Wireshark 3.0.0 was released yesterday. On Windows it replaces the no-longer-maintained WinPcap packet capture library with the Npcap packet sniffing and sending library.
Wireshark is a free, cross-platform network protocol analyzer that runs on Windows and most UNIX and UNIX-like platforms, such as Linux, FreeBSD, and macOS.
Security experts, developers, and educators use it for analysis, troubleshooting, development, and teaching, interactively capturing and browsing packet traffic on computer networks.
Wireshark 3.0.0 Key New Features
This release of Wireshark 3.0.0 adds "802.11 WiFi monitor mode capture and loopback capture support (if supported by the NIC driver)."
Wireshark 3.0.0 also adds support for new protocols, including the following:
- Apple Wireless Direct Link (AWDL)
- Basic Transport Protocol (BTP)
- BLIP Couchbase Mobile (BLIP)
- CDMA 2000
- Circuit Emulation Service over Ethernet (CESoETH)
- Cisco Meraki Discovery Protocol (MDP)
- Distributed Ruby (DRb)
- Dx
- E1AP (5G)
- EVS (3GPP TS 26.445 A.2 EVS RTP)
- General Circuit Service Notification Application Protocol (GCSNA)
- GeoNetworking (GeoNw)
- GLOW Lawo Emberplus Data format
- Great Britain Companion Specification (GBCS)
- GSM-R (use of the user-to-user information element)
- HI3CCLinkData
- Intelligent Transport Systems (ITS)
- ISO 13400-2 Diagnostic communication over Internet Protocol (DoIP)
- ITU-T X.696 Octet Encoding Rules (OER)
- Local Number Portability Database Lookup Protocol (ANSI)
- msgpack
- NGAP (5G)
- NR (5G)
- PDCP
- Osmocom Generic Subscriber Update Protocol (GSUP)
- pcom
- PROXY (v2)
- S101 Lawo Emberplus
- Secure and Reliable Transport Protocol (SRT)
- Spirent Test Center Signature (STCSIG)
- TeamSpeak 3 DNS
- TPM 2.0
- Ubiquiti Discovery Protocol (UBDP)
- WireGuard
- XnAP (5G)
Another novelty in Wireshark 3.0.0 is that the old GTK+ interface is no longer officially supported; the interface is now based on Qt.
In the TCP analysis module, a "Reassemble out-of-order segments" preference has been added, which resolves problems with the analysis and decryption of flows whose segments arrive out of order.
In addition, a WireGuard dissector has been added that can decrypt WireGuard VPN traffic (if you have the keys). The BOOTP dissector has been renamed to DHCP and the SSL dissector to TLS.
When importing hex dumps into Wireshark 3.0.0, it is now possible to specify an ExportPDU header to hand the data directly to the required dissector, without going through the underlying protocol dissectors.
Other developments
Of the other changes that have been presented in this new release we find:
- Frame check sequence (FCS) validation is disabled by default in the IEEE 802.11 and Ethernet dissectors.
- Added the ability to copy coloring (highlighting) rules, I/O graphs, filter buttons, and protocol preferences between profiles.
- Added a separate "No Reassembly" profile to disable traffic reassembly.
- The "--inject-secrets" option was added to the editcap utility to attach a file of captured keys (a TLS key log) to a pcapng file.
- The string() function has been added to dfilter (the display filter language) to convert non-string fields to strings for later use in matching functions.
- Added support for decoding the Ruby Marshal format used to serialize objects
- Support for extracting data from PEM (RFC 7468) formats and SystemD Journal export files
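The editcap "--inject-secrets" option mentioned above takes the NSS key log format that Wireshark already reads from SSLKEYLOGFILE. The following is an added example, not code from the article or from the Wireshark project: it validates such a key log before attaching it to a capture, then runs editcap (assumed to be on PATH, Wireshark 3.0 or later) to embed the secrets in the pcapng.

```python
"""Attach a TLS key log to a pcapng with editcap --inject-secrets (Wireshark >= 3.0).

Added example, not from the article. Assumes editcap is on PATH; the key log
is in the NSS SSLKEYLOGFILE format that Wireshark reads.
"""
import re
import shutil
import subprocess
from pathlib import Path

# Key log labels Wireshark understands: CLIENT_RANDOM covers TLS 1.2,
# the remaining labels are the TLS 1.3 per-secret entries.
KEYLOG_LABELS = {
    "CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
# <LABEL> <32-byte client random as 64 hex chars> <secret as hex>
_LINE = re.compile(r"^([A-Z_0-9]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def validate_keylog(text: str) -> list:
    """Return (label, client_random) per valid line; raise on a malformed line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments are allowed
            continue
        m = _LINE.match(line)
        if not m or m.group(1) not in KEYLOG_LABELS:
            raise ValueError(f"line {n}: not a valid NSS key log entry: {raw!r}")
        entries.append((m.group(1), m.group(2).lower()))
    return entries


def inject_secrets_cmd(keylog, pcap_in, pcap_out) -> list:
    """Build the editcap command line; secret type 'tls' matches the key log format."""
    return ["editcap", "--inject-secrets", f"tls,{keylog}", str(pcap_in), str(pcap_out)]


def inject_secrets(keylog: Path, pcap_in: Path, pcap_out: Path) -> None:
    validate_keylog(keylog.read_text())   # fail early on a bad key log
    if shutil.which("editcap") is None:
        raise RuntimeError("editcap not found; install Wireshark 3.0 or later")
    subprocess.run(inject_secrets_cmd(keylog, pcap_in, pcap_out), check=True)


# Constructed sample: one TLS 1.2 and one TLS 1.3 entry (not real secrets).
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file, constructed for this example\n"
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48 + "\n"
    "SERVER_TRAFFIC_SECRET_0 " + "01" * 32 + " " + "ef" * 32 + "\n"
)
```

The resulting pcapng carries the secrets in a Decryption Secrets Block, so Wireshark decrypts the TLS streams without a separate key log preference.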
Download and install Wireshark 3.0.0
Since the release was made only a few hours ago, prebuilt packages that ease Wireshark 3.0.0 installation are not yet available.
For now, this version can only be obtained by downloading and compiling its source code, which is available from the download section of the official website.
The source package includes the compilation instructions as well as the list of required dependencies.