Wireshark 1.6.0 Released

June 7, 2011

Wireshark 1.6.0 has been released. Installers for Windows, Mac OS X 10.5.5 and above (Intel and PPC), and source code are now available.

New in 1.6.0

  • Wireshark is now distributed as an installation package rather than a drag-installer on OS X. The installer adds a startup item that should make it easier to capture packets.

  • Large file (greater than 2 GB) support has been improved.

  • Wireshark and TShark can import text dumps, similar to text2pcap.

  • You can now view Wireshark's dissector tables (for example the TCP port to dissector mappings) from the main window.

  • Wireshark can export SSL session keys via FileExportSSL Session Keys...

  • TShark can show a specific occurrence of a field when using '-T fields'.

  • Custom columns can show a specific occurrence of a field.

  • You can hide columns in the packet list.

  • Wireshark can now export SMB objects.

  • dftest and randpkt now have manual pages.

  • TShark can now display iSCSI, ICMP and ICMPv6 service response times.

  • Dumpcap can now save files with a user-specified group id.

  • Syntax checking is done for capture filters.

  • You can display the compiled BPF code for capture filters in the Capture Options dialog.

  • You can now navigate backwards and forwards through TCP and UDP sessions using Ctrl+, and Ctrl+. .

  • Packet length is (finally) a default column.

  • TCP window size is now avaiable both scaled and unscaled. A TCP window scaling graph is available in the GUI.

  • 802.1q VLAN tags are now shown in the Ethernet II protocol tree instead of a separate tree.

  • Various dissectors now display some UTF-16 strings as proper Unicode including the DCE/RPC and SMB dissectors.

  • The RTP player now has an option to show the time of day in the graph in addition to the seconds since beginning of capture.

  • The RTP player now shows why media interruptions occur.

  • Graphs now save as PNG images by default.

  • TShark can read and write host name information from and to pcapng-formatted files. Wireshark can read it. TShark can dump host name information via

    [-z hosts]


  • TShark's -z option now uses the

    [-z <proto>,srt]

    syntax instead of

    [-z <proto>,rtt]

    for all protocols that support service response time statistics. This matches Wireshark's syntax for this option.

  • Wireshark and TShark can now read compressed Windows Sniffer files.

For a complete list of changes, please refer to the 1.6.0 release notes.

Official releases are available right now from the download page.