Termshark

A terminal user-interface for tshark, inspired by Wireshark.

If you’re debugging on a remote machine with a large pcap and no desire to scp it back to your desktop, termshark can help!

Features

• Read pcap files or sniff live interfaces (where tshark is permitted).
• Inspect each packet using familiar Wireshark-inspired views
• Filter pcaps or live captures using Wireshark’s display filters
• Copy ranges of packets to the clipboard from the terminal
• Written in Golang, compiles to a single executable on each platform – downloads available for Linux (+termux), macOS, FreeBSD, and Windows

Changelog v2.4

51e7457 A function to provide a list of Wireshark profiles
5a37f65 A new tree iterator that disregards expanded and contracted nodes
4eea46b A screenshot of search in action
d0e1859 A search implementation for termshark
1b73b61 Abstract this simple confirmation function
0399719 Add a command and menu option to view the termshark config
a5f9cd4 Add a new termshark filter state
8d67241 Add a short summary of packet search to the ChangeLog
b9aefce Add a summary of stderr to the dialog displayed when tshark fails
7601e01 Add an extra token to each line of stderr from termshark processes
efaeaa3 Add information on the packet search feature to the user guide
9b5a9ac Add missing minibuffer commands to the docs
3657975 Add note on tshark -G folders use
d950730 Add profile suppport to the ChangeLog
f48fcfd Add profiles to the table of contents
18a9e55 Add search to the main menu
37ec8df Add some documentation on the new profile support
15ef1fb Bug fix – the client and server packet counts were not being updated
5323696 Bug fix for conversations view table sorting
79fad3d Bug fix to prevent packet list search not returning
cd0d2a3 Bug fix to restore preservation and display of recently-used filters
0578a1c Change default suppress-errors boolean to true, not false
f087f72 Document the new config settings for packet search.
ba7c647 Don’t activate the termshark tcell screen right away
4aac0dc Eliminate a github dependabot warning
17ef1a1 Eliminate unnecessary inactivity timer work
8761edc Enable bracketed paste in various edit widgets e.g. display filter
6af7638 Explain how termshark uses tshark when searching packets
cd968da Factor out a function to turn a KeyValue error into a string
4903d64 Fix a bug that could cause a hang at shutdown
559e412 Fix a deadlock in the packet list search implementation
d72d5ad Fix a race condition that sporadically breaks extcap captures
63f62c3 Fix bug meaning that default config was not reloaded
e8de021 Fix bug that resulted in sporadic failed stream reassembly
cd190f7 Fix capture method comparison
519ac74 Fix sporadic crash on startup – seen on termux
a36a478 Fix the ChangeLog anchor to reflect a slightly earlier release date
5577dd6 Fix the same bugs in the struct and bytes search code
bc700cd Fix typo
04de996 Fix typo in menu operation leading to UI inconsistencies
949dbf7 Fix up stderr for all external dumpcap routines
7bffb01 Fix view problems when moving around the packet structure
42dec34 Generalize a toml-writing function
9ccca57 Generalize the TsharkSettings function
f058492 Generalize the simple file viewer widget
34bcfe2 Go back to contributor defaults!
0b29e32 I broke the Windows build…
256c574 Improve the one-line explanation of v2.4
c5bfbef Initial implementation of a profiles feature for termshark
c92241b Local build instructions need to change
57f90d0 Make current the arch linux install instructions
41c25b4 Make dark-mode the default
a9843d9 Make sure the minibuffer doesn’t allow styles to bleed through
4477425 Make the hex view’s cursor position more visible
b594823 Make these dialogs modal
db5daa0 Merge branch ‘master’ into profiles2
b9a1c6a Merge branch ‘master’ into profiles2
ee730c9 Merge branch ‘master’ into search
0bc1d46 Merge branch ‘profiles2’
f8b0034 Merge branch ‘profiles2’ into v24docs
e436160 Merge branch ‘v24docs’
a96779e Merge remote-tracking branch ‘origin/master’ into profiles2
cdca3e9 Merge remote-tracking branch ‘origin/master’ into profiles2
4f9ddcd Merge remote-tracking branch ‘origin/master’ into profiles2
37e7535 Merge remote-tracking branch ‘origin/master’ into search
b92b83c Merge remote-tracking branch ‘origin/master’ into search
5e28c15 Merge remote-tracking branch ‘origin/master’ into search
4b86e78 Merge remote-tracking branch ‘origin/master’ into v24docs
4621aae Merge remote-tracking branch ‘origin/master’ into v24docs
0e22fd0 Merge remote-tracking branch ‘origin/master’ into v24docs
eab04cc Merge remote-tracking branch ‘origin/master’ into v24docs
68b2ba1 Merge remote-tracking branch ‘origin/master’ into v24docs
5aa42e9 Merge remote-tracking branch ‘origin/master’ into v24docs
006bca5 Merge remote-tracking branch ‘origin/profiles2’ into v24docs
1e2e0e2 Merge remote-tracking branch ‘origin/search’
8d23c3d More documentation updates for upcoming v2.4
785fd48 Move capinfo under pkg
3b8f1ca Move file tailing logic under pkg too
a09eb2a Move more top-level packages under pkg
8add110 Move the tshark fields extracting code to pkg too
f7f929d Optimistically update the ChangeLog for the v2.4 release date
608b473 Overdue ChangeLog updates
4fa9320 Provide a better table sorter for the conversations view
786e63f Provide more information when packet capture fails
0117c97 Rearrange the config file handling code
381d351 Rearrange the contributors list
2fddcc4 Reduce use of legacy GOWID_TTY variable
9c15935 Remove a use of the global viper struct
f0a80fa Remove my local replace comments
b8476af Rework profile minibuffer commands and add a connection to Wireshark
a1fd08c Silly error in the edit widget led to losing cursor control
73953a8 Some more involved refactoring to move confwatcher to pkg
c29398b Test out an updated demo animated gif
af76832 Thanks @elig0n for the packet search idea!
82249c6 The cli package can also move to pkg
c37544a This should also be moved from the top-level
1ef877d Try harder to make it possible to go install termshark
4cc4668 Try to ensure the profiles dir exists when termshark starts
1eacb35 Update Travis build workflow for Go 1.18
114fa1a Update after refreshing the all-contributors npm module
c840f4c Update copyrights
13c7515 Update instructions for building with the Go toolchain
5580676 Update the ChangeLog with info about suppress-tshark-errors
1ac3107 Update the What’s Next section
3050278 Update the github build workflow
ef07dd1 Update the info shown via “help cmdline”
a259b99 Update to latest gowid
5d88947 Update to latest gowid
1ba156b Update to latest gowid
566ff18 Update to latest gowid and to tcell/v2
4f9ef62 Update to the latest gowid
b54bc04 Update version string in binary for ongoing development
d01a1d5 Use the latest version of gowid
5acb0df Various changes to termshark’s hex/bytes packet view
df4d2aa When capinfo is opened, put focus on the Close button

