Termshark is a terminal UI for Tshark, which is inspired by Wireshark.
If you are debugging on a remote machine with a large pcap and no desire to scp it back to your desktop, termshark can help.
- Read pcap files or sniff live interfaces (where tshark is permitted).
- Inspect each packet using familiar Wireshark-inspired views
- Filter pcaps or live captures using Wireshark’s display filters
- Reassemble and inspect TCP and UDP flows
- Copy ranges of packets to the clipboard from the terminal
- Written in Golang, compiles to a single executable on each platform – downloads available for Linux, macOS, FreeBSD, Android (termux) and Windows
Termshark is pre-packaged for the following platforms: Arch Linux, Debian (unstable), FreeBSD, Homebrew, Kali Linux, NixOS, SnapCraft, Termux (Android) and Ubuntu.
Termshark uses Go modules, so it’s best to compile with Go 1.11 or higher. Set GO111MODULE=on then run:
go install github.com/gcla/termshark/v2/cmd/termshark
Then add ~/go/bin/ to your PATH.
For all packet analysis, termshark depends on tshark from the Wireshark project. Make sure tshark is in your PATH.
Inspect a local pcap:
termshark -r test.pcap
Capture ping packets on interface eth0:
termshark -i eth0 icmp
Run termshark -h for options.
Termshark depends on these open-source packages:
- tshark – command-line network protocol analyzer, part of Wireshark
- tcell – a cell based terminal handling package, inspired by termbox
- gowid – compositional terminal UI widgets, inspired by urwid, built on tcell
Note that Tshark is a run-time dependency, and must be in your PATH for termshark to function.