Wireshark is the most popular network protocol analyzer in the world. It is used for troubleshooting, analysis, development and education. Wireshark 4.0 was officially released recently. As the jump in version number suggests, the new version brings many changes since 3.6.

Default main window layout

In past versions, Wireshark followed the standard set by its predecessors, stacking the packet list, packet details, and byte views on top of each other.

This standard was set a long time ago, when most monitors had a 4:3 aspect ratio and a lower resolution than today. As of Wireshark 4.0, the default is for detail and bytes views to be next to each other, which makes it easier to take advantage of the space available on modern monitors.

Sessions and Endpoints

Session and endpoint dialogs are already a popular feature, and are often the first thing people look at when investigating a problem. Wireshark 4.0 makes them more powerful and easier to use. For example, TCP and UDP sessions can now be seen side-by-side in separate windows. Sorting has been improved and you can now hide columns, filter on stream IDs, and export data as JSON.

Hex import

Sometimes the packets you are interested in are not in a pcap or pcapng file that you can open directly with Wireshark, but are buried in a hex dump. Wireshark provides two methods for converting hex dumps to pcaps: "Import From Hex Dump" in the main program and the text2pcap tool. In past versions they had different feature sets and behaved differently, but in Wireshark 4.0 they are more consistent.
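To show what such a conversion involves, here is an added Python example (not Wireshark's or text2pcap's code) that parses an offset-prefixed hex dump and writes a classic pcap file. The sample dump, the function names and the choice of Ethernet as link type are assumptions made for illustration.

```python
import re
import struct

# Constructed sample: two short frames in offset-prefixed hex dump form,
# the first with a trailing ASCII column. Offset 000000 starts a new packet.
SAMPLE_DUMP = """\
000000 ff ff ff ff ff ff 00 11 22 33 44 55 08 06 00 01   ................
000010 08 00 06 04 00 01
000000 00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00
"""

LINKTYPE_ETHERNET = 1  # assumption: the dumped frames are Ethernet
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{3,})\s+(.*)$")  # hex offset, then data
BYTE_RE = re.compile(r"[0-9a-fA-F]{2}")

def parse_hex_dump(text):
    """Return a list of packets (bytes) parsed from an offset-prefixed dump."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not start with an offset
        offset = int(m.group(1), 16)
        if offset == 0 and current:  # offset zero begins the next packet
            packets.append(bytes(current))
            current = bytearray()
        if offset != len(current):
            # A gap or overlap means bytes were lost or text was misread as data
            raise ValueError(f"offset {offset:#x} does not match {len(current)} bytes read")
        for tok in m.group(2).split():
            if not BYTE_RE.fullmatch(tok):
                break  # first non-byte token: treat the rest as the ASCII column
            current.append(int(tok, 16))
    if current:
        packets.append(bytes(current))
    return packets

def to_pcap(packets, ts_sec=0):
    """Serialize packets as a little-endian classic pcap (version 2.4) byte string."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        # Record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", ts_sec + i, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    with open("sample.pcap", "wb") as fh:
        fh.write(to_pcap(parse_hex_dump(SAMPLE_DUMP)))
```

The offset check is what keeps a stray ASCII column or a truncated line from silently producing a malformed packet: the parser stops with an error instead.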

Features that will disappear

The official 32-bit Windows package is no longer provided for Wireshark 4.0 and later. If you are still using a 32-bit Windows system, official Wireshark 3.6 updates will continue to be provided until 2024, but you will not be able to use the new features of version 4.0 and later.

Features still under development

There are two highly requested Windows features that are not yet in version 4.0: dark mode and Arm64 support. Dark mode requires support from the user interface library Qt, which is still a work in progress, but hopefully will be introduced in Wireshark 4.2.

Building a package for Arm64 requires build hardware and software library support, which is also expected to be possible in Wireshark 4.2.

More details can be found here: https://blog.wireshark.org/2022/10/whats-new-in-wireshark-4-0/
