This is an experimental release intended to test new features for Wireshark 5.0.

What is Wireshark?

Wireshark is the world’s most popular network protocol analyzer. It is used for troubleshooting, analysis, development and education.

Wireshark is hosted by the Wireshark Foundation, a nonprofit which promotes protocol analysis education. Wireshark and the foundation depend on your contributions in order to do their work. If you or your organization would like to contribute or become a sponsor, please visit wiresharkfoundation.org.

What’s New

  • Welcome Page Overhaul: The welcome page has been redesigned to be more informative and easier to navigate. It now highlights the learning sections better and includes a new sidebar with tips and tricks for using Wireshark effectively. The welcome page is now also more accessible, with improved keyboard navigation and screen reader support.

  • Lua Debugger: A built-in Lua script debugger has been added. It supports breakpoints, single-stepping, variable inspection, expression evaluation, and stack traces. The debugger can be opened from the Tools → Lua Debugger menu.

  • Themes: Wireshark now drives the colors used throughout the GUI from a single theme instead of many individual color preferences. The renamed Appearance → Theme and Font preferences page lets you pick a theme, switch between Light, Dark, and System appearance, set the packet pane font, and preview the result on a mockup of a capture window. A built-in default theme ships with Wireshark, and additional themes can be installed as JSONC (JSON with Comments) files. The previous per-color settings (marked and ignored packets, "Follow Stream" client and server text, display filter validity, and the selected packet) are now provided by the active theme.

    Personal themes can now be dropped as single .jsonc files into $HOME/.local/lib/wireshark/themes (Unix) or %APPDATA%\Wireshark\themes (Windows); the filename becomes the theme’s name in the dropdown. The exact path is shown in the About dialog’s Folders tab.

    On first launch after the upgrade, Wireshark checks the Default profile’s preferences for customized values of the removed per-color settings. If any are found, a personal theme named Personal (Migrated) is created automatically in the personal themes directory, the legacy keys are removed from the Default profile’s preferences file, and the theme is activated so the original visual customizations are preserved. The migration runs once: the generated personal.jsonc can be edited, renamed, or deleted by hand at any time.

    The welcome page section headers ("Open", "Capture", "Learn") and the filter validity tints have been restored to the historical Classic look (Tango sky_blue brand, saturated GTK-era dark green / dark red filter backgrounds).

  • The Default profile now has an additional column, "Delta", showing the delta time from the previous displayed packet.

  • Name Resolution: SMI paths are now searched recursively. This makes it easier to use MIBs provided by libsmi.

Many other improvements have been made. See the “New and Updated Features” section below for more details.

  • Wireshark Profile Import RCE via Zip-Slip Vulnerability - A critical issue that caused Wireshark to crash when importing malformed zip files has been fixed. This bug was reported by Joohyun Park, Hyuk Kwon, Yonghwa Lee, Taisic Yun, Sangjun Song (Theori), with Xint and has been resolved in this release.

New and Updated Features

The following features are either new or have been significantly updated since version 4.6.0:

  • The Windows installers now ship with Npcap 1.88. They previously shipped with Npcap 1.83.

  • The Windows and macOS installers now ship with Qt 6.10.3. They previously shipped with Qt 6.9.3.

  • Zooming (View → Zoom In / View → Zoom Out) now scales the whole window, including the capture and display filter fields and other window elements. Previously only the text size in the three main window panes (packet list, details, and bytes) changed. The new behavior should be much more useful for demos and presentations.

  • The keyboard shortcuts dialog (About Wireshark → Keyboard Shortcuts) has been moved out of the About dialog to the View → Internals → Keyboard Shortcuts menu and now has a button to print the list of keyboard shortcuts to an HTML file.

  • The application icons have been updated and refreshed. The macOS icon now supports Liquid Glass and is sized according to Apple’s specifications on older macOS versions. Issue 18131

  • The RTP Player now supports AMR-WB and 24-bit linear encoded audio.

  • The protocol dissection API has been updated to more safely handle packet data offsets and lengths. See the Major API Changes section below for details.

Removed Features and Support

Dumpcap’s TCP@host:port interface has been removed.

The individual color preferences under Appearance (marked and ignored packets, "Follow Stream" client and server text, display filter validity, and the selected packet) have been removed. These colors are now provided by the selected theme; see the "What’s New" section above.

Building with Qt 5 is no longer supported.

New File Format Decoding Support

Bachmann M-Module

New Protocol Support

Apple Darwin Metadata, Axia Livewire, Controller Interface Transport Protocol (CITP), DCERPC SCARD_PACK, DECT NR+, ESUN, JSON Dictionary, Linux mac80211_hwsim Netlink, Linux Open vSwitch Netlink (OVS), MCData, MIDI System Exclusive DigiTech, Mikrotik RoMON, Multicast Router Discovery (MRD), MySQL X Protocol (MySQLX), NATS, NMEA 2000, Object Transform Protocol (OTP), Perforce P4RPC, PosiStageNet (PSN), PROFINET SXP (PN-SXP), Qualcomm Diagnostic (QCDIAG), RDP Conctrl virtual channel Protocol (CONCTRL), RDP Video Capture Virtual Channel Extension (RDPECAM), Real-Time Tracking Protocol (RTTrP), TrueConf, TrueConf Protocol (TrueConf), Ultra Ethernet Transport (UET), XGT, and ZigBee ZCL Generic Tunnel

Updated Protocol Support

Too many protocol updates have been made to list them all here.

Of particular note, "ike" is now preferred to "isakmp" for filtering the Internet Key Exchange (IKE) protocol and its fields (both IKEv1 and IKEv2), including fields primarily associated with RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP), though "isakmp" remains as an alias for the protocol and all its fields.

New and Updated Capture File Support

New and Updated Capture Interface support

Major API Changes

The tvb new_subset and tvb length_remaining routines now take unsigned offset and length arguments. Negative offsets, indicating an offset relative to the end of the captured length of the buffer (not reported) are no longer permitted, nor is a length of -1 meaning "to the end of the buffer." For the latter, use tvb_new_subset_remaining instead. Internally, tvbuffer lengths have long been unsigned; this change should simplify dealing with 32-bit unsigned length fields and checking for offsets overflowing.

tvb_find_line_end, tvb_find_uint8, tvb_find_uint16 and tvb_ws_mempbrk_pattern_uint8 have been changed in a similar fashion. They now return a boolean, true if found.
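Why dropping the signed conventions matters for untrusted length fields, as an added example that is not Wireshark code: view_t and the subset_* and demo_* functions are hypothetical stand-ins for a buffer API, and the packet bytes are constructed. A 32-bit wire length of 0xFFFFFFFF collides with the -1 "to the end" sentinel under the signed signature, while the unsigned check rejects it without ever computing offset + length.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a packet buffer; this is not Wireshark's tvbuff_t. */
typedef struct { const uint8_t *data; uint32_t len; } view_t;

/* Signed convention: negative offset counts from the end, length -1 means "to the end". */
static bool subset_signed(const view_t *v, int32_t off, int32_t len, view_t *out)
{
    int64_t start = off < 0 ? (int64_t)v->len + off : off;
    if (start < 0 || start > (int64_t)v->len) return false;
    int64_t avail = (int64_t)v->len - start;
    int64_t n = (len == -1) ? avail : len;      /* sentinel path */
    if (n < 0 || n > avail) return false;
    out->data = v->data + start; out->len = (uint32_t)n;
    return true;
}

/* Unsigned convention: no sentinels, and the check never computes off + len. */
static bool subset_unsigned(const view_t *v, uint32_t off, uint32_t len, view_t *out)
{
    if (off > v->len || len > v->len - off) return false;
    out->data = v->data + off; out->len = len;
    return true;
}

/* Explicit "rest of the buffer" call that replaces the -1 sentinel. */
static bool subset_remaining(const view_t *v, uint32_t off, view_t *out)
{
    if (off > v->len) return false;
    out->data = v->data + off; out->len = v->len - off;
    return true;
}

/* Constructed sample: 4-byte length field 0xFFFFFFFF followed by 8 payload bytes. */
static const uint8_t PKT[12] = {0xFF, 0xFF, 0xFF, 0xFF, 1, 2, 3, 4, 5, 6, 7, 8};
static const uint32_t WIRE_LEN = 0xFFFFFFFFu;   /* value read from that field */

static view_t pkt(void) { view_t v = {PKT, sizeof PKT}; return v; }
/* The cast yields -1 on two's-complement targets, so the bogus length is accepted. */
int64_t demo_signed(void) { view_t v = pkt(), o; return subset_signed(&v, 4, (int32_t)WIRE_LEN, &o) ? (int64_t)o.len : -1; }
bool demo_unsigned(void) { view_t v = pkt(), o; return subset_unsigned(&v, 4, WIRE_LEN, &o); }
bool demo_wrap(void) { view_t v = pkt(), o; return subset_unsigned(&v, 8, 0xFFFFFFFCu, &o); }
int64_t demo_remaining(void) { view_t v = pkt(), o; return subset_remaining(&v, 4, &o) ? (int64_t)o.len : -1; }

int main(void) {
    printf("signed=%lld unsigned=%d wrap=%d remaining=%lld\n", (long long)demo_signed(), demo_unsigned(), demo_wrap(), (long long)demo_remaining());
    return 0;
}
```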

Functions tvb_get_string_uint[64] were added that can retrieve an unsigned integer encoded as an ASCII-like string from packet data similar to strtoul but without string copying or otherwise ensuring NUL termination.
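What parsing an integer in place from length-delimited packet bytes looks like, as an added example that is not Wireshark's implementation: field_to_uint64 and the demo_* functions are hypothetical, the sample bytes are constructed, and unlike strtoul this version assumes decimal digits only with no whitespace or sign handling. It stops at the field boundary rather than at a NUL and rejects values that do not fit in 64 bits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not Wireshark's tvb_get_string_uint64: parses the leading
 * decimal digits of a length-delimited field in place. No copy, no NUL needed. */
static bool field_to_uint64(const uint8_t *p, uint32_t len, uint64_t *value, uint32_t *used)
{
    uint64_t acc = 0;
    uint32_t i = 0;
    while (i < len && p[i] >= '0' && p[i] <= '9') {
        uint64_t d = (uint64_t)(p[i] - '0');
        if (acc > (UINT64_MAX - d) / 10) return false;  /* acc*10 + d would wrap */
        acc = acc * 10 + d;
        i++;
    }
    if (i == 0) return false;                           /* no digits at all */
    *value = acc;
    *used = i;
    return true;
}

/* Constructed sample: two adjacent 4-byte ASCII fields, "1234" then "5678", no NUL. */
static const uint8_t PKT[8] = {'1', '2', '3', '4', '5', '6', '7', '8'};
/* Constructed boundary inputs: 2^64 - 1 and 2^64; only the 20 digits are passed. */
static const char *MAX_OK = "18446744073709551615";
static const char *TOO_BIG = "18446744073709551616";

/* Each field is parsed with its own length, so digits of the neighbour are never read. */
uint64_t demo_first(void) { uint64_t v = 0; uint32_t n = 0; return field_to_uint64(PKT, 4, &v, &n) ? v : 0; }
uint64_t demo_second(void) { uint64_t v = 0; uint32_t n = 0; return field_to_uint64(PKT + 4, 4, &v, &n) ? v : 0; }
/* Digits consumed when the field ends in non-digit bytes ("42\r\n"). */
uint32_t demo_used(void) { uint64_t v = 0; uint32_t n = 0; return field_to_uint64((const uint8_t *)"42\r\n", 4, &v, &n) ? n : 0; }
bool demo_max(void) { uint64_t v = 0; uint32_t n = 0; return field_to_uint64((const uint8_t *)MAX_OK, 20, &v, &n) && v == UINT64_MAX; }
bool demo_overflow_rejected(void) { uint64_t v = 0; uint32_t n = 0; return !field_to_uint64((const uint8_t *)TOO_BIG, 20, &v, &n); }

int main(void) {
    printf("first=%llu second=%llu used=%u max_ok=%d overflow_rejected=%d\n",
           (unsigned long long)demo_first(), (unsigned long long)demo_second(),
           demo_used(), demo_max(), demo_overflow_rejected());
    return 0;
}
```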

Linking with the Heimdal Kerberos library is now deprecated, and support will likely be removed in a future release. Linking with the MIT Kerberos library is still supported.

Plugin Development Changes

The list of installed dissector header files has been reduced and is now restricted to ones that contain the following:

  • Functions marked WS_DLL_PUBLIC

  • Structs whose names contain "tap_"

  • The string "PUBLIC_HEADER"

On UN*X systems (excluding macOS when running from an app bundle, as with the official installer) extcap binaries are now searched for under the libexec directory by default, e.g., /usr/libexec/wireshark/extcap instead of /usr/lib64/wireshark/extcap or similar. This is the customary place for helper binaries, which as opposed to libraries do not need multiarch support. The location can be overridden via the environment variable WIRESHARK_EXTCAP_DIR. The extcap binaries shipped with Wireshark are installed in the new location, but third party extcaps may need packaging changes. This change was effective in version 4.6.0, but was not explicitly noted in the release notes previously. Note that some distributions do not use a libexec directory, such as Alpine Linux, which does not have multilib support. On such systems extcap binaries should be in the same location as before.

Getting Wireshark

Wireshark source code and installation packages are available from https://www.wireshark.org/download.html.

Vendor-supplied Packages

Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.

File Locations

Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use Help → About Wireshark → Folders or tshark -G folders to find the default locations on your system.

Getting Help

The User’s Guide, manual pages and various other documentation can be found at https://www.wireshark.org/docs/

Community support is available on Wireshark’s Q&A site and on the wireshark-users mailing list. Subscription information and archives for all of Wireshark’s mailing lists can be found on the mailing list site.

Bugs and feature requests can be reported on the issue tracker.

You can learn protocol analysis and meet Wireshark’s developers at SharkFest.

Official Wireshark training and certification are available from the Wireshark Foundation.

How You Can Help

The Wireshark Foundation helps as many people as possible understand their networks as much as possible. You can find out more and donate at wiresharkfoundation.org.

Frequently Asked Questions

A complete FAQ is available on the Wireshark web site.