Wireshark Version 4.6.1 Ready For Download & Includes Multiple Critical Security Fixes


What is Wireshark?

Wireshark is the world’s most popular network protocol analyzer. It is used for troubleshooting, analysis, development and education.

Wireshark is used by government agencies, educational institutions, corporations, small businesses and nonprofits alike to troubleshoot network issues. Additionally, Wireshark can be used as a learning tool.

Cybersecurity professionals often use Wireshark to trace connections, view the contents of suspect network transactions and identify bursts of network traffic. It is a key part of any IT pro’s toolkit – once they have mastered how to use it.

Wireshark does three things:

  1. Packet Capture: Wireshark listens to a network connection in real time and then grabs entire streams of traffic – quite possibly tens of thousands of packets at a time.
  2. Filtering: Wireshark is capable of slicing and dicing all of this random live data using filters. By applying a filter, you can obtain just the information you need to see.
  3. Visualization: Wireshark, like any good packet sniffer, allows you to dive right into the very middle of a network packet. It also allows you to visualize entire conversations and network streams.

Wireshark is hosted by the Wireshark Foundation, a nonprofit which promotes protocol analysis education. Wireshark and the foundation depend on your contributions in order to do their work. If you or your organization would like to contribute or become a sponsor, visit wiresharkfoundation.org.

Wireshark 4.6.1 Security Fixes

Wireshark 4.6.1 addresses multiple vulnerabilities that could allow attackers — or even malformed traffic — to crash the widely used network protocol analyzer. The update, released this week, underscores the ongoing pressures facing developers of essential open-source security tools as adversaries increasingly target the software that defenders rely on.

Wireshark, being an indispensable utility for network forensics, incident response, and protocol research, is installed on millions of systems worldwide. Because of its central role in traffic inspection, any flaw exposing the application to denial-of-service (DoS) conditions presents a meaningful risk to analysts conducting investigations or monitoring critical environments.

Two High-Priority Vulnerabilities Patched

The headline fixes in Wireshark 4.6.1 address two crash-inducing vulnerabilities, both discovered in protocol dissectors — the components responsible for parsing network data.

  • BPv7 Dissector Crash (wnpa-sec-2025-05)

The first issue involves the Bundle Protocol Version 7 (BPv7) dissector, used in Delay-Tolerant Networking implementations (including space-communication research and niche IoT systems). Incorrect handling of crafted packets could cause Wireshark to crash during capture analysis.

While the vulnerability does not appear to allow remote code execution, security researchers note that the ability to deliberately crash Wireshark during an investigation can disrupt time-sensitive operations. The flaw was cataloged as Issue #20770 on Wireshark’s GitLab tracker.

  • Kafka Dissector Crash (wnpa-sec-2025-06)

A second vulnerability, tied to the Kafka protocol dissector — used in modern cloud and event-streaming architectures — could similarly trigger a crash when processing certain message formats. Tracked as Issue #20823, the flaw is considered particularly relevant for enterprises using Wireshark to diagnose streaming-platform issues or analyze high-volume telemetry traffic.

The Wireshark Foundation credited community contributors and internal testers for identifying and verifying both issues. Security analysts note these types of dissector crashes have historically been a recurring patch category for Wireshark; as one analyst at Rapid7 put it in 2024, “Any protocol parser is a potential attack surface because malformed or intentionally crafted packets can destabilize the tool if boundaries aren’t strictly enforced.”

Wireshark 4.6.1 – What Else Is New?

Beyond security patches, the 4.6.1 update introduces broad stability enhancements, many of which correct persistent bugs carried over from previous releases.

Bluetooth L2CAP Dissector Fixes

Wireshark corrects longstanding misbehavior in the L2CAP retransmission mode, an issue that affected Bluetooth traffic analysis and occasionally produced misleading reconstructions of data streams.

DNS HIP Labeling Correction

The DNS Host Identity Protocol (HIP) dissector now properly identifies public key (PK) algorithm fields instead of mislabeling them as Host Identity Tag (HIT) length values. While subtle, such inaccuracies can lead analysts to misinterpret packet contents during digital identity or authentication research.

Crash Fixes in TShark and Lua Plugins

A recurrent source of frustration for power users — crashes triggered by Lua-based extensions in TShark, Wireshark’s command-line counterpart — has been fully resolved. This brings improved stability for automated pipelines, custom dissector scripts, and large-scale batch processing systems.

File Handling & Performance Updates

The update includes multiple file-related fixes:

  • Crashes tied to FileHandler operations while reading capture files.
  • Write failures involving LZ4-compressed output, now corrected.
  • Compatibility issues with Omnipeek capture files, which prevented certain users from opening cross-platform datasets in Wireshark 4.6.0.

Analysts will also notice smoother performance when selecting specific messages during live review sessions — an improvement that addresses interface stalls reported by enterprise users handling large or complex captures.

More Than 30 Protocols Updated

Wireshark’s value lies in its unparalleled breadth of protocol support, and version 4.6.1 continues that trend with updates to over 30 protocols, enhancing visibility into the rapidly evolving network ecosystem.

Notable updated dissectors include:

  • 802.11 Radiotap
  • DNS
  • DTLS
  • HTTP / HTTP3
  • SMB
  • SNMP
  • TCP
  • TLS

These updates enhance compatibility with new extensions, cryptographic negotiation patterns, and traffic structures seen in modern enterprise networks, cloud environments, and IoT devices. As new application frameworks and encryption standards emerge, protocol analyzers must remain constantly updated — a challenge the Wireshark project faces with every release.

Industry Reaction: Open-Source Tools Under Pressure

Security professionals widely regard Wireshark as one of the most trustworthy tools in the defensive arsenal. Yet its ubiquity also makes it a target.

A cybersecurity researcher at SANS Institute noted in a recent panel discussion that “When threat actors disrupt the defender’s visibility, they can gain the upper hand. Tools like Wireshark must be safeguarded with the same rigor as enterprise software.” The demand for rapid, reliable patches continues to rise as network traffic grows in complexity.

Open-source maintainers, including those at the Wireshark Foundation, have long emphasized that community reporting and sponsorships play a critical role in sustaining timely development. The Foundation reiterated this message alongside the 4.6.1 release, encouraging organizations that rely on Wireshark for security operations to contribute financially or participate in protocol dissector testing.

Wireshark 4.6.1 is now available for Windows, macOS, and Linux through the official Wireshark website. Given the nature of the patched vulnerabilities — both capable of terminating active analysis sessions — the Foundation urges all users, particularly those in enterprise and government environments, to apply the update immediately.

Organizations conducting threat-hunting operations, network forensics, or protocol development should consider this a mandatory security update, as the risk of disrupted investigations or monitoring sessions is non-trivial.
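
A check for the update recommended above, as an added example that is not from the Wireshark project or the original article: it parses the first line of tshark --version output and flags 4.6.x builds older than 4.6.1. The status words are made up for this sketch, and because the article names only the 4.6.1 release, builds from other branches are reported for manual review against wnpa-sec-2025-05 and wnpa-sec-2025-06 rather than judged.

```sh
#!/bin/sh
# Added example (not Wireshark project code): report whether a TShark build
# includes the fixes shipped in 4.6.1, the release named in the article.
FIXED="4.6.1"

# Pull "X.Y.Z" out of the first line of `tshark --version` output.
parse_version() {
    printf '%s\n' "$1" |
        sed -n 's/^TShark (Wireshark) \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed when X.Y.Z version $1 is numerically lower than $2.
version_lt() {
    vl_a=$1; vl_b=$2
    for vl_i in 1 2 3; do
        vl_x=${vl_a%%.*}; vl_y=${vl_b%%.*}
        [ "$vl_x" -lt "$vl_y" ] && return 0
        [ "$vl_x" -gt "$vl_y" ] && return 1
        vl_a=${vl_a#*.}; vl_b=${vl_b#*.}
    done
    return 1
}

# Print "<status> <version>". Status words are labels made up for this sketch.
classify_tshark() {
    ct_ver=$(parse_version "$1")
    if [ -z "$ct_ver" ]; then
        echo "unknown"
    elif ! version_lt "$ct_ver" "$FIXED"; then
        echo "patched $ct_ver"
    else
        case "$ct_ver" in
            "${FIXED%.*}".*) echo "needs-update $ct_ver" ;;
            *) echo "check-advisory $ct_ver" ;;
        esac
    fi
}

# Run against the local install when TShark is present.
if command -v tshark >/dev/null 2>&1; then
    classify_tshark "$(tshark --version 2>/dev/null | head -n 1)"
fi
```

The comparison is numeric per component, so a version such as 4.10.0 is not mistaken for something older than 4.6.1.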

Getting Wireshark

Wireshark source code and installation packages are available from https://www.wireshark.org/download.html.

Vendor-supplied Packages

Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.

File Locations

Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBs, and RADIUS dictionaries. These locations vary from platform to platform. You can use Help → About Wireshark → Folders or tshark -G folders to find the default locations on your system.

Getting Help

The User’s Guide, manual pages and various other documentation can be found at https://www.wireshark.org/docs/

Community support is available on Wireshark’s Q&A site and on the wireshark-users mailing list. Subscription information and archives for all of Wireshark’s mailing lists can be found on the mailing list site.

Bugs and feature requests can be reported on the issue tracker.

You can learn protocol analysis and meet Wireshark’s developers at SharkFest.

WarMax356 Founder