The Wireshark Foundation has revealed the release of Wireshark 4.4.0, bringing a host of new elements, modifications, and bug fixes to the popular open-source network protocol analyzer. This latest version introduces significant enhancements to graphing abilities, shows filter functionality, and overall implementation. One of the significant refinements in Wireshark 4.4.0 is the comprehensive overhaul of the graphing dialogs. The I/O Graphs, Flow Graph / VoIP Calls, and TCP Stream Graphs have all accepted significant updates, offering users more accurate and flexible visualization options.

The I/O Graphs dialog now sustains gaps as small as 1 microsecond and can take up to 33 million graph items. Memory utilization has been optimized, and the graph is more thoughtful about when to retap, recalculate, or replot information. Users can now reorder graphs by drag-and-drop, and the legend can be repositioned to other corners of the graph.

Advanced Display Filter Abilities

Wireshark 4.4.0 presents important enhancements to display filter functionality:

• Value String Support: Enhanced handling of comparisons with value strings, including support for regular expression matching.
• Date and Time Arithmetic: Users can now execute arithmetic operations on date and time values.
• New Functions: Additional display filter functions have been added to test IP address properties and convert unsigned integer types.
• Plugin Support: Display filter functions can now be executed as libwireshark plugins, permitting greater extensibility.

A significant advancement in this release is the capability to define custom columns utilizing any valid field expression. This contains display filter functions, arithmetic calculations, packet slices, and logical tests. Similarly, custom output fields for tshark can now be described using these terms, providing users with unprecedented flexibility in data representation and investigation.

Implementation Progress

Wireshark 4.4.0 brings several performance improvements:

• Faster Reduction: The software can now be built with zlib-ng rather than zlib, contributing substantially faster-compressed file support.
• LZ4 Compression: Capture files can now be saved with LZ4 compression, emphasizing speed and keeping fast random access.
• Interface Management: Adding interfaces at startup is now about twice as fast, with fewer UAC pop-ups on Windows systems.

The new release presents support for several new protocols, including Allied Telesis Resiliency Link, ATN Security Label, Bit Index Explicit Replication (BIER), and many others. Multiple existing protocol dissectors have also been updated to deliver more accurate and complete analysis.

• Lua 5.4 Support: The Windows and macOS installers now ship with Lua 5.4.6, while support for Lua 5.1 and 5.2 has been terminated.
• Automatic Profile Switching: Wireshark now supports automatic switching between configuration profiles based on show filters.
• Enhanced File Handling: The maximum file size for captures has been expanded to 2 TB, and new file naming patterns are supported for better chronological sorting.

Security Fixes

NTLMSSP dissector crash in Wireshark 4.2.0 to 4.0.6 and 4.0.0 to 4.0.16 permits denial of service through packet injection or prepared capture file. The problem is resolved with versions 4.2.7, 4.0.17.

“We are ignorant of any exploits for this case. It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by persuading somebody to read a malformed packet path file.”