Is there any plans to support vim key bindings?

The issue is down to parsing escape codes in psml. Fix coming!

Applying a display filter during a live capture does nothing.
Confirmed on Macos: 10.14

Support for a wireshark coloring rule configuration file, to configure and support the wireshark coloring ruleset.

The default ruleset provides at-a-glance protocol and issue recognition. Being able to point to a config file where this exists on the filesystem allows us to import and share our existing wireshark coloring rulesets

DO NOT EDIT THIS FILE! It was created by Wireshark

@bad [email protected] && !tcp.analysis.window_update@[4626,10023,11822][63479,34695,34695]
@hsrp State [email protected] != 8 && hsrp.state != 16@[4626,10023,11822][65535,64764,40092]
@spanning Tree Topology [email protected] == 0x80@[4626,10023,11822][65535,64764,40092]
@ospf State [email protected] != 1@[4626,10023,11822][65535,64764,40092]
@icmp [email protected] eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4@[4626,10023,11822][47031,63479,29812]
@arp@arp@[64250,61680,55255][4626,10023,11822]
@icmp@icmp || icmpv6@[64764,57568,65535][4626,10023,11822]
@tcp [email protected] eq 1@[42148,0,0][65535,64764,40092]
@sctp [email protected]_type eq ABORT@[42148,0,0][65535,64764,40092]
@Ttl low or unexpected@( ! ip.dst == 224.0.0.0/4 && ip.ttl < 5 && !pim && !ospf) || (ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp))@[42148,0,0][60652,61680,60395]
@Checksum [email protected]=="Bad" || ip.checksum.status=="Bad" || tcp.checksum.status=="Bad" || udp.checksum.status=="Bad" || sctp.checksum.status=="Bad" || mstp.checksum.status=="Bad" || cdp.checksum.status=="Bad" || edp.checksum.status=="Bad" || wlan.fcs.status=="Bad" || stt.checksum.status=="Bad"@[4626,10023,11822][63479,34695,34695]
@smb@smb || nbss || nbns || netbios@[65278,65535,53456][4626,10023,11822]
@http@http || tcp.port == 80 || http2@[58596,65535,51143][4626,10023,11822]
@dcerpc@dcerpc@[51143,38807,65535][4626,10023,11822]
@routing@hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp@[65535,62451,54998][4626,10023,11822]
@tcp SYN/[email protected] & 0x02 || tcp.flags.fin == 1@[41120,41120,41120][4626,10023,11822]
@tcp@tcp@[59367,59110,65535][4626,10023,11822]
@udp@udp@[56026,61166,65535][4626,10023,11822]
@broadcast@eth[0] & 1@[65535,65535,65535][47802,48573,46774]
@System Event@systemd_journal || sysdig@[59110,59110,59110][11565,28527,39578]

 blackarch ~ ]$ ifconfig enp58s0f1
enp58s0f1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.65  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::9ccf:e3dc:a22b:4d8c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::de0d:7644:64b1:1e80  prefixlen 64  scopeid 0x20<link>
        ether 80:fa:5b:4f:5a:ee  txqueuelen 1000  (Ethernet)
        RX packets 746591  bytes 897956470 (856.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 455377  bytes 52721791 (50.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 127  base 0xd000  

[ blackarch ~ ]$ termshark -i enp58s0f1
Could not find network interface enp58s0f1

please fix.

I've published termshark on the Snap store so it can be easily installed on almost all major distros just by issuing: snap install termshark
After installation, it requires some additional permissions:

snap connect termshark:network-control
snap connect termshark:bluetooth-control
snap connect termshark:firewall-control
snap connect termshark:ppp
snap connect termshark:raw-usb
snap connect termshark:removable-media

