'Wireshark For The Terminal' Termshark 2.0 Adds Stream Reassembly, Piped Input And Dark Mode

Termshark, a Wireshark-like terminal interface for TShark written in Go, was updated to version 2.0.0. This release includes support for dark mode, piped input, and stream reassembly, as well as performance optimizations that make the tool faster and more responsive.


Wireshark, the free and open source network protocol analyzer, already has a terminal version - TShark. But TShark doesn't have an interactive terminal user interface (TUI), and this is where Termshark comes in - it's an interactive terminal interface for TShark that tries to copy the Wireshark layout.

The latest Termshark 2.0 includes some important performance improvements. The application now uses less CPU, is less laggy under mouse input, and will use less than half as much RAM on larger pcaps.

There are also quite a few new features in Termshark 2.0.0:

  • Support for TCP and UDP stream reassembly. To access this feature, head to the Analysis menu and press f, or click the Reassemble stream menu item
  • Termshark now has a dark mode in which it uses a dark background. Enable it from the Misc menu. The default mode continues to use a white background.
  • Termshark can be configured to auto-scroll when reading live data (interface, fifo or stdin)
  • Pipe and fifo input support. E.g. to pipe the tshark input: tshark -i eth0 -w - | termshark
  • The Termshark UI can now run on a different tty, e.g. termshark -i eth0 --tty=/dev/pts/5
  • Like Wireshark, Termshark will now preserve the opened and closed structure of a packet as you move from one packet to the next. This lets the user see differences between packets more easily
  • Termshark now respects job control signals sent via the shell i.e. SIGTSTP and SIGCONT
  • The current packet capture source (file, interface, pipe, etc.) is displayed in the Termshark title bar
  • Termshark can be configured to eagerly load all pcap PDML data, rather than 1000 packets at a time
  • You can now simply hit enter in the display filter widget to make its value take effect

Also, with this release it's now possible to install Termshark on macOS using Homebrew. On Windows, Termshark no longer depends on the Cygwin tail command, and thus no longer requires a Cygwin installation.

For a bit more about Termshark, read: Analyze Network Traffic With Termshark, A Terminal UI For TShark (Wireshark)

Download and install Termshark

The Termshark releases page has binaries for Linux (x64 and armv6), macOS and Windows. Or you can build it yourself if you prefer. Termshark is also on Homebrew for macOS users.

To install the Termshark binary on Linux (any Linux distribution), get the binary from GitHub, extract it, and from the folder where it's extracted you can install it to /usr/local/bin using:

sudo install termshark /usr/local/bin

Arch Linux users will find Termshark in the Arch User Repository.

Termshark is also available in Debian sid/bullseye, Ubuntu 19.10 Eoan Ermine and newer, and Kali Linux. Right now only version 1.0.0 is available though, and you can install it using:

sudo apt install termshark

Install TShark, required by Termshark

To work, Termshark needs TShark to be installed. This is part of Wireshark, and on macOS you can install it using brew (brew install wireshark).

On Linux the package name depends on the distribution you're using. For example, it's tshark on Debian / Ubuntu / Kali, while the package that provides TShark on Fedora is called wireshark-cli.

So to install TShark on Debian, Ubuntu, Linux Mint, Kali Linux, etc., use:

sudo apt install tshark

When prompted, answer Yes to the Should non-superusers be able to capture packets? question.

To install wireshark-cli on Fedora:

sudo dnf install wireshark-cli

On both Ubuntu and Fedora (and other Linux distributions) you'll also need to add your user to the wireshark group to be able to run TShark, and thus Termshark, without root. The group is created by the installation of TShark; if it doesn't exist, add it using sudo groupadd wireshark. Then run:

sudo usermod -a -G wireshark $USER

After this, reboot your Ubuntu or Fedora machine (usually you're supposed to logout/login but that wasn't enough in my case).
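As an added example (not from the article or the Termshark project), here is a POSIX shell check that verifies the non-root capture setup described above. It assumes Debian/Fedora-style packaging, where capture is delegated to a dumpcap binary carrying file capabilities, and that getcap is installed; the group list and getcap strings it parses follow the formats id -nG and libcap's getcap print.

```shell
#!/bin/sh
# Added example: verify that this user can run TShark/Termshark without root.
# Assumes dumpcap is the capture helper and carries cap_net_raw,cap_net_admin.

# Succeeds if group $1 appears in the space-separated group list $2
# (the format printed by `id -nG`); exact match, so "wiresharkx" won't pass.
in_group_list() {
  for g in $2; do
    [ "$g" = "$1" ] && return 0
  done
  return 1
}

# Succeeds if getcap output $1 grants both cap_net_admin and cap_net_raw.
# Handles both "/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip" (older
# libcap) and "/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip" (newer libcap).
has_capture_caps() {
  case "$1" in
    *cap_net_admin*)
      case "$1" in *cap_net_raw*) return 0 ;; esac ;;
  esac
  return 1
}

# Runs the live checks, prints what is missing, returns non-zero on any gap.
check_capture_setup() {
  rc=0
  command -v tshark >/dev/null 2>&1 || { echo "tshark not on PATH"; rc=1; }
  command -v termshark >/dev/null 2>&1 || { echo "termshark not on PATH"; rc=1; }
  getent group wireshark >/dev/null 2>&1 \
    || { echo "no wireshark group (sudo groupadd wireshark)"; rc=1; }
  in_group_list wireshark "$(id -nG)" \
    || { echo "current user not in wireshark group (re-login or reboot after usermod)"; rc=1; }
  dumpcap_bin=$(command -v dumpcap 2>/dev/null || echo /usr/bin/dumpcap)
  caps=$(getcap "$dumpcap_bin" 2>/dev/null)
  has_capture_caps "$caps" \
    || { echo "dumpcap lacks cap_net_raw,cap_net_admin (sudo dpkg-reconfigure wireshark-common)"; rc=1; }
  [ "$rc" -eq 0 ] && echo "ok: non-root capture should work"
  return $rc
}

# Run the checks only when invoked as `sh check.sh run`.
if [ "${1:-}" = "run" ]; then
  check_capture_setup
fi
```

A non-zero exit with "not in wireshark group" right after usermod is the symptom the article describes: the new group membership only applies to sessions started after you log in again.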