Wireshark is the world's foremost and widely-used network protocol analyzer. It lets you see what's happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark development thrives thanks to the volunteer contributions of networking experts around the globe and is the continuation of a project started by Gerald Combs in 1998.
Features
- Deep inspection of hundreds of protocols, with more being added all the time
- Live capture and offline analysis
- Standard three-pane packet browser
- Multi-platform: Runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others
- Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
- The most powerful display filters in the industry
- Rich VoIP analysis
- Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer (compressed and uncompressed), Sniffer Pro, and NetXray, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
- Capture files compressed with gzip can be decompressed on the fly
- Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
- Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
- Coloring rules can be applied to the packet list for quick, intuitive analysis
- Output can be exported to XML, PostScript®, CSV, or plain text
What's New
This is the first major Wireshark release under the Wireshark Foundation, a nonprofit which hosts Wireshark and promotes protocol analysis education. The foundation depends on your contributions in order to do its work. If you or your employer would like to contribute or become a sponsor, please visit wiresharkfoundation.org.
- Wireshark supports dark mode on Windows.
- A Windows installer for Arm64 has been added.
- Packet list sorting has been improved.
- Wireshark and TShark are now better about generating valid UTF-8 output.
- A new display filter feature for filtering raw bytes has been added.
- Display filter autocomplete is smarter about not suggesting invalid syntax.
- Tools › MAC Address Blocks can lookup a MAC address in the IEEE OUI registry.
- The enterprises, manuf, and services configuration files have been compiled in for improved start-up times. These files are no longer available in the master branch in our source code repository. You can download the manuf file from our automated build directory.
- The installation target no longer installs development headers by default.
- The Wireshark installation is relocatable on Linux (and other ELF platforms with support for relative RPATHs).
- Wireshark can be compiled on Windows using MSYS2. Check the Developer's guide for instructions.
- Wireshark can be cross-compiled for Windows using Linux. Check the Developer's guide for instructions.
- Tools › Browser (SSL Keylog) can launch your web browser with the SSLKEYLOGFILE environment variable set to the appropriate value.
- Windows installer file names now have the format Wireshark-
- .exe. - Wireshark now supports the Korean language.
- Many other improvements have been made. See the "New and Updated Features" section below for more details.
Bug Fixes
The following bugs have been fixed:
- Issue 18413 - RTP player do not play audio frequently on Windows builds with Qt6.
- Issue 18510 - Playback marker does not move after resume with Qt6.
- New and Updated Features
- The following features are new (or have been significantly updated) since version 4.2.0rc3:
- Nothing of note.
- The following features are new (or have been significantly updated) since version 4.2.0rc2:
- The Windows installers now ship with Npcap 1.78. They previously shipped with Npcap 1.77.
- The following features are new (or have been significantly updated) since version 4.2.0rc1:
- The Windows installers now ship with Npcap 1.77. They previously shipped with Npcap 1.71.
- The following features are new (or have been significantly updated) since version 4.1.0:
- Improved dark mode support.
- The Windows installers now ship with Qt 6.5.3. They previously shipped with Qt 6.2.3.
- The following features are new (or have been significantly updated) since version 4.0.0:
- The API has been updated to ensure that the dissection engine produces valid UTF-8 strings.
- Wireshark now builds with Qt6 by default. To use Qt5 instead pass USE_qt6=OFF to CMake.
- The "ciscodump" extcap supports Cisco IOS XE 17.x.
- The default interval between GUI updates when capturing has been decreased from 500ms to 100ms, and is now configurable.
- The -n option also now disables IP address geolocation information lookup in configured MaxMind databases (and geolocation lookup can be enabled with -Ng.) This is most relevant for TShark, where geolocation lookups are synchronous.
- The display filter drop-down list is now sorted by "most recently used" instead of "most recently created".
- Display filter syntax-related changes:
- It is now possible to filter on raw packet data for any field by using the syntax @some.field ==
. This can be useful to filter on malformed UTF-8 strings, among other use cases where it is necessary to look at the field's raw data. - Negation (unary minus) now works with any display filter arithmetic expression.
