Recent headlines | VLC hits milestone: over 5 billion downloads 1

AfterDawn > Software downloads > Network > Network administration > Wireshark > Version history

Version history for Wireshark

<<Back to software description

Changes for v1.99.3 Beta - v1.99.5 Beta

Wireshark 1.99.5 has been released. This is an experimental release intended to test features that will go into Wireshark 2.0. Installers for Windows, OS X, and source code are now available.
This fixes an interface bug present in 1.99.4.
The following features are new (or have been significantly updated) since version 1.99.3:
Qt port:
Several interface bugs have been fixed.
Translations have been updated.
The following features are new (or have been significantly updated) since version 1.99.2:
Qt port:
Several bugs have been fixed.
You can now open a packet in a new window.
The Bluetooth ATT Server Attributes dialog has been added.
The Coloring Rules dialog has been added.
Many translations have been updated. Chinese, Italian and Polish translations are complete.
General user interface and usability improvements.
Automatic scrolling during capture now works.
The related packet indicator has been updated.
The following features are new (or have been significantly updated) since version 1.99.1:
Qt port:
The welcome screen layout has been updated.
The Preferences dialog no longer crashes on Windows.
The packet list header menu has been added.
Statistics tree plugins are now supported.
The window icon is now displayed properly in the Windows taskbar.
A packet list an byte view selection bug has been fixed (Bug 10896)
The RTP Streams dialog has been added.
The Protocol Hierarchy Statistics dialog has been added.
The following features are new (or have been significantly updated) since version 1.99.0:
Qt port:
You can now show and hide toolbars and major widgets using the View menu.
You can now set the time display format and precision.
The byte view widget is much faster, particularly when selecting large reassembled packets.
The byte view is explorable. Hovering over it highlights the corresponding field and shows a description in the status bar.
An Italian translation has been added.
The Summary dialog has been updated and renamed to Capture File Properties.
The VoIP Calls and SIP Flows dialogs have been added.
The following features are new (or have been significantly updated) since version 1.12.0:
The I/O Graph in the Gtk+ UI now supports an unlimited number of data points (up from 100k).
TShark now resets its state when changing files in ring-buffer mode.
Expert Info severities can now be configured.
Wireshark now supports external capture interfaces. External capture interfaces can be anything from a tcpdump-over-ssh pipe to a program that captures from proprietary or non-standard hardware. This functionality is not available in the Qt UI yet.
Qt port:
The Qt UI is now the default (program name is wireshark).
A Polish translation has been added.
The Interfaces dialog has been added.
The interface list is now updated when interfaces appear or disappear.
The Conversations and Endpoints dialogs have been added.
A Japanese translation has been added.
It is now possible to manage remote capture interfaces.
Windows: taskbar progress support has been added.
Most toolbar actions are in place and work.
More command line options are now supported

Changes for v1.99.2 Beta - v1.99.3 Beta

Several bugs have been fixed.
You can now open a packet in a new window.
The Bluetooth ATT Server Attributes dialog has been added.
The Coloring Rules dialog has been added.
Many translations have been updated. Chinese, Italian and Polish translations are complete.
General user interface and usability improvements.
Automatic scrolling during capture now works.
The related packet indicator has been updated.

Changes for v1.99.1 Beta - v1.99.2 Beta

Qt port:
The welcome screen layout has been updated.
The Preferences dialog no longer crashes on Windows.
The packet list header menu has been added.
Statistics tree plugins are now supported.
The window icon is now displayed properly in the Windows taskbar.
A packet list an byte view selection bug has been fixed (Bug 10896)
The RTP Streams dialog has been added.
The Protocol Hierarchy Statistics dialog has been added.

Changes for v1.12.4 - v1.12.5

Bug Fixes
The following vulnerabilities have been fixed.
The LBMR dissector could go into an infinite loop. (Bug 11036) CVE-2015-3808 CVE-2015-3809
The WebSocket dissector could recurse excessively. (Bug 10989) CVE-2015-3810
The WCP dissector could crash while decompressing data. (Bug 10978) CVE-2015-3811
The X11 dissector could leak memory. (Bug 11088) CVE-2015-3812
The packet reassembly code could leak memory. (Bug 11129) CVE-2015-3813
The IEEE 802.11 dissector could go into an infinite loop. (Bug 11110) CVE-2015-3814
The Android Logcat file parser could crash. Discovered by Hanno Böck. (Bug 11188) CVE-2015-3815
The following bugs have been fixed:
Wireshark crashes if "Update list of packets in real time" is disabled and a display filter is applied while capturing. (Bug 6217)
EAPOL 4-way handshake information wrong. (Bug 10557)
RPC NULL calls incorrectly flagged as malformed. (Bug 10646)
Wireshark relative ISN set incorrectly if raw ISN set to 0. (Bug 10713)
Buffer overrun in encryption code. (Bug 10849)
Crash when use Telephony / Voip calls. (Bug 10885)
ICMP Parameter Problem message contains Length of original datagram is treated as the total IPv4 length. (Bug 10991)
ICMP Redirect takes 4 bytes for IPv4 payload instead of 8. (Bug 10992)
Missing field "tcp.pdu.size" in TCP stack. (Bug 11007)
Sierra EM7345 marks MBIM packets as NCM. (Bug 11018)
Possible infinite loop DoS in ForCES dissector. (Bug 11037)
"Decode As…" crashes when a packet dialog is open. (Bug 11043)
Interface Identifier incorrectly represented by Wireshark. (Bug 11053)
"Follow UDP Stream" on mpeg packets crashes wireshark v.1.12.4 (works fine on v.1.10.13). (Bug 11055)
Annoying popup when trying to capture on bonds. (Bug 11058)
Request-response cross-reference in USB URB packets incorrect. (Bug 11072)
Right clicking in Expert Infos to create a filter (duplicate IP) results in invalid filters. (Bug 11073)
CanOpen dissector fails on frames with RTR and 0 length. (Bug 11083)
Typo in secp521r1 curve wrongly identified as sect521r1. (Bug 11106)
packet-zbee-zcl.h: IS_ANALOG_SUBTYPE doesn’t filter ENUM. (Bug 11120)
Typo: "LTE Positioning Protocol" abbreviated as "LPP", not "LLP". (Bug 11141)
Missing Makefile.nmake in ansi1/Kerberos directory. (Bug 11155)
Can’t build tshark without the Qt packages installed unless --without-qt is specified. (Bug 11157)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
AllJoyn, ASN.1 PER, ATM, CANopen, Diameter, ForCES, GSM RLC/MAC, GSMTAP, ICMP, IEC-60870-5-104, IEEE 802.11, IMF, IP, LBMC, LBMR, LDAP, LPP, MBIM, MEGACO, MP2T, PKCS-1, PPP IPv6CP, RPC, SPNEGO, SRVLOC, SSL, T.38, TCP, USB, WCP, WebSocket, X11, and ZigBee ZCL
New and Updated Capture File Support
and Android Logcat Savvius OmniPeek Visual Networks

Changes for v1.12.3 - v1.12.4

Bug Fixes
The following vulnerabilities have been fixed.
wnpa-sec-2015-06
The ATN-CPDLC dissector could crash. (Bug 9952) CVE-2015-2187
wnpa-sec-2015-07
The WCP dissector could crash. (Bug 10844) CVE-2015-2188
wnpa-sec-2015-08
The pcapng file parser could crash. (Bug 10895) CVE-2015-2189
wnpa-sec-2015-09
The LLDP dissector could crash. (Bug 10983) CVE-2015-2190
wnpa-sec-2015-10
The TNEF dissector could go into an infinite loop. Discovered by Vlad Tsyrklevich. (Bug 11023) CVE-2015-2191
wnpa-sec-2015-11
The SCSI OSD dissector could go into an infinite loop. Discovered by Vlad Tsyrklevich. (Bug 11024) CVE-2015-2192
The following bugs have been fixed:
RTP player crashes on decode of long call: BadAlloc (insufficient resources for operation). (Bug 2630)
"Telephony?SCTP?Analyse This Association" crashes Wireshark on manufactured SCTP packet. (Bug 9849)
IPv6 Mobility Header Link Layer Address is parsed incorrectly. (Bug 10006)
DNS NXT RR is parsed incorrectly. (Bug 10615)
IPv6 AUTH mobility option parses Mobility SPI and Authentication Data incorrectly. (Bug 10626)
IPv6 Mobility Header Link-Layer Address Mobility Option is parsed incorrectly. (Bug 10627)
HTTP chunked response includes data beyond the chunked response. (Bug 10707)
DHCP Option 125 Suboption: (1) option-len always expects 1 but specification allows for more. (Bug 10784)
Incorrect decoding of IPv4 Interface/Neighbor Address sub-TLVs in Extended IS Reachability TLV of IS-IS. (Bug 10837)
Little-endian OS X Bluetooth PacketLogger files aren’t handled. (Bug 10861)
X.509 certificate serial number incorrectly interpreted as negative number. (Bug 10862)
Malformed Packet on rsync-version with length 2. (Bug 10863)
ZigBee epoch time is incorrectly displayed in OTA cluster. (Bug 10872)
BGP EVPN - Route Type 4 - "Invalid length of IP Address" - "Expert Info" shows a false error. (Bug 10873)
Bad bytes read for extended rnc id value in GTP dissector. (Bug 10877)
"ServiceChangeReasonStr" messages are not shown in txt generated by tshark. (Bug 10879)
Clang ASAN : AddressSanitizer: global-buffer-overflow ANSI. (Bug 10897)
MEGACO wrong decoding on media port. (Bug 10898)
Wrong media format. (Bug 10899)
BSSGP Status PDU decoding fault (missing Mandatory element (0x04) BVCI for proper packet). (Bug 10903)
DNS LOC Precision missing units. (Bug 10940)
Packets on OpenBSD loopback decoded as raw not null. (Bug 10956)
Display Filter Macro unable to edit. (Bug 10957)
IPv6 Local Mobility Anchor Address mobility option code is treated incorrectly. (Bug 10961)
SNTP server list improperly formatted in DHCPv6 packet details. (Bug 10964)
Juniper Packet Mirror dissector expects ipv6 flow label = 0. (Bug 10976)
NS Trace (NetScaler Trace) file format is not able to export specified packets. (Bug 10998)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ACN, ANSI IS-637-A, AppleMIDI, ATN-CPDLC, BGP, BSSGP, CMIP, DHCP, DHCPv6, DIS, DLM3, DMP, DNS, Extreme Networks, ForCES, FTAM, GMHDR, GSM A BSSMAP, GSM A-bis OML, GSM MAP, GSM RLC MAC, GTP, H.248, H.264, HTTP, IEEE 802.11, IPv6, IS-IS, ISMACryp, J1939, Juniper Jmirror, KDP, L2CAP, LDAP, LLDP, MGCP, MIP6, NBNS, NET/ROM, Netflow, Novell PKIS, PANA, PPPoE, RSL, RSYNC, RTMPT, RTP, SCSI OSD, SDP, SMB Pipe, SMPP, SYNCHROPHASOR, TETRA, TiVoConnect, TNEF, USB HID, V.52, VSS-Monitoring, X.509AF, Zebra, and ZigBee
New and Updated Capture File Support
NetScaler, PacketLogger, and Pcapng

Changes for v1.12.2 - v1.12.3

Bug Fixes
The following vulnerabilities have been fixed.
wnpa-sec-2015-01
The WCCP dissector could crash. (Bug 10720, Bug 10806) CVE-2015-0559, CVE-2015-0560
wnpa-sec-2015-02
The LPP dissector could crash. (Bug 10773) CVE-2015-0561
wnpa-sec-2015-03
The DEC DNA Routing Protocol dissector could crash. (Bug 10724) CVE-2015-0562
wnpa-sec-2015-04
The SMTP dissector could crash. (Bug 10823) CVE-2015-0563
wnpa-sec-2015-05
Wireshark could crash while decypting TLS/SSL sessions. Discovered by Noam Rathaus. CVE-2015-0564
The following bugs have been fixed:
WebSocket dissector: empty payload causes DISSECTOR_ASSERT_NOT_REACHED. (Bug 9332)
Wireshark crashes if Lua heuristic dissector returns true. (Bug 10233)
Display MEP ID in decimal in OAM Y.1731 Synthetic Loss Message and Reply PDU. (Bug 10500)
TCP Window Size incorrectly reported in Packet List. (Bug 10514)
Status bar "creeps" to the left a few pixels every time Wireshark is opened. (Bug 10518)
E-LMI Message type. (Bug 10531)
SMTP decoder can dump binary data to terminal in TShark. (Bug 10536)
PTPoE dissector gets confused by packets that include an FCS. (Bug 10611)
IPv6 Vendor Specific Mobility Option includes the next mobility option type. (Bug 10618)
Save PCAP to PCAPng with commentary fails. (Bug 10656)
Display filter "frame contains bytes [2342]" causes a crash. (Bug 10690)
Multipath TCP: checksum displayed when it’s not there. (Bug 10692)
LTE APN-AMBR is decoded incorrectly. (Bug 10699)
DNS NAPTR RR Replacement Length is incorrect. (Bug 10700)
IPv6 Experimental mobility header data is interpreted as options. (Bug 10703)
Dissector bug, protocol SPDY: tvbuff.c:610: failed assertion "tvb && tvb?initialized". (Bug 10704)
BGP: Incorrect decoding AS numbers when mixed AS size. (Bug 10742)
BGP update community - incorrect decoding. (Bug 10746)
Setting a 6LoWPAN context generates a Wireshark crash. (Bug 10747)
FC is not dissected (protocol UNKNOWN). (Bug 10751)
Crash when displaying several times INFO column. (Bug 10755)
Decoding of longitude value in LCSAP (3GPP TS 29.171) is incorrect. (Bug 10767)
Crash when enabling FCoIB manual settings without filling address field. (Bug 10796)
RSVP RECORD_ROUTE IPv4 Subobject Flags field incorrect decoding. (Bug 10799)
Wireshark Lua engine can’t access protocol field type. (Bug 10801)
Field Analysis of OpenFlow v1.4 OFPT_SET_ASYNC. (Bug 10808)
Lua: getting fieldinfo.value for FT_NONE causes assert. (Bug 10815)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
6LoWPAN, ADwin, AllJoyn, Art-Net, Asterix, BGP, Bitcoin, Bluetooth OBEX, Bluetooth SDP, CFM, CIP, DCERPC PN-IO, DCERPC SPOOLSS, DEC DNA, DECT, DHCPv6, DNS, DTN, E-LMI, ENIP, Ethernet, Extreme, FCoIB, Fibre Channel, GED125, GTP, H.248, H.264, HiSLIP, IDRP, IEEE 802.11, IEEE P1722.1, Infiniband, IrDA, iSCSI, ISUP, LBMR, LCSAP, LPP, MAC LTE, MAUSB, MBIM, MIM, MIP, MIPv6, MP2T, MPEG-1, NAS EPS, NAT-PMP, NCP, NXP PN532, OpcUa, OpenFlow, PTP, RDM, RPKI-RTR, RSVP, RTnet, RTSP, SCTP, SMPP, SMTP, SPDY, Spice, TCP, WCCP, Wi-Fi P2P, and WiMAX
New and Updated Capture File Support
and K12

Changes for v1.12.1 - v1.12.2

1. What is Wireshark?
Wireshark is the world’s most popular network protocol analyzer. It is used for troubleshooting, analysis, development and education.
2. What’s New
2.1. Bug Fixes
The following vulnerabilities have been fixed.
wnpa-sec-2014-20
SigComp UDVM buffer overflow. (Bug 10662) CVE-2014-8710
wnpa-sec-2014-21
AMQP crash. (Bug 10582) CVE-2014-8711
wnpa-sec-2014-22
NCP crashes. (Bug 10552, Bug 10628) CVE-2014-8712 CVE-2014-8713
wnpa-sec-2014-23
TN5250 infinite loops. (Bug 10596) CVE-2014-8714
The following bugs have been fixed:
Wireshark determine packets of MMS protocol as a packets of T.125 protocol. (Bug 10350)
6LoWPAN Mesh headers not treated as encapsulating address. (Bug 10462)
UCP dissector bug of operation 31 - PID 0639 not recognized. (Bug 10463)
iSCSI dissector rejects PDUs with "expected data transfer length" > 16M. (Bug 10469)
GTPv2: trigging_tree under Trace information has wrong length. (Bug 10470)
openflow_v1 OFPT_FEATURES_REPLY parsed incorrectly. (Bug 10493)
Capture files from a remote virtual interface on MacOS X 10.9.5 aren’t dissected correctly. (Bug 10502)
Problem specifying protocol name for filtering. (Bug 10509)
LLDP TIA Network Policy Unknown Policy Flag Decode is not correct. (Bug 10512)
Decryption of DCERPC with Kerberos encryption fails. (Bug 10538)
Dissection of DECRPC NT sid28 shouldn’t show expert info if tree is null. (Bug 10542)
Attempt to render an SMS-DELIVER-REPORT instead of an SMS-DELIVER. (Bug 10547)
IPv6 Calipso option length is not used properly. (Bug 10561)
The SPDY dissector couldn’t dissecting packet correctly. (Bug 10566)
IPv6 QuickStart option Nonce is read incorrectly. (Bug 10575)
IPv6 Mobility Option IPv6 Address/Prefix marks too many bytes for the address/prefix field. (Bug 10576)
IPv6 Mobility Option Binding Authorization Data for FMIPv6 Authenticator field is read beyond the option data. (Bug 10577)
IPv6 Mobility Option Mobile Node Link Layer Identifier Link-layer Identifier field is read beyond the option data. (Bug 10578)
Wrong offset for hf_mq_id_icf1 in packet-mq.c. (Bug 10597)
Malformed PTPoE announce packet. (Bug 10611)
IPv6 Permanent Home Keygen Token mobility option includes too many bytes for the token field. (Bug 10619)
IPv6 Redirect Mobility Option K and N bits are parsed incorrectly. (Bug 10622)
IPv6 Care Of Test mobility option includes too many bytes for the Keygen Token field. (Bug 10624)
IPv6 MESG-ID mobility option is parsed incorrectly. (Bug 10625)
IPv6 AUTH mobility option parses Mobility SPI and Authentication Data incorrectly. (Bug 10626)
IPv6 DNS-UPDATE-TYPE mobility option includes too many bytes for the MD identity field. (Bug 10629)
IPv6 Local Mobility Anchor Address mobility option’s code and reserved fields are parsed as 2 bytes instead of 1. (Bug 10630)
WCCP v.2.01 extended assignment data element parsed wrong. (Bug 10641)
DNS ISDN RR Sub Address field is read one byte early. (Bug 10650)
TShark crashes when running with PDML on a specific packet. (Bug 10651)
DNS A6 Address Suffix field is parsed incorrectly. (Bug 10652)
DNS response time: calculation incorrect. (Bug 10657)
SMPP does not display properly the hour field in the Submit_sm Validity Period field. (Bug 10672)
DNS Name Length for Zone RR on root is 6 and Label Count is 1. (Bug 10674)
DNS WKS RR Protocol field is read as 4 bytes instead of 1. (Bug 10675)
IPv6 Mobility Option Context Request reads an extra request. (Bug 10676)
2.2. New and Updated Features
There are no new features in this release.
The Windows installers no longer include previews of Wireshark 2. If you want to try the new user interface, please download a development (1.99) installer.
2.3. New Protocol Support
There are no new protocols in this release.
2.4. Updated Protocol Support
6LoWPAN, AMQP, ANSI IS-637-A, Bluetooth HCI, CoAP, DCERPC (all), DCERPC NT, DNS, GSM MAP, GTPv2, H.223, HPSW, HTTP2, IEEE 802.11, IPv6, iSCSI, Kerberos, LBT-RM, LLDP, MIH, Mobile IPv6, MQ, NCP, OpcUa, OpenFlow, PKTAP, PTPoE, SigComp, SMB2, SMPP, SPDY, Stanag 4607, T.125, UCP, USB CCID, and WCCP
2.5. New and Updated Capture File Support
Catapult DCT2000, HP-UX nettl, Ixia IxVeriWave, pcap, pcap-ng, RADCOM, and Sniffer (DOS)
3. Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
3.1. Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
4. File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About?Folders to find the default locations on your system.
5. Known Problems
Dumpcap might not quit if Wireshark or TShark crashes. (Bug 1419)
The BER dissector might infinitely loop. (Bug 1516)
Capture filters aren’t applied when capturing from named pipes. (Bug 1814)
Filtering tshark captures with read filters (-R) no longer works. (Bug 2234)
The 64-bit Windows installer does not support Kerberos decryption. (Win64 development page)
Resolving (Bug 9044) reopens (Bug 3528) so that Wireshark no longer automatically decodes gzip data when following a TCP stream.
Application crash when changing real-time option. (Bug 4035)
Hex pane display issue after startup. (Bug 4056)
Packet list rows are oversized. (Bug 4357)
Wireshark and TShark will display incorrect delta times in some cases. (Bug 4985)
6. Getting Help
Community support is available on Wireshark’s Q&A site and on the wireshark-users mailing list. Subscription information and archives for all of Wireshark’s mailing lists can be found on the web site.
Official Wireshark training and certification are available from Wireshark University.
7. Frequently Asked Questions
A complete FAQ is available on the Wireshark web site.

