wireshark/doc/Wireshark_Release_Notes.adoc

include::attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: {css_dir}/{stylesheet}

= Wireshark {wireshark-version} Release Notes
// Asciidoctor Syntax Quick Reference:
// https://asciidoctor.org/docs/asciidoc-syntax-quick-reference/

This is an experimental release intended to test new features for Wireshark 5.0.

== What is Wireshark?

Wireshark is the world’s most popular network protocol analyzer.
It is used for troubleshooting, analysis, development and education.

Wireshark is hosted by the Wireshark Foundation, a nonprofit which promotes protocol analysis education.
Wireshark and the foundation depend on your contributions in order to do their work.
If you or your organization would like to contribute or become a sponsor, please visit https://wiresharkfoundation.org[wiresharkfoundation.org].

== What’s New

// Add a summary of **major** changes here.
// Add other changes to "New and Updated Features" below.

Many other improvements have been made.
See the “New and Updated Features” section below for more details.

//=== Bug Fixes

//The following bugs have been fixed:
//* wsbuglink:5000[]
//* wsbuglink:6000[Wireshark bug]
//* cveidlink:2014-2486[]
//* Wireshark grabs your ID at 3 am, goes to Waffle House, and insults people.

=== New and Updated Features

The following features are either new or have been significantly updated since version 4.4.0:

* The Windows installers now ship with Npcap 1.80.
  They previously shipped with Npcap 1.79.

* The Windows installers now ship with Qt 6.8.1.
  They previously shipped with Qt 6.5.3.

* WinPcap is no longer supported. On Windows, use Npcap instead, uninstalling
  WinPcap if necessary. The last release ever of WinPcap, 4.1.3, was on
  2013-03-08 and only supports up to Windows 8, which is no longer supported
  by Microsoft or Wireshark.

* Source packages are now compressed using zstd.

* Live captures can be compressed while writing. (Previously there was
  support for compressing when performing multiple file capture, at file
  rotation time.) The `--compress` option in TShark works on live captures
  as well. wsbuglink:9311[]

* Absolute time fields, regardless of field display in the Packet Details,
  are always written in ISO 8601 format in UTC with -T json. This was already
  the case for -T ek since version 4.2.0. JSON is primarily a data interchange
  format read by software, so a standard format is desirable.

* When absolute times field are output with -T fields, the "show" field of -T
  pdml, or in custom columns (including CSV output of columns), the formatting
  similar to asctime (e.g., Dec 18, 2017 05:28:39.071704055 EST) has been
  deprecated in favor of ISO 8601. For backwards compatibility, a preference
  has been added, protocols.display_abs_time_ascii, which can be set to continue
  to format times as before. This preference can also be set to never use ASCII
  time and to use ISO 8601 time formatting in the protocol tree (Packet Details)
  as well. It is possible that a future release will remove the ascitime style
  formatting entirely.

* UTC frame time column formats (including "Time (format as specified)" when
  a UTC time display format is selected) have a "Z" suffix per ISO 8601. Local
  time formats remain unqualified (including if the local time zone is UTC.)
  Custom columns displaying FT_ABSOLUTE_TIME already had time zone indication.

* The TShark `-G` option for generating glossary reports does not need to be the
  first option given on the command line anymore. In addition, the reports now
  are affected by other command line options such as `-o`, `-d`, and
  `--disable-protocol`, in addition to the `-C` option, which was already supported.
  (The `defaultprefs` report remains unaffected by any other options.)
  As a part of this change, `-G` with no argument, which was previously deprecated,
  is no longer supported. Use `tshark -G fields` to produce the same report.
  Also, the syntax for only listing fields with a certain prefix has changed to
  `tshark -G fields,prefix`.

* The underlying type of EUI-64 fields has been switched to bytes when packet
  matching, similar to most other address formats. This means that EUI-64
  addresses can be sliced and compared to other bytes types, e.g. the filter
  `wpan.src64[:3] == eth.src[:3]`. Fields can still be specified using 64-bit
  unsigned integer literals, though arithmetic with other integers is no longer
  supported.

* Wireshark can now decrypt NTP packets using NTS (Network Time Security). To decrypt packets,
  the NTS-KE (Network Time Security Key Establishment Protocol) packets need to be present,
  alongside the TLS client and exporter secrets. Additionally, the parts of a NTP packet which
  can be cryptographically authenticated (from NTP packet header until the end  of the last
  extension field that precedes the NTS Authenticator and Encrypted Extension Fields
  extension field) are checked for validity.

* The TCP Stream Graph axes now use units with SI prefixes. wsbuglink:20197[]

* Custom columns have an option to show the values using the same format as
  in Packet Details.

* Custom column complex expressions (e.g., with arithmetic, filter functions,
  etc.) that return numeric results are sorted numerically instead of
  lexicographically.

* A display filter function `double` is added to allow explicitly converting
  field types like integers and times to doubles. This can be used to perform
  further arithmetic operations on fields of different types, including in
  custom column definitions.

