Termshark – A terminal UI for tshark, inspired by Wireshark (termshark.io)
616 points by gcla on April 23, 2019 | 63 comments

This is very cool. Though I’ve always done remote wireshark captures:

    ssh root@sniff_server_ip -p port tcpdump -U -s0 'not port 22' -i eth0 -w - | wireshark -k -i -

Source: https://serverfault.com/questions/362529/how-can-i-sniff-the...

It works very well on low volume captures.

I've made a simple script based on your example:


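  # Stream a remote tcpdump capture over SSH into a local Wireshark (bash)
  if [[ -z "$1" ]]; then
      echo -e "Usage: $(basename "$0") <host[:port]> <interface> [filters]"
      exit 1
  fi
  # Split host[:port]; fall back to the default SSH port
  ssh_host=$(echo "$1" | cut -d: -f1)
  ssh_port=$(echo "$1" | cut -s -d: -f2)
  [[ -z "$ssh_port" ]] && ssh_port=22
  [[ -z "$2" ]] && tcpdump_interface="any" || tcpdump_interface="$2"
  # $3 is expanded by the remote shell (as root), so pass only trusted filter text;
  # the escaped parentheses reach tcpdump as literal grouping around the filter
  [[ ! -z "$3" ]] && tcpdump_filters="and \($3\)"
  # Exclude the SSH session itself so the capture does not record its own traffic
  ssh root@${ssh_host} -p ${ssh_port} \
      tcpdump -U -s0 "not port ${ssh_port} ${tcpdump_filters}" -i ${tcpdump_interface} -w - \
      | wireshark -k -i -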

nice, but a small nit: you don't need to quote variables inside bash double brackets.

This method even worked for Wiresharking all PS3 traffic in real time for a GTA Online session, running the tcpdump on a little plastic old mipsel SoC OpenWrt router that was also doing all the routing (not a passive sniffing box), without noticeable effect on gameplay. (I was trying to detect cheaters.)

BTW, for anyone new to tcpdump, you can also specify selectors/filtering on the command line, to reduce the traffic. The filtering in Wireshark is on top of that.

online games are pretty low volume though, data is usually transmitted at a few Kbps per player. Just out of interest, how did you try to spot cheaters doing that?

Not quite in their interest to publicly explain methods of how they detect cheaters :)

It's one of the best-guarded secrets in the gaming industry.

OP does not sound like he was actually working for Rockstar on GTA, more like a hobby project

Correct, not working for Rockstar. And I'm pretty sure R* stopped caring about cheaters ruining Online for last-gen console, shortly after that could push people to buy the game again, for current-gen. :)

Wouldn't they just cheat with some of the common methods and train some AI with the packet dumps to spot it?

Perhaps he was looking for an abnormal amount of traffic, attempting to resend the same message, and hoping the server will do it multiple times in the same frame. I would guess trying to find spots where the client is overly trusted.

Game traffic is usually encrypted. How good depends on the game. So you might only see some packets with a larger payload and deduce stuff from there.

Came here to write the very same command. I only use -l instead of -U. In Windows using WSL I use something like this:

  ssh root@remotehost "tcpdump -i eth1 -s0 -l -w - 'udp'" | /mnt/c/Program\ Files/Wireshark/Wireshark.exe -k -i -

Option "-l" is only supposed to be used with text output. When misapplied to binary (-w) output, it will:

- On Linux, flush buffer at wrong places, breaking last (few) packet(s);

- On Windows, flush buffer after every byte (which gives acceptable result, but is very inefficient).

With "-w", always use "-U" instead.
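As an added example (not part of the comment above and not tcpdump's own code): a small Python check for the failure described there, a classic pcap stream that stops in the middle of a record. The sample capture is constructed inside the code, and `scan_pcap` and `build_sample` are names chosen for this illustration.

```python
import struct

# First four bytes of a classic pcap file -> struct byte-order prefix
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
GLOBAL_HDR, REC_HDR = 24, 16  # header sizes in bytes


def scan_pcap(data: bytes):
    """Return (complete_packets, trailing_bytes) for a classic pcap stream.

    trailing_bytes > 0 means the stream ended inside a record header or
    payload, so the last packet is broken (the symptom of flushing the
    writer at arbitrary points instead of per packet).
    """
    if len(data) < GLOBAL_HDR or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap stream")
    endian = MAGICS[data[:4]]
    offset, packets = GLOBAL_HDR, 0
    while len(data) - offset >= REC_HDR:
        # Record header: ts_sec, ts_frac, incl_len, orig_len (4 bytes each)
        incl_len = struct.unpack_from(endian + "I", data, offset + 8)[0]
        if len(data) - offset - REC_HDR < incl_len:
            break  # payload cut short
        offset += REC_HDR + incl_len
        packets += 1
    return packets, len(data) - offset


def build_sample() -> bytes:
    """Constructed sample: global header plus three fake packets."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    recs = b""
    for i, payload in enumerate([b"\x00" * 60, b"\x01" * 42, b"\x02" * 74]):
        recs += struct.pack("<IIII", 1556000000 + i, 0, len(payload), len(payload)) + payload
    return hdr + recs


if __name__ == "__main__":
    sample = build_sample()
    print("clean stream:    ", scan_pcap(sample))
    print("cut mid-payload: ", scan_pcap(sample[:-10]))
```

Running it on a file saved from the pipe shows whether the capture ended on a packet boundary; a non-zero second value means the tail of the stream is a partial record.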

Thank you so much, not had a clue

Who would have known that :) I sense a project developer is contributing to the discussion here :).

Indeed, this method is cool. It allowed me to sniff the traffic between some poorly documented IoT device and a remote server (unencrypted, what else) via OpenWrt:

[0] https://openwrt.org/docs/guide-user/firewall/misc/tcpdump_wi...

ah, very handy!

This seems useful. Are there other good recent tools for analyzing network traffic? For example something more high-level than Wireshark? A common use is to zero in on the flow you're interested in, and see which party is saying what. And maybe zoom back out and pick another flow. The flow choosing part could use better UI, maybe in the form of a more high level view.

My first port of call tends to be tcpdump, with various filters and greps to pick out what I want. Usually I'm looking at RTP streams [0], so I run it through some perl to decode [1]

For wider monitoring, at key points on the network I use ntop [2] to see what's

If I want a quick overview of a given machine I load up iftop [3], which isn't very thrilling on my desktop at the moment

[0] https://i.imgur.com/O9ekuPt.png [1] https://i.imgur.com/x9l0UNd.png [2] https://i.imgur.com/gFXAxwa.png [3] https://i.imgur.com/vmpgR6i.png

All of these are trivial to install (except for the RTP perl script which I have as a custom apt-gettable package) and don't require non-standard interpreters and package managers.

Nevertheless I went to get this. I had to install 540MB of support files just to run "go get github.com/gcla/termshark/cmd/termshark". Still it compiles. Then I run it, and it shows bugger all, I suspect I need to find and install more libraries (tcell, gowid), which themselves require massive downloads.

It's simply not worth it, it's like going back in time 20 years.

How is that different from compiling other software with build dependencies? I mean, if you consider libc etc most applications have quite a large tree of build deps if you need to download _all_ libraries from scratch - it's just that in most cases you already have those deps.

Next time you need to build a golang project you most likely won't have to download all of those libs again, unless you remove them for some reason.

hi isostatic - sorry for the trouble :( I had hoped that compiling it would be quick and reliable. By default termshark will be installed in ~/go/bin/ - though it sounds like you have it compiled, it's just not running. Send me a message if you like and I'll see if I can get it working for you. There are also pre-compiled binaries at https://github.com/gcla/termshark/releases

As an old fart I expect to type "./configure; make", however it did seem to compile.

It runs, just doesn't look like it's reading anything from "sudo ./termshark -i eno1 icmp". Works fine when reading a pcap file, works fine when launching from a root session (rather than via sudo)

Riverbed Pilot[0] (or whatever it's called now) may be what you're looking for. It works incredibly well to help drill down the haystack, and then export that particular part to Wireshark. Do like.

[0] https://www.riverbed.com/gb/products/steelcentral/steelcentr...

It's called Packet Analyzer nowadays, and that's exactly what it was designed for.

There was some discussion about opening a new wireshark window at the current location so you could navigate like in a browser more or less. It didn't go anywhere https://seclists.org/wireshark/2015/Apr/97

I seem to remember a really old gtk1.x app that would show network flows as blobs representing local/remote hosts on the left and right of the screen, and ribbons connecting the blobs scaled to the amount of traffic per stream. Don't remember the name though.



I remember using that as well many years ago. Fun times.

> Overview of changes in EtherApe 0.9.18 (Sunday, June 3, 2018):

> EtherApe now is a pure GTK 3 application, with canvas supplied by GooCanvas.

It's still in active development! Will have some fun with it :).

I need to admit, I have a lot of respect for someone that can keep a project going for so long. I assume there are contributors, but it wouldn't surprise me if it's a one-person lead. People who also tend to have other side projects going. I have trouble maintaining a bunch of GitHub side repo's and keeping Ubuntu installations on a bunch of VPS's up to date.

I'm using Wireshark filters to automatically categorize traces (using tshark) and compile a HTML overview. “Wireshark://” will open the corresponding PCAP then.

Having this integrated in some tool would be great.

Flow telemetry like NetFlow in general; ntop, specifically.

Charles Proxy?

Charles is an http proxy only - it does not capture any other protocols. Good for general app debugging, but did not fit the bill when I recently tried to dig into traffic coming out of my shady ip camera.

I recently used this method (wireshark/windows) [1] with the cam vendors app on an old iPhone to get more insight into what was going on (particularly outside the HTTP space).


Drat; this was my best idea for a portfolio Rust app!

The more we do of this kind of tool in a memory-safe language, the better.

For a while, it seemed like Wireshark dissectors were second only to 2D image format libraries, for memory exploits. I joked that one way to locate and compromise a network admin's workstation would be to create a simple network anomaly that would prompt them to fire up Wireshark. :)

It's a UI for tshark. The dissectors are from Wireshark.

isn't this a go application, I did not see any rust usage yet here.

While GP wanted to write it in rust, I think they just meant it's not as useful of a thing to write (in any language) now that this implementation exists.

I wish software were more often retrofitted to the terminal when possible. Good work!

The terminal is Eternal. It has not changed since the Dawn of Time.

It's not retrofitting. If you make it work for the terminal it will always work from now on.

It comes outside the reaches from the graphical designers. Nothing with a graphical design survives more than 10 years.

Just because the terminal doesn't use graphics does not mean it can't be improved by visual design.

Very true. The Terminal is like cave painting or cuneiform pressed into clay with reeds. It will last forever.

The MVC approach seems to have been abandoned.

I typically write my code as a library that can then be called by an interface (or other program) rather than as a monolithic unit. Also makes it easier to run on different devices.

I have some students who are really going to dig this. I teach an introductory networking course with students that have significantly less technical background than the typical CS networks course.

A lot of the students are already feeling stretched, as this is their first deep dive into the terminal. Though I do teach them how to run a remote capture through SSH, I can imagine them finding some relief in this.

Link to the project in github [0], as the site seems to be down due to the hug of death.

[0] https://github.com/gcla/termshark

Hmm, XForwarding Wireshark is one of the only reasons I use XForwarding, I should see what this can do.

This is incredibly useful. I spend a lot of time rsyncing captures to examine on WireShark.

This went immediately to my personal /bin/

Doesn't have vim bindings :(

But handles custom rules well :)

Another vote for Vim key bindings. Think of it as future proofing. For all eternity :)

Wireshark is very good and this definitely looks like a nice tool, that could be a good alternative to ngrep that I usually rely on on the command line.


I was looking for something like this just yesterday! Looking forward to giving it a try.

Thanks to everyone for the kind words and encouragement. It's been very gratifying. Now I have a good number of suggestions, and a handful of bugs to fix!

Awesome work! Let's get it into Homebrew.

awesome tool, termshark is 16MB after compiling and it is so handy and useful especially for servers. Using it right now.

Made me a little nostalgic for our old Sniffer™️. Edit: from Network General.

Post your python to go urwid port gcla. Well done!

Looks very good! Will give it a spin soon.

Really nice. Reminds me of IPTraf.

That looks good! Good job.

Does it require ncurses?

Looks very nice, but not yet available in brew on OSX?

Thanks for the suggestion, I'll put that on my todo list!

Cool thanks for the work! I'll try it out once the formula is released :) (Note: I am a different person)

I tried to brew install it as well. Would definitely like to see this formula available.