Changes for v1.12.0 - v1.12.1

Bug Fixes
The following bugs have been fixed:
The following vulnerabilities have been fixed.
wnpa-sec-2014-13. MEGACO dissector infinite loop. (Bug 10333) CVE-2014-6423
wnpa-sec-2014-14. Netflow dissector crash. (Bug 10370) CVE-2014-6424
wnpa-sec-2014-15. CUPS dissector crash. (Bug 10353) CVE-2014-6425
wnpa-sec-2014-16. HIP dissector infinite loop. CVE-2014-6426
wnpa-sec-2014-17. RTSP dissector crash. (Bug 10381) CVE-2014-6427
wnpa-sec-2014-18. SES dissector crash. (Bug 10454) CVE-2014-6428
wnpa-sec-2014-19. Sniffer file parser crash. (Bug 10461) CVE-2014-6429 CVE-2014-6430 CVE-2014-6431 CVE-2014-6432
The following bugs have been fixed:
Wireshark can crash during remote capture (rpcap) configuration. (Bug 3554, Bug 6922, ws-buglink:7021)
802.11 capture does not decrypt/decode DHCP response. (Bug 8734)
Extra quotes around date fields (FT_ABSOLUTE_TIME) when using -E quote=d or s. (Bug 10213)
No progress line in "VOIP RTP Player". (Bug 10307)
MIPv6 Service Selection Identifier parse error. (Bug 10323)
Probably wrong length check in proto_item_set_end. (Bug 10329)
802.11 BA sequence number decode is broken. (Bug 10334)
wmem_alloc_array() "succeeds" (and clobbers memory) when requested to allocate 0xaaaaaaaa items of size 12. (Bug 10343)
Different dissection results for same file. (Bug 10348)
Mergecap wildcard breaks in version 1.12.0. (Bug 10354)
Diameter TCP reassemble. (Bug 10362)
TRILL NLPID 0xc0 unknown to Wireshark. (Bug 10382)
BTLE advertising header flags (RxAdd/TxAdd) dissected incorrectly. (Bug 10384)
Ethernet OAM (CFM) frames including TLV’s are wrongly decoded as malformed. (Bug 10385)
BGP4: Wireshark skipped some potion of AS_PATH. (Bug 10399)
MAC address name resolution is broken. (Bug 10344)
Wrong decoding of RPKI RTR End of Data PDU. (Bug 10411)
SSL/TLS dissector incorrectly interprets length for status_request_v2 hello extension. (Bug 10416)
Misparsed NTP control assignments with empty values. (Bug 10417)
6LoWPAN multicast address decompression problems. (Bug 10426)
Netflow v9 flowset not decoded if options template has zero-length scope section. (Bug 10432)
GUI Hangs when Selecting Path to GeoIP Files. (Bug 10434)
AX.25 dissector prints unprintable characters. (Bug 10439)
6LoWPAN context handling not working. (Bug 10443)
SIP: When export to a CSV, Info is changed to differ. (Bug 10453)
Typo in packet-netflow.c. (Bug 10458)
Incorrect MPEG-TS decoding (OPCR field). (Bug 10446)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
6LoWPAN, A21, ACR122, Art-Net, AX.25, BGP, BTLE, CAPWAP, DIAMETER, DICOM, DVB-CI, Ethernet OAM, HIP, HiSLIP, HTTP2, IEEE 802.11, MAUSB, MEGACO, MIPv6, MP2T, Netflow, NTP, openSAFETY, OSI, RDM, RPKI RTR, RTSP, SES, SIP, TLS, and Token Ring MAC
New and Updated Capture File Support
DOS Sniffer, and NetScaler

Changes for v1.10.8 - v1.12.0

Bug Fixes
The following bugs have been fixed:
"On-the-wire" packet lengths are limited to 65535 bytes. (Bug 8808, Bug 9390)
"Follow TCP Stream" shows only the first HTTP request and response. (Bug 9044)
Files with pcap-ng Simple Packet Blocks can’t be read. (Bug 9200)
MPLS-over-PPP isn’t recognized. (Bug 9492)
New and Updated Features
The following features are new or have been significantly updated since version 1.10:
The Windows installer now uninstalls the previous version of Wireshark silently. You can still run the uninstaller manually beforehand if you wish to run it interactively.
Expert information is now filterable when the new API is in use.
The "Number" column shows related packets and protocol conversation spans (Qt only).
When manipulating packets with editcap using the -C and/or -s options, it is now possible to also adjust the original frame length using the -L option.
You can now pass the -C option to editcap multiple times, which allows you to chop bytes from the beginning of a packet as well as at the end of a packet in a single step.
You can now specify an optional offset to the -C option for editcap, which allows you to start chopping from that offset instead of from the absolute packet beginning or end.
"malformed" display filter has been renamed to "_ws.malformed". A handful of other filters have been given the "_ws." prefix to note they are Wireshark application specific filters and not dissector filters.
The Kerberos dissector has been replaced with an auto generated one from ASN1 protocol description, changing a lot of filter names.
Additionally the Windows installers have an extra component: a preview of the upcoming user interface for Wireshark 2.0.
The following features are new (or have been significantly updated) since version 1.11.3:
Transport name resolution is now disabled by default.
Support has been added for all versions of the DCBx protocol.
Cleanup of LLDP code, all dissected fields are now navigable.
The following features are new (or have been significantly updated) since version 1.11.2:
Qt port:
The About dialog has been added
The Capture Interfaces dialog has been added.
The Decode As dialog has been added. It managed to swallow up the User Specified Decodes dialog as well.
The Export PDU dialog has been added.
Several SCTP dialogs have been added.
The statistics tree (the backend for many Statistics and Telephony menu items) dialog has been added.
The I/O Graph dialog has been added.
French translation has updated.
The following features are new (or have been significantly updated) since version 1.11.1:
Mac OS X packaging has been improved.
The following features are new (or have been significantly updated) since version 1.11.0:
Dissector output may be encoded as UTF-8. This includes TShark output.
Qt port:
The Follow Stream dialog now supports packet and TCP stream selection.
A Flow Graph (sequence diagram) dialog has been added.
The main window now respects geometry preferences.
Removed Dissectors
The ASN1 plugin has been removed as it’s deemed obsolete.
The GNM dissector has been removed as it was never used.
The Kerberos hand made dissector has been replaced by one generated from ASN1 code.
Platform Support
Support for Windows XP has been deprecated. We will make an effort to support it for as long as possible but our ability to do so depends on upstream packages and other factors beyond our control.
U3 packages are no longer supported or provided.
This is the last major release that will support 32-bit versions of Mac OS X.
New Protocol Support
29West, 802.1AE Secure tag, A21, ACR122, ADB Client-Server, AllJoyn, Apple PKTAP, Aruba Instant AP, ASTERIX, ATN, Bencode, Bluetooth 3DS, Bluetooth HSP, Bluetooth Linux Monitor Transport, Bluetooth Low Energy, Bluetooth Low Energy RF Info, CARP, CFDP, Cisco MetaData, DCE/RPC MDSSVC, DeviceNet, ELF file format, Ethernet Local Management Interface (E-LMI), Ethernet Passive Optical Network (EPON), EXPORTED PDU, FINGER, HDMI, High-Speed LAN Instrument Protocol (HiSLIP), HTTP2, IDRP, IEEE 1722a, ILP, iWARP Direct Data Placement and Remote Direct Memory Access Protocol, Kafka, Kyoto Tycoon, Landis & Gyr Telegyr 8979, LBM, LBMC, LBMPDM, LBMPDM-TCP, LBMR, LBT-RM, LBT-RU, LBT-TCP, Lightweight Mesh (v1.1.1), Link16, Linux netlink, Linux netlink netfilter, Linux netlink sock diag, Linux rtnetlink (route netlink), Logcat, MBIM, Media Agnostic USB (MA USB), MiNT, MP4 / ISOBMFF file format, MQ Telemetry Transport Protocol, MS NLB (Rewrite), Novell PKIS certificate extensions, NXP PN532 HCI, Open Sound Control, OpenFlow, Pathport, PDC, Picture Transfer Protocol Over IP, PKTAP, Private Data Channel, QUIC (Quick UDP Internet Connections), SAE J1939, SEL RTAC (Real Time Automation Controller) EIA-232 Serial-Line Dissection, Sippy RTPproxy, SMB-Direct, SPDY, STANAG 4607, STANAG 5066 DTS, STANAG 5066 SIS, Tinkerforge, Ubertooth, UDT, URL Encoded Form Data, USB Communications and CDC Control, USB Device Firmware Upgrade, VP8, WHOIS, Wi-Fi Display, and ZigBee Green Power profile
Updated Protocol Support
Too many protocols have been updated to list here.
New and Updated Capture File Support
Netscaler 2.6, STANAG 4607, and STANAG 5066 Data Transfer Sublayer
Major API Changes
The libwireshark API has undergone some major changes:
A more flexible, modular memory manager (wmem) has been added. It was available experimentally in 1.10 but is now mature and has mostly replaced the old emem API (which is deprecated).
A new API for expert information has been added, replacing the old one.
The tvbuff API has been cleaned up: tvb_length has been renamed to tvb_captured_length for clarity, and tvb_get_string and tvb_get_stringz have been deprecated in favour of tvb_get_string_enc and tvb_get_stringz_enc.
dissector_try_heuristic() signature has been changed to return heur_dtbl_entry_t to make it possible to save it and use it in subsequent calls to avoid the overhead of going trough the heuristics list.

Changes for v1.11.2 Beta - v1.11.3 Beta

New and Updated Features
The following features are new (or have been significantly updated) since version 1.11.1:
Qt port:
The About dialog has been added
The Capture Interfaces dialog has been added.
The Decode As dialog has been added. It managed to swallow up the User Specified Decodes dialog as well.
The Export PDU dialog has been added.
Several SCTP dialogs have been added.
The statistics tree (the backend for many Statistics and Telephony menu items) dialog has been added.
The I/O Graph dialog has been added.
French translation has updated.
The following features are new (or have been significantly updated) since version 1.11.1:
Mac OS X packaging has been improved.
The following features are new (or have been significantly updated) since version 1.11.0:
Dissector output may be encoded as UTF-8. This includes TShark output.
Qt port:
The Follow Stream dialog now supports packet and TCP stream selection.
A Flow Graph (sequence diagram) dialog has been added.
The main window now respects geometry preferences.
The following features are new (or have been significantly updated) since version 1.10:
Wireshark now uses the Qt application framework. The new UI should provide a significantly better user experience, particularly on Mac OS X and Windows.
The Windows installer now uninstalls the previous version of Wireshark silently. You can still run the uninstaller manually beforehand if you wish to run it interactively.
Expert information is now filterable when the new API is in use.
The "Number" column shows related packets and protocol conversation spans (Qt only).
When manipulating packets with editcap using the -C and/or -s options, it is now possible to also adjust the original frame length using the -L option.
You can now pass the -C option to editcap multiple times, which allows you to chop bytes from the beginning of a packet as well as at the end of a packet in a single step.
You can now specify an optional offset to the -C option for editcap, which allows you to start chopping from that offset instead of from the absolute packet beginning or end.
"malformed" display filter has been renamed to "_ws.malformed". A handful of other filters have been given the "_ws." prefix to note they are Wireshark application specific filters and not dissector filters.

Changes for v1.11.1 Beta - v1.11.2 Beta

The following features are new (or have been significantly updated) since version 1.11.1:
Mac OS X packaging has been improved.
The following features are new (or have been significantly updated) since version 1.11.0:
Qt port:
The Follow Stream dialog now supports packet and TCP stream selection.
A Flow Graph (sequence diagram) dialog has been added.
The main window now respects geometry preferences.
The following features are new (or have been significantly updated) since version 1.10:
Wireshark now uses the Qt application framework. The new UI should provide a significantly better user experience, particularly on Mac OS X and Windows.
A more flexible, modular memory manger (wmem) has been added. It was available experimentally in 1.10 but is now mature and has mostly replaced the old API.
Expert info is now filterable and now requires a new API.
The Windows installer now uninstalls the previous version of Wireshark silently. You can still run the uninstaller manually beforehand if you wish to run it interactively.
The "Number" column shows related packets and protocol conversation spans (Qt only).
When manipulating packets with editcap using the -C and/or -s options, it is now possible to also adjust the original frame length using the -L option.
You can now pass the -C option to editcap multiple times, which allows you to chop bytes from the beginning of a packet as well as at the end of a packet in a single step.
You can now specify an optional offset to the -C option for editcap, which allows you to start chopping from that offset instead of from the absolute packet beginning or end.
"malformed" display filter has been renamed to "_ws.malformed". A handful of other filters have been given the "_ws." prefix to note they are Wireshark application specific filters and not dissector filters.

Changes for v1.10.7 - v1.10.8

The following vulnerabilities have been fixed.
wnpa-sec-2014-07. The frame metadissector could crash. (Bug 9999, Bug 10030). Versions affected: 1.10.0 to 1.10.7. CVE-2014-4020
The following bugs have been fixed:
VoIP flow graph crash upon opening. (Bug 9179)
Tshark with "-F pcap" still generates a pcapng file. (Bug 9991)
IPv6 Next Header 0x3d recognized as SHIM6. (Bug 9995)
Failed to export pdml on large pcap. (Bug 10081)
TCAP: set a fence on info column after calling sub dissector (Bug 10091)
Dissector bug in JSON protocol. (Bug 10115)
GSM RLC MAC: do not skip too many lines of the CSN_DESCR when the field is missing (Bug 10120)
Wireshark PEEKREMOTE incorrectly decoding QoS data packets from Cisco Sniffer APs. (Bug 10139)
IEEE 802.11: fix dissection of HT Capabilities (Bug 10166)

Changes for v1.10.6 - v1.10.7

2.1. Bug Fixes
The following vulnerabilities have been fixed.
wnpa-sec-2014-06 ( https://www.wireshark.org/security/wnpa-sec-2014-06.html )
The RTP dissector could crash. (Bug 9885)
Versions affected: 1.10.0 to 1.10.6
CVE-2014-2907
The following bugs have been fixed:
RTP not decoded inside the conversation in v.1.10.1 (Bug 9021)
SIP/SDP: disabled second media stream disables all media streams (Bug 9835)
Lua: trying to get/access a Preference before its registered causes a segfault (Bug 9853)
Some value_string strings contain newlines. (Bug 9878)
Tighten the NO_MORE_DATA_CHECK macros (Bug 9932)
Fix crash when calling "MAP Summary" dialog when no file is open (Bug 9934)
Fix comparing a sequence number of TCP fragment when its value wraps over uint32_t limit (Bug 9936)
2.2. New and Updated Features
There are no new features in this release.
2.3. New Protocol Support
There are no new protocols in this release.
2.4. Updated Protocol Support
ANSI A, DVB-CI, GSM DTAP, GSM MAP, IEEE 802.11, LCSAP, LTE RRC, MAC LTE, Prism, RTP, SDP, SIP, and TCP
2.5. New and Updated Capture File Support
and There are no changes in this release.

Changes for v1.10.5 - v1.10.6

The following vulnerabilities have been fixed.
wnpa-sec-2014-01
The NFS dissector could crash. Discovered by Moshe Kaplan. (Bug 9672)
Versions affected: 1.10.0 to 1.10.5, 1.8.0 to 1.8.12
CVE-2014-2281
wnpa-sec-2014-02
The M3UA dissector could crash. Discovered by Laurent Butti. (Bug 9699)
Versions affected: 1.10.0 to 1.10.5
CVE-2014-2282
wnpa-sec-2014-03
The RLC dissector could crash. (Bug 9730)
Versions affected: 1.10.0 to 1.10.5, 1.8.0 to 1.8.12
CVE-2014-2283
wnpa-sec-2014-04
The MPEG file parser could overflow a buffer. Discovered by Wesley Neelen. (Bug 9843)
Versions affected: 1.10.0 to 1.10.5, 1.8.0 to 1.8.12
CVE-2014-2299
The following bugs have been fixed:
Customized OUI is not recognized correctly during dissection. (Bug 9122)
Properly decode CAPWAP Data Keep-Alives. (Bug 9165)
Build failure with GTK 3.10 - GTK developers have gone insane. (Bug 9340)
SIGSEGV/SIGABRT during free of TvbRange using a chained dissector in lua. (Bug 9483)
MPLS dissector no longer registers itself in "ppp.protocol" table. (Bug 9492)
Tshark doesn’t display the longer data fields (mbtcp). (Bug 9572)
DMX-CHAN disector does not clear strbuf between rows. (Bug 9598)
Dissector bug, protocol SDP: proto.c:4214: failed assertion "length >= 0". (Bug 9633)
False error: capture file appears to be damaged or corrupt. (Bug 9634)
SMPP field source_telematics_id field length different from spec. (Bug 9649)
Lua: bitop library is missing in Lua 5.2. (Bug 9720)
GTPv1-C / MM Context / Authentication quintuplet / RAND is not correct. (Bug 9722)
Lua: ProtoField.new() is buggy. (Bug 9725)
Lua: ProtoField.bool() VALUESTRING argument is not optional but was supposed to be. (Bug 9728)
Problem with CAPWAP Wireshark Dissector. (Bug 9752)
nas-eps dissector: CS Service notification dissection stops after Paging identity IE. (Bug 9789)
2.2. New and Updated Features
IPv4 checksum verfification is now disabled by default.
2.3. New Protocol Support
There are no new protocols in this release.
2.4. Updated Protocol Support
AppleTalk, CAPWAP, DMX-CHAN, DSI, DVB-CI, ESS, GTPv1, IEEE 802a, M3UA, Modbus/TCP, NAS-EPS, NFS, OpenSafety, SDP, and SMPP
2.5. New and Updated Capture File Support
libpcap, MPEG, and pcap-ng

Changes for v1.10.4 - v1.10.5

The following bugs have been fixed:
Wireshark stops showing new packets but dumpcap keeps writing them to the temp file. (Bug 9571)
Wireshark 1.10.4 shuts down when promiscuous mode is unchecked. (Bug 9577)
Homeplug dissector bug: STATUS_ACCESS_VIOLATION: dissector accessed an invalid memory address. (Bug 9578)
Updated Protocol Support
GSM BSSMAP, GSM BSSMAP LE, GSM SMS, Homeplug, NAS-EPS, and SGSAP

Changes for v1.10.3 - v1.10.4

The following vulnerabilities have been fixed.
wnpa-sec-2013-66
The SIP dissector could go into an infinite loop. Discovered by Alain Botti. (Bug 9388)
Versions affected: 1.10.0 to 1.10.3, 1.8.0 to 1.8.11
CVE-2013-7112
wnpa-sec-2013-67
The BSSGP dissector could crash. Discovered by Laurent Butti. (Bug 9488)
Versions affected: 1.10.0 to 1.10.3
CVE-2013-7113
wnpa-sec-2013-68
The NTLMSSP v2 dissector could crash. Discovered by Garming Sam.
Versions affected: 1.10.0 to 1.10.3, 1.8.0 to 1.8.11
CVE-2013-7114
The following bugs have been fixed:
"On-the-wire" packet lengths are limited to 65535 bytes. (Bug 8808, ws-buglink:9390)
Tx MCS set is not interpreted properly in WLAN beacon frame. (Bug 8894)
VoIP Graph Analysis window - some calls are black. (Bug 8966)
Wireshark fails to decode single-line, multiple Contact: URIs in SIP responses. (Bug 9031)
epan/follow.c - Incorrect "bytes missing in capture file" in "check_fragments" due to an unsigned int wraparound?. (Bug 9112)
gsm_map doesn’t decode MAPv3 reportSM-DeliveryStatus result. (Bug 9382)
Incorrect NFSv4 FATTR4_SECURITY_LABEL value. (Bug 9383)
Timestamp decoded for Gigamon trailer is not padded correctly. (Bug 9433)
SEL Fast Message Bug-fix for Signed 16-bit Integer Fast Meter Messages. (Bug 9435)
DNP3 Bug Fix for Analog Data Sign Bit Handling. (Bug 9442)
GSM SMS User Data header fill bits are wrong when using a 7 bits ASCII / IA5 encoding. (Bug 9478)
WCDMA RLC dissector cannot assemble PDUs with SNs skipped and wrap-arounded. (Bug 9505)
DTLS: fix buffer overflow in mac check. (Bug 9512)
[PATCH] Correct data length in SCSI_DATA_IN packets (within iSCSI). (Bug 9521)
GSM SMS UDH EMS control expects 4 octets instead of 3 with OPTIONAL 4th. (Bug 9550)
Fix "decode as …" for packet-time.c. (Bug 9563)

Changes for v1.10.1 - v1.10.2

Multiple vulnerabilities have been fixed. See the release notes for details.
Many other bugs have been fixed.

Changes for v1.8.7 - v1.10.0

Bug Fixes
The following bugs have been fixed:
Redirecting the standard output didn’t redirect the output the of -D or -L flags. This fix means that the output of those flags now goes to the standard output, not the standard error, as it did in previous releases. Bug 8609
2.2. New and Updated Features
The following features are new (or have been significantly updated) since version 1.8:
Wireshark on 32- and 64-bit Windows supports automatic updates.
The packet bytes view is faster.
You can now display a list of resolved host names in "hosts" format within Wireshark.
The wireless toolbar has been updated.
Wireshark on Linux does a better job of detecting interface addition and removal.
It is now possible to compare two fields in a display filter (for example: udp.srcport != udp.dstport). The two fields must be of the same type for this to work.
The Windows installers ship with WinPcap 4.1.3, which supports Windows 8.
USB type and product name support has been improved.
All Bluetooth profiles and protocols are now supported.
Wireshark now calculates HTTP response times and presents the result in a new field in the HTTP response. Links from the request’s frame to the response’s frame and vice-versa are also added.
The main welcome screen and status bar now display file sizes using strict SI prefixes instead of old-style binary prefixes.
Capinfos now prints human-readable statistics with SI suffixes by default.
It is now possible to open a referenced packet (such as the matched request or response packet) in a new window.
Tshark can now display only the hex/ascii packet data without requiring that the packet summary and/or packet details are also displayed. If you want the old behavior, use -Px instead of just -x.
Wireshark can be compiled using GTK+ 3.
The Wireshark application icon, capture toolbar icons, and other icons have been updated.
Tshark’s filtering and multi-pass analysis have been reworked for consistency and in order to support dependent frame calculations during reassembly. See the man page descriptions for -2, -R, and -Y.
Tshark’s -G fields2 and -G fields3 options have been eliminated. The -G fields option now includes the 2 extra fields that -G fields3 previously provided, and the blurb information has been relegated to the last column since in many cases it is blank anyway.
Wireshark dropped the left-handed settings from the preferences. This is still configurable via the GTK settings (add "gtk-scrolled-window-placement = top-right" in the config file, which might be called /.gtkrc-2.0 or /.config/gtk-3.0/settings.ini).
Wireshark now ships with two global configuration files: Bluetooth, which contains coloring rules for Bluetooth and Classic, which contains the old-style coloring rules.
The LOAD() metric in the IO-graph now shows the load in IO units instead of thousands of IO units.

Changes for v1.10 RC 1 - v1.10.0 RC 2

Bug Fixes
Redirecting the standard output didn’t redirect the output the of -D or -L flags. This fix means that the output of those flags now goes to the standard output, not the standard error, as it did in previous releases. Bug 8609
New and Updated Features
Wireshark on 32- and 64-bit Windows supports automatic updates.
The packet bytes view is faster.
You can now display a list of resolved host names in "hosts" format within Wireshark.
The wireless toolbar has been updated.
Wireshark on Linux does a better job of detecting interface addition and removal.
It is now possible to compare two fields in a display filter (for example: udp.srcport != udp.dstport). The two fields must be of the same type for this to work.
The Windows installers ship with WinPcap 4.1.3, which supports Windows 8.
USB type and product name support has been improved.
All Bluetooth profiles and protocols are now supported.
Wireshark now calculates HTTP response times and presents the result in a new field in the HTTP response. Links from the request’s frame to the response’s frame and vice-versa are also added.
The main welcome screen and status bar now display file sizes using strict SI prefixes instead of old-style binary prefixes.
Capinfos now prints human-readable statistics with SI suffixes by default.
It is now possible to open a referenced packet (such as the matched request or response packet) in a new window.
Tshark can now display only the hex/ascii packet data without requiring that the packet summary and/or packet details are also displayed. If you want the old behavior, use -Px instead of just -x.
Wireshark can be compiled using GTK+ 3.
The Wireshark application icon, capture toolbar icons, and other icons have been updated.
Tshark’s filtering and multi-pass analysis have been reworked for consistency and in order to support dependent frame calculations during reassembly. See the man page descriptions for -2, -R, and -Y.
Tshark’s -G fields2 and -G fields3 options have been eliminated. The -G fields option now includes the 2 extra fields that -G fields3 previously provided, and the blurb information has been relegated to the last column since in many cases it is blank anyway.
Wireshark dropped the left-handed settings from the preferences. This is still configurable via the GTK settings (add "gtk-scrolled-window-placement = top-right" in the config file, which might be called /.gtkrc-2.0 or /.config/gtk-3.0/settings.ini).
Wireshark now ships with two global configuration files: Bluetooth, which contains coloring rules for Bluetooth and Classic, which contains the old-style coloring rules.
New Protocol Support
Amateur Radio AX.25, Amateur Radio BPQ, Amateur Radio NET/ROM, America Online (AOL), AR Drone, Automatic Position Reporting System (APRS), AX.25 KISS, AX.25 no Layer 3, Bitcoin Protocol, Bluetooth Attribute Protocol, Bluetooth AVCTP Protocol, Bluetooth AVDTP Protocol, Bluetooth AVRCP Profile, Bluetooth BNEP Protocol, Bluetooth HCI USB Transport, Bluetooth HCRP Profile, Bluetooth HID Profile, Bluetooth MCAP Protocol, Bluetooth SAP Profile, Bluetooth SBC Codec, Bluetooth Security Manager Protocol, Cisco GED-125 Protocol, Clique Reliable Multicast Protocol (CliqueRM), D-Bus, Digital Transmission Content Protection over IP, DVB-S2 Baseband, FlexNet, Forwarding and Control Element Separation Protocol (ForCES), Foundry Discovery Protocol (FDP), Gearman Protocol, GEO-Mobile Radio (1) RACH, HoneyPot Feeds Protocol (HPFEEDS), LTE Positioning Protocol Extensions (LLPe), Media Resource Control Protocol Version 2 (MRCPv2), Media-Independent Handover (MIH), MIDI System Exclusive (SYSEX), Mojito DHT, MPLS-TP Fault-Management, MPLS-TP Lock-Instruct, NASDAQ’s OUCH 4.x, NASDAQ’s SoupBinTCP, OpenVPN Protocol, Pseudo-Wire OAM, RPKI-Router Protocol, SEL Fast Message, Simple Packet Relay Transport (SPRT), Skype, Smart Message Language (SML), SPNEGO Extended Negotiation Security Mechanism (NEGOEX), UHD/USRP, USB Audio, USB Video, v.150.1 State Signaling Event (SSE), VITA 49 Radio Transport, VNTAG, WebRTC Datachannel Protocol (RTCDC), and WiMAX OFDMA PHY SAP
Updated Protocol Support
Too many protocols have been updated to list here.
New and Updated Capture File Support
AIX iptrace, CAM Inspector, Catapult DCT2000, Citrix NetScaler, DBS Etherwatch (VMS), Endace ERF, HP-UX nettl, IBM iSeries, Ixia IxVeriWave, NA Sniffer (DOS), Netscreen, Network Instruments Observer, pcap, pcap-ng, Symbian OS btsnoop, TamoSoft CommView, and Tektronix K12xx