* The minimum width of the I/O Graph dialog window is reduced, so it should
  work better on small resolution desktops, especially in certain languages.
  To enable this, some checkbox controls were moved to the graph right-click
  context menu. wsbuglink:20147[]

* X.509 certificates, used in TLS and elsewhere, can be exported via the
  File->Export Objects menu in Wireshark (under the name "X509AF") and
  `--export-objects` in TShark (with the protocol name `x509af`.)

* Zstandard Content-Encoding is supported in the HTTP and HTTP/2 dissectors.

* Follow Stream is supported for MPEG 2 Transport Stream PIDs, and for
  Packetized Elementary Streams contained within MPEG 2 TS. The latter
  can be used to extract audio or video for playback with other tools.

* DNP 3 (Distributed Network Protocol 3) is now supported in the Conversations
  and Endpoints table dialogs.

* The Lua supplied preloaded libraries `bit` and `rex_pcre2` are loaded in
  a way that adds them to the `package.loaded` table, as though through
  `require`, so that `require("bit")` and `require("rex_pcre2")` statements
  in Lua dissectors, while usually superfluous, behave as expected. wsbuglink:20213[]

* The packet list (Wireshark) and event list (Stratoshark) no longer support rows with multiple lines.
  wsbuglink:14424[]

* The `ethers` file can also contain EUI-64 to name mappings. wsbuglink:15487[]

* Wireshark "Import from Hex Dump" and text2pcap support byte groups with 2 to
  4 bytes (with an option for little-endian byte order), and support hexadecimal
  offsets with a `0x` or `0X` prefix (as produced by `tcpdump -x`, among others).
  wsbuglink:16193[]

* Frame timestamps can be added as preamble to hex dumps in Wireshark from
  the "Print" and "Export Packet Dissection" dialogs, and in TShark with
  the `--hexdump time` option. wsbuglink:17132[]

* Lua now has a `Conversation` object, which exposes conversations and conversation
  data to Lua. Resolves wsbuglink:15396[]

* Supports "Copy in HTML" format via main menu, context menu and keyboard
  shortcut. It also provides an option (via knobs in preferences) to copy plain
  text with aligned columns along with an ability to select a copy format to be
  used when copied via keyboard shortcut.

* The "no duplicate keys" version of JSON output that tshark has supported
  since 2.6.0 is available through the GUI Export Dissections Dialog.
  Note that this format does not necessarily preserve the ordering of all
  children in a tree, if sibling with identical keys are not consecutive.

=== Removed Features and Support

Wireshark no longer supports AirPcap and WinPcap.

// === Removed Dissectors


//=== New File Format Decoding Support

//[commaize]
//--
//--

=== New Protocol Support

// Add one protocol per line between the -- delimiters in the format
// “Full protocol name (Abbreviation)”
// git log --oneline --diff-filter=A --stat v4.3.0rc0.. epan/dissectors plugins
[commaize]
--
Lenbrook Service Discovery Protocol (LSDP)
Network Time Security Key Establishment Protocol (NTS-KE)
Private Line Emulation (PLE)
Roughtime (Roughtime)
SBAS L5 messages
Universal Measurement and Calibration Protocol (XCP)
vSomeIP Internal Protocol (vSomeIP)
--

=== Updated Protocol Support

Too many protocol updates have been made to list them all here.

//=== New and Updated Capture File Support

There is no new or updated capture file support in this release.
// Add one file type per line between the -- delimiters.
// [commaize]
// --
// --

// === New and Updated Capture Interfaces support
// [commaize]
// --
// --

//=== New and Updated Codec support

//_Non-empty section placeholder._

// === Major API Changes


== Getting Wireshark

Wireshark source code and installation packages are available from
https://www.wireshark.org/download.html.

=== Vendor-supplied Packages

Most Linux and Unix vendors supply their own Wireshark packages.
You can usually install or upgrade Wireshark using the package management system specific to that platform.
A list of third-party packages can be found on the
https://www.wireshark.org/download.html[download page]
on the Wireshark web site.

== File Locations

Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries.
These locations vary from platform to platform.
You can use menu:Help[About Wireshark,Folders] or `tshark -G folders` to find the default locations on your system.

== Getting Help

The User’s Guide, manual pages and various other documentation can be found at
https://www.wireshark.org/docs/

Community support is available on
https://ask.wireshark.org/[Wireshark’s Q&A site]
and on the wireshark-users mailing list.
Subscription information and archives for all of Wireshark’s mailing lists can be found on https://lists.wireshark.org/lists/[the mailing list site].

Bugs and feature requests can be reported on
https://gitlab.com/wireshark/wireshark/-/issues[the issue tracker].

You can learn protocol analysis and meet Wireshark’s developers at
https://sharkfest.wireshark.org[SharkFest].

// Official Wireshark training and certification are available from
// https://www.wiresharktraining.com/[Wireshark University].

== How You Can Help

The Wireshark Foundation helps as many people as possible understand their networks as much as possible.
You can find out more and donate at https://wiresharkfoundation.org[wiresharkfoundation.org].

== Frequently Asked Questions

A complete FAQ is available on the
https://www.wireshark.org/faq.html[Wireshark web site].