Wireshark 3.0.0: review of innovations

Wireshark Foundation has released the final stable-version of the popular network traffic analyzer - Wireshark 3.0.0. The new release eliminated several bugs, implemented the ability to analyze new protocols, and replaced the WinPcap driver with Npcap.

Wireshark is the world's most popular network protocol analyzer. It is used for troubleshooting, analysis, development, and training.

New and updated features

• Improved user interface. Support for some obsolete features and libraries has been removed.
• The IP card function (Map button in the Endpoints dialog box) was added back to the updated form (Error 14693).
• The macOS package now comes with Qt 5.12.1. Previously, it came with Qt 5.9.7.
• MacOS package requires version 10.12 or later of macOS (High Sierra / Mojave). If you are using an older version of macOS, use Wireshark 2.6.
• Wireshark now supports Swedish and Ukrainian (it supports Russian from version 2.9).
• Added support for using PKCS # 11 tokens to decrypt RSA to TLS.
• Windows installers now come with Qt 5.12.1. Previously, they came with Qt 5.12.0.
• Windows Installers .exe now comes with Npcap instead of WinPcap. In addition to active support (by the nmap project), Npcap supports loopback capture and capture of the 802.11 Wi-Fi monitoring mode (if supported by the NIC driver).
• Talk timestamps are supported for UDP / UDP protocols.
• TShark now supports the -G elastic-mapping option, which generates the ElasticSearch mapping file.
• The "Capture Information" dialog has been added back (error 12004).
• The Ethernet and IEEE 802.11 interceptors no longer check the frame check sequence (checksum) by default.
• The TCP dissector has received a new preference for “reassembling unordered segments” to correct problems with opening and decoding if TCP segments are not received in order.
• Decryption support for the new WireGuard dissector (error 15011, Libgcrypt 1.8 required).
• The BOOTP dissector has been renamed to DHCP. With the exception of “bootp.dhcp”, the old display filter fields are “bootp. * "Are still supported, but may be removed in a future release.
• SSL dissector has been renamed to TLS. As with BOOTP, the old “ssl. Display filter fields. * "Supported, but may be removed in a future release.
• Apt-x has been renamed to aptX.
• When importing from a hex dump, you can now add an ExportPDU header with the name of the payload. This causes a particular dissector directly without downstream protocols.
• The extshap sshdump and ciscodump interfaces can now use a proxy to connect to SSH.
• Dumpcap now supports -a packets: NUM and -b packets: NUM options.

Support for new protocols

In addition to updating the huge number of protocols that already exist in Wireshark, the developers added support for the following:
')
Apple Wireless Direct Link (AWDL), Basic Transport Protocol (BTP), BLIP Couchbase Mobile (BLIP), CDMA 2000, Circuit Emulation Service over Ethernet (CESoETH), Cisco Meraki Discovery Protocol (MDP), Distributed Ruby (DRb), DXL, E1AP (5G), EVS (3GPP TS 26.445 A.2 EVS RTP), Exablaze trailers, General Circuit Services Notification Application Protocol (GCSNA), GeoNetworking (GeoNw), GLOW Lawo Emberplus Data Format, Great Britain Companion Specification (GBCS) used in The Smart Metering Equipment (HM3CLinkData, Intelligent Transport Systems (ITS) application level, ISO 13400-2 Diagnostic communication over Internet Protocol (DoIP), ITU- X.696 Octet Encoding Rules (OER), Local Number Portability Database Query Protocol (ANSI), MsgPack, NGAP (5G), NR (5G) PDCP, Osmocom Generic Subscriber Update Protocol (GSUP), PCOM protocol, PKCS # 10 ( RFC2986 Certification Request Syntax), PROXY (v2), S101 Lawo Emberplus transp Orchestrate, Secure Reliable Transport Protocol (SRT), Spirent Test Center Signing for Ethernet and FibreChannel (STCSIG, disabled by default), Sybase-specific portions of TDS, systemd Journal Export, TeamSpeak 3 DNS, TPM 2.0, Ubiquiti Discovery Protocol ( UBDP), WireGuard, XnAP (5G), and Z39.50 Information Retrieval Protocol.

WinPcap → Npcap

The most current innovation is to replace WinPcap with Npcap. Although the Npcap library is based on WinPcap / Libpcap, however, it is more optimized, has better performance, portability and security. Also an important factor is the support of Npcap by the developers of the Nmap Project, as opposed to WinPcap, which has not been updated since 2013.