A terminal user-interface for tshark, inspired by Wireshark.

If you’re debugging on a remote machine with a large pcap and no desire to scp it back to your desktop, termshark can help!
Features
- Read pcap files or sniff live interfaces (where tshark is permitted)
- Filter pcaps or live captures using Wireshark’s display filters
- Reassemble and inspect TCP and UDP flows
- View network conversations by protocol
- Copy ranges of packets to the clipboard from the terminal
- Written in Golang, compiles to a single executable on each platform – downloads available for Linux, macOS, BSD variants, Android (termux) and Windows
tshark has many more features that termshark doesn’t expose yet! See What’s Next.

Install
Dependencies
Termshark depends on these open-source packages:
- tshark – command-line network protocol analyzer, part of Wireshark
- tcell – a cell based terminal handling package, inspired by termbox
- gowid – compositional terminal UI widgets, inspired by urwid, built on tcell
Note that tshark is a run-time dependency, and must be in your PATH for termshark to function. Version 1.10.2 or higher is required (approx 2013).
Arch Linux
- termshark-bin: binary package which simply copies the released binary to the install directory. Made by jerry73204
- termshark-git: Compiles from source, made by Thann
Debian
Termshark is only available in unstable/sid at the moment.
apt update
apt install termshark
Homebrew
brew update
brew install termshark
Kali Linux
apt update
apt install termshark
NixOS
nix-channel --add https://nixos.org/channels/nixpkgs-unstable
nix-channel --update
nix-env -iA nixpkgs.termshark
SnapCraft
Termshark can be easily installed on almost all major distros just by issuing:
snap install termshark
Note there is a big caveat with Snap and the architecture of Wireshark that prevents termshark being able to read network interfaces. If installed via Snap, termshark will only be able to work with pcap files. See this explanation.
Termux (Android)
pkg install root-repo
pkg install termshark
Note that termshark does not require a rooted phone to inspect a pcap, but it does depend on tshark, which is itself in Termux’s root-repo, the repository for programs that work best on a rooted phone.
If you would like to use termshark’s copy-mode to copy sections of packets to your Android clipboard, you will also need Termux:API. Install from the Play Store, then from termux, type:
pkg install termux-api
Ubuntu
If you are running Ubuntu 19.10 (eoan) or higher, termshark can be installed like this:
sudo apt install termshark
For Ubuntu < 19.10, you can use the PPA nicolais/termshark to install termshark:
sudo add-apt-repository --update ppa:nicolais/termshark
sudo apt install termshark
Building
Termshark uses Go modules, so it’s best to compile with Go 1.12 or higher. Set GO111MODULE=on then run:
go get github.com/gcla/termshark/v2/cmd/termshark
Then add ~/go/bin/ to your PATH.
For all packet analysis, termshark depends on tshark from the Wireshark project. Make sure tshark is in your PATH.
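A preflight check for the tshark requirement stated under Dependencies and repeated here (tshark in PATH, version 1.10.2 or higher), as an added example that is not part of termshark or its documentation. The function names and the sample version banners are constructed for illustration; the only tshark invocation it relies on is `tshark -v`.

```shell
#!/bin/sh
# Added example: preflight check for termshark's tshark dependency.
# Function names and sample banners below are constructed for illustration.
MIN_TSHARK="1.10.2"   # minimum tshark version stated in the README text

# Constructed samples of the first line printed by `tshark -v`.
SAMPLE_NEW='TShark (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)'
SAMPLE_OLD='TShark 1.8.10 (SVN Rev Unknown from unknown)'

# Print the first dotted version number on line 1 of a banner; fail if none.
parse_tshark_version() {
    v=$(printf '%s\n' "$1" | sed -n '1s/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    v=${v%.}                      # drop a trailing full stop, if captured
    [ -n "$v" ] && printf '%s\n' "$v"
}

# Return 0 if version $1 >= version $2, comparing components numerically
# (a plain string compare would wrongly rank 1.8.10 above 1.10.2).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0}; y=${y:-0}      # missing components count as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Verdict for one banner: 0 = new enough, 1 = too old, 2 = unparseable.
check_banner() {
    ver=$(parse_tshark_version "$1") || { echo "unrecognised tshark banner"; return 2; }
    if version_ge "$ver" "$MIN_TSHARK"; then
        echo "tshark $ver OK (>= $MIN_TSHARK)"
    else
        echo "tshark $ver is too old, need >= $MIN_TSHARK"; return 1
    fi
}

# Check the tshark that termshark would find in PATH (3 = not found).
check_tshark() {
    command -v tshark >/dev/null 2>&1 || { echo "tshark not in PATH"; return 3; }
    check_banner "$(tshark -v 2>/dev/null)"
}

# Typical use: check_tshark && termshark -r test.pcap
```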
Quick Start

- Inspect a local pcap:
termshark -r test.pcap
- Capture ping packets on interface eth0:
termshark -i eth0 icmp
Run termshark -h for options.
$ termshark -h
termshark v2.2.0
A wireshark-inspired terminal user interface for tshark. Analyze network traffic interactively from your terminal.
See https://termshark.io for more information.
Usage:
termshark [FilterOrPcap]
Application Options:
-i=<interfaces> Interface(s) to read.
-r=<file/fifo> Pcap file/fifo to read. Use - for stdin.
-d=<layer type>==<selector>,<decode-as protocol> Specify dissection of layer type.
-D Print a list of the interfaces on which termshark can capture.
-Y=<displaY filter> Apply display filter.
-f=<capture filter> Apply capture filter.
-t=<timestamp format>[a|ad|adoy|d|dd|e|r|u|ud|udoy] Set the format of the packet timestamp printed in summary lines.
--tty=<tty> Display the UI on this terminal.
--pass-thru=[auto|true|false] Run tshark instead (auto => if stdout is not a tty). (default: auto)
--log-tty Log to the terminal.
-h, --help Show this help message.
-v, --version Show version information.
Arguments:
FilterOrPcap: Filter (capture for iface, display for pcap), or pcap to read.
If --pass-thru is true (or auto, and stdout is not a tty), tshark will be
executed with the supplied command-line flags. You can provide
tshark-specific flags and they will be passed through to tshark (-n, -d, -T,
etc). For example:
$ termshark -r file.pcap -T psml -n | less
See the termshark user guide, and my best guess at some FAQs. For a summary of updates, see the ChangeLog.