Analyze Network Traffic With Termshark, A Terminal UI For TShark (Wireshark)

Termshark

Termshark is a new terminal user interface for TShark (network protocol analyzer), inspired by Wireshark. It runs on Linux, macOS and Windows.

TShark is a terminal version of Wireshark, the free and open source packet analyzer used for network troubleshooting, analysis, software and communication protocol development. TShark doesn't have an interactive terminal user interface though, and this is where Termshark comes in.

Termshark is written in Go, and makes use of TShark which is part of Wireshark. Its interactive terminal interface uses tcell, a cell-based terminal handling package inspired by termbox, and gowid, a Go package that provides widgets and a framework for making terminal user interfaces.

The command line tool had its first release a few days ago, so don't expect it to support all of TShark's features just yet. Currently Termshark features:

  • Read pcap files or sniff live interfaces (where TShark is permitted)
  • Inspect each packet using familiar Wireshark-inspired views
  • Filter pcaps or live captures using Wireshark's display filters
  • Copy ranges of packets to the clipboard from the terminal

If you want to see it in action, there's a Termshark GIF on its homepage. I preferred not to add it to this article as it's a bit too large (3mb).

The developer plans to improve Termshark, with quite a few features being planned, like the ability to select a packet and display the reassembled stream, show pcap statistics, colorize the packets in the packet list view using the Wireshark coloring rules, and more.

The interactive network traffic analyzer includes some handy keyboard shortcuts, like / to go to the display filter, TAB to switch panes, c to switch to copy-mode, etc. You can also adjust the horizontal (+/-) or vertical (</>) split, or maximize the pane (\). All the available keyboard shortcuts are shown by pressing ?.

Also see: Wireless Sniffer Kismet 2019-04-R1 Adds New Web UI, Support For Non-WiFi Captures

Download Termshark

The Termshark releases page has binaries for Linux (x64 and armv6), macOS and Windows. Or you can build it yourself if you prefer.

To install the Termshark binary on Linux, get it from GitHub, extract it, and from the folder where it's extracted you can install it to /usr/local/bin using:

sudo install termshark /usr/local/bin/

Install TShark, required by Termshark

To work, Termshark needs TShark to be installed. This is part of Wireshark, and on macOS you can install it using brew (brew install wireshark). On Linux the package name depends on the distribution you're using. For example it's tshark on Debian / Ubuntu, while the package that provides TShark on Fedora is called wireshark-cli.

So to install TShark on Debian, Ubuntu, Linux Mint, etc., use:

sudo apt install tshark

When prompted, answer Yes to the Should non-superusers be able to capture packets? question.

To install wireshark-cli on Fedora:

sudo dnf install wireshark-cli

On both Ubuntu and Fedora (and other Linux distributions) you'll also need to add your user to the wireshark group (created by the installation of TShark - if not, add this group using sudo groupadd wireshark) to be able to run TShark, and thus Termshark, without root:

sudo usermod -a -G wireshark $USER

After this, I had to reboot my Ubuntu 19.04 and Fedora 29 machines (usually you're supposed to logout/login but that wasn't enough in my case).
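As an added check (not part of Termshark, Wireshark or the steps above), the script below verifies the three things the install procedure sets up before you run Termshark unprivileged: that tshark is installed, that your user is a member of the wireshark group, and that dumpcap (the capture helper TShark actually invokes) carries the cap_net_raw and cap_net_admin file capabilities that answering Yes to the Debian question, or installing wireshark-cli on Fedora, grants. It assumes a Linux host with getent and getcap available and the getent/getcap output formats shown in the comments; the file name preflight.sh is made up. The group and capability checks are pure string functions so they can be exercised without a real installation; preflight runs them against the live host and prints the same fix commands the article gives. Keep in mind that every member of that group can capture all traffic the host sees, so membership is a privilege to hand out deliberately.

```shell
#!/usr/bin/env bash
# Added pre-flight check for running Termshark/TShark without root.
# Not part of Termshark or Wireshark. Assumes the Debian/Fedora layout described
# in the article: a "wireshark" group, and dumpcap carrying file capabilities.

# Is USER listed as a member in a getent(1)-style group line such as
#   "wireshark:x:1001:alice,bob"?  Pure string check, testable offline.
user_in_group_line() {
  local user="$1" line="$2"
  local members="${line##*:}"      # fourth field: comma-separated member list
  case ",${members}," in
    *",${user},"*) return 0 ;;
    *)             return 1 ;;
  esac
}

# Does getcap(8) output for dumpcap grant both capabilities packet capture
# needs?  Example line: "/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip"
dumpcap_caps_ok() {
  local caps="$1"
  case "$caps" in *cap_net_admin*) ;; *) return 1 ;; esac
  case "$caps" in *cap_net_raw*)   return 0 ;; *) return 1 ;; esac
}

# Run the checks against the current host; prints the fix for each failure
# (the same commands the article gives) and returns non-zero if any fails.
preflight() {
  local status=0 user="${USER:-$(id -un)}"

  if ! command -v tshark >/dev/null 2>&1; then
    echo "tshark missing: sudo apt install tshark  (Fedora: sudo dnf install wireshark-cli)"
    status=1
  fi

  local line
  line="$(getent group wireshark)"
  if [ -z "$line" ]; then
    echo "no wireshark group: sudo groupadd wireshark"
    status=1
  elif ! user_in_group_line "$user" "$line"; then
    echo "$user not in wireshark group: sudo usermod -a -G wireshark $user (then log out and back in)"
    status=1
  fi

  local dumpcap caps
  dumpcap="$(command -v dumpcap 2>/dev/null || echo /usr/bin/dumpcap)"
  caps="$(getcap "$dumpcap" 2>/dev/null)"
  if ! dumpcap_caps_ok "$caps"; then
    echo "$dumpcap lacks cap_net_raw/cap_net_admin: on Debian/Ubuntu run sudo dpkg-reconfigure wireshark-common and answer Yes"
    status=1
  fi

  return "$status"
}

# Run the live checks only when invoked as:  ./preflight.sh run
if [ "${1:-}" = "run" ]; then
  preflight
fi
```

If preflight reports a failure after you have already run usermod, remember that group changes only take effect in a new login session (or, as noted above, after a reboot); `id -nG` shows the groups your current session actually has.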

Quick Termshark usage

Now you're ready to use Termshark. Use it to inspect a local pcap using:

termshark -r myfile.pcap

Replace myfile.pcap with the name (and path) of the pcap file.

Launch Termshark and set it to read from an interface (enp4s0 in this example; change this to an interface available on your system):

termshark -i enp4s0

Or read from an interface and apply a tcp capture filter directly using:

termshark -i enp4s0 tcp

More about using Termshark is available in its user guide and FAQ.

via r/commandline