Changes for v1.8.5 - v1.9.2 Development Release

Bug Fixes
The following vulnerabilities have been fixed. wnpa-sec-2013-10
The TCP dissector could crash. (Bug 8274)
Versions affected: 1.8.0 to 1.8.5.
CVE-2013-2475 wnpa-sec-2013-11
The HART/IP dissectory could go into an infinite loop. (Bug 8360)
Versions affected: 1.8.0 to 1.8.5.
CVE-2013-2476 wnpa-sec-2013-12
The CSN.1 dissector could crash. Discovered by Laurent Butti. (Bug 8383)
Versions affected: 1.8.0 to 1.8.5.
CVE-2013-2477 wnpa-sec-2013-13
The MS-MMS dissector could crash. Discovered by Laurent Butti. (Bug 8382)
Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
CVE-2013-2478 wnpa-sec-2013-14
The MPLS Echo dissector could go into an infinite loop. Discovered by Laurent Butti. (Bug 8039)
Versions affected: 1.8.0 to 1.8.5.
CVE-2013-2479 wnpa-sec-2013-15
The RTPS and RTPS2 dissectors could crash. Discovered by Alyssa Milburn. (Bug 8332)
Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
CVE-2013-2480 wnpa-sec-2013-16
The Mount dissector could crash. Discovered by Alyssa Milburn. (Bug 8335)
Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
CVE-2013-2481 wnpa-sec-2013-17
The AMPQ dissector could go into an infinite loop. Discovered by Moshe Kaplan. (Bug 8337)
Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
CVE-2013-2482 wnpa-sec-2013-18
The ACN dissector could attempt to divide by zero. Discovered by Alyssa Milburn. (Bug 8340)
Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
CVE-2013-2483 wnpa-sec-2013-19
The CIMD dissector could crash. Discovered by Moshe Kaplan. (Bug 8346)
Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
CVE-2013-2484 wnpa-sec-2013-20
The FCSP dissector could go into an infinite loop. Discovered by Moshe Kaplan. (Bug 8359)
Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
CVE-2013-2485 wnpa-sec-2013-21
The RELOAD dissector could go into an infinite loop. Discovered by Even Jensen. (Bug 8364)
Versions affected: 1.8.0 to 1.8.5.
CVE-2013-2486
CVE-2013-2487 wnpa-sec-2013-22
The DTLS dissector could crash. Discovered by Laurent Butti. (Bug 8380)
Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13.
CVE-2013-2488
The following bugs have been fixed: Lua pinfo.cols.protocol not holding value in postdissector. (Bug 6020) data combined via ssl_desegment_app_data not visible via "Follow SSL Stream" only decrypted ssl data tabs. (Bug 6434) HTTP application/json-rpc should be decoded/shown as application/json. (Bug 7939) Maximum value of 802.11-2012 Duration field should be 32767. (Bug 8056) Voice RTP player crash if player is closed while playing. (Bug 8065) Display Filter Macros crash. (Bug 8073) RRC RadioBearerSetup message decoding issue. (Bug 8290) R-click filters add ! in front of field when choosing "apply as filter>selected". (Bug 8297) BACnet - Loop Object - Setpoint-Reference property does not decode correctly. (Bug 8306) WMM TSPEC Element Parsing is not done is wrong due to a wrong switch case number. (Bug 8320) Incorrect RTP statistics (Lost Packets indication not ok). (Bug 8321) Registering ieee802154 dissector for IEEE802.15.4 frames inside Linux SLL frames. (Bug 8325) Version Field is skipped while parsing WMM_TSPEC causing wrong dissecting (1 byte offset missing) of all fields in the TSPEC. (Bug 8330) [BACnet] UCS-2 strings longer than 127 characters do not decode correctly. (Bug 8331) Malformed IEEE80211 frame triggers DISSECTOR_ASSERT. (Bug 8345) Decoding of GSM MAP SMS Diagnostics. (Bug 8378) Incorrect packet length displayed for Flight Message Transfer Protocol (FMTP). (Bug 8407) Netflow dissector flowDurationMicroseconds nanosecond conversion wrong. (Bug 8410) BE (3) AC is wrongly named as "Video" in (qos_acs). (Bug 8432) New and Updated Features
There are no new features in this release. New Protocol Support
There are no new protocols in this release. Updated Protocol Support
ACN, AMQP, ASN.1 PER, BACnet, CIMD, CSN.1, DOCSIS TLVs, DTLS, FCSP, FMP/NOTIFY, FMTP, GSM MAP SMS, HART/IP, IEEE 802.11, IEEE 802.15.4, JSON, Linux SLL, LTE RRC, Mount, MPLS Echo, Netflow, RELOAD, RSL, RTP, RTPS, RTPS2, SABP, SIP, SSL, TCP

Changes for v1.8.6 - v1.9.1 Development Release

Wireshark on 32- and 64-bit Windows supports automatic updates.
The packet bytes view is faster.
You can now display a list of resolved host names in "hosts" format within Wireshark.
The wireless toolbar has been updated.
Wireshark on Linux does a better job of detecting interface addition and removal.
It is now possible to compare two fields in a display filter (for example: udp.srcport != udp.dstport). The two fields must be of the same type for this to work.
The main welcome screen and status bar now display file sizes using strict SI prefixes instead of old-style binary prefixes.
Capinfos now prints human-readable statistics with SI suffixes by default.

Changes for v1.8.6 - v1.8.7

Bug Fixes
The following vulnerabilities have been fixed.
wnpa-sec-2013-23
The RELOAD dissector could go into an infinite loop. Discovered by Evan Jensen. (Bug 8364, (Bug 8546)
Versions affected: 1.8.0 to 1.8.6.
CVE-2013-2486
CVE-2013-2487
wnpa-sec-2013-24
The GTPv2 dissector could crash. (Bug 8493)
Versions affected: 1.8.0 to 1.8.6.
wnpa-sec-2013-25
The ASN.1 BER dissector could crash. (Bug 8599)
Versions affected: 1.8.0 to 1.8.6, 1.6.0 to 1.6.14.
wnpa-sec-2013-26
The PPP CCP dissector could crash. (Bug 8638)
Versions affected: 1.8.0 to 1.8.6.
wnpa-sec-2013-27
The DCP ETSI dissector could crash. Discovered by Evan Jensen. (Bug 8231, bug 8540, bug 8541)
Versions affected: 1.8.0 to 1.8.6.
wnpa-sec-2013-28
The MPEG DSM-CC dissector could crash. (Bug 8481)
Versions affected: 1.8.0 to 1.8.6.
wnpa-sec-2013-29
The Websocket dissector could crash. Discovered by Moshe Kaplan. (Bug 8448, Bug 8499)
Versions affected: 1.8.0 to 1.8.6.
wnpa-sec-2013-30
The MySQL dissector could go into an infinite loop. Discovered by Moshe Kaplan. (Bug 8458)
Versions affected: 1.8.0 to 1.8.6.
wnpa-sec-2013-31
The ETCH dissector could go into a large loop. Discovered by Moshe Kaplan. (Bug 8464)
Versions affected: 1.8.0 to 1.8.6.The following bugs have been fixed:
The Windows installer and uninstaller does a better job of detecting running executables.
Library mismatch when compiling on a system with an older Wireshark version. (Bug 6011)
SNMP dissector bug: STATUS_INTEGER_DIVIDE_BY_ZERO. (Bug 7359)
A console window is never opened. (Bug 7755)
GSM_MAP show malformed Packets when two IMSI. (Bug 7882)
Fix include and libs search path when cross compiling. (Bug 7926)
PER dissector crash. (Bug 8197)
pcap-ng: name resolution block is not written to file on save. (Bug 8317)
Incorrect RTP statistics (Lost Packets indication not ok). (Bug 8321)
Decoding of GSM MAP E164 Digits. (Bug 8450)
Silent installer and uninstaller not silent. (Bug 8451)
Replace use of INCLUDES with AM_CPPFLAGS in all Makefiles to placate recent autotools. (Bug 8452)
Wifi details are not stored in the Decryption Key Management dialog (post 1.8.x). (Bug 8446)
IO Graph should not be limited to 100k points (NUM_IO_ITEMS). (Bug 8460)
geographical_description: hf_gsm_a_geo_loc_deg_of_long 24 bit field truncated to 23 bits. (Bug 8532)
IRC message with multiple params causes malformed packet exception. (Bug 8548)
Part of Ping Reply Message in ICMPv6 Reply Message is marked as "Malformed Packet". (Bug 8554)
MP2T wiretap heuristic overriding ERF. (Bug 8556)
Cannot read content of Ran Information Application Error Rim Container. (Bug 8559)
Endian error and IP:Port error when decoding BT-DHT response message. (Bug 8572)
"ACE4_ADD_FILE/ACE4_ADD_SUBDIRECTORY" should be "ACE4_APPEND_DATA / ACE4_ADD_SUBDIRECTORY". (Bug 8575)
wireshark crashes while displaying I/O Graph. (Bug 8583)
GTPv2 MM Context (UMTS Key, Quad, and Quint Decoded) incorrectly. (Bug 8596)
DTLS 1.2 uses wrong PRF. (Bug 8608)
RTP DTMF digits are no longer displayed in VoIP graph analysis. (Bug 8610)
Universal port not accepted in RSA Keys List window. (Bug 8618)
Wireshark Dissector bug with HSRP Version 2. (Bug 8622)
LISP control packet incorrectly identified as LISP data based when UDP source port is 4341. (Bug 8627)
Bad tcp checksum not detected. (Bug 8629)
AMR Frame Type uses wrong Value String. (Bug 8681)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
AMR, ASN.1 BER, BAT, Bluetooth DHT, BSSGP, DTLS, E.164, Ericsson A-bis OML, GSM A, GSM MAP, HDFSDATA, ICMP, ICMPv6, ixveriwave, IRC, KDSP, LISP Data, MMS, NFS, OpenWire, PPP, RELOAD, RTP, SASP, SIP, SSL/TLS, TCP, UA3G
New and Updated Capture File Support
Endace ERF, NetScreen snoop.
Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About?Folders to find the default locations on your system.

Changes for v1.8.5 - v1.8.6

The following vulnerabilities have been fixed.
wnpa-sec-2013-10
The TCP dissector could crash.

Changes for v1.8.4 - v1.8.5

What's New
Bug Fixes
The following vulnerabilities have been fixed.
wnpa-sec-2013-01
Infinite and large loops in the Bluetooth HCI, CSN.1, DCP-ETSI DOCSIS CM-STAUS, IEEE 802.3 Slow Protocols, MPLS, R3, RTPS, SDP, and SIP dissectors. Reported by Laurent Butti. (Bugs 8036, 8037, 8038, 8040, 8041, 8042, 8043, 8198, 8199, 8222)
Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
GENERIC-MAP-NOMATCH
wnpa-sec-2013-02
The CLNP dissector could crash. Discovered independently by Laurent Butti and the Wireshark development team. (Bug 7871)
Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
GENERIC-MAP-NOMATCH
wnpa-sec-2013-03
The DTN dissector could crash. (Bug 7945)
Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
GENERIC-MAP-NOMATCH
wnpa-sec-2013-04
The MS-MMC dissector (and possibly others) could crash. (Bug 8112)
Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
GENERIC-MAP-NOMATCH
wnpa-sec-2013-05
The DTLS dissector could crash. Discovered by Laurent Butti. (Bug 8111)
Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
GENERIC-MAP-NOMATCH
wnpa-sec-2013-06
The ROHC dissector could crash. (Bug 7679)
Versions affected: 1.8.0 to 1.8.4.
GENERIC-MAP-NOMATCH
wnpa-sec-2013-07
The DCP-ETSI dissector could corrupt memory. Discovered by Laurent Butti. (Bug 8213)
Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
GENERIC-MAP-NOMATCH
wnpa-sec-2013-08
The Wireshark dissection engine could crash. Discovered by Laurent Butti. (Bug 8197)
Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
GENERIC-MAP-NOMATCH
wnpa-sec-2013-09
The NTLMSSP dissector could overflow a buffer. Discovered by Ulf Härnhammar.
Versions affected: 1.8.0 to 1.8.4, 1.6.0 to 1.6.12.
GENERIC-MAP-NOMATCH
The following bugs have been fixed:
SNMPv3 Engine ID registration. (Bug 2426)
Wrong decoding of gtp.target identification. (Bug 3974)
Reassemble.c leaks memory for GLIB > 2.8. (Bug 4141)
Wireshark crashes when starting due to out-of-date plugin left behind from earlier installation. (Bug 7401)
Failed to dissect TLS handshake packets. (Bug 7435)
ISUP dissector problem with empty Generic Number. (Bug 7632)
Illegal character is used in temporary capture file name. (Bug 7877)
Lua code crashes wireshark after update to 1.8.3. (Bug 7976)
Timestamp info is not saved correctly when writing DOS Sniffer files. (Bug 7998)
1.8.3 Wireshark User's Guide version is 1.6. (Bug 8009)
Core dumped when the file is closed. (Bug 8022)
LPP is misspelled in APDU parameter in e-CIDMeasurementInitiation request for LPPA message. (Bug 8023)
Wrong packet bytes are selected for ISUP CUG binary code. (Bug 8035)
Decodes FCoE Group Multicast MAC address as Broadcom MAC address. (Bug 8046)
The SSL dissector stops decrypting the SSL conversation with Malformed Packet:SSL error messages. (Bug 8075)
Unable to Save/Apply [Unistim Port] in Preferences. (Bug 8078)
Some Information Elements in GTPv2 are not dissected correctly. (Bug 8079)
Wrong bytes highlighted with "Find Packet...". (Bug 8085)
3GPP ULI AVP. SAI is not correctly decoded. (Bug 8098)
Wireshark does not show "Start and End Time" information for Cisco Netflow/IPFIX with type 154 to 157. (Bug 8105)
GPRS Tunnel Protocoll GTP Version 1 does not decode DAF flag in Common Flags IE. (Bug 8193)
Wrong parcing of ULI of gtpv2 messages - errors in SAC, RAC & ECI. (Bug 8208)
Version Number in EtherIP dissector. (Bug 8211)
Warn Dissector bug, protocol JXTA. (Bug 8212)
Electromagnetic Emission Parser parses field Event Id as Entity Id. (Bug 8227)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ANSI IS-637-A, ASN.1 PER, AX.25, Bluetooth HCI, CLNP, CSN.1, DCP-ETSI, DIAMETER, DIS PDU, DOCSIS CM-STATUS, DTLS, DTN, EtherIP, Fibre Channel, GPRS, GTP, GTPv2, HomePlug AV, IEEE 802.3 Slow, IEEE 802.15.4, ISUP, JXTA, LAPD, LPPa, MPLS, MS-MMC, NAS-EPS, NTLMSSP, ROHC, RSL, RTPS, SDP, SIP, SNMP, SSL
New and Updated Capture File Support
DOS Sniffer

Changes for v1.8.3 - v1.8.4

The following vulnerabilities have been fixed.
wnpa-sec-2012-30 Wireshark could leak potentially sensitive host name resolution information when working with multiple pcap-ng files. Discovered by Laura Chappell. Versions affected: 1.8.0 to 1.8.3.
wnpa-sec-2012-31 The USB dissector could go into an infinite loop. (Bug 7787) Versions affected: 1.8.0 to 1.8.3, 1.6.0 to 1.6.11.
wnpa-sec-2012-32 The sFlow dissector could go into an infinite loop. (Bug 7789) Versions affected: 1.8.0 to 1.8.3.
wnpa-sec-2012-33 The SCTP dissector could go into an infinite loop. (Bug 7802) Versions affected: 1.8.0 to 1.8.3.
wnpa-sec-2012-34 The EIGRP dissector could go into an infinite loop. (Bug 7800) Versions affected: 1.8.0 to 1.8.3.
wnpa-sec-2012-35 The ISAKMP dissector could crash. (Bug 7855) Versions affected: 1.8.0 to 1.8.3, 1.6.0 to 1.6.11.
wnpa-sec-2012-36 The iSCSI dissector could go into an infinite loop. (Bug 7858) Versions affected: 1.8.0 to 1.8.3, 1.6.0 to 1.6.11.
wnpa-sec-2012-37 The WTP dissector could go into an infinite loop. (Bug 7869) Versions affected: 1.8.0 to 1.8.3, 1.6.0 to 1.6.11.
wnpa-sec-2012-38 The RTCP dissector could go into an infinite loop. (Bug 7879) Versions affected: 1.8.0 to 1.8.3, 1.6.0 to 1.6.11.
wnpa-sec-2012-39 The 3GPP2 A11 dissector could go into an infinite loop. (Bug 7801) Versions affected: 1.8.0 to 1.8.3.
wnpa-sec-2012-40 The ICMPv6 dissector could go into an infinite loop. (Bug 7844) Versions affected: 1.8.0 to 1.8.3, 1.6.0 to 1.6.11. The following bugs have been fixed:
Menu and Title bars inaccessible using GTK2 (non-legacy) with two monitors. (Bug 553)
802.11 Probe Response fails to parse. (Bug 1284)
Tshark - decimal symbol. (Bug 2880)
Malformed tpncp.dat file can crash Wireshark. (Bug 6665)
SSL decryption not work even with example capture file and key. (Bug 6869)
Info line is incorrect on SIP message containing another SIP message in body. (Bug 7780)
OOPS: dissector table "sctp.ppi" doesn't exist Protocol being registered is "Datagram Transport Layer Security". (Bug 7784)
Dissection of IEEE 802.11 Channel Switch Announcement element fails. (Bug 7797)
Invalid memory accesses when loading RADIUS captures. (Bug 7803)
ISUP CIC should have format BASE_DEC, not BASE_HEX. (Bug 7848)
We don't handle pcap-ng files with IDBs that come after packet blocks. (Bug 7851)
'*' wildcard in the 'Src IP' or 'Dest IP' field of the ESP SA dialog does not work. (Bug 7866)
nas_eps dissector does not decode some esm message. (Bug 7912)
WLAN decryption status not updated after updating WEP/WPA keys. (Bug 7921)
IPv6 Option Pad1 Incorrect dissection. (Bug 7938)
Print GNUTLS error message if PEM import fails. (Bug 7948)
GSM classmark3 8-PSK decode error. (Bug 7964)
Parsing the Server Name Indication extension in SSL/TLS traffic reads some fields incorrectly. (Bug 7967)
Lua code crashes wireshark after update to 1.8.3. (Bug 7976)
2 bugs in Ran-Information-Error Rim Container. (Bug 8000)
Misspelling (typo) in IPv6 display filter field name. (Bug 8006)
Two BSSGP dissector bugs. (Bug 8008)
Core dump during SCTP association analysis. (Bug 8011) New and Updated Features There are no new features in this release.
New Protocol Support There are no new protocols in this release.
Updated Protocol Support 3GPP2 A11, BSSGP, EIGRP, FMP/NOTIFY, GSM A, ICMP, ICMPv6, IEEE 802.11, IPsec, IPv6, ISAKMP, iSCSI, LTE RRC, NAS EPS, NDPS, Prism, RADIUS, RRC, RTCP, SCTP, sFlow, SIP, SMB2, SSL/TLS, TPNCP, USB
New and Updated Capture File Support
CommView NCF, iSeries, pcap-ng.

Changes for v1.8.2 - v1.8.3

Bug Fixes The following vulnerabilities have been fixed.
wnpa-sec-2012-26 The HSRP dissector could go into an infinite loop. (Bug 7581) Versions affected: 1.8.0 to 1.8.2.CVE-2012-5237
wnpa-sec-2012-27 The PPP dissector could abort. (Bug 7316, bug 7668) Versions affected: 1.8.0 to 1.8.2.CVE-2012-5238
wnpa-sec-2012-28 Martin Wilck discovered an infinite loop in the DRDA dissector. (Bug 7666) Versions affected: 1.6.0 to 1.6.10, 1.8.0 to 1.8.2.CVE-2012-5239
wnpa-sec-2012-29 Laurent Butti discovered a buffer overflow in the LDP dissector. (Bug 7567) Versions affected: 1.8.0 to 1.8.2.CVE-2012-5240
The following bugs have been fixed:
The HTTP dissector does not reassemble headers when the first TCP segment does not contain a full header line.
HDCP2 uses the wrong protocol id.
Several I/O graph problems have been fixed.
No markers show up when maps are displayed. (Bug 5016)
Assertion when using tshark/wireshark on large captures. (Bug 5699)
Volume label field of "SMB/TRANS2-QUERY_FS_INFO/InfoVolume level" reply packet is not displayed correctly due alignment issue. (Bug 5778)
64-bit Wireshark appears to hit 2-Gbyte memory limit on 64-bit Windows. (Bug 5979)
Truncated/partial JPEG files are not dissected. (Bug 6230)
Support for MPLS Packet Loss and Delay Measurement, RFC 6374. (Bug 6881)
Memory leak in voip_calls.c. (Bug 7320)
When listing protocols available for "Decode As", plugins are sorted after built-ins. (Bug 7348)
Hidden columns should not be printed when printing packet summary line. (Bug 7356)
Size wrong in "File Set List" for just-finished captures. (Bug 7370)
Error: no dependency information found for debian/wireshark-common/usr/lib/wireshark/libwsutil.so.2 (used by debian/wireshark/usr/bin/wireshark). (Bug 7408)
Parse and properly display LTE RADIUS AVP 3GPP-User-Location-Info. (Bug 7474)
[PATCH] HomeplugAV dissector: decode device id. (Bug 7548)
BACnet GetEnrollmentSummary-ACK does not decode correctly. (Bug 7556)
epan/dissectors/packet-per.c dissect_per_constrained_integer_64b fails for 64 bits. (Bug 7624)
New SCTP PPID 48. (Bug 7635)
dissector of Qos attribute "Reliability Class" in GMM/SM message. (Bug 7670)
Performance regression in tshark -z io,stat. (Bug 7674)
Incorrect io-stat table format when unsupported "-t" operand is specified and when using AVG of relative_time fields. (Bug 7685)
IEEE 802.11 TKIP dissection : wrong IS_TKIP macro. (Bug 7691)
Homeplug AV dissectors does not properly dissect short frames. (Bug 7707)
mm_context_nas_dl_cnt and mm_context_nas_ul_cnt are not dissected properly in ContextResponse message in Gtpv2. (Bug 7718)
This trace causes Wireshark to crash when VoIP Calls selected. (Bug 7724)
Some diameter Gx enumerations are missing values or value is incorrect. (Bug 7727)
Wireshark 1.8.2 is only displaying 2 filters from the drop-down menu even when preferences are set to higher integer. (Bug 7731)
BGP bad decoding for Graceful Restart Capability with only helper support & for Enhanced Route Refresh Capability. (Bug 7734)
Dissection error of D-RELEASE and D-CONNECT in TETRA dissector. (Bug 7736)
DND can cause Wireshark to crash. (Bug 7744)
SCSI: WRITE BUFFER fields always display as zero. (Bug 7753)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release. Updated Protocol Support ASN.1 PER, BACnet, BGP, DIAMETER, DRDA, DVB CI, DVB, GSM Management, GTP, GTPv2, HDCP2, HomePlug AV, ICMP, ICMPv6, IEEE 802.11, IEEE 802a, Interlink, JPEG, LDP, LPP, MPEG, MPLS, PCAP, PPP, RANAP, RRC, RRLP, SCCP, SCSI, SCTP, SDP, SMB, TETRA New and Updated Capture File Support There are no file format updates in this release. Getting Wireshark Wireshark source code and installation packages are available from http://www.wireshark.org/download.html. Vendor-supplied Packages Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.

