If you’re debugging on a remote machine with a large pcap and no desire to scp it back to your desktop, Termshark can help!
What is Termshark?
Termshark is a terminal user interface for Tshark, inspired by Wireshark.
TShark is a network protocol analyzer. It lets you capture packet data from a live network or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.
TShark's native capture file format is pcapng, which is also the format used by Wireshark and various other tools.
Termshark Features
- Read pcap files or sniff live interfaces (where tshark is permitted)
- Filter pcaps or live captures using Wireshark’s display filters
- Reassemble and inspect TCP and UDP flows
- View network conversations by protocol
- Copy ranges of packets to the clipboard from the terminal
- Written in Golang, compiles to a single executable on each platform – downloads available for Linux, macOS, BSD variants, Android (termux), and Windows
tshark has many additional features that Termshark does not yet expose! See What’s Next.
Install Packages
Termshark is pre-packaged for the following platforms: Arch Linux, Debian (unstable), FreeBSD, Homebrew, MacPorts, Kali Linux, NixOS, SnapCraft, Termux (Android), and Ubuntu.
Building
Termshark uses Go modules. Set GO111MODULE=on, then run:
go install github.com/gcla/termshark/v2/cmd/termshark@v2.4.0
For versions of Go between 1.14 and 1.17, use
go get github.com/gcla/termshark/v2/cmd/termshark
Then add ~/go/bin/ to your PATH.
For all packet analysis, Termshark depends on tshark from the Wireshark project. Make sure tshark is in your PATH.
Termshark Quick Start
Inspect a local pcap:
termshark -r test.pcap
Capture ping packets on the interface eth0:
termshark -i eth0 icmp
Run termshark -h for options.
Downloads
Pre-compiled executables are available via GitHub releases. Or download the latest build from the master branch.
Documentation
See the termshark user guide and my best guess at some FAQs. For a summary of updates, see the ChangeLog.
Dependencies
Termshark depends on these open-source packages:
- tshark – command-line network protocol analyzer, part of Wireshark
- tcell – a cell-based terminal handling package, inspired by termbox
- gowid – compositional terminal UI widgets, inspired by urwid, built on tcell
Note that tshark is a run-time dependency, and must be in your PATH for termshark to function. Version 1.10.2 or higher is required (approx 2013).
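A pre-flight check for that run-time dependency, written here as an added example and not part of the termshark project: it confirms tshark is in PATH and that its version meets the 1.10.2 minimum. It assumes the first line of `tshark -v` has the form `TShark (Wireshark) 3.6.2 (...)` (newer releases) or `TShark 1.10.2 (...)` (older ones).

```sh
#!/bin/sh
# Pre-flight check for termshark's run-time dependency on tshark.
# Added example, not termshark's own code. Assumes the first line of
# `tshark -v` looks like "TShark (Wireshark) 3.6.2 (...)" or "TShark 1.10.2 (...)".

MIN_TSHARK_VERSION="1.10.2"   # minimum stated in the termshark README

# version_ge A B : return 0 if dotted version A >= B, 1 otherwise.
# Compares field by field numerically, so 1.10.2 > 1.9.9 (a string compare gets this wrong).
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -z "$ai" ] && ai=0          # missing field counts as 0 (1.10 == 1.10.0)
        [ -z "$bi" ] && bi=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0
}

# tshark_version_from_banner LINE : print the X.Y.Z version found in a tshark -v banner line.
tshark_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^TShark [^0-9]*\([0-9][0-9.]*[0-9]\).*/\1/p'
}

# check_tshark : verify tshark is in PATH and new enough for termshark.
check_tshark() {
    if ! command -v tshark >/dev/null 2>&1; then
        echo "tshark not found in PATH; termshark cannot decode packets" >&2
        return 1
    fi
    banner=$(tshark -v 2>/dev/null | head -n 1)
    ver=$(tshark_version_from_banner "$banner")
    if [ -z "$ver" ]; then
        echo "could not parse tshark version from: $banner" >&2
        return 1
    fi
    if version_ge "$ver" "$MIN_TSHARK_VERSION"; then
        echo "tshark $ver OK (>= $MIN_TSHARK_VERSION)"
        return 0
    fi
    echo "tshark $ver is too old; termshark needs >= $MIN_TSHARK_VERSION" >&2
    return 1
}
```

Source the file and call `check_tshark` before launching termshark; a non-zero exit means termshark will not be able to decode packets on this host.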
These are really good tools.