New and Updated Features
The following features are new (or have been significantly updated) since version 1.4:
* Wireshark can import text dumps, similar to text2pcap.
* You can now view Wireshark's dissector tables (for example the TCP port to dissector mappings) from the main window.
* TShark can show a specific occurrence of a field when using '-T fields'.
* Custom columns can show a specific occurrence of a field.
* You can hide columns in the packet list.
* Wireshark can now export SMB objects.
* dftest and randpkt now have manual pages.
* TShark can now display iSCSI service response times.
* Dumpcap can now save files with a user-specified group id.
* Syntax checking is done for capture filters.
* You can display the compiled BPF code for capture filters in the Capture Options dialog.
* You can now navigate backwards and forwards through TCP and UDP sessions using Ctrl+, and Ctrl+. .
* Packet length is (finally) a default column.
* TCP window size is now avaiable both scaled and unscaled. A TCP window scaling graph is available in the GUI.
* 802.1q VLAN tags are now shown by the Ethernet II dissector.
* Various dissectors now display some UTF-16 strings as proper Unicode including the DCE/RPC and SMB dissectors.
* The RTP player now has an option to show the time of day in the graph in addition to the seconds since beginning of capture.
* The RTP player now shows why media interruptions occur.
* Graphs now save as PNG images by default.
New Protocol Support
ADwin, ADwin-Config, Apache Etch, Aruba PAPI, Constrained Application Protocol (COAP), Digium TDMoE, Ether-S-I/O, FastCGI, Fibre Channel over InfiniBand (FCoIB), Gopher, Gigamon GMHDR, IDMP, Infiniband Socket Direct Protocol (SDP), JSON, LISP Data, MikroTik MAC-Telnet, Mongo Wire Protocol, Network Monitor 802.11 radio header, OPC UA ExtensionObjects, PPI-GEOLOCATION-GPS, ReLOAD, ReLOAD Framing, SAMETIME, SCoP, SGSAP, Tektronix Teklink, WAI authentication, Wi-Fi P2P (Wi-Fi Direct)
New and Updated Capture File Support
Apple PacketLogger, Catapult DCT2000, Daintree SNA, Endace ERF, HP OpenVMS TCPTrace, IPFIX (the file format, not the protocol), Lucent/Ascend debug, Microsoft Network Monitor, Network Instruments, TamoSoft CommView
* Wireshark can import text dumps, similar to text2pcap.
* You can now view Wireshark's dissector tables (for example the TCP port to dissector mappings) from the main window.
* TShark can show a specific occurrence of a field when using '-T fields'.
* Custom columns can show a specific occurrence of a field.
* You can hide columns in the packet list.
* Wireshark can now export SMB objects.
* dftest and randpkt now have manual pages.
* TShark can now display iSCSI service response times.
* Dumpcap can now save files with a user-specified group id.
* Syntax checking is done for capture filters.
* You can display the compiled BPF code for capture filters in the Capture Options dialog.
* You can now navigate backwards and forwards through TCP and UDP sessions using Ctrl+, and Ctrl+.
* Packet length is (finally) a default column.
* TCP window size is now avaiable both scaled and unscaled. A TCP window scaling graph is available in the GUI.
* 802.1q VLAN tags are now shown by the Ethernet II dissector.
* Various dissectors now display some UTF-16 strings as proper Unicode including the DCE/RPC and SMB dissectors.
* The RTP player now has an option to show the time of day in the graph in addition to the seconds since beginning of capture.
* The RTP player now shows why media interruptions occur.
* Graphs now save as PNG images by default.