Changes for v1.8.1 - v1.8.2

What's New
Bug Fixes
The following vulnerabilities have been fixed.
wnpa-sec-2012-13
The DCP ETSI dissector could trigger a zero division. Reported by Laurent Butti. (Bug 7566)
Versions affected: 1.4.0 to 1.4.14, 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
CVE-2012-4285
wnpa-sec-2012-14
The MongoDB dissector could go into a large loop. Reported by Ben Schmidt. (Bug 7572)
Versions affected: 1.8.0 to 1.8.1.
CVE-2012-4287
wnpa-sec-2012-15
The XTP dissector could go into an infinite loop. Reported by Ben Schmidt. (Bug 7571)
Versions affected: 1.4.0 to 1.4.14, 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
CVE-2012-4288
wnpa-sec-2012-16
The ERF dissector could overflow a buffer. Reported by Laurent Butti. (Bug 7563)
Versions affected: 1.8.0 to 1.8.1.
CVE-2012-4294 CVE-2012-4295
wnpa-sec-2012-17
The AFP dissector could go into a large loop. Reported by Stefan Cornelius. (Bug 7603)
Versions affected: 1.4.0 to 1.4.14, 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
CVE-2012-4289
wnpa-sec-2012-18
The RTPS2 dissector could overflow a buffer. Reported by Laurent Butti. (Bug 7568)
Versions affected: 1.4.0 to 1.4.14, 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
CVE-2012-4296
wnpa-sec-2012-19
The GSM RLC MAC dissector could overflow a buffer. Reported by Laurent Butti. (Bug 7561)
Versions affected: 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
CVE-2012-4297
wnpa-sec-2012-20
The CIP dissector could exhaust system memory. Reported by Ben Schmidt. (Bug 7570)
Versions affected: 1.4.0 to 1.4.14, 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
CVE-2012-4291
wnpa-sec-2012-21
The STUN dissector could crash. Reported by Laurent Butti. (Bug 7569)
Versions affected: 1.4.0 to 1.4.14, 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
CVE-2012-4292
wnpa-sec-2012-22
The EtherCAT Mailbox dissector could abort. Reported by Laurent Butti. (Bug 7562)
Versions affected: 1.4.0 to 1.4.14, 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
CVE-2012-4293
wnpa-sec-2012-23
The CTDB dissector could go into a large loop. Reported by Ben Schmidt. (Bug 7573)
Versions affected: 1.4.0 to 1.4.14, 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.
CVE-2012-4290
wnpa-sec-2012-24
The pcap-ng file parser could trigger a zero division. (Bug 7533)
Versions affected: 1.8.0 to 1.8.1.
CVE-2012-4286
wnpa-sec-2012-25
The Ixia IxVeriWave file parser could overflow a buffer. (Bug 7533)
Versions affected: 1.8.0 to 1.8.1.
CVE-2012-4298
The following bugs have been fixed:
Move Y.1711 out of MPLS dissector. (Bug 6787)
Patch: Add frame.interface_id support for ERF file format. (Bug 7266)
Freeze when Resizing or Moving while capturing. (Bug 7305)
Wireshark crashes when using multiple files. (Bug 7423)
Wireshark crashes on opening very short NFS pcap file. (Bug 7498)
Analyze->Apply as Filter and Analyze->Prepare a Filter cause crashes. (Bug 7506)
crashes in interface list, pipe handling. (Bug 7511)
ISDN LAPD X.31 packet traffic can not be decoded. (Bug 7514)
GIOP request_id used for sub dissectors is not assigned when decoding GIOP 1.2 Request message. (Bug 7516)
pcap-ng -ISB always writes 0 for isb_ifrecv option. (Bug 7523)
GSM classmark3 decode wrong. (Bug 7524)
mem corruption\heap corruption\div0 bugs. (Bug 7533)
DNS AD flag not shown properly. (Bug 7555)
Wireshark and TShark crash at start with invalid color filter on SPARC. (Bug 7634)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
AFP, Apache JServ Protocol v1.3, Bluetooth L2CAP, CIP, CTDB, DCP ETSI, ERF, EtherCAT Mailbox, FC Link Control, GIOP, GSM A, GSM RLC MAC, GTP, GTPv2, ISDN, LISP, MongoDB, MPLS ITU-T Y.1711 OAM, MPLS PM, NFS, RTPS2, SCTP, STUN, XTP
New and Updated Capture File Support
Ixia IxVeriWave, pcap-ng
Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About?Folders to find the default locations on your system.
Known Problems
Dumpcap might not quit if Wireshark or TShark crashes. (Bug 1419)
The BER dissector might infinitely loop. (Bug 1516)
Capture filters aren't applied when capturing from named pipes. (Bug 1814)
Filtering tshark captures with display filters (-R) no longer works. (Bug 2234)
The 64-bit Windows installer does not support Kerberos decryption. (Win64 development page)
Application crash when changing real-time option. (Bug 4035)
Hex pane display issue after startup. (Bug 4056)
Packet list rows are oversized. (Bug 4357)
Summary pane selected frame highlighting not maintained. (Bug 4445)
Wireshark and TShark will display incorrect delta times in some cases. (Bug 4985)

Changes for v1.8.0 - v1.8.1

What's New
Bug Fixes
The following vulnerabilities have been fixed.
wnpa-sec-2012-11
The PPP dissector could crash. (Debian bug 680056) -->
Versions affected: 1.4.0 to 1.4.13, 1.6.0 to 1.6.8, 1.8.0.
wnpa-sec-2012-12
The NFS dissector could use excessive amounts of CPU. (Bug 7436)
Versions affected: 1.4.0 to 1.4.13, 1.6.0 to 1.6.8, 1.8.0.
The following bugs have been fixed:
Wireshark crashes on bootp filter. (Bug 7391)
Wireshark > 1.4 does not correctly read Association ID for PS Poll packets. (Bug 7429)
Radius-EAP broken since 1.8.0 release. (Bug 7430)
SNMP incorrectly marks SNMPv3 "discovery" packet as malformed. (Bug 7438)
Widgets are not properly expanded in GTK3. (Bug 7377)
Find Next Mark duplicated on Edit Menu. (Bug 7445)
DVB-CI/CI+: fix offset error in operator_info apdu. (Bug 7468)
Unable to correctly identify IEC 61850 MMS packets. (Bug 7488)
WinPcap doesn't install if vcredist_x64 requires reboot. (Bug 7507)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
BACapp, BOOTP, DCERPC SPOOLSS, DVB-CI, H.248, IEEE 802.11, Jmirror, NAS EPS, NFS, PPP, RELOAD Framing, SES, SNMP, XMPP
New and Updated Capture File Support
Microsoft Network Monitor

Changes for v1.8.0 RC 2 - v1.8.0

What's New
Bug Fixes
The following bugs have been fixed:
When saving the displayed packets, packets which are dependencies (e.g., due to reassembly) of the displayed packets are included in the list of saved packets (Bug 3315).
Rearranging columns in preferences doesn't work on 64-bit Windows. (Bug 6077)
New and Updated Features
The following features are new (or have been significantly updated) since version 1.6:
Wireshark supports capturing from multiple interfaces at once.
You can now add, edit, and save packet and capture file annotations.
Wireshark, TShark, and their associated utilities now save files using the pcap-ng file format by default. (Your copy of Wireshark might still use the pcap file format if pcap-ng is disabled in your preferences.)
Decryption key management for IEEE 802.11, IPsec, and ISAKMP is easier.
OID resolution is now supported on 64-bit Windows.
The "Save As" menu item has been split into "Save As", which lets you save a file using a different filename and "Export Specified Packets", which lets you have more control over which packets are saved.
TCP fast retransmissions are now indicated as an expert info note, rather than a warning, just as TCP retransmissions are.
TCP window updates are no longer colorized as "Bad TCP".
TShark's command-line options have changed. The previously undocumented -P option is now -2 option for performing a two-pass analysis; the former -S option is now the -P option for printing packets even if writing to a file, and the -S option is now used to specify a different line separator between packets.
GeoIP IPv6 databases are now supported.
New Protocol Support
Aastra Signalling Protocol (AASP), ActiveMQ OpenWire, Bandwidth Reservation Protocol (BRP), Bazaar, Binary Floor Control Protocol, BitTorrent DHT, C12.22, CANopen, CIP Motion, CIP Safety, Cisco FabricPath MiM, DMX Channel Data, DMX SIP, DMX Test, DMX Text, DMX, DVB Application Information Table, DVB Bouquet Association Table, DVB Event Information Table, DVB MultiProtocol Encapsulation (DVB-MPE), DVB Network Information Table, DVB Service Description Table, DVB Time and Date Table, DVB Time Offset Table, DVB/ETSI IP Data Cast (IPDC) Electronic Service Guide (ESG), ECP VDP, EIA-709.1 (LonTalk), EIA-852 (CN/IP), ELCOM, Ericsson A-bis OML (OM 2000), Ericsson HDLC, Ericsson Proprietary PCAP, ETSI CAT, ETV-AM Data, ETV-AM EISS Section, Flight Message Transfer Protocol (FMTP), Gadu-Gadu, GEO-Mobile Radio (1) BCCH, GEO-Mobile Radio (1) Common, GEO-Mobile Radio (1) DTAP, GEO-Mobile Radio (1) Radio Resource, Gluster Callback, Gluster CLI, Gluster Dump, Gluster Portmap, GlusterD, GlusterFS Callback, GlusterFS Handshake, GlusterFS, GSM A-bis OML, GSM CBCH, GSM Cell Broadcast Service, GSM SIM, H.248.2, Hadoop Distributed File System (HDFS), HART/IP, Hazelcast, HDFS Data, High bandwidth Digital Content Protection (HDCP), High-availability Seamless Redundancy (HSR), HomePlug AV, HSR/PRP, IEEE 1722.1, ISO 7816, ixveriwave, Kismet drone/server protocol, KristalliNet, LCS-AP, Link Access Procedure, Satellite channel (LAPSat), LLRP, LTE Positioning Protocol A (LPPa), LTE Positioning Protocol, M3 Application Protocol (M3AP), MAC Address Acquisition Protocol, MBMS synchronisation protocol, Microsoft Credential Security Support Provider (CredSSP), MoldUDP, MoldUDP64, MPEG Conditional Access, MPEG descriptors, MPEG DSM-CC, MPEG Program Association Table (PAT), MPEG Program Map Table, MPEG Section, MPLS Packet Loss and Delay Measurement, MPLS-TP Protection State Coordination, Multiple VLAN Registration Protocol (MRVP), Netfilter LOG, NOE, NXP MiFare, NXP PN532, Open IPTV Forum openSAFETY, Performance Co-Pilot (PCP), PPI Sensor, RDP, RTP-MIDI, SBc Application Part (SBc-AP), SDH/SONET, Solaris IP over InfiniBand, Sony FeliCa, T.124, UA (Universal Alcatel), UA3G, UASIP, UAUDP, USB Integrated Circuit Card Interface Device Class (CCID), V5 Data Link Layer (V5DL), V5 Envelope Function (V5EF), Virtual eXtensible Local Area Network (VXLAN), VSS-Monitoring, Vuze DHT, WaveAgent, WebSocket, WSE Remote Ethernet, XMCP, YAMI
Updated Protocol Support
Too many protocols have been updated to list here.
New and Updated Capture File Support
Aethra Telecommunications' PC108, Catapult DCT2000, Citrix NetScaler, Cisco Secure IDS IPLog, Endace ERF, Gammu DCT3, Generic MIME, IBM iSeries, InfoVista 5View, Ixia IxVeriWave, LANalyzer, Microsoft NetMon, MPEG2-TS, Network Instruments Observer, Nokia DCT3, pcap, pcap-ng, Solaris snoop, TamoSoft CommView, Tektronix K12xx, XML

Changes for v1.7.1 Beta - v1.8.0 RC 1

Bug Fixes
The following bugs have been fixed:
When saving the displayed packets, packets which are dependencies (e.g., due to reassembly) of the displayed packets are included in the list of saved packets (Bug 3315).
Rearranging columns in preferences doesn't work on 64-bit Windows. (Bug 6077)
New and Updated Features
The following features are new (or have been significantly updated) since version 1.6:
Wireshark supports capturing from multiple interfaces at once.
You can now add, edit, and save packet and capture file annotations.
Wireshark, TShark, and their associated utilities now save files using the pcap-ng file format by default. (Your copy of Wireshark might still use the pcap file format if pcap-ng is disabled in your preferences.)
Decryption key management for IEEE 802.11, IPsec, and ISAKMP is easier.
OID resolution is now supported on 64-bit Windows.
When saving packets, the default choice is now to save only the displayed packets rather than all packets.
TCP fast retransmissions are now indicated as an expert info note, rather than a warning, just as TCP retransmissions are.
TCP window updates are no longer colorized as "Bad TCP".
TShark's command-line options have changed. The previously undocumented -P option is now -2 option for performing a two-pass analysis; the former -S option is now the -P option for printing packets even if writing to a file, and the -S option is now used to specify a different line separator between packets.
GeoIP IPv6 databases are now supported.
New Protocol Support
Aastra Signalling Protocol (AASP), ActiveMQ OpenWire, Bandwidth Reservation Protocol (BRP), Bazaar, Binary Floor Control Protocol, BitTorrent DHT, C12.22, CANopen, CIP Motion, CIP Safety, Cisco FabricPath MiM, DMX Channel Data, DMX SIP, DMX Test, DMX Text, DMX, DVB Application Information Table, DVB Bouquet Association Table, DVB Event Information Table, DVB MultiProtocol Encapsulation (DVB-MPE), DVB Network Information Table, DVB Service Description Table, DVB Time and Date Table, DVB Time Offset Table, DVB/ETSI IP Data Cast (IPDC) Electronic Service Guide (ESG), ECP VDP, EIA-709.1 (LonTalk), EIA-852 (CN/IP), ELCOM, Ericsson A-bis OML (OM 2000), Ericsson HDLC, Ericsson Proprietary PCAP, ETSI CAT, ETV-AM Data, ETV-AM EISS Section, Flight Message Transfer Protocol (FMTP), Gadu-Gadu, GEO-Mobile Radio (1) BCCH, GEO-Mobile Radio (1) Common, GEO-Mobile Radio (1) DTAP, GEO-Mobile Radio (1) Radio Resource, Gluster Callback, Gluster CLI, Gluster Dump, Gluster Portmap, GlusterD, GlusterFS Callback, GlusterFS Handshake, GlusterFS, GSM A-bis OML, GSM CBCH, GSM Cell Broadcast Service, GSM SIM, H.248.2, Hadoop Distributed File System (HDFS), HART/IP, Hazelcast, HDFS Data, High bandwidth Digital Content Protection (HDCP), High-availability Seamless Redundancy (HSR), HomePlug AV, HSR/PRP, IEEE 1722.1, ISO 7816, ixveriwave, Kismet drone/server protocol, KristalliNet, LCS-AP, Link Access Procedure, Satellite channel (LAPSat), LLRP, LTE Positioning Protocol A (LPPa), LTE Positioning Protocol, M3 Application Protocol (M3AP), MAC Address Acquisition Protocol, MBMS synchronisation protocol, Microsoft Credential Security Support Provider (CredSSP), MoldUDP, MoldUDP64, MPEG Conditional Access, MPEG descriptors, MPEG DSM-CC, MPEG Program Association Table (PAT), MPEG Program Map Table, MPEG Section, MPLS Packet Loss and Delay Measurement, MPLS-TP Protection State Coordination, Multiple VLAN Registration Protocol (MRVP), Netfilter LOG, NOE, NXP MiFare, NXP PN532, Open IPTV Forum openSAFETY, Performance Co-Pilot (PCP), PPI Sensor, RDP, RTP-MIDI, SBc Application Part (SBc-AP), SDH/SONET, Solaris IP over InfiniBand, Sony FeliCa, T.124, UA (Universal Alcatel), UA3G, UASIP, UAUDP, USB Integrated Circuit Card Interface Device Class (CCID), V5 Data Link Layer (V5DL), V5 Envelope Function (V5EF), Virtual eXtensible Local Area Network (VXLAN), VSS-Monitoring, Vuze DHT, WaveAgent, WebSocket, WSE Remote Ethernet, XMCP, YAMI
Updated Protocol Support
Too many protocols have been updated to list here.
New and Updated Capture File Support
Aethra Telecommunications' PC108, Catapult DCT2000, Citrix NetScaler, Cisco Secure IDS IPLog, Endace ERF, Gammu DCT3, Generic MIME, IBM iSeries, InfoVista 5View, Ixia IxVeriWave, LANalyzer, Microsoft NetMon, MPEG2-TS, Network Instruments Observer, Nokia DCT3, pcap, pcap-ng, Solaris snoop, TamoSoft CommView, Tektronix K12xx, XML

Changes for v1.6.7 - v1.6.8

Bug Fixes
The following vulnerabilities have been fixed.
wnpa-sec-2012-08
Infinite and large loops in the ANSI MAP, ASF, BACapp, Bluetooth HCI, IEEE 802.11, IEEE 802.3, LTP, and R3 dissectors have been fixed. Discovered by Laurent Butti. (Bugs 6805, 7118, 7119, 7120, 7121, 7122, 7124, 7125)
Versions affected: 1.4.0 to 1.4.12, 1.6.0 to 1.6.7.
wnpa-sec-2012-09
The DIAMETER dissector could try to allocate memory improperly and crash. (Bug 7138)
Versions affected: 1.4.0 to 1.4.12, 1.6.0 to 1.6.7.
wnpa-sec-2012-10
Wireshark could crash on SPARC processors due to misaligned memory. Discovered by Klaus Heckelmann. (Bug 7221)
Versions affected: 1.4.0 to 1.4.12, 1.6.0 to 1.6.7.
The following bugs have been fixed:
User-Password - PAP decoding passwords longer than 16 bytes. (Bug 6779)
The MSISDN is not seen correctly in GTP packet. (Bug 7042)
Wireshark doesn't calculate the right IPv4 destination using source routing options when bad options precede them. (Bug 7043)
BOOTP dissector issue with DHCP option 82 - suboption 9. (Bug 7047)
MPLS dissector in 1.6.7 and 1.7.1 misdecodes some MPLS CW packets. (Bug 7089)
ANSI MAP infinite loop. (Bug 7119)
HCIEVT infinite loop. (Bug 7122)
Wireshark doesn't decode NFSv4.1 operations. (Bug 7127)
LTP infinite loop. (Bug 7124)
Wrong values in DNS CERT RR. (Bug 7130)
Megaco parser problem with LF in header. (Bug 7198)
OPC UA bytestring node id decoding is wrong. (Bug 7226)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ANSI MAP, ASF, BACapp, Bluetooth HCI, DHCP, DIAMETER, DNS, GTP, IEEE 802.11, IEEE 802.3, IPv4, LTP, Megaco, MPLS, NFS, OPC UA, RADIUS
New and Updated Capture File Support
5View, CSIDS, pcap, pcap-ng

Changes for v1.6.6 - v1.6.7

Bug Fixes
The following bugs have been fixed:
Wireshark could crash while reading SSL decryption keys on 64-bit Windows.
Malformed Packets H263-1996 (RFC2190). (Bug 6996)
Wireshark could crash while trying to open an rpcap: URL. (Bug 6922)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
H.263
New and Updated Capture File Support
There are no updates in this release.
Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About?Folders to find the default locations on your system.
Known Problems
Wireshark might make your system disassociate from a wireless network on OS X 10.4. (Bug 1315)
Dumpcap might not quit if Wireshark or TShark crashes. (Bug 1419)
The BER dissector might infinitely loop. (Bug 1516)
Capture filters aren't applied when capturing from named pipes. (Bug 1814)
Filtering tshark captures with display filters (-R) no longer works. (Bug 2234)
The 64-bit Windows installer does not ship with libsmi. (Win64 development page)
"Closing File!" Dialog Hangs. (Bug 3046)
Application crash when changing real-time option. (Bug 4035)
Hex pane display issue after startup. (Bug 4056)
Packet list rows are oversized. (Bug 4357)
Summary pane selected frame highlighting not maintained. (Bug 4445)
Wireshark and TShark will display incorrect delta times when displayed as a custom column. (Bug 4985)

Changes for v1.6.5 - v1.6.6

Bug Fixes
The following vulnerabilities have been fixed.
wnpa-sec-2012-04
The ANSI A dissector could dereference a NULL pointer and crash. (Bug 6823)
Versions affected: 1.4.0 to 1.4.11, 1.6.0 to 1.6.5.
CVE-2012-1593
wnpa-sec-2012-05
The IEEE 802.11 dissector could go into an infinite loop. (Bug 6809)
Versions affected: 1.6.0 to 1.6.5.
CVE-2012-1594
wnpa-sec-2012-06
The pcap and pcap-ng file parsers could crash trying to read ERF data. (Bug 6804)
Versions affected: 1.4.0 to 1.4.11, 1.6.0 to 1.6.5.
CVE-2012-1595
wnpa-sec-2012-07
The MP2T dissector could try to allocate too much memory and crash. (Bug 6833)
Versions affected: 1.4.0 to 1.4.11, 1.6.0 to 1.6.5.
CVE-2012-1596
The Windows installers now include GnuTLS 2.12.18 and Libtasn1 2.12, which fix several vulnerabilities.
The following bugs have been fixed:
ISO SSAP: ActivityStart: Invalid decoding the activity parameter as a BER Integer. (Bug 2873)
Forward slashes in URI need to be converted to backslashes if WIN32. (Bug 5237)
Character echo pauses in Capture Filter field in Capture Options. (Bug 5356)
Some PGM options are not parsed correctly. (Bug 5687)
dumpcap crashes when capturing from pipe to a pcap-ng file (e.g., when passing data from CACE Pilot to Wireshark). (Bug 5939)
Unable to rearrange columns in preferences on Windows. (Bug 6077) (Note: this bug still affects the 64-bit package)
No error for UDP/IPv6 packet with zero checksum. (Bug 6232)
Wireshark installer doesn't add access_bpf in 10.5.8. (Bug 6526)
Corrupted Diameter dictionary file that crashes Wireshark. (Bug 6664)
packetBB dissector bug: More than 1000000 items in the tree -- possible infinite loop. (Bug 6687)
ZEP dissector: Timestamp not always displayed correctly. Fractional seconds never displayed. (Bug 6703)
GOOSE Messages don't use the length field to perform the dissection. (Bug 6734)
Ethernet traces in K12 text format sometimes give bogus "malformed frame" errors and other problems. (Bug 6735)
max_ul_ext isn't printed/decoded to the packet details log in GTP protocol packet. (Bug 6761)
non-IPP packets to or from port 631 are dissected as IPP. (Bug 6765)
lua proto registration fails for uppercase proto / g_ascii_strdown problem. (Bug 6766)
no menu item Fle->Export->SSL Session Keys in GTK. (Bug 6813)
IAX2 dissector reads past end of packet for unknown IEs. (Bug 6815)
TShark 1.6.5 immediately crashes on SSL decryption (every time). (Bug 6817)
USB: unknown GET DESCRIPTOR response triggers assert failure. (Bug 6826)
IEEE1588 PTPv2 over IPv6. (Bug 6836)
Patch to fix DTLS decryption. (Bug 6847)
Expression... dialog crash. (Bug 6891)
display filter "gtp.msisdn" not working. (Bug 6947)
Multiprotocol Label Switching Echo - Return Code: Reserved (5). (Bug 6951)
ISAKMP : VendorID CheckPoint : Malformed Packet. (Bug 6972)
Adding a Custom HTTP Header Field with a trailing colon causes wireshark to immediately crash (and crash upon restart). (Bug 6982)
Radiotap dissector lists a bogus "DBM TX Attenuation" bit. (Bug 7000)
MySQL dissector assertion. (Ask 8649)
Radiotap header format data rate alignment issues. (Ask 8649)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ANSI A, BSSGP, DIAMETER, DTLS, GOOSE, GSM Management, GTP, HTTP, IAX2, IEEE 802.11, IPP, ISAKMP, ISO SSAP, MP2T, MPLS, MySQL, NTP, PacketBB, PGM, Radiotap, SSL, TCP, UDP, USB, WSP
New and Updated Capture File Support
Endace ERF, Pcap-NG, Tektronix K12

