Network analysis with Wireshark 4.0: new filters for the shark tank

Version 4.0 of the open source protocol analysis tool Wireshark is available. In addition to code cleanups, it also contains a lot of new features both on and below the surface.


Version 4.0 of Wireshark has been released. The innovations in the free protocol analysis tool primarily concern the revised filter options. The cessation of support for 32-bit versions of Windows is also noteworthy. The developers state that despite aiming for a small code base, the tool now has over three million lines of code.


After the update, analysts are immediately greeted by the first new feature: the tool shows the active interfaces with the highest utilization at the top of the list of interfaces available for capture. This speeds up selection on source systems with a large number of interfaces. In addition, the views and options of the Endpoints and Conversations windows have been revised. Among other things, they now offer an export option in JSON, a display and filter option for the stream ID of UDP and TCP streams, sorting of IPv6 addresses after IPv4 addresses, and much more.

The developers have switched the regular expression library used by the display filter engine from GRegex to PCRE2. There are also new aliases: any_eq for "==" and all_ne for "!=". The engine now also offers the any and all quantifiers for relational operators such as greater than and less than. As an example, the developers give the filter all tcp.port > 1024, which is only TRUE when all TCP ports in the packet are greater than 1024. The new layer numbering is also available for networks with overlay (encapsulation) solutions: a hash sign followed by an integer selects the n-th occurrence of the desired header field. An example would be ip.addr#2 == 192.0.2.1 for the inner IP header of an IPv4-over-IPv4 packet.


A new strict comparison operator "===", or equivalently all_eq, makes it possible to write a filter whose condition only applies if it holds in all cases. With "x === y" this is the case if every value of x equals the value y.

In addition to the classic 0 and 1, Boolean values can now also be written as True/TRUE or False/FALSE. From now on, the TCP payload filter can also be used with a specification of byte ranges, such as tcp.payload[0:2] for the first two bytes of the payload.
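To make the difference between the any and all semantics concrete, the following small evaluator, added here for illustration and not part of Wireshark, applies the quantifier, layer (#n) and byte-slice rules from the last three paragraphs to a constructed IPv4-over-IPv4 packet; the packet model and the function names are this example's own assumptions.

```python
import operator
from typing import Any, Callable, Optional

# Constructed sample packet: IPv4-over-IPv4 carrying TCP, modelled as an ordered
# list of (protocol, fields) layers. A field lists every occurrence in that layer.
PACKET = [
    ("ip", {"ip.addr": ["198.51.100.7", "203.0.113.9"]}),  # outer IPv4 header (#1)
    ("ip", {"ip.addr": ["192.0.2.1", "192.0.2.45"]}),      # inner IPv4 header (#2)
    ("tcp", {"tcp.port": [443, 51822],                      # src port, dst port
             "tcp.payload": [bytes.fromhex("160301")]}),
]

# Operator spelling -> (comparison, default quantifier). Per the 4.0 release:
# "==" is any_eq, "!=" is all_ne, "===" is all_eq; relational operators are
# 'any' unless the expression is prefixed with 'all' (e.g. all tcp.port > 1024).
OPERATORS: dict[str, tuple[Callable[[Any, Any], bool], str]] = {
    "==": (operator.eq, "any"), "any_eq": (operator.eq, "any"),
    "===": (operator.eq, "all"), "all_eq": (operator.eq, "all"),
    "!=": (operator.ne, "all"), "all_ne": (operator.ne, "all"),
    ">": (operator.gt, "any"), "<": (operator.lt, "any"),
}

def field_values(pkt, name: str, layer: Optional[int] = None,
                 byte_slice: Optional[tuple[int, int]] = None) -> list:
    """Collect the occurrences of `name`. `layer` restricts them to the n-th layer
    of the field's protocol (the `name#n` operator); `byte_slice` is Wireshark's
    `[offset:length]` notation, e.g. (0, 2) for the first two bytes."""
    proto = name.split(".")[0]
    layers = [fields for p, fields in pkt if p == proto]
    if layer is not None:                  # '#n' beyond the stack depth selects nothing
        layers = layers[layer - 1:layer]
    values = [v for fields in layers for v in fields.get(name, [])]
    if byte_slice is not None:
        offset, length = byte_slice
        values = [v[offset:offset + length] for v in values]
    return values

def evaluate(pkt, name: str, op: str, rhs, quantifier: Optional[str] = None,
             layer: Optional[int] = None, byte_slice=None) -> bool:
    """Evaluate `[quantifier] name[#layer][slice] op rhs` for one packet: 'any' is
    true if at least one occurrence matches, 'all' only if every occurrence does.
    A field with no occurrence in the packet never matches, under either quantifier."""
    cmp, default_quantifier = OPERATORS[op]
    values = field_values(pkt, name, layer, byte_slice)
    if not values:
        return False
    results = [cmp(v, rhs) for v in values]
    return all(results) if (quantifier or default_quantifier) == "all" else any(results)
```

For the sample packet, evaluate(PACKET, "tcp.port", ">", 1024) is true because one port (51822) qualifies, while the same comparison with quantifier "all" is false because of port 443.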

The Wireshark developers have also expanded the functions for importing hex dumps and for text2pcap and brought them to feature parity. The default output format is now PCAPng instead of PCAP. The extcap interface for remote captures has also been expanded, for example to allow storing passwords. In this context, the community also added the ciscodump module, which supports remote captures from Cisco IOS, IOS-XE and ASA devices via SSH.

Version 4.0 also offers innovations for Windows users. The Event Tracing for Windows (ETW) reader can display IP packets from an ETW file or from a live ETW session. In addition, the developers state that they have significantly improved the speed of MaxMind geolocation lookups.

In addition to a large number of revised protocol dissectors, including full support for the QUIC protocol, there are also a number of new dissectors. These include the encrypted file transfer protocols Secure File Transfer Protocol (sftp) and SSH File Transfer Protocol (SFTP), as well as the Protected Extensible Authentication Protocol (PEAP) used for authentication in IEEE 802.1X environments.


One of the biggest changes is the switch of the underlying GUI framework from Qt 5 to Qt 6. Furthermore, support for 32-bit Windows systems has been dropped; users of such systems must remain on version 3.6. For Windows environments there is also a change to version 1.70 of the Npcap driver. The developers have raised the minimum required Python version from 3.4.0 to 3.6.0 and the GnuTLS version from 3.3.0 to 3.5.8. Wireshark 4.0 also no longer requires Perl in the build process.

The team lists the full set of changes in the release notes for Wireshark 4.0. The developers provide more information about the new release on YouTube and GitLab.