* New Protocol Support: ADwin, ADwin-Config, Apache Etch, Aruba PAPI, Constrained Application Protocol (COAP), Digium TDMoE, Ether-S-I/O, FastCGI, Fibre Channel over InfiniBand (FCoIB), Gopher, Gigamon GMHDR, IDMP, Infiniband Socket Direct Protocol (SDP), JSON, LISP Data, MikroTik MAC-Telnet, Mongo Wire Protocol, Network Monitor 802.11 radio header, OPC UA ExtensionObjects, PPI-GEOLOCATION-GPS, ReLOAD, ReLOAD Framing, SAMETIME, SCoP, SGSAP, Tektronix Teklink, WAI authentication, Wi-Fi P2P (Wi-Fi Direct)
* New and Updated Capture File Support: Apple PacketLogger, Catapult DCT2000, Daintree SNA, Endace ERF, HP OpenVMS TCPTrace, IPFIX (the file format, not the protocol), Lucent/Ascend debug, Microsoft Network Monitor, Network Instruments, TamoSoft CommView
The NFS dissector could crash on Windows. (Bug 5209)
The X.509if dissector could crash. (Bug 5754, Bug 5793)
Paul Makowski from SEI/CERT discovered that the DECT dissector could overflow a buffer. He verified that this could allow remote code execution on many platforms.
The following bugs have been fixed:
Cygwin make fails after updating to bash v 4.1.9.2
Export HTTP > All - System Appears Hung (but isn't). (Bug 1671)
Some HTTP responses don't decode with TCP reassembly on. (Bug 3785)
Wireshark crashes when cancelling a large sort operation. (Bug 5189)
Wireshark crashes if SSL preferences RSA key is actually a DSA key. (Bug 5662)
tshark incorrectly calculates TCP stream for some syn packets. (Bug 5743)
Wireshark not able to decode the PPP frame in a sflow (RFC3176) flow sample packet because Wireshark incorrectly read the protocol in PPP frame header. (Bug 5746)
Mysql protocol dissector: all fields should be little endian. (Bug 5759)
Error when opening snoop from Juniper SSG-140. (Bug 5762)
svnversion: command not found. (Bug 5798)
capinfos: #ifdef HAVE_LIBGCRYPT block includes a line too many. (Bug 5803)
Value of TCP segment data cannot be copied. (Bug 5811)
proto_field_is_referenced() is not exported in libwireshark.dll. (Bug 5816)
Wireshark ver. 1.4.4 not displayed "Granted QoS" field in a A11 packet. (Bug 5822)* "Closing File!" Dialog Hangs.
* Sub-fields of data field should appear in exported PDML as children of the data field instead of as siblings to it.
* Incorrect time differences displayed with time reference set.
* Wrong packet type association of SNMP trap after TFTP transfer.
* SSL/TLS decryption needs wireshark to be rebooted.
* Export HTTP Objects -> save all crashes Wireshark.
* Wireshark Netflow dissector complains there is no template found though the template is exported.
* DCERPC EPM tower UUID must be interpreted always as little endian.
* Crash if no recent files.
* IPv6 frame containing routing header with 0 segments left calculates wrong UDP checksum.
* IPv4 UDP/TCP Checksum incorrect if routing header present.
* Incorrect Parsing of SCPS Capabilities Option introduced in response to bug 6194.
* Various crashes after loading NetMon2.x capture file.
* Fixed compilation of dumpcap on some systems (when MUST_DO_SELECT is defined).
* SIGSEGV in SVN 40046.
* Wireshark dissects TCP option 25 as an "April 1" option.
* ZigBee ZCL Dissector reports invalid status.
* ICMPv6 DNSSL option malformed on padding.
* Wrong tvb_get_bits function call in packet-csn1.c.
* [UDP] - Length Field of Pseudo Header while computing CheckSum is not correct.
* pcapio.c: bug in libpcap_write_interface_description_block.
* Memory leaks in various dissectors.
* Bytes highlighted in wrong Byte pane when field selected in Details pane.