Changes for v1.6.4 - v1.6.5

Bug Fixes
The following vulnerabilities have been fixed.
wnpa-sec-2012-01
Laurent Butti discovered that Wireshark failed to properly check record sizes for many packet capture file formats. (Bug 6663, bug 6666, bug 6667, bug 6668, bug 6669, bug 6670)
Versions affected: 1.4.0 to 1.4.10, 1.6.0 to 1.6.4.
wnpa-sec-2012-02
Wireshark could dereference a NULL pointer and crash. (Bug 6634)
Versions affected: 1.4.0 to 1.4.10, 1.6.0 to 1.6.4.
wnpa-sec-2012-03
The RLC dissector could overflow a buffer. (Bug 6391)
Versions affected: 1.4.0 to 1.4.10, 1.6.0 to 1.6.4.
The following bugs have been fixed:
"Closing File!" Dialog Hangs. (Bug 3046)
Sub-fields of data field should appear in exported PDML as children of the data field instead of as siblings to it. (Bug 3809)
Incorrect time differences displayed with time reference set. (Bug 5580)
Wrong packet type association of SNMP trap after TFTP transfer. (Bug 5727)
SSL/TLS decryption needs wireshark to be rebooted. (Bug 6032)
Export HTTP Objects -> save all crashes Wireshark. (Bug 6250)
Wireshark Netflow dissector complains there is no template found though the template is exported. (Bug 6325)
DCERPC EPM tower UUID must be interpreted always as little endian. (Bug 6368)
Crash if no recent files. (Bug 6549)
IPv6 frame containing routing header with 0 segments left calculates wrong UDP checksum. (Bug 6560)
IPv4 UDP/TCP Checksum incorrect if routing header present. (Bug 6561)
Incorrect Parsing of SCPS Capabilities Option introduced in response to bug 6194. (Bug 6562)
Various crashes after loading NetMon2.x capture file. (Bug 6578)
Fixed compilation of dumpcap on some systems (when MUST_DO_SELECT is defined). (Bug 6614)
SIGSEGV in SVN 40046. (Bug 6634)
Wireshark dissects TCP option 25 as an "April 1" option. (Bug 6643)
ZigBee ZCL Dissector reports invalid status. (Bug 6649)
ICMPv6 DNSSL option malformed on padding. (Bug 6660)
Wrong tvb_get_bits function call in packet-csn1.c. (Bug 6708)
[UDP] - Length Field of Pseudo Header while computing CheckSum is not correct. (Bug 6711)
pcapio.c: bug in libpcap_write_interface_description_block. (Bug 6719)
Memory leaks in various dissectors.
Bytes highlighted in wrong Byte pane when field selected in Details pane.
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
BGP, BMC CSN1, DCERPC EPM, DCP(ETSI) DMP DTLS GSM Management, H245 HPTEAM, ICMPv6, IEEE 802.15.4 IPSEC IPv4, IPv6, ISAKMP KERBEROS LDSS NFS RLC, RPC-NETLOGON RRC RTMPT SIGCOMP SSL SYSLOG TCP, UDP, XML ZigBee ZCL
New and Updated Capture File Support
Accellent 5Views, AIX iptrace, HP-UX nettl, I4B, Microsoft Network

Changes for v1.6.3 - v1.6.4

Bug Fixes
The following bugs have been fixed:
Patch to fix memory leaks/errors in Lua plugin. (Bug 5575)
Wireshark crashes if a field of type BASE_CUSTOM is applied as a column. (Bug 6503)
Filter Expression dialog can only be opened once. (Bug 6537)
Wireshark crashes if compiled without GLib thread support. (Bug 6540)
80211 QoS Control: Add Raw TID. (Bug 6548)
SNMP length check error. (Bug 6564)
UCP dissector bug of operation 61. (Bug 6570)

Changes for v1.6.2 - v1.6.3

Bug Fixes
The following vulnerabilities have been fixed.
wnpa-sec-2011-17
The CSN.1 dissector could crash. (Bug 6351)
Versions affected: 1.6.0 to 1.6.2.
wnpa-sec-2011-18
Huzaifa Sidhpurwala of Red Hat Security Response Team discovered that the Infiniband dissector could dereference a NULL pointer. (Bug 6476)
Versions affected: 1.4.0 to 1.4.9, 1.6.0 to 1.6.2.
wnpa-sec-2011-19
Huzaifa Sidhpurwala of Red Hat Security Response Team discovered a buffer overflow in the ERF file reader. (Bug 6479)
Versions affected: 1.4.0 to 1.4.9, 1.6.0 to 1.6.2.
The following bugs have been fixed:
Assertion failed when doing File->Quit->Save during live capture. (Bug 1710)
Wrong PCEP XRO sub-object decoding. (Bug 3778)
Wireshark window takes very long time to show up if invalid network file path is at recent file list (Bug 3810)
Decoding [Status Records] Timestamp Sequence Field in Bundle Protocol fails if over 32 bits. (Bug 4109)
ISUP party number dissection. (Bug 5221)
wireshark-1.4.2 crashes when testing the example python dissector because of a dissector count assertion. (Bug 5431)
Ethernet packets with both VLAN tag and LLC header no longer displayed correctly. (Bug 5645)
SLL encapsuled 802.1Q VLAN is not dissected. (Bug 5680)
Wireshark crashes when attempting to open a file via drag & drop when there's already a file open. (Bug 5987)
Adding and removing custom HTTP headers requires a restart. (Bug 6241)
Can't read full 64-bit SNMP values. (Bug 6295)
Dissection fails for frames with Gigamon Header and VLAN. (Bug 6305)
RTP Stream Analysis does not work for TURN-encapsulated RTP. (Bug 6322)
packet-csn1.c doesn't process CSN_CHOICE entries properly. (Bug 6328)
BACnet property time-synchronization-interval (204) name shown incorrectly as time-synchronization-recipients. (Bug 6336)
GUI crash on invalid IEEE 802.11 GAS frame. (Bug 6345)
[ASN.1 PER] Incorrect decoding of BIT STRING type. (Bug 6347)
ICMPv6 router advertisement Prefix Information Flag R "Router Address" missing. (Bug 6350)
Export -> Object -> HTTP -> save all: Error on saving files. (Bug 6362)
Inner tag of 802.1ad frames not parsed properly. (Bug 6366)
Added cursor type decoding to MySQL dissector. (Bug 6396)
Incorrect identification of UDP-encapsulated NAT-keepalive packets. (Bug 6414)
WPA IE pairwise cipher suite dissector uses incorrect value_string list. (Bug 6420)
S1AP protocol can't decode IPv6 transportLayerAddress. (Bug 6435)
RTPS2 dissector doesn't handle 0 in the octestToNextHeader field. (Bug 6449)
packet-ajp13 fix, cleanup, and enhancement. (Bug 6452)
Network Instruments Observer file format bugs. (Bug 6453)
Wireshark crashes when using "Open Recent" 2 times in a row. (Bug 6457)
Wireshark packet_gsm-sms, display bug: Filler bits in TP-User Data Header. (Bug 6469)
wireshark unable to decode NetFlow options which have system scope size != 4 bytes. (Bug 6471)
Display filter Expression Dialog Box Error. (Bug 6472)
text_import_scanner.l missing. (Bug 6531)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
AJP13, ASN.1 PER, BACnet, CSN.1, DTN, Ethernet, ICMPv6, IEEE 802.11, IEEE 802.1q, Infiniband, IPsec, MySQL, PCEP, PN-RT, RTP, S1AP, SSL
New and Updated Capture File Support
Endace ERF.
Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About?Folders to find the default locations on your system.

Changes for v1.6.1 - v1.6.2

What's New
Bug Fixes
The following vulnerabilities have been fixed.
wnpa-sec-2011-12
A large loop in the OpenSafety dissector could cause a crash. (Bug 6138)
Versions affected: 1.6.0 to 1.6.1.
wnpa-sec-2011-13
A malformed IKE packet could consume excessive resources.
Versions affected: 1.4.0 to 1.4.8, 1.6.0 to 1.6.1.
CVE-2011-3266
wnpa-sec-2011-14
A malformed capture file could result in an invalid root tvbuff and cause a crash. (Bug 6135)
Versions affected: 1.6.0 to 1.6.1.
wnpa-sec-2011-15
Wireshark could run arbitrary Lua scripts. (Bug 6136)
Versions affected: 1.4.0 to 1.4.8, 1.6.0 to 1.6.1.
wnpa-sec-2011-16
The CSN.1 dissector could crash. (Bug 6139)
Versions affected: 1.6.0 to 1.6.1.
The following bugs have been fixed:
configure ignores (partially) LDFLAGS. (Bug 5607)
Build fails when it tries to #include , not present in Solaris 9. (Bug 5608)
Unable to configure zero length SNMP Engine ID. (Bug 5731)
BACnet who-is request device range values are not decoded correctly in the packet details window. (Bug 5769)
H.323 RAS packets missing from packet counts in "Telephony->VoIP Calls" and the "Flow Graph" for the call. (Bug 5848)
Wireshark crashes if sercosiii module isn't installed. (Bug 6006)
Editcap could create invalid pcap files when converting from JPEG. (Bug 6010)
Timestamp is incorrectly decoded for ICMP Timestamp Response packets from MS Windows. (Bug 6114)
Malformed Packet in decode for BGP-AD update. (Bug 6122)
Wrong display of CSN_BIT in CSN.1. (Bug 6151)
Fix CSN_RECURSIVE_TARRAY last bit error in packet-csn1.c. (Bug 6166)
Wireshark cannot display Reachable time & Retrans timer in IPv6 RA messages. (Bug 6168)
ReadPropertyMultiple-ACK not correctly dissected. (Bug 6178)
GTPv2 dissectors should treat gtpv2_ccrsi as optional. (Bug 6183)
BGP : AS_PATH attribute was decode wrong. (Bug 6188)
Fixes for SCPS TCP option. (Bug 6194)
Offset calculated incorrectly for sFlow extended data. (Bug 6219)
[Enter] key behavior varies when manually typing display filters. (Bug 6228)
Contents of pcapng EnhancedPacketBlocks with comments aren't displayed. (Bug 6229)
Misdecoding 3G Neighbour Cell Information Element in SI2quater message due to a coding typo. (Bug 6237)
Mis-spelled word "unknown" in assorted files. (Bug 6244)
tshark run with -Tpdml makes a seg fault. (Bug 6245)
btl2cap extended window shows wrong bit. (Bug 6257)
NDMP dissector incorrectly represents "ndmp.bytes_left_to_read" as signed. (Bug 6262)
TShark/dumpcap skips capture duration flag occasionally. (Bug 6280)
File types with no snaplen written out with a zero snaplen in pcap-ng files. (Bug 6289)
Wireshark improperly parsing 802.11 Beacon Country Information tag. (Bug 6264)
ERF records with extension headers not written out correctly to pcap or pcap-ng files. (Bug 6265)
RTPS2: MAX_BITMAP_SIZE is defined incorrectly. (Bug 6276)
Copying from RTP stream analysis copies 1st line many times. (Bug 6279)
Wrong display of CSN_BIT under CSN_UNION. (Bug 6287)
MEGACO context tracking fix - context id reuse. (Bug 6311)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
BACapp, Bluetooth L2CAP, CSN.1, DCERPC, GSM A RR, GTPv2, ICMP, ICMPv6, IKE, MEGACO, MSISDN, NDMP, OpenSafety, RTPS2, sFlow, SNMP, TCP
New and Updated Capture File Support
CommView, pcap-ng, JPEG.
Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About?Folders to find the default locations on your system.

Changes for v1.6.0 - v1.6.1

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
The Lucent/Ascend file parser was susceptible to an infinite loop.
Versions affected: 1.2.0 to 1.2.17, 1.4.0 to 1.4.7, and 1.6.0.
CVE-2011-2597
The ANSI MAP dissector was susceptible to an infinite loop. (Bug 6044)
Versions affected: 1.4.0 to 1.4.7, and 1.6.0.
The following bugs have been fixed:
TCP dissector doesn't decode TCP segments of length 1. (Bug 4716)
wireshark 1.4.0rc1 and python - spurious message. (Bug 4878)
Missing LUA function. (Bug 5006)
Lua API description about creating a new Tvb from a bytearray is not correct in wireshark's user guide. (Bug 5199)
Character echo pauses in Capture Filter field in Capture Options. (Bug 5356)
White space in protocol field abbreviation causes runtime failure while registering Lua dissector. (Bug 5569)
"File not found" box uses wrong filename encoding. (Bug 5715)
capinfos: #ifdef HAVE_LIBGCRYPT block includes a line too many . (Bug 5803)
Wireshark crashes if Lua contains "Pref.range()" with missing arguments. (Bug 5895)
The "range" field in Lua's "Pref.range()" serves as default while the "default" field does nothing . (Bug 5896)
Wireshark crashes when calling TreeItem:set_len() on TreeItem without tvb. (Bug 5941)
TvbRange_string(lua_State* L) call a wrong function. (Bug 5960)
VoIP call flow graph displays BICC APM as a BICC ANM. (Bug 5966)
Cannot Live-capture VirtualBox network packets with Wireshark; pipe problem. (Bug 6002)
Interface list in Capture Options isn't cleared when selecting other host. (Bug 6008)
H323 rate multiplier wrong. (Bug 6009)
Inclusion of config.h is too late in lex-files resulting in wrong definition of _FILE_OFFSET_BITS. (Bug 6012)
tshark crashes when loading Lua script that contains GUI function. (Bug 6018)
802.11 Disassociation Packet's "Reason Code" field is imprecisely decoded/described. (Bug 6022)
Wireshark crashes when setting custom column's field name with conditional. (Bug 6028)
Crash after applying "expert.severity" field as column. (Bug 6035)
GTS Descriptor count limited to 3 instead of 7. (Bug 6055)
The SSL dissector can not resemble correctly the frames after TCP zero window probe packet. (Bug 6059)
Packet parser takes too long for this trace. (Bug 6073)
The SSL dissector can not resemble correctly the frames after TCP zero window probe packet. (Bug 6059)
Wireshark crashes after repeating "File -> Import -> Cancel". (Bug 6080)
Decoding of MQ ASCII and EBCDIC Traffic Flow - ASCII shows fine, EBCDIC does not. (Bug 6084)
802.11 Association Response Packet's "Status Code" field is imprecisely decoded/described. (Bug 6093)
Abis interface not correctly handled in gsmtap dissector. (Bug 6097)
Wrong decoding of RLC/MAC EGPRS Packet Downlink Ack/Nack (3GPP TS 44.060). (Bug 6098)
CSN Ack/Nack Description wrongly handled in gsm_rlcmac_dl dissector (3GPP TS 44.060). (Bug 6101)
wireshark 1.6.0 and python support: installer fails to create the wspy_dissectors subdirectory and . (Bug 6110)
Wireshark crash during RTP stream analysis. (Bug 6120)
Tshark custom columns: Why don't I get an error message? (Bug 6131)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
New and Updated Capture File Support
Network Monitor.
Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About→Folders to find the default locations on your system.

Changes for v1.6.0 RC1 - v1.6.0

What's New
Bug Fixes
The following bugs have been fixed:
Wireshark is unresponsive when capturing from named pipes on Windows. (Bug 1759)
Crash when sorting column while capturing. (Bug 4273)
Ring buffers are no longer turned on by default when using multiple capture files.
New and Updated Features
The following features are new (or have been significantly updated) since version 1.4:
Wireshark is now distributed as an installation package rather than a drag-installer on OS X. The installer adds a startup item that should make it easier to capture packets.
Large file (greater than 2 GB) support has been improved.
Wireshark and TShark can import text dumps, similar to text2pcap.
You can now view Wireshark's dissector tables (for example the TCP port to dissector mappings) from the main window.
Wireshark can export SSL session keys via File?Export?SSL Session Keys...
TShark can show a specific occurrence of a field when using '-T fields'.
Custom columns can show a specific occurrence of a field.
You can hide columns in the packet list.
Wireshark can now export SMB objects.
dftest and randpkt now have manual pages.
TShark can now display iSCSI, ICMP and ICMPv6 service response times.
Dumpcap can now save files with a user-specified group id.
Syntax checking is done for capture filters.
You can display the compiled BPF code for capture filters in the Capture Options dialog.
You can now navigate backwards and forwards through TCP and UDP sessions using Ctrl+, and Ctrl+. .
Packet length is (finally) a default column.
TCP window size is now avaiable both scaled and unscaled. A TCP window scaling graph is available in the GUI.
802.1q VLAN tags are now shown in the Ethernet II protocol tree instead of a separate tree.
Various dissectors now display some UTF-16 strings as proper Unicode including the DCE/RPC and SMB dissectors.
The RTP player now has an option to show the time of day in the graph in addition to the seconds since beginning of capture.
The RTP player now shows why media interruptions occur.
Graphs now save as PNG images by default.
TShark can read and write host name information from and to pcapng-formatted files. Wireshark can read it. TShark can dump host name information via
[-z hosts]
.
TShark's -z option now uses the
[-z ,srt]
syntax instead of
[-z ,rtt]
for all protocols that support service response time statistics. This matches Wireshark's syntax for this option.
Wireshark and TShark can now read compressed Windows Sniffer files.
New Protocol Support
ADwin, ADwin-Config, Apache Etch, Aruba PAPI, Babel Routing Protocol, Broadcast/Multicast Control, Constrained Application Protocol (COAP), Digium TDMoE, Erlang Distribution Protocol, Ether-S-I/O, FastCGI, Fibre Channel over InfiniBand (FCoIB), Gopher, Gigamon GMHDR, IDMP, Infiniband Socket Direct Protocol (SDP), JSON, LISP Control, LISP Data, LISP, MikroTik MAC-Telnet, MRP Multiple Mac Registration Protocol (MMRP) Mongo Wire Protocol, MUX27010, Network Monitor 802.11 radio header, OPC UA ExtensionObjects, openSAFETY, PPI-GEOLOCATION-GPS, ReLOAD, ReLOAD Framing, RObust Header Compression (ROHC), RSIP, SAMETIME, SCoP, SGSAP, Tektronix Teklink, USB/AT Commands, uTorrent Transport Protocol, WAI authentication, Wi-Fi P2P (Wi-Fi Direct)
Updated Protocol Support
New and Updated Capture File Support
Apple PacketLogger, Catapult DCT2000, Daintree SNA, Endace ERF, HP OpenVMS TCPTrace, IPFIX (the file format, not the protocol), Lucent/Ascend debug, Microsoft Network Monitor, Network Instruments, TamoSoft CommView

Changes for v1.5.0 Development Release - v1.5.1 Development Release

Bug Fixes
The following bugs have been fixed:
Wireshark is unresponsive when capturing from named pipes on Windows. (Bug 1759)
Ring buffers are no longer turned on by default when using multiple capture files.
New and Updated Features
The following features are new (or have been significantly updated) since version 1.4:
Wireshark can import text dumps, similar to text2pcap.
You can now view Wireshark's dissector tables (for example the TCP port to dissector mappings) from the main window.
TShark can show a specific occurrence of a field when using '-T fields'.
Custom columns can show a specific occurrence of a field.
You can hide columns in the packet list.
Wireshark can now export SMB objects.
dftest and randpkt now have manual pages.
TShark can now display iSCSI service response times.
Dumpcap can now save files with a user-specified group id.
Syntax checking is done for capture filters.
You can display the compiled BPF code for capture filters in the Capture Options dialog.
You can now navigate backwards and forwards through TCP and UDP sessions using Ctrl+, and Ctrl+. .
Packet length is (finally) a default column.
TCP window size is now avaiable both scaled and unscaled. A TCP window scaling graph is available in the GUI.
802.1q VLAN tags are now shown by the Ethernet II dissector.
Various dissectors now display some UTF-16 strings as proper Unicode including the DCE/RPC and SMB dissectors.
The RTP player now has an option to show the time of day in the graph in addition to the seconds since beginning of capture.
The RTP player now shows why media interruptions occur.
Graphs now save as PNG images by default.
TShark can read and write host name information from and to pcapng-formatted files. Wireshark can read it. TShark can dump host name information via
[-z hosts]
The tshark -z option now uses the
[-z ,srt]
syntax instead of
[-z ,rtt]
for all protocols that support service response time statistics. This syntax now matches Wireshark's syntax for this option.
New Protocol Support
ADwin, ADwin-Config, Apache Etch, Aruba PAPI, Babel Routing Protocol, Constrained Application Protocol (COAP), Digium TDMoE, Erlang Distribution Protocol, Ether-S-I/O, FastCGI, Fibre Channel over InfiniBand (FCoIB), Gopher, Gigamon GMHDR, IDMP, Infiniband Socket Direct Protocol (SDP), JSON, LISP Data, MikroTik MAC-Telnet, Mongo Wire Protocol, Network Monitor 802.11 radio header, OPC UA ExtensionObjects, PPI-GEOLOCATION-GPS, ReLOAD, ReLOAD Framing, RSIP, SAMETIME, SCoP, SGSAP, Tektronix Teklink, WAI authentication, Wi-Fi P2P (Wi-Fi Direct)
Updated Protocol Support
New and Updated Capture File Support
Apple PacketLogger, Catapult DCT2000, Daintree SNA, Endace ERF, HP OpenVMS TCPTrace, IPFIX (the file format, not the protocol), Lucent/Ascend debug, Microsoft Network Monitor, Network Instruments, TamoSoft CommView
Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About?Folders to find the default locations on your system.

Changes for v1.4.3 - v1.5.0 Development Release

New and Updated Features
The following features are new (or have been significantly updated) since version 1.4:
Wireshark can import text dumps, similar to text2pcap.
You can now view Wireshark's dissector tables (for example the TCP port to dissector mappings) from the main window.
TShark can show a specific occurrence of a field when using '-T fields'.
Custom columns can show a specific occurrence of a field.
You can hide columns in the packet list.
Wireshark can now export SMB objects.
dftest and randpkt now have manual pages.
TShark can now display iSCSI service response times.
Dumpcap can now save files with a user-specified group id.
Syntax checking is done for capture filters.
You can display the compiled BPF code for capture filters in the Capture Options dialog.
You can now navigate backwards and forwards through TCP and UDP sessions using Ctrl+, and Ctrl+. .
Packet length is (finally) a default column.
TCP window size is now avaiable both scaled and unscaled. A TCP window scaling graph is available in the GUI.
802.1q VLAN tags are now shown by the Ethernet II dissector.
Various dissectors now display some UTF-16 strings as proper Unicode including the DCE/RPC and SMB dissectors.
The RTP player now has an option to show the time of day in the graph in addition to the seconds since beginning of capture.
The RTP player now shows why media interruptions occur.
Graphs now save as PNG images by default.
New Protocol Support
ADwin, ADwin-Config, Apache Etch, Aruba PAPI, Constrained Application Protocol (COAP), Digium TDMoE, Ether-S-I/O, FastCGI, Fibre Channel over InfiniBand (FCoIB), Gopher, Gigamon GMHDR, IDMP, Infiniband Socket Direct Protocol (SDP), JSON, LISP Data, MikroTik MAC-Telnet, Mongo Wire Protocol, Network Monitor 802.11 radio header, OPC UA ExtensionObjects, PPI-GEOLOCATION-GPS, ReLOAD, ReLOAD Framing, SAMETIME, SCoP, SGSAP, Tektronix Teklink, WAI authentication, Wi-Fi P2P (Wi-Fi Direct)
New and Updated Capture File Support
Apple PacketLogger, Catapult DCT2000, Daintree SNA, Endace ERF, HP OpenVMS TCPTrace, IPFIX (the file format, not the protocol), Lucent/Ascend debug, Microsoft Network Monitor, Network Instruments, TamoSoft CommView

Changes for v1.4.6 - v1.4.7

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
Large/infinite loop in the DICOM dissector. (Bug 5876)
Versions affected: 1.2.0 to 1.2.16 and 1.4.0 to 1.4.6.
Huzaifa Sidhpurwala of the Red Hat Security Response Team discovered that a corrupted Diameter dictionary file could crash Wireshark.
Versions affected: 1.2.0 to 1.2.16 and 1.4.0 to 1.4.6.
Huzaifa Sidhpurwala of the Red Hat Security Response Team discovered that a corrupted snoop file could crash Wireshark. (Bug 5912)
Versions affected: 1.2.0 to 1.2.16 and 1.4.0 to 1.4.6.
David Maciejak of Fortinet's FortiGuard Labs discovered that malformed compressed capture data could crash Wireshark. (Bug 5908)
Versions affected: 1.2.0 to 1.2.16 and 1.4.0 to 1.4.6.
Huzaifa Sidhpurwala of the Red Hat Security Response Team discovered that a corrupted Visual Networks file could crash Wireshark. (Bug 5934)
Versions affected: 1.2.0 to 1.2.16 and 1.4.0 to 1.4.6.
The following bugs have been fixed:
AIM dissector has some endian issues. (Bug 5464)
Telephony?MTP3?MSUS doesn't display window. (Bug 5605)
Support for MS NetMon 3.x traces containing raw IPv6 ("Type 7") packets. (Bug 5817)
Service Indicator in M3UA protocol data. (Bug 5834)
IEC60870-5-104 protocol, incorrect decoding of timestamp type CP56Time2a. (Bug 5889)
DNP3 dissector incorrect constants AL_OBJ_FCTR_16NF _FDCTR_32NF _FDCTR_16NF. (Bug 5920)
3GPP QoS: Traffic class is not decoded properly. (Bug 5928)
Wireshark crashes when creating ProtoField.framenum in Lua. (Bug 5930)
Fix a wrong mask to extract FMID from DECT packets dissector. (Bug 5947)
Incorrect DHCPv6 remote identifier option parsing. (Bug 5962)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
DICOM, IEC104, M3UA, TCP,
New and Updated Capture File Support
Network Monitor.

