Wireshark 4.6 arrives with a new interface and says goodbye to AirPcap and WinPcap

  • New interface and analysis features: Plots dialog, live compression, and ISO 8601 timing improvements
  • Decryption: NTP with NTS, MACsec advances, and new options in TShark and Lua
  • Support for a wide list of protocols and formats such as RIFF and TTL
  • Goodbye to AirPcap and WinPcap; changes to dependencies and packages for Windows and macOS


The arrival of Wireshark 4.6 represents a significant update for one of the most widely used network protocol analyzers in the world, as the new version of Wireshark 3.0.0 was when it was published. This release introduces a handful of features designed to improve visualization, capture performance, and interoperability with other tools, including fine-tuning of columns, time formats, and statistics.

In addition to internal improvements, the project strengthens its multiplatform support with updated packages for Windows and macOS, and maintains its Linux distribution in both source and Flatpak formats. The release also incorporates changes to system dependencies and components, seeking greater stability and a clearer lifecycle for professional users.

Wireshark 4.6 Highlights in Analysis and Visualization

One of the great additions is the new "Plots" dialog, which allows for the generation of scatter plots with multiple traces, markers, and automatic scrolling. This facilitates faster visual diagnostics during long sessions or during changing traffic patterns.

Another addition is live capture compression while writing to disk, which is especially useful in high-packet-rate environments. In parallel, absolute time fields written to JSON output (-T json) now use ISO 8601 format in UTC, and UTC time columns display the Z suffix according to the standard.

In terms of decryption, Wireshark can now decrypt NTP using NTS (Network Time Security). For this to work, you need to have the TLS client secrets, the exporter secrets, and the NTS-KE packets. In addition, the ability to handle MACsec is extended: it is possible to use the SAK unwrapped by the MKA dissector or the PSK configured directly in the MACsec dissector. Finally, the axes of the TCP Stream Graph now use SI prefixes, which makes magnitudes easier to read.
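Why the exporter secret is required for NTS decryption: NTS keys are exported from the NTS-KE TLS 1.3 session rather than sent on the wire. The following added example (not Wireshark's own code) derives the client-to-server and server-to-client keys as specified in RFC 8915 and RFC 8446; it assumes a SHA-256 cipher suite and AEAD_AES_SIV_CMAC_256, and the key log content is constructed sample data.

```python
import hashlib
import hmac

def hkdf_expand(prk, info, length, hash_name="sha256"):
    """HKDF-Expand (RFC 5869)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret, label, context, length, hash_name="sha256"):
    """HKDF-Expand-Label (RFC 8446, section 7.1)."""
    full_label = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length, hash_name)

def tls13_export(exporter_secret, label, context, length, hash_name="sha256"):
    """TLS 1.3 exporter interface (RFC 8446, section 7.5)."""
    digest = lambda data: hashlib.new(hash_name, data).digest()
    empty = digest(b"")
    derived = hkdf_expand_label(exporter_secret, label, empty, len(empty), hash_name)
    return hkdf_expand_label(derived, b"exporter", digest(context), length, hash_name)

NTS_LABEL = b"EXPORTER-network-time-security"   # RFC 8915, section 5.1
NTPV4_PROTOCOL_ID = 0x0000
AEAD_AES_SIV_CMAC_256 = 15                       # 32-byte key

def nts_keys(exporter_secret, aead_id=AEAD_AES_SIV_CMAC_256, key_len=32):
    """Return (C2S key, S2C key) for one NTS-KE session."""
    ctx = NTPV4_PROTOCOL_ID.to_bytes(2, "big") + aead_id.to_bytes(2, "big")
    c2s = tls13_export(exporter_secret, NTS_LABEL, ctx + b"\x00", key_len)
    s2c = tls13_export(exporter_secret, NTS_LABEL, ctx + b"\x01", key_len)
    return c2s, s2c

def exporter_secret_from_keylog(text, client_random_hex):
    """Find EXPORTER_SECRET for a session in SSLKEYLOGFILE-format text."""
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) == 3 and parts[0] == "EXPORTER_SECRET"
                and parts[1].lower() == client_random_hex.lower()):
            return bytes.fromhex(parts[2])
    return None   # without this line the NTS keys cannot be derived

# Constructed sample key log: client random 0x11.., secrets are dummy values.
SAMPLE_KEYLOG = (f"CLIENT_TRAFFIC_SECRET_0 {'11' * 32} {'33' * 32}\n"
                 f"EXPORTER_SECRET {'11' * 32} {'22' * 32}\n")
```

A key log that lacks the `EXPORTER_SECRET` line for the NTS-KE session leaves the NTP extension fields undecryptable even when the TLS traffic itself decrypts.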

Platform improvements and capture adjustments

On Linux, capture filters that use BPF extensions such as inbound, outbound and ifindex can be used directly for capture, which opens the door to advanced kernel-level filtering scenarios. For packet matching, the underlying type of EUI-64 fields has been converted to bytes, improving consistency.

On macOS, Wireshark can now process additional information that tcpdump provides: process data, packet metadata, flow identifiers, or loss events, among others. This enriches analysis on Apple devices without complex configurations.

On Windows, the installers are distributed with Npcap 1.83 (previously 1.79), and on both Windows and macOS the official packages move to Qt 6.9.3 (formerly 6.5.3). Universal installers are provided on macOS, valid for Arm64 and Intel, simplifying the choice of binary.

Columns, Tables, and Utilities: More Control and Consistency in Wireshark 4.6

Custom columns incorporate an option to display values with the same format as in the packet details, avoiding visual discrepancies between panels. In addition, DNP3 now appears in the Conversations and Endpoints tables, and the ethers file supports EUI-64 name assignments.

The dissection export dialog in the GUI can output the raw hex bytes of the frame for each field, with or without exporting the field value. The Lua API, meanwhile, adds support for Libgcrypt symmetric encryption functions, which expands scripting and automation options.

In the Conversations and Endpoints tables themselves, a switch is added to display exact byte counts and bit rates, rather than human-readable formats with SI units. And TShark debuts the preference -o statistics.output_format to control the output format of certain statistics taps.

Import, export and workflow

The "Import from Hex Dump" function and text2pcap now accept groups of 2 to 4 bytes, which makes it easier to reconstruct captures from heterogeneous text dumps. In addition, from "Print" and "Export Packet Dissection" you can add frame timestamps as a preamble in the hex dumps.

The packet list and the event list no longer allow multi-line rows, which improves readability and prevents unexpected jumps. The release also adds Follow Stream for MPEG-2 Transport Stream PIDs, and HTTP/2 tracking for 3GPP sessions over 5G can be optionally enabled.

The Edit menu gains «Copy › as HTML», along with the ability to copy plain text with aligned columns and to choose the format used by keyboard shortcuts, while the View menu adds an option to manually redissect packets. When Wireshark is compiled with Qt 6.8 or higher (as in the official installers), the light/dark theme can be set independently of the system setting on Windows and macOS.

Formats and protocols that are added

In the formats section, Wireshark 4.6 adds RIFF and TTL decoding, expanding its reach beyond purely network protocols.

The list of new supported protocols is extensive and spans multiple sectors: industrial packaging, automotive, IoT, satellite, and mobile. These include AKP, Binary HTTP, BIST TotalView-ITCH and BIST TotalView-OUCH, plus several Bluetooth and Bundle Protocol Security additions:

  • Asymmetric Key Packages (AKP)
  • Binary HTTP
  • BIST TotalView-ITCH (BIST-ITCH)
  • BIST TotalView-OUCH (BIST-OUCH)
  • Bluetooth Android HCI (HCI ANDROID)
  • Bluetooth Intel HCI (INTEL HCI)
  • BPSec COSE Context and BPSec Default SC
  • Commsignia Capture Protocol (C2P)

Mobile network technologies, measurement and specialized encapsulations are also added, such as DECT NR+ (DECT-2020), DLMS/COSEM, Ephemeral Diffie-Hellman over COSE, ILNP, the LDA_NEO_TRAILER trailer, LSDP, LLC V1 and the internal protocol vSomeIP:

  • DECT NR+ (DECT-2020 New Radio)
  • DLMS/COSEM
  • Ephemeral Diffie-Hellman Over COSE
  • Identifier-Locator Network Protocol (ILNP)
  • LDA Neo Device trailer (LDA_NEO_TRAILER)
  • Lenbrook Service Discovery Protocol (LSDP)
  • LLC V1
  • vSomeIP Internal Protocol (vSomeIP)

The batch is completed with support for Navitrol messaging, NTS-KE, LIDAR sensors such as Ouster VLP-16, Private Line Emulation (PLE), RC V3, RCG, Roughtime, SBAS L5 and remote eSIM provisioning with SGP.22 and SGP.32:

  • Navitrol messaging
  • Network Time Security Key Establishment Protocol (NTS-KE)
  • Ouster VLP-16
  • Private Line Emulation (PLE)
  • RC V3 and RCG
  • Roughtime
  • SBAS L5 Navigation Message
  • SGP.22 GSMA Remote SIM Provisioning (SGP.22)
  • SGP.32 GSMA Remote SIM Provisioning (SGP.32)

Finally, protocols and channels oriented towards automation and USB, among others, are added: SICK CoLA (ASCII and Binary), Silabs Debug Channel, XCP, USB-PTP and messages from VLP-16 Data and Position.

Wireshark 4.6 Retired Features and Dependency Changes

With this version Wireshark stops supporting AirPcap and WinPcap. On Windows systems, Npcap is used by default, so WinPcap can be uninstalled if it is still present on the system.

Support for versions 1 and 2 of libnl (Netlink Protocol Library Suite) is also being discontinued, and libxml2 becomes a required dependency. At the build level, the CMake option ENABLE_STATIC is removed in favor of BUILD_SHARED_LIBS, unifying criteria in the compilation process.

Wireshark 4.6 availability and download

Wireshark 4.6 can be downloaded from its official site as source code to compile, as well as in pre-compiled packages for Windows and macOS. The release notes for this version are also available there. On Linux, the application is available as a Flatpak on Flathub, facilitating its deployment on multiple distributions.

If you were already using the 4.4 or 4.2 branch, you will notice that many of these improvements do not require workflow changes and integrate naturally into everyday work: more useful graphics, richer exports, and new decoding capabilities open the door to more precise analysis without sacrificing performance.

This release consolidates Wireshark as a reference tool by adding advanced visualization, support for emerging protocols and careful maintenance of packages and dependencies, reducing friction for both those who capture traffic on a daily basis and those who dissect specific formats.
