Termshark can be easily installed on almost all major distros just by issuing:
snap install termshark
Note that there is a big caveat: the combination of Snap and the architecture of Wireshark prevents termshark from reading network interfaces. If installed via Snap, termshark can only work with pcap files. See this explanation.
pkg install root-repo
pkg install termshark
Note that termshark does not require a rooted phone to inspect a pcap, but it does depend on tshark, which lives in Termux’s root-repo, the repository for programs that work best on a rooted phone.
If you would like to use termshark’s copy-mode to copy sections of packets to your Android clipboard, you will also need Termux:API. Install it from the Play Store, then, from Termux, type:
pkg install termux-api
If you are running Ubuntu 19.10 (eoan) or higher, termshark can be installed like this:
sudo apt install termshark
For Ubuntu < 19.10, you can use the PPA nicolais/termshark to install termshark:
Termshark uses Go modules, so it’s best to compile with Go 1.12 or higher. Set GO111MODULE=on then run:
go get github.com/gcla/termshark/v2/cmd/termshark
Then add ~/go/bin/ to your PATH.
For all packet analysis, termshark depends on tshark from the Wireshark project. Make sure tshark is in your PATH.
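A preflight check for the two requirements described above, the tshark dependency and the Snap limitation, written as an added example that is not part of termshark. The function names and status strings are assumptions made here, and a Snap install is recognised by its launcher living under a snap/bin directory.

```shell
#!/bin/sh
# Added example, not termshark's own code. The function names and the
# status strings printed below are assumptions of this example.

# find_in_path NAME DIRS: print the first executable NAME found in the
# colon-separated DIRS. The body runs in a subshell, so the IFS and
# noglob changes never leak into the caller.
find_in_path() (
    IFS=:
    set -f
    for dir in $2; do
        # Empty entries (which mean "current directory") are skipped.
        [ -n "$dir" ] || continue
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# termshark_preflight [DIRS]: report what the termshark found in DIRS
# (default: $PATH) can be used for.
termshark_preflight() {
    dirs=${1:-$PATH}
    ts=$(find_in_path termshark "$dirs") || {
        echo "termshark-missing"; return 1
    }
    case $ts in
        # Snap launchers live in a snap/bin directory; a Snap install
        # can only work with pcap files, not network interfaces.
        */snap/bin/termshark)
            echo "pcap-only"; return 0 ;;
    esac
    # Any other install needs tshark on the same search path.
    find_in_path tshark "$dirs" >/dev/null || {
        echo "tshark-missing"; return 1
    }
    echo "live-and-pcap"
}
```

Source the file and call termshark_preflight with no argument to check the current PATH before choosing between -r and -i.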
Inspect a local pcap:
termshark -r test.pcap
Capture ping packets on interface eth0:
termshark -i eth0 icmp
Run termshark -h for options.
$ termshark -h
A wireshark-inspired terminal user interface for tshark. Analyze network traffic interactively from your terminal.
See https://termshark.io for more information.
-i=<interfaces> Interface(s) to read.
-r=<file/fifo> Pcap file/fifo to read. Use - for stdin.
-d=<layer type>==<selector>,<decode-as protocol> Specify dissection of layer type.
-D Print a list of the interfaces on which termshark can capture.
-Y=<displaY filter> Apply display filter.
-f=<capture filter> Apply capture filter.
-t=<timestamp format>[a|ad|adoy|d|dd|e|r|u|ud|udoy] Set the format of the packet timestamp printed in summary lines.
--tty=<tty> Display the UI on this terminal.
--pass-thru=[auto|true|false] Run tshark instead (auto => if stdout is not a tty). (default: auto)
--log-tty Log to the terminal.
-h, --help Show this help message.
-v, --version Show version information.
FilterOrPcap: Filter (capture for iface, display for pcap), or pcap to read.
If --pass-thru is true (or auto, and stdout is not a tty), tshark will be
executed with the supplied command-line flags. You can provide
tshark-specific flags and they will be passed through to tshark (-n, -d, -T,
etc). For example:
$ termshark -r file.pcap -T psml -n | less