SANS ISC: SANS Internet Storm Center

Wireshark 3.6.0 Released

Published: 2021-11-29
Last Updated: 2021-11-29 13:55:05 UTC
by Didier Stevens (Version: 1)

Wireshark version 3.6.0 was released.

It has many updates and bug fixes.

There is one change I want to highlight: the behavior of operator != (not equal) in display filters. Starting with version 3.6.0, the expression "a != b" is the same as "!(a == b)".

This was not the case prior to version 3.6.0, and it's something you might have noticed (I'm sure you are aware of this if you ever took my Wireshark trainings ;-) ).

When the syntax of a display filter is correct, the background color of the display filter field is green:

If the syntax is wrong, the background color is red (<> is not a valid operator here):

And if you would use the != operator, then the background color would be yellow:

Yellow means that the syntax is correct, but that the semantics might not be what you expect. That's because fields can have multiple values. For example, field ip.addr has 2 values (ip.src and ip.dst). But ip.src can also have multiple values, for example when an IP packet is embedded inside another IP packet (an ICMP packet for example).

The yellow color is a warning: check if the semantics are what you expect, and if not, rewrite your expression: "a != b" -> "!(a == b)". This would give you a green color:

Starting with version 3.6.0, the semantics of operator != have changed. "a != b" is semantically the same as "!(a == b)" now, and the yellow color no longer appears:

FYI: if you need the "old" semantics, use operator ~= (any_ne).
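The difference between the two semantics on multi-valued fields can be worked through with a small model. This is an added example, not code from the diary or from Wireshark: the function names, the packet representation and the sample addresses are assumptions made for illustration.

```python
# Model of display-filter comparison over multi-valued fields.
# A packet is a dict mapping a field name to the list of values it holds.

def any_eq(pkt, field, value):
    """a == b: true if at least one value of the field equals b."""
    return any(v == value for v in pkt.get(field, []))

def any_ne(pkt, field, value):
    """Pre-3.6 'a != b' (now '~='): true if at least one value differs from b."""
    return any(v != value for v in pkt.get(field, []))

def not_eq(pkt, field, value):
    """3.6.0 'a != b', modelled as '!(a == b)'."""
    return not any_eq(pkt, field, value)

def with_ip_addr(pkt):
    """ip.addr holds every ip.src and ip.dst value of the packet."""
    return {**pkt, "ip.addr": pkt["ip.src"] + pkt["ip.dst"]}

# Constructed sample packets (addresses are made up for this example).
PACKETS = {
    "from_host": with_ip_addr({"ip.src": ["10.0.0.1"], "ip.dst": ["10.0.0.2"]}),
    "unrelated": with_ip_addr({"ip.src": ["10.0.0.3"], "ip.dst": ["10.0.0.2"]}),
    # ICMP error from a router: outer IP header plus the embedded original header
    "icmp_error": with_ip_addr({"ip.src": ["192.0.2.1", "10.0.0.2"],
                                "ip.dst": ["10.0.0.2", "10.0.0.1"]}),
}

def matches(op, field, value):
    """Names of the sample packets that a filter 'field <op> value' displays."""
    return [name for name, pkt in PACKETS.items() if op(pkt, field, value)]

if __name__ == "__main__":
    for label, op in (("pre-3.6 != (~=)", any_ne), ("3.6.0 !=", not_eq)):
        print(label, "ip.addr != 10.0.0.1 ->", matches(op, "ip.addr", "10.0.0.1"))
        print(label, "ip.src != 192.0.2.1 ->", matches(op, "ip.src", "192.0.2.1"))
```

With the old semantics, a filter meant to hide a host's traffic still displays every packet, because at least one address in each packet differs from the excluded one; with the 3.6.0 semantics only packets that carry no matching value are displayed.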


Didier Stevens
Senior handler
Microsoft MVP

Keywords: update wireshark