Scripts · May 17, 2026 · 3 min read

Termshark — Terminal User Interface for Packet Analysis

Termshark is a terminal-based user interface for tshark that brings Wireshark-like packet inspection to the command line, ideal for analyzing network captures on remote servers.


Introduction

Termshark provides a Wireshark-inspired terminal UI for analyzing packet captures. Built on top of tshark, it offers interactive packet list, detail, and hex views without needing a graphical desktop — making it ideal for debugging network issues directly on remote servers via SSH.

What Termshark Does

  • Displays live packet captures or reads pcap/pcapng files with an interactive TUI
  • Provides a three-pane, Wireshark-style layout: packet list, protocol detail tree, and hex dump
  • Supports Wireshark display filters for narrowing down traffic to specific protocols or hosts
  • Allows reassembly and following of TCP/UDP streams directly in the terminal
  • Copies packets or fields to clipboard and supports column customization

Architecture Overview

Termshark is written in Go and wraps tshark (Wireshark's CLI dissector) to leverage its protocol decode capabilities. The TUI is built with the gowid library. Packets are loaded asynchronously in chunks to keep the interface responsive even with large captures. The application delegates all protocol dissection to tshark via PDML/PSML XML output formats.
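As an added illustration (not Termshark's own code), the following Go program reads the PSML packet-summary XML that `tshark -T psml` emits, decoding it one element at a time rather than loading the whole document. The names `ReadPSML`, `sections` and `samplePSML`, the embedded sample, and the cell-count check are assumptions made for this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Constructed sample in the shape of `tshark -T psml` output (not a real capture).
const samplePSML = `<?xml version="1.0" encoding="utf-8"?><psml version="0" creator="constructed-sample">
<structure><section>No.</section><section>Source</section><section>Protocol</section><section>Info</section></structure>
<packet><section>1</section><section>192.0.2.10</section><section>DNS</section><section>Standard query A example.test</section></packet>
<packet><section>2</section><section>192.0.2.10</section><section>TCP</section><section>49152 &gt; 443 [SYN]</section></packet>
</psml>`

type sections struct { // fits <structure> (column names) and <packet> (one row)
	Cells []string `xml:"section"`
}

// ReadPSML decodes element by element; rows read before an error are still returned.
func ReadPSML(r io.Reader) (cols []string, rows [][]string, err error) {
	dec := xml.NewDecoder(r)
	for {
		tok, terr := dec.Token()
		if terr == io.EOF {
			return cols, rows, nil
		} else if terr != nil {
			return cols, rows, terr // e.g. output cut off mid-element
		}
		se, ok := tok.(xml.StartElement)
		if !ok || (se.Name.Local != "structure" && se.Name.Local != "packet") {
			continue
		}
		var s sections
		if derr := dec.DecodeElement(&s, &se); derr != nil {
			return cols, rows, derr
		}
		if se.Name.Local == "structure" {
			cols = s.Cells
		} else if len(s.Cells) != len(cols) {
			return cols, rows, fmt.Errorf("row has %d cells, want %d", len(s.Cells), len(cols))
		} else {
			rows = append(rows, s.Cells)
		}
	}
}

func main() { fmt.Println(ReadPSML(strings.NewReader(samplePSML))) }
```

Every cell in a row is derived from captured traffic, so a consumer should treat the values as untrusted input.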

Self-Hosting & Configuration

  • Requires tshark installed on the system (provided by the Wireshark package)
  • Configuration stored in ~/.config/termshark/termshark.toml for theme and column preferences
  • Custom color themes supported for adapting to different terminal backgrounds
  • Works over SSH connections, making it useful for headless server debugging
  • Supports both live capture (requires root/capabilities) and offline pcap reading

Key Features

  • Full Wireshark display filter syntax support for precise traffic isolation
  • TCP and UDP stream reassembly with follow-stream view in the terminal
  • Asynchronous packet loading keeps the UI responsive with multi-gigabyte captures
  • Column layout customization matches your preferred Wireshark profile
  • Conversation and endpoint statistics views for traffic summarization

Comparison with Similar Tools

  • Wireshark — full GUI requiring a desktop environment; Termshark brings similar UX to terminals
  • tshark — Wireshark's CLI tool outputs text only; Termshark adds interactive navigation and filtering
  • tcpdump — minimal text output without protocol tree or interactive exploration
  • ngrep — regex-based packet matching without structured protocol dissection

FAQ

Q: Does Termshark require Wireshark to be installed?
A: It requires tshark (the CLI component), which is part of the Wireshark package but does not need the full GUI.

Q: Can Termshark capture packets without root access?
A: Live capture requires elevated privileges. Reading existing pcap files works as a regular user.

Q: How does performance compare to Wireshark for large captures?
A: Termshark loads packets lazily and asynchronously, so it stays responsive even with large files, though initial indexing by tshark takes similar time.

Q: Does it support all Wireshark protocol dissectors?
A: Yes. Since it uses tshark under the hood, it supports all protocols that Wireshark can decode.