Changes for v1.4.5 - v1.4.6

Bug Fixes
The following bugs have been fixed:
Wireshark and TShark can crash while analyzing TCP packets. (Bug 5837)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
TCP
New and Updated Capture File Support
There is no new or updated capture file support in this release.
Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About->Folders to find the default locations on your system.

Changes for v1.4.4 - v1.4.5

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
The NFS dissector could crash on Windows. (Bug 5209)
Versions affected: 1.4.0 to 1.4.4.
The X.509if dissector could crash. (Bug 5754, Bug 5793)
Versions affected: 1.2.0 to 1.2.15 and 1.4.0 to 1.4.4.
Paul Makowski from SEI/CERT discovered that the DECT dissector could overflow a buffer. He verified that this could allow remote code execution on many platforms.
Versions affected: 1.4.0 to 1.4.4.
The following bugs have been fixed:
Cygwin make fails after updating to bash v 4.1.9.2
Export HTTP > All - System Appears Hung (but isn't). (Bug 1671)
Some HTTP responses don't decode with TCP reassembly on. (Bug 3785)
Wireshark crashes when cancelling a large sort operation. (Bug 5189)
Wireshark crashes if SSL preferences RSA key is actually a DSA key. (Bug 5662)
tshark incorrectly calculates TCP stream for some syn packets. (Bug 5743)
Wireshark not able to decode the PPP frame in a sflow (RFC3176) flow sample packet because Wireshark incorrectly read the protocol in PPP frame header. (Bug 5746)
Mysql protocol dissector: all fields should be little endian. (Bug 5759)
Error when opening snoop from Juniper SSG-140. (Bug 5762)
svnversion: command not found. (Bug 5798)
capinfos: #ifdef HAVE_LIBGCRYPT block includes a line too many. (Bug 5803)
Value of TCP segment data cannot be copied. (Bug 5811)
proto_field_is_referenced() is not exported in libwireshark.dll. (Bug 5816)
Wireshark ver. 1.4.4 not displayed "Granted QoS" field in a A11 packet. (Bug 5822)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
HTTP, LDAP, MySQL, NFS, sFlow, SSL, TCP
New and Updated Capture File Support
Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About->Folders to find the default locations on your system.

Changes for v1.4.3 - v1.4.4

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
Huzaifa Sidhpurwala of the Red Hat Security Response Team discovered that Wireshark could free an uninitialized pointer while reading a malformed pcap-ng file. (Bug 5652)
Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3.
CVE-2011-0538
Huzaifa Sidhpurwala of the Red Hat Security Response Team discovered that a large packet length in a pcap-ng file could crash Wireshark. (Bug 5661)
Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3.
Wireshark could overflow a buffer while reading a Nokia DCT3 trace file.
Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3.
CVE-2011-0713
Paul Makowski working for SEI/CERT discovered that Wireshark on 32 bit systems could crash while reading a malformed 6LoWPAN packet. (Bug 5722)
Versions affected: 1.4.0 to 1.4.3.
joernchen of Phenoelit discovered that the LDAP and SMB dissectors could overflow the stack. (Bug 5717)
Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3. (Prior versions including 1.0.x are also affected.)
Xiaopeng Zhang of Fortinet's Fortiguard Labs discovered that large LDAP Filter strings can consume excessive amounts of memory. (Bug 5732)
Versions affected: 1.2.0 to 1.2.14 and 1.4.0 to 1.4.3. (Prior versions including 1.0.x are also affected.)
The following bugs have been fixed:
A TCP stream would not always be recognized as the same stream. (Bug 2907)
Wireshark Crashing by pressing 2 Buttons. (Bug 4645)
A crash can occur in the NTLMSSP dissector. (Bug 5157)
The column texts from a Lua dissector could be mangled. (Bug 5326) (Bug 5630)
Corrections to ANSI MAP ASN.1 specifications. (Bug 5584)
When searching in packet bytes, the field and bytes are not immediately shown. (Bug 5585)
Malformed Packet: ULP reported when dissecting ULP SessionID PDU. (Bug 5593)
Wrong IEI in container of decode_gtp_mm_cntxt. (Bug 5598)
Display filter does not work for expressions of type BASE_DEC, BASE_DEC_HEX and BASE_HEX_DEC. (Bug 5606)
NTLMSSP dissector may fail to compile due to space embedded in C comment delimiters. (Bug 5614)
Allow for name resolution of link-scope and multicast IPv6 addresses from local host file. (Bug 5615)
DHCPv6 dissector formats DUID_LLT time incorrectly. (Bug 5627)
Allow for IEEE 802.3bc-2009 style PoE TLVs. (Bug 5639)
Various fixes to the HIP packet dissector. (Bug 5646)
Display "Day of Year" for January 1 as 1, not 0. (Bug 5653)
Accommodate the CMake build on Ubuntu 10.10. (Bug 5665)
E.212 MCC 260 Poland update according to local national regulatory. (Bug 5668)
IPP on ports other than 631 not recognized. (Bug 5677)
Potential access violation when writing to LANalyzer files. (Bug 5698)
IEEE 802.15.4 Superframe Specification - Final CAP Slot always 0. (Bug 5700)
Peer SRC and DST AS numbers are swapped for cflow. (Bug 5702)
dumpcap: -q option behavior doesn't match documentation. (Bug 5716)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ANSI MAP, BitTorrent, DCM, DHCPv6, DTAP, DTPT, E.212, GSM Management, GTP, HIP, IEEE 802.15.4, IPP, LDAP, LLDP, Netflow, NTLMSSP, P_Mul, Quake, Skinny, SMB, SNMP, ULP
New and Updated Capture File Support
LANalyzer, Nokia DCT3, Pcap-ng
Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About->Folders to find the default locations on your system.

Changes for v1.4.2 - v1.4.3

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
FRAsse discovered that the MAC-LTE dissector could overflow a buffer. (Bug 5530)
Versions affected: 1.2.0 to 1.2.13 and 1.4.0 to 1.4.2.
FRAsse discovered that the ENTTEC dissector could overflow a buffer. (Bug 5539)
Versions affected: 1.2.0 to 1.2.13 and 1.4.0 to 1.4.2.
CVE-2010-4538
The ASN.1 BER dissector could assert and make Wireshark exit prematurely. (Bug 5537)
Versions affected: 1.4.0 to 1.4.2.
The following bugs have been fixed:
AMQP failed assertion. (Bug 4048)
Reassemble.c leaks memory for GLIB > 2.8. (Bug 4141)
Fuzz testing reports possible dissector bug: TCP. (Bug 4211)
Wrong length calculation in new_octet_aligned_subset_bits() (PER dissector). (Bug 5393)
Function dissect_per_bit_string_display might read more bytes than available (PER dissector). (Bug 5394)
Cannot load wpcap.dll & packet.dll from Wireshark program directory. (Bug 5420)
Wireshark crashes with Copy -> Description on date/time fields. (Bug 5421)
DHCPv6 OPTION_CLIENT_FQDN parse error. (Bug 5426)
Information element Error for supported channels. (Bug 5430)
Assert when using ASN.1 dissector with loading a 'type table'. (Bug 5447)
Bug with RWH parsing in Infiniband dissector. (Bug 5444)
Help->About Wireshark mis-reports OS. (Bug 5453)
Delegated-IPv6-Prefix(123) is shown incorrect as X-Ascend-Call-Attempt-Limit(123). (Bug 5455)
"tshark -r file -T fields" is truncating exported data. (Bug 5463)
gsm_a_dtap: incorrect "Extraneous Data" when decoding Packet Flow Identifier. (Bug 5475)
Improper decode of TLS 1.2 packet containing both CertificateRequest and ServerHelloDone messages. (Bug 5485)
LTE-PDCP UL and DL problem. (Bug 5505)
CIGI 3.2/3.3 support broken. (Bug 5510)
Prepare Filter in RTP Streams dialog does not work correctly. (Bug 5513)
Wrong decode at ethernet OAM Y.1731 ETH-CC. (Bug 5517)
WPS: RF bands decryption. (Bug 5523)
Incorrect LTP SDNV value handling. (Bug 5521)
LTP bug found by randpkt. (Bug 5323)
Buffer overflow in SNMP EngineID preferences. (Bug 5530)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
AMQP, ASN.1 BER, ASN.1 PER, CFM, CIGI, DHCPv6, Diameter, ENTTEC, GSM A GM, IEEE 802.11, InfiniBand, LTE-PDCP, LTP, MAC-LTE, MP2T, RADIUS, SAMR, SCCP, SIP, SNMP, TCP, TLS, TN3270, UNISTIM, WPS
New and Updated Capture File Support
Endace ERF, Microsoft Network Monitor, VMS TCPtrace.

Changes for v1.4.1 - v1.4.2

What's New
Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
Nephi Johnson of BreakingPoint discovered that the LDSS dissector could overflow a buffer. (Bug 5318)
Versions affected: 1.2.0 to 1.2.12 and 1.4.0 to 1.4.1.
The ZigBee ZCL dissector could go into an infinite loop. (Bug 5303)
Versions affected: 1.4.0 to 1.4.1.
The following bugs have been fixed:
File-Open Display Filter is overwritten by Save-As Filename. (Bug 3894)
Wireshark crashes with "Gtk-ERROR **: Byte index 6 is off the end of the line" if click on last PDU. (Bug 5285)
GTK-ERROR can occur in packets when there are multiple Netbios/SMB headers in a single frame. (Bug 5289)
"Tshark -G values" crashes on Windows. (Bug 5296)
PROFINET I&M0FilterData packet not fully decoded. (Bug 5299)
PROFINET MRP linkup/linkdown decoding incorrect. (Bug 5300)
[lua] Dumper:close() will cause a segfault due later GC of the Dumper. (Bug 5320)
Network Instruments' trace files sometimes cannot be read with an error message of "Observer: bad record: Invalid magic number". (Bug 5330)
IO Graph Time of Day times incorrect for filtered data. (Bug 5340)
Wireshark tools do not detect and read some ERF files correctly. (Bug 5344)
"editcap -h" sends some lines to stderr and others to stdout. (Bug 5353)
IP Timestamp Option: "flag=3" variant (prespecified) not displayed correctly. (Bug 5357)
AgentX PDU Header 'hex field highlighting' incorrectly spans extra bytes. (Bug 5364)
AgentX dissector cannot handle null OID in Open-PDU. (Bug 5368)
Crash with "Gtk-ERROR **: Byte index 6 is off the end of the line". (Bug 5374)
ANCP Portmanagment TLV wrong decoded. (Bug 5388)
Crash during startup because of Python SyntaxError in wspy_libws.py. (Bug 5389)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
AgentX, ANCP, DIAMETER, HTTP, IP, LDSS, MIME, NBNS, PROFINET, SIP, TCP, Telnet, ZigBee
New and Updated Capture File Support
Endace ERF, Network Instruments Observer.

Changes for v1.4.0 - v1.4.1

What's New
Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
The Penetration Test Team of NCNIPC (China) discovered that the ASN.1 BER dissector was susceptible to a stack overflow. (Bug 5230)
Versions affected: All previous versions up to and including 1.2.11 and 1.4.0.
CVE-2010-????
The following bugs have been fixed:
Wireshark may appear offscreen on multi-monitor Windows systems. (Bug 553)
Incorrect behavior using sorting in the packet list. (Bug 2225)
Cooked-capture dissector should omit the source address field if empty. (Bug 2519)
MySQL dissector doesn't dissect MySQL stream. (Bug 2691)
Wireshark crashes if active display filter macro is renamed. (Bug 5002)
Incorrect dissection of MAP V2 PRN_ACK. (Bug 5076)
TCP bytes_in_flight becomes inflated with lost packets. (Bug 5132)
Wireshark fails to start on Windows XP 64bit. (Bug 5160)
GTP header is exported in PDML with an incorrect size. (Bug 5162)
Packet list hidden columns will not be parsed correctly from preferences file. (Bug 5163)
Wireshark does not display the t.38 graph. (Bug 5165)
Wireshark don't show mgcp calls in "Telephony ? VoIP calls". (Bug 5167)
Wireshark 1.4.0 & VoIP calls "Prepare Filter" problem. (Bug 5172)
GTPv2: IMSI is decoded improperly. (Bug 5179)
[NAS EPS] EPS Quality of Service IE decoding is wrong. (Bug 5186)
Wireshark mistakenly writes "not all data available" for IPv4 checksum. (Bug 5194)
GSM: Cell Channel Description, range 1024 format. (Bug 5214)
Wrong SDP interpretation on VoIP call flow chart. (Bug 5220)
The CLDAP attribute value on a CLDAP reply is no longer being decoded. (Bug 5239)
[NAS EPS] Traffic Flow Template IE dissection bugs. (Bug 5243)
[NAS EPS] Use Request Type IE defined in 3GPP 24.008. (Bug 5246)
NTLMSSP_AUTH domain and username truncated to first letter with IE8/Windows7 (generating the NTLM packet). (Bug 5251)
IPv6 RH0: dest addr is to be used i.s.o. last RH address when 0 segments remain. (Bug 5252)
EIGRP dissection error in Flags field in external route TLVs. (Bug 5261)
MRP packet is not correctly parsed in PROFINET multiple write record request. (Bug 5267)
MySQL Enhancement: support of Show Fields and bug fix. (Bug 5271)
[NAS EPS] Fix TFT decoding when having several Packet Filters defined. (Bug 5274)
Crash if using ssl.debug.file with no password for ssl.keys_list. (Bug 5277)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ASN.1 BER, ASN.1 PER, EIGRP, GSM A RR, GSM Management, GSM MAP, GTP, GTPv2, ICMPv6, Interlink, IPv4, IPv6, IPX, LDAP, LLC, MySQL, NAS EPS, NTLMSSP, PN-IO, PPP, RPC, SDP, SLL, SSL, TCP
New and Updated Capture File Support
There are no new or updated capture file formats in this release.
Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About->Folders to find the default locations on your system.

Changes for v1.4.0 RC 2 - v1.4.0

What's New
Bug Fixes
The following bugs have been fixed:
Update time display in background. (Bug 1275)
Wireshark is unresponsive when capturing from named pipes on Windows. (Bug 1759)
Tshark returns 0 even with an invalid interface or capture filter. (Bug 4735)
New and Updated Features
The following features are new (or have been significantly updated) since version 1.2:
The packet list internals have been rewritten and are now more efficient.
Columns are easier to use. You can add a protocol field as a column by right-clicking on its packet detail item, and you can adjust some column preferences by right-clicking the column header.
Preliminary Python scripting support has been added.
Many memory leaks have been fixed.
Wireshark 1.4 does not support Windows 2000. Please use Wireshark 1.2 or 1.0 on those systems.
Packets can now be ignored (excluded from dissection), similar to the way they can be marked.
Manual IP address resolution is now supported.
Columns with seconds can now be displayed as hours, minutes and seconds.
You can now set the capture buffer size on UNIX and Linux if you have libpcap 1.0.0 or greater.
TShark no longer needs elevated privileges on UNIX or Linux to list interfaces. Only dumpcap requires privileges now.
Wireshark and TShark can enable 802.11 monitor mode directly if you have libpcap 1.0.0 or greater.
You can play RTP streams directly from the RTP Analysis window.
Capinfos and editcap now respectively support time order checking and forcing.
Wireshark now has a "jump to timestamp" command-line option.
You can open JPEG files directly in Wireshark.
New Protocol Support
3GPP Nb Interface RTP Multiplex, Access Node Control Protocol, Apple Network-MIDI Session Protocol, ARUBA encapsulated remote mirroring, Assa Abloy R3, Asynchronous Transfer Mode, B.A.T.M.A.N. Advanced Protocol, Bluetooth AMP Packet, Bluetooth OBEX, Bundle Protocol, CIP Class Generic, CIP Connection Configuration Object, CIP Connection Manager, CIP Message Router, collectd network data, Control And Provisioning of Wireless Access Points, Controller Area Network, Device Level Ring, DOCSIS Bonded Initial Ranging Message, Dropbox LAN sync Discovery Protocol, Dropbox LAN sync Protocol, DTN TCP Convergence Layer Protocol, EtherCAT Switch Link, Fibre Channel Delimiters, File Replication Service DFS-R, Gateway Load Balancing Protocol, Gigamon Header, GigE Vision Control Protocol, Git Smart Protocol, GSM over IP ip.access CCM sub-protocol, GSM over IP protocol as used by ip.access, GSM Radiotap, HI2Operations, Host Identity Protocol, HP encapsulated remote mirroring, HP NIC Teaming Heartbeat, IEC61850 Sampled Values, IEEE 1722 Protocol, InfiniBand Link, Interlink Protocol, IPv6 over IEEE 802.15.4, ISO 10035-1 OSI Connectionless Association Control Service, ISO 9548-1 OSI Connectionless Session Protocol, ISO 9576-1 OSI Connectionless Presentation Protocol, ITU-T Q.708 ISPC Analysis, Juniper Packet Mirror, Licklider Transmission Protocol, MPLS PW ATM AAL5 CPCS-SDU mode encapsulation, MPLS PW ATM Cell Header, MPLS PW ATM Control Word, MPLS PW ATM N-to-One encapsulation, no CW, MPLS PW ATM N-to-One encapsulation, with CW, MPLS PW ATM One-to-One or AAL5 PDU encapsulation, Multiple Stream Reservation Protocol, NetPerfMeter Protocol, NetScaler Trace, NexusWare C7 MTP, NSN FLIP, OMRON FINS Protocol, packetbb Protocol, Peer Network Resolution Protocol, PKIX Attribute Certificate, Pseudowire Padding, Server/Application State Protocol, Solaris IPNET, TN3270 Protocol, TN5250 Protocol, TRILL, Twisted Banana, UMTS FP Hint, UMTS MAC, UMTS Metadata, UMTS RLC, USB HID, USB HUB, UTRAN Iuh interface HNBAP signalling, UTRAN Iuh interface RUA signalling, V5.2, Vendor Specific Control Protocol, Vendor Specific Network Protocol, VMware Lab Manager, VXI-11 Asynchronous Abort, VXI-11 Core Protocol, VXI-11 Interrupt, X.411 Message Access Service, ZigBee Cluster Library
Updated Protocol Support
There are too many to list here.
New and Updated Capture File Support
Accellent 5Views, ASN.1 Basic Encoding Rules, Catapult DCT2000, Daintree SNA, Endace ERF, EyeSDN, Gammu DCT3 trace, IBM iSeries, JPEG/JFIF, libpcap, Lucent/Ascend access server trace, NetScaler, PacketLogger, pcapng, Shomiti/Finisar Surveyor, Sun snoop, Symbian OS btsnoop, Visual Networks
Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About->Folders to find the default locations on your system.

Changes for v1.2.8 - v1.4.0 RC 1

What's New
Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
The SMB dissector could dereference a NULL pointer. (Bug 4734)
Versions affected: 0.99.6 to 1.0.13, 1.2.0 to 1.2.8
J. Oquendo discovered that the ASN.1 BER dissector could overrun the stack.
Versions affected: 0.10.13 to 1.0.13, 1.2.0 to 1.2.8
The SMB PIPE dissector could dereference a NULL pointer on some platforms.
Versions affected: 0.8.20 to 1.0.13, 1.2.0 to 1.2.8
The SigComp Universal Decompressor Virtual Machine could go into an infinite loop. (Bug 4826)
Versions affected: 0.10.7 to 1.0.13, 1.2.0 to 1.2.8
The SigComp Universal Decompressor Virtual Machine could overrun a buffer. (Bug 4837)
Versions affected: 0.10.8 to 1.0.13, 1.2.0 to 1.2.8
The following bugs have been fixed:
Cannot open file with File -> Open. (Bug 1791)
Application crash when changing real-time option. (Bug 4035)
Crash in filter autocompletion. (Bug 4306)
The XML dissector doesn't allow dots (".") in tags. (Bug 4405)
Live capture stops when using zlib 1.2.5. (Bug 4708)
Want to be able to apply decode as to Data Portion of Lan Trace. (Bug 4721)
SABP short pdu (packet_per.c). (Bug 4743)
Kerberos pre-auth type constants - MS extensions are wrong. (Bug 4752)
Check HTTP Content-Length parsing for overflow. (Bug 4758)
Wrong variable used for proto_tree_add_text() in ptp dissector. (Bug 4773)
Crash when close window frame of gtk file chooser. (Bug 4778)
text2pcap expects \n delimited text (instead of \r\n) on win32. (Bug 4780)
Wrong decoding for BGP ORF. (Bug 4782)
Crash when Ctrl-Backspacing the display filter. (Bug 4797)
Acker AFI field incorrect size in PGM dissector. (Bug 4798)
Fedora 13: wireshark fails to build (linking problem). (Bug 4815)
The NFS FH hash (nfs.fh.hash) incorrectly matches multiple filehandles. (Bug 4839)
AES-CTR decoding not working, (dissectors/packet_ipsec.c using gcrypt). (Bug 4838)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ASN.1 BER, BGP, HTTP, IGMP, IPsec, Kerberos, NFS, PGM, PTP, SABP, SigComp, SMB, TCAP, XML,
Updated Capture File Support
ERF, PacketLogger.
Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About->Folders to find the default locations on your system.
Known Problems
Wireshark may appear offscreen on multi-monitor Windows systems. (Bug 553)
Wireshark might make your system disassociate from a wireless network on OS X. (Bug 1315)
Dumpcap might not quit if Wireshark or TShark crashes. (Bug 1419)
The BER dissector might infinitely loop. (Bug 1516)
Capture filters aren't applied when capturing from named pipes. (Bug 1814)
Wireshark might freeze when reading from a pipe. (Bug 2082)
Filtering tshark captures with display filters (-R) no longer works. (Bug 2234)
The 64-bit Windows installer does not ship with the same libraries as the 32-bit installer. (Bug 3610)
Getting Help
Community support is available on the wireshark-users mailing list. Subscription information and archives for all of Wireshark's mailing lists can be found on the web site.
Commercial support, training, and development services are available from CACE Technologies.

Changes for v1.3.3 Development Release - v1.3.4 Beta

More improvements have been made to the new packet list code.

Changes for v1.3.1 Development Release - v1.3.2 Development Release

The rewritten packet list internals have been updated.

