What is Wireshark?
Wireshark is the world’s most popular network protocol analyzer. It is used for troubleshooting, analysis, development and education.
Wireshark is used by government agencies, educational institutions, corporations, small businesses and nonprofits alike to troubleshoot network issues. Additionally, Wireshark can be used as a learning tool.
Cybersecurity professionals often use Wireshark to trace connections, view the contents of suspect network transactions and identify bursts of network traffic. It is a key part of any IT pro’s toolkit – once they have mastered how to use it.
Wireshark does three things:
- Packet Capture: Wireshark listens to a network connection in real time and then grabs entire streams of traffic – quite possibly tens of thousands of packets at a time.
- Filtering: Wireshark is capable of slicing and dicing all of this random live data using filters. By applying a filter, you can obtain just the information you need to see.
- Visualization: Wireshark, like any good packet sniffer, allows you to dive right into the very middle of a network packet. It also allows you to visualize entire conversations and network streams.
Wireshark is hosted by the Wireshark Foundation, a nonprofit which promotes protocol analysis education. Wireshark and the foundation depend on your contributions in order to do their work. If you or your organization would like to contribute or become a sponsor, visit wiresharkfoundation.org.
Wireshark 4.6.0 Brings Native macOS pktap Metadata Support
In the ever-evolving field of network protocol analysis, macOS users just received a major upgrade. Wireshark—the open-source network analyzer trusted by cybersecurity professionals and IT specialists—has released version 4.6.0, introducing native support for macOS pktap metadata. This update adds visibility into process IDs (PIDs) and process names, allowing analysts to see exactly which applications are generating specific network traffic—no workarounds required.
For years, Apple’s pktap pseudo-interface has embedded process-related metadata in packet captures, but Wireshark lacked native parsing capabilities to expose it. With version 4.6.0, that gap has finally closed. The software can now decode and display process-level information directly within its interface, helping users quickly correlate packets with their originating processes—especially valuable for UDP traffic, where traditional socket monitoring tools often fall short.
Wireshark’s new release integrates pktap’s rich metadata at the core level, turning a long-requested feature into a standard capability.
For security professionals and forensic analysts, the implications are immediate. Linking a suspicious packet stream to a specific process used to involve juggling tools like netstat and lsof. Now, Wireshark simply displays the PID and process name alongside the packet data, cutting investigation time and minimizing errors.
Technical Depth and Broader Impact
pktap functions as a pseudo-interface on macOS, enriching captures from tools like tcpdump with additional metadata. Wireshark 4.6.0’s enhanced dissection capabilities bring that data into the GUI, supporting advanced filters, visualizations, and process-level insights once limited to command-line utilities.
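As an added example of what the new pktap dissection gives an analyst (this is not Wireshark's or Apple's code), the Python below parses DLT_PKTAP frames, pulls the process ID and process name out of the pktap header, and groups traffic per process, including the UDP destination ports the article singles out as hard to attribute with socket-based tools. The header field offsets are an assumption taken from Apple's struct pktap_header and should be checked against the header on your system; the sample frames, process names, addresses and ports are all constructed.

```python
"""Attribute DLT_PKTAP frames to the processes that sent or received them.

Added example, not Wireshark's or Apple's code. The field offsets below are an
ASSUMPTION based on Apple's struct pktap_header (net/pktap.h); verify them
against the header on your system before trusting pid/comm on real captures.
Only pth_length is needed to locate the inner frame, which keeps the parser
robust even if trailing fields differ. All sample data is constructed inline.
"""
import struct
from collections import defaultdict

DLT_PKTAP = 258    # libpcap link type for macOS pktap captures
DLT_EN10MB = 1     # inner link type used by the constructed sample

# Assumed pktap_header layout, little-endian as written on macOS:
#   off  0 pth_length (u32)     total header length; the inner frame starts here
#   off  4 pth_type_next (u32)
#   off  8 pth_dlt (u32)        DLT of the encapsulated frame
#   off 12 pth_ifname (24s)
#   off 36 pth_flags, pth_protocol_family, pth_frame_pre_length,
#          pth_frame_post_length (4 x u32)
#   off 52 pth_pid (i32)        negative when the kernel did not attribute the packet
#   off 56 pth_comm (20s)       MAXCOMLEN+1 = 17 bytes, padded to 20
#   off 76 pth_svc (u32), pth_iftype (u16), pth_ifunit (u16)
#   off 84 pth_epid (i32), off 88 pth_ecomm (20s)   effective pid / name
PKTAP_HDR = struct.Struct("<III24sIIIIi20sIHHi20s")


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("utf-8", errors="replace")


def parse_pktap(frame: bytes) -> dict:
    """Split one DLT_PKTAP frame into its metadata and the inner link-layer frame."""
    if len(frame) < PKTAP_HDR.size:
        raise ValueError("frame shorter than the assumed pktap header")
    (hdr_len, _type_next, dlt, ifname, _flags, _pfamily, _pre, _post,
     pid, comm, _svc, _iftype, _ifunit, epid, ecomm) = PKTAP_HDR.unpack_from(frame)
    if not PKTAP_HDR.size <= hdr_len <= len(frame):
        raise ValueError(f"implausible pth_length {hdr_len}")
    return {"ifname": _cstr(ifname), "dlt": dlt, "pid": pid, "comm": _cstr(comm),
            "epid": epid, "ecomm": _cstr(ecomm), "payload": frame[hdr_len:]}


def udp_dst_port(eth_frame: bytes):
    """Return the UDP destination port of an Ethernet/IPv4/UDP frame, else None."""
    if len(eth_frame) < 34 or eth_frame[12:14] != b"\x08\x00":
        return None
    ihl = (eth_frame[14] & 0x0F) * 4
    if eth_frame[23] != 17 or len(eth_frame) < 14 + ihl + 8:
        return None
    return struct.unpack_from("!H", eth_frame, 14 + ihl + 2)[0]


def attribute_by_process(frames) -> dict:
    """Group pktap frames by (pid, comm): packet/byte counts and UDP ports contacted."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "udp_dports": set()})
    for frame in frames:
        rec = parse_pktap(frame)
        key = (rec["pid"], rec["comm"]) if rec["pid"] >= 0 else (-1, "<unattributed>")
        entry = stats[key]
        entry["packets"] += 1
        entry["bytes"] += len(rec["payload"])
        port = udp_dst_port(rec["payload"]) if rec["dlt"] == DLT_EN10MB else None
        if port is not None:
            entry["udp_dports"].add(port)
    return dict(stats)


# --- constructed sample data ---------------------------------------------------
def build_udp_frame(dst_port: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + UDP frame with zeroed checksums (constructed test data)."""
    eth = bytes.fromhex("0200000000020200000000010800")      # dst, src, EtherType IPv4
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    return eth + ip + struct.pack("!HHHH", 50000, dst_port, udp_len, 0) + payload


def build_pktap_frame(pid: int, comm: str, inner: bytes, ifname: str = "en0") -> bytes:
    """Prepend a pktap header (assumed layout) to an inner Ethernet frame."""
    hdr = PKTAP_HDR.pack(PKTAP_HDR.size, 0, DLT_EN10MB, ifname.encode(), 0, 2, 14, 0,
                         pid, comm.encode(), 0, 6, 0, pid, comm.encode())
    return hdr + inner


SAMPLE_FRAMES = [   # constructed: process names and ports are illustrative only
    build_pktap_frame(501, "mDNSResponder", build_udp_frame(5353, b"\x00" * 12)),
    build_pktap_frame(702, "curl", build_udp_frame(443, b"\x00" * 40)),
    build_pktap_frame(702, "curl", build_udp_frame(443, b"\x00" * 40)),
    build_pktap_frame(-1, "", build_udp_frame(123, b"\x00" * 48)),
]

if __name__ == "__main__":
    for (pid, comm), s in sorted(attribute_by_process(SAMPLE_FRAMES).items()):
        print(f"pid={pid:<6} comm={comm:<16} pkts={s['packets']} "
              f"bytes={s['bytes']} udp_dports={sorted(s['udp_dports'])}")
```

The per-process table is the same pivot Wireshark now offers in the GUI: a UDP flow that socket tools cannot tie to a listener still carries its originating pid in the pktap header, and frames the kernel could not attribute are kept in their own bucket rather than silently dropped.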
According to the official release notes, this version also refines Wireshark’s visualization toolkit—adding improvements like enhanced scatter plots in the Plots dialog. While these enhancements benefit all users, the pktap integration stands out as a breakthrough for macOS analysts, bridging a long-standing divide between Apple’s ecosystem and cross-platform network forensics.
Wireshark 4.6.0 Complete Breakdown
Wireshark now supports enhanced process information, packet metadata, flow IDs, drop data, and other insights provided by tcpdump on macOS systems.
Installer and Platform Updates
- Npcap Upgrade (Windows): The Windows installers now include Npcap 1.83 (previously 1.79).
- Qt Upgrade (Windows & macOS): Installers now ship with Qt 6.9.3 (previously 6.5.3).
- Universal macOS Installer: A single universal macOS installer now supports both Arm64 and Intel architectures.
- WinPcap Support Removed: Wireshark no longer supports WinPcap. Users should install Npcap instead. WinPcap 4.1.3 (2013) supported only Windows 8, which is now deprecated.
New Features and Enhancements
Plots Dialog: A new Plots dialog introduces scatter plot visualization, complementing the I/O Graphs histogram view. Supports multiple plots, markers, and auto-scrolling.
Live Capture Compression: Live captures can now be compressed while writing, using the --compress option in TShark.
Time Formatting Updates:
- Absolute time fields now always use ISO 8601 UTC in JSON output (-T json).
- ASCII time formatting (e.g., Dec 18, 2017 05:28:39 EST) is deprecated in favor of ISO 8601.
- A preference, protocols.display_abs_time_ascii, allows legacy formatting if needed.
- UTC time columns now include a trailing “Z” per ISO 8601.
TShark -G Option Improvements: The -G glossary report option no longer needs to appear first and now respects additional command-line options (-o, -d, --disable-protocol, -C).
EUI-64 Handling: EUI-64 fields are now treated as byte arrays for packet matching, allowing slicing and comparison (e.g., wpan.src64[:3] == eth.src[:3]).
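To show what treating EUI-64 fields as byte arrays makes possible, the following added Python (not Wireshark's code) reimplements the byte-slice forms documented for display filters ([i:j] as offset and length, [i-j] as an inclusive range, [i], [:j], [i:], negative offsets counted from the end, and comma-separated lists that concatenate) and evaluates the OUI comparison from the release notes over constructed addresses. Field names and sample addresses are constructed for illustration.

```python
"""Display-filter byte slicing, reimplemented to show the new EUI-64 comparison.

Added example, not Wireshark's code. Slice semantics follow the forms documented
for Wireshark display filters; the addresses and field dictionary are constructed.
"""
import re

_ELEM = re.compile(r"^(-?\d+)?([:\-])?(-?\d+)?$")
_CMP = re.compile(r"^\s*([\w.]+)(\[[^\]]*\])?\s*(==|!=)\s*([\w.]+)(\[[^\]]*\])?\s*$")


def _abs(offset: int, n: int) -> int:
    """Negative offsets count from the end of the field: -1 is the last byte."""
    return offset + n if offset < 0 else offset


def slice_bytes(value: bytes, spec: str) -> bytes:
    """Apply a slice spec such as '[:3]' or '[0:2,6:2]' to a byte-array field."""
    spec = spec.strip()
    if not (spec.startswith("[") and spec.endswith("]")):
        raise ValueError(f"slice spec must be bracketed: {spec!r}")
    n = len(value)
    out = bytearray()
    for elem in spec[1:-1].split(","):
        elem = elem.strip()
        m = _ELEM.match(elem)
        if not elem or not m or (m.group(1) is None and m.group(3) is None):
            raise ValueError(f"unsupported slice element {elem!r}")
        a, sep, b = m.groups()
        if sep is None:                            # [i]: the single byte at offset i
            i = _abs(int(a), n)
            out += value[i:i + 1]
        elif sep == ":":
            start = _abs(int(a), n) if a is not None else 0
            if b is None:                          # [i:]: from offset i to the end
                out += value[start:]
            else:                                  # [i:j]: j is a LENGTH, not an end
                out += value[start:start + int(b)]
        else:                                      # [i-j]: inclusive end offset
            if a is None or b is None:
                raise ValueError(f"range needs both ends: {elem!r}")
            start, end = _abs(int(a), n), _abs(int(b), n)
            out += value[start:end + 1]
    return bytes(out)


def parse_addr(text: str) -> bytes:
    """Parse 'aa:bb:cc', 'aa-bb-cc' or 'aabb.ccdd' style hardware addresses."""
    return bytes.fromhex(re.sub(r"[:\-.]", "", text))


def eval_slice_compare(expr: str, fields: dict) -> bool:
    """Evaluate 'field[slice] == field[slice]' (or !=) over name -> bytes values."""
    m = _CMP.match(expr)
    if not m:
        raise ValueError(f"unsupported expression {expr!r}")
    lname, lspec, op, rname, rspec = m.groups()
    lhs = slice_bytes(fields[lname], lspec) if lspec else fields[lname]
    rhs = slice_bytes(fields[rname], rspec) if rspec else fields[rname]
    return (lhs == rhs) if op == "==" else (lhs != rhs)


def same_oui(wpan_src64: str, eth_src: str) -> bool:
    """The release-note filter  wpan.src64[:3] == eth.src[:3]  : do the OUIs match?"""
    fields = {"wpan.src64": parse_addr(wpan_src64), "eth.src": parse_addr(eth_src)}
    return eval_slice_compare("wpan.src64[:3] == eth.src[:3]", fields)


if __name__ == "__main__":
    # Constructed addresses: the 802.15.4 extended address and the Ethernet MAC
    # share an OUI in the first pair and differ in the second.
    print(same_oui("00:1a:2b:ff:fe:3c:4d:5e", "00:1a:2b:11:22:33"))   # True
    print(same_oui("00:1a:2b:ff:fe:3c:4d:5e", "00:50:c2:11:22:33"))   # False
```

Before 4.6.0 the same comparison failed because the EUI-64 side was not sliceable; with both operands as byte arrays the filter engine compares the three OUI bytes directly, which is the check the example reproduces.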
Decryption Enhancements:
- NTP (NTS): Wireshark can decrypt NTP packets using Network Time Security (NTS) when key material is available.
- MACsec: Decryption now supports SAK unwrapping via MKA dissector or PSKs defined in the MACsec dissector preferences.
Graph and UI Improvements:
- TCP Stream Graphs now use SI-prefixed units.
- Custom columns can mirror Packet Details formatting and now sort numerically when applicable.
- Reduced minimum width for the I/O Graph window improves usability on small screens.
Display Filter Functions: New float and double functions enable explicit type conversion for numeric and time-based fields.
X.509 Export: Certificates used in TLS and other protocols can now be exported from the File › Export Objects › X509AF menu or via --export-objects x509af in TShark.
HTTP Enhancements: The HTTP and HTTP/2 dissectors now support Zstandard (ZSTD) Content-Encoding.
Follow Stream Support: Added for MPEG-2 Transport Stream PIDs and Packetized Elementary Streams for external playback.
DNP3 Support: Distributed Network Protocol 3 is now included in Conversations and Endpoints tables.
Lua Enhancements:
- Preloaded libraries bit and rex_pcre2 are now available through require().
- Added a Conversation object for Lua, providing access to conversation data.
UI and Usability Enhancements:
- Packet and event lists no longer display multi-line rows.
- Ethers file now supports EUI-64 mappings.
- Enhanced Import from Hex Dump and text2pcap functionality with extended byte group and offset support.
- Option to include frame timestamps in hex dumps.
- Added Edit › Copy › as HTML with configurable output and keyboard shortcuts.
- GUI export options now include JSON output without duplicate keys, raw frame bytes, and multiple format options.
- Conversations and Endpoints dialogs can display precise byte counts and bit rates.
- TShark’s -z taps now respect a statistics.output_format preference.
- Dark and Light color schemes can be set independently of OS theme (requires Qt ≥ 6.8).
Build and System Changes
- libxml2: Now a mandatory dependency (not compatible with version 2.15.0).
- Documentation Build (Windows): No longer requires Java.
- Manual Redissect Option: A new View › Redissect Packets command allows re-analysis when decryption secrets or address resolutions change.
- HTTP2/5G Integration: Optional tracking of 3GPP sessions over 5G Service-Based Interfaces with IMSI association.
- Linux BPF Extensions: Capture filters using extensions such as inbound, outbound, and ifindex can now compile and be used in captures.
Removed Features and Deprecated Options
- AirPcap and WinPcap support removed.
- libnl v1 and v2 no longer supported.
- ENABLE_STATIC CMake option deprecated; use BUILD_SHARED_LIBS instead.
New File Format Support
- Resource Interchange File Format (RIFF)
- TTL File Format
New Protocols Supported
Includes but is not limited to:
AKP, Binary HTTP, BIST TotalView-ITCH/OUCH, Bluetooth (Android & Intel HCI), BPSec COSE Context, C2P, DECT NR+, DLMS/COSEM, Ephemeral Diffie-Hellman over COSE, ILNP, LDA Neo Trailer, LSDP, Navitrol Messaging, NTS-KE, Ouster VLP-16, Private Line Emulation (PLE), RC V3, RCG, Roughtime, SBAS L5, SGP.22 & SGP.32, SICK CoLA, Silabs Debug Channel, XCP, USB-PTP, vSomeIP Internal Protocol.
Capture File and Interface Updates
- BLF Format: Improved reading and writing capabilities.
- Windows ETWdump: Enhanced user experience and now displays raw bytes for unknown events.
API Updates
- The Lua API now supports Libgcrypt symmetric cipher functions.
Getting Wireshark
Wireshark source code and installation packages are available from https://www.wireshark.org/download.html.
Vendor-supplied Packages
Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.
File Locations
Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBs, and RADIUS dictionaries. These locations vary from platform to platform. You can use Help › About Wireshark › Folders or tshark -G folders to find the default locations on your system.
Getting Help
The User’s Guide, manual pages and various other documentation can be found at https://www.wireshark.org/docs/
Community support is available on Wireshark’s Q&A site and on the wireshark-users mailing list. Subscription information and archives for all of Wireshark’s mailing lists can be found on the mailing list site.
Bugs and feature requests can be reported on the issue tracker.
You can learn protocol analysis and meet Wireshark’s developers at SharkFest.
A Step Forward for macOS Network Analysis
Wireshark 4.6.0 reinforces the project’s dedication to cross-platform excellence as macOS continues evolving with tighter privacy and security controls. It also answers years of community feedback—from Stack Overflow threads dating back to 2015 to countless Wireshark forum discussions—requesting an easier way to decode pktap captures in the graphical interface.
For professionals working in network security, this release is more than an incremental improvement—it’s a genuine workflow upgrade. With native pktap decoding, macOS users can now perform process-level analysis on par with other platforms.