Interactive Wireshark-Based Terminal UI Termshark 2.1 Released With Conversations View, More

Termshark, an interactive Wireshark-like terminal interface for TShark written in Go, was updated to version 2.1 (2.1.0 followed quickly by 2.1.1 to solve an issue) with new features like a conversation view for the most common conversation types, support for multiple live captures / interfaces on the command line, support for extcap interfaces by default, and more.

Wireshark is a popular free and open source network protocol analyzer for Linux, macOS, BSD, Solaris and other Unix-like operating systems, and Microsoft Windows. Wireshark has a GUI, and for those wanting to use it from the command line there's TShark, a terminal oriented version of Wireshark for capturing and displaying packets. TShark doesn't have an interactive user interface though.

This is where Termshark comes in. Termshark is an interactive terminal user interface (TUI) for TShark, inspired by the Wireshark user interface. Its features include:

  • Read pcap files or sniff live interfaces (where tshark is permitted)
  • Filter pcaps or live captures using Wireshark's display filters
  • Reassemble and inspect TCP and UDP flows
  • View network conversations by protocol
  • Copy ranges of packets to the clipboard from the terminal
  • Works with both light and dark terminals (See the Toggle Dark Mode item in the app Misc menu)
  • Cross-platform (written in Go), available for Linux, macOS, FreeBSD, Android (Termux) and Windows

Termshark 2.1.1 conversations view

What's new in Termshark 2.1 (2.1.1):

  • Added a new conversation view for the most common conversation types (Ethernet, IPv4, IPv6, TCP and UDP). This can be accessed from the Analysis menu > Conversations
  • Support for multiple live captures / interfaces on the command line. Previously you could only run Termshark on one interface, e.g. termshark -i eth0, but with this release you can specify multiple interfaces, e.g. termshark -i eth0 -i eth1 -i eth2
  • Termshark's packet hex view displays a scrollbar if the data doesn't fit in the space available
  • Termshark can show a capture file's properties using the capinfos binary (bundled with tshark)
  • Termshark now supports extcap interfaces by default. The extcap interface is a plugin interface that allows external binaries to act as capture interfaces directly in Wireshark. It is used in scenarios where the source of the capture is not a traditional capture model (live capture from an interface, from a pipe, from a file, etc.)
  • Now the user can copy the capture file information to the clipboard. Open capture file properties, then hit c for copy-mode, then hit ctrl-c to copy.
  • Use the latest gowid (widgets for terminal user interfaces, written in Go) for maximizable dialogs. This is bound to the z key when a modal dialog is open
  • Other small enhancements and bug fixes

Also, in case you missed it, the previous Termshark release (2.0.3) introduced support for colorized packets in list view by default, using the Wireshark colorfilter rules, as well as support for TShark's -t option to specify the timestamp format in the packet list view.

Download Termshark

By following the download link from the button above you'll reach the Termshark GitHub releases tab from where you can download the source code or binaries for Linux (armv6 and x64), FreeBSD, macOS and Microsoft Windows.

Extract the downloaded archive containing the binary and run it from the current folder or install it somewhere in your PATH, like /usr/local/bin.

You'll need tshark / wireshark-cli (the package name depends on the Linux distribution you're using) installed on the same system as Termshark to use it!

For more on Termshark (including installing tshark on Debian / Ubuntu and wireshark-cli on Fedora, how to add your user to the Wireshark group to be able to run TShark and Termshark without superuser privileges, etc.) and a quick startup guide, see Analyze Network Traffic With Termshark, A Terminal UI For TShark (Wireshark).

I also recommend reading the Termshark User Guide.