
Wireshark 4.4.0 released – What’s new?

The Wireshark Foundation has announced the release of Wireshark 4.4.0, which brings a host of new features, improvements, and bug fixes to the popular open source network protocol analyzer. This latest version introduces significant improvements to graphing capabilities, display filter functionality, and overall performance.

One of the notable improvements in Wireshark 4.4.0 is the major overhaul of the graphing dialogs. The I/O Graphs, Flow Graph/VoIP Calls, and TCP Stream graphs have all been extensively updated, providing users with more precise and flexible visualization options.



The I/O Graphs dialog now supports intervals as small as 1 microsecond and can handle up to 33 million graph items. Memory usage has been optimized, and the dialog detects more intelligently when data needs to be re-tapped, recalculated, or re-plotted. Users can now reorder graphs using drag-and-drop, and the legend can be moved to different corners of the graph.


Advanced display filter functions

Wireshark 4.4.0 introduces significant improvements to the display filter functionality:

  • Support for value strings: Improved handling of value string comparisons, including support for regular expression matching.
  • Date and time arithmetic: Users can now perform calculations on date and time values.
  • New functions: Additional display filter functions have been added to test IP address properties and convert unsigned integer types.
  • Plugin support: Display filter functions can now be implemented as libwireshark plugins, allowing greater extensibility.

A major upgrade in this release is the ability to define custom columns using any valid field expression. This includes display filter functions, arithmetic calculations, packet slices, and logical tests. Likewise, custom output fields for TShark can now be defined using these expressions, giving users more flexibility in data presentation and analysis.

Performance improvements

Wireshark 4.4.0 brings several performance improvements:

  • Faster compression: The software can now be built with zlib-ng instead of zlib, which provides much faster support for compressed files.
  • LZ4 compression: Capture files can now be saved with LZ4 compression, increasing speed and supporting fast random access.
  • Interface management: Adding interfaces at startup is now about twice as fast and there are fewer UAC popups on Windows systems.

The new version adds support for several new protocols, including Allied Telesis Resiliency Link, ATN Security Label, Bit Index Explicit Replication (BIER), and many others. Numerous existing protocol dissectors have also been updated to provide more accurate and comprehensive analysis.

  • Lua 5.4 support: The Windows and macOS installers now ship with Lua 5.4.6, while support for Lua 5.1 and 5.2 has been removed.
  • Automatic profile switching: Wireshark now supports automatic switching between configuration profiles based on display filters.
  • Improved file management: The maximum size for capture files has been increased to 2 TB and new file naming patterns are supported for better chronological sorting.

Security fixes

An NTLMSSP dissector crash in Wireshark 4.2.0 through 4.0.6 and 4.0.0 through 4.0.16 allows denial of service via packet injection or a crafted capture file. The issue was fixed in versions 4.2.7 and 4.0.17.

“We are not aware of any exploits for this issue. It may be possible to crash Wireshark by injecting a malformed packet onto the wire or by getting someone to read a malformed packet trace file.”

The older release branches have also been patched: versions 4.2.7 and 4.0.17 are available as official releases.

Wireshark 4.4.0 represents a significant advancement in network analysis capabilities, offering improved visualization, more powerful filtering, and improved performance. Users are encouraged to download the latest version from the official Wireshark website and explore the wealth of new features and improvements.
