Important admin tool: Wireshark available for Windows on ARM64 for the first time

Wireshark, the popular open source protocol analyzer, is now available in version 4.2.0. It is the first major release under the newly founded non-profit Wireshark Foundation and, in addition to bug fixes, brings some interesting new features.

The new version adds a Windows installer for ARM64. The first feature the developers highlight is a dark mode on Windows. Packet sorting and UTF-8 output have been improved, and Linux installations are now relocatable because the binaries use relative RPATHs. Autocompletion of display filters is smarter and no longer suggests completions that would produce invalid syntax, and the display filter syntax can now match a field's raw bytes.

The simplified TLS decryption using session keys is the real added value. With it, the Wireshark Foundation responds to the so-called "HTTPS-ification of the network" and makes analysis easier. Previously, the analyst had to set the environment variable SSLKEYLOGFILE in the operating system, point the TLS protocol preferences in Wireshark at that file, and only then start the browser, Firefox or Chrome, so that it inherited the variable and wrote the secrets negotiated in the TLS handshake into the key log file. The HTTP traffic, previously hidden by TLS, could then be analyzed in plain text. Version 4.2.0 simplifies this with a new "TLS Keylog Launcher" under the "Tools" menu, which takes care of the setup and allows TLS decryption with just a few clicks.
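The manual workflow described above, as an added example that is not part of the article or of Wireshark itself: it captures, starts a fresh TLS client with SSLKEYLOGFILE in its environment, checks what landed in the key log, and then hands the file to the TLS dissector. The capture interface eth0, the /tmp paths and a curl build that honours SSLKEYLOGFILE are assumptions; the key-log sample written by `write_sample_keylog` is constructed for offline testing and contains no real secrets.

```shell
#!/usr/bin/env bash
# Added example (not from the article or from Wireshark): the manual
# SSLKEYLOGFILE workflow that the "TLS Keylog Launcher" in 4.2.0 wraps.
# Assumptions: capture interface eth0, a curl that honours SSLKEYLOGFILE,
# and scratch files under /tmp.
set -eu

# Common key-log line shapes (NSS key log format, as read by Wireshark):
#   TLS 1.2: CLIENT_RANDOM <client_random hex> <master secret hex>
#   TLS 1.3: CLIENT_HANDSHAKE_TRAFFIC_SECRET / SERVER_HANDSHAKE_TRAFFIC_SECRET /
#            CLIENT_TRAFFIC_SECRET_0 / SERVER_TRAFFIC_SECRET_0 / EXPORTER_SECRET
#            (and CLIENT_EARLY_TRAFFIC_SECRET for 0-RTT), each <client_random> <secret>
# client_random is always 32 bytes (64 hex chars); secrets are 32..48 bytes.
KEYLOG_RE='^(CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|(CLIENT|SERVER)_HANDSHAKE_TRAFFIC_SECRET|(CLIENT|SERVER)_TRAFFIC_SECRET_0|EXPORTER_SECRET) [0-9a-f]{64} [0-9a-f]{64,}$'

# Number of lines Wireshark can actually use. A TLS 1.2 session yields one line,
# a TLS 1.3 session at least four, so a count of 0 after a browser visit means
# the browser was not started with the variable in its environment.
keylog_count() {  # usage: keylog_count FILE
  grep -Ec "$KEYLOG_RE" "$1" || true
}

# Lines that are neither comments nor blank but do not parse: typically a secret
# truncated because the writing process was killed mid-line. Wireshark skips
# them, and the session they belong to then stays encrypted.
keylog_bad_lines() {  # usage: keylog_bad_lines FILE
  grep -Ev '^(#|$)' "$1" | grep -Evc "$KEYLOG_RE" || true
}

# Constructed sample for offline testing: all-zero/all-one values, not real keys.
write_sample_keylog() {  # usage: write_sample_keylog FILE
  local cr12 cr13 ms sec
  cr12=$(printf '%064d' 0)   # client_random of a "TLS 1.2" session
  cr13=$(printf '%064d' 1)   # client_random of a "TLS 1.3" session
  ms=$(printf '%096d' 0)     # 48-byte master secret
  sec=$(printf '%064d' 0)    # 32-byte TLS 1.3 secret (SHA-256 suites)
  {
    echo '# constructed sample; comment lines are allowed in the format'
    echo "CLIENT_RANDOM $cr12 $ms"
    echo "CLIENT_HANDSHAKE_TRAFFIC_SECRET $cr13 $sec"
    echo "SERVER_HANDSHAKE_TRAFFIC_SECRET $cr13 $sec"
    echo "CLIENT_TRAFFIC_SECRET_0 $cr13 $sec"
    echo "SERVER_TRAFFIC_SECRET_0 $cr13 $sec"
    echo "CLIENT_RANDOM $cr12 00ff"   # truncated line, as left by a killed process
  } > "$1"
}

# Decrypt HTTP inside TLS from a capture file. The GUI equivalent is
# Edit > Preferences > Protocols > TLS > "(Pre)-Master-Secret log filename".
tshark_decrypt_http() {  # usage: tshark_decrypt_http PCAP KEYLOG
  tshark -r "$1" -o "tls.keylog_file:$2" -Y http \
    -T fields -e frame.number -e http.request.method -e http.host -e http.request.uri
}

# End-to-end run, only on explicit request because it needs capture privileges.
if [ "${1:-}" = "run" ]; then
  KEYLOG=/tmp/tls-keys.log; PCAP=/tmp/https.pcapng
  : > "$KEYLOG"
  # 1. Start capturing before the handshake: the key log is useless without it.
  tshark -i eth0 -f 'tcp port 443' -w "$PCAP" & CAP=$!
  sleep 2
  # 2. The variable must be in the environment of the process doing TLS. A browser
  #    that is already running ignores it (a second "firefox" just hands the URL
  #    to the old instance), so use a fresh process: here curl, alternatively
  #    SSLKEYLOGFILE="$KEYLOG" firefox   or   chrome --ssl-key-log-file="$KEYLOG".
  SSLKEYLOGFILE="$KEYLOG" curl -sS -o /dev/null https://www.heise.de/
  sleep 1; kill "$CAP"; wait "$CAP" 2>/dev/null || true
  echo "usable key-log lines: $(keylog_count "$KEYLOG"), malformed: $(keylog_bad_lines "$KEYLOG")"
  # 3. Point the TLS dissector at the key log and read the HTTP requests in clear.
  tshark_decrypt_http "$PCAP" "$KEYLOG"
fi
```

Run it as `bash script.sh run` with capture rights. The two check functions are the part worth keeping around: when decryption silently fails, a key-log count of 0 (variable not inherited) or a non-zero malformed count (file written while the process was killed) explains it faster than staring at still-encrypted Application Data records.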

The new function for simplified TLS decryption using session keys: the protocol list shows "Transport Layer Security" and below it the HTTP data in plain text, in this case a GET request from a visit to heise.de.

Also under "Tools" there is now a "MAC Address Blocks" entry, which looks up the manufacturer from the OUI of a MAC address, so no external lookup tool is needed for that anymore.

The new version also updates the bundled components, for example Npcap 1.78 (as of 4.2.0rc2). VoIP administrators can look forward to fixes in the RTP player for regressions that crept in with the switch to Qt 6, so VoIP conversations can again be played back in the usual quality for analysis. All details about the new version can be found in the release notes.


(fo)
