How to use termshark for live network capture?

Use the -i flag with an interface name, e.g., 'termshark -i eth0'. It relies on tshark for live sniffing where permissions allow, enabling real-time packet inspection in the terminal.

Can termshark filter packets like Wireshark?

Yes, it supports Wireshark's display filter syntax for both pcap files and live captures, allowing precise filtering using familiar expressions such as 'icmp' or custom protocols.

Termsahark vs tshark: which one should I use?

Termshark adds an interactive TUI to tshark, so it's better for visual inspection and exploration in terminals. Use tshark directly for scriptable, command-line-only analysis or when termshark's UI isn't needed.

How to install termshark on Ubuntu?

Pre-packaged for Ubuntu via the README's installation list; you can use apt if available, or download the single executable from GitHub releases and ensure tshark is installed separately.

Does termshark support TCP stream reassembly?

Yes, it includes flow reassembly features for TCP and UDP streams, allowing you to inspect reconstructed conversations directly from the TUI, as listed in the key features.

What are termshark's limitations with large pcap files?

Performance may degrade with very large captures due to terminal memory and refresh limits; it's best for moderate-sized files or remote analysis where transferring pcaps is impractical.

Can I customize termshark's display columns?

Version 2.4 added profiles for colors and columns, as noted in the ChangeLog, allowing some customization via configuration files to tailor the packet list view.

Open-Awesome

termshark

MITGov2.4.0

A terminal UI for tshark, providing Wireshark-like packet analysis directly in the terminal.

GitHub

9.9k stars435 forks0 contributors

What is termshark?

Termshark is a terminal user interface (TUI) for tshark, the command-line packet analyzer. It provides an interactive, Wireshark-inspired interface within the terminal for inspecting packet capture (pcap) files and live network traffic. It solves the problem of analyzing network packets on remote servers or headless environments where a full graphical Wireshark installation is not feasible.

Target Audience

Network engineers, system administrators, security analysts, and developers who need to perform packet analysis in terminal-only or remote environments, or who prefer command-line workflows.

Value Proposition

Developers choose Termshark because it delivers the core analytical power of Wireshark/tshark in a lightweight, terminal-native interface. Its single-binary portability and ability to handle large pcaps remotely offer a significant advantage over transferring files for desktop GUI analysis.

Overview

A terminal UI for tshark, inspired by Wireshark

Use Cases

Best For

Analyzing packet captures on remote servers over SSH
Debugging network issues in headless or minimal Linux environments
Performing quick packet inspection without a desktop GUI
Learning network protocols using a terminal-based tool
Integrating packet analysis into command-line scripting workflows
Security monitoring and incident response on terminal-accessible systems

Not Ideal For

Projects requiring Wireshark's full graphical analysis tools like IO graphs or geolocation maps
High-speed network monitoring where real-time GUI responsiveness is critical
Teams needing advanced collaborative features or integrated reporting found in desktop Wireshark
Environments where tshark cannot be installed due to administrative restrictions

Pros & Cons

Pros

Portable Single Binary

Compiled in Go to a single executable for multiple platforms including Linux, macOS, Windows, and Android, as highlighted in the README, making it easy to deploy without complex dependencies.

Wireshark Filter Compatibility

Supports Wireshark's powerful display filter syntax for packet filtering, allowing users to leverage familiar, industry-standard queries directly in the terminal.

Terminal-Centric Workflow

Enables copying packet ranges to clipboard and operating entirely within the terminal, ideal for remote SSH sessions or headless environments where GUI access is impractical.

Live and File Analysis

Can inspect pcap files or sniff live network interfaces using tshark, providing flexibility for both historical and real-time packet debugging, as demonstrated in the quick start examples.

Cons

Dependent on tshark

Requires tshark to be installed and in PATH, adding an external dependency that may not be available in all environments, and limiting standalone use.

Limited Feature Exposure

The README explicitly states that 'tshark has many more features that termshark doesn't expose yet,' meaning advanced protocol analysis tools are missing compared to full Wireshark.

Terminal UI Performance

Terminal interfaces may struggle with very large packet captures or high-speed live traffic due to refresh rate constraints, unlike optimized GUI applications.

Open Source Alternative To

termshark is an open-source alternative to the following products:

Wireshark

Wireshark is a network protocol analyzer that captures and displays network traffic in real-time for troubleshooting, analysis, and education.

Frequently Asked Questions

Related Projects

iperf

iperf3: A TCP, UDP, and SCTP network bandwidth measurement tool

Stars8,527

Forks1,420

Last commit3 days ago

openwifi

open-source IEEE 802.11 WiFi baseband FPGA (chip) design: driver, software

Stars4,652

Forks786

Last commit18 days ago

nethogs

Linux 'net top' tool

Stars3,633

Forks297

Last commit3 months ago

pyshark

Python wrapper for tshark, allowing python packet parsing using wireshark dissectors

Stars2,483

Forks451

Last commit2 months ago

Community-curated · Updated weekly · 100% open source

Found a gem we're missing?

Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.

Submit a project Star on GitHub