
Wireshark 4.6.6 arrives on Linux with essential security patches that prevent crashes in the ROHC dissector and fix a MACsec buffer overflow vulnerability. The release restructures how third-party extcap plugins are discovered, now defaulting to /usr/libexec/wireshark/extcap while allowing manual overrides via environment variables. Network analysts will also benefit from updated protocol decoders for Kafka, SIP, and industrial standards alongside native JSON capture file support.



Wireshark 4.6.6 Update Fixes ROHC Crash and Updates Linux Plugin Paths

Wireshark 4.6.6 lands with a critical fix for the ROHC dissector crash and a structural change to how third-party extcap plugins are located. The release also ships updated dissectors for Kafka, SIP, and MACsec alongside improved JSON capture file support. Getting this update installed through your distro package manager or compiling from source requires attention to a few path changes that will save you debugging time later.


Security Patches and Dissector Stability

The ROHC protocol crash fix addresses wnpa-sec-2026-51, which triggers when malformed compressed headers hit the parser. Network engineers who routinely analyze wireless traffic or IoT device communications will notice fewer sudden application exits when opening suspicious pcap files. The MACsec dissector also receives a global buffer overflow patch that prevents memory corruption during packet inspection. These fixes matter because fuzzing tools constantly throw edge cases at protocol parsers, and ignoring them usually means the analysis session ends with a core dump right when you need it most.

Linux Plugin Paths and Build Adjustments

The most noticeable change for Linux users involves how extcap binaries are discovered. The application now looks in /usr/libexec/wireshark/extcap by default instead of scattering them across multiarch directories such as /usr/lib64. This aligns with standard Unix conventions, since helper binaries do not require the same architecture-specific layout as shared libraries. You can override this behavior entirely by setting the WIRESHARK_EXTCAP_DIR environment variable before launching the application. Distributions that skip the libexec directory, such as Alpine Linux, continue using the legacy path to maintain compatibility. Developers packaging third-party extensions should update their install scripts accordingly, otherwise those custom capture tools will quietly fail to load after an upgrade. The change was technically introduced in 4.6.0 but finally got proper documentation here, so checking your plugin paths now prevents a silent breakage during routine maintenance.
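One way to catch the silent breakage described above before it bites is to list extcap helpers that still sit in a legacy directory but are missing from the directory Wireshark now searches. This is an added example, not Wireshark project code; the function names and the legacy paths passed in the `--check` branch are assumptions to adjust for your distribution.

```shell
#!/bin/sh
# Added example, not Wireshark project code.
DEFAULT_EXTCAP_DIR=/usr/libexec/wireshark/extcap   # default named in the article

# Directory Wireshark should search: WIRESHARK_EXTCAP_DIR wins when set.
effective_extcap_dir() {
    if [ -n "${WIRESHARK_EXTCAP_DIR:-}" ]; then
        printf '%s\n' "$WIRESHARK_EXTCAP_DIR"
    else
        printf '%s\n' "$DEFAULT_EXTCAP_DIR"
    fi
}

# stranded_extcaps ACTIVE_DIR LEGACY_DIR...
# Prints each executable found in a legacy directory that has no same-named
# file in ACTIVE_DIR. Returns 1 if anything was printed, 0 otherwise.
stranded_extcaps() {
    active=$1; shift
    found=0
    for legacy in "$@"; do
        [ -d "$legacy" ] || continue
        # A legacy path that resolves to the active directory (symlink) is fine.
        if [ -d "$active" ] && [ "$(cd "$active" && pwd -P)" = "$(cd "$legacy" && pwd -P)" ]; then
            continue
        fi
        for f in "$legacy"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            if [ ! -e "$active/${f##*/}" ]; then
                printf '%s\n' "$f"
                found=1
            fi
        done
    done
    return "$found"
}

# Run with --check to scan this host. The legacy paths below are assumed
# examples of multiarch locations; adjust them for your distribution.
if [ "${1:-}" = "--check" ]; then
    active=$(effective_extcap_dir)
    echo "active extcap dir: $active"
    stranded_extcaps "$active" /usr/lib64/wireshark/extcap \
        /usr/lib/wireshark/extcap /usr/lib/*/wireshark/extcap \
        || echo "move the helpers listed above, or set WIRESHARK_EXTCAP_DIR"
fi
```

Run it with `--check` after an upgrade; any path it prints is a helper that will not appear in the capture interface list until it is moved or the override variable points at its directory.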

Protocol Support and File Format Additions

Updated dissectors now handle Kafka, SIP, RF4CE, PFCP, and BACapp traffic with improved decoding accuracy. If you monitor industrial control networks or VoIP infrastructure, these updates will reduce false positives in your expert information panel. The release also adds native support for JSON capture files, which makes it much easier to import data from cloud monitoring tools or containerized network observability stacks without writing custom parsers.

Head over to the Wireshark download page to grab 4.6.6 and get those security patches applied before you dive into your next network analysis session.