# Updated Protocol Support
* BGP, BMC CSN1, DCERPC EPM, DCP(ETSI) DMP DTLS GSM Management, H245 HPTEAM, ICMPv6, IEEE 802.15.4 IPSEC IPv4, IPv6, ISAKMP KERBEROS LDSS NFS RLC, RPC-NETLOGON RRC RTMPT SIGCOMP SSL SYSLOG TCP, UDP, XML ZigBee ZCL
# New and Updated Capture File Support
* Accellent 5Views, AIX iptrace, HP-UX nettl, I4B, Microsoft Network Monitor, Novell LANalyzer, PacketLogger, Pcap-ng, Sniffer, Tektronix K12, WildPackets {Airo,Ether}Peek. Bug Fixes
The following bugs have been fixed:
New and Updated Features
The following features are new (or have been significantly
updated) since version 1.8:
* Wireshark on 32- and 64-bit Windows supports automatic
updates.
* The packet bytes view is faster.
* You can now display a list of resolved host names in
"hosts" format within Wireshark.
* The wireless toolbar has been updated.
* Wireshark on Linux does a better job of detecting interface
addition and removal.
* It is now possible to compare two fields in a display
filter (for example: udp.srcport != udp.dstport). The two
fields must be of the same type for this to work.
* The Windows installers ship with WinPcap 4.1.3, which
supports Windows 8.
* USB type and product name support has been improved.
* Wireshark now calculates HTTP response times and presents
the result in a new field in the HTTP response. Links from
the request's frame to the response's frame and vice-versa
are also added.
* The main welcome screen and status bar now display file
sizes using strict SI prefixes instead of old-style binary
prefixes.
* Capinfos now prints human-readable statistics with SI
suffixes by default.
* It is now possible to open a referenced packet (such as the
matched request or response packet) in a new window.
* It is now possible for tshark to display only the hex/ascii
packet data without also requiring that the packet summary
and/or packet details are also displayed. If you want the
old behavior, use -Px instead of just -x.
* The Wireshark application icon, capture toolbar icons, and
other icons have been updated. Bug Fixes
The following bugs have been fixed:
New and Updated Features
The following features are new (or have been significantly
updated) since version 1.8:
* Wireshark on 32- and 64-bit Windows supports automatic
updates.
* The packet bytes view is faster.
* You can now display a list of resolved host names in
"hosts" format within Wireshark.
* The wireless toolbar has been updated.
* Wireshark on Linux does a better job of detecting interface
addition and removal.
* It is now possible to compare two fields in a display
filter (for example: udp.srcport != udp.dstport). The two
fields must be of the same type for this to work.
* The Windows installers ship with WinPcap 4.1.3, which
supports Windows 8.
* USB type and product name support has been improved.
* All Bluetooth profiles and protocols are now supported.
* Wireshark now calculates HTTP response times and presents
the result in a new field in the HTTP response. Links from
the request's frame to the response's frame and vice-versa
are also added.
* The main welcome screen and status bar now display file
sizes using strict SI prefixes instead of old-style binary
prefixes.
* Capinfos now prints human-readable statistics with SI
suffixes by default.
* It is now possible to open a referenced packet (such as the
matched request or response packet) in a new window.
* Tshark can now display only the hex/ascii packet data
without requiring that the packet summary and/or packet
details are also displayed. If you want the old behavior,
use -Px instead of just -x.
* Wireshark can be compiled using GTK+ 3.
* The Wireshark application icon, capture toolbar icons, and
other icons have been updated.
* Tshark's filtering and multi-pass analysis have been
reworked for consistency and in order to support dependent
frame calculations during reassembly. See the man page
descriptions for -2, -R, and -Y.
* Tshark's -G fields2 and -G fields3 options have been
eliminated. The -G fields option now includes the 2 extra
fields that -G fields3 previously provided, and the blurb
information has been relegated to the last column since in
many cases it is blank anyway.# The following vulnerabilities have been fixed.
- The Bluetooth HCI ACL dissector could crash.
- The NBAP dissector could crash.
- The ASSA R3 dissector could go into an infinite loop.
- The RTPS dissector could overflow a buffer.
- The MQ dissector could crash.
- The LDAP dissector could crash.
- The Netmon file parser could crash.
# The following bugs have been fixed:
- Lua ByteArray:append() causes wireshark crash.
