Penetration testing and cyber defense

Termshark a terminal user interface for tshark

2 min read
termshark a terminal user interface

If you’re debugging on a remote machine with a large pcap and no desire to scp it back to your desktop, Termshark can help!

What is Termshark?


Termshark is a terminal user interface for Tshark, inspired by Wireshark.

TShark is a network protocol analyzer. It lets you capture packet data from a live network or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.

TShark‘s native capture file format is pcapng, which is also the format used by Wireshark and various other tools.

Termshark Features

  • Read pcap files or sniff live interfaces (where tshark is permitted)
  • Filter pcaps or live captures using Wireshark’s display filters
  • Reassemble and inspect TCP and UDP flows
  • View network conversations by protocol
  • Copy ranges of packets to the clipboard from the terminal
  • Written in Golang, compiles to a single executable on each platform – downloads available for Linux, macOS, BSD variants, Android (termux), and Windows

tshark has many additional features that Termshark does not yet expose! See What’s Next.

Install Packages

Termshark is pre-packaged for the following platforms: Arch Linux, Debian (unstable), FreeBSD, Homebrew, MacPorts, Kali Linux, NixOS, SnapCraft, Termux (Android), and Ubuntu.


Termshark uses Go modules. Set GO111MODULE=on then run:

go install

For versions of Go between 1.14 and 1.17, use

go get

Then add ~/go/bin/ to your PATH.

For all packet analysis, Termshark depends on tshark from the Wireshark project. Make sure tshark is in your PATH.

Termshark Quick Start

Inspect a local pcap:

termshark -r test.pcap

Capture ping packets on the interface eth0:

termshark -i eth0 icmp

Run termshark -h for options.


Pre-compiled executables are available via GitHub releases. Or download the latest build from the master branch.


See the termshark user guide and my best guess at some FAQs. For a summary of updates, see the ChangeLog.


Termshark depends on these open-source packages:

  • tshark – command-line network protocol analyzer, part of Wireshark
  • tcell – a cell-based terminal handling package, inspired by termbox
  • gowid – compositional terminal UI widgets, inspired by urwid, built on tcell

Note that tshark is a run-time dependency, and must be in your PATH for termshark to function. Version 1.10.2 or higher is required (approx 2013).

About The Author

1 thought on “Termshark a terminal user interface for tshark

Comments are closed.

Discover more from Tgeniusclub

Subscribe now to keep reading and get access to the full archive.

Continue reading