- Thursday, October 9, 2025
Wireshark 4.6 has just been released, a major update to the popular free and open-source network protocol analyzer for Linux, macOS, and Windows. This version introduces significant new features and improvements. Notably, Wireshark can now decrypt NTP (Network Time Protocol) packets protected by NTS (Network Time Security) and supports compressing live captures on-the-fly as packets are written to disk. These enhancements, along with many others, make Wireshark 4.6 a compelling upgrade for network engineers, developers, and security analysts. Below, we highlight some of the major changes in this release.
Key New Features and Improvements
- New “Plots” dialog for traffic visualization – Wireshark 4.6 introduces a new Plots dialog that provides scatter plot graphs of network traffic (as a complement to the older I/O graphs, which use histograms). The Plots window supports multiple concurrent plots, various marker styles, and automatic scrolling for real-time data visualization. This helps users better visualize traffic patterns and anomalies at a glance.
- On-the-fly capture file compression – Live packet captures can now be compressed while writing to file, reducing disk usage during long sniffing sessions. In previous versions, capture file compression was only possible at rotation intervals (with multi-file captures), but Wireshark 4.6 lets you compress the capture data stream continuously as it’s being recorded. This is especially useful when capturing high-volume traffic over extended periods.
- NTP decryption with NTS – Wireshark can now decrypt and dissect secure NTP traffic that uses NTS (Network Time Security) for authentication. If the necessary NTS key exchange packets (NTS-KE) and keys are present in the capture, Wireshark 4.6 will use them to decrypt NTP packets and even verify the integrity of the authenticated portions. This allows analysts to inspect time-synchronization traffic that is protected by NTS – a capability that matters more as secure time sync becomes more common.
- Other analysis enhancements – The update expands Wireshark’s ability to decrypt MACsec (Media Access Control Security) traffic on wired networks by using keys obtained from the MKA key agreement protocol or from user-provided pre-shared keys. Additionally, the TCP Stream Graph tool now labels its axes with SI-prefixed units (e.g., Kbps, Mbps), ensuring clarity and consistency in graph readings.
- UI and usability improvements – Wireshark 4.6 brings several quality-of-life updates to the interface. For example, there’s a new “Copy as HTML” option that lets you copy packet list data as formatted HTML (with aligned columns) for reporting or analysis elsewhere. There’s also a new “Redissect Packets” command in the View menu, allowing you to manually re-run dissection on captured data (useful after changing decode preferences or adding decryption keys). These enhancements make the tool more convenient to use during in-depth analysis sessions.
- Dropped legacy support – As a major release, Wireshark 4.6 deprecates some outdated components. Notably, it no longer supports the WinPcap and AirPcap capture drivers on Windows; users should ensure they use the modern Npcap driver going forward (WinPcap was last updated in 2013 and is considered obsolete). Similarly, ancient versions of the libnl library (Netlink Protocol Library v1 and v2 on Linux) are no longer supported. Removing support for these legacy components streamlines Wireshark’s code and focuses development on current technologies.
- Broader protocol coverage – Wireshark 4.6 expands its protocol decoding support, adding dozens of new protocols and file formats. For example, it can now dissect Binary HTTP (a binary-form HTTP protocol), new Bluetooth HCI protocols (for Android and Intel controllers), and various financial trading feeds (e.g., BIST-ITCH/OUCH), among others. The release also introduces support for emerging network and security protocols like the Network Time Security Key Establishment (NTS-KE) and Roughtime (secure time synchronization), as well as new standards in telecommunications such as GSMA remote SIM provisioning (SGP.22/SGP.32 for eSIM). In addition, Wireshark 4.6 can now decode specific file formats like the Resource Interchange File Format (RIFF) and TTL capture files, further extending its analysis capabilities. (For a complete list of newly supported protocols, see the official release notes.)
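To make the NTS item above concrete, the following added example (not Wireshark code and not from the release notes) walks the extension fields of an NTS-protected NTP packet as laid out in RFC 8915 and reports which bytes are cleartext-but-authenticated and which are AEAD ciphertext that only the NTS-KE key material can open. The function name, the sample packet and its zero-filled values are constructed for illustration, and the parser assumes the packet carries extension fields only, with no legacy MAC trailer.

```python
import struct

NTP_HEADER_LEN = 48
# Extension field types assigned to NTS by RFC 8915.
NTS_FIELDS = {
    0x0104: "Unique Identifier",
    0x0204: "NTS Cookie",
    0x0304: "NTS Cookie Placeholder",
    0x0404: "NTS Authenticator and Encrypted Extension Fields",
}


def parse_nts_fields(packet: bytes) -> list[dict]:
    """Walk the extension fields that follow the 48-byte NTP header."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("shorter than an NTP header")
    fields, off = [], NTP_HEADER_LEN
    while off < len(packet):
        if off + 4 > len(packet):
            raise ValueError(f"truncated field header at offset {off}")
        ftype, flen = struct.unpack_from("!HH", packet, off)
        if flen < 4 or flen % 4 or off + flen > len(packet):
            raise ValueError(f"bad field length {flen} at offset {off}")
        body = packet[off + 4:off + flen]
        entry = {"type": ftype, "name": NTS_FIELDS.get(ftype, "other"),
                 "offset": off, "length": flen}
        if ftype == 0x0404:
            if len(body) < 4:
                raise ValueError("authenticator too short")
            nonce_len, ct_len = struct.unpack_from("!HH", body)
            padded_nonce = (nonce_len + 3) & ~3  # nonce is padded to 4 bytes
            if 4 + padded_nonce + ct_len > len(body):
                raise ValueError("nonce/ciphertext overrun the field")
            # Bytes before this field travel in cleartext but are covered by
            # the AEAD tag; only ct_len bytes here need the NTS-KE-derived key.
            entry.update(nonce_len=nonce_len, ciphertext_len=ct_len,
                         authenticated_cleartext_len=off)
        fields.append(entry)
        off += flen
    return fields


def _ef(ftype: int, body: bytes) -> bytes:
    """Build one extension field: type, total length, then the body."""
    return struct.pack("!HH", ftype, 4 + len(body)) + body


# Constructed sample: NTPv4 client request, zero-filled placeholder values.
SAMPLE = (bytes([0x23]) + bytes(47) + _ef(0x0104, bytes(32))
          + _ef(0x0204, bytes(100))
          + _ef(0x0404, struct.pack("!HH", 16, 16) + bytes(32)))

if __name__ == "__main__":
    for field in parse_nts_fields(SAMPLE):
        print(field)
```
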
Availability and Installation
Wireshark 4.6 is available now as a stable release. You can download the source code and updated installers for Windows and macOS from the official Wireshark website. Linux users will receive the update through their distribution’s package repositories in the near future (many distros provide Wireshark packages and will update to 4.6). If you prefer, a Flatpak package is also published on Flathub for easy installation across various Linux distributions.
For those eager to try Wireshark 4.6 on Ubuntu 24.04 LTS, detailed setup instructions are available. The guide “How to Install and Configure Wireshark on Ubuntu 24.04” provides step-by-step installation commands, tips for enabling non-root packet capture, and other configuration notes for Ubuntu users.
Wireshark remains an indispensable tool for network troubleshooting, security auditing, and protocol development. The 4.6 release’s new features – from NTS-decrypted NTP analysis to improved live capture handling – continue to solidify Wireshark’s position as the go-to solution for deep network traffic inspection. As an open-source project, Wireshark 4.6 is a free upgrade; users are encouraged to update and take advantage of the new capabilities and enhancements in this major release.