Termshark – A terminal UI for tshark, inspired by Wireshark
187 points | 2 years ago | 9 comments | termshark.io | HN

Linux-Fan (2 years ago)
Termshark can be a life saver if you need to analyze large packet captures. The GUI of Wireshark was almost unusable with some large (30 GiB or something?) capture on my development laptop and some filters. Termshark did not process that data quickly but at least allowed me to get the job done.

ape4 (2 years ago)
Of course, sending traffic to the terminal is network traffic so you need to exclude it when you're monitoring.

Uehreka (2 years ago)
(Edit: nvm, I read TFA)

jaimehrubiks (2 years ago)
Many times I Google something like "Wireshark from remote ssh" and I manage to stream the remote tshark stream to my local Wireshark UI. However, this is a very interesting and welcome project, and I guess it will make it simpler in many use cases.

jamesfmilne (2 years ago)
Wireshark supports this natively.

Look at the `SSH remote capture: sshdump`. https://www.wireshark.org/docs/man-pages/sshdump.html

Wireshark can SSH into the remote machine, perform the capture, then show the packets in your local instance of Wireshark.

It's a bit of a nuisance to set up of course, tshark has a bit less friction here, and TUIs are always cool.

imglorp (2 years ago)
The other way to do it is ssh to remote box, `tcpdump -w foo.pcap` there, then bring it back by scp and you can open it for analysis in full wireshark.

gorgonq (2 years ago)
You can even let tcpdump write packets to stdout, then pipe directly to your local wireshark and get a live view:

    ssh your-host tcpdump -w - -U 'not port 22' | wireshark -i - -k
makes sense to exclude port 22 from the dump =)
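A worked version of the pipeline in this comment, added here as an example rather than code from the thread or from termshark: instead of `not port 22`, which also hides every other SSH connection on the box and breaks when sshd listens elsewhere, it excludes only the one SSH session that carries the capture back, and it tees the stream to a file so the pcap is kept for later (imglorp's scp approach) while Wireshark shows it live. The host name, addresses, ports and the `capture.sh` file name are placeholders, and it assumes the remote account is allowed to run tcpdump.

```shell
#!/bin/sh
# Added example (not code from the thread): build the ssh | tcpdump | wireshark
# pipeline with a filter that excludes only the SSH session carrying the
# capture, so other SSH traffic to the box stays visible. Host names, IPs and
# ports used here are placeholders.

# capture_filter CLIENT_IP [SSH_PORT]
# BPF filter that drops just the packets of our own capture session.
# 'not port 22' from the thread also hides every other SSH connection and
# stops working when sshd listens on a non-default port.
capture_filter() {
    client_ip=$1
    ssh_port=${2:-22}
    printf 'not (host %s and tcp port %s)' "$client_ip" "$ssh_port"
}

# remote_capture_cmd HOST IFACE CLIENT_IP [SSH_PORT]
# Remote side of the pipeline: tcpdump on IFACE, raw pcap to stdout (-w -),
# flushed per packet (-U) so the local viewer updates live, no name
# resolution (-n). The filter is single-quoted because the remote shell must
# not interpret the parentheses.
remote_capture_cmd() {
    host=$1
    iface=$2
    client_ip=$3
    ssh_port=${4:-22}
    filter=$(capture_filter "$client_ip" "$ssh_port")
    printf "ssh -p %s %s tcpdump -n -i %s -U -w - '%s'" \
        "$ssh_port" "$host" "$iface" "$filter"
}

# run_remote_capture HOST IFACE CLIENT_IP [SSH_PORT] [OUTFILE]
# Runs the pipeline; tee keeps a copy on disk so the session can be reopened
# later while wireshark reads it live from stdin (-i -) and starts at once (-k).
run_remote_capture() {
    out=${5:-remote-capture.pcap}
    eval "$(remote_capture_cmd "$1" "$2" "$3" "${4:-22}")" \
        | tee "$out" | wireshark -i - -k
}

# Usage (placeholder values):
#   sh capture.sh run capture-host eth0 203.0.113.5 22 session.pcap
case "${1:-}" in
    run) shift; run_remote_capture "$@" ;;
esac
```

CLIENT_IP is the address the remote host sees you coming from (the `SSH_CLIENT` variable on the remote side shows it), which is what makes the filter specific to this session rather than to the whole port.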

silentprog (2 years ago)
This works, but you won't get the interface name in wireshark. If you also require the captured interface you can substitute tcpdump with tshark.

ElijahLynn (2 years ago)
I've used this method with success! +1

emmelaich (2 years ago)
tshark includes the functionality of tcpdump and more.

toast0 (2 years ago)
If you're ok installing stuff on the remote side, which you'd need to be to run this anyway, I'd expect wireshark to work well with X forwarding.

This looks nicer, but X forwarding is a generic solution to displaying GUIs locally while running them remotely.


Galanwe (2 years ago)
> If you're ok installing stuff on the remote side, which you'd need to be to run this anyway

It is most likely easier to build / install this on a remote server than to have X11 forwarding.

- X11 fwd is often disabled in sshd config, as it introduces a number of backchannels for a compromised server to leak to the client.

- If you're working on a remote _server_, it is very unlikely that an X client will be available there. Building an X client & its dependencies as non-root is a thousand times worse than building such a small TUI. Been there, done that.

- Remote X11 is horribly slow, you'll most likely want some more modern variant (x2go & co), which will be a nightmare to build, or tunnel.

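For the first point above, a small check added here as an example (not code from the thread or from OpenSSH): it reads sshd_config text on stdin and reports the global X11Forwarding value the way sshd resolves it, where the first occurrence of a keyword wins and anything after a `Match` line is conditional. The two config snippets in it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report the global X11Forwarding
# setting from sshd_config text on stdin, following sshd's own resolution
# rules. The config snippets at the bottom are constructed.

# x11_forwarding_state < sshd_config
# Prints "yes" or "no". Two sshd rules matter here:
#   * the FIRST occurrence of a keyword wins; later duplicates are ignored,
#   * everything after a "Match" line is conditional, so it does not change
#     the global value; the compiled-in default (no) applies if nothing
#     sets the keyword before Match.
x11_forwarding_state() {
    awk '
        { sub(/[[:space:]]*=[[:space:]]*/, " ") }     # accept keyword=value too
        /^[[:space:]]*(#|$)/           { next }       # comments and blank lines
        tolower($1) == "match"         { exit }       # conditional section begins
        tolower($1) == "x11forwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    '
}

# Constructed examples of a weak and a hardened configuration.
WEAK_CONFIG='Port 22
X11Forwarding yes
# a later line does not override the first one:
X11Forwarding no'

HARDENED_CONFIG='Port 22
X11Forwarding no
Match User deploy
    X11Forwarding yes'

weak_state()     { printf '%s\n' "$WEAK_CONFIG"     | x11_forwarding_state; }
hardened_state() { printf '%s\n' "$HARDENED_CONFIG" | x11_forwarding_state; }

# On a live host, check the effective configuration (needs root) instead of
# the file, which also folds in any Include'd fragments:
#   sshd -T | x11_forwarding_state
```

The `sshd -T` form is the one to trust on a real server, since it prints the values sshd actually uses after all includes and defaults are applied.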

theamk (2 years ago)
Installing wireshark on non-gui machines brings tons of junk. Just tried this on Ubuntu's minimal container with tshark installed -- and by default, wireshark brings in 206 extra packages, including python3 and systemd. It's a bit better with --no-install-recommends, but still 105 extra packages.

termshark, being written in go, has zero (0) extra packages other than tshark.


bdd8f1df777b (2 years ago)
My remote machine, a cheap VPS VM, is too weak to support GUI. The network between my machine and VM is also too slow for that.

sonicanatidae (2 years ago)
Nice tool. I don't use WireShark every day, but this will be handy for the times I'm breaking it out.

Thanks!


JoshTriplett (2 years ago)
This looks impressive! The UI looks nice to use, and I'd probably use this instead of wireshark the next time I'm doing network analysis.

Another "why": you want to do live capture and analysis, but don't want to run a GUI program as root for a variety of reasons.


fragmede (2 years ago)
Here is a list of some of them: https://www.wireshark.org/security/

equanos (2 years ago)
The one thing I never looked for but want to install asap! 10 extra points for using Go.

threatofrain (2 years ago)
I don't mean to ask a crass question, but is the project potentially abandoned? It certainly still gets issues but hasn't received updates for a long time.

spacecadet (2 years ago)
As a regular tshark/pyshark user, where much of the output is CLI, I enjoy this.

letwhile (2 years ago)
This project has existed for more than 4 years. No need to bump without any news or comment.