Wireshark 4.6 has been released today as a major update to this popular, open-source, free, and cross-platform network protocol analyzer software for Linux, macOS, and Windows systems.
Highlights of Wireshark 4.6 include a new “Plots” dialog that provides scatter plots with support for multiple plots, markers, and automatic scrolling, support for compressing live captures while writing, and support for writing absolute time fields in ISO 8601 format in UTC with -T json.
In addition, Wireshark can now decrypt NTP packets using NTS (Network Time Security), expands the ability to decrypt MACsec packets to use the SAK unwrapped by the MKA dissector or the PSK configured in the MACsec dissector, and uses units with SI prefixes for the TCP Stream Graph axes.
On Linux, capture filters that use BPF extensions like “inbound”, “outbound”, and “ifindex” can be used for capturing. Among other changes, UTC frame time column formats now have a “Z” suffix per ISO 8601, and the underlying type of EUI-64 fields has been switched to bytes for packet matching.
A new option has been added to custom columns for displaying values using the same format as in the packet details. Also, DNP 3 (Distributed Network Protocol 3) is now supported in the Conversations and Endpoints table dialogs, and the ethers file can now contain EUI-64 to name mappings.
Moreover, Wireshark’s “Import from Hex Dump” feature and text2pcap now support byte groups with 2 to 4 bytes, the GUI Export Dissections Dialog can output raw hex bytes of the frame data for each field with or without exporting the field values, and the Lua API now supports Libgcrypt symmetric cipher functions.
On top of that, Wireshark 4.6 adds an option to the Conversations and Endpoints dialogs to display byte counts and bit rates in exact counts instead of human-readable numbers with SI units, as well as a new “-o statistics.output_format” preference to control the output format for some TShark statistics taps.
Frame timestamps can be added as a preamble to hex dumps from the “Print” and “Export Packet Dissection” dialogs, the packet list and event list no longer support rows with multiple lines, Follow Stream is supported for MPEG 2 Transport Stream PIDs, and the HTTP2 tracking of 3GPP sessions over 5G is now optionally available.
Last but not least, there’s a new Edit › Copy › as HTML menu item to copy plain text with aligned columns, along with the ability to select a copy format to be used when copied via keyboard shortcut. Also, the View menu received an option to Redissect Packets manually.
Starting with this release, Wireshark no longer supports AirPcap and WinPcap, nor versions 1 or 2 of the Netlink Protocol Library Suite (libnl). Wireshark 4.6 also introduces support for decoding the Resource Interchange File Format (RIFF) and TTL File Format.
New protocols supported in Wireshark 4.6 include Asymmetric Key Packages (AKP), Binary HTTP, BIST TotalView-ITCH protocol (BIST-ITCH), BIST TotalView-OUCH protocol (BIST-OUCH), Bluetooth Android HCI (HCI ANDROID), Bluetooth Intel HCI (HCI INTEL), BPSec COSE Context, BPSec Default SC, and Commsignia Capture Protocol (C2P).
The list of newly supported protocols continues with DECT NR+ (DECT-2020 New Radio), DLMS/COSEM, Ephemeral Diffie-Hellman Over COSE, Identifier-Locator Network Protocol (ILNP), LDA Neo Device trailer (LDA_NEO_TRAILER), Lenbrook Service Discovery Protocol (LSDP), LLC V1, and vSomeIP Internal Protocol (vSomeIP).
Furthermore, Wireshark now supports the Navitrol messaging, Network Time Security Key Establishment Protocol (NTS-KE), Ouster VLP-16, Private Line Emulation (PLE), RC V3, RCG, Roughtime, SBAS L5 Navigation Message, and SGP.22 GSMA Remote SIM Provisioning (SGP.22) protocols.
Lastly, the SICK CoLA ASCII and CoLA Binary protocols, Silabs Debug Channel, Universal Measurement and Calibration Protocol (XCP), USB Picture Transfer Protocol (USB-PTP), VLP-16 Data and Position messaging, and SGP.32 GSMA Remote SIM Provisioning (SGP.32) protocols are newly supported in Wireshark 4.6.
Check out the release notes for more details about the changes included in Wireshark 4.6, which you can download as a source tarball from the official website if you fancy compiling from sources. You can also install Wireshark as a Flatpak app from Flathub.


