The development release of Wireshark 1.5.0 was released last week, marking the latest milestone for the family of packet analysis applications. Since hesitantly crossing the 1.0 mark in 2008 (two years after being renamed from Ethereal), Wireshark has been growing at a fairly ambitious pace. I'm currently using Wireshark 1.2.7. Curious what features have been introduced recently, I grabbed the development source tarball and compiled it on my Ubuntu workstation.
This article discusses some of the more useful improvements since 1.2.7, some of which are available in the current stable release 1.4.3. For a complete list of features, bug fixes, and new supported protocols see the Wireshark release notes.
Packet List Column Context Menu (v1.4.0)
Right-clicking on a display column in the packet list pane presents a context menu from which the user can easily sort or hide (v1.5.0) the column, horizontally align its fields, and modify the information it displays. Columns can also be rearranged by dragging them with the mouse.
Ignoring Packets (v1.4.0)
Packets can be ignored by right-clicking on the packet in the list and selecting "Ignore Packet". This is handy for temporarily removing specific packets without actually altering the capture data.
Import Captures from Text (v1.5.0)
The functionality of the standalone utility text2pcap has been incorporated into the Wireshark GUI. Packet captures in text format (hex dumps with a leading offset column, such as the output of "od -Ax -tx1 -v") can be imported under File > Import.
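To make the import format concrete, here is an added example (not Wireshark or text2pcap code) that writes constructed frames in the offset-plus-hex-bytes layout text2pcap reads, parses such a dump back into packets, and writes the result as a classic libpcap file, which is what text2pcap itself produces. The parsing rules assumed are the ones text2pcap's manual describes: a hexadecimal offset starts each line, an offset of zero starts a new packet, and anything after the first non-hex token (an ASCII column, for instance) is ignored. The Ethernet/IPv4/UDP frame and its addresses are constructed dummies.

```python
"""Round-trip packets through a text2pcap-style hex dump (added example)."""
import struct


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(payload: bytes, sport: int = 5353, dport: int = 53) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame; MACs and IPs are dummies."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + udp


def to_hex_dump(packets, width: int = 16) -> str:
    """Emit packets in the offset-plus-bytes layout that text2pcap reads."""
    lines = []
    for pkt in packets:
        for off in range(0, len(pkt), width):
            chunk = pkt[off:off + width]
            lines.append("%06x %s" % (off, " ".join("%02x" % b for b in chunk)))
        lines.append("")  # blank line between packets, as od-style dumps have
    return "\n".join(lines)


def parse_hex_dump(text: str):
    """Inverse of to_hex_dump: split packets on offset 0, stop at non-hex tokens."""
    packets, cur = [], bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        try:
            offset = int(tokens[0], 16)
        except ValueError:
            continue  # not a dump line (a comment, a header, ...)
        if offset == 0 and cur:
            packets.append(bytes(cur))
            cur = bytearray()
        for tok in tokens[1:]:
            if len(tok) != 2 or any(c not in "0123456789abcdefABCDEF" for c in tok):
                break  # ASCII column or garbage: ignore the rest of the line
            cur.append(int(tok, 16))
    if cur:
        packets.append(bytes(cur))
    return packets


def write_pcap(path, packets, linktype: int = 1) -> int:
    """Write a classic libpcap file (link type 1 = Ethernet); returns bytes written."""
    written = 0
    with open(path, "wb") as f:
        hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
        written += f.write(hdr)
        for i, pkt in enumerate(packets):
            # Constructed timestamps, one second apart, so packets stay ordered.
            rec = struct.pack("<IIII", 1_600_000_000 + i, 0, len(pkt), len(pkt))
            written += f.write(rec) + f.write(pkt)
    return written


if __name__ == "__main__":
    frames = [build_udp_frame(b"hello"), build_udp_frame(b"world", dport=123)]
    dump = to_hex_dump(frames)
    print(dump)
    assert parse_hex_dump(dump) == frames
    write_pcap("imported.pcap", parse_hex_dump(dump))
```

The same dump text pasted into File > Import (or fed to text2pcap on the command line) should yield the two frames the script wrote to imported.pcap.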
Syntax Checking for Capture Filters (v1.5.0)
Wireshark implements two types of filters: capture filters and display filters. Capture filters are applied at a very low level, in the packet capture library (libpcap or WinPcap), and determine which packets are recorded in the capture file at all; they use the BPF syntax shared with tcpdump, for example "host 10.0.0.1 and tcp port 443". Display filters apply only to the GUI presentation and use Wireshark's own field-based syntax, for example "ip.addr == 10.0.0.1 && tcp.port == 443"; enabling one does not modify the contents of the capture file, only which packets are shown while the filter is active. The two languages look similar but are not interchangeable, and before this release a capture filter written in display-filter syntax was only rejected when the capture was started.
Release 1.5.0 introduces syntax checking in the capture filter field, so a malformed expression is flagged before a capture is attempted. (The display filter field has supported syntax checking for some time.) As with any filter, a syntactically valid expression is not necessarily the intended one; verify that it matches the traffic you actually want to record.
Window Scaling Graph (v1.5.0)
Joining the four existing TCP stream graphs (RTT, throughput, Stevens, and tcptrace) in this release is a TCP window scale graph. The name is a bit misleading: the TCP window scale factor is negotiated once, in the SYN segments of the handshake, and remains static for the duration of the session. What is actually graphed is the effective advertised window (the 16-bit window field multiplied by the negotiated scale factor), a far more useful attribute, over the duration of the connection.
The window graph for a TCP session can be opened under Statistics > TCP Stream Graphs > Window Scaling Graph after selecting a TCP packet in the capture. Note that advertised windows are per direction: each endpoint advertises how much data it is willing to receive, so the graph plots the window advertised by the sender of the selected packet. Be sure to select a packet from the desired direction of the session.
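The calculation behind the graph, as an added example rather than Wireshark's code: the shift count is read from the window scale option (kind 3) in each side's SYN, and every later segment's 16-bit window field is shifted by the count its sender offered. The rules applied are those of RFC 7323: scaling is in effect only if both sides sent the option, the window field of a SYN is never scaled, and a shift count above 14 is clamped to 14. The segments, ports and sequence numbers in build_tcp() are constructed; there is no IP layer, since only the TCP header matters here.

```python
"""Effective advertised TCP window per direction (added example, not Wireshark code)."""
import struct

SYN, ACK = 0x02, 0x10


def build_tcp(sport, dport, seq, ack, flags, window, options=b""):
    """Constructed TCP header with options padded to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4,
                      flags, window, 0, 0)
    return hdr + options


def parse_tcp(seg):
    """Return the header fields the window calculation needs."""
    sport, dport, seq, ack, off, flags, window, _, _ = struct.unpack("!HHIIBBHHH", seg[:20])
    data_len = (off >> 4) * 4
    return {"sport": sport, "dport": dport, "flags": flags,
            "window": window, "options": seg[20:data_len]}


def window_scale_shift(options):
    """Shift count from a window scale option (kind 3, length 3), or None if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break  # truncated or malformed option: stop parsing
        if kind == 3 and options[i + 1] == 3:
            return min(options[i + 2], 14)  # RFC 7323 caps the shift at 14
        i += options[i + 1]
    return None


class WindowTracker:
    """Tracks one connection's advertised windows, one series per direction."""

    def __init__(self):
        self.shift = {}   # (sport, dport) -> shift count offered in that side's SYN
        self.series = {}  # (sport, dport) -> effective windows in capture order

    def feed(self, seg):
        h = parse_tcp(seg)
        direction = (h["sport"], h["dport"])
        if h["flags"] & SYN:
            self.shift[direction] = window_scale_shift(h["options"])
            eff = h["window"]  # the window in a SYN is never scaled
        else:
            # Scaling applies only when both SYNs carried the option.
            both = all(self.shift.get(d) is not None
                       for d in (direction, direction[::-1]))
            eff = h["window"] << (self.shift[direction] if both else 0)
        self.series.setdefault(direction, []).append(eff)
        return direction, eff


if __name__ == "__main__":
    t = WindowTracker()
    t.feed(build_tcp(40000, 80, 1, 0, SYN, 65535, b"\x03\x03\x07"))
    t.feed(build_tcp(80, 40000, 100, 2, SYN | ACK, 65535, b"\x01\x01\x03\x03\x09"))
    t.feed(build_tcp(40000, 80, 2, 101, ACK, 1000))
    t.feed(build_tcp(80, 40000, 101, 2, ACK, 500))
    for direction, values in t.series.items():
        print("%d -> %d: %s" % (direction[0], direction[1], values))
```

Each series is what the graph plots for one direction, which is why the packet selected before opening it determines which endpoint's window you see. A capture that starts mid-connection has no SYNs, so the shift counts are unknown; this tracker then reports unscaled values, and Wireshark likewise cannot recover the scale factor in that case.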