Wireshark 4.6.0 brings fresh features, dark mode control, and better packet decryption for Linux and macOS

Wireshark 4.6.0 is officially here, marking the first release in the 4.6 branch of the world’s most popular network protocol analyzer. The open-source tool, developed under the nonprofit Wireshark Foundation, continues to evolve as a must-have utility for network administrators, developers, and educators.

This update delivers a wide range of new features and refinements. For starters, the Windows version now includes Npcap 1.83, while both Windows and macOS installers ship with Qt 6.9.3, replacing the older 6.5.3 version. The macOS release also moves to a universal installer, eliminating separate Intel and Arm64 builds. WinPcap support has finally been dropped entirely, closing a decade-old chapter and requiring users to move to Npcap.

One of the most intriguing additions is a new “Plots” dialog, offering scatter plots for network data visualization. Live capture compression has been improved too. TShark now supports compression while writing live captures, not just during file rotation. The update also modernizes timestamp handling by switching to ISO 8601 format, which standardizes how times are displayed in JSON, CSV, and custom output fields.

On the decryption front, Wireshark now supports NTP decryption with Network Time Security (NTS) and expands MACsec packet decryption through additional key handling options. These additions improve how encrypted traffic can be analyzed, particularly in enterprise or academic environments.

Other highlights include a refined interface that works better on smaller screens, enhanced Lua scripting capabilities, and better protocol support. You can now export X.509 certificates directly, decrypt HTTP traffic with Zstandard compression, and even “Follow Stream” for MPEG-2 transport streams. For those deep in the weeds, EUI-64 addresses can now be compared and sliced like byte arrays. This is a subtle (but welcome) improvement for low-level network analysis.

Wireshark’s dark mode and color scheme can now be set independently of your operating system’s theme, as long as Wireshark is built with Qt 6.8 or newer. And while many improvements target usability, Linux users will appreciate better support for BPF extensions in capture filters, making advanced packet captures more flexible.

On the compatibility side, Wireshark 4.6.0 removes support for AirPcap, WinPcap, and older libnl versions, and introduces new protocol dissection for dozens of formats, including Binary HTTP, DECT NR+, Network Time Security Key Establishment Protocol (NTS-KE), and Roughtime.

Wireshark 4.6.0 is available now for Linux, macOS, and Windows at wireshark.org/download. Linux users can also install it through their distribution’s package manager once repositories update.

Written by

Brian Fagioli


Brian Fagioli is a technology journalist and founder of NERDS.xyz. A former BetaNews writer, he has spent over a decade covering Linux, hardware, software, cybersecurity, and AI with a no nonsense approach for real nerds.