- Lua script can not get "data-text-lines" protocol data.
- Lua: Trying to use Field.new("tcp.segments") to get reassembled TCP data is failed.
- "Edit Interface Settings": "Capture Filter" combo box is not populated across Wireshark sessions.
- PER normally small non-negative whole number decoding is wrong when >= 64.
- Strange behavior of tree expand/collapse in packet details.
- Incorrect parsing of IPFIX *IpTotalLength elements.
- IO graph/advanced, max/min/summ error on frames with multiple Diameter messages.
- pod2man error on reordercap.pod.
- SGI Nsym disambiguation is unconditionally displayed when dissecting VHT.
- The Wireshark icon doesn’t show up in OS X 10.5.
- Build fails if system Python is version 3+.
- SCSI dissector does not parse PERSISTENT RESERVE commands correctly.
- SDP messages throws an assert.
- Wireshark fails to decode single-line, multiple Contact: URIs in SIP responses.
- PN_MRP LinkUp Message is shown as LinkDown in info.
- Dissector for EtherCAT: ADS highlighting in the Packet Bytes Pane is incorrect.
- 802.11 HT Extended Capabilities B10 decode incorrect.
- Wrong dissection of MSTI Root Identifiers for all MSTIs.
- Weird malformed HTTP error.
- Warning for attempting to install 64-bit Wireshark on a 32-bit machine has an embedded "\n".
- Wireshark crashes when using "Export Specified Packets" > "Displayed".
# Updated Protocol Support
- ASN.1 PER, ASSA R3, Bluetooth HCI ACL, EtherCAT AMS, GTPv2, HTTP, IEEE 802.11, IPFIX, ISDN SUP, LDAP, MQ, NBAP, Novell SSS, PROFINET MRP, Radiotap, ROHC, RTPS, SCSI, SIP, and STP
# New and Updated Capture File Support
- Microsoft Network Monitor, pcap-ng.Bug Fixes:
The following bugs have been fixed:
"Follow TCP Stream" shows only the first HTTP req+res.
Files with pcap-ng Simple Packet Blocks can't be read.
New and Updated Features:
The following features are new (or have been significantly updated) since version 1.10:
Wireshark now uses the Qt application framework. The new UI should provide a significantly better user experience, particularly on Mac OS X and Windows.
A more flexible, modular memory manger (wmem) has been added. It was available experimentally in 1.10 but is now mature and has mostly replaced the old API.
Expert info is now filterable and now requires a new API.
The Windows installer now uninstalls the previous version of Wireshark silently. You can still run the uninstaller manually beforehand if you wish to run it interactively.
The "Number" column shows related packets and protocol conversation spans (Qt only).
When manipulating packets with editcap using the -C choplen> and/or -s options, it is now possible to also adjust the original frame length using the -L option.
You can now pass the -C option to editcap multiple times, which allows you to chop bytes from the beginning of a packet as well as at the end of a packet in a single step.
You can now specify an optional offset to the -C option for editcap, which allows you to start chopping from that offset instead of from the absolute packet beginning or end.
"malformed" display filter has been renamed to "_ws.malformed". A handful of other filters have been given the "_ws." prefix to note they are Wireshark application specific filters and not dissector filters.
New Protocol Support:
ASTERIX, SEL RTAC (Real Time Automation Controller) EIA-232
Serial-Line Dissection, and UDT
Updated Protocol Support:
Too many protocols have been updated to list here.
