LinuxCommandLibrary

termshark

Analyze network traffic in terminal

TLDR

Monitor the default network interface

$ sudo termshark

Specify the interface to monitor
$ sudo termshark -i [interface]

SYNOPSIS

termshark [ options ] [ <capture filter> ]

PARAMETERS

-r <file>
    Read packets from the specified capture file (e.g., a PCAP file). This is commonly used for offline analysis.

-i <interface>
    Start a live packet capture on the specified network interface (e.g., eth0, wlan0). This requires appropriate permissions.

-D
    List all available network interfaces that can be used for live capture and then exit. Useful for identifying interface names.

-f <capture filter>
    Apply a BPF-style capture filter to limit which packets are captured by the kernel. This filter is applied before packets are written to disk or processed by tshark (e.g., 'tcp port 80').

-Y <display filter>
    Apply an initial Wireshark-style display filter to the captured or loaded packets. This filter is applied after capture and dissection (e.g., 'http.request', 'ip.addr == 192.168.1.1').

-p
    Do not put the network interface into promiscuous mode during live capture. Only packets addressed to the host will be seen, potentially missing broadcast or other network traffic.

-s <snaplen>
    Set the snapshot length for packet capture to snaplen bytes. Only the first snaplen bytes of each packet are captured, which can reduce file size for large captures but might truncate packet data.

-l
    Start directly in live capture mode. This option is particularly useful for continuous real-time traffic monitoring, especially when operating over SSH where interactive control might be delayed.

--config <dir>
    Specify an alternative configuration directory for termshark settings and history. By default, it uses a standard XDG configuration path.

--color-scheme <scheme>
    Set the UI color scheme (e.g., 'dark', 'light'). This allows users to customize the visual appearance to their preference or terminal background.

DESCRIPTION

termshark is a powerful, open-source terminal user interface (TUI) for tshark, the command-line packet analyzer that comes with Wireshark.

It provides a rich, interactive experience for network traffic analysis directly within your terminal, making it ideal for SSH sessions, remote servers, or environments where a graphical desktop is not available or desired. termshark can capture live network traffic or open existing PCAP files, presenting the data in a familiar three-pane layout similar to Wireshark: packet list, packet details, and packet bytes.

It supports display filters, search functionalities, and various navigation options, allowing users to efficiently inspect network protocols, troubleshoot connectivity issues, and analyze security incidents without leaving the command line. By leveraging the robust dissection capabilities of tshark, termshark offers deep protocol inspection in a lightweight, accessible format.

CAVEATS

While powerful, termshark operates within the limitations of a terminal interface. It lacks the rich graphical features of Wireshark, such as complex statistics graphs or visual flow analysis. Mouse support may be limited depending on the terminal emulator. It requires tshark to be installed and accessible in the system's PATH. For very high-throughput networks, the performance can be constrained by terminal rendering speed and tshark's processing capabilities, potentially leading to dropped packets if not properly configured.

DEPENDENCIES

termshark is fundamentally dependent on tshark, which must be installed and accessible in your system's PATH. tshark is part of the Wireshark suite. Without tshark, termshark cannot function as it relies on tshark for all packet capture and dissection capabilities.

KEY BINDINGS

The user interface of termshark largely mimics the key bindings and navigation paradigm of graphical Wireshark, making it intuitive for users already familiar with Wireshark. Common actions like navigating lists, applying filters, and inspecting packet details are performed using similar keyboard shortcuts.

HISTORY

termshark was developed by Mark Ellzey to address the need for a full-featured network protocol analyzer that could run directly in a terminal. It emerged as a solution for scenarios where a graphical environment was unavailable, such as on remote servers accessed via SSH, or for users who preferred a command-line-centric workflow. The project began around 2018, leveraging the robust packet dissection engine of tshark to provide a Wireshark-like interactive experience without the graphical overhead, quickly gaining popularity among network administrators and security professionals.

SEE ALSO

wireshark(1), tshark(1), tcpdump(1), dumpcap(1)
