A terminal user-interface for tshark, inspired by Wireshark.
If you’re debugging on a remote machine with a large pcap and no desire to scp it back to your desktop, termshark can help!
- Read pcap files or sniff live interfaces (where tshark is permitted)
- Filter pcaps or live captures using Wireshark’s display filters
- Reassemble and inspect TCP and UDP flows
- View network conversations by protocol
- Copy ranges of packets to the clipboard from the terminal
- Written in Golang, compiles to a single executable on each platform – downloads available for Linux, macOS, BSD variants, Android (termux) and Windows
tshark has many more features that termshark doesn’t expose yet! See What’s Next.
Termshark depends on these open-source packages:
- tshark – command-line network protocol analyzer, part of Wireshark
- tcell – a cell based terminal handling package, inspired by termbox
- gowid – compositional terminal UI widgets, inspired by urwid, built on tcell
Note that tshark is a run-time dependency, and must be in your PATH for termshark to function. Version 1.10.2 or higher is required (approx 2013).
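A pre-flight check for that dependency, as an added example that is not part of the termshark project: it confirms tshark is in PATH, compares its version numerically against 1.10.2, and reports whether tshark can list capture interfaces. The function names, the `--check`/`--demo` arguments and the assumed shape of the first line of `tshark -v` output are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight check for termshark's run-time dependency on tshark.
MIN_TSHARK="1.10.2"   # minimum tshark version stated above

# Read `tshark -v` output on stdin and print the first dotted version number.
# Assumes the first line starts with "TShark", e.g. "TShark (Wireshark) 3.6.2 ...".
parse_tshark_version() {
    sed -n 's/^TShark[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 >= $2. Components are compared as numbers,
# so 1.10.2 ranks above 1.9.9 (a plain string comparison gets that wrong).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Check that tshark is present, recent enough, and can see capture interfaces.
preflight() {
    command -v tshark >/dev/null 2>&1 || { echo "tshark not found in PATH"; return 1; }
    ver=$(tshark -v 2>/dev/null | parse_tshark_version)
    [ -n "$ver" ] || { echo "could not parse tshark version"; return 1; }
    version_ge "$ver" "$MIN_TSHARK" || { echo "tshark $ver is older than $MIN_TSHARK"; return 1; }
    echo "tshark $ver OK"
    if [ -n "$(tshark -D 2>/dev/null)" ]; then
        echo "live capture: interfaces visible"
    else
        echo "live capture: no interfaces visible, only pcap files can be read (-r)"
    fi
}

# Constructed sample of a `tshark -v` first line, used by --demo.
SAMPLE='TShark (Wireshark) 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)'
case "${1:-}" in
    --check) preflight ;;
    --demo)  v=$(printf '%s\n' "$SAMPLE" | parse_tshark_version)
             version_ge "$v" "$MIN_TSHARK" && echo "$v >= $MIN_TSHARK" ;;
esac
```

Run it with `--check` on the machine where termshark will be used; `--demo` exercises the parsing and comparison on the constructed sample without needing tshark.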
- termshark-bin: binary package which simply copies the released binary to install directory. Made by jerry73204
- termshark-git: Compiles from source, made by Thann
Termshark is only available in unstable/sid at the moment.
apt update
apt install termshark

brew update
brew install termshark

apt update
apt install termshark

nix-channel --add https://nixos.org/channels/nixpkgs-unstable
nix-channel --update
nix-env -iA nixpkgs.termshark
Termshark can be easily installed on almost all major distros just by issuing:
snap install termshark
Note there is a big caveat with Snap and the architecture of Wireshark that prevents termshark from reading network interfaces. If installed via Snap, termshark will only be able to work with pcap files. See this explanation.
pkg install root-repo
pkg install termshark
Note that termshark does not require a rooted phone to inspect a pcap, but it does depend on tshark which is itself in Termux’s root-repo for programs that do work best on a rooted phone.
If you would like to use termshark’s copy-mode to copy sections of packets to your Android clipboard, you will also need Termux:API. Install from the Play Store, then from termux, type:
pkg install termux-api
If you are running Ubuntu 19.10 (eoan) or higher, termshark can be installed like this:
sudo apt install termshark
For Ubuntu < 19.10, you can use the PPA nicolais/termshark to install termshark:
sudo add-apt-repository --update ppa:nicolais/termshark
sudo apt install termshark
Termshark uses Go modules, so it’s best to compile with Go 1.12 or higher. Set GO111MODULE=on then run:
go get github.com/gcla/termshark/v2/cmd/termshark
~/go/bin/ to your
For all packet analysis, termshark depends on tshark from the Wireshark project. Make sure
tshark is in your
- Inspect a local pcap:
termshark -r test.pcap
- Capture ping packets on interface
termshark -i eth0 icmp
termshark -h for options.
$ termshark -h
termshark v2.2.0

A wireshark-inspired terminal user interface for tshark. Analyze network traffic interactively from your terminal.
See https://termshark.io for more information.

Usage:
  termshark [FilterOrPcap]

Application Options:
  -i=<interfaces>                                       Interface(s) to read.
  -r=<file/fifo>                                        Pcap file/fifo to read. Use - for stdin.
  -d=<layer type>==<selector>,<decode-as protocol>      Specify dissection of layer type.
  -D                                                    Print a list of the interfaces on which termshark can capture.
  -Y=<displaY filter>                                   Apply display filter.
  -f=<capture filter>                                   Apply capture filter.
  -t=<timestamp format>[a|ad|adoy|d|dd|e|r|u|ud|udoy]   Set the format of the packet timestamp printed in summary lines.
      --tty=<tty>                                       Display the UI on this terminal.
      --pass-thru=[auto|true|false]                     Run tshark instead (auto => if stdout is not a tty). (default: auto)
      --log-tty                                         Log to the terminal.
  -h, --help                                            Show this help message.
  -v, --version                                         Show version information.

Arguments:
  FilterOrPcap:                                         Filter (capture for iface, display for pcap), or pcap to read.

If --pass-thru is true (or auto, and stdout is not a tty), tshark will be
executed with the supplied command-line flags. You can provide
tshark-specific flags and they will be passed through to tshark (-n, -d, -T,
etc). For example:

$ termshark -r file.pcap -T psml -n | less
See the termshark user guide, and my best guess at some FAQs. For a summary of updates, see the ChangeLog.
termshark by gcla