
Termshark – A terminal UI for tshark, inspired by Wireshark - gcla
https://termshark.io
======
psophis
This is very cool. Though I’ve always done remote wireshark captures:

    ssh root@sniff_server_ip -p port tcpdump -U -s0 'not port 22' -i eth0 -w - | wireshark -k -i -

Source: [https://serverfault.com/questions/362529/how-can-i-sniff-the...](https://serverfault.com/questions/362529/how-can-i-sniff-the-traffic-of-remote-machine-with-wireshark#530020)

It works very well on low volume captures.

~~~
neilv
This method even worked for Wiresharking all PS3 traffic in real time for a
GTA Online session, running the tcpdump on a little plastic old mipsel SoC
OpenWrt router that was also doing all the routing (not a passive sniffing
box), without noticeable effect on gameplay. (I was trying to detect
cheaters.)

BTW, for anyone new to tcpdump, you can also specify selectors/filtering on
the command line, to reduce the traffic. The filtering in Wireshark is on top
of that.
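As an added example (not code from the thread, the serverfault answer or the termshark project), a POSIX sh helper that wraps the remote capture pipeline above and the tcpdump-side filtering mentioned here. The host, port and interface values are placeholders, and the allowlist of characters accepted in a capture filter is my own assumption about what BPF expressions need:

```shell
#!/bin/sh
# Added example (not from the thread): wraps the ssh+tcpdump+wireshark
# pipeline in a helper. Host, port and interface names are placeholders.

# build_capture_filter SSH_PORT [FILTER]
# Prints the BPF expression for the remote tcpdump. The SSH port carrying the
# capture back is always excluded, otherwise tcpdump sees its own output
# packets and the stream feeds on itself. The port is the same value given
# to ssh -p, so the exclusion stays right on non-22 ports.
build_capture_filter() {
    ssh_port="$1"
    user_filter="$2"
    case "$ssh_port" in
        ''|*[!0-9]*) echo "ssh port must be numeric" >&2; return 1 ;;
    esac
    # Allowlist of characters used in tcpdump/BPF expressions (assumption);
    # quotes, $, backticks or ; could be reinterpreted by the remote shell.
    if printf '%s' "$user_filter" | grep -q '[^A-Za-z0-9 ._:/()&|!<>=-]'; then
        echo "unsupported characters in filter" >&2; return 1
    fi
    if [ -n "$user_filter" ]; then
        printf '%s\n' "not port $ssh_port and ($user_filter)"
    else
        printf '%s\n' "not port $ssh_port"
    fi
}

# build_remote_capture_cmd USER@HOST SSH_PORT IFACE [FILTER]
# Prints the pipeline: -U flushes each packet, -s0 keeps whole packets,
# -w - writes pcap to stdout; wireshark -k -i - starts reading from stdin.
# The remote command is single-quoted and the filter double-quoted inside it,
# so parentheses reach tcpdump as one argument (the bare 'not port 22' in the
# thread only survives the remote shell because it has no parentheses).
build_remote_capture_cmd() {
    host="$1"; ssh_port="$2"; iface="$3"; user_filter="$4"
    if [ -z "$host" ] || [ -z "$iface" ]; then
        echo "usage: build_remote_capture_cmd USER@HOST PORT IFACE [FILTER]" >&2
        return 1
    fi
    filter=$(build_capture_filter "$ssh_port" "$user_filter") || return 1
    printf "ssh -p %s %s 'tcpdump -U -s0 -i %s -w - \"%s\"' | wireshark -k -i -\n" \
        "$ssh_port" "$host" "$iface" "$filter"
}

# remote_capture USER@HOST SSH_PORT IFACE [FILTER]
# Prints the command; set RUN=1 to execute it (needs ssh access to the host,
# tcpdump there and wireshark here).
remote_capture() {
    cmd=$(build_remote_capture_cmd "$@") || return 1
    if [ "${RUN:-0}" = 1 ]; then sh -c "$cmd"; else printf '%s\n' "$cmd"; fi
}
```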

~~~
kayoone
Online games are pretty low volume though, data is usually transmitted at a
few Kbps per player. Just out of interest, how did you try to spot cheaters
doing that?

~~~
kodisha
Not quite in their interest to publicly explain methods of how they detect
cheaters :)

It's one of the best guarded secrets in the gaming industry.

~~~
kayoone
OP does not sound like he was actually working for Rockstar on GTA, more like
a hobby project.

~~~
neilv
Correct, not working for Rockstar. And I'm pretty sure R* stopped caring about
cheaters ruining Online for last-gen console, shortly after that could push
people to buy the game again, for current-gen. :)

------
fulafel
This seems useful. Are there other good recent tools for analyzing network
traffic? For example something more high-level than Wireshark? A common use is
to zero in on the flow you're interested in, and see which party is saying
what. And maybe zoom back out and pick another flow. The flow choosing part
could use better UI, maybe in the form of a more high level view.

~~~
isostatic
My first port of call tends to be tcpdump, with various filters and greps to
pick out what I want. Usually I'm looking at RTP streams [0], so I run it
through some perl to decode [1]

For wider monitoring, at key points on the network I use ntop [2] to see
what's

If I want a quick overview of a given machine I load up iftop [3], which isn't
very thrilling on my desktop at the moment

[0] [https://i.imgur.com/O9ekuPt.png](https://i.imgur.com/O9ekuPt.png)

[1] [https://i.imgur.com/x9l0UNd.png](https://i.imgur.com/x9l0UNd.png)

[2] [https://i.imgur.com/gFXAxwa.png](https://i.imgur.com/gFXAxwa.png)

[3] [https://i.imgur.com/vmpgR6i.png](https://i.imgur.com/vmpgR6i.png)

All of these are trivial to install (except for the RTP perl script which I
have as a custom apt-gettable package) and don't require non-standard
interpreters and package managers.

Nevertheless I went to get this. I had to install 540MB of support files just
to run "go get github.com/gcla/termshark/cmd/termshark". Still it compiles.
Then I run it, and it shows bugger all, I suspect I need to find and install
more libraries (tcell, gowid), which themselves require massive downloads.

It's simply not worth it, it's like going back in time 20 years.

~~~
gcla
hi isostatic - sorry for the trouble :( I had hoped that compiling it would be
quick and reliable. By default termshark will be installed in ~/go/bin/ -
though it sounds like you have it compiled, it's just not running. Send me a
message if you like and I'll see if I can get it working for you. There are
also pre-compiled binaries at
[https://github.com/gcla/termshark/releases](https://github.com/gcla/termshark/releases)

~~~
isostatic
As an old fart I expect to type "./configure; make", however it did seem to
compile.

It runs, just doesn't look like it's reading anything from "sudo ./termshark
-i eno1 icmp". Works fine when reading a pcap file, works fine when launching
from a root session (rather than via sudo)

------
neilv
Drat; this was my best idea for a portfolio Rust app!

The more we do of this kind of tool in a memory-safe language, the better.

For a while, it seemed like Wireshark dissectors were second only to 2D image
format libraries, for memory exploits. I joked that one way to locate and
compromise a network admin's workstation would be to create a simple network
anomaly that would prompt them to fire up Wireshark. :)

~~~
ausjke
Isn't this a Go application? I did not see any Rust usage here yet.

~~~
smolder
While GP wanted to write it in rust, I think they just meant it's not as
useful of a thing to write (in any language) now that this implementation
exists.

------
antpls
I wish software were more often retrofitted to the terminal when possible. Good
work!

~~~
derpherpsson
The terminal is Eternal. It has not changed since the Dawn of Time.

It's not retrofitting. If you make it work for the terminal it will always
work from now on.

It is outside the reach of the graphical designers. Nothing with a
graphical design survives more than 10 years.

~~~
bovermyer
Just because the terminal doesn't use graphics does not mean it can't be
improved by visual design.

------
cjcampbell
I have some students who are really going to dig this. I teach an introductory
networking course with students that have significantly less technical
background than the typical CS networks course.

A lot of the students are already feeling stretched, as this is their first
deep dive into the terminal. Though I do teach them how to run a remote
capture through SSH, I can imagine them finding some relief in this.

------
dordoka
Link to the project in github [0], as the site seems to be down due to the hug
of death.

[0] [https://github.com/gcla/termshark](https://github.com/gcla/termshark)

------
ohples
Hmm, XForwarding Wireshark is one of the only reasons I use XForwarding, I
should see what this can do.

------
moshohayeb
This is incredibly useful. I spend a lot of time rsyncing captures to examine
on WireShark.

This went immediately to my personal /bin/

------
nextlevelwizard
Doesn't have vim bindings :(

But handles custom rules well :)

~~~
programd
Another vote for Vim key bindings. Think of it as future proofing. For all
eternity :)

------
lloeki
Wireshark is very good and this definitely looks like a nice tool, that could
be a good alternative to ngrep that I usually rely on on the command line.

[https://github.com/jpr5/ngrep](https://github.com/jpr5/ngrep)

------
macinjosh
I was looking for something like this just yesterday! Looking forward to
giving it a try.

------
gcla
Thanks to everyone for the kind words and encouragement. It's been very
gratifying. Now I have a good number of suggestions, and a handful of bugs to
fix!

------
rosstex
Awesome work! Let's get it into Homebrew.

------
ausjke
awesome tool, termshark is 16MB after compiling and it is so handy and useful
especially for servers. Using it right now.

------
CodeWriter23
Made me a little nostalgic for our old Sniffer™️. Edit: from Network General.

------
knowsmorsecode
Post your Python-to-Go urwid port, gcla. Well done!

------
astatine
Looks very good! Will give it a spin soon.

------
felipelemos
Really nice. Reminds me of IPTraf.

------
mikehollinger
That looks good! Good job.

------
knolax
Does it require ncurses?

------
koffiezet
Looks very nice, but not yet available in brew on OSX?

~~~
gcla
Thanks for the suggestion, I'll put that on my todo list!

~~~
Yptur
Cool thanks for the work! I'll try it out once the formula is released :)
(Note: I am a different person)

