Termshark – A terminal UI for tshark, inspired by Wireshark
187 points | 1 year ago | 9 comments | termshark.io | HN
Linux-Fan
1 year ago
Termshark can be a life saver if you need to analyze large packet captures. The GUI of Wireshark was almost unusable with some large (30 GiB or something?) capture on my development laptop and some filters. Termshark did not process that data quickly but at least allowed me to get the job done.
ape4
1 year ago
Of course, sending traffic to the terminal is network traffic so you need to exclude it when you're monitoring.
Uehreka
1 year ago
(Edit: nvm, I read TFA)
jaimehrubiks
1 year ago
Many times I Google something like "Wireshark from remote ssh" and I manage to stream the remote tshark stream to my local Wireshark UI. However, this is a very interesting and welcome project, and I guess it will make it simpler in many use cases.
jamesfmilne
1 year ago
Wireshark supports this natively.

Look at the `SSH remote capture: sshdump`. https://www.wireshark.org/docs/man-pages/sshdump.html

Wireshark can SSH into the remote machine, perform the capture, then show the packets in your local instance of Wireshark.

It's a bit of a nuisance to set up, of course; tshark has a bit less friction here, and TUIs are always cool.

imglorp
1 year ago
The other way to do it is ssh to remote box, `tcpdump -w foo.pcap` there, then bring it back by scp and you can open it for analysis in full wireshark.
gorgonq
1 year ago
You can even let tcpdump write packets to stdout, then pipe directly to your local wireshark and get a live view:

    ssh your-host tcpdump -w - -U 'not port 22' | wireshark -i - -k
makes sense to exclude port 22 from the dump =)
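As an added example (not code from any commenter in this thread), here is a small POSIX shell script that builds on the one-liner above. Instead of dropping all of port 22, which also hides every other SSH session on the remote host from the capture, it excludes only the SSH session that carries the capture itself, by reading the remote login's own `SSH_CLIENT` variable ("client_ip client_port server_port") on the remote side. The host name, interface and extra filter are placeholders.

```shell
#!/bin/sh
# Added example, not code from any commenter: stream a remote tcpdump capture
# into a local Wireshark while excluding only the SSH session that carries
# the capture, instead of all of port 22, so other SSH traffic stays visible.

# remote_capture_filter "SSH_CLIENT value" [extra BPF]
# On the remote host, $SSH_CLIENT is "client_ip client_port server_port".
# Returns a BPF filter that drops exactly that TCP session, ANDed with any
# extra capture filter the caller wants to apply. Run this on the remote
# host itself if you start tcpdump there by hand.
remote_capture_filter() {
    extra=$2
    set -- $1                      # split "ip cport sport" into $1 $2 $3
    if [ $# -ne 3 ]; then
        echo "remote_capture_filter: unexpected SSH_CLIENT value" >&2
        return 1
    fi
    filter="not (host $1 and port $2 and port $3)"
    if [ -n "$extra" ]; then
        filter="$filter and ($extra)"
    fi
    printf '%s\n' "$filter"
}

# remote_capture_cmd iface [extra BPF]
# Builds the command line that ssh will run on the remote host. The dollar
# signs are kept literal here so the REMOTE shell expands $SSH_CLIENT and the
# positional parameters; -U flushes each packet so the local view is live.
# The filter text mirrors remote_capture_filter above.
remote_capture_cmd() {
    iface=$1
    extra=$2
    filter='not (host $1 and port $2 and port $3)'
    if [ -n "$extra" ]; then
        filter="$filter and ($extra)"
    fi
    printf 'set -- $SSH_CLIENT; exec tcpdump -i %s -U -w - "%s"' "$iface" "$filter"
}

# run_live host iface [extra BPF]: wire the two halves together.
# Hypothetical host name; tcpdump on the remote side needs capture rights
# (root or CAP_NET_RAW), while Wireshark on the local side only reads a pipe
# and needs no privileges at all.
run_live() {
    ssh "$1" "$(remote_capture_cmd "$2" "$3")" | wireshark -k -i -
}

# Usage: sh capture.sh your-host eth0 'udp port 53'
if [ $# -ge 2 ]; then
    run_live "$@"
fi
```

If the interface name should show up in Wireshark, swap the remote `tcpdump` for `tshark`; note that tshark takes the capture filter via `-f "<filter>"` rather than as a trailing argument, and `-l` flushes its output the way `-U` does for tcpdump.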
silentprog
1 year ago
This works, but you won't get the interface name in wireshark. If you also require the captured interface, you can substitute tcpdump with tshark.
ElijahLynn
1 year ago
I've used this method with success! +1
emmelaich
1 year ago
tshark includes the functionality of tcpdump and more
toast0
1 year ago
If you're ok installing stuff on the remote side, which you'd need to be to run this anyway, I'd expect wireshark to work well with X forwarding.

This looks nicer, but X forwarding is a generic solution to displaying GUIs locally while running them remotely.

Galanwe
1 year ago
> If you're ok installing stuff on the remote side, which you'd need to be to run this anyway

It is more likely easier to build / install this on a remote server than to have X11 forwarding.

- X11 fwd is often disabled in sshd config, as it introduces a number of backchannels for a compromised server to leak to the client.

- If you're working on a remote _server_, it is very unlikely that an X client will be available there. Building an X client & its dependencies as non-root is a thousand times worse than building such a small TUI. Been there, done that.

- Remote X11 is horribly slow, you'll most likely want some more modern variant (x2go & co), which will be a nightmare to build, or tunnel.

theamk
1 year ago
Installing wireshark on non-gui machines brings tons of junk. I just tried this on Ubuntu's minimal container with tshark installed -- and by default, wireshark brings in 206 extra packages, including python3 and systemd. It's a bit better with --no-install-recommends, but still 105 extra packages.

termshark, being written in go, has zero (0) extra packages other than tshark.

bdd8f1df777b
1 year ago
My remote machine, a cheap VPS VM, is too weak to support GUI. The network between my machine and VM is also too slow for that.
sonicanatidae
1 year ago
Nice tool. I don't use WireShark every day, but this will be handy for the times I'm breaking it out.

Thanks!

JoshTriplett
1 year ago
This looks impressive! The UI looks nice to use, and I'd probably use this instead of wireshark the next time I'm doing network analysis.

Another "why": you want to do live capture and analysis, but don't want to run a GUI program as root for a variety of reasons.

fragmede
1 year ago
Here is a list of some of them: https://www.wireshark.org/security/
equanos
1 year ago
The one thing I never looked for but want to install asap! 10 extra points for using Go.
threatofrain
1 year ago
I don't mean to ask a crass question, but is the project potentially abandoned? It certainly still gets issues but hasn't received updates for a long time.
spacecadet
1 year ago
As a regular tshark/pyshark user, where much of the output is CLI, I enjoy this.
letwhile
1 year ago
This project has existed for more than 4 years. No need to bump it without any news or comment.