IP Configuration Protocol
   (SHICP), SSH File Transfer Protocol (SFTP), USB Attached SCSI (UASP),
   and ZBOSS NCP

  Updated Protocol Support

   Too many protocols have been updated to list here.

  New and Updated Capture File Support

  Major API Changes

     • proto.h: The field display types "STR_ASCII" and "STR_UNICODE"
       have been removed. Use "BASE_NONE" instead.

 Getting Wireshark

  Wireshark source code and installation packages are available from
  https://www.wireshark.org/download.html.

  Vendor-supplied Packages

   Most Linux and Unix vendors supply their own Wireshark packages. You
   can usually install or upgrade Wireshark using the package management
   system specific to that platform. A list of third-party packages can
   be found on the download page[5] on the Wireshark web site.

 File Locations

  Wireshark and TShark look in several different locations for
  preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These
  locations vary from platform to platform. You can use "Help › About
  Wireshark › Folders" or `tshark -G folders` to find the default
  locations on your system.

 Getting Help

  The User’s Guide, manual pages and various other documentation can be
  found at https://www.wireshark.org/docs/

  Community support is available on Wireshark’s Q&A site[6] and on the
  wireshark-users mailing list. Subscription information and archives
  for all of Wireshark’s mailing lists can be found on the web site[7].

  Bugs and feature requests can be reported on the issue tracker[8].

 Frequently Asked Questions

  A complete FAQ is available on the Wireshark web site[9].

  Last updated 2022-07-28 19:00:34 UTC

 References

   1. https://gitlab.com/wireshark/wireshark/-/issues/17779
   2. https://github.com/rrthomas/lrexlib
   3. https://www.pcre.org/
   4. https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDispla
  yFilterSection.html#_some_protocol_names_can_be_ambiguous
   5. https://www.wireshark.org/download.html
   6. https://ask.wireshark.org/
   7. https://www.wireshark.org/lists/
   8. https://gitlab.com/wireshark/wireshark/-/issues
   9. https://www.wireshark.org/faq.html


Digests

wireshark-3.7.2.tar.xz: 40737396 bytes
SHA256(wireshark-3.7.2.tar.xz)=be455226fb30aca64edf513312b87b58e11e14730c725611f0e1562658bc7890
SHA1(wireshark-3.7.2.tar.xz)=a128bbff3530e8bf29bd84fdfc9b3bc337a5cece

Wireshark-win64-3.7.2.exe: 77740928 bytes
SHA256(Wireshark-win64-3.7.2.exe)=8763889d5057078d936f89808df07ab8f59ce9d857ceca3f30fb027d4b19771c
SHA1(Wireshark-win64-3.7.2.exe)=949cdb3c522f897cfc58eb3304d547e0c8a7de54

Wireshark-win64-3.7.2.msi: 51093504 bytes
SHA256(Wireshark-win64-3.7.2.msi)=0c7531a53542c24fa811aebd820771fa3e9c547ddcfa16ca24f7435c0e5fbbc9
SHA1(Wireshark-win64-3.7.2.msi)=f37e2f8ee6ce079f11d4293bedb589f2a81d6091

WiresharkPortable64_3.7.2.paf.exe: 44543664 bytes
SHA256(WiresharkPortable64_3.7.2.paf.exe)=caee7398a5a8b730fba46402af59d47cd59421e47b75c851fb2f982ee08c5e15
SHA1(WiresharkPortable64_3.7.2.paf.exe)=fd183b835be385aff312e5a49d311722bc6f9a4d

Wireshark 3.7.2 Arm 64.dmg: 57758036 bytes
SHA256(Wireshark 3.7.2 Arm 64.dmg)=fad8472e9cbc5f8ce0ab32671fc76b58aaee556c2404659599fc825cf7125c2b
SHA1(Wireshark 3.7.2 Arm 64.dmg)=86ee2ecb60b5989802a726249ca405bbae9ef56a

Wireshark 3.7.2 Intel 64.dmg: 60479020 bytes
SHA256(Wireshark 3.7.2 Intel 64.dmg)=5702020fad65d27deb504d0520237f419afa2d093ab46efb3673da41d95a3bf1
SHA1(Wireshark 3.7.2 Intel 64.dmg)=e4ef70d4889be054d25b517aeca7deeb7eabf1f3

You can validate these hashes using the following commands (among others):

    Windows: certutil -hashfile Wireshark-win64-x.y.z.exe SHA256
    Linux (GNU Coreutils): sha256sum wireshark-x.y.z.tar.xz
    macOS: shasum -a 256 "Wireshark x.y.z Arm 64.dmg"
    Other: openssl sha256 wireshark-x.y.z.tar.xz

Attachment: OpenPGP_signature
Description: OpenPGP digital signature