Termshark

A terminal user-interface for tshark, inspired by Wireshark.

If you’re debugging on a remote machine with a large pcap and no desire to scp it back to your desktop, termshark can help!

Features

• Read pcap files or sniff live interfaces (where tshark is permitted).
• Inspect each packet using familiar Wireshark-inspired views
• Filter pcaps or live captures using Wireshark’s display filters
• Copy ranges of packets to the clipboard from the terminal
• Written in Golang, compiles to a single executable on each platform – downloads available for Linux (+termux), macOS, FreeBSD, and Windows

Changelog v2.2

e073727 A first attempt to make termshark themeable
962362d A function to construct a color by looking it up in the config file
e10382a A limited function to build a widget containing scrollable text
1722d07 A minibuffer command to load a new pcap file
b9d4e1e A minibuffer option to set the preferred terminal type
9c8d532 A new callback handler for pcap operations
654a4aa A new minibuffer command to clear the filter and apply it
709b15f A reworking of the tshark pcap loaders
afd03cd A simple type that formats PSML for display in a dialog
b090f05 A simple widget to display the termshark log file
410a81a A simpler way to detect when a live packet source is ready
1c2a84f A small struct to track vim key-chord state
e1fa8cf A widget to provide a vim “last-line” or emacs “minibuffer”

More…

Use

It provides a terminal-based user interface for analyzing packet captures. It’s inspired by Wireshark and depends on tshark for all its intelligence. Termshark is run from the command-line. You can see its options with

termshark v1.0.0

A wireshark-inspired terminal user interface for tshark. Analyze network traffic interactively from your terminal.
See https://github.com/gcla/termshark for more information.

Usage:
  termshark [FilterOrFile]

Application Options:
  -i=<interface>                                          Interface to read.
  -r=<file>                                               Pcap file to read.
  -d=<layer type>==<selector>,<decode-as protocol>        Specify dissection of layer type.
  -Y=<displaY filter>                                     Apply display filter.
  -f=<capture filter>                                     Apply capture filter.
      --pass-thru=[yes|no|auto|true|false]                Run tshark instead (auto => if stdout is not a tty). (default: auto)
      --log-tty=[yes|no|true|false]                       Log to the terminal.. (default: false)
  -h, --help                                              Show this help message.
  -v, --version                                           Show version information.

Arguments:
  FilterOrFile:                                           Filter (capture for iface, display for pcap), or pcap file to read.

If --pass-thru is true (or auto, and stdout is not a tty), tshark will be
executed with the supplied command- line flags. You can provide
tshark-specific flags and they will be passed through to tshark (-n, -d, -T,
etc). For example:

$ termshark -r file.pcap -T psml -n | less

Download & Tutorial

Copyright (c) 2019 Graham Clark