Wireshark 4.0 network analyzer release

A new stable branch of the Wireshark network analyzer, 4.0, has been released. Recall that the project was originally developed under the name Ethereal, but in 2006, after a conflict with the owner of the Ethereal trademark, the developers were forced to rename it to Wireshark. The project code is distributed under the GPLv2 license.

Key innovations in Wireshark 4.0.0:

  • The layout of elements in the main window has been changed. The "Packet Details" and "Packet Bytes" panes are now placed side by side below the "Packet List" pane.
  • The "Conversations" and "Endpoints" dialogs have been redesigned.
    • Added options to context menus to resize all columns and copy items.
    • The ability to detach and attach tabs is provided.
    • Added support for JSON export.
    • When filters are applied, columns displaying the differences between the filtered and non-filtered packets are shown.
    • Sorting of various types of data has been changed.
    • Identifiers are attached to TCP and UDP streams and the ability to filter by them is provided.
    • Allowed hiding dialogs from the context menu.
  • Improved import of hex dumps from the Wireshark interface and using the text2pcap command.
    • text2pcap can write output files in all formats supported by the wiretap library.
    • Text2pcap has pcapng set as the default format, similar to the editcap, mergecap, and tshark utilities.
    • Added support for selecting the type of output format encapsulation.
    • Added new options for logging.
    • Dummy IP, TCP, UDP, and SCTP headers can be written when using Raw IP, Raw IPv4, and Raw IPv6 encapsulation.
    • Added support for scanning input files using regular expressions.
    • Provided parity between the functionality of the text2pcap utility and the "Import from Hex Dump" interface in Wireshark.
  • Significantly improved geolocation lookup performance when using MaxMind databases.
  • Changes have been made to the syntax of traffic filtering rules:
    • Added the ability to select a specific layer of the protocol stack. For example, with IP-over-IP encapsulation, the addresses of the outer and inner packets can be matched separately with "ip.addr#1 == 1.1.1.1" and "ip.addr#2 == 1.1.1.2".
    • In conditional statements, support for "any" and "all" quantifiers is implemented, for example, "all tcp.port > 1024" to check all fields of tcp.port.
    • Built-in syntax for specifying field references - ${some.field}, implemented without the use of macros.
    • Added the ability to use arithmetic operations ("+", "-", "*", "/", "%") on numeric fields, enclosing the expression in curly brackets.
    • Added max(), min() and abs() functions.
    • It is allowed to specify expressions and call other functions as function arguments.
    • A new syntax has been added to separate literals from identifiers - a value starting with a dot is treated as a protocol or protocol field, and a value in angle brackets is treated as a literal.
    • Added the bitwise AND operator "&", for example, to test individual bits you can specify "frame[0] & 0x0F == 3".
    • The precedence of the logical AND operator is now higher than that of the OR operator.
    • Added support for specifying constants in binary form using the "0b" prefix.
    • Added the ability to use negative index values to count from the end, for example, to check the last two bytes of the TCP header you can specify "tcp[-2:] == AA:BB".
    • Set elements may no longer be separated by spaces; using spaces instead of commas is now an error rather than a warning.
    • Added additional escape sequences: \a, \b, \f, \n, \r, \t, \v.
    • Added the ability to specify Unicode characters in the format \uNNNN and \UNNNNNNNN.
    • A new comparison operator "===" ("all_eq") has been added, which matches only if, in the expression "a === b", all values of "a" are equal to "b". Its negation, "!==" ("any_ne"), has been added as well.
    • The "~=" operator has been deprecated and "!==" should be used instead.
    • Numbers with a dangling dot are no longer accepted, i.e. the values ".7" and "7." are now invalid and should be written as "0.7" and "7.0".
    • The regular expression engine in the display filter engine has been moved to the PCRE2 library instead of GRegex.
    • Null bytes are handled correctly in strings and regular expression patterns ('\0' in a string is treated as a null byte).
    • In addition to 1 and 0, boolean values can now also be written as True/TRUE and False/FALSE.
  • Added support to the HTTP2 dissector to use dummy headers to parse data that was intercepted without previous packets with headers (for example, when parsing messages on already established gRPC connections).
  • Support for Mesh Connex (MCX) has been added to the IEEE 802.11 parser.
  • A password entered in the Extcap dialog can be kept in memory (without saving it to disk) so that it does not have to be re-entered on repeated launches. Added the ability to set an extcap password from command line utilities such as tshark.
  • The ciscodump utility implements the ability to remotely capture from devices based on IOS, IOS-XE and ASA.
  • Added support for protocols:
    • Allied Telesis Loop Detection (AT LDF),
    • AUTOSAR I-PDU Multiplexer (AUTOSAR I-PduM),
    • DTN Bundle Protocol Security (BPSec),
    • DTN Bundle Protocol Version 7 (BPv7),
    • DTN TCP Convergence Layer Protocol (TCPCL),
    • DVB Selection Information Table (DVB SIT),
    • Enhanced Cash Trading Interface 10.0 (XTI),
    • Enhanced Order Book Interface 10.0 (EOBI),
    • Enhanced Trading Interface 10.0 (ETI),
    • FiveCo's Legacy Register Access Protocol (5co-legacy),
    • Generic Data Transfer Protocol (GDT),
    • gRPC Web (gRPC Web),
    • Host IP Configuration Protocol (HICP),
    • Huawei GRE bonding (GREbond),
    • Locamation Interface Module (IDENT, CALIBRATION, SAMPLES - IM1, SAMPLES - IM2R0),
    • Mesh Connex (MCX),
    • Microsoft Cluster Remote Control Protocol (RCP),
    • Open Control Protocol for OCA/AES70 (OCP.1),
    • Protected Extensible Authentication Protocol (PEAP),
    • REdis Serialization Protocol v2 (RESP),
    • Roon Discovery (RoonDisco),
    • Secure File Transfer Protocol (sftp),
    • Secure Host IP Configuration Protocol (SHICP),
    • SSH File Transfer Protocol (SFTP),
    • USB Attached SCSI (UASP),
    • ZBOSS Network Coprocessor (ZB NCP).
  • Increased build environment requirements (CMake 3.10) and dependencies (GLib 2.50.0, Libgcrypt 1.8.0, Python 3.6.0, GnuTLS 3.5.8).
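The hex dump import path described above (text2pcap with dummy headers) expects the od-style format text2pcap reads. As an added example, not code from the release or the Wireshark project, the helper below writes raw payload bytes (for instance a DNS message copied out of an IDS alert) into that format and parses it back; the sample payloads and the file names are constructed assumptions.

```python
"""Write and read od-style hex dumps of the kind text2pcap imports.

Added example, not part of the Wireshark project. text2pcap understands
the output of `od -A x -t x1 -v`: a hex offset followed by hex bytes, with a
new packet starting whenever the offset returns to zero.
"""
from __future__ import annotations

import re

# Constructed sample: two DNS-over-UDP payloads (no IP/UDP headers), such as
# might be copied out of an alert or an application log.
SAMPLE_PAYLOADS = [
    bytes.fromhex("abcd01000001000000000000076578616d706c6503636f6d0000010001"),
    bytes.fromhex("abcd81800001000100000000076578616d706c6503636f6d0000010001"
                  "c00c000100010000003c00045db8d822"),
]

def to_text2pcap_hexdump(packets: list[bytes], width: int = 16) -> str:
    """Render each packet as offset/hex lines; offsets restart at 0 per packet."""
    lines = []
    for pkt in packets:
        for off in range(0, len(pkt), width):
            chunk = pkt[off:off + width]
            lines.append(f"{off:06x} " + " ".join(f"{b:02x}" for b in chunk))
        # A final line carrying only the total length ends the packet, as od does.
        lines.append(f"{len(pkt):06x}")
    return "\n".join(lines) + "\n"

_LINE = re.compile(r"^([0-9a-fA-F]+)((?:\s+[0-9a-fA-F]{2})*)\s*$")

def parse_text2pcap_hexdump(text: str) -> list[bytes]:
    """Reverse of the writer: split packets on offset 0, skip non-dump lines."""
    packets: list[bytearray] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # lines that are not "offset hex hex ..." are ignored
        offset, hexbytes = int(m.group(1), 16), m.group(2).split()
        if offset == 0:
            packets.append(bytearray())
        if packets:
            packets[-1].extend(int(h, 16) for h in hexbytes)
    return [bytes(p) for p in packets]

if __name__ == "__main__":
    dump = to_text2pcap_hexdump(SAMPLE_PAYLOADS)
    assert parse_text2pcap_hexdump(dump) == SAMPLE_PAYLOADS
    # Assumed file names. text2pcap then adds the dummy IPv4 + UDP 53/53
    # headers the release notes describe and writes pcapng:
    #   text2pcap -i 17 -u 53,53 payloads.txt payloads.pcapng
    with open("payloads.txt", "w") as fh:
        fh.write(dump)
```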

Source: opennet.ru