Use

It provides a terminal-based user interface for analyzing packet captures. It’s inspired by Wireshark and depends on tshark for all its intelligence. Termshark is run from the command line. You can see its options with

termshark v1.0.0



A wireshark-inspired terminal user interface for tshark. Analyze network traffic interactively from your terminal.

See https://github.com/gcla/termshark for more information.



Usage:

  termshark [FilterOrFile]



Application Options:

  -i=<interface>                                          Interface to read.

  -r=<file>                                               Pcap file to read.

  -d=<layer type>==<selector>,<decode-as protocol>        Specify dissection of layer type.

  -Y=<displaY filter>                                     Apply display filter.

  -f=<capture filter>                                     Apply capture filter.

      --pass-thru=[yes|no|auto|true|false]                Run tshark instead (auto => if stdout is not a tty). (default: auto)

      --log-tty=[yes|no|true|false]                       Log to the terminal.. (default: false)

  -h, --help                                              Show this help message.

  -v, --version                                           Show version information.



Arguments:

  FilterOrFile:                                           Filter (capture for iface, display for pcap), or pcap file to read.



If --pass-thru is true (or auto, and stdout is not a tty), tshark will be

executed with the supplied command- line flags. You can provide

tshark-specific flags and they will be passed through to tshark (-n, -d, -T,

etc). For example:



$ termshark -r file.pcap -T psml -n | less

Download & Tutorial

Copyright (c) 2019 Graham Clark