Changes for v1.2.12 - v1.2.13

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
Nephi Johnson of BreakingPoint discovered that the LDSS dissector could overflow a buffer. (Bug 5318)
Versions affected: 1.2.0 to 1.2.12 and 1.4.0 to 1.4.1.
The following bugs have been fixed:
File-Open Display Filter is overwritten by Save-As Filename. (Bug 3894)
GTK-ERROR can occur in packets when there are multiple Netbios/SMB headers in a single frame. (Bug 5289)
IO Graph Time of Day times incorrect for filtered data. (Bug 5340)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
BOOTP, LDSS
Updated Capture File Support
There are no new or updated capture file formats in this release.
Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About->Folders to find the default locations on your system.

Changes for v1.3.1 Development Release - v1.2.12

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
The Penetration Test Team of NCNIPC (China) discovered that the ASN.1 BER dissector was susceptible to a stack overflow. (Bug 5230)
Versions affected: All previous versions up to and including 1.2.11 and 1.4.1.
CVE-2010-3445
The following bugs have been fixed:
ERROR:capture.c:141:capture_start: assertion failed: (capture_opts->state == CAPTURE_STOPPED). (Bug 5126)
GTP header is exported in PDML with an incorrect size. (Bug 5162)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ASN.1 BER, GTP, IPv4, RPC
Updated Capture File Support
There are no new or updated capture file formats in this release.
Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About->Folders to find the default locations on your system.
Known Problems
Wireshark may appear offscreen on multi-monitor Windows systems. (Bug 553)
Wireshark might make your system disassociate from a wireless network on OS X. (Bug 1315)
Dumpcap might not quit if Wireshark or TShark crashes. (Bug 1419)
The BER dissector might infinitely loop. (Bug 1516)
Capture filters aren't applied when capturing from named pipes. (Bug 1814)
Wireshark might freeze when reading from a pipe. (Bug 2082)
Filtering tshark captures with display filters (-R) no longer works. (Bug 2234)
The 64-bit Windows installer does not ship with the same libraries as the 32-bit installer. (Bug 3610)

Changes for v1.2.10 - v1.2.11

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
Wireshark is vulnerable to DLL hijacking as described in Microsoft Security Advisory 2269637. This problem is fully fixed on Windows XP SP1 and later. It is partially fixed on Windows 2000 and XP without service packs. We expect to address those platforms in future releases. If you are running Wireshark on Windows 2000 or XP we recommend that you only open capture files within Wireshark. (Bug 5133)
Versions affected: All previous Windows versions up to and including 1.0.15 and 1.2.10.
CVE-2010-3133
The following bugs have been fixed:
The RTSP dissector could crash. (Bug 5081)
TShark could crash when generating PostScript®. (Bug 5148)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
BOOTP/DHCP, H.264, IP, RTSP, SCTP, SDP, SMB, SMB2
Updated Capture File Support
There are no new or updated capture file formats in this release.
Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About->Folders to find the default locations on your system.
Known Problems
Wireshark may appear offscreen on multi-monitor Windows systems. (Bug 553)
Wireshark might make your system disassociate from a wireless network on OS X. (Bug 1315)
Dumpcap might not quit if Wireshark or TShark crashes. (Bug 1419)
The BER dissector might infinitely loop. (Bug 1516)
Capture filters aren't applied when capturing from named pipes. (Bug 1814)
Wireshark might freeze when reading from a pipe. (Bug 2082)
Filtering tshark captures with display filters (-R) no longer works. (Bug 2234)
The 64-bit Windows installer does not ship with the same libraries as the 32-bit installer. (Bug 3610)

Changes for v1.2.9 - v1.2.10

The following bugs have been fixed:
Wireshark crashes after configuring new Information column. (Bug 4854)
Crash triggered when changing display filter from right-mouse pop-up menu via packet-list. (Bug 4860)
Wireshark crash selecting Inter-Asterisk exchange v2 packet data. (Bug 4868)
zlib-1.2.5 cause tshark to stop live capture. (Bug 4916)
Crash when adding SNMP users. (Bug 4926)
Wireshark via ssh -X on ipv6 link-local address fails to allow capture. (Bug 4945)
OMAPI dissector fails to parse combined initialization messages. (Bug 4982)
QUERY_FS_INFO for Macintosh level 0x301 - MacSupportFlags decodes wrong. (Bug 4993)
SCSI dissector misidentifies ATA PASSTHROUGH command as ACCESS CONTROL IN. (Bug 5037)
Wrong decoding of GTP Prime (GTP') packets. (Bug 5055)

Changes for v1.2.8 - v1.2.9

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
The SMB dissector could dereference a NULL pointer. (Bug 4734) Versions affected: 0.99.6 to 1.0.13, 1.2.0 to 1.2.8
J. Oquendo discovered that the ASN.1 BER dissector could overrun the stack. Versions affected: 0.10.13 to 1.0.13, 1.2.0 to 1.2.8
The SMB PIPE dissector could dereference a NULL pointer on some platforms. Versions affected: 0.8.20 to 1.0.13, 1.2.0 to 1.2.8
The SigComp Universal Decompressor Virtual Machine could go into an infinite loop. (Bug 4826) Versions affected: 0.10.7 to 1.0.13, 1.2.0 to 1.2.8
The SigComp Universal Decompressor Virtual Machine could overrun a buffer. (Bug 4837) Versions affected: 0.10.8 to 1.0.13, 1.2.0 to 1.2.8
The following bugs have been fixed:
Cannot open file with File -> Open. (Bug 1791)
Application crash when changing real-time option. (Bug 4035)
Crash in filter autocompletion. (Bug 4306)
The XML dissector doesn't allow dots (".") in tags. (Bug 4405)
Live capture stops when using zlib 1.2.5. (Bug 4708)
Want to be able to apply decode as to Data Portion of Lan Trace. (Bug 4721)
SABP short pdu (packet_per.c). (Bug 4743)
Kerberos pre-auth type constants - MS extensions are wrong. (Bug 4752)
Check HTTP Content-Length parsing for overflow. (Bug 4758)
Wrong variable used for proto_tree_add_text() in ptp dissector. (Bug 4773)
Crash when close window frame of gtk file chooser. (Bug 4778)
text2pcap expects \n delimited text (instead of \r\n) on win32. (Bug 4780)
Wrong decoding for BGP ORF. (Bug 4782)
Crash when Ctrl-Backspacing the display filter. (Bug 4797)
Acker AFI field incorrect size in PGM dissector. (Bug 4798)
Fedora 13: wireshark fails to build (linking problem). (Bug 4815)
The NFS FH hash (nfs.fh.hash) incorrectly matches multiple filehandles. (Bug 4839)
AES-CTR decoding not working, (dissectors/packet_ipsec.c using gcrypt). (Bug 4838)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ASN.1 BER, BGP, HTTP, IGMP, IPsec, Kerberos, NFS, PGM, PTP, SABP, SigComp, SMB, TCAP, XML,
Updated Capture File Support
ERF, PacketLogger.

Changes for v1.2.7 - v1.2.8

Changes for v1.2.6 - v1.2.7

Bug Fixes
The following bugs have been fixed:
SNMPv3 Engine ID registration. (Bug 2426)
Open file dialog always displayed when clicking anywhere on Wireshark. (Bug 2478)
tshark reports wrong number of bytes on big dumpfiles with -z io,stat. (Bug 3205)
Negative INTEGER number displayed as positive number in SNMP dissector. (Bug 3230)
Add support for FT_BOOLEAN fields to wslua FieldInfo. (Bug 4049)
Wireshark crashes w/ GLib error when trying to play RTP stream. (Bug 4119)
Windows 2000 support has been restored. (Bug 4176)
Wrong dissection on be_cell_id_list for bssmap. (Bug 4437)
I/O Graph dropdown boxes not working correctly. (Bug 4487)
Runtime Error when right-clicking field and selecting "Filter Field Reference". (Bug 4522)
In GSM SMS PDU TPVPF showing wrong. (Bug 4524)
Profinet: May be wrong defined byte meaning. (Bug 4525)
GLib-CRITICAL ** Message. (Bug 4547)
Certain EDP display filters trigger Wireshark/tshark runtime error. (Bug 4563)
Some NCP frames trigger "Dissector bug, protocol NCP". (Bug 4565)
The encapsulation abbreviation "bluetooth-h4" is ambiguous. (Bug 4613)
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
BSSMAP, DMP, GSM SMS, LDSS, NCP, PN/IO, PPP, SIP, SNMP
Updated Capture File Support
There are no updated capture file formats in this release.

Changes for v1.2.5 - v1.2.6

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
Babi discovered several buffer overflows in the LWRES dissector.
Versions affected: 0.9.15 to 1.0.10, 1.2.0 to 1.2.5
The following bugs have been fixed:
Wireshark could crash while decrypting Kerberos data.
Address display filters hang Wireshark. (Bug 658)
PSML - structure context node missing. (Bug 1564)
Wireshark doesn't dynamically update the packet list. (Bug 1605)
LUA: There's no tvb_get_stringz() equivalent. (Bug 2244)
tvb_new_real_data is prone to memory leak. (Bug 3917)
Malformed OPC UA traffic makes Wireshark "freeze". (Bug 3986)
Analyze?Expert... doesn't show IP "Bad Checksum" errors. (Bug 4177)
Wireshark can't decrypt WPA(2)-PSK when passphrase is 63 bytes. (Bug 4183)
RTP stream analysis: Wrong jitter values after clicking the refresh button. (Bug 4340)
Wireshark decodes bootp option 2 incorrectly. (Bug 4342)
Deleting SMI modules causes Wireshark to crash. (Bug 4354)
Wireshark decodes kerberos AS-REQ PADATA incorrect. (Bug 4363)
PDML output from TShark includes invalid characters. (Bug 4402)
Empty GPRS LLC S frames cause truncated data exception. (Bug 4417)
New and Updated Features
Feature parity between the 64- and 32-bit Windows installer has been improved. The 64-bit installer now supports the "matches" operator, GeoIP location, and most types of decryption. Kerberos decryption and OID resolution are still not supported.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
BJNP, BOOTP/DHCP, DHCPv6, FIP, GPRS LLC, IEEE 802.11, IP, Kerberos, OPCUA, SCTP, SSL, ZRTP
Updated Capture File Support
There are no updated capture file formats in this release.
Getting Wireshark
Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About->Folders to find the default locations on your system.

Changes for v1.2.4 - v1.2.5

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
The Daintree SNA file parser could overflow a buffer. (Bug 4294)
The SMB and SMB2 dissectors could crash. (Bug 4301)
The IPMI dissector could crash on Windows. (Bug 4319)
The following bugs have been fixed:
Wireshark does not graph rtp streams. (Bug 3801)
Wireshark showing extraneous data in a TCP stream. (Bug 3955)
Wrong decoding of gtp.target identification. (Bug 3974)
TTE dissector bug. (Bug 4247)
Upper case in Lua pref symbol causes Wireshark to crash. (Bug 4255)
OpenBSD 4.5 build fails at epan/dissectors/packet-rpcap.c. (Bug 4258)
Incorrect display of stream data using "Follow tcp stream" option. (Bug 4288)
Custom RADIUS dictionary can cause a crash. (Bug 4316)
Updated Protocol Support
DAP, eDonkey, GTP, IPMI, MIP, RADIUS, RANAP, SMB, SMB2, TCP, TTE, VNC, X.509sat

Changes for v1.2.2 - v1.2.3

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
The Paltalk dissector could crash on alignment-sensitive processors. (Bug 3689)
Versions affected: 1.2.0 to 1.2.2
The DCERPC/NT dissector could crash.
Versions affected: 0.10.10 to 1.2.2
The SMB dissector could crash.
Versions affected: 1.2.0 to 1.2.2
The following bugs have been fixed:
Wireshark memory leak with each file open and/or display filter change. (Bug 2375)
DHCP Dissector displays negative lease time. (Bug 2733)
Invalid advertised window line on tcptrace style graph. (Bug 3417)
SMB get_dfs_referral referral entry is not dissected correctly. (Bug 3542)
Error dissecting eMule sourceOBFU message. (Bug 3848)
Typos in Diameter XML files. (Bug 3878)
RSL dissector for MS Power IE is broken. (Bug 4017)
Manifest problem in 1.2.2 Win64 build. (Bug 4024)
FIP dissector throws assertion. (Bug 4046)
TCAP problem with indefinite length 'components' SEQ OF. (Bug 4053)
GSM MAP: an-APDU not decoded. (Bug 4095)
Add "Drag and Drop entries..." message on Columns preferences page. (Bug 4099)
Editcap -t and -w option parses fractional digits incorrectly. (Bug 4162)
New and Updated Features
The 32-bit and 64-bit Windows packages now include WinPcap 4.1.1. .
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
DCERPC NT, DHCP, Diameter, E.212, eDonkey, FIP, IPsec, MGCP, NCP, Paltalk, RADIUS, RSL, SBus, SMB, SNMP, SSL, TCP, Teamspeak2, WPS
Updated Capture File Support
Capture file support is unchanged in this release.

Changes for v1.2.1 - v1.2.2

The GSM A RR dissector could crash. (Bug 3893)
Versions affected: 1.2.0 to 1.2.1
The OpcUa dissector could use excessive CPU and memory. (Bug 3986)
Versions affected: 0.99.6 to 1.0.8, 1.2.0 to 1.2.1
The TLS dissector could crash on some platforms. (Bug 4008)
Versions affected: 1.2.0 to 1.2.1
The following bugs have been fixed:
The "Capture->Interfaces" window can't be closed. (Bug 1740)
tshark-1.0.2 (dumpcap) signal abort core saved. (Bug 2767)
Memory leak fixes. (Bug 3330)
Display filter autocompletion doesn't work for some RADIUS and WiMAX ASNCP fields. (Bug 3538)
Wireshark Portable includes wrong WinPcap installer. (Bug 3547)
Crash when loading a profile. (Bug 3640)
The proto,colinfo tap doesn't work if the INFO column isn't being printed. (Bug 3675)
Flow Graph adds too much unnecessary garbage. (Bug 3693)
The EAP Diameter dictionary file was missing in the distribution. (Bug 3761)
Graph analysis window is behind other window. (Bug 3773)
IKEv2 Cert Request payload dissection error. (Bug 3782)
DNS NAPTR RR (RFC 3403) replacement MUST be a fully qualified domain-name. (Bug 3792)
Malformed RTCP Packet error while sending Payload specific RTCP feedback packet( as per RFC 4585). (Bug 3800)
802.11n Block Ack packet Bitmap field missing. (Bug 3806)
Wireshark doesn't decode WBXML/ActiveSync information correctly. (Bug 3811)
Malformed packet when IPv6 packet has Next Header == 59. (Bug 3820)
Wireshark could crash while reading an ERF file. (Bug 3849)
Minor errors in gsm rr dissectors. (Bug 3889)
WPA Decryption Issues. (Bug 3890)
GSM A RR sys info dissection problem. (Bug 3901)
GSM A RR inverts MEAS-VALID values. (Bug 3915)
PDML output leaks ~300 bytes / packet. (Bug 3913)
Incorrect station identifier parsing in Kingfisher dissector. (Bug 3946)
DHCPv6, Vendor-Specific Informantion, SubOption"Option Request" parser incorrect. (Bug 3987)
Wireshark could leak memory while analyzing SSL.
Wireshark could crash while updating menu items after reading a file in some cases.
The Mac OS X ChmodBPF script now works correctly under Snow Leopard.

Changes for v1.2.0 - v1.2.1

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
The IPMI dissector could overrun a buffer. Versions affected: 1.2.0
The AFS dissector could crash. Versions affected: 0.9.2 to 1.2.0
The Infiniband dissector could crash on some platforms. Versions affected: 1.0.6 to 1.2.0
The Bluetooth L2CAP dissector could crash. Versions affected: 1.2.0
The RADIUS dissector could crash. Versions affected: 1.2.0
The MIOP dissector could crash. Versions affected: 1.2.0
The sFlow dissector could use excessive CPU and memory. Versions affected: 1.2.0
The following bugs have been fixed:
Wireshark could crash while reading a pcap-ng file.
Wireshark could crash while reading a PacketLogger file.
CFLOW decoding is wrong for IPv6 fields (Bug 3328)
Buildbot crash output: fuzz-2009-04-24-2891.pcap (Bug 3438)
packet-dcm, corrupt DICOM export files (Bug 3493)
GeoIP map should use random temporary file name (Bug 3530)
Wireshark crashes when range_string is the data type (Bug 3536)
Pcap-ng breaks VoIP call data (Bug 3539)
ANSI MAP legInformation BER Error (Bug 3541)
Starting Wireshark Portable 1.2.0 gives error message. (Bug 3547)
On Windows, Wireshark could crash on startup. (Bug 3555)
The title in the TCP sequence graphs is too short. (Bug 3556)
USB Packets in pcap-ng Files Not Dissected Properly (Bug 3560)
802.11 decryption is broken (Bug 3590)
SMB2 Error Response doesn't decode properly (Bug 3609)
configure.in uses deprecated autoconf test for gnutls detection (Bug 3627)
Radius Malformed Packet error message (Bug 3635)
Wireshark could crash when loading a profile. (Bug 3640)
Analyze->Decode as... menu item becomes unavailable (Bug 3642)
btsnoop: Incorrect error message for not supported datalink type (Bug 3645)
Decode error for network-id in BICC BCU-ID (Bug 3648)
IEC 60870-5-104 dissector decodes nothing (Bug 3650)
radius_register_avp_dissector() can stop RADIUS dissector from working correctly (Bug 3651)
ANSI ISUP Cause indicators with coding standard=ANSI fail to dissect. (Bug 3654)
Wrong field position in PacketCable Multimedia Extended Classifier (Bug 3656)
FF Protocol "FMS Initiate - Version OD Calling" field packet data not unpacked properly (Bug 3694)
hci_h4: Optimize column/field handling (Bug 3703)
BSSLAP Protocol Not Decoded In BSSMAP-LE Messages (Bug 3711)
Description of tshark -t dd missing from tshark.pod (Bug 3723)
Problem in packet-per.c for ASN.1 PER Encoding (Bug 3733)
[SNMP] Crash when dissecting packet (custom MIB) (Bug 3746)
New and Updated Features
There are no new or updated features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
AFS, ANSI ISUP, ANSI MAP, ASN.1 PER, Bluetooth HCI H4, Bluetooth L2CAP, BSS CFLOW, COPS, Diameter, DICOM, FF-HSE, ICMPv6, IEC-60870-5-104, IEEE 802.11, Infiniband, IPMI, MIOP, RADIUS, RSVP, sFlow, SNMP, SMB2, ZIOP
New Capture File Support
Btsnoop, DCT3, Packetlogger, pcap-ng.

Changes for v1.2.0 Pre 2 - v1.2.0

Bug Fixes
Too many bugs have been fixed since the 1.0 release to list here.
Some notable fixes are:
Type-ahead search now works properly.
Several bugs that affected capture from pipes have been fixed.
Many Lua-related bugs have been fixed.
Several memory leaks have been found and fixed.
The "Follow TCP Stream" feature could show two streams at the same time The hex dump view has been narrowed.
WPA and SSL decryption bugs have been fixed.
Readability problems on 256-color displays on Windows have been fixed.
New and Updated Features:
The following features are new (or have been significantly updated) since version 1.0:
Wireshark has a spiffy new start page.
Display filters now autocomplete.
A 64-bit Windows (x64) installer is now provided.
Support for the c-ares resolver library has been added. It has many advantages over ADNS.
Many new protocol dissectors and capture file formats have been added (see below for a complete list).
Macintosh OS X support has been improved.
GeoIP database lookups.
OpenStreetMap + GeoIP integration.
Improved Postscript(R) print output.
The preference handling code is now much smarter about changes.
Support for Pcap-ng, the next-generation capture file format.
Support for process information correlation via IPFIX.
Column widths are now saved.
The last used configuration profile is now saved.
Protocol preferences are changeable from the packet details context menu.
Support for IP packet comparison.
Capinfos now shows the average packet rate.
GTK1 is no longer supported. (Yes, this is a feature.)
Official Windows packages are now built using Microsoft Visual C++ 2008 SP1.
New Protocol Support:
Anything in Anything Protocol, ATM PW, N-to-one Cell Mode, B.A.T.M.A.N. Layer 3 Protocol, BACnet MS/TP, BSS LCS Assistance Protocol, Canon BJNP, CESoPSN basic NxDS0 mode (no RTP support), Charging ASE, Cimetrics MS/TP, DECT Protocol, Digital Private Signalling System No 1 Link Layer, DOCSIS Mac Domain Description, DOCSIS Registration Request Multipart, DOCSIS Registration Response Multipart, DOCSIS Synchronisation Message, E100 Encapsulation, EHS, Enhanced Variable Rate Codec, Ethernet Global Data, Ethernet PW, Exchange 2003 Directory Request For Response, Far End Failure Detection, FCoE Initialization Protocol, GOOSE, GPEF, GPRS Tunneling Protocol V2, GSM A-I/F COMMON, GSM A-I/F GPRS Mobility and Session Management, GSM SACCH, GSM Um Interface, HDLC PW, FR port mode (no CW), HDLC-like framing for PPP, IEC 60870-5-104,Apci, IEC 60870-5-104,Asdu, IEEE 802.15.4 Low-Rate Wireless PAN non-ASK PHY, IEEE C37.118 Synchrophasor Protocol, Intelligent Platform Management Interface (Session Wrapper), Inter-Integrated Circuit, Internal TDM, IPSICTL, ISMACryp Protocol, iWARP Direct Data Placement and Remote Direct Memory Access Protocol, iWARP Marker Protocol data unit Aligned framing, Kontiki Delivery Protocol, LANforge Traffic Generator, Layer 1 Event Messages, Lb-I/F BSSMAP LE, LeCroy VICP, Link Access Procedure, Channel Dm (LAPDm), Local Download Sharing Service, LTE Radio Resource Control (RRC) protocol, MAC-LTE, Memcache Protocol, Mesh Header, MP4V-ES, Nasdaq TotalView-ITCH, Nasdaq-SoupTCP version 2.0, NAT Port Mapping Protocol, Netdump Protocol, Non-Access-Stratum (NAS)PDU, PacketLogger, Paltalk Messenger Protocol, PDCP-LTE, PW Associated Channel Header, PW Ethernet Control Word, PW Frame Relay DLCI Control Word, PW MPLS Control Word (generic/preferred), Real-Time Publish-Subscribe Wire Protocol 2.x, Remote Packet Capture, RLC-LTE, SAToP (no RTP support), SERCOS III V1.1, SIMULCRYPT Protocol, Subnetwork Dependent Convergence Protocol XID, Teamspeak2 Protocol, TTEthernet, TTEthernet Protocol Control Frame, Turbocell Aggregate Data, Turbocell Header, TURN Channel, Unreliable Multicast Inter-ORB Protocol, VCDU, Wave Short Message Protocol(IEEE P1609.3), Wireless Access Station Session Protocol, Wireshark Expert Info, World of Warcraft, Xpress Transport Protocol, ZigBee Application Framework, ZigBee Application Support Layer, ZigBee Device Profile, ZigBee Encapsulation Protocol, ZigBee Network Layer, Zipped Inter-ORB Protocol, ZRTP
Updated Protocol Support:
There are too many updates to list here.
New Capture File Support:
Apple Bluetooth PacketLogger, Daintree's Sensor Network Analyzer, dct3trace, Pcap-NG, TNEF (yes, those silly winmail.dat attachments)

Changes for v1.1.1 Development Release - v1.1.2 Development Release

GeoIP database support has been added
Supporting libraries have been updated in the Windows installer, including a security fix in c-ares.
File previews on Windows have been improved

Changes for v1.0.3 - v1.1.0 Development Release

Wireshark 1.1.0 has been released. Installers for Windows, Mac OS X Intel 10.5, and source code is now available. This is a development release, intended to be used as a platform for testing new features. The latest stable release of Wireshark is still 1.0.3.

