The Windows .exe installers now ship with Npcap instead of WinPcap. Besides being actively maintained (by the nmap project), Npcap brings support for loopback capture and 802.11 WiFi monitor mode capture (if supported by the NIC driver).

Conversation timestamps are supported for UDP/UDP-Lite protocols

TShark now supports the -G elastic-mapping option which generates an ElasticSearch mapping file.

The “Capture Information” dialog has been added back (Bug 12004).

The Ethernet and IEEE 802.11 dissectors no longer validate the frame check sequence (checksum) by default.

The TCP dissector gained a new “Reassemble out-of-order segments” preference to fix dissection and decryption issues in case TCP segments are received out-of-order. See the User’s Guide, chapter TCP Reassembly for details.

Decryption support for the new WireGuard dissector (Bug 15011, requires Libgcrypt 1.8).

The BOOTP dissector has been renamed to DHCP. With the exception of “bootp.dhcp”, the old “bootp.*” display filter fields are still supported but may be removed in a future release.

The SSL dissector has been renamed to TLS. As with BOOTP the old “ssl.*” display filter fields are supported but may be removed in a future release.

Coloring rules, IO graphs, Filter Buttons and protocol preference tables can now be copied from other profiles using a button in the corresponding configuration dialogs.

APT-X has been renamed to aptX.

When importing from hex dump, it’s now possible to add an ExportPDU header with a payload name. This calls the specific dissector directly without lower protocols.

The sshdump and ciscodump extcap interfaces can now use a proxy for the SSH connection.

Dumpcap now supports the -a packets:NUM and -b packets:NUM options.

Wireshark now includes a “No Reassembly” configuration profile.

Wireshark now supports the Russian language.

The build system now supports AppImage packages.

The Windows installers now ship with Qt 5.12.0. Previously they shipped with Qt 5.9.7.

Support for DTLS and TLS decryption using pcapng files that embed a Decryption Secrets Block (DSB) containing a TLS Key Log (Bug 15252).

The editcap utility gained a new --inject-secrets option to inject an existing TLS Key Log file into a pcapng file.

A new dfilter function string() has been added. It allows the conversion of non-string fields to strings so string functions (as contains and matches) can be used on them.

The Bash test suite has been replaced by one based on Python unittest/pytest.