New and Updated Capture File Support:
Netscaler 2.6, and STANAG 4607The following vulnerabilities have been fixed:
The IEEE 802.15.4 dissector could crash. (Bug 9139)
The NBAP dissector could crash. Discovered by Laurent Butti. (Bug 9168)
The SIP dissector could crash. (Bug 9228)
The OpenWire dissector could go into a large loop. Discovered by Murali. (Bug 9248)
The TCP dissector could crash. (Bug 9263)
The following bugs have been fixed:
new_packet_list: EAP-TLS reassemble does not happen when NEW_PACKET_LIST is toggled. (Bug 5349)
TLS decryption fails with XMPP start_tls. (Bug 8871)
Wrong Interpretation of GTS starting slot. (Bug 8946)
"Follow TCP Stream" shows only the first HTTP req+res. (Bug 9044)
The value of SEND_TO_UE in the DIAMETER Gx dictionary for Packet-Filter-Usage AVP is 0 instead of 1. (Bug 9126)
Crash then try to delete the same entry (length range) twice. (Bug 9129)
Crash if wrong "packet lengths range" entered. (Bug 9130)
Bssgp ⇒ SGSN-INVOKE-TRACE use the wrong function… (Bug 9157)
Minor correction to dissection of DLR frames in Ethernet/IP dissector. (Bug 9186)
WebSphere MQ V7 Bug Fix 8322 TSHM_EBCDIC. (Bug 9198)
EDNS0 "Higher bits in extended RCODE" incorrectly decoded in packet-dns.c. (Bug 9199)
Files with pcap-ng Simple Packet Blocks can’t be read. (Bug 9200)
Bug in RTP dissector if RTP extension is present. (Bug 9204)
Improve "eHRPD Indicator" NVSE dissection in 3GPP2 A11 Registration Request. (Bug 9206)
"make debian-package" fails, missing wsicon32.xpm. (Bug 9209)
Fix typo in MODCOD list of DVB-S2 dissector. (Bug 9218)
Ring buffer crash when tshark gets too far behind dumpcap. (Bug 9258)
PTP Dissector Wrongfully Reports Malformed Packet. (Bug 9262)
Wireshark lua dissector unable to load for media_type=application/octet-stream. (Bug 9296)
Wireshark crash when dissecting packet with NTLMSSP. (Bug 9299)
Padding in uint64 field in DCERPC protocol wrongly reported. (Bug 9300)
DCERPC data_blobs are not correctly dissected when NDR64 encoding is used. (Bug 9301)
Multiple PDUs in the same DCERPC packet are not correctly decrypted. (Bug 9302)
The tshark summary line doesn’t display the frame number or displays it sporadically. (Bug 9317)
Bluetooth: SDP improvements and minor fixes. (Bug 9327)
Duplicate IRC header field abbreviation breaks filter (example: irc.response.command). (Bug 9360)
Updated Protocol Support:
3GPP2 A11, Bluetooth SDP, BSSGP, DCERPC, DCERPC NDR, DCERPC NT, DIAMETER, DNS, DVB-S2, Ethernet, EtherNet/IP, H.225, IEEE 802.15.4, IRC, NBAP, NTLMSSP, OpenWire, PTP, RTP, SIP, TCP, WiMax, and XMPP# Bug Fixes
* "On-the-wire" packet lengths are limited to 65535 bytes.
* "Follow TCP Stream" shows only the first HTTP req+res.
* Files with pcap-ng Simple Packet Blocks can't be read.
# New and Updated Features
* Qt port:
- The Follow Stream dialog now supports packet and TCP stream selection.
- A Flow Graph (sequence diagram) dialog has been added.
- The main window now respects geometry preferences.
* Wireshark now uses the Qt application framework. The new UI should provide a significantly better user experience, particularly on Mac OS X and Windows.
* A more flexible, modular memory manger (wmem) has been added. It was available experimentally in 1.10 but is now mature and has mostly replaced the old API.
* Expert info is now filterable and now requires a new API.
* The Windows installer now uninstalls the previous version of Wireshark silently. You can still run the uninstaller manually beforehand if you wish to run it interactively.
* The "Number" column shows related packets and protocol conversation spans (Qt only).
* When manipulating packets with editcap using the -C <choplen> and/or -s <snaplen> options, it is now possible to also adjust the original frame length using the -L option.
* You can now pass the -C <choplen> option to editcap multiple times, which allows you to chop bytes from the beginning of a packet as well as at the end of a packet in a single step.
