Termshark A terminal UI for tshark inspired by Wireshark
Termshark A terminal UI for tshark inspired by Wireshark

Termshark: A Terminal UI for tshark Inspired by Wireshark

A terminal user-interface for tshark, inspired by Wireshark.

If you’re debugging on a remote machine with a large pcap and no desire to scp it back to your desktop, termshark can help!

Features

  • Read pcap files or sniff live interfaces (where tshark is permitted)
  • Filter pcaps or live captures using Wireshark’s display filters
  • Reassemble and inspect TCP and UDP flows
  • View network conversations by protocol
  • Copy ranges of packets to the clipboard from the terminal
  • Written in Golang, compiles to a single executable on each platform – downloads available for Linux, macOS, BSD variants, Android (termux) and Windows

tshark has many more features that termshark doesn’t expose yet! See What’s Next.

Dark Mode for Termshark
Dark Mode for Termshark

Install

Dependencies

"
"

Termshark depends on these open-source packages:

  • tshark – command-line network protocol analyzer, part of Wireshark
  • tcell – a cell based terminal handling package, inspired by termbox
  • gowid – compositional terminal UI widgets, inspired by urwid, built on tcell

Note that tshark is a run-time dependency, and must be in your PATH for termshark to function. Version 1.10.2 or higher is required (approx 2013).

Arch Linux

Debian

Termshark is only available in unstable/sid at the moment.

apt update
apt install termshark

Homebrew

brew update
brew install termshark

Kali Linux

apt update
apt install termshark

NixOS

nix-channel --add https://nixos.org/channels/nixpkgs-unstable
nix-channel --update
nix-env -iA nixpkgs.termshark

SnapCraft

"
"

Termshark can be easily installed on almost all major distros just by issuing:

snap install termshark

Note there is a big caveat with Snap and the architecture of Wireshark that prevents termshark being able to read network interfaces. If installed via Snap, termshark will only be able to work with pcap files. See this explanation.

Termux (Android)

pkg install root-repo
pkg install termshark

Note that termshark does not require a rooted phone to inspect a pcap, but it does depend on tshark which is itself in Termux’s root-repo for programs that do work best on a rooted phone.

If you would like to use termshark’s copy-mode to copy sections of packets to your Android clipboard, you will also need Termux:API. Install from the Play Store, then from termux, type:

pkg install termux-api

Ubuntu

If you are running Ubuntu 19.10 (eoan) or higher, termshark can be installed like this:

sudo apt install termshark

For Ubuntu < 19.10, you can use the PPA nicolais/termshark to install termshark:

sudo add-apt-repository --update ppa:nicolais/termshark
sudo apt install termshark

Building

Termshark uses Go modules, so it’s best to compile with Go 1.12 or higher. Set GO111MODULE=on then run:

go get github.com/gcla/termshark/v2/cmd/termshark

Then add ~/go/bin/ to your PATH.

For all packet analysis, termshark depends on tshark from the Wireshark project. Make sure tshark is in your PATH.

Quick Start

Read a pcap file with termshark
Read a pcap file with termshark
  • Inspect a local pcap:
termshark -r test.pcap
  • Capture ping packets on interface eth0:
termshark -i eth0 icmp

Run termshark -h for options.

$ termshark -h
termshark v2.2.0

A wireshark-inspired terminal user interface for tshark. Analyze network traffic interactively from your terminal.
See https://termshark.io for more information.

Usage:
  termshark [FilterOrPcap]

Application Options:
  -i=<interfaces>                                            Interface(s) to read.
  -r=<file/fifo>                                             Pcap file/fifo to read. Use - for stdin.
  -d=<layer type>==<selector>,<decode-as protocol>           Specify dissection of layer type.
  -D                                                         Print a list of the interfaces on which termshark can capture.
  -Y=<displaY filter>                                        Apply display filter.
  -f=<capture filter>                                        Apply capture filter.
  -t=<timestamp format>[a|ad|adoy|d|dd|e|r|u|ud|udoy]        Set the format of the packet timestamp printed in summary lines.
      --tty=<tty>                                            Display the UI on this terminal.
      --pass-thru=[auto|true|false]                          Run tshark instead (auto => if stdout is not a tty). (default: auto)
      --log-tty                                              Log to the terminal.
  -h, --help                                                 Show this help message.
  -v, --version                                              Show version information.

Arguments:
  FilterOrPcap:                                              Filter (capture for iface, display for pcap), or pcap to read.

If --pass-thru is true (or auto, and stdout is not a tty), tshark will be
executed with the supplied command-line flags. You can provide
tshark-specific flags and they will be passed through to tshark (-n, -d, -T,
etc). For example:

$ termshark -r file.pcap -T psml -n | less

See the termshark user guide, and my best guess at some FAQs. For a summary of updates, see the ChangeLog.