Termshark a terminal user interface for tshark

If you’re debugging on a remote machine with a large pcap and no desire to scp it back to your desktop, Termshark can help!

What is Termshark?

Termshark is a terminal user interface for Tshark, inspired by Wireshark.

⚡ TShark is a network protocol analyzer. It lets you capture packet data from a live network or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.

TShark‘s native capture file format is pcapng, which is also the format used by Wireshark and various other tools.

Termshark Features

• Read pcap files or sniff live interfaces (where tshark is permitted)
• Filter pcaps or live captures using Wireshark’s display filters
• Reassemble and inspect TCP and UDP flows
• View network conversations by protocol
• Copy ranges of packets to the clipboard from the terminal
• Written in Golang, compiles to a single executable on each platform – downloads available for Linux, macOS, BSD variants, Android (termux), and Windows

tshark has many additional features that Termshark does not yet expose! See What’s Next.

Install Packages

Termshark is pre-packaged for the following platforms: Arch Linux, Debian (unstable), FreeBSD, Homebrew, MacPorts, Kali Linux, NixOS, SnapCraft, Termux (Android), and Ubuntu.

Building

Termshark uses Go modules. Set GO111MODULE=on then run:

go install github.com/gcla/termshark/v2/cmd/termshark@v2.4.0

For versions of Go between 1.14 and 1.17, use

go get github.com/gcla/termshark/v2/cmd/termshark

Then add ~/go/bin/ to your PATH.

For all packet analysis, Termshark depends on tshark from the Wireshark project. Make sure tshark is in your PATH.

Termshark Quick Start

Inspect a local pcap:

termshark -r test.pcap

Capture ping packets on the interface eth0:

termshark -i eth0 icmp

Run termshark -h for options.

Downloads

Pre-compiled executables are available via GitHub releases. Or download the latest build from the master branch.

Documentation

See the termshark user guide and my best guess at some FAQs. For a summary of updates, see the ChangeLog.

Dependencies

Termshark depends on these open-source packages:

• tshark – command-line network protocol analyzer, part of Wireshark
• tcell – a cell-based terminal handling package, inspired by termbox
• gowid – compositional terminal UI widgets, inspired by urwid, built on tcell

Note that tshark is a run-time dependency, and must be in your PATH for termshark to function. Version 1.10.2 or higher is required (approx 2013).

About The Author

Tgeniusclub

See author's posts