PS C:\WINDOWS\system32> termshark -i wifi
Could not find network interface wifi

PS C:\WINDOWS\system32> tshark -i wifi
Capturing on 'wifi'
1 0.000000 2600:100f:b01e:92c1:e497:adce:657c:53c1 → 2600:100f:b01e:92c1:6871:3be5:289d:c5f5 ICMPv6 86 Neighbor Solicitation for 2600:100f:b01e:92c1:6871:3be5:289d:c5f5 from 7e:50:49:23:f5:64
2 0.000250 2600:100f:b01e:92c1:6871:3be5:289d:c5f5 → 2600:100f:b01e:92c1:e497:adce:657c:53c1 ICMPv6 86 Neighbor Advertisement 2600:100f:b01e:92c1:6871:3be5:289d:c5f5 (sol, ovr) is at 20:79:18:8d:81:af
3 0.999516 0 40.90.10.180 → 172.20.10.3 TLSv1.2 85 31 Application Data
3 packets captured

SemVer is a way to track versions. Termshark has added many features/fixes since initial release, but only has one version. For feature adds since v1, increment minor (1.[2].3) and for bugfixes, increment patch (1.2.[3]). I'm proposing to call latest commit, 74abf8f "v1.1.0" as a bundle of all previous features/fixes, but to increment version in future with features/patches in mind.

What do you think?

I like the ability to switch layout/pane views, but the one I use the most is not there (layout order = pane 1 packet list, 2 packet details, 3 packet bytes)

I would like to see the current wireshark 3.x layout views scrollable with |, and configurable as a default display option in termshark.toml

termshark looks for the tail.exe at "c:\cygwin64\bin\tail.exe" via hardcoded way.

as titled

% termshark
Error: terminal entry not found [TERM: screen.xterm-256color]
zsh: exit 1 termshark
% TERM=xterm-256color termshark
Packets read from interface eth0 have been saved in /$home/.cache/termshark/eth0-921608986.pcap

First of all, congrats on launching a cool project!

I want termshark to launch on the first interface to mimic the behavior of tshark. Depending on how you have this set up, you could call tshark without interface arguments if termshark does not receive any.

On the CLI, this will show you the first interface tshark sees (and will use):
tshark -D | awk 'NR==1 { print $2}'.

Hello!
Got error when trying to analyze SIP protocol:

Hi - one common request is to have termshark be part of homebrew. I've put together a formula - would anyone like to try it before I officially submit it to the homebrew team? This works for me on linuxbrew, but I don't have ready access to a Mac right now to test it there. Here's a link to the formula:

https://gist.github.com/gcla/a40524d4deb9b95b404b2ec678577d20

To test it out, drop the formula in Library/Taps/homebrew/homebrew-core/Formula/termshark.rb, then

brew update
brew install termshark
<...wait...>
termshark -v
brew test termshark   # crucial step for homebrew acceptance
brew uninstall termshark
brew install --build-from-source termshark

Thanks :-)

This should be trivial to add.

Problem

I am loading a very tiny pcap file (11 packets) with termshark.

Current Behavior

When using using the mouse, clicking and scrolling, the ram usage is up at 20 to 30 GB within seconds.

Expected Behavior

I am not sure how much ram termshark should consume.

Screenshots as applicable

(I cut out the IPs)

Steps to Reproduce

1. open a small file
2. click or scroll anywhere

Context

Please provide the complete output of these commands:

• Wireshark Version (tshark -v):

TShark (Wireshark) 3.0.3 (Git commit 6130b92b0ec6)

Copyright 1998-2019 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.60.5, with zlib 1.2.11, without SMI, with c-ares 1.15.0, with Lua
5.2.4, with GnuTLS 3.6.8 and PKCS #11 support, with Gcrypt 1.8.4, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.36.0, with LZ4, with Snappy,
with libxml2 2.9.9.

Running on Linux 4.19.69-1-MANJARO, with        Intel(R) Xeon(R) CPU E5-1620 0 @
3.60GHz (with SSE4.2), with 19988 MB of physical memory, with locale
LC_CTYPE=en_GB.UTF-8, LC_NUMERIC=de_DE.UTF-8, LC_TIME=de_DE.UTF-8,
LC_COLLATE=en_GB.UTF-8, LC_MONETARY=de_DE.UTF-8, LC_MESSAGES=en_GB.UTF-8,
LC_PAPER=de_DE.UTF-8, LC_NAME=de_DE.UTF-8, LC_ADDRESS=de_DE.UTF-8,
LC_TELEPHONE=de_DE.UTF-8, LC_MEASUREMENT=de_DE.UTF-8,
LC_IDENTIFICATION=de_DE.UTF-8, with libpcap version 1.9.0-PRE-GIT (with
TPACKET_V3), with GnuTLS 3.6.9, with Gcrypt 1.8.5, with zlib 1.2.11, binary
plugins supported (0 loaded).

Built using gcc 9.1.0

• Termshark Version (termshark -v):

termshark v1.0.0++

Please also provide any relevant information about your environment (OS, VM, pi,...):
Manjaro Linux 18.1.0

This is related to #9 Read from stdin insofar as unix redirection is concerned. The following works with wireshark reading from the pipe, but not termshark:

bash-5.0$ mkfifo mypipe
bash-5.0$ tshark -r file.pcap -w mypipe &
[1] 52917
bash-5.0$ termshark -i mypipe
Could not find network interface mypipe

Fix coming...

Could you please add the feature to read from stdin to support something like this:

kubectl -n NS exec POD -c CONTAINER -- tcpdump -s0 -w - -lUni INTERFACE | termshark -i -

or this:

ssh USER@IP -- tcpdump -s0 -w - -lUni any port PORT or port PORT | termshark -i -

1. In one terminal, enter termshark -i <interface> to start a capture
2. In another terminal, enter killall termshark
3. In the initial terminal, text with ANSI escape codes is still sent, and the terminal is inoperable and/or wrongly colored.

OS: Macos 10.14

I started testing out the termshark to hopefully one day be able to use it more often with packet capture analysis. I discovered that termshark is consistently utilizing a lot of CPU resources, causes my system to hang, and will frequently output the error codes shown in the screenshots.

$ tshark -v
TShark (Wireshark) 3.0.3 (Git commit 6130b92b0ec6)

Copyright 1998-2019 Gerald Combs [email protected] and contributors.
License GPLv2+: GNU GPL version 2 or later http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.58.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.13.0, with Lua
5.1.5, with GnuTLS 3.6.7 and PKCS #11 support, with Gcrypt 1.8.4, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.34.0, without LZ4, without
Snappy, without libxml2.

Running on Linux 5.2.11-100.fc29.x86_64, with Intel(R) Core(TM) i7-8650U CPU @
1.90GHz (with SSE4.2), with 15687 MB of physical memory, with locale
en_US.UTF-8, with libpcap version 1.9.0-PRE-GIT (with TPACKET_V3), with GnuTLS
3.6.7, with Gcrypt 1.8.4, with zlib 1.2.11, binary plugins supported (0 loaded).

Built using gcc 8.3.1 20190223 (Red Hat 8.3.1-2).

Seems related to this:

syncthing/syncthing-android#1291

and may just need to be compiled with go 1.13:

golang/go#29674

Hi,

I compiled Termshark on my Raspberry 3B+ running Arch Linux ARM aarch64 and go1.12.7 linux/arm64.

When I run it, the UI looks like this:

https://imgur.com/6I4D6PG

What am i missing?

Thanks!

First of all, thank you so much for this great project.

My first feature request would be a dark theme. The fairly bright colors can be a little overwhelming in dark environments.

When using go get github.com/gcla/termshark/cmd/termshark, the version is v<localbuild>. Confirmed on Macos 10.14.

Checked repo per #42 and found additional contributors (crossed out issues have been closed):

Add to bugs

• #1: @abenson (Andrew Benson)
• #5: @sagis-tikal (sagis-tikal)
• #7: @punkymaniac (punkymaniac)
• #11,#12: @pocc (Ross Jacobs)
• #18: @msenturk (msenturk)
• #21: @szuecs (Sandor Szücs)
• #24: @dawidd6 (Dawid Dziurla)

The heuristic here being: Did you open an issue that was judged to be a bug? PR inbound.

sudo add-apt-repository --update ppa:nicolais/termshark
tag:launchpad.net:2008:redacted
More info: https://launchpad.net/~nicolais/+archive/ubuntu/termshark
Press [ENTER] to continue or Ctrl-c to cancel adding it.

'Error reading https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&exact=on&search=0xtag:launchpad.net:2008:redacted: Not Found'

Anyone else experience this?

The worst thing is the invisible cursor.

On screen:

On tmux:

I'm currently in the process of packaging termshark for Nix/NixOS. I would like to build the tagged versions from source. Could you give me a hint on how to compile termshark?

I've tried the following without success:

➜ ~/vcs/termshark (v1.0.0) go version
go version go1.11.6 linux/amd64
➜ ~/vcs/termshark (v1.0.0) export GO111MODULE=on
➜ ~/vcs/termshark (v1.0.0) go build  -o termshark *.go
# command-line-arguments
./copycommand_darwin.go:7:5: CopyToClipboard redeclared in this block
	previous declaration at ./copycommand_android.go:7:5
./copycommand.go:9:5: CopyToClipboard redeclared in this block
	previous declaration at ./copycommand_darwin.go:7:5
./copycommand_windows.go:7:5: CopyToClipboard redeclared in this block
	previous declaration at ./copycommand.go:9:5
./have_fdinfo_linux.go:7:7: HaveFdinfo redeclared in this block
	previous declaration at ./have_fdinfo.go:9:20

Thanks 😄

Part of the problem here is that when files are too large, it's harder to contribute :)

I'm seeing a lot of UI logic in this file. Maybe refactor that out as a first step?

There are references to a MIT LICENSE file but none is present.

I would like a .deb package for this tool.

Packaging a single binary as a .deb package is fairly simple [0], but will ofc require a bit of extra time when releasing. Could you be convinced to do it? Or can I create an "official" PPA for the tool?

[0] Shameless plug: I made the tool ELF2deb to automate the "anything-to-deb" process.

It would be nice to recommend that users upgrade to latest tshark, but this may not be possible for all users. @gcla has also put in work towards making tshark v1.1.0 not break.

1. If there are certain versions of tshark that cause undesirable behavior (like #50), it should be documented in the FAQ. Thoughts?
2. Corollary is: What versions of Wireshark should be wontfix vs documented into FAQ vs bug?

When termshark is executed with no parameters and not as root it will print the following error:
"INFO[0004] tshark: Couldn't run /usr/bin/dumpcap in child process: Permission denied"

Tried to use both the pre-compiled version and to compile it using the with GO111MODULE=on
termshark version: 1.0.0
tshark version: TShark (Wireshark) 3.0.1 (Git)
OS version: 4.19.35-1-MANJARO (inside of a VirtualBox VM)

Totally love this tool but would even more so if it had the "Follow Stream" feature from Wireshark...perhaps the feature I depend on the most.

hit enter in filter input is noop. How about when input is valid we do apply button callback?

In the above box, I tried both enter and space keys, but the termshark was not closed. cancel button works well.

I'm using macOS 10.14 and latest termshark.

I make it available on AUR for Arch Linux users. This is a binary package, which simply copies the released binary to install directory. Enjoy it. The issue page is left for discussion.

I might be missing something, but I'm not seeing test functions in termshark.go. It looks like there's a smattering of unit tests scattered throughout other files, which is good. More unit tests for the main file would be helpful here (and goes hand in hand with #20).

I am on a mac and installed termshark via brew. For some reason I am not able to see hex data... ever. I have tried multiple terminals as well as live data and reading from a pcap.

Has anyone experienced this?

A feature request stemming from a bug reported by @jJit0

When I look into this, take a look at ~/.wireshark/preferences, gui.column.format

I started trying to use termshark to analyze packet captures for my work. I noticed that I am unable to change the scrollbar position by clicking on the scrollbar itself. The scrollbar only seems to function by clicking either the box on the bar or by clicking on the arrows. I'm referring to being able to click on a different position on the scrollbar in order to jump to that position, i.e. jump quickly to the end of the file. I'm using Tilix terminal, Fedora 29, xorg session (in case this information is helpful).

When termshark is executed with root permissions it cannot find any device. ends up printing the following error: "Giving up waiting for : "

Tried to use both the pre-compiled version and to compile it using the with GO111MODULE=on
termshark version: 1.0.0
tshark version: TShark (Wireshark) 3.0.1 (Git)
OS version: 4.19.35-1-MANJARO (inside of a VirtualBox VM)

Thanks for this good-looking app :)

This came up on twitter - 1.5m load time for wireshark, 6.5m load time for termshark. Termshark is dependent on tshark -T psml, and currently will run through the whole pcap to generate the packet list, slowly updating the progress bar as it goes. If

$ time tshark -r my.pcap -T psml > /dev/null

isn't appreciably faster than termshark, then short of looking at tshark itself, maybe termshark can consider "lazy loading" of the packet list as well, like it does for the packet structure (PDML). This raises its own issues, like how would termshark know how many packets are in the pcap before a full load, and does it need to know. Could it use capinfos - which will work its way through the pcap much more quickly than a tshark process that is generating XML output.. Can we just turn off the progress bar early, when enough packets have been loaded for several screens-worth of scrolling. All seems to add extra complexity.

When leaving termshark; the Yellow Do you want to quit dialogue box,
my console (CMD or 4NT) will look like this after 1 screen-ful of scroll up.

I assume a fix would be to save the B/F colours on program entry.
And restore those on program exit.

I'm on Win-10.

Would it possible to add a shortcut to enable auto scrolling of the packet capture rows in the main window as with wireshark?

Really liking this project!

=== RUN   TestFields1
--- FAIL: TestFields1 (1.09s)
    fields_test.go:18: 
                Error Trace:    fields_test.go:18
                Error:          Received unexpected error:
                                open /home/builder/.cache/termshark/tsharkfields.gob.gz: no such file or directory
                Test:           TestFields1
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
        panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x87754d]

goroutine 20 [running]:
testing.tRunner.func1(0xc0000e8600)
        /usr/lib/go-1.11/src/testing/testing.go:792 +0x387
panic(0x8f4340, 0xd3c630)
        /usr/lib/go-1.11/src/runtime/panic.go:513 +0x1b9
github.com/gcla/termshark.TestFields1(0xc0000e8600)
        /build/source/_build/src/github.com/gcla/termshark/fields_test.go:20 +0xad
testing.tRunner(0xc0000e8600, 0x98efb8)
        /usr/lib/go-1.11/src/testing/testing.go:827 +0xbf
created by testing.(*T).Run
        /usr/lib/go-1.11/src/testing/testing.go:878 +0x35c
FAIL    github.com/gcla/termshark       1.114s

This only happens if termshark wasn't run before.
Simply executing termshark -h and then running tests, resolves this issue.

UPDATE: Okay after more investigation, it seems like the problem is about non existing termshark directory in $XDG_CONFIG_CACHE.

Hi,

When I launch termshark -i wlan0, I get this error

goroutine 1 [running]: main.makePacketListModel(0xc0002881e0, 0x4, 0xa, 0xc001a70000, 0x2e, 0x40, 0xb459c0, 0xc0001224d0, 0xc002cbac20) /usr/gocode/src/github.com/gcla/termshark/cmd/termshark/termshark.go:1529 +0x721 main.updatePacketListWithData(0xc0002881e0, 0x4, 0xa, 0xc001a70000, 0x2e, 0x40, 0xb459c0, 0xc0001224d0) /usr/gocode/src/github.com/gcla/termshark/cmd/termshark/termshark.go:1536 +0x7e main.updatePacketViews.BeforeBegin.func1.1.1.1(0xb459c0, 0xc0001224d0) /usr/gocode/src/github.com/gcla/termshark/cmd/termshark/termshark.go:1048 +0xd0 github.com/gcla/gowid.RunFunction.RunThenRenderEvent(0xab8b30, 0xb459c0, 0xc0001224d0) /usr/gocode/src/github.com/gcla/gowid/app.go:720 +0x3a github.com/gcla/gowid.(*App).RunThenRenderEvent(0xc0001224d0, 0xb39220, 0xab8b30) /usr/gocode/src/github.com/gcla/gowid/app.go:600 +0x47 main.cmain(0x0) /usr/gocode/src/github.com/gcla/termshark/cmd/termshark/termshark.go:3114 +0x61c7 main.main() /usr/gocode/src/github.com/gcla/termshark/cmd/termshark/termshark.go:2109 +0x4b

I also get the same error when I try to read a pcap file 'termshark -r test.pcap'

I'm using the Golang-go 1.11.6 btw