* You can now specify an optional offset to the -C option for editcap, which allows you to start chopping from that offset instead of from the absolute packet beginning or end.
* "malformed" display filter has been renamed to "_ws.malformed". A handful of other filters have been given the "_ws." prefix to note they are Wireshark application specific filters and not dissector filters.
# New Protocol Support
* 802.1AE Secure tag, ASTERIX, ATN, BT 3DS, CARP, Cisco MetaData, ELF file format, EXPORTED PDU, HTTP2, IDRP, ILP, Kafka, MBIM, MiNT, MP4 / ISOBMFF file format, NXP PN532 HCI, OpenFlow, Picture Transfer Protocol Over IP, QUIC (Quick UDP Internet Connections), SEL RTAC (Real Time Automation Controller) EIA-232 Serial-Line Dissection, Sippy RTPproxy, STANAG 4607, STANAG 5066 SIS, Tinkerforge, UDT, URL Encoded Form Data, WHOIS, and Wi-Fi Display
# Updated Protocol Support
* Too many protocols have been updated to list here.
# New and Updated Capture File Support
* Netscaler 2.6, and STANAG 46072.1. Bug Fixes
The following vulnerabilities have been fixed.
wnpa-sec-2013-66
The SIP dissector could go into an infinite loop. Discovered by Alain Botti. (Bug 9388)
Versions affected: 1.10.0 to 1.10.3, 1.8.0 to 1.8.11
CVE-2013-7112
wnpa-sec-2013-67
The BSSGP dissector could crash. Discovered by Laurent Butti. (Bug 9488)
Versions affected: 1.10.0 to 1.10.3
CVE-2013-7113
wnpa-sec-2013-68
The NTLMSSP v2 dissector could crash. Discovered by Garming Sam.
Versions affected: 1.10.0 to 1.10.3, 1.8.0 to 1.8.11
CVE-2013-7114
The following bugs have been fixed:
"On-the-wire" packet lengths are limited to 65535 bytes. (Bug 8808, ws-buglink:9390)
Tx MCS set is not interpreted properly in WLAN beacon frame. (Bug 8894)
VoIP Graph Analysis window - some calls are black. (Bug 8966)
Wireshark fails to decode single-line, multiple Contact: URIs in SIP responses. (Bug 9031)
epan/follow.c - Incorrect "bytes missing in capture file" in "check_fragments" due to an unsigned int wraparound?. (Bug 9112)
gsm_map doesn’t decode MAPv3 reportSM-DeliveryStatus result. (Bug 9382)
Incorrect NFSv4 FATTR4_SECURITY_LABEL value. (Bug 9383)
Timestamp decoded for Gigamon trailer is not padded correctly. (Bug 9433)
SEL Fast Message Bug-fix for Signed 16-bit Integer Fast Meter Messages. (Bug 9435)
DNP3 Bug Fix for Analog Data Sign Bit Handling. (Bug 9442)
GSM SMS User Data header fill bits are wrong when using a 7 bits ASCII / IA5 encoding. (Bug 9478)
WCDMA RLC dissector cannot assemble PDUs with SNs skipped and wrap-arounded. (Bug 9505)
DTLS: fix buffer overflow in mac check. (Bug 9512)
[PATCH] Correct data length in SCSI_DATA_IN packets (within iSCSI). (Bug 9521)
GSM SMS UDH EMS control expects 4 octets instead of 3 with OPTIONAL 4th. (Bug 9550)
Fix "decode as …" for packet-time.c. (Bug 9563) What’s New
2.1. Bug Fixes
The following bugs have been fixed:
Wireshark stops showing new packets but dumpcap keeps writing them to the temp file. (Bug 9571)
Wireshark 1.10.4 shuts down when promiscuous mode is unchecked. (Bug 9577)
Homeplug dissector bug: STATUS_ACCESS_VIOLATION: dissector accessed an invalid memory address. (Bug 9578)
2.2. New and Updated Features
There are no new features in this release.
