Wireshark 3.6.0rc1 Release Candidate

October 13, 2021

What’s New

Many improvements have been made. See the “New and Updated Features” section below for more details.

New and Updated Features

The following features are new (or have been significantly updated) since version 3.4.0:

The Windows installers now ship with Npcap 1.55.
A 64-bit Windows PortableApps package is now available.
A macOS Arm 64 (Apple Silicon) package is now available.
TCP conversations now support a completeness criteria, which facilitates the identification of TCP streams having any of opening or closing handshakes, a payload, in any combination. It is accessed with the new tcp.completeness filter.
Protobuf fields that are not serialized on the wire (missing in capture files) can now be displayed with default values by setting the new 'add_default_value' preference. The default values might be explicitly declared in 'proto2' files, or false for bools, first value for enums, zero for numeric types.
Wireshark now supports reading Event Tracing for Windows (ETW). A new extcap named ETW reader is created that now can open an etl file, convert all events in the file to DLT_ETW packets and write to a specified FIFO destination. Also, a new packet_etw dissector is created to dissect DLT_ETW packets so Wireshark can display the DLT_ETW packet header, its message and packet_etw dissector calls packet_mbim sub_dissector if its provider matches the MBIM provider GUID.
"Follow DCCP stream" feature to filter for and extract the contents of DCCP streams.
Wireshark now supports dissecting the rtp packet with OPUS payload.
Importing captures from text files is now also possible based on regular expressions. By specifying a regex capturing a single packet including capturing groups for relevant fields a textfile can be converted to a libpcap capture file. Supported data encodings are plain-hexadecimal, -octal, -binary and base64. Also the timestamp format now allows the second-fractions to be placed anywhere in the timestamp and it will be stored with nanosecond instead of microsecond precision.
Display filter literal strings can now be specified using raw string syntax, identical to raw strings in the Python programming language. This is useful to avoid the complexity of using two levels of character escapes with regular expressions.
Significant RTP Player redesign and improvements (see Wireshark User Documentation, Playing VoIP Calls and RTP Player Window)
- RTP Player can play many streams in row
- UI is more responsive
- RTP Player maintains playlist, other tools can add/remove streams to it
- Every stream can be muted or routed to L/R channel for replay
- Save audio is moved from RTP Analysis to RTP Player. RTP Player saves what was played. RTP Player can save in multichannel .au or .wav.
- RTP Player added to menu Telephony>RTP>RTP Player
VoIP dialogs (VoIP Calls, RTP Streams, RTP Analysis, RTP Player, SIP Flows) are non-modal, can stay opened on background
- Same tools are provided across all dialogs (Prepare Filter, Analyse, RTP Player …)
Follow stream is now able to follow SIP calls based on their Call-ID value.
Follow stream YAML output format’s has been changed to add timestamps and peers information (for more details see the user’s guide, Following Protocol Streams)
IP fragments between public IPv4 addresses are now reassembled even if they have different VLAN IDs. Reassembly of IP fragments where one endpoint is a private (RFC 1918 section 3) or link-local (RFC 3927) IPv4 address continues to take the VLAN ID into account, as those addresses can be reused. To revert to the previous behavior and not reassemble fragments with different VLAN IDs, turn on the "Enable stricter conversation tracking heuristics" top level protocol preference.
USB Link Layer reassembly has been added, which allows hardware captures to be analyzed at the same level as software captures.
TShark can now export TLS session keys with the --export-tls-session-keys option.
Wireshark participated in the Google Season of Docs 2020 and the User’s Guide has been extensively updated.
Format of export to CSV in RTP Stream Analysis dialog was slightly changed. First line of export contains names of columns as in other CSV exports.
Wireshark now supports the Turkish language.
The settings in the 'Import from Hex Dump' dialog is now stored in a profile import_hexdump.json file.
Reload Lua plugins has been improved to properly support FileHandler.

New File Format Decoding Support

Vector Informatik Binary Log File (BLF)

New Protocol Support

5G Lawful Interception (5GLI), Bluetooth Link Manager Protocol (BT LMP), CBOR Object Signing and Encryption (COSE), E2 Application Protocol (E2AP), Event Tracing for Windows (ETW), EXtreme extra Eth Header (EXEH), High-Performance Connectivity Tracer (HiPerConTracer), ISO 10681, Kerberos SPAKE, Linux psample protocol, Local Interconnect Network (LIN), Microsoft Task Scheduler Service, O-RAN E2AP, O-RAN fronthaul UC-plane (O-RAN), Opus Interactive Audio Codec (OPUS), PDU Transport Protocol, R09.x (R09), RDP Dynamic Channel Protocol (DRDYNVC), RDP Graphic pipeline channel Protocol (EGFX), RDP Multi-transport (RDPMT), Real-Time Publish-Subscribe Virtual Transport (RTPS-VT), Real-Time Publish-Subscribe Wire Protocol (processed) (RTPS-PROC), Shared Memory Communications (SMC), Signal PDU, SparkplugB, State Synchronization Protocol (SSyncP), Tagged Image File Format (TIFF), TP-Link Smart Home Protocol, UAVCAN DSDL, UAVCAN/CAN, UDP Remote Desktop Protocol (RDPUDP), Van Jacobson PPP compression (VJC), World of Warcraft World (WOWW), and X2 xIRI payload (xIRI)