Wireshark 4.6.0: Major Packet Analysis & Decryption Upgrades

Summary
– Wireshark 4.6.0 introduces platform-specific improvements, including macOS process information dissection and updated Windows dependencies like Npcap 1.83 and Qt 6.9.3.
– The update enables live capture compression while writing to disk and standardizes timestamps to ISO 8601 UTC format for better data handling.
– Enhanced protocol support includes decrypting NTP with Network Time Security and adding formats like Binary HTTP and DECT-2020 for telecom and IoT traffic.
– User interface upgrades feature a new “Plots” dialog replacing I/O Graphs, HTML packet list copying, and improved theme controls on Windows and macOS.
– Legacy components like WinPcap, AirPcap, and early libnl versions have been removed to simplify builds and focus on actively maintained systems.
The latest Wireshark 4.6.0 release delivers substantial enhancements for network analysts, introducing powerful packet analysis and decryption capabilities alongside smoother data capture workflows. This update strengthens the open-source tool’s position as a go-to solution for troubleshooting and investigating network traffic across diverse environments.
Users on macOS and Windows get several platform-specific improvements. On macOS, Wireshark can now dissect the process information, packet metadata, flow IDs and packet-drop information that macOS tcpdump can record in its captures. On Windows, the bundled dependencies move to Npcap 1.83 and Qt 6.9.3. The macOS installer is now a single universal package for both Intel and Apple Silicon Macs, so there is no longer a separate build to choose. Support for the legacy WinPcap capture driver and for AirPcap adapters has been removed; Windows users still relying on either need to move to Npcap, the actively maintained driver that Wireshark bundles.
Data capture becomes more efficient: traffic can now be compressed as it is written to disk, whereas previously compression was applied only when a long-running capture rotated to a new file. This matters most to analysts collecting large datasets. Timestamps in JSON and other machine-readable outputs now consistently use ISO 8601 in UTC, which removes the time-zone ambiguity of local-time stamps when capture data is correlated with other logs during an investigation. Custom columns can now display values in the same format as the Packet Details pane, and numeric columns sort numerically rather than alphabetically.
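To see what the timestamp change means for tooling, here is an added example (not from the article or the Wireshark project) that reads tshark -T json output and checks that each packet's frame.time is an ISO 8601 UTC string agreeing with frame.time_epoch; a pre-4.6 local-time stamp, or a clock mismatch between the two fields, is flagged. The JSON layout (_source.layers.frame) and the field names are those tshark has used for some time; that frame.time is written as ISO 8601 UTC is taken from the article, and the sample records are constructed, not captured.

```python
"""Check the ISO 8601 UTC timestamps that tshark -T json now emits against frame.time_epoch."""
import calendar
import json
import re
from datetime import datetime

# Wireshark 4.6 writes frame.time as ISO 8601 in UTC, e.g. "2025-10-08T12:23:01.123456789Z".
# Parsed by hand so the nanoseconds survive: datetime only carries microseconds.
ISO_UTC = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z$")


def parse_iso_utc(text):
    """Return (epoch_seconds, nanoseconds) for an ISO 8601 UTC timestamp.

    Anything else, including a local-time string with a zone abbreviation, raises ValueError.
    """
    m = ISO_UTC.match(text)
    if not m:
        raise ValueError(f"not an ISO 8601 UTC timestamp: {text!r}")
    dt = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    seconds = calendar.timegm(dt.timetuple())  # treat the naive datetime as UTC
    nanos = int((m.group(2) or "").ljust(9, "0"))
    return seconds, nanos


def split_epoch(text):
    """Split frame.time_epoch ("1759926181.123456789") into (seconds, nanoseconds)."""
    sec, _, frac = text.partition(".")
    return int(sec), int(frac.ljust(9, "0")[:9])


def check_packets(packets):
    """For each packet in tshark -T json output, report whether frame.time is a UTC
    ISO 8601 string that agrees with frame.time_epoch.

    Returns a list of (frame_number, ok, reason) tuples.
    """
    report = []
    for pkt in packets:
        frame = pkt["_source"]["layers"]["frame"]
        number = int(frame["frame.number"])
        try:
            iso = parse_iso_utc(frame["frame.time"])
        except ValueError as exc:
            report.append((number, False, str(exc)))
            continue
        epoch = split_epoch(frame["frame.time_epoch"])
        if iso != epoch:
            report.append((number, False, f"frame.time {iso} != frame.time_epoch {epoch}"))
        else:
            report.append((number, True, "ok"))
    return report


# Constructed sample modelled on the tshark -T json layout (_source.layers.frame); not real capture data.
# Frame 2 carries a pre-4.6 style local-time stamp, frame 3 a deliberate one-second mismatch.
SAMPLE_JSON = """
[
  {"_index": "packets", "_type": "doc", "_score": null, "_source": {"layers": {"frame": {
    "frame.number": "1",
    "frame.time": "2025-10-08T12:23:01.123456789Z",
    "frame.time_epoch": "1759926181.123456789"}}}},
  {"_index": "packets", "_type": "doc", "_score": null, "_source": {"layers": {"frame": {
    "frame.number": "2",
    "frame.time": "Oct  8, 2025 14:23:02.000000000 CEST",
    "frame.time_epoch": "1759926182.000000000"}}}},
  {"_index": "packets", "_type": "doc", "_score": null, "_source": {"layers": {"frame": {
    "frame.number": "3",
    "frame.time": "2025-10-08T12:23:03.500000000Z",
    "frame.time_epoch": "1759926184.500000000"}}}}
]
"""


def check_sample():
    """Run the consistency check over the constructed sample."""
    return check_packets(json.loads(SAMPLE_JSON))


if __name__ == "__main__":
    for number, ok, reason in check_sample():
        print(f"frame {number}: {'OK ' if ok else 'BAD'} {reason}")
```

Run it against real output with `tshark -r capture.pcapng -T json -e frame.number -e frame.time -e frame.time_epoch`, feeding the resulting array to check_packets; any record that fails the regex is a timestamp your downstream parsers can still misread.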
Decryption gains support for NTP packets protected with Network Time Security (NTS), useful when troubleshooting time synchronization; as with any decryption in Wireshark, the relevant key material must be available to the dissector. MACsec decryption has been extended to use Security Association Keys (SAKs) either unwrapped by the MKA dissector or supplied as a list of pre-shared keys. The release also adds support for RIFF and TTL files and for the Binary HTTP, DECT-2020 New Radio and GSMA Remote SIM Provisioning protocols, which makes Wireshark better equipped for environments that mix conventional IP networks with telecom and Internet of Things traffic.
Interface improvements provide quality-of-life upgrades for users who spend long hours analyzing packet traces. A new “Plots” dialog replaces the older I/O Graphs tool, offering scatter plots, multiple plot views, and automatic scrolling for live updates. Packet lists can now be copied as formatted HTML, simplifying the process of sharing findings in reports or documentation. Theme control has been enhanced on Windows and macOS, allowing users to set the color scheme independently of the system default, provided Wireshark is built with Qt 6.8 or later. On Linux, capture filters may now use the BPF extensions “inbound”, “outbound” and “ifindex”, which Wireshark previously rejected.
As part of ongoing code maintenance, several legacy components have been retired. Beyond WinPcap and AirPcap, support for early versions of the libnl library has ended. The CMake option ENABLE_STATIC is deprecated in favor of the standard BUILD_SHARED_LIBS. These changes streamline the build and focus development on actively maintained components.
Wireshark 4.6.0 is available for download on Windows, macOS and Linux. Before upgrading, check that nothing depends on the retired pieces: Windows captures that still use WinPcap or AirPcap need Npcap, scripts that parse timestamps from JSON or other machine-readable output must accept ISO 8601 UTC, and custom builds that set ENABLE_STATIC should switch to BUILD_SHARED_LIBS.
(Source: HelpNet Security)