2.3. New Protocol Support
There are no new protocols in this release.
2.4. Updated Protocol Support
GSM BSSMAP, GSM BSSMAP LE, GSM SMS, Homeplug, NAS-EPS, and SGSAP
2.5. New and Updated Capture File Support
There is no updated capture file support in this release.Bug Fixes:
The following vulnerabilities have been fixed:
wnpa-sec-2014-01
The NFS dissector could crash.
Versions affected: 1.10.0 to 1.10.5, 1.8.0 to 1.8.12
CVE-2014-2281
wnpa-sec-2014-02
The M3UA dissector could crash.
Versions affected: 1.10.0 to 1.10.5
CVE-2014-2282
wnpa-sec-2014-03
The RLC dissector could crash. (Bug 9730)
Versions affected: 1.10.0 to 1.10.5, 1.8.0 to 1.8.12
CVE-2014-2283
wnpa-sec-2014-04
The MPEG file parser could overflow a buffer.
Versions affected: 1.10.0 to 1.10.5, 1.8.0 to 1.8.12
CVE-2014-2299
The following bugs have been fixed:
Customized OUI is not recognized correctly during dissection. (Bug 9122)
Properly decode CAPWAP Data Keep-Alives. (Bug 9165)
Build failure with GTK 3.10 - GTK developers have gone insane. (Bug 9340)
SIGSEGV/SIGABRT during free of TvbRange using a chained dissector in lua. (Bug 9483)
MPLS dissector no longer registers itself in "ppp.protocol" table. (Bug 9492)
Tshark doesn’t display the longer data fields (mbtcp). (Bug 9572)
DMX-CHAN disector does not clear strbuf between rows. (Bug 9598)
Dissector bug, protocol SDP: proto.c:4214: failed assertion "length >= 0". (Bug 9633)
False error: capture file appears to be damaged or corrupt. (Bug 9634)
SMPP field source_telematics_id field length different from spec. (Bug 9649)
Lua: bitop library is missing in Lua 5.2. (Bug 9720)
GTPv1-C / MM Context / Authentication quintuplet / RAND is not correct. (Bug 9722)
Lua: ProtoField.new() is buggy. (Bug 9725)
Lua: ProtoField.bool() VALUESTRING argument is not optional but was supposed to be. (Bug 9728)
Problem with CAPWAP Wireshark Dissector. (Bug 9752)
nas-eps dissector: CS Service notification dissection stops after Paging identity IE. (Bug 9789)
New and Updated Features:
IPv4 checksum verfification is now disabled by default.
Updated Protocol Support:
AppleTalk, CAPWAP, DMX-CHAN, DSI, DVB-CI, ESS, GTPv1, IEEE 802a, M3UA, Modbus/TCP, NAS-EPS, NFS, OpenSafety, SDP, and SMPP
New and Updated Capture File Support:
libpcap, MPEG, and pcap-ng2.1. Bug Fixes
The following bugs have been fixed:
"On-the-wire" packet lengths are limited to 65535 bytes. (Bug 8808, ws-buglink:9390)
"Follow TCP Stream" shows only the first HTTP req+res. (Bug 9044)
Files with pcap-ng Simple Packet Blocks can’t be read. (Bug 9200)
MPLS-over-PPP isn’t recognized. (Bug 9492)
2.2. New and Updated Features
The following features are new (or have been significantly updated) since version 1.11.2:
Qt port:
The About dialog has been added
The Capture Interfaces dialog has been added.
The Decode As dialog has been added. It managed to swallow up the User Specified Decodes dialog as well.
The Export PDU dialog has been added.
Several SCTP dialogs have been added.
The statistics tree (the backend for many Statistics and Telephony menu items) dialog has been added.
The I/O Graph dialog has been added.
French translation has updated.
The following features are new (or have been significantly updated) since version 1.11.1:
Mac OS X packaging has been improved.
The following features are new (or have been significantly updated) since version 1.11.0:
Dissector output may be encoded as UTF-8. This includes TShark output.
