Wireshark 4.6 adds scatter plot visuals, live capture compression and protocol decoding
Wireshark 4.6 introduces major updates focused on analysis precision, capture efficiency, and protocol coverage across Linux, macOS, and Windows. The new Plots dialog adds scatter plot visualizations that display raw packet field values like DNS query lengths, with multi-plot and live scrolling support. This provides a more detailed view of traffic behavior compared to I/O Graphs, which aggregate data over time. Live captures can now be compressed while writing, reducing disk space usage during extended or high-volume sessions.
Encrypted traffic analysis has been expanded with support for decrypting NTP packets secured by Network Time Security (NTS) and improved MACsec decryption using additional key sources. The release also adds decoding for protocols such as Asymmetric Key Packages (AKP), Binary HTTP, Bluetooth HCI variants, BIST TotalView-ITCH, BPSec COSE Context, Commsignia Capture Protocol (C2P), and others within the DECT, DLMS/COSEM, and GSMA RSP ecosystems.
On Linux, new BPF filter extensions allow capturing traffic by direction or interface index for more granular control. Custom columns now mirror packet detail formatting for consistency. Other additions include “Copy as HTML,” manual redissections, SI-prefixed TCP Stream Graphs, and a unified macOS installer supporting Intel and Apple Silicon. Legacy dependencies such as AirPcap, WinPcap, and older libnl versions have been deprecated. Detailed technical information and bug fixes are listed in the full release notes.


Comments
Excellent tool, and it's fantastic it's got these improvements!