Termshark

A terminal user-interface for tshark, inspired by Wireshark.

If you’re debugging on a remote machine with a large pcap and no desire to scp it back to your desktop, termshark can help!

Features

• Read pcap files or sniff live interfaces (where tshark is permitted).
• Inspect each packet using familiar Wireshark-inspired views
• Filter pcaps or live captures using Wireshark’s display filters
• Copy ranges of packets to the clipboard from the terminal
• Written in Golang, compiles to a single executable on each platform – downloads available for Linux (+termux), macOS, FreeBSD, and Windows

Changelog v2.0

Added

• Termshark supports TCP and UDP stream reassembly. See termshark’s “Analysis” menu.
• By popular demand, termshark now has a dark mode! To turn on, run termshark and open the menu.
• It can be configured to “auto-scroll” when reading live data (interface, fifo or stdin).
• It uses less CPU, is less laggy under mouse input, and will use less than half as much RAM on larger pcaps.
• It now supports piped input e.g.

$ tshark -i eth0 -w - | termshark

• Termshark now supports input from a fifo e.g.

1$ mkfifo myfifo 
1$ tshark -i eth0 -w myfifo 
2$ termshark -r myfifo

• It supports running its UI on a different tty (make sure the tty doesn’t have another process competing for reads and writes). This is useful if you are feeding termshark with data from a process that writes to stderr, or if you want to see information displayed in the terminal that would be covered up by termshark’s UI e.g.

termshark -i eth0 --tty=/dev/pts/5

• Like Wireshark, termshark will now preserve the opened and closed structure of a packet as you move from one pocket to the next. This lets the user see differences between packets more easily.
• It can now be installed for MacOS from Homebrew.
• It now respects job control signals sent via the shell i.e. SIGTSTP and SIGCONT.
• It on Windows no longer depends on the Cygwin tail command (and thus a Cygwin installation).
• The current packet capture source (file, interface, pipe, etc) is displayed in the termshark title bar.
• It can be configured to eagerly load all pcap PDML data, rather than 1000 packets at a time.

Changed

• You can now simply hit enter in the display filter widget to make its value take effect.

Use

It provides a terminal-based user interface for analyzing packet captures. It’s inspired by Wireshark and depends on tshark for all its intelligence. Termshark is run from the command-line. You can see its options with

termshark v1.0.0

A wireshark-inspired terminal user interface for tshark. Analyze network traffic interactively from your terminal.
See https://github.com/gcla/termshark for more information.

Usage:
  termshark [FilterOrFile]

Application Options:
  -i=<interface>                                          Interface to read.
  -r=<file>                                               Pcap file to read.
  -d=<layer type>==<selector>,<decode-as protocol>        Specify dissection of layer type.
  -Y=<displaY filter>                                     Apply display filter.
  -f=<capture filter>                                     Apply capture filter.
      --pass-thru=[yes|no|auto|true|false]                Run tshark instead (auto => if stdout is not a tty). (default: auto)
      --log-tty=[yes|no|true|false]                       Log to the terminal.. (default: false)
  -h, --help                                              Show this help message.
  -v, --version                                           Show version information.

Arguments:
  FilterOrFile:                                           Filter (capture for iface, display for pcap), or pcap file to read.

If --pass-thru is true (or auto, and stdout is not a tty), tshark will be
executed with the supplied command- line flags. You can provide
tshark-specific flags and they will be passed through to tshark (-n, -d, -T,
etc). For example:

$ termshark -r file.pcap -T psml -n | less

Download & Tutorial

Copyright (c) 2019 Graham Clark