Changes for v1.0.8 - v1.0.10

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
The RADIUS dissector could crash.
Versions affected: 0.10.10 to 1.0.9, 1.2.0
CVE-CVE-2009-2560
The DCERPC/NT dissector could crash.
Versions affected: 0.10.10 to 1.2.2
New and Updated Features
There are no new or updated features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
DCERPC NT, RADIUS

Changes for v1.0.7 - v1.0.8

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
The PCNFSD dissector could crash.
Versions affected: 0.8.20 to 1.0.7
CVE-2009-????
The following bugs have been fixed:
Lua integration could crash. (Bug 2453)
The SCCP dissector could crash when loading more than one file in a single session. (Bug 3409)
The NDMP dissector could crash if reassembly was enabled. (Bug 3470)
New and Updated Features
There are no new or updated features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
All ASN.1 protocols, DICOM, NDMP, PCNFSD, RTCP, SCCP, SSL, STANAG 5066
New and Updated Capture File Support
There are no new or updated capture file formats in this release.

Changes for v1.0.6 - v1.0.7

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
The PROFINET dissector was vulnerable to a format string overflow. (Bug 3382). Versions affected: 0.99.6 to 1.0.6. CVE-2009-1210
The LDAP dissector could crash on Windows. (Bug 3262). Versions affected: 0.99.2 to 1.0.6. CVE-2009-1267
The Check Point High-Availability Protocol (CPHAP) dissector could crash. (Bug 3269). Versions affected: 0.9.6 to 1.0.6. CVE-2009-1268
Wireshark could crash while loading a Tektronix .rf5 file. (Bug 3366). Versions affected: 0.99.6 to 1.0.6. CVE-2009-1269
The following bugs have been fixed:
Correct use of proto_tree_add_int_format() (Bug 3048)
RTP dynamic payload clock rates incorrectly determined (Bug 3067)
TShark fails to properly close capture files when opening new ones (Bug 3172)
ANSI MAP digits type decode and bitmask corrections (Bug 3233)
Two small patches for ipvs-syncd dissector (Bug 3236)
BGP capability dissection failure (Bug 3247)
ANSI MAP fix for missing MEID/MSC ID number in RegNot (Bug 3255)
BACnet PrivateTransferError shows malformed packet (Bug 3257)
Windows silent installer is not that silent (Bug 3260)
Crash in ASN.1 dissector when using 'type table' (Bug 3271)
802.11n SM Power save mode value 0x3 label is incorrect (Bug 3276)
802.11 WME ie displayed incorrectly (Bug 3284)
"Copy as filter" from the packet list has been fixed.
New and Updated Features
There are no new or updated features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ACN, ANSI MAP, ASN.1 BACnet, BGP, CPHAP, GSM MAP, IEEE 802.11, IPVS, LDAP, NetFlow/IPFIX, PROFINET, RTP, SNMP, WSP
New and Updated Capture File Support
(TBD)

Changes for v1.0.5 - v1.0.6

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
On non-Windows systems, Wireshark could crash if the HOME environment variable contained sprintf-style string formatting characters. Discovered by babi. (Bug 3150)
Wireshark could crash while reading a malformed NetScreen snoop file. Discovered by babi. (Bug 3151)
Wireshark could crash while reading a Tektronix K12 text capture file. (Bug 1937)
The following bugs have been fixed:
Crash when loading capture file and Preferences: NO Info column (Bug 2902)
Some Lua scripts may lead to corruption via out of bounds stack (Bug 3062)
Build with GLib 1.2 fails with error: 'G_MININT32' undeclared (Bug 3109)
Wrong decoding IMSI with GSM MAP protocol (Bug 3116)
Segmentation fault for "Follow TCP stream" (Bug 3119)
SMPP optional parameter 'network_error_code' incorrectly decoded (Bug 3128)
DHCPv6 dissector doesn't handle malformed FQDN (Bug 3134)
WCCP overrides CFLOW as decoded protocol (Bug 3175)
Improper decoding of MPLS echo reply IPv4 Interface and Label Stack Object (Bug 3179)
ANSI MAP fix for TRN digits/SMS and OTA subdissection (Bug 3214)
The 1.0 branch can now be built with Visual Studio 2008.
New and Updated Features
The version of GNUTLS included with the Windows packages has been updated from 2.3.8 to 2.6.3.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
AFS, ATM, DHCPv6, DIS, E.212, RTP, UDP, USB, WCCP, WPS
New and Updated Capture File Support
NetScreen snoop

Changes for v1.0.4 - v1.0.5

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
The SMTP dissector could consume excessive amounts of CPU and memory. Versions affected: 1.0.4
The WLCCP dissector could go into an infinte loop. Versions affected: 0.99.7 to 1.0.4
The following bugs have been fixed:
Missing CRLF during HTTP POST in the "packet details" window (Bug 2534)
Memory assertion in time_secs_to_str_buf() when compiled with GCC 4.2.3 (Bug 2777)
Diameter dissector fails RFC 4005 compliance (Bug 2828)
LDP vendor private TLV type is not correctly shown (Bug 2832)
Wireshark on MacOS does not run when there are spaces in its path (Bug 2844)
OS X Intel package incorrectly claims to be Universal (Bug 2979)
Compilation broke when compiling without zlib (Bug 2993)
Memory leak: saved_repoid (Bug 3017)
Memory leak: follow_info (Bug 3018)
Memory leak: follow_info (Bug 3019)
Memory leak: tacplus_data (Bug 3020)
Memory leak: col_arrows (Bug 3021)
Memory leak: col_arrows (Bug 3022)
Incorrect address structure assigned for find_conversation() in WSP (Bug 3071)
Memory leak with unistim in voip_calls (Bug 3079)
Error parsing the BSSGP protocol (Bug 3085)
Assertion thrown in fvalue_get_uinteger when decoding TIPC (Bug 3086)
LUA script : Wireshark crashes after closing and opening again a window used by a listener.draw() function. (Bug 3090)

Changes for v1.0.3 - v1.0.4

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
Florent Drouin and David Maciejak found that the Bluetooth ACL dissector could crash or abort. (Bug 1513) Versions affected: 0.99.2 to 1.0.3
The Q.931 dissector could crash or abort. (Bug 2870) Versions affected: 0.10.3 to 1.0.3
Wireshark could abort while reading Tamos CommView capture files. (Bug 2926) Versions affected: 0.99.7 to 1.0.3
David Maciejak found that the USB dissector could crash or abort. This led to the disovery of a similar problem in the Bluetooth RFCOMM dissector. (Bug 2922) Versions affected: 0.99.7 to 1.0.3
Vivek Gupta and David Maciejak found that the PRP and MATE dissectors could make Wireshark crash. (Neither PRP nor MATE are enabled by default.) (Bug 2549) Versions affected: 0.99.2 to 1.0.3
The following bugs have been fixed:
Let MP2T call its subdissectors, even without tree (Bug 2627)
Wireless Toolbar not enabled (using AirPcap) if PCAP_REMOTE=1 (Bug 2685)
Failure to dissect long SASL wrapped LDAP response (Bug 2687)
Fix compiler warnings (Bug 2823)
Homeplug dissection bugs (Bug 2859)
Malformed Packet DCP ETSI error (Bug 2860)
Wrong size of selected_registrar in WPS dissector (Bug 2865)
Dissector assertion displaying cookies in DTLS frames (Bug 2876)
Missing field type in documentation (Bug 2889)
Wireshark -p switch seems to have no effect to PROMISCUOUS mode (Bug 2891)
Misspelled PPI error vector magnitude filter (Bug 2903)
Modbus Function 43 Encapsulated Interface Transport decoding (Bug 2917)
Crash when printing or exporting some protocol data (Bug 2934)
Crash when selecting "Export Selected Packet Bytes" (Bug 2964)
New and Updated Features
There are no new or updated features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
AFP, Bluetooth ACL, Bluetooth RFCOMM, DCP ETSI, DTLS, Homeplug, IEEE 802.11, IP, Modbus TCP, MP2T, NSIP, NCP, PPI, Q.931, SASL, SNMP, USB, WPS
New and Updated Capture File Support
AiroPeek, CommView

Changes for v1.0.2 - v1.0.3

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
The NCP dissector was susceptible to a number of problems, including buffer overflows and an infinite loop.
Versions affected: 0.9.7 to 1.0.2
Wireshark could crash while uncompressing zlib-compressed packet data.
Versions affected: 0.10.14 to 1.0.2
Wireshark could crash while reading a Tektronix .rf5 file.
Versions affected: 0.99.6 to 1.0.2
The following bugs have been fixed:
802.11 WPA/WPA2-PSK Unable to decode Group Keys. (Bug 1420)
Packets could wrongly be dissected as "Redback Lawful Intercept" (Bug 2376)
MIKEY dissector improvements (Bug 2400)
tvb_get_bits{16|32} could read past the end of a tvbuff (Bug 2439)
Incorrect wslua function names. (Bug 2448)
Memory corruption in wslua. (Bug 2453)
Unknown PPPoE TAGs which are present in a PPPoE discovery packet are not displayed under "PPPoE Tags" subtree/section. (Bug 2458)
Following a TCP stream could incorrectly reassemble packets. (Bug 2606)
SIP decode shows fully expanded "Content-Length" header instead of compact form. (Bug 2635)
Segmentation fault loading trace containing NCP packets. (Bug 2675)
SIP packets might incorrectly be displayed as malformed. (Bug 2729)
RTCP BYE padding interpreted incorrectly. (Bug 2778)
Reversed RTP stream is saved as silent .au file, forward stream saves correctly. (Bug 2780)
Fix some lint warnings. (Bug 2822)
Setting a duration on a capture file would capture for an extra second.

Changes for v1.0.1 - v1.0.2

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
Wireshark could crash while reassembling packets. Versions affected: 0.8.19 to 1.0.1
The following bugs have been fixed:
Dumpcap could crash on some versions of Windows (primarily Vista). (Bug 2677)

Changes for v0.99.7 - v0.99.8

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
The SCTP dissector could crash. Versions affected: 0.99.5 to 0.99.7
The SNMP dissector could crash. Versions affected: 0.99.6 to 0.99.7
The TFTP dissector could crash Wireshark on Ubuntu 7.10. (This appears to be a bug in the Cairo library on that platform.) Reported by Noam Rathaus. Versions affected: 0.6.0 to 0.99.7
The following bugs have been fixed:
Wireshark could crash when saving I/O graphs.
Wireshark could crash when editing table-based preferences.
Wireshark could crash when trying to play RTP streams.
Wireshark could crash when trying to apply a display filtermacro.
Wireshark could crash in Turkish and other locales.
New and Updated Features
The following features are new (or have been significantly updated) since the last release:
You can now have multiple configuration profiles.
Temporary coloring rules have been added, which let you coloror filter on a conversation.
I/O graphs have been improved.
Wireshark now has WLAN traffic statistics.
The Wireshark GUI now supports RPCAP.
Conversations and endopoints can now be limited to the current display filter.
Experimental support for the NTAR/PcapNG file format has beenadded.
New Protocol Support
AiroPeek Remote Capture, China Mobile Point to Point, Distributed Lock Manager 3, EUTRAN X2 Application Protocol, Fieldbus Foundation, International Passenger Airline Reservation System/Airline Link Control, Microsoft DirectPlay, Path Computation Element communication Protocol, Real Time Messaging Protocol, S1 Application Protocol, Scripting Service Protocol, Societe Internationale de Telecommunications Aeronautiques, Unisys Transmittal System, Wi-fi Protected Setup,
Updated Protocol Support
3G A11, 3GPP, ACN, ACP133, ALCAP, AMR, ANSI A, ANSI IS-637-A, ANSI MAP, ARP, ASAP, AVS WLAN, BACapp, BER, BOOTP, Bluetooth (HCI ACL, HCI CMD, HCI EVT, HCI SCO, L2CAP, SDP), CDP, CFM, CMS, COPS, Camel, Cisco ERSPAN, DAP, DCERPC SPOOLSS, DCERPC, DHCP, DHCPv6, DIAMETER, DMP, DTLS, E.164, EAP, ENIP, ENRP, EtherCAT, Ethernet, FMP, FTAM, GMRP, GRE, GSM MAP, GSM SMS, GSS-API, GTP, Gryphon, H.223, H.225, H.245, H.263, H.264, H.460, HCI H1, HTTP, ICMP, IEEE 802.11, IGMP, IPP, ISAKMP, ISUP, JFIF, JPEG, JXTA, Kerberos, LDAP, MP2T, MS MMS, MTP3MG, NBAP, NFS, NHRP, NetFlow, P7, PER, PIM, PKCS12, PPPoE, PTP, P_Mul, Q.932, Quakeworld, RANAP, RMT ALC, RMT LCT, ROS, RPC, RPL, RRC, RTCP, RTP, SCCP, SCTP, SDP, SLL, SMB, SMB2, SMPP, SMTP, SNMP, SRVLOC, SSL, STUN2, T.38, TCAP, TCP, TFTP, TiVoConnect, UCP, UDP-Lite, USB, VLAN, WBXML, X.411, X.420, X.509if, X.509sat
New and Updated Capture File Support
Catapult DCT2000, DBS Etherwatch, NTAR/PcapNG, TamoSoft CommView, Visual Networks
Getting Wireshark
Wireshark source code and installation packages are available from the download page on the main web site.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About->Folders to find the default locations on your system.
Known Problems
The Filter button is nonfunctional in the file dialogs under Windows. (Bug 942)

Changes for v0.99.6a - v0.99.7

Bug Fixes
The following vulnerabilities have been fixed. See the security advisory for details and a workaround.
Wireshark could crash when reading an MP3 file. Versions affected: 0.99.6
Beyond Security discovered that Wireshark could loop excessively while reading a malformed DNP packet. Versions affected: 0.10.12 to 0.99.6
Stefan Esser discovered a buffer overflow in the SSL dissector. Versions affected: 0.99.0 to 0.99.6
The ANSI MAP dissector could be susceptible to a buffer overflow on some platforms. Versions affected: 0.99.5 to 0.99.6
The Firebird/Interbase dissector could go into an infinite loop or crash. Versions affected: 0.99.6
The NCP dissector could cause a crash. Versions affected: 0.99.6
The HTTP dissector could crash on some systems while decoding chunked messages. Versions affected: 0.10.14 to 0.99.6
The MEGACO dissector could enter a large loop and consume system resources. Versions affected: 0.9.14 to 0.99.6
The DCP ETSI dissector could enter a large loop and consume system resources. Versions affected: 0.99.6
Fabiodds discovered a buffer overflow in the iSeries (OS/400) Communication trace file parser. Versions affected: 0.99.0 to 0.99.6
The PPP dissector could overflow a buffer. Versions affected: 0.99.6
The Bluetooth SDP dissector could go into an infinite loop. Versions affected: 0.99.2 to 0.99.6
A malformed RPC Portmap packet could cause a crash. Versions affected: 0.8.16 to 0.99.6
The IPv6 dissector could loop excessively. Versions affected: 0.99.6
The USB dissector could loop excessively or crash. Versions affected: 0.99.6
The SMB dissector could crash. Versions affected: 0.99.6
The RPL dissector could go into an infinite loop. Versions affected: 0.9.8 to 0.99.6
The WiMAX dissector could crash due to unaligned access on some platforms. Versions affected: 0.99.6
The CIP dissector could attempt to allocate a huge amount of memory and crash. Versions affected: 0.9.14 to 0.99.6
The following bugs have been fixed:
Handling of non-ASCII file names and paths has been improved.
Wireshark could crash while editing a coloring rule or a UAT table.
The display filter code could crash while bitwise ANDing an IPv4 address.
New and Updated Features
The following features are new (or have been significantly updated) since the last release:
Most of the capture code has been moved out of the GUI, which means that Wireshark no longer needs to be run as root.
Many display filter names have been cleaned up. If your favorite display filter just went missing, please consult the display filter reference to find out where it ended up.
You can now filter directly on SNMP OIDs.
IO graphs have more display options, and you can now export graphs.
You can now follow UDP streams in addition to TCP and SSL streams.
You can now disable coloring rules without deleting them.
Main window toolbar buttons are now available even when the window is small.
The version of WinPcap that ships with the Windows installers has been updated to 4.0.2.
The Windows installers now include a "services" file, which maps port numbers to names.
The Windows installer now enables npf.sys by default under Vista. Wireshark will print a warning at startup if npf.sys isn't loaded under Vista.
Optimizations have been applied in some places to make Wireshark start up and run faster.
New Protocol Support
ANSI TCAP, application/xcap-error (MIME type), CFM, DPNSS, EtherCAT, ETSI e2/e4, H.282, H.460, H.501, IEEE 802.1ad and 802.1ah, IMF (RFC 2822), RSL, SABP, T.125, TNEF, TPNCP, UNISTIM, Wake on LAN, WiMAX ASN Control Plane, X.224,
Updated Protocol Support
3Com XNS, 3G A11, ACN, ACP123, ACSE, AIM, ANSI IS-637-A, ANSI MAP, Armagetronad, BACapp, BACnet, BER, BFD, BGP, Bluetooth, CAMEL, CDT, CFM, CIP, Cisco ERSPAN, CLNP, CMIP, CMS, COPS, CTDB, DCCP, DCERPC ATSVC, DCERPC PNIO, DCERPC SAMR, DCERPC, DCOM CBA-ACCO, DCP ETSI, DEC DNA, DFS, DHCP/BOOTP, DHCPv6, DIAMETER, DISP, DMP, DNP, DNS, DOP, DTLS, DUA, eDonkey, ELSM, ESL, Ethernet, FC ELS, FC, FCOE, FTAM, FTP, GDSDB, GIOP, GPRS-LLC, GSM A, GSM MAP, GTP, HSRP, HTTP, IAX2, ICMPv6, IEEE 802.11, INAP, IP, IPMI, IPv6, ISAKMP, ISIS, iSNS, ISUP, IUUP, JXTA, K12, Kerberos, L2TP, LAPD, LDAP, LINX, LPD, LWAPP, MEGACO, MIKEY, MIME Multipart, MMS, MP2T, MPEG PES, MPEG, MTP2, MySQL, NBAP, NetFlow, nettl, NFS, NSIP, OSPF, P_MUL, PANA, PER, PKCS#12, PMIPv6, PN-PTCP, PN-RT, PPI, PPPoE, PRES, PROFINET, PTP, Q.932 ROS, Q.932, QSIG, Radiotap, RADIUS, RANAP, RNSAP, ROS, RTCP, RTP, RTSE, RTSP, SCCP, SCTP, SDP, SIGCOMP, SIP, Slow Protocols, SMB, SMPP, SMTP, SNDCP, SNMP, SRP, SSL, STANAG 4406, STUN2, TCAP, TCP, text/media, TIPC, ULP, UMA, UMTS FP, V5UA, VNC, WiMAX M2M, WiMAX, WLCCP, X.411, X.420, X.509 SAT, XML,
New and Updated Capture File Support
Catapult DCT 2000, Endace ERF, Juniper NetScreen snoop, Visual Networks, Windows Sniffer (NetXRay)

Changes for v0.99.6 - v0.99.6a

A new Windows installer (wireshark-setup-0.99.6a.exe) has been released in order to fix a problem with updating from WinPcap 4.0 to 4.0.1. There are no other changes in this release.

Changes for v0.99.5 - v0.99.6

The following vulnerabilities have been fixed.
Wireshark could crash when dissecting an HTTP chunked response. (Bug 1394) Versions affected: 0.99.5
On some systems, Wireshark could crash while reading iSeries capture files. (Bug 1415) Versions affected: 0.10.14 to 0.99.5
Wireshark could exhaust system memory while reading a malformed DCP ETSI packet. (Bug 1264) Versions affected: 0.99.5
Wireshark could loop excessively while reading a malformed SSL packet. (Bug 1582) Versions affected: 0.8.20 to 0.99.5
The DHCP/BOOTP dissector was susceptible to an off-by-one error. (Bug 1416) Versions affected: 0.10.17 to 0.99.5
Wireshark could loop excessively while reading a malformed MMS packet. (Bug 1342) Versions affected: 0.10.12 to 0.99.5
The following bugs have been fixed:
WEP decryption would only work for the first key specified. disappear or become unusable. WEP and WPA decryption didn't work for QoS frames. WPA decryption failed if EAPOL handshake packets contained extra data. Wireshark failed to parse colon-separated WEP keys.
Merging files in Wireshark now appends files properly.
Wireshark could hang while saving an RTP stream with bad timestamp data.
You must now explicitly pass "--disable-wireshark" to the build environment if you only want to build TShark; the configure script will fail, rather than automatically building only TShark, if it's run on a system that doesn't have GTK+ headers and libraries installed.
Capture from named pipes (via -i \\\pipe\) now works under Windows.
The frame.time_delta display filter now works as expected, matching the delta time between the current and previous captured packet. A new filter, frame.time_delta_displayed, matches the delta time between the current and previous displayed packet.
The following features are new (or have been significantly updated) since the last release:
You no longer have to restart Wireshark after changing column preferences. Woohoo!
You can now export HTTP objects via File?Export?Objects?HTTP.
Display filter macros are now supported.
Right-clicking on a packet lets you copy many more things, such as the packet summary and the packet bytes.
You can now match upper- and lower-case text with the contains operator, e.g. upper(http.request.method) contains "GET".
A great deal of code has been cleaned up, including fixing many compiler errors. Many thanks to those who worked on this.
New Protocol Support
AMQP (Advanced Message Queueing Protocol), BCTP Q.1990, Borland StarTeam, Cisco ERSPAN, CTDB (Cluster TDB), DRDA (Distributed Relational Database Architecture), DTPT (DeskTop PassThrough), EPMD (Erlang Port Mapper Daemon), FCoE (Fibre Channel over Ethernet), Firebird/Interbase (replaces the old Interbase dissector), FMP (File Mapping Protocol), H.248.10, H.248.7, IPsec/ISAKMP over TCP, Kingfisher, MIKEY (Multimedia Internet KEYing), MPEG, NSRP (Juniper Netscreen Redundant Protocol), OpcUa Binary Protocol, PPI (Per-Packet Information header), Q.932, QSIG, TAPA (Trapeze Access Point Access Protocol), WiMAX, WiMAX M2M
Updated Protocol Support
ACSE, AFP, AMR, ANSI IS-801, ANSI MAP, ARP, ASAP, ASN.1 BER, ASN.1 PER, AVS WLANCAP, BSSAP, BSSGP, BVLC, Camel, CDT, CIP, CMS, COPS, CPFI, DCCP, DCERPC (DCERPC, ATSVC, DFS, EFS, EVENTLOG, INITSHUTDOWN, NDR, NETLOGON, NSPI, NT, PNIO, SAMR, SPOOLSS, SRVSVC, WINREG, WKSSVC, WZCSVC), DCOM (DCOM, CBA, CBA-ACCO), DCP ETSI, DCP, DCT2000, DHCP, DIAMETER, DMP, DNP, DTLS, EDP, ENRP, EPL, ERF, FCELS, Fibre Channel, FTAM, FTBP, FW-1, GIOP, GSM MAP, GTP, H.223, H.225, H.235, H.245, H.248, H.263, HTTP, IAX2, IEEE 802.11, IGRP, INAP, IP, IPsec, IPv6, iSCSI, ISUP, IUA, IuUP, Juniper, JXTA, K12, Kerberos, L2TP, LDAP, LLDP, LWAPP, M3UA, MEGACO, MIP, MMS, MP2T, MTP3, NBAP, NDMP, Netflow, NFS, NT SONMP, OICQ, OSPF, PANA, PN-PTCP, PPP, P_Mul, Radiotap, RADIUS (Packetcable), RANAP, Redback, RNSAP, RRLP, RSVP, RTCP, RTP, RX, SCCP, SCSI (SCSI, MMC, OSD, SBC, SMC, SSC), SCTP, SDP, SIGCOMP, SIP, Skinny, SliMP3, SLL, SMB PIPE, SMB, SMB2, SMPP, SNMP, SPNEGO, SSCOP, SSL, STUN, SUA, Symantec, Syslog, TACACS, TCAP, TCP, TFTP, UDLD, UDP, ULP, UMA, UMTS (UMTS, FP, RRC), USB, VNC, WCP, WLCCP, X.25, X.411, X.509, YMSG
New and Updated Capture File Support
DCT2000, Endace ERF, iSeries, K12, MPEG Audio (yes, this means you can open .mp3 files in Wireshark), NetMon, pppdump, snoop (Shomiti wireless packets), Visual Networks, Windows Sniffer (NetXRay)

Version history for Wireshark

Top downloads

Latest updates

Help us

Sections:

Follow us: