termshark is a terminal UI for tshark, inspired by Wireshark.
Basic Usage
- termshark -i <interface> - Capture live from network interface
- termshark -r <file> - Load and analyze pcap file
- termshark <file> - Load pcap file (alternative)
Navigation
- j or ↓ - Move down through packets
- k or ↑ - Move up through packets
- Enter - Expand/collapse packet details
- Space - Expand/collapse fields
- h - Collapse tree view
- l - Expand tree view
- / - Search/filter packet fields
- n - Next packet
- p - Previous packet
- g - Go to top
- G - Go to bottom
Filtering and Search
- / - Open filter/search UI
- Ctrl+F - Open filter/search UI (alternative)
- Enter - Apply filter
- Esc - Cancel filter
Display Options
- t - Toggle display format
- Ctrl+N - Next tab (if using tabs)
- Ctrl+P - Previous tab (if using tabs)
System
- q - Quit termshark
- ? - Show help
Configuration
Config File Location
- ~/.config/termshark/config.yaml (user config)
- ~/.config/termshark/ (profiles directory)
- ~/.termshark/ (legacy location)
Example Configuration
# termshark config
profiles:
default:
columns:
- Time
- Source
- Destination
- Protocol
- Length
- InfoCommand Line Options
- -i <interface> - Capture from interface
- -r <file> - Read from pcap file
- -f <filter> - Apply display filter
- -Y <filter> - Apply display filter (alternative)
- -n - Disable network name resolution
- -N - Disable port name resolution
Tips
- Use live capture vs. reading pcap to compare behavior
- Pipe output with tshark flags into termshark for filtering before loading
- Familiarize with filter syntax early (e.g., ip.src == 1.2.3.4)
- Use keyboard navigation to avoid switching back and forth to mouse
- When working over SSH, using termshark avoids copying large pcap files
- Adjust visible columns and packet details via profiles to reduce noise
- Ensure tshark is installed and up to date, since termshark uses it under the hood
- Use Wireshark-compatible display filters for familiarity
- Profiles allow customizing column layouts and color schemes