Question 1

How to use termshark for live network capture?

Accepted Answer

Use the -i flag with an interface name, e.g., 'termshark -i eth0'. It relies on tshark for live sniffing where permissions allow, enabling real-time packet inspection in the terminal.

Question 2

Can termshark filter packets like Wireshark?

Accepted Answer

Yes, it supports Wireshark's display filter syntax for both pcap files and live captures, allowing precise filtering using familiar expressions such as 'icmp' or custom protocols.

Question 3

Termsahark vs tshark: which one should I use?

Accepted Answer

Termshark adds an interactive TUI to tshark, so it's better for visual inspection and exploration in terminals. Use tshark directly for scriptable, command-line-only analysis or when termshark's UI isn't needed.

Question 4

How to install termshark on Ubuntu?

Accepted Answer

Pre-packaged for Ubuntu via the README's installation list; you can use apt if available, or download the single executable from GitHub releases and ensure tshark is installed separately.

Question 5

Does termshark support TCP stream reassembly?

Accepted Answer

Yes, it includes flow reassembly features for TCP and UDP streams, allowing you to inspect reconstructed conversations directly from the TUI, as listed in the key features.

Question 6

What are termshark's limitations with large pcap files?

Accepted Answer

Performance may degrade with very large captures due to terminal memory and refresh limits; it's best for moderate-sized files or remote analysis where transferring pcaps is impractical.

Question 7

Can I customize termshark's display columns?

Accepted Answer

Version 2.4 added profiles for colors and columns, as noted in the ChangeLog, allowing some customization via configuration files to tailor the packet list view.

termshark

What is termshark?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Open Source Alternative To

Frequently Asked Questions