I’m running Ubuntu 20.04 on my notebook, which by now is around 2 years old. This means that some programs are of the same age, as newer versions are not included in the repository. For most programs, that is just fine for me. Some programs are evolving quickly, however, and when it comes to Wireshark, it might be good to have the latest version. As I wanted to have a closer look at http3 and also at some 5G core network related interactions (the two topics are independent), I decided to get the latest Wireshark version to see if the dissectors of the latest version would show me more than those in the two year old version of Wireshark.
When it comes to Linux, there are no binaries of the latest version available, so one has to compile from source. That sounds more complicated than it actually is.
While the Wireshark repository and the latest source (v3.7.0 at the time of writing) are hosted on GitHub, the instructions on how to compile the code and which libraries are required are a bit vague. This gap is filled by this GitHub Gist, which contains a straightforward bash script that installs the required libraries, pulls the Wireshark code from GitHub and then executes the commands to compile the binary. The comments there also contain the command for giving dumpcap the root rights it needs, so Wireshark itself can be run from a non-root user account. A nice bonus: the new binary does not overwrite Ubuntu 20.04’s older version, so both can be used in parallel to check for differences in packet decoding.
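As an added illustration of the steps the gist automates (this is my own script, not the gist's or the Wireshark project's code), the build goes into a separate prefix so the distro package stays untouched, and the capture privilege is confined to dumpcap instead of running Wireshark as root. The install prefix /opt/wireshark-git, the group name wireshark and the checkout path are my assumptions.

```shell
#!/usr/bin/env bash
# Added example (my script, not the gist's or Wireshark's): build Wireshark from
# Git into its own prefix so the distro's 3.2.3 stays usable, and give only dumpcap
# the capabilities it needs. SRC_DIR, PREFIX and CAP_GROUP are assumed values.
set -e
SRC_DIR="${SRC_DIR:-$HOME/src/wireshark}"
PREFIX="${PREFIX:-/opt/wireshark-git}"
CAP_GROUP="${CAP_GROUP:-wireshark}"

build_wireshark() {
  git clone --depth 1 https://github.com/wireshark/wireshark.git "$SRC_DIR"
  sudo "$SRC_DIR/tools/debian-setup.sh"   # ships with the source; apt-installs build deps
  mkdir -p "$SRC_DIR/build" && cd "$SRC_DIR/build"
  cmake -G Ninja -DCMAKE_INSTALL_PREFIX="$PREFIX" ..
  ninja && sudo ninja install
}

# Confine capturing to one group and grant dumpcap cap_net_raw/cap_net_admin
# only. Never make it setuid root: that would hand out full root, not two caps.
harden_dumpcap() {
  local d="$PREFIX/bin/dumpcap"
  sudo groupadd -f "$CAP_GROUP"
  sudo chown "root:$CAP_GROUP" "$d"
  sudo chmod 0750 "$d"
  sudo setcap cap_net_raw,cap_net_admin=eip "$d"
  sudo usermod -aG "$CAP_GROUP" "$USER"   # takes effect at the next login
}

# Return 0 when a getcap(8) output line grants nothing beyond cap_net_raw and
# cap_net_admin. Handles both "path = caps+eip" and "path caps=eip" styles.
caps_are_minimal() {
  local caps c
  caps="${1##* }"            # last field: cap_a,cap_b=eip (or +eip)
  caps="${caps%%[+=]*}"      # drop the flag suffix
  [ -n "$caps" ] || return 1
  for c in $(printf '%s' "$caps" | tr ',' ' '); do
    case "$c" in cap_net_raw|cap_net_admin) ;; *) return 1 ;; esac
  done
}

# Return 0 when the binary is executable, not setuid and not world-executable.
dumpcap_file_is_locked_down() {
  [ -x "$1" ] || return 1
  [ -u "$1" ] && return 1
  [ -z "$(find "$1" -perm -001 -print 2>/dev/null)" ]
}

# Only run the full procedure when asked; otherwise the file just defines the checks.
if [ "${1:-}" = install ]; then
  build_wireshark && harden_dumpcap && caps_are_minimal "$(getcap "$PREFIX/bin/dumpcap")"
fi
```

Run it as `./build-wireshark.sh install`; afterwards `dumpcap_file_is_locked_down` and `caps_are_minimal "$(getcap "$PREFIX/bin/dumpcap")"` verify that the binary got exactly the intended privilege and nothing more.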
When it comes to http3, the difference between Wireshark 3.2.3 and 3.7.0 is quite significant. Unfortunately, even 3.7.0 does not decode the data inside the http3 streams, but seeing the http3 headers and the general protocol is better than nothing. But I anticipate that this feature is not too far away, as it has also been implemented in Wireshark for http2, and decoding an http3 stream is probably very similar. So I will revisit this topic a bit later in the year.
When it comes to 5G core network protocol decoding, I was quite surprised that I did not see a decoding difference between the two year old version of Wireshark and the latest version hosted on GitHub. Even the two year old version decodes the 5G core protocols, including N1/N2 communication to and from the RAN, as well as the http2 based protocols between 5GC elements, without any problems. So it looks like the Wireshark dissectors were implemented while the first set of 5G core specs was being finished, or shortly after. Interesting!