'Wireshark For The Terminal' Termshark 2.0 Adds Stream Reassembly, Piped Input And Dark Mode
Termshark, a Wireshark-like terminal interface for TShark written in Go, was updated to version 2.0.0. This release includes support for dark mode, piped input, and stream reassembly, as well as performance optimizations that make the tool faster and more responsive.
Wireshark, the free and open source network protocol analyzer, already has a terminal version - TShark. But TShark doesn't have an interactive terminal user interface (TUI), and this is where Termshark comes in - it's an interactive terminal interface for TShark that tries to copy the Wireshark layout.
The latest Termshark 2.0 includes some important performance improvements. The application now uses less CPU, is less laggy under mouse input, and will use less than half as much RAM on larger pcaps.
There are also quite a few new features in the latest Termshark 2.0.0 too:
- Support for TCP and UDP stream reassembly. To access this feature head to the Analysis menu and press f, or click the Reassemble stream menu item
- Termshark now has a dark mode in which it uses a dark background. Enable it from the Misc menu. The default mode continues to use a white background.
- Termshark can be configured to auto-scroll when reading live data (interface, fifo or stdin)
- Pipe and fifo input support. E.g. to pipe tshark's output into Termshark:
tshark -i eth0 -w - | termshark
- The Termshark UI can now run on a different tty, e.g.
termshark -i eth0 --tty=/dev/pts/5
- Like Wireshark, Termshark will now preserve the opened and closed structure of a packet as you move from one packet to the next. This lets the user see differences between packets more easily
- Termshark now respects job control signals sent via the shell i.e. SIGTSTP and SIGCONT
- The current packet capture source (file, interface, pipe, etc) is displayed in the Termshark title bar
- Termshark can be configured to eagerly load all pcap PDML data, rather than 1000 packets at a time
- You can now simply hit enter in the display filter widget to make its value take effect
Also, with this release it's now possible to install Termshark on macOS using Homebrew. On Windows, Termshark no longer depends on the Cygwin tail command, and thus on a Cygwin installation.
For a bit more about Termshark, read: Analyze Network Traffic With Termshark, A Terminal UI For TShark (Wireshark)
Download and install Termshark
The Termshark releases page has binaries for Linux (x64 and armv6), macOS and Windows. Or you can build it yourself if you prefer. Termshark is also on Homebrew for macOS users.
To install the Termshark binary on Linux (any Linux distribution), get the binary from GitHub, extract it, and from the folder where it's extracted you can install it to /usr/local/bin using:
sudo install termshark /usr/local/bin
Arch Linux users will find Termshark in the Arch User Repository.
Termshark is also available in Debian sid/bullseye, Ubuntu 19.10 Eoan Ermine and newer, and Kali Linux. Right now only version 1.0.0 is available though, and you can install it using:
sudo apt install termshark
Install TShark, required by Termshark
To work, Termshark needs TShark to be installed. This is part of Wireshark, and on macOS you can install it using brew (brew install wireshark). On Linux the package name depends on the distribution you're using. For example it's tshark on Debian / Ubuntu / Kali, while the package that provides TShark on Fedora is called wireshark-cli. So to install TShark on Debian, Ubuntu, Linux Mint, Kali Linux, etc., use:
sudo apt install tshark
When prompted, answer Yes to the "Should non-superusers be able to capture packets?" question.
To install wireshark-cli on Fedora:
sudo dnf install wireshark-cli
On both Ubuntu and Fedora (and other Linux distributions) you'll also need to add your user to the wireshark group (created by the installation of TShark - if not, add this group using sudo groupadd wireshark) to be able to run TShark, and thus Termshark, without root:
sudo usermod -a -G wireshark $USER
After this, reboot your Ubuntu or Fedora machine (usually you're supposed to logout/login but that wasn't enough in my case).
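The two things that most often go wrong when following the steps above are a missing tshark binary and a user who was added to the wireshark group but has not yet started a new login session. The following POSIX sh script is an added example, not code from the Termshark project or the article: it checks both prerequisites before Termshark is started as a non-root user, and it composes the piped-input command from the release notes (tshark -i IFACE -w - | termshark), optionally with a capture filter. The function names, the --check flag and the IFACE variable are my own choices.

```shell
#!/bin/sh
# Added example (not Termshark project code): a preflight check before running
# Termshark as a non-root user, plus a helper that composes the piped-input
# command shown in the release notes. Function names are my own choice.

# in_group NAME GROUP... : succeed if NAME is one of the GROUP arguments.
# The live caller passes the words printed by `id -nG`.
in_group() {
    needle=$1
    shift
    for g in "$@"; do
        [ "$g" = "$needle" ] && return 0
    done
    return 1
}

# missing_prereqs TSHARK_PATH GROUP... : print one line per missing prerequisite
# and return the number of problems (0 means ready). TSHARK_PATH is empty when
# tshark is not installed. Inputs are explicit arguments so the logic can be
# exercised without a real system.
missing_prereqs() {
    tshark_path=$1
    shift
    problems=0
    if [ -z "$tshark_path" ]; then
        echo "tshark not found: install the tshark (Debian/Ubuntu/Kali) or wireshark-cli (Fedora) package"
        problems=$((problems + 1))
    fi
    # On these distributions the wireshark group is what lets a non-root user
    # capture packets; membership only takes effect in a new login session.
    if ! in_group wireshark "$@"; then
        echo "user is not in the wireshark group: sudo usermod -a -G wireshark \$USER, then log out/in (or reboot)"
        problems=$((problems + 1))
    fi
    return $problems
}

# capture_pipeline IFACE [CAPTURE_FILTER] : print the command that streams a live
# capture from tshark into Termshark over stdin. An optional capture filter
# (tshark -f, BPF syntax) keeps only the traffic of interest in the pipe.
capture_pipeline() {
    iface=$1
    filter=${2-}
    if [ -n "$filter" ]; then
        printf "tshark -i %s -f '%s' -w - | termshark\n" "$iface" "$filter"
    else
        printf "tshark -i %s -w - | termshark\n" "$iface"
    fi
}

# Live check of this machine, run only with --check so that the functions above
# can also be sourced from another script.
if [ "${1-}" = "--check" ]; then
    tshark_path=$(command -v tshark || true)
    # shellcheck disable=SC2046  # id -nG prints space-separated group names
    set -- $(id -nG)
    if missing_prereqs "$tshark_path" "$@"; then
        echo "ready; example: $(capture_pipeline "${IFACE:-eth0}" 'port 53')"
    else
        echo "fix the problems above before starting Termshark" >&2
        exit 1
    fi
fi
```

Run it as sh preflight.sh --check (optionally with IFACE=wlan0 in the environment); a non-zero exit with the reasons printed means Termshark would either fail to find tshark or fail to open the interface, which is exactly the situation the reboot/logout step above resolves. The check functions take their inputs as arguments rather than reading the system directly, so they can be reused in a setup script and verified on a machine that has no capture privileges at all.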