- Using the slice operator with strings produces a string. Previously it would produce a byte array. This is useful to index/slice UTF-8 multibyte strings. String byte slices can still be obtained using the "@" (raw operator) prefix.
- Arithmetic expressions are allowed as set elements.
- Absolute date and time values can be written as Unix time.
- The limitation where a minus sign needed to be preceded by a space character has been removed.
- Added XOR logical operator.
- Fixed the implementation of all … in membership operator (#19188).
- When parsing absolute time values the display filter engine has learned to understand timezones as specified in strptime(3), including some common North American designations. Arbitrary timezone names are not supported however. Previously only ISO8601 offsets and the "UTC" designation was understood.
- Writing value strings without double quotes is deprecated and will generate a warning. Value strings are integer or boolean values that can be represented using a user-friendly textual format, such as "Set"/"Unset" instead of numerical values like 1 and 0. It is now a requirement that value strings need to be written enclosed in double-quotes.
- The deprecated ~â operator symbol has been removed. It was replaced by !== in version 4.0.
- Running the test suite requires the pytest Python module. The emulation layer that allowed running tests without pytest installed has been removed.
- When saving files or exporting packets after changing their time with the "Time Shift" dialog, the shifted time is written to the new file.
- TLS secrets used in decrypting packets can be embedded (or discarded) from the capture file via the GUI, similar to the options --inject-secrets and --discard-all-secrets in editcap.
- The text of any configured column (displayed or hidden) can be filtered anywhere that filters are used - in display filters, filters in taps, coloring rules, Wireshark read filters, and the -Y, -R, and -e options to TShark, the "Apply as Filter" GUI option, etc.
- The filter field names are prefixed by "_ws.col", followed by a lowercase version of the COL_ name found in epan/column-utils.h, e.g. "_ws.col.info" or "_ws.col.protocol"
- Using the column names as a filter is slower than other filter types because the columns must be constructed, so when the same filtering can be achieved via other fields, prefer that.
- The external name resolution text files "manuf", "enterprises" and "services" have been removed and replaced with static binary data. You can dump the respective internal data using tshark -G manuf|enterprises|services.
- The "manuf" file is now also read from the personal configuration folder, and is profile-based.
- The Lua console dialogs under the Tools menu were refactored and redesigned. It now consists of a single dialog window for input and output.
- Wireshark now shows byte units in the statistics in the user-selected language (uses the system default language by default).
Packet list sorting has been improved:
- When sorting packet list with a filter applied, only the visible packets are sorted, which greatly increases sorting speed.
- The cache size for column text is limited to a default of 10000 rows, which limits the maximum memory usage. The maximum value can be changed in Preferences→Appearance→Layout
- Due to the above, columns that require packet dissection can only be sorted if the number of visible rows is less than the cache size. If there are more rows visible, a warning will appear. Columns that do not require packet dissection (those that calculated directly from the capture file frame headers, such as packet number, time, and frame length) can be sorted with any number of visible rows.
- Sorting can be interrupted.
- When changing the dissector via the "Decode As" table for values that have default dissectors registered, selecting "(none)" will select no dissection (while still allowing heuristic dissectors to attempt to dissect.) The previous behavior was to reset the dissector to the default. To facilitate resetting the dissector, the default dissector is now sorted at the top of the list of possible dissector options.
- The personal extcap plugin folder location on Unix has been changed to follow existing conventions for architecture-dependent files. The extcap personal folder is now $HOME/.local/lib/wireshark/extcap. Previously it was $XDG_CONFIG_HOME/wireshark/extcap.
- The "init.lua" file is now loaded from any of the Lua plugin directories. Previously it was loaded from the personal configuration directory. (For backward-compatibility this is still allowed; note that deprecated features may be removed in a future release).
- Installation of development headers must be done explicitly using the CMake command cmake --install
--component Development. - The Windows build has a new SpeexDSP external dependency (https://www.speex.org). The speex code that was previously bundled has been removed.
- New --print-timers option added to TShark.