Qt port:
The Follow Stream dialog now supports packet and TCP stream selection.
A Flow Graph (sequence diagram) dialog has been added.
The main window now respects geometry preferences.
The following features are new (or have been significantly updated) since version 1.10:
Wireshark now uses the Qt application framework. The new UI should provide a significantly better user experience, particularly on Mac OS X and Windows.
The Windows installer now uninstalls the previous version of Wireshark silently. You can still run the uninstaller manually beforehand if you wish to run it interactively.
Expert information is now filterable when the new API is in use.
The "Number" column shows related packets and protocol conversation spans (Qt only).
When manipulating packets with editcap using the -C <choplen> and/or -s <snaplen> options, it is now possible to also adjust the original frame length using the -L option.
You can now pass the -C <choplen> option to editcap multiple times, which allows you to chop bytes from the beginning of a packet as well as at the end of a packet in a single step.
You can now specify an optional offset to the -C option for editcap, which allows you to start chopping from that offset instead of from the absolute packet beginning or end.
"malformed" display filter has been renamed to "_ws.malformed". A handful of other filters have been given the "_ws." prefix to note they are Wireshark application specific filters and not dissector filters.
2.3. Removed dissectors
The ASN1 plugin has been removed as it’s deemed obsolete.
The GNM dissector has been removed as it was never used.
2.4. New Protocol Support
29West, 802.1AE Secure tag, ACR122, ADB Client-Server, AllJoyn, Apple PKTAP, Aruba Instant AP, ASTERIX, ATN, Bencode, Bluetooth 3DS, Bluetooth HSP, Bluetooth Linux Monitor Transport, Bluetooth Low Energy, Bluetooth Low Energy RF Info, CARP, CFDP, Cisco MetaData, DCE/RPC MDSSVC, DeviceNet, ELF file format, EXPORTED PDU, FINGER, HDMI, HTTP2, IDRP, IEEE 1722a, ILP, iWARP Direct Data Placement and Remote Direct Memory Access Protocol, Kafka, Kyoto Tycoon, Landis & Gyr Telegyr 8979, LBM, LBMC, LBMPDM, LBMPDM-TCP, LBMR, LBT-RM, LBT-RU, LBT-TCP, Lightweight Mesh (v1.1.1), Linux netlink, Linux netlink netfilter, Linux netlink sock diag, Linux rtnetlink (route netlink), Logcat, MBIM, MiNT, MP4 / ISOBMFF file format, MQ Telemetry Transport Protocol, Novell PKIS certificate extensions, NXP PN532 HCI, Open Sound Control, OpenFlow, Pathport, PDC, Picture Transfer Protocol Over IP, PKTAP, Private Data Channel, QUIC (Quick UDP Internet Connections), SAE J1939, SEL RTAC (Real Time Automation Controller) EIA-232 Serial-Line Dissection, Sippy RTPproxy, SMB-Direct, STANAG 4607, STANAG 5066 DTS, STANAG 5066 SIS, Tinkerforge, Ubertooth, UDT, URL Encoded Form Data, USB Communications and CDC Control, USB Device Firmware Upgrade, VP8, WHOIS, Wi-Fi Display, and ZigBee Green Power profile
2.5. Updated Protocol Support
Too many protocols have been updated to list here.
2.6. New and Updated Capture File Support
Netscaler 2.6, STANAG 4607, and STANAG 5066 Data Transfer Sublayer
2.7. Major API Changes
The libwireshark API has undergone some major changes:
A more flexible, modular memory manager (wmem) has been added. It was available experimentally in 1.10 but is now mature and has mostly replaced the old emem API (which is deprecated).
A new API for expert information has been added, replacing the old one.
The tvbuff API has been cleaned up: tvb_length has been renamed to tvb_captured_length for clarity, and tvb_get_string and tvb_get_stringz have been deprecated in favour of tvb_get_string_enc and tvb_get_stringz_enc.