Wireshark 4.6.0 brings major updates for packet analysis and decryption

If you’ve ever used Wireshark to dig into network traffic, you know how vital even small upgrades can be. With version 4.6.0, the team behind the open-source network protocol analyzer has added a number of features that could change how you analyze traffic, decode protocols and handle captures across platforms.


Mac and Windows users get notable upgrades

The 4.6.0 release introduces a handful of platform-specific improvements that make day-to-day packet work easier. On macOS, Wireshark can now dissect process information, packet metadata, flow IDs and drop data provided by tcpdump. Windows users get updated dependencies: Npcap 1.83 replaces 1.79, and the Qt framework jumps to 6.9.3 for better performance and compatibility.

The macOS installer is now a single universal package for Intel and Apple Silicon, reducing confusion over which version to grab. At the same time, support for older Windows capture drivers like WinPcap and AirPcap has been removed, steering users toward newer driver stacks that are actively maintained.

Capturing data gets smoother

For those who rely on live captures, the update makes it possible to compress traffic as it’s written to disk. Previously, compression only worked when Wireshark rotated to a new file during a long capture. This small change can make a difference for analysts collecting large data sets.

Time stamps in JSON and other machine-readable outputs are now always written in ISO 8601 UTC format. That may sound minor, but it helps eliminate mismatched or ambiguous times in logs, which can cause real confusion during investigations.

Custom columns have also been refined. Users can display data in the same format as the Packet Details pane, and numeric columns now sort numerically rather than alphabetically.

Deeper decoding for encrypted and emerging protocols

Wireshark’s strength has always been its wide range of supported protocols, and 4.6.0 extends that reach further. It can now decrypt NTP packets using Network Time Security, a feature welcomed by anyone troubleshooting time synchronization. MACsec decryption has been expanded too, with support for Security Association Keys unwrapped by the MKA dissector or through lists of pre-shared keys.

The release also adds support for new and evolving formats, including RIFF, TTL files, Binary HTTP, DECT-2020 (New Radio) and GSMA Remote SIM Provisioning. These additions make Wireshark better suited for environments that mix traditional IP networks with telecom or IoT traffic.

Interface tweaks that save time

Wireshark 4.6.0 brings new quality-of-life touches for people who spend hours in packet traces. A new “Plots” dialog replaces the older I/O Graphs tool, giving users scatter plots, multiple plot views and automatic scrolling for live updates. Packet lists can now be copied as neatly formatted HTML, which simplifies sharing results in reports or documentation.

Theme control has been improved too. On Windows and macOS, users can set the color scheme independently of the system default, provided Wireshark is built with Qt 6.8 or later. Linux users gain wider support for Berkeley Packet Filter extensions like “inbound,” “outbound” and “ifindex,” which were previously rejected.

Dropping legacy components

As part of a wider cleanup, Wireshark has retired some older parts of its code and build system. Besides the removal of WinPcap and AirPcap, support for early versions of the libnl library has ended. The CMake option ENABLE_STATIC is also deprecated in favor of BUILD_SHARED_LIBS. These changes are meant to simplify builds and focus attention on active components.

Version 4.6.0 is available now for Windows, macOS and Linux. Before upgrading, users should confirm that their capture drivers and scripts align with the new formats and dependencies.
