LinuxCommandLibrary

termshark

Terminal-based Wireshark interface

TLDR

Monitor default interface
$ sudo termshark
Monitor specific interface
$ sudo termshark -i [eth0]
Read a pcap file
$ termshark -r [path/to/capture.pcap]
Apply a display filter
$ sudo termshark -i [eth0] -Y "[http.request]"
Apply a capture filter
$ sudo termshark -i [eth0] -f "[port 80]"

SYNOPSIS

termshark [OPTIONS] [INTERFACE|FILE]

DESCRIPTION

termshark is a terminal-based user interface for tshark that provides a Wireshark-like experience in the terminal. It offers packet list, packet details, and packet bytes views with interactive navigation. The interface supports keyboard navigation, display filtering, and stream reassembly similar to the graphical Wireshark.

PARAMETERS

-i INTERFACE
Capture on specified interface
-r FILE
Read from pcap file
-Y FILTER
Apply display filter
-f FILTER
Apply capture filter
-d layer==selector,protocol
Specify dissection of layer type
--pass-thru [auto|yes|no]
Run tshark instead of UI (auto means if stdout is not a tty)
--debug
Enable debug mode with profiling server on port 6060

KEYBOARD SHORTCUTS

Tab - Switch between views
/ - Filter packets
Enter - Expand/collapse details
q - Quit

CAVEATS

Requires tshark (Wireshark CLI) to be installed. Root privileges needed for live capture. Large capture files may be slow to load.

HISTORY

termshark was created by Graham Clark to bring Wireshark's interface paradigm to the terminal, enabling packet analysis over SSH or in environments without a GUI.

SEE ALSO

tshark(1), wireshark(